Table of Contents
- How it all started?
- Scenarios that did not happen for sure
- What really happened?
- The inaction of Blockchain.com
- Other references
How it all started?
On an unlucky day last year, I tried to sign in to my Blockchain.com mobile wallet, only to discover that the system had logged me out. Since this often happens with mobile apps, I tried the same on my PC. I was, of course, using 2FA (two-factor authentication) via my email. Surprisingly, when logging in, I didn't receive the 2FA email. I tried several times and waited a long time, but the emails never arrived. As I was unable to log in to my account, I decided to contact Blockchain.com support.
Since Blockchain.com has such lousy customer support, it took over two weeks to get an initial reply, and then another week for them to understand what the problem was. It appeared that someone had changed my 2FA email.
There are only two ways to change the 2FA email:
1. By logging into the account and changing the email.
2. By using this form (a publicly available 2FA reset form).
Obviously, for the first option, you need to log in first, and for that, you need to complete 2FA.
But for the second option, you don't need to pass 2FA; you only need to know the Wallet ID and the email. The Wallet ID is a 36-character identifier; unlike an email address, it is not something an outsider could guess. But Blockchain.com staff have access to this Wallet ID: they can see in the system which email is associated with which Wallet ID.
Thus a Blockchain.com employee could potentially look up this information and change the 2FA address to his own email without anyone's knowledge. The system is supposed to send a notification to the original email to prevent an unauthorized 2FA change, but I never received that email. There could have been a bug in Blockchain.com's mail server or, more likely, someone disabled the email notifications on purpose.
It's clear that my email was not compromised, since in that case the hacker would simply have logged in with the 2FA code sent to my email and moved the funds out. There would have been no need to change the 2FA email and take the huge risk of waiting until the change went through.
Blockchain.com support suggested that I change 2FA back to my email and told me which email address had been set as the new 2FA address. By this point I had already realized that my funds were stolen. I dug up the details of my previous transactions into the Blockchain.com wallet and checked in a Bitcoin block explorer what happened to them afterwards. All funds had been transferred to an unknown wallet just one day before I discovered the login problems.
When I brought up this theft with Blockchain.com support, they started to blame me for what happened and after some time stopped replying completely. I sent multiple emails to different Blockchain.com email accounts, but they were all ignored. I even contacted Blockchain.com founder Peter Smith on Telegram (his account is @onemorepeter), but he ignored me too. It was clear that Blockchain.com did not want to investigate this theft.
I started searching online and discovered that there were many similar cases.
All these cases follow the same script:
1. 2FA was mysteriously disabled or changed.
2. Funds were stolen from the account.
That's 11 similar cases on Trustpilot and 15 on Reddit: 26 in total, all recent. A bit too much to call it coincidence or to blame the users? Most likely this is only the tip of the iceberg, since not everybody will write a public review about how they were robbed or scammed. If you add up the total amount of funds stolen, we are talking about millions of US dollars.
Scenarios that did not happen for sure
- My email was not hacked. I know this because I get notifications of all logins from new devices to my other email account. I can also see logs of all logins to the account with date, time and IP address, and there was no suspicious activity.
- No one but me had physical access to my devices. I never leave them anywhere unattended, and they are always protected by a password that no one knows except me.
- Neither my computer nor my phone was hijacked remotely. I have up-to-date anti-virus software, and after this incident I ran diagnostics, which didn't find anything.
- I had not visited any phishing site, nor had I entered my Blockchain.com wallet credentials anywhere else.
What really happened?
2FA was clearly the only real obstacle for the thief. He changed the 2FA email and waited for weeks until he could access the wallet. This rules out the already very unlikely possibility that an employee of my email provider accessed my mailbox without leaving a trace, since in that case there would have been no reason to request a 2FA change at all.
The 2FA email change is also a strange backdoor, and one that looks left on purpose. The user cannot reset the wallet password, but for some reason he can reset 2FA, even though the likelihood of losing access to the 2FA email is almost non-existent: email accounts are recovered far more easily than a lost wallet password. The asymmetry is telling. The password presumably cannot be reset because it encrypts the wallet contents and is never held by the server; the second factor, which the server fully controls, can nonetheless be swapped out through a form. It is an obvious design flaw, and it would be interesting to know the motives for adding such a vulnerability to the wallet.
Since all other scenarios are ruled out, that leaves two possibilities for what could have happened:
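To make the design flaw concrete, here is a small model of a 2FA-email change flow, written for this page as an added illustration; it is not Blockchain.com's code and does not describe how their system is actually implemented. `WeakService` models the flow the post describes (wallet ID plus registered email is enough to change the 2FA address at once). `HardenedService` shows the pattern a practitioner would expect instead: the old 2FA mailbox gets both a confirm and a cancel token, an unconfirmed change is held for a cooling-off period, and an audit record is written before any mail is sent. All class names, the seven-day delay, the tokens and the wallet records are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

COOLING_OFF_SECONDS = 7 * 24 * 3600  # assumed hold before an unvetoed change takes effect


@dataclass
class Wallet:
    wallet_id: str    # 36-character identifier, as described in the post
    email: str        # registered account email
    twofa_email: str  # mailbox that receives login codes


@dataclass
class PendingChange:
    new_email: str
    confirm_token: str  # proves control of the CURRENT 2FA mailbox; applies the change at once
    cancel_token: str   # lets the current 2FA mailbox veto the change
    requested_at: float


class WeakService:
    """The flow the post describes: the old 2FA mailbox is never consulted."""

    def __init__(self, wallets):
        self.wallets = {w.wallet_id: w for w in wallets}

    def change_twofa_email(self, wallet_id, email, new_email):
        w = self.wallets.get(wallet_id)
        if w is None or w.email != email:
            return False
        w.twofa_email = new_email  # no second factor, no delay, no veto
        return True


class HardenedService:
    """Same request surface, but the old 2FA mailbox stays in the loop and every
    step is recorded in an audit log that does not depend on mail delivery."""

    def __init__(self, wallets, clock):
        self.wallets = {w.wallet_id: w for w in wallets}
        self.clock = clock  # injectable so the cooling-off period can be tested
        self.pending = {}   # wallet_id -> PendingChange
        self.outbox = []    # (recipient, subject, tokens) standing in for a mail server
        self.audit = []     # append-only log of requests and outcomes

    def request_change(self, wallet_id, email, new_email):
        w = self.wallets.get(wallet_id)
        if w is None or not hmac.compare_digest(w.email.encode(), email.encode()):
            return False
        pc = PendingChange(new_email, secrets.token_urlsafe(32),
                           secrets.token_urlsafe(32), self.clock())
        self.pending[wallet_id] = pc
        self.audit.append(("request", wallet_id, new_email, pc.requested_at))
        # Notification goes to the OLD address: the only party able to veto the change.
        self.outbox.append((w.twofa_email, "2FA email change requested",
                            {"confirm": pc.confirm_token, "cancel": pc.cancel_token}))
        return True

    def _take(self, wallet_id, token, field):
        pc = self.pending.get(wallet_id)
        if pc is None or not hmac.compare_digest(getattr(pc, field).encode(), token.encode()):
            return None
        return self.pending.pop(wallet_id)

    def confirm(self, wallet_id, token):
        """Holder of the old 2FA mailbox approves: apply immediately."""
        pc = self._take(wallet_id, token, "confirm_token")
        if pc is None:
            return False
        self.wallets[wallet_id].twofa_email = pc.new_email
        self.audit.append(("confirmed", wallet_id, pc.new_email, self.clock()))
        return True

    def cancel(self, wallet_id, token):
        """Holder of the old 2FA mailbox vetoes: discard the request."""
        pc = self._take(wallet_id, token, "cancel_token")
        if pc is None:
            return False
        self.audit.append(("cancelled", wallet_id, pc.new_email, self.clock()))
        return True

    def apply_expired(self):
        """Recovery path for a user who lost the old mailbox: apply only once the
        cooling-off period has passed with no veto. Returns the wallet IDs changed."""
        now, applied = self.clock(), []
        for wallet_id, pc in list(self.pending.items()):
            if now - pc.requested_at >= COOLING_OFF_SECONDS:
                self.wallets[wallet_id].twofa_email = pc.new_email
                del self.pending[wallet_id]
                self.audit.append(("applied_after_cooling_off", wallet_id, pc.new_email, now))
                applied.append(wallet_id)
        return applied


def demo():
    """Constructed scenario: someone who knows the wallet ID and email tries both services."""
    wid = "00000000-0000-4000-8000-000000000001"  # made-up wallet ID
    weak = WeakService([Wallet(wid, "victim@example.com", "victim@example.com")])
    weak.change_twofa_email(wid, "victim@example.com", "attacker@example.com")
    hard = HardenedService([Wallet(wid, "victim@example.com", "victim@example.com")], lambda: 0.0)
    hard.request_change(wid, "victim@example.com", "attacker@example.com")
    tokens = hard.outbox[-1][2]
    vetoed = hard.cancel(wid, tokens["cancel"])  # the victim's mailbox stops the change
    return weak.wallets[wid].twofa_email, hard.wallets[wid].twofa_email, vetoed


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that disabling the mailer, which the post suspects happened, no longer suffices on its own: the change still waits out the cooling-off period and the request is already in the audit log, so an insider would have to suppress the notification, defeat the delay and tamper with the log rather than bypass a single control.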
1. There was a malfunction with 2FA system.
2. Someone from Blockchain.com, probably an employee, was behind the theft.
First Theory: 2FA Malfunction
It is plausible that the theft was possible because of a system malfunction at Blockchain.com, due to which notification emails about 2FA resets were not sent to users. Since the cases span several months, this would mean that Blockchain.com neglected security for a long period of time, which is unacceptable for a company that handles money.
For this theory to be true, the attacker would also need to know the email addresses, Wallet IDs and passwords of multiple victims, which implies a data leak from Blockchain.com.
Second Theory: An inside job
It is more likely that an unknown employee who had access to the system and user information was behind the theft, mostly because it is hard to believe that such a large company would have handled its security so poorly.
If it was an inside job, it probably happened like this:
- The employee looked up Wallet IDs and account emails in the Blockchain.com system and requested a 2FA change via the publicly available form.
- He disabled the email notifications about the 2FA change (possibly only for the specific account).
- Once the 2FA email was changed, he either brute-forced the password, or perhaps Blockchain.com passwords are not stored as securely as the company claims and there is a way to decrypt them. (If the attacker also had a copy of the wallet's encrypted data, the brute force could be run offline, with no login rate limit to slow it down.) It is also possible that Blockchain.com was hacked in the past and we don't know about it because the data was never leaked to the public.
- After gaining access to the wallet, he withdrew the entire balance to his own wallet.
Combination of both
It is also possible that both scenarios happened at the same time: there was a 2FA notification error, which was discovered by a Blockchain.com employee who, instead of fixing or reporting it, used the opportunity to change the 2FA emails of accounts whose passwords had leaked. The bottom line is that we can't know for sure what happened until a thorough criminal investigation is done, since Blockchain.com is unwilling to conduct one itself.
The inaction of Blockchain.com
Since victims notified Blockchain.com customer support, Blockchain.com was aware of this from the start. However, they did not intervene and let it go on for a long time. It is unknown whether they have fixed the issue today or whether the security flaw is still present. As a dishonest company, all Blockchain.com cares about is covering up this theft. There is no information about Blockchain.com conducting any investigation, notifying law enforcement or compensating the victims for their losses.
Due to the developments described above and the lack of reaction from Blockchain.com's side, I would strongly advise everyone to withdraw all funds from Blockchain.com and never use it again. Blockchain.com has done everything to hide several security breaches, and the crypto community can no longer trust this company.
This is not the first time Blockchain.com (previously Blockchain.info) has been involved in a scam, fraud or theft, or has otherwise lost users' funds.
- Different type of case that took place nearly two years ago
- An informational website dedicated to Blockchain.com scams and abuses