Tracing my stolen funds stored without due care by GateHub

Dead Donkey
9 min read · Dec 7, 2017


I wanted to write this post to lay out the follow-on actions I decided to take on the incident I recently experienced with GateHub. This is an ongoing matter with them. Just over USD 103,000 (4 January 2018) worth of my investments disappeared in their apparent “100% safe” care (17,900 XRP and 9.25 ETH, converted to 32,000 XRP before it was stolen).

After speaking with regulators, cyber crime and financial crime specialists in my network I came to the conclusion the authorities do not have enough resources to look after the little guys. Sure, the large cases are looked at, but unless your case adds up to many thousands or millions, or if there are many victims of a similar issue coming forward, then sadly chances are the authorities will never get to it.

What I have also found is that there is no service on offer — unless I just don’t know of any — that an individual can call on to investigate cyber or financial crime breaches or incidents. It seems the specialist companies that do exist are only interested in the big corporate cases or where there are hundreds of thousands or millions involved. You can see why; the usual cost / benefit challenge…

I also wanted to put this out there to speak up about the ongoing ‘party’ the cyber criminals are enjoying across the cryptocurrencies space and expose how they operate, so others can see the dangers, but more importantly to give those companies that do perform investigations a bit more info than simply saying: “my funds were stolen, can you help?”.

This will also flush out the complete lack of oversight the wallet providers and exchanges have on financial crime on their platforms, never mind the bad cyber security defences of some.

So, here we go. If you think I’ve got things wrong, let me know — happy to listen and change course.

My goals:

  1. Follow the trail of the stolen funds to see where it ended up, and who has / had it!
  2. Try and figure out the attack vector and vulnerability, and who was at fault.

First Transaction — consolidated funds; preparing for the theft

The first transaction is where the hacker was in my GateHub account and exchanged my ETH for XRP on the GateHub platform.

My XRP address is ‘rPiGtVmyJzHfqZkXVPZUVuHvZDnQjcRr6T’.

This is merely like changing one currency, e.g. USD, for another currency, e.g. GBP. Purely a change of one cryptocurrency for another cryptocurrency, but effectively within the same account.

Image 1 is the transaction details on GateHub, and Image 2 is where it hit the Ripple blockchain. Image 3 is a Bithomp query which provides an indication where the receiving address is registered and provides more detail.

On GateHub (Wallet / Exchange / Ripple Gateway):

Image 1

On Ripple (Blockchain):

Image 2

On Bithomp (Ripple Account Explorer):

In this case, the receiving address is registered in GateHub’s name, which is fine, as that is where one cryptocurrency was exchanged for another cryptocurrency within the same account on GateHub.

Image 3

Second Transaction — actual theft; funds transferred out of my account

The second transaction is where the hacker sent my XRP* from the GateHub platform (from within my account) to an address registered by a user on the Poloniex platform.

Poloniex is another cryptocurrency exchange. These exchanges are like traditional stock exchanges, it is where currencies are traded against each other.

* The XRP I owned, plus the new XRP he/she got from exchanging my ETH.

So really what this appears like is the cryptocurrency (my money!) was transferred to someone who has an XRP account with Poloniex.

On GateHub:

Image 4

On Ripple (Blockchain):

Image 5

On Bithomp (Ripple Account Explorer):

The highlighted address in Image 5 and Image 6 is the address of the hacker (rHdNRDdqB1hSEHmPvCdnJvLU7W7oQsBGVq) where the stolen funds were sent, and the very first address outside of GateHub that received my cryptocurrency.

The red circled transaction is the one in question — see the amount? You can also see the address that sent that amount is my wallet address. Date and time align — that’s my money!

The interesting thing here is the person last used this address on 20 September 2017.

Image 6

How do I know it is Poloniex? You will notice the address starting with ‘rHd’ was activated by a person with address starting with ‘rwv’ (refer ‘Activated by:’ Image 6).

When you then follow that trail — see Image 7 below — you clearly see the address ‘rwv’ was activated by Poloniex.

Image 7

What’s more interesting — if I understand this correctly — is that the person is still very much active on Poloniex. By the looks of things the last time was on 20 October. Oh, did we say cyber criminals are still running riot on the very platforms we trade on every day…?

What happened to my funds

So now that we have seen there is still activity, question is what happened to my funds and who has it.

Back to Image 6. Per Bithomp the address ‘rHd’ (of the hacker) transferred funds (49,500 XRP) to a Changelly* XRP account (see ‘changelly.com, user: 77855’). If you look at the history of the account, that is the amount that includes my stolen funds. The address associated with that Changelly account is ‘rPujGTiw6nKmMvAiUT6UjpFxT9QrDn9kJP’. This address is Changelly’s XRP address.

* Changelly is another wallet and exchange. I contacted them for more information and asked the question if they know the user ‘77855’ on their platform. No response at the time of writing this. Surely the code ‘user: 77855’ must mean something?
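As an added example that is not part of the original post, the following Python models the two lookups used above over a constructed miniature ledger: walking ‘Activated by’ links back from the ‘rHd’ address to a labelled exchange (the Poloniex step), and following payments forward from it until the funds land at a labelled service (the Changelly step). All addresses, amounts and labels are placeholders, and treating Bithomp’s ‘user: 77855’ as an XRPL destination tag is an assumption.

```python
from collections import defaultdict

# Constructed XRPL-style Payment records (amounts in drops; 1 XRP = 1,000,000 drops).
# Addresses are placeholders standing in for the post's rwv.../rHd.../rPuj... accounts.
LEDGER = [
    {"seq": 1, "Account": "rPOLONIEX_HOT", "Destination": "rWV_USER", "Amount": "20000000"},
    {"seq": 2, "Account": "rWV_USER", "Destination": "rHD_THIEF", "Amount": "20000000"},
    {"seq": 3, "Account": "rVICTIM", "Destination": "rHD_THIEF", "Amount": "32000000000"},
    {"seq": 4, "Account": "rHD_THIEF", "Destination": "rCHANGELLY",
     "Amount": "49500000000", "DestinationTag": 77855},  # tag assumed = Bithomp's "user"
]
# Labels an investigator already knows (assumed; Bithomp supplies these in practice).
KNOWN = {"rPOLONIEX_HOT": "Poloniex", "rCHANGELLY": "Changelly", "rVICTIM": "victim"}

def activations(ledger):
    """An XRPL account is created by its first incoming payment: that sender 'activated' it."""
    first = {}
    for tx in sorted(ledger, key=lambda t: t["seq"]):
        first.setdefault(tx["Destination"], tx["Account"])
    return first

def activation_chain(address, ledger, known=KNOWN):
    """Walk 'Activated by' links back until a labelled service (or an unknown root)."""
    act, chain = activations(ledger), [address]
    while chain[-1] not in known and chain[-1] in act:
        parent = act[chain[-1]]
        if parent in chain:        # malformed data could loop; stop rather than spin
            break
        chain.append(parent)
    return chain

def trace_outflows(address, ledger, known=KNOWN, max_hops=3):
    """Follow payments forward from an address until the funds land at a labelled service.
    Returns (label, path, xrp, destination_tag) for each such landing within max_hops."""
    outs = defaultdict(list)
    for tx in ledger:
        outs[tx["Account"]].append(tx)
    found, frontier = [], [(address, [address])]
    for _ in range(max_hops):
        nxt = []
        for addr, path in frontier:
            for tx in outs[addr]:
                dest, xrp = tx["Destination"], int(tx["Amount"]) // 1_000_000
                if dest in known:
                    found.append((known[dest], path + [dest], xrp, tx.get("DestinationTag")))
                elif dest not in path:  # do not revisit an address on this path
                    nxt.append((dest, path + [dest]))
        frontier = nxt
    return found
```

On real data the same two walks would be fed from a ledger history export rather than the inline list, and the 200-transaction window Bithomp exposes is exactly the limit that stops the forward trace at Changelly.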

Let’s take stock

Going back to my goals, on 1 — so far we know where the stolen funds went to and we know Changelly user 77855 has/had it.

We can’t see what happened to the funds from Changelly onwards, as the history I have access to via Bithomp doesn’t go back as far as that — as I said, the hacker’s address is still active on Changelly as we speak… Bithomp only keeps the last 200 transactions public.

Who is this thief, can he/she be identified?

The place we start at is the address that first received the stolen funds (see above), that was ‘rHdNRDdqB1hSEHmPvCdnJvLU7W7oQsBGVq’.

Google didn’t yield any results on that address.

There is no point in searching Google for address ‘rPujGTiw6nKmMvAiUT6UjpFxT9QrDn9kJP’ as that is Changelly’s XRP address.

So really we are at the mercy of Changelly to come up with who the user 77855 is. The expectation is KYC/AML would have been done, right? So they ought to know who the person is…

Even though I contacted Changelly, I am not holding my breath as they can just cite customer confidentiality and say they can’t release the details.

Goal 2 — Identify attack vector and who was at fault

I know for a fact my network, devices, email or credentials were not compromised.

The reason I want to identify this is to approach GateHub to hold them accountable if they were hacked or due to a software malfunction.

Access Logs:

I accessed my GateHub account and found an access log. I could see that the following IP address, which does not belong to me, accessed my account via Chrome on Sep 19, 2017 at 16:07:07 PM — the same day the attack took place.

2602:ffc8:1:c:9cbd:c2a6:f420:3bd7 (United States IP)

I don’t use any VPN software.

However, the time of the theft was Sep 19, 2017, 15:08. So that means the theft took place before the unknown IP accessed my account — this could just be a time difference between the app and the IP logger, as I know the GateHub team works from Slovenia, and between there and the UK there is a 1 hour time difference.

The other odd thing here is the thief got into my account and within 1 minute knew exactly what to do: he/she accessed my account, exchanged ETH for XRP, and then transferred XRP out of my account to another account. All within 1 minute? Very strange! Either the person knew how to navigate GateHub (insider?) or it was a system glitch.

Device Logs:

GateHub also has a device log, and the same address is on there, but on a different date, Sep 27, 2017, via Chrome (Windows).

2602:ffc8:1:c:9cbd:c2a6:f420:3bd7 (United States IP)

GateHub Email Notification:

GateHub sends emails every time an IP logs into your account they don’t recognise. I also got an email on the day the thief accessed my wallet. GateHub still allowed access to the thief’s IP address (2602:ffc8:1:c:9cbd:c2a6:f420:3bd7) even though I did not “Allow Access” as requested by GateHub’s email (see below image 8 for email). So why did GateHub allow access to my wallet from an unknown IP address without my approval?

Image 8

Engaged Cyber Security Professionals (independent of each other):

I got two independent freelance cyber professionals to look at my issue. Here are their responses/findings.

Cyber Professional 1:

  • Because of the method of attack it appears the hacker got into the GateHub user interface then jacked some accounts.
  • It could possibly be an ex-associate or employee, someone familiar with their systems.
  • It’s almost impossible to crack your passwords and snake through brute force.
  • The way they accessed it seems like it was routed through back end.

Cyber Professional 2:

  • I’m pretty confident based on what I’ve seen that your GateHub account was compromised through their web interface and that your network wasn’t compromised. It’s unfortunately all too common.
  • You got an email notice that your account was being accessed by an unknown device (image 8).
  • You didn’t give it access and there are logs showing that it was accessed by an unknown VPN.
  • Even if they lifted a password by hacking you directly, their security should have stopped any unknown device from accessing your account without your authorisation.
  • That email asking if you wanted to allow the new device either did not work or was likely spoofed by the hacker exploiting a bug on their site.

Other findings

  • During my search on Google, I found another user whose XRP was also stolen, by the same address! This person lost 700,000 XRP, which in today’s value is USD 2.7m! That is an awful lot of money. Since then, three more users have come forward responding to my initial post, who lost 20k XRP, 62.5k XRP and 330k XRP respectively. Clearly something is not working with GateHub’s systems…
  • No doubt the hacker / address that took my crypto is still active — the total theft can easily go into the millions.
  • It appears funds are transferred back and forth between various exchanges and so the hacker layers the crypto across various addresses with the sole intention to confuse the trail.

Conclusion:

  • We know AML/Sanctions regulation exist. So ID&V should have been done via KYC. Surely Changelly and Poloniex know the identities behind the address I mentioned…
  • Why did GateHub allow access to my account for an unknown address even though I did not ‘Allow Access’ on the email…?
  • I do not have a tool / utility to pursue this and ‘pull the string’ on this one address (and associated addresses) to see where it ends up, but if my findings are correct the web of this criminal operation is HUGE, with many millions at stake, and still active as of today (15 Dec).
  • Changelly did not get back to me about the hacker on their system. So what’s next?

Questions from my end

  1. Did I interpret the Bithomp activations correctly? (I emailed Bithomp twice now, and sent them a tweet — no reply)
  2. Why do some Bithomp entries not have names noted, or names next to ‘Activated by’ noted? How can I find the names? The funds received — is that in Poloniex, or where? See image 3 vs image 6. (I emailed Bithomp twice now, and sent them a tweet — no reply)
