On an unlucky day last year, I tried to sign in to my Blockchain.com mobile wallet, only to discover that the system had kicked me out. Since this often happens on mobile apps, I tried the same on PC. I was, of course, using 2FA (two-factor authentication) with my email. Surprisingly when logging in, I didn’t receive such email. I tried several times, waited for long, but emails never arrived. As I was unable to login into my account, I decided to contact Blockchain.com support.
Since Blockchain.com has such lousy customer support, it took over 2 weeks to get an initial reply, and then it took another week for them to understand what was the problem about. It appeared that someone had changed my 2FA email.
Disclaimer: All opinions in this article belong to the author alone and do not reflect the opinions of Hacker Noon as a whole. Please conduct your own thorough research before making and investment decisions, purchases, or withdrawals.
1. By logging into the account and changing the email.
2. By using this form.
Obviously, for the first option, you need to log in first, and for that, you need to complete 2FA.
But for the second option, you don’t need to pass 2FA; you only need to know the Wallet ID and the email. Wallet ID is a long 36 character code. It’s impossible for someone to guess it like they could guess your email. But Blockchain.com staff has access to this Wallet ID, they can see in the system which email is associated with which wallet ID.
Thus potentially a Blockchain.com employee could look up this information and change 2FA without anyone’s knowledge for his own email. The system is supposed to send a notification to the original email to prevent unlawful 2FA change, but I never got that email. There could have been a bug in Blockchain.com mailing server or more likely someone disabled email notifications on purpose.
It’s clear that my email was not compromised, as in that case the hacker would have just logged in with 2FA code sent to my email and moved the funds out. There wouldn’t be a need to change 2FA email and take a huge risk by waiting until it’s done.
Blockchain.com support suggested me to change 2FA back to my email and provided to me an email account that was set as new 2FA. By this point, I already have realized that my funds were stolen. I dug details of my previous transactions to Blockchain.com wallet and checked in the Bitcoin explorer what happened to them afterwards. All funds were transferred to unknown wallet just 1 day before I discovered problems with logging in.
When bringing up this theft to Blockchain.com support, they started to blame me for what happened and after some time stopped replying completely. I sent multiple emails to different blockchain.com email accounts, but they were all ignored. I even contacted Blockchain.com founder Peter Smith on Telegram (his account is @onemorepeter) but he ignored me too. It was clear that Blockchain.com did not want to investigate this theft.
I started searching online and discovered that there were many similar cases
https://www.trustpilot.com/reviews/6000e632755dc107e87e4f07
https://www.trustpilot.com/reviews/5f5914d902e8570650b5a559
https://www.trustpilot.com/reviews/5f47f09202e85708c8da4f77
https://www.trustpilot.com/reviews/5fecaea5755dc107e0d2f768
https://www.trustpilot.com/reviews/5fb0444a5e693f0a84273f35
https://www.trustpilot.com/reviews/5f8d85b1798e6f04a417abeb
https://www.trustpilot.com/reviews/5f5ca49d02e8570a4870925e
https://www.trustpilot.com/reviews/5f259f7e1a5a6907a4787852
https://www.trustpilot.com/reviews/5ee888f77dd753070884b184
https://www.trustpilot.com/reviews/5eae1f9a086b6409544678e4
https://www.trustpilot.com/reviews/5f47f09202e85708c8da4f77
https://www.reddit.com/r/Bitcoin/comments/lbba0a/…
https://www.reddit.com/r/Bitcoin/comments/d5fjsv/…
https://www.reddit.com/r/Bitcoin/comments/l8kvti/…
https://www.reddit.com/r/Bitcoin/comments/l0g3lp/…
https://www.reddit.com/r/Bitcoin/comments/k8db3t/…
https://www.reddit.com/r/Bitcoin/comments/7cz9pu/…
https://www.reddit.com/r/Bitcoin/comments/b4aq5g/…
https://www.reddit.com/r/Bitcoin/comments/7cz9pu/…
https://www.reddit.com/r/Bitcoin/comments/99tw18/…
https://www.reddit.com/r/Bitcoin/comments/6dfyde/…
https://www.reddit.com/r/Bitcoin/comments/7h8jcl/…
https://www.reddit.com/r/Bitcoin/comments/72fvj3/…
https://www.reddit.com/r/Bitcoin/comments/9txcg0/…
https://www.reddit.com/r/Bitcoin/comments/790nks/…
https://www.reddit.com/r/Bitcoin/comments/kzsv77/…
Blockchain.com Currently has a "Poor" 2.4 rating on Trust Pilot
1. 2FA has been mystically disabled
2. Funds were stolen from the account
That’s 11 similar cases on TrustPilot and 15 on Reddit: 26 in total, all recent. A bit too much to call it coincidence or to blame the users? Most likely, this is only the tip of the iceberg, as not everybody will write a public review about how they were robbed or scammed.
If you calculate the total amount of funds stolen, we are talking about millions of US dollars.
My email was not hacked. I know this because I get notifications of all logins from new devices to my other email account. I can also see logs of all logins to the account with date, time, and IP address. And there was no suspicious activity.
No one but me had physical access to my devices. I never leave them anywhere unattended, and they are always protected by a password, which no one knows expect me.
My computer or phone were not hijacked remotely. I have up-to-date anti-virus software and after this incident, I ran diagnostics, which didn’t find anything.
I had not visited any phishing site nor have entered by blockchain.com wallet credential anywhere else.
2FA was clearly the only real obstacle for the thief. He changed the 2FA email and waited for weeks, until he could have accessed the wallet. This rules very unlikely possibility that a staff member from an email service provider would have accessed my email and without leaving any trace, as then there would be absolutely no reason to request 2FA change.
2FA email change is also a strange backdoor left on purpose. The user cannot reset the password, but for some reason, he can reset 2FA. When the likelihood of losing access to 2FA email, is almost non-existing since email accounts can be recovered much more easily, in case of a lost or forgotten password. It’s an obvious design flaw, and it would be interesting to know the motives of adding such vulnerability to the wallet.
Since all these scenarios are ruled out, it leaves only two possibilities of what could have happened.
In my opinion, there are two possible theories of what could have happened:
It’s plausible that the theft was possible because of system malfunction on Blockchain.com due to which notification emails about 2FA reset were not sent to the users. Because there’s evidence that these cases happened during several months, it means that Blockchain.com had outrageously neglected security for a long period of time, which is unacceptable for a company that handles money.
It’s more likely that an unknown employee who had access to the system and user information was behind the theft. Mostly because it’s hard to believe that such large company would have handled their security so poorly.
In case it was the inside job, it probably happened like this:
The employee looked up Wallet IDs and account emails in Blockchain.com system and requested 2FA change via the publicly available form.
He disabled email notifications about 2FA change (possibly only for the specific account).
Once the 2FA email was changed, he either used a brute-force attack to crack the password, or perhaps Blockchain.com passwords are not stored as securely as they claim to be stored, and there is a way to decrypt them.
It’s also possible that there has been a hack of the Blockchain.com wallet the past, about which we don’t know since the data was not leaked to the public.
After gaining access to the wallet, he withdrew all balance to his own wallet.
Since the victims have notified Blockchain.com customer support, Blockchain.com was aware of this from the start. However, they didn’t interfere and let it happen for a long time. It’s unknown if they have fixed the issue today or if the security flaw is still present. As a dishonest company, all Blockchain.com cares about is to cover up this theft. There’s no information about Blockchain.com conducting any investigation, notifying law enforcement, or compensating the damage to the victims.
Due to the lack of reaction from Blockchain.com’s side, I would strongly advise everyone to withdraw all funds from Blockchain.com and never use it again. Blockchain.com has done everything to hide several security breaches, and the crypto community can no longer trust this company.
This is not the first time Blockchain.com (previously Blockchain.info) has lost users’ funds.
This article was originally published at HPC.
Disclaimer: All opinions in this article belong to the author alone and do not reflect the opinions of Hacker Noon as a whole. Please conduct your own thorough research before making and investment decisions, purchases, or withdrawals.