Internet Security Blog - Hackology
Localbitcoins Hacked

LocalBitcoins Users Scammed in Advanced Phishing Attack : BTC Stolen



Users of Bitcoin trading service LocalBitcoins have been targeted by hackers as part of a phishing scam. Forum users were being redirected to a phishing site, which was prompting the users to input two-factor authentication codes that were used to access user accounts and empty them of all their Bitcoin.

Just three days back I published an article about Top Phishing Attacks and their Severity, and today LocalBitcoins, one of the most credible and famous Bitcoin trading platforms, fell prey to a phishing attack which resulted in almost $30,000 worth of BTC stolen. Cryptocurrency hacks and scams are not new and I cover the most famous ones, but phishing attacks on such a reputable platform are a head turner.

How LocalBitcoins was Hacked

LBC was not hacked in its entirety; rather, the hackers used a phishing attack on the LocalBitcoins forums. LBC staff were very prompt in disabling the forums, and they are still disabled as I type this article.

Image: LBC forums disabled after the phishing attack, with a read-only copy of the forum available for users' convenience.

Let me step through how the hack occurred, as it was done with careful planning:

  • Logged-in users who tried to access the forums were asked to log in again: they were redirected to a phishing page that presented a fake login form. Unfortunately no screenshot of the phishing login page could be saved; if you have seen one, please share it so it can be added.
  • Hackers opened trades with some users and tried to redirect them to the forum, the place where their phishing page was hosted.

    Image: Attempts to redirect LBC users to the hacked forums.
  • The above procedure allowed the hackers to obtain the email, password (probably through cookie session hijacking) and 2FA code (for those who had it activated). The fact that everyone received the "2FA screen" twice means that the first login page was the fake one and the second was the actual LBC login screen, so that users were still able to log in to their accounts.
  • Hackers used an automated script here, as 2FA codes expire pretty quickly, and proceeded with two techniques:
    • Hackers started a sell trade with the victim for all available BTC in their wallet at a very low price ($1000 / BTC)
    • Hackers moved the available BTC in the victim's account to external wallets
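The "2FA screen twice" observation is the signature of a real-time relay: the victim types a live code into the fake page, the attacker submits it to the real site, and the victim then submits the same code again on the genuine screen. The following is an added example (not LocalBitcoins code; the secret, timestamps and the `TotpVerifier` class are constructed) of RFC 6238 TOTP verification that accepts each code only once, so whichever submission arrives second is refused and leaves an audit record instead of silently succeeding.

```python
import hashlib
import hmac
import struct

# Added example, not LocalBitcoins code: RFC 6238 TOTP verification that
# accepts each time-step's code only once. In the relay described above the
# victim's live code is submitted twice (once by the attacker via the phishing
# page, once by the victim on the real screen); with single-use enforcement
# the second submission is refused and logged.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server-side verifier that remembers the highest time-step already used."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window      # tolerate +/- this many steps of clock skew
        self.digits = digits
        self.last_counter = -1    # highest time-step whose code was accepted
        self.audit = []           # (outcome, time-step) records for the SOC

    def verify(self, code: str, now: float) -> str:
        # Reject anything that is not an ASCII digit string of the right length
        # before comparing, so user input cannot reach compare_digest malformed.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            self.audit.append(("invalid", int(now // self.step)))
            return "invalid"
        base = int(now // self.step)
        for counter in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter <= self.last_counter:
                    # Same (or older) time-step seen again: relay or replay.
                    self.audit.append(("replayed", counter))
                    return "replayed"
                self.last_counter = counter
                self.audit.append(("ok", counter))
                return "ok"
        self.audit.append(("invalid", base))
        return "invalid"


def relay_scenario(secret: bytes = b"12345678901234567890", now: float = 1_000_000.0):
    """Constructed timeline: the attacker relays the victim's live code, then the
    victim submits the very same code on the genuine login page seconds later."""
    verifier = TotpVerifier(secret)
    victim_code = totp(secret, at=now)                  # code shown in the victim's app
    attacker = verifier.verify(victim_code, now + 2)    # relayed from the phishing page
    victim = verifier.verify(victim_code, now + 5)      # victim's own second attempt
    return attacker, victim


if __name__ == "__main__":
    print(relay_scenario())   # ('ok', 'replayed')
```

Single-use enforcement does not stop the attacker who relays first, but it turns the victim's second attempt into a hard failure plus an audit entry, which is exactly the moment a user (or a monitoring rule watching for "replayed" outcomes) can catch the account takeover before the automated sell and withdrawal run.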

Who Hacked LocalBitcoins

The phishing attack on LocalBitcoins was carried out by unknown hackers, and I have been able to gather limited details, including an LBC profile along with one external BTC wallet.

  • The artur.d profile was created just 4 days prior, and LBC users have reported that the same profile opened trades with them without their knowledge, as you can also see in the image above. LocalBitcoins profile of artur.d: https://localbitcoins.com/p/artur.d/


Image: LocalBitcoins profile of Artur.D, the hacker.

  • The BTC wallet to which the hackers were able to move around 7.9 BTC before LBC staff promptly disabled external transactions, making it difficult for the hackers to succeed further. The BTC wallet address is 13WaahhsiGph4ysmQtjVhVTdgQUSL62KJr, and the 7.952 BTC in transactions can be seen on the blockchain. The hackers have since moved all the stolen bitcoin onto different exchanges, so it won't be possible to track them any further.

    Image: Hackers took LocalBitcoins BTC and moved them to other exchanges.

Is LocalBitcoins Safe for Trading?

Yes, you can proceed and trade on LBC, as the phishing attack was carried out on the forums, which have already been disabled by the staff. As always, follow the safety precautions and stay alert: check which website you are logging in to, turn on 2FA if you have not already done so, and keep a different password for LBC and for the email account you used to sign in.

Will LocalBitcoins Reimburse the Users?

Many of the users who fell for the attack have already been reimbursed with the amount they lost, although it is not yet clear whether LBC will reimburse the users whose BTC left the LBC system and went to external exchanges. As the amount of stolen BTC is only 7.9 BTC, everyone is hoping that LBC will reimburse that amount as well, since this hack was the fault of the website and not the users.

Phishing Attack or DNS Spoofing?

I have been reading on Reddit and the LBC forum that people are saying it is not a phishing attack but rather DNS spoofing, which would put all the blame on LBC. This phishing attack was also the fault of LocalBitcoins, but in this attack the chances of the LBC server getting compromised are less, while in a DNS attack the chances are pretty high.

LocalBitcoins staff have not yet shared the details of how the hack went down, as you can see in their statement:

Image: LBC staff announcement after the hack.

Why I believe that it was a phishing attack is because of the number of affected users: 6 users. Had it been a DNS attack, the number of affected users would have been really high, and the amount of bitcoin stolen would again have been very high. I will update this if any details are shared by the LBC team.

Another reason to believe that it was a phishing hack is that some users have reported on Reddit that they were forced to visit the forums after a trade was opened with them by the hackers; had this been a DNS spoof, none of that would have been required.

What Can LocalBitcoins Do?

This hack will have made the LBC team worried, as it could have been worse. I do personally think LBC always tries to keep the system simple, reducing the chances of such attacks even if it compromises UI and features. There is always room for improvement, and LBC might need the same.

  • Security Bounties – LocalBitcoins does not have any credible bounty program for bounty hunters. A HackerOne bounty program attracts bounty hunters to perform and submit responsible disclosures, helping the website with its security.
  • Public Certificate Pinning – Public certificate pinning would maintain a valid cert for 6 months, and it would have been easier for users to identify a phishing attack.
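Beyond the two suggestions above, the attacker's own sequence (login from a fresh address, immediate sell of the whole balance at $1000/BTC, then an external withdrawal) is a pattern the platform can hold for review server-side. The following is an added example (not LocalBitcoins code; the event schema, IP addresses, balances, the $4000/BTC reference price and the thresholds are all constructed) of a risk rule over such an event stream.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example, not LocalBitcoins code: hold trades and withdrawals for review
# when they follow a login from an IP address never seen for that user by only
# a few minutes, matching the automated sequence described in this post.
# All events, addresses, balances and thresholds below are constructed.


@dataclass
class Event:
    ts: float                # seconds since epoch (constructed)
    user: str
    kind: str                # "login", "sell_trade" or "withdrawal"
    ip: str = ""
    price_usd: float = 0.0   # sell_trade: asking price per BTC
    amount_btc: float = 0.0  # sell_trade / withdrawal: amount of BTC


@dataclass
class Alert:
    user: str
    reason: str
    event: Event


def post_login_risk(events: List[Event], balances: Dict[str, float],
                    market_price_usd: float,
                    known_ips: Optional[Dict[str, Set[str]]] = None,
                    window_s: float = 600.0, max_discount: float = 0.25,
                    full_balance_ratio: float = 0.9) -> List[Alert]:
    """Flag underpriced sells and near-full withdrawals that occur within
    `window_s` of a login from an IP address not previously seen for the user."""
    seen_ips: Dict[str, Set[str]] = {u: set(v) for u, v in (known_ips or {}).items()}
    new_ip_login_ts: Dict[str, float] = {}
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            ips = seen_ips.setdefault(e.user, set())
            if e.ip not in ips:
                new_ip_login_ts[e.user] = e.ts   # start the high-risk window
                ips.add(e.ip)
            continue
        started = new_ip_login_ts.get(e.user)
        if started is None or e.ts - started > window_s:
            continue   # no recent new-IP login: normal processing
        if e.kind == "sell_trade" and e.price_usd < market_price_usd * (1 - max_discount):
            alerts.append(Alert(e.user, "underpriced_sell_after_new_ip_login", e))
        elif e.kind == "withdrawal" and e.amount_btc >= full_balance_ratio * balances.get(e.user, 0.0):
            alerts.append(Alert(e.user, "near_full_withdrawal_after_new_ip_login", e))
    return alerts


def demo_alerts() -> List[Alert]:
    """Constructed event stream modelled on the incident timeline."""
    t0 = 1_548_000_000.0
    events = [
        Event(t0, "alice", "login", ip="10.0.0.5"),                 # her usual address
        Event(t0 + 3600, "alice", "login", ip="203.0.113.9"),       # phished session
        Event(t0 + 3630, "alice", "sell_trade", ip="203.0.113.9", price_usd=1000.0, amount_btc=1.2),
        Event(t0 + 3640, "alice", "withdrawal", ip="203.0.113.9", amount_btc=1.2),
        Event(t0 + 3700, "bob", "login", ip="198.51.100.7"),        # known address, normal trade
        Event(t0 + 3720, "bob", "sell_trade", ip="198.51.100.7", price_usd=3900.0, amount_btc=0.1),
        Event(t0 + 9000, "alice", "withdrawal", ip="10.0.0.5", amount_btc=0.05),  # outside the window
    ]
    known = {"alice": {"10.0.0.5"}, "bob": {"198.51.100.7"}}
    balances = {"alice": 1.25, "bob": 2.0}
    return post_login_risk(events, balances, market_price_usd=4000.0, known_ips=known)


if __name__ == "__main__":
    for a in demo_alerts():
        print(a.user, a.reason, a.event.ts)
```

The rule deliberately keys on a new-IP login rather than on the 2FA outcome, because in this incident the attacker's login was otherwise valid; holding the first underpriced trade or large withdrawal after such a login for a second confirmation is what would have stopped the automated script before funds left the platform.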

What's your take on the incident, and how do you suggest one can stay more "secure"?


