Large sum of crypto currency stolen by someone on the same exchange as me


Kryptous

Crypto Coins News - Ratings - Reviews


 

The Situation

I am a software engineer, but sometimes a very stupid one. I made a mistake and accidentally committed my API key and Secret key to a public repository, where I was developing a trading app, free for the general public. This key is used to make trades and view account balances on a crypto-currency exchange (no password required).

 

After committing it, I realized my mistake and logged onto my crypto-exchange account to amend the mistake. I deleted the keys, or so I thought, and logged off, and that's that. Meanwhile, unbeknownst to me, a thief developed a script which would transfer my funds from my account to his account by executing rapid-fire transactions within the spread of the chosen crypto-currency.


The Thief's Technique

Sounds complicated? It's not. Here's how it works: the attacker will write a script which sends buy and sell commands to the crypto exchange API. First he gets my account to sell at the price just below the current lowest sell price of a crypto, then he will get his account to buy at the same price. The transaction is completed. Now he gets his account to sell at the price just above the current buy price, and gets my account to buy at the same price. Again the transaction is completed and the thief is now a little richer, while I'm a little poorer.

 

For example, if BTC was selling for $501 and the lowest buy order was $500, the thief would get my account to sell at $500.01, then he would buy at this value. Then he would sell at the higher price of $500.99 and get my account to buy at this price. Each transaction in this example would transfer 98c across.

 

Of course Bitcoin is not the best crypto to use in this attack; rather, cryptos with larger spreads were used instead. This way the amount transferred was maximized for each iteration of the 4-step sequence. I call this technique the Crypto Spread Attack.

 

The following chart shows 4 transactions, out of over a thousand transactions that occurred.

Transaction #   User    Exchange   Type         Quantity   Limit
1               Me      BTC-NXC    LIMIT_SELL   4900       0.00000279
2               Thief   BTC-NXC    LIMIT_BUY    4900       0.00000279
3               Thief   BTC-NXC    LIMIT_SELL   4900       0.00000287
4               Me      BTC-NXC    LIMIT_BUY    4900       0.00000287

 


The Aftermath

Now the technique used is not super important, but what is, is that his transactions are completely trackable and the exchange will know with 100% certainty who performed the attack. Every user on the exchange is verified; in other words, they have had to submit many copies of different forms of ID. So he has stolen this money in full daylight.

 

I have contacted the Exchange and the Repository host, for information about the thief. My repository wasn't very popular, so it was only visited a few times within the vulnerability period. The Repository host should be able to tell who looked at what files and when (by IP). Also they may even be able to tell which user account looked at these files – if the thief was logged in at the time.

 

Now I am waiting for the information from the two parties, but I thought I would let you guys know, just in case I have missed something. Is there anything else I can do here? Should I try to contact the thief by leaving him a note on my repository? Should I try to track the transactions in the blockchain?

If someone has any information that might be of use, please share.

 


Note to the Thief

If you are the thief, please know you are in trouble and will not get away with this crime. I will pursue this until I find you and I will make sure justice is served. What you did was wrong and I hope you feel even a fraction of how broken I feel. I am not even rich; you have stolen half of my entire life's savings. Many years' worth of savings that I have been investing for the future. Now my future is unknown.

You can make this right.

Please do the right thing.

BTC Addr: 34okmWfnKUm6JKwxe5d8R1YBVBcYwaJbo4

submitted by /u/PeacefulGiant
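
A surveillance-side check for the pattern the post describes, as an added example that is not part of the original post or any exchange's code: it pairs matching limit orders into fills, then totals what one account loses by selling low to, and buying back high from, the same counterparty. The account names, tuple layout and `min_trips` threshold are assumptions; the first four rows are the orders from the post's chart.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: the four orders from the post's chart plus one unrelated trade.
# Layout (assumed): (sequence, account, market, type, quantity, limit price)
ORDERS = [
    (1, "me",    "BTC-NXC", "LIMIT_SELL", 4900, "0.00000279"),
    (2, "thief", "BTC-NXC", "LIMIT_BUY",  4900, "0.00000279"),
    (3, "thief", "BTC-NXC", "LIMIT_SELL", 4900, "0.00000287"),
    (4, "me",    "BTC-NXC", "LIMIT_BUY",  4900, "0.00000287"),
    (5, "carol", "BTC-NXC", "LIMIT_SELL", 100,  "0.00000288"),
    (6, "dave",  "BTC-NXC", "LIMIT_BUY",  100,  "0.00000288"),
]

def match_fills(orders):
    """Pair each order with a resting opposite order at identical market, qty and price.
    Simplification: one resting order per (market, qty, price, side)."""
    resting, fills = {}, []
    for _seq, acct, market, side, qty, price in sorted(orders):
        key = (market, qty, Decimal(price))
        opposite = "LIMIT_BUY" if side == "LIMIT_SELL" else "LIMIT_SELL"
        other = resting.get(key + (opposite,))
        if other is not None and other != acct:
            del resting[key + (opposite,)]
            seller, buyer = (acct, other) if side == "LIMIT_SELL" else (other, acct)
            fills.append((market, qty, Decimal(price), seller, buyer))
        else:
            resting[key + (side,)] = acct
    return fills

def round_trip_losses(fills):
    """Map (loser, gainer) -> (round trips, total loss in the quote currency)."""
    pending = defaultdict(list)  # (market, qty, seller, buyer) -> unanswered sell prices
    losses = defaultdict(lambda: [0, Decimal(0)])
    for market, qty, price, seller, buyer in fills:
        earlier = pending[(market, qty, buyer, seller)]  # buyer sold to this seller before?
        if earlier and price > earlier[0]:
            low = earlier.pop(0)          # buyer sold at `low`, now buys back higher
            stats = losses[(buyer, seller)]
            stats[0] += 1
            stats[1] += qty * (price - low)
        else:
            pending[(market, qty, seller, buyer)].append(price)
    return {pair: tuple(stats) for pair, stats in losses.items()}

def flag_drains(orders, min_trips=1):
    """Return (loser, gainer) pairs with at least min_trips losing round trips."""
    found = round_trip_losses(match_fills(orders))
    return sorted(pair for pair, (trips, _loss) in found.items() if trips >= min_trips)

if __name__ == "__main__":
    print(round_trip_losses(match_fills(ORDERS)), flag_drains(ORDERS))
```

On the chart's four orders this reports one round trip between the two accounts costing 0.000392 BTC; over the thousand-plus transactions the post mentions, the same pair would dominate the totals, which is what a threshold on `min_trips` or on total loss would alert on.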