Successful intrusion into our website led to theft of coins from select accounts

Document updated on Dec 17 at 3:26 PM CST.

During the afternoon of last Wednesday, December 8, a perpetrator bypassed our security locks and broke into several VIP user accounts. He changed the users' emails and placed withdrawal requests.

Since most of those accounts had elevated privileges, the withdrawals were broadcast immediately. Two withdrawal requests from a "normal" account waited for admin approval, but the co-admin in charge failed to recognize the threat and approved them.

After the withdrawals took place, a bot that monitors a specific account started sending warnings about a lack of funds. We checked our logs, noticed the email/IP changes on one of our admin accounts, and started the investigation immediately.

Our first step was to block the offender's network and suspend all withdrawals to avoid further damage.

The stolen funds

¹ Absorbed coins are those from BCF team members who accepted the loss, plus our own.
² Stolen GRWI were secured by Unnamed Exchange. See updates below.
³ The Onix team induced a fork to undo transactions. See updates below.

Preemptive steps

The perpetrator selectively chose accounts with high balances, which belong to team members of some of the coins we support. Once we restored access to those accounts, we emailed the owners and started a Telegram group to discuss the problem with them directly. We prepared a report with detailed data on the lost balances.

Once we had notified the affected users, we started making changes to our systems to enforce checks on impersonation attempts at a deeper level, and then added two security layers: one is optional for everyone to use and the other is mandatory.

First actions

Since the coins that took the most damage were Growers and Onix, and we had helped integrate several systems on their end, we got in touch immediately. We met with the core team at Unnamed Exchange, who confirmed that they had received all the Growers being sent from here. They had also noticed the huge amount of Panda coming in (they even tweeted about it), so we started a three-way plan to get those coins back.

Regarding the stolen Onix, their team is working on a solution to take the coins back, and we'll notify our entire user base of whatever solution they decide on.

That said, the plan is to limit the damage to the Growers/Onix projects while it is still at an early stage.

Regarding the stolen Panda that were apparently sent to Unnamed, we'll work with their developer to see how much we can recover.

The rest of the coins will be reimbursed to their original owners as soon as we're ready.

Changes in our security measures

  • Added further checks to withdrawals before they're submitted.
  • Restricted access to all admin and "system helper" accounts to specific locations.
  • Added real-time IP change checks to all accounts.
  • Added an option for all users to whitelist their common login locations.
  • Changed internal methods that handle user sessions.

One of these measures will impact users who log in from their phone while constantly on the move or with a high rate of IP address rotation. We're sorry for that, but security is really important to us.

Further steps

  • Both GRWI and Onix are in maintenance mode.
  • The GRWI/Onix swap is suspended.
  • All withdrawals are suspended.

We still have some security measures to implement in our systems, and once we're done we'll go through an audit with a security firm. We'll elaborate on that afterwards.

Withdrawals will be restored in a couple of days.

We'll keep updating this post as soon as more information is available.

Please make sure you follow us on any of our social channels so you get notifications as soon as they're pushed.

Updates

[December 10, 2021 5:19 PM CST] - Onix statement published

  • The Onix team published an announcement regarding the impact of the hack on their project. Read it here.

[December 11, 2021 5:19 PM CST] - Updated amounts stolen

  • After taking the time to review the server logs, we discovered that other accounts had been compromised. We've sent notifications to the other users and updated the table at the top.

[December 12, 7:46 PM CST] - Added information to the stolen amounts table

  • Segregated the information in the stolen funds table at the top.
  • The Unnamed Exchange team has locked up the stolen GRWI, so most of them can be recovered.
  • The Onix team has decided to fork their blockchain to roll back the withdrawals, so all Onix will be recovered.
  • We deducted the funds that we and holders on our team can absorb.
  • We received donations from a handful of affected users, who surrendered their losses to help us keep going.
  • Several security checks have been added. We'll describe those updates in a separate post.
  • We have almost finished our investigation. We'll restore withdrawals after final checks in a few hours.
  • We're in touch with security firms, requesting quotes for an audit of our security systems.

[December 13, 2021 11:05 PM CST] - Added security locks, restored withdrawals

  • We secured all admin accounts against access from unfamiliar locations.
  • We added a check that blocks withdrawals and transfers for 24 hours on accounts whose details have been changed recently.
  • Withdrawals have been enabled, but GRWI and ONIX will not be available until further notice.
  • The GRWI/ONIX swap will remain suspended until further notice.
  • There are additional measures we will take to prevent unwanted withdrawals from all accounts; we'll announce them in a separate post.
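As an added illustration (not code from Blockchain Financial), the Python sketch below combines the controls listed under "Changes in our security measures" with the 24-hour hold from this update: admin accounts restricted to whitelisted locations, an optional location whitelist for other users, and a hold on withdrawals after an email or IP change. The account fields, networks and timestamps are constructed assumptions, and a request that passes still only queues for the manual review mentioned later in this post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional
HOLD = timedelta(hours=24)  # hold on withdrawals/transfers after an account change

@dataclass
class Account:
    user_id: str
    is_admin: bool = False  # admin and "system helper" accounts
    last_email_change: Optional[datetime] = None  # hypothetical audit fields
    last_ip_change: Optional[datetime] = None
    allowed_networks: List[str] = field(default_factory=list)  # whitelisted login locations (CIDR)

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_withdrawal(acct: Account, login_ip: str, now: datetime) -> Decision:
    """Apply the post-incident rules, most restrictive first, and say why a request is denied."""
    src = ip_address(login_ip)
    # Admin accounts are restricted to specific locations; fail closed if none are configured.
    if acct.is_admin and not acct.allowed_networks:
        return Decision(False, "admin account has no location restriction configured")
    # Whitelist is optional for normal users, mandatory for admins: deny logins from elsewhere.
    if acct.allowed_networks and not any(src in ip_network(n) for n in acct.allowed_networks):
        return Decision(False, f"login from {login_ip} is outside the whitelisted locations")
    # 24-hour hold after an email or IP change, the two changes seen during the intrusion.
    for what, changed_at in (("email", acct.last_email_change), ("ip", acct.last_ip_change)):
        if changed_at is not None and now - changed_at < HOLD:
            return Decision(False, f"{what} changed {now - changed_at} ago; hold lasts {HOLD}")
    # Passing the checks only queues the request: withdrawals are still reviewed manually.
    return Decision(True, "queued for manual review")

# Constructed sample data (not from the incident): a fixed clock and a few accounts.
NOW = datetime(2021, 12, 13, 23, 5, tzinfo=timezone.utc)
ADMIN = Account("admin-1", is_admin=True, allowed_networks=["203.0.113.0/24"])
USER_RECENT_EMAIL = Account("user-1", last_email_change=NOW - timedelta(hours=2))
USER_OLD_IP = Account("user-2", last_ip_change=NOW - timedelta(hours=30),
                      allowed_networks=["198.51.100.0/24"])
def run_samples() -> dict:
    """Evaluate the sample accounts; returns label -> allowed."""
    return {
        "admin_inside_whitelist": check_withdrawal(ADMIN, "203.0.113.7", NOW).allowed,
        "admin_outside_whitelist": check_withdrawal(ADMIN, "198.51.100.9", NOW).allowed,
        "user_email_changed_2h_ago": check_withdrawal(USER_RECENT_EMAIL, "192.0.2.10", NOW).allowed,
        "user_ip_changed_30h_ago": check_withdrawal(USER_OLD_IP, "198.51.100.20", NOW).allowed,
    }
```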

[December 17, 2021 3:26 PM CST] - Stolen Onix recovered

  • The Onix Team made a successful fork of the blockchain.
  • A new wallet has been released. The update is mandatory and requires a chain resync, so please check here for download details.
  • We updated our wallet daemon and recovered all stolen funds: the offending transactions never happened on the new chain.
  • Transaction history in our Onix wallet is intact. All previously generated deposit addresses are safe to use.
  • The GRWI/ONIX swap is still suspended. It will be resumed once the stolen GRWI are recovered from Unnamed exchange by the Onix team.
  • All Onix services are enabled again on our end.
7 comments

Dec 14, 2021 3:35 PM (7 months ago)

Transaction is on the HTML block explorer:
http://explorer.htmlcoin.com/tx/a9acc074...3f82ae24

Jan 3 11:08 PM (6 months ago)

started from urself

Jan 3 11:10 PM (6 months ago)

u add html after i messaged all; the hacker didnt want htmlcoin,,,i safed jpgs^^

Jan 4 10:28 AM (6 months ago)

Oh yes, and we faked the transaction in the HTML blockchain by travelling back in time.

Dec 15, 2021 1:42 AM (7 months ago)

Hi, when can we withdraw Onix to the Onix wallet for staking? The swap had already been completed.

Dec 17, 2021 3:44 PM (7 months ago)

As of now, all Onix services have been enabled. You can place your withdrawal request now.

Just remember that withdrawals are manually reviewed and might take several hours to go through.

Also: a new wallet version has been released, so make sure to download it and resync your blockchain files before launching it or you'll get stranded on the wrong side of the fork.

https://onixcoin.io/wallet-020-released