Bitcoin Stolen From Indian Exchange User Despite OTP Authentication

[Martin ◢◤]

Makrand, a fictitious name used for a Bengaluru data scientist and bitcoin investor, got his bitcoinaccount hacked at Unocoin, an exchange for digital currencies in India, with him losing approximately 120,000 INR (about $1,870) within a few minutes.

On June 1, Makrand logged into his Unocoin account using the smartphone app of the exchangewith the intention to purchase BTC. As soon as the transaction was complete, he received an email from Unocoin with a link to reset his password. The email was almost immediately followed by another confirming the successful password reset. When Makrand checked his account, he realized that there were two unauthorized transactions, one for 0.40049 BTC and the other for 0.3005 BTC, followed by a third with the same amount as the last one, but, fortunately, it did not go through.

“The thing with Bitcoin is that the users behind the transactions are anonymous until and unless they voluntarily reveal their identity,” Makrand said in an interview with the news publication FactorDaily.

However, the hack was not easy. To gain access to Makrand’s bitcoin wallet, the criminal or criminals needed to get inside the victim’s Gmail account to obtain the password reset link, and needed access to Makrand’s phone number, on which he receives the OTP (one-time password) for transaction authentication.

Quote

“The hack seems to have happened on the Unocoin server where both the password reset link and OTP are generated,” Makrand said.

After Makrand researched the hack, he discovered that the breach was done from an IP address based in Chicago, US from a service called QuadraNet. However, this information is not sure, since there are numerous different proxies and VPN services, which could be used to mask someone’s IP address.

Soon after the breach, Makrand tried to move his balance out of his account, however, Unocoin stopped him from doing so, and fortunately, the third transaction of the hackers too.

After that, Makrand visit to Unocoin’s office to seek solution for the problem. He was asked by an executive to file a complaint about the two transactions, and promised Makrand that they will cooperate with the cybercrime division of the police. Unocoin also said that they have three or four of these hacks per month, totalling the number to nine cases.

Unocoin showed full cooperation with Makrand, saying that they will share logs for logins and transactions with the affected user or authorities for further investigation.