Blockchain.com is losing customers funds

Last Updated on March 30, 2021 by Filip Poutintsev

How it all started?

On an unlucky day last year, I tried to sign up to my Blockchain.com mobile wallet, only to discover that the system had kicked me out. Since this often happens on mobile apps, I tried the same on PC. I was, of course, using 2FA (two-factor authentication) with my email. Surprisingly when logging in, I didn’t receive such email. I tried several times, waited for long, but emails never arrived. As I was unable to login into my account, I decided to contact Blockchain.com support.

Since Blockchain.com has such lousy customer support, it took over 2 weeks to get an initial reply, and then it took another week for them to understand what was the problem about. It appeared that someone had changed my 2FA email.

There are only 2 ways to change 2FA email

1. By logging into the account and changing the email.
2. By using this form.

Obviously, for the first option, you need to log in first, and for that, you need to complete 2FA.

But for the second option, you don’t need to pass 2FA; you only need to know the Wallet ID and the email. Wallet ID is a long 36 character code. It’s impossible for someone to guess it like they could guess your email. But Blockchain.com staff has access to this Wallet ID, they can see in the system which email is associated with which wallet ID.

Thus potentially a Blockchain.com employee could look up this information and change 2FA without anyone’s knowledge for his own email. The system is supposed to send a notification to the original email to prevent unlawful 2FA change, but I never got that email. There could have been a bug in Blockchain.com mailing server or more likely someone disabled email notifications on purpose.

It’s clear that my email was not compromised, as in that case the hacker would have just logged in with 2FA code sent to my email and moved the funds out. There wouldn’t be a need to change 2FA email and take a huge risk by waiting until it’s done.

Blockchain.com support suggested me to change 2FA back to my email and provided to me an email account that was set as new 2FA. By this point, I already have realized that my funds were stolen. I dug details of my previous transactions to Blockchain.com wallet and checked in the Bitcoin explorer what happened to them afterwards. All funds were transferred to unknown wallet just 1 day before I discovered problems with logging in.

When bringing up this theft to Blockchain.com support, they started to blame me for what happened and after some time stopped replying completely. I sent multiple emails to different blockchain.com email accounts, but they were all ignored. I even contacted Blockchain.com founder Peter Smith on Telegram (his account is @onemorepeter) but he ignored me too. It was clear that Blockchain.com did not want to investigate this theft.

I started searching online and discovered that there were many similar cases

https://bitcointalk.org/index.php?topic=5301006.0
https://bitcointalk.org/index.php?topic=5185385.0
https://bitcointalk.org/index.php?topic=5318009.0

All these cases follow the same script

1. 2FA has been mystically disabled or changed
2. Funds were stolen from the account

This is just a small number of similar cases found after quick search. In reality there’s hundreds of them, a bit too much to call it coincidence or to blame the users? And most likely, this is still only the tip of the iceberg, as not everybody will write a public review about how they were robbed or scammed. If you calculate the total amount of fund stolen, we are talking about tens millions of US dollar.

Scenarios that did not happen for sure

My email was not hacked. I know this because I get notifications of all logins from new devices to my other email account. I can also see logs of all logins to the account with date, time and IP address. And there were no suspicious activity.
No one but me had physical access to my devices. I never leave them anywhere unattended, and they are always protected by a password, which no one knows expect me.
My computer or phone were not hijacked remotely. I have up to date anti-virus software and after this incident I ran diagnostics, which didn’t find anything.
I had not visited any phishing site nor have entered by blockchain.com wallet credential anywhere else.
Staff of email service provider did not access my email without leaving any trace, as then there would be absolutely no reason to request 2FA change.

What really happened?

There’s a known 2FA security flaw on Blockchain.com that allows a hacker to disable 2FA without needing to authenticate with 2FA first. This allows the hacker to login to the wallet with just Wallet ID and password. As shown in the article, Blockchain.com has known about this flaw for ages but they still haven’t done anything to fix it.

As Blockchain.com staff has access to wallet ID, an employee can easily steal this information and sell it to criminals or use it himself. The passwords can be cracked with brute-force, or more likely there was either a data leak from Blockchain.com or perhaps passwords are not stored as securely as they claim to be stored, and there is a way to decrypt them. Which would mean that an dishonest employee could be behind this.

2FA email change is also a strange backdoor left on purpose. The user cannot reset the password, but for some reason, he can reset 2FA. When the likelihood of losing access to 2FA email, is almost non-existing since email accounts can be recovered much more easily, in case of a lost or forgotten password. It’s an obvious design flaw, and it would be interesting to know the motives of adding such vulnerability to the wallet.

The inaction of Blockchain.com

Since the victims have notified Blockchain.com customer support, Blockchain.com was aware of this from the start. However, they didn’t interfere and let it happen for a long time. It’s unknown if they have fixed the issue today or if the security flaw is still present. As a dishonest company, all Blockchain.com cares about is cover up this theft. There’s no information about Blockchain.com conducting any investigation, notifying law enforcement or compensating the damage to the victims. If an dishonest employee was truly behind the theft, knowing how Blockchain.com acts, it’s likely that they decided simply to fire him and sweep the incident under the carpet, only for PR purposes.

So far the only only reaction from Blockchain.com has been legal threats, towards the people who have exposed their security flaws.

Do not use Blockchain.com wallet!

Due to development mentioned above and the lack of reaction from Blockchain.com’s side I would strongly advise everyone to withdraw all funds from Blockchain.com and never use it again. Blockchain.com has done everything to hide several security breaches, and the crypto community can no longer trust this company.