How it all started
On an unlucky day last year, I tried to sign in to my Blockchain.com mobile wallet, only to discover that the system had kicked me out. Since this often happens on mobile apps, I tried the same on PC. I was, of course, using 2FA (two-factor authentication) with my email. Surprisingly, when logging in, I didn’t receive that email. I tried several times and waited a long time, but the emails never arrived. As I was unable to log in to my account, I decided to contact Blockchain.com support.
Since Blockchain.com has such lousy customer support, it took over 2 weeks to get an initial reply, and then it took another week for them to understand what the problem was. It appeared that someone had changed my 2FA email.
There are only 2 ways to change the 2FA email:
1. By logging into the account and changing the email.
2. By using this form.
Obviously, for the first option, you need to log in first, and for that, you need to complete 2FA.
But for the second option, you don’t need to pass 2FA; you only need to know the Wallet ID and the email. The Wallet ID is a long, 36-character code. It’s impossible for someone to guess it the way they could guess your email. But Blockchain.com staff have access to this Wallet ID; they can see in the system which email is associated with which Wallet ID.
Thus, potentially, a Blockchain.com employee could look up this information and change the 2FA to his own email without anyone’s knowledge. The system is supposed to send a notification to the original email to prevent an unlawful 2FA change, but I never got that email. There could have been a bug in the Blockchain.com mail server, or, more likely, someone disabled email notifications on purpose.
It’s clear that my email was not compromised, as in that case the hacker would have just logged in with the 2FA code sent to my email and moved the funds out. There wouldn’t be a need to change the 2FA email and take a huge risk by waiting until it was done.
Blockchain.com support suggested that I change the 2FA back to my email and gave me the email account that had been set as the new 2FA. By this point, I had already realized that my funds were stolen. I dug up the details of my previous transactions to the Blockchain.com wallet and checked in a Bitcoin explorer what happened to them afterwards. All funds had been transferred to an unknown wallet just 1 day before I discovered the problems with logging in.
When bringing up this theft to Blockchain.com support, they immediately stopped replying to my messages. I sent multiple emails to different blockchain.com email accounts, but they were all ignored. I even contacted Blockchain.com founder Peter Smith on Telegram (his account is @onemorepeter) but he ignored me too. It was clear that Blockchain.com did not want to investigate this breach.
I started searching online and discovered that there were many similar cases.
All these cases follow the same script:
1. 2FA has been mysteriously disabled
2. Funds were stolen from the account
That’s 11 similar cases on TrustPilot and 15 on Reddit: 26 in total, all recent. A bit too many to call it a coincidence or to blame the users? Most likely, this is only the tip of the iceberg, as not everybody will write a public review about how they were robbed or scammed.
If you calculate the total amount of funds stolen, we are talking about millions of US dollars.
Scenarios that did not happen for sure
- My email was not hacked. I know this because I get notifications of all logins from new devices to my other email account. I can also see logs of all logins to the account with date, time and IP address. And there was no suspicious activity.
- No one but me had physical access to my devices. I never leave them anywhere unattended, and they are always protected by a password, which no one knows except me.
- My computer and phone were not hijacked remotely. I have up-to-date anti-virus software, and after this incident I ran diagnostics, which didn’t find anything.
- I had not visited any phishing site, nor had I entered my blockchain.com wallet credentials anywhere else.
2FA was clearly the only real obstacle for the thief. He changed the 2FA email and waited for weeks until he could access the wallet. This makes it very unlikely that a staff member at the email service provider accessed my email without leaving any trace, as then there would be absolutely no reason to request a 2FA change.
The 2FA email change is also a strange backdoor, left on purpose. The user cannot reset the password, but for some reason he can reset 2FA, even though the likelihood of losing access to the 2FA email is almost non-existent, since email accounts can be recovered much more easily in case of a lost or forgotten password. It’s an obvious design flaw, and it would be interesting to know the motives for adding such a vulnerability to the wallet.
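To make the design point concrete, here is an added example (written for this edit, not Blockchain.com code; the form, its checks and the wallet shown are assumptions) that models the reset form as the post describes it, where knowing the Wallet ID and the current email is enough and the owner's notification is a switch that can be turned off, beside a hardened flow in which the change is only parked until the holder of the current 2FA mailbox confirms it with a one-time token, and where mailing and audit logging are unconditional:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 3600  # assumed: lifetime of a confirmation token, in seconds


@dataclass
class Wallet:
    wallet_id: str
    two_fa_email: str
    pending: Optional[dict] = None  # in-flight reset request (hardened flow only)


@dataclass
class Store:
    wallets: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # (recipient, subject) of every mail "sent"
    audit: list = field(default_factory=list)   # append-only trail of reset events


def sample_store() -> Store:
    """Constructed sample data: the Wallet ID below is a placeholder, not a real one."""
    wid = "00000000-0000-4000-8000-000000000001"
    store = Store()
    store.wallets[wid] = Wallet(wid, "owner@example.com")
    return store


def weak_reset(store: Store, wallet_id: str, email: str, new_email: str,
               notify: bool = True) -> bool:
    """Models the public form as the post describes it: only the Wallet ID and the
    current email are checked, the change applies at once, and the notification to
    the old address is optional, so whoever runs the flow can suppress it."""
    w = store.wallets.get(wallet_id)
    if w is None or w.two_fa_email != email:
        return False
    old = w.two_fa_email
    w.two_fa_email = new_email
    if notify:
        store.outbox.append((old, "Your 2FA email was changed"))
    return True


def hardened_request(store: Store, wallet_id: str, email: str, new_email: str,
                     now: float) -> bool:
    """Step 1 of the hardened flow: nothing changes yet. A one-time token goes to the
    CURRENT 2FA address, so whoever already holds the second factor must approve, and
    the request is always mailed and always audited (no toggle to disable either)."""
    w = store.wallets.get(wallet_id)
    if w is None or w.two_fa_email != email:
        return False
    token = secrets.token_urlsafe(32)
    w.pending = {"new_email": new_email, "token": token, "requested": now}
    store.outbox.append((w.two_fa_email, f"Confirm 2FA change to {new_email}: {token}"))
    store.audit.append((now, wallet_id, "2fa_reset_requested", new_email))
    return True


def hardened_confirm(store: Store, wallet_id: str, token: str, now: float) -> bool:
    """Step 2: the change applies only with the unexpired token from the current 2FA
    mailbox; rejected attempts are audited too, so a flood of them is visible."""
    w = store.wallets.get(wallet_id)
    p = w.pending if w else None
    if p is None:
        return False
    expired = now - p["requested"] > TOKEN_TTL
    if expired or not hmac.compare_digest(token, p["token"]):
        store.audit.append((now, wallet_id, "2fa_reset_rejected", p["new_email"]))
        return False
    old = w.two_fa_email
    w.two_fa_email = p["new_email"]
    w.pending = None
    store.outbox.append((old, "Your 2FA email was changed"))
    store.audit.append((now, wallet_id, "2fa_reset_confirmed", w.two_fa_email))
    return True


def pending_token(store: Store, wallet_id: str) -> Optional[str]:
    """Demo helper standing in for reading the mail: returns the token that only the
    current 2FA mailbox would have received."""
    w = store.wallets.get(wallet_id)
    return w.pending["token"] if w and w.pending else None
```

The difference that matters is who can complete the change: in the weak flow anyone who can read the Wallet ID and email pairing, which the post says staff can, completes it alone and can skip the only signal the owner would get; in the hardened flow the existing second factor has to approve, and every request and outcome lands in an audit trail regardless of what the requester wants. A user who has genuinely lost the 2FA mailbox would need a separate recovery path, which is exactly the case that justifies a long delay and identity checks rather than an instant form.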
Since all these scenarios are ruled out, it leaves only one possibility of what could have happened.
What really happened?
Since we have not heard about the massive hack of Blockchain.com wallets and the number of victims is low, it’s safe to assume that this hack concerns only a low number of accounts.
Secondly, I think we can all assume that the security level of Blockchain.com wallets is not so low that someone from the outside could hack them, without Blockchain.com noticing it.
And thirdly, since Blockchain.com and its owners are wealthy, it’s likely that they would not risk their reputation over stealing a relatively low amount compared to their own wealth.
Thus the only plausible explanation is that someone working at Blockchain.com did this. This person probably works in the IT department and therefore has the skills and access to the system and user information.
How was the theft most likely done?
- The employee looked up Wallet IDs and account emails in Blockchain.com system and requested 2FA change via the publicly available form.
- He disabled email notifications about 2FA change (possibly only for the specific account).
- Once the 2FA email was changed, he either used a brute-force attack to crack the password, or perhaps Blockchain.com passwords are not stored as securely as they claim, and there is a way to decrypt them. It’s also possible that there was a hack of the Blockchain.com wallet in the past, about which we don’t know since the data was not leaked to the public.
- After gaining access to the wallet, he withdrew all balance to his own wallet.
Since the victims have notified Blockchain.com customer support, Blockchain.com is likely aware of this breach. It’s unknown if they have taken any actions in secret and found the criminal. We know for sure that there hasn’t been any public investigation into this matter. Even if they found the person who did it, they probably only fired him (and forced him to sign an NDA). But as a dishonest company, they have not notified law enforcement and did not try to compensate the victims for the damage. They only acted in a way that would favour them and their PR image.
I would strongly advise everyone to withdraw all funds from Blockchain.com and never use it again. Blockchain.com has done everything to hide this breach, and the crypto community can no longer trust this company.
This is not the first time Blockchain.com (previously Blockchain.info) has been involved in scams, fraud or theft, or has otherwise lost users’ funds.
- Different type of case that took place nearly two years ago
- An informational website dedicated to Blockchain.com scams and abuses