Binance Square
kaymyg

cont'd

9. Make it a habit to regularly review your security and establish a standard operating procedure. Attackers can remain dormant and wait for the right moment to strike after waiting a very long time.

FWIW I do have a hardware wallet, this was not compromised. Yes, you should use hardware wallets when you can, obviously. Also, to those who are alleging this is to dodge taxes, know that taxes from theft or hacks can no longer be deducted since 2017.

The final tally is about $677k. Unfortunately the user has begun Tornado'ing. I do have some additional clues on the attacker but will keep them discreet at this time for the sake of continuing to determine the user's identity. I've also since filed a police report and reported it to the CEXs that the attacker sent some of my funds through.

It's a long shot, but I am willing to offer a $150k bounty for return of the funds, no questions asked and no further investigation. I would also consider a bounty-based forensics service (upfront-pay services, don't bother). An expensive lesson, but I'm still here. A painful setback, but the show must go on.

Above investigation was prompted by this post:

(@sell9000

Just realized I got $500k drained from multiple wallet apps 46 hours ago

Think I got extension attacked, with two suspicious extensions that appeared on my chrome browser

does not feel good fam

still investigating )

(@sell9000)

PSA re: an expensive opsec lesson
At this time I have confirmed that it was a Google login that caused this compromise. An unknown Windows machine gained access about half a day before the attack. It also spoofed the device name, so the new-activity alert notification (which occurred early morning while I was asleep) appeared similar to devices I normally use (it may have been a calculated gamble on a common device name unless I was specifically targeted).
Upon further investigation, this device is a VPS hosted by #KaopuCloud, a global edge cloud provider that is shared among hacker circles on Telegram and has been used in the past for #phishing and other malicious activities by shared users.
I do have 2FA enabled, which the user managed to bypass. I have yet to determine exactly how this was achieved, but possible attack vectors were OAuth phishing, cross-site scripting, or a man-in-the-middle attack on a compromised site, followed by possible additional #Malware. In fact, an #OAuth endpoint attack has apparently recently been reported to hijack user session cookies (https://darkreading.com/cloud-security/attackers-abuse-google-oauth-endpoint-hijack-user-sessions…). Be extremely careful if you have to use Sign In From Google.

Takeaways:
1. Bitdefender sucks, it caught nothing while Malwarebytes caught a bunch of vulnerabilities after the fact.
2. Do not become complacent just because you were moving large figures for years without issues.
3. Never enter a seed, period, no matter what reasonable excuse you give yourself. Not worth the risk, just nuke the computer and start fresh.
4. I'm done with Chrome, stick with a better browser like Brave.
5. Preferably never mix devices, and have an isolated device for crypto activities.
6. Always check the Google Activity alert if you are continuing to use Google based devices or authentication.
7. Turn off extension syncing. Or just turn off syncing, period, for your isolated crypto machine.
8. 2FA is clearly not bulletproof, don't become complacent to it.
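The "two suspicious extensions that appeared" and takeaway 7 above point to a concrete check a practitioner would want to run on a profile after an unexpected Google login. The following is an added example, not code from either poster: a Python script that reads a Chrome profile's Secure Preferences JSON, flags extensions that are not on a personal allowlist, were not installed from the Chrome Web Store, or were installed inside a suspect time window (the hours between the unknown login and the drain), and reports whether extension sync is turned on. The sample preferences, extension IDs and timestamps are constructed; the key names `extensions.settings`, `from_webstore`, `install_time`, `sync.extensions` and `sync.keep_everything_synced` are assumptions about Chrome's preference layout and may differ between Chrome versions.

```python
import json
from datetime import datetime, timedelta, timezone

# Chrome stores install_time as a decimal string of microseconds since
# 1601-01-01 UTC (base::Time). These two helpers convert in each direction.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def chrome_time(dt: datetime) -> str:
    return str(int((dt - CHROME_EPOCH).total_seconds()) * 1_000_000)


def from_chrome_time(value: str) -> datetime:
    return CHROME_EPOCH + timedelta(microseconds=int(value))


def load_prefs(path: str) -> dict:
    """Load a profile's 'Secure Preferences' (or 'Preferences') JSON file.
    Typical location on Windows (assumed):
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Secure Preferences"""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_extensions(prefs, allowlist, window_start, window_end):
    """Return one finding per extension that trips any of three checks:
    - its ID is not on the user's allowlist (new or unexpected extension),
    - it was not installed from the Chrome Web Store (sideloaded/external),
    - its install time falls inside the suspect window."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})  # assumed key path
    for ext_id, entry in settings.items():
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not in allowlist")
        if not entry.get("from_webstore", False):
            reasons.append("not from Chrome Web Store")
        if "install_time" in entry:
            installed = from_chrome_time(entry["install_time"])
            if window_start <= installed <= window_end:
                reasons.append("installed inside suspect window at " + installed.isoformat())
        if reasons:
            name = entry.get("manifest", {}).get("name", "<no manifest>")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


def extension_sync_enabled(prefs) -> bool:
    """Whether extensions sync to the Google account (assumed pref keys).
    Chrome's default is to sync everything, so a missing key counts as on."""
    sync = prefs.get("sync", {})
    return bool(sync.get("keep_everything_synced", True) or sync.get("extensions", False))


def _t(y, mo, d, h=0, mi=0):
    return chrome_time(datetime(y, mo, d, h, mi, tzinfo=timezone.utc))


# Constructed sample: two long-standing Web Store extensions plus two that
# appeared a few hours before the drain. IDs are made up (Chrome IDs are 32
# letters a-p); they are not real extensions.
ALLOWLIST = {"aaaabbbbccccddddeeeeffffgggghhhh", "bbbbccccddddeeeeffffgggghhhhiiii"}
SUSPECT_WINDOW = (datetime(2024, 2, 20, 20, 0, tzinfo=timezone.utc),
                  datetime(2024, 2, 21, 12, 0, tzinfo=timezone.utc))
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {"manifest": {"name": "Password Manager"},
                                             "from_webstore": True, "install_time": _t(2023, 6, 1)},
        "bbbbccccddddeeeeffffgggghhhhiiii": {"manifest": {"name": "Wallet"},
                                             "from_webstore": True, "install_time": _t(2023, 9, 15)},
        "ccccddddeeeeffffgggghhhhiiiijjjj": {"manifest": {"name": "Wallet Helper"},
                                             "from_webstore": False, "install_time": _t(2024, 2, 21, 3, 12)},
        "ddddeeeeffffgggghhhhiiiijjjjkkkk": {"manifest": {"name": "PDF Tools"},
                                             "from_webstore": True, "install_time": _t(2024, 2, 21, 3, 13)},
    }},
    "sync": {"keep_everything_synced": False, "extensions": True},
}


def run_sample():
    return audit_extensions(SAMPLE_PREFS, ALLOWLIST, *SUSPECT_WINDOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f["id"], f["name"], "; ".join(f["reasons"]))
    print("extension sync enabled:", extension_sync_enabled(SAMPLE_PREFS))
```

Against the constructed sample the two allowlisted extensions pass and the two that appeared in the suspect window are reported, the sideloaded one with an extra "not from Chrome Web Store" reason. On a real profile, replace `SAMPLE_PREFS` with `load_prefs(...)`, seed the allowlist from a known-good snapshot of the same file, and set the window from the timestamp in the Google "new sign-in" alert; the install time tells you whether the extension arrived through sync from the compromised account or was planted on the machine.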