Conversations With a Crypto Hacker

It started around 9PM on Wednesday night. I was in the office sitting at my desk when I received a Twitter message from a friend, we’ll call him Robert. On that night, Robert and I had a series of conversations where an urgent matter had compelled him to request that I send him Bitcoin. The screenshots in this post depict a conversation I had with the hacker that gained access to Robert’s Twitter account by means of a phone porting attack in conjunction with a phishing attack.

It began as a casual conversation. Robert had asked me for a huge favor. Prior to him indicating what the favor was, I offered to send a large amount of Bitcoin. Cryptocurrency savvy hackers will request payments in Bitcoin, although traceable and public, Bitcoin payments are instant and non-reversible making it a convenient choice.

The hacker joked, requesting a smaller amount of Bitcoin. At this point it was not clear whether Robert had been compromised as it appeared as a sarcastic response just as much as it appeared a legitimate request. Regardless, I agreed.

In order to continue the conversation, the hacker was provided with the impression that the funds had been sent to a pre-determined address. The hacker insisted on receiving a payment at an alternate Bitcoin address.

The hacker was provided with the impression that we were participating in an exclusive ICO presale. This was done in order to retrieve the hacker’s Ethereum address for a reason to be discussed later.

In exchange for my Bitcoin, I had requested that the hacker send me Ethereum.

The hacker was unimpressed. I located a recently sent transaction for around 10 BTC and sent hacker the transaction ID in order to prove that I had sent the funds. There was no way for the hacker to verify whether Robert and I had agreed to use that address through another means of communication.

Still, the hacker insisted.

After retrieving the hacker’s Ethereum address, it was time to reveal my cards.

There have been many high profile cryptocurrency hacks in 2017. It is common for a hacker or the general public to send what is known as a F*** Token into the compromised contract or address. This is a means by which a hacker can mark their territory and can be observed with The DAO contract.

With the hacker’s Ethereum address in play, I decided to purchase some F*** Tokens.

With the F*** Tokens in hand, the hacker was alerted that they received the Ethereum payment. The hacker had received 1 F***.

How to Protect Yourself

Unfortunately phone porting attacks have become all too common. The following guidelines can help reduce the risk of being subject to such an attack:

  1. Setup all of your accounts with a non-SMS based two-factor authentication mechanism like Google Authenticator or Yubikeys. Set this up on your email at the very least as it is the most common source of vulnerability.
  2. Use a password manager to auto-generate all of your passwords. If your username and password do not auto-populate in the username and password field, you are being phished.
  3. Always confirm cryptocurrency transactions through multiple channels, by email and by verbal communications.