Very unprofessional customer treatment after hack by Bittrex

This is the story of how I got hacked on Bittrex.

I'm using a bot and API keys to trade on Bittrex. Also, I use an app on my Android to track trades made by the bot.

Date: 5 Oct 2017. I got many strange notifications on my Android in a very short time about trades on my accounts. I suspected that something strange was happening because that wasn't normal behavior for my bot, which makes just a few trades daily. After a quick inspection of the trades I realized that all of them were made at a loss. That had never happened before, and it's impossible for the bot to make trades at a loss. Also, I had never traded that pair before. I realized that I had been hacked.

And it wasn't a stolen password, it was through API keys. The attacker stole my API key(s) and chose a pair that had very low trading volume, then bought that coin from my account at a high value and sold it at a loss, repeating the process multiple times. Because the volume was very low, the attacker was on the other side, taking my orders; basically he was using my account to buy high from himself (he was placing/taking orders) and to sell low from my account to him. The API keys had only trading, not withdrawal, permissions. Just minutes later, I logged in from my PC and deleted the API keys. Trading stopped. I was roughly 0.4 BTC short.

I contacted Bittrex support afterwards, explained everything, attached the malicious trades and asked whether the attacker had logged in to the web interface or used API keys.

Date: 5 Oct 2017, +19 hrs from placing my ticket. Received an answer. The support employee just posted a generic answer, quote: "Please review your logs on Settings->Summary for IPs that you do not recognize. The system does not make trades that were not placed from within your account. Any trades placed were done so using either your API key or the UI.

We cannot determine what orders you intended to place vs orders placed by someone else.

We understand this is a frustrating situation. While we are sorry that your funds were lost, it is ultimately your responsibility to maintain the security of your login credentials. There is no way to recover your funds at this time. If you have not already done so, we strongly encourage you to do the following:

Always browse directly to https://www.bittrex.com instead of searching for it.

Review your recent browsing history to identify whether you unintentionally visited and surrendered your credentials to any phishing site.

Scan your computer and mobile devices for malicious software.

Change all of your passwords, and take steps to secure your other online accounts.

Change your Bittrex password to a unique and complex password that is not used anywhere else.

Check with your wireless provider to make sure that you have set your wireless account to require a unique PIN in order to make modifications to authorized users of your service.

Enable two-factor authentication on your Bittrex account, and if it was already enabled, disable and re-enable it.

Report the event to your local law enforcement and encourage them to contact us if they need additional information about the incident.

If you have disabled your account, please reply here once you have changed your password and secured your account with two-factor authentication.

If you would like to view your account logon history to conduct research about what happened at the time of compromise, you can view it by clicking “Settings->Summary.”

Again, we are very sorry that this happened to your account. If you have any further questions, please do not hesitate to contact us again.

Thank you,"

Date: 5 Oct 2017, +1.30 hrs from support reply. I requested the API logs, to track which API key the attack was launched from and to trace a possible leak; for example, maybe the attacker stole the key I was using on the trading bot or the Android app. It was impossible for the attacker to log in to my account from the web UI because I'm using 2FA and there were no unknown IPs. All I was asking was to connect the API keys with the trades I had attached before.

Then silence.

I tried to reach customer support 5 days later on their Slack channel. All I got was an answer that my ticket was escalated. 2 days later, same thing. My ticket is escalated. Great. No ETA.

Date: 16 Oct 2017. Ticket update: Knock, knock, anybody here? Still silence, never received an answer from customer support.

Date: 13 Nov 2017. Kicked off the Slack channel because of inactivity. Opened a new support ticket. Posted this topic on Reddit.

I'm a citizen of the EU; is it possible to sue Bittrex for hiding malicious activity on their site? I got hacked by their customer, not some random hacker who hacked my password and withdrew BTC to his address. There were malicious/unauthorized trades. And Bittrex does nothing. They keep logs of trades; they have to know which other account was taking "my" orders at that time.

What should I do? Please help, 0.4 BTC is not small money; I work a daily job 6 days a week, 4 months for that money. That BTC was for organizing an upcoming wedding. Fuck.

submitted by /u/wanemox
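
A defender-side check for the pattern described in the post (a burst of loss-making round trips on a pair the account has never traded), as an added example that is not part of the original post and does not use Bittrex's API. The fill records, the `BTC-XYZ` pair name and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample fills (not real exchange data): ts in seconds, price in BTC.
FILLS = [
    {"ts": 0, "pair": "BTC-ETH", "side": "BUY", "price": 0.0700, "qty": 1.0},
    {"ts": 3600, "pair": "BTC-ETH", "side": "SELL", "price": 0.0710, "qty": 1.0},
    {"ts": 90000, "pair": "BTC-XYZ", "side": "BUY", "price": 0.0005, "qty": 200},
    {"ts": 90030, "pair": "BTC-XYZ", "side": "SELL", "price": 0.0001, "qty": 200},
    {"ts": 90060, "pair": "BTC-XYZ", "side": "BUY", "price": 0.0005, "qty": 200},
    {"ts": 90090, "pair": "BTC-XYZ", "side": "SELL", "price": 0.0001, "qty": 200},
]

def max_burst(rows, window_s):
    """Largest number of fills inside any sliding window of window_s seconds."""
    start = best = 0
    for end, row in enumerate(rows):
        while row["ts"] - rows[start]["ts"] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def review_fills(fills, known_pairs, max_fills=3, window_s=600):
    """Return {pair: {"reasons": [...], "loss_btc": x}} for pairs with >= 2 signals."""
    by_pair = defaultdict(list)
    for f in sorted(fills, key=lambda f: f["ts"]):
        by_pair[f["pair"]].append(f)
    alerts = {}
    for pair, rows in by_pair.items():
        reasons, loss = [], 0.0
        if pair not in known_pairs:                 # pair the account never traded
            reasons.append("new_pair")
        if max_burst(rows, window_s) > max_fills:   # far above the bot's usual rate
            reasons.append("burst")
        buys = [f for f in rows if f["side"] == "BUY"]
        sells = [f for f in rows if f["side"] == "SELL"]
        buy_qty = sum(f["qty"] for f in buys)
        sell_qty = sum(f["qty"] for f in sells)
        if buy_qty and sell_qty:
            avg_buy = sum(f["price"] * f["qty"] for f in buys) / buy_qty
            avg_sell = sum(f["price"] * f["qty"] for f in sells) / sell_qty
            if avg_sell < avg_buy:                  # bought high, sold low
                loss = min(buy_qty, sell_qty) * (avg_buy - avg_sell)
                reasons.append("round_trip_loss")
        if len(reasons) >= 2:
            alerts[pair] = {"reasons": reasons, "loss_btc": round(loss, 8)}
    return alerts

ALERTS = review_fills(FILLS, known_pairs={"BTC-ETH"})
```

An alert from a check like this is the point at which to delete the trading API key, which the poster did by hand minutes after the notifications.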