Scam Alert: Scammer targets BitBns user; Trader loses 63000 INR

A user lost 63000 INR (~900 USD) fiat, when his account was hacked by a serial scammer on an Indian Exchange.
The other user, whose account was used to steal the funds had no idea even his account was hacked and lost crypto worth INR 13000.
This happened with a Peer to Peer INR transaction. The exchange intervened, but too late to recover all the funds. Total amount was INR 195000.
Two hacked accounts, one exchange, hacker on the run with 76000 INR worth of crypto, here’s the whole story.

When an account of a user is compromised on an exchange, who is to blame?

Is it the exchange? Maybe their security is weak. Why did their system not alert of a suspicious activity? Why did the user not get any notification?

Another camp wants to blame the user. The user must not have 2FA, must have used a weak password and is a victim of a phishing attack, or just dumb enough to share confidential information such as one time passwords.

In today’s case, it is a bit more complicated. The exchange in question is Bitbns, the user who lost money, goes by the name Ram. The other user, who’s account was used to steal Ram’s funds, let call him Arjun, his name is changed on request. Even Arjun lost crypto worth 12-13k INR.

Buckle up, this is a long story.

Contents

1 Introduction to the characters
2 Series of Events
3 The Story of Arjun
4 What is Happening now?
5 Verifying Ram’s story
6 What good is an FIR?
7 To Summarise
8 Read More:

Introduction to the characters

Ram – A bitcoin trader who opened an account on Bitbns cryptocurrency exchange recently, it was approved by Bitbns on Oct 20, 2018. He lost his funds the same day.
Arjun – The user whose account was used to steal Ram’s INR, buy bitcoin with it and withdraw the BTC.
Bitbns – The exchange where the hack happened. The total hack was worth INR 195000, but Bitbns was only able to recover it partially, resulting in Ram losing INR 63000.

Series of Events

Date: October 20, 2018 08:00 to 12:00 – The approval

Ram transferred ~0.4 BTC to his first Bitbns Account.
His account wasn’t KYC approved, so Ram asked for an admin to PM him on the Bitbns telegram group, to request faster KYC.
Ram was messaged by a scammer, pretending to be Bitbns admin Nitin Vaid.
Scammer asked Ram for his email address (for kyc verification), once Ram shared it, scammer asked for an OTP. (When trying to reset password on Bitbns, the exchange sends an OTP to mobile and email).
Ram says he reported the account and deleted the chat. Never received an OTP, never shared any.
At this point, according to Ram, no password or OTP was shared with the scammer. But he cannot prove it as he has deleted this chat.

Date: October 20, 2018 12:00 to 16:00 – The Hack

Ram receives an email from Bitbns, confirming his KYC approval.
He sells his BTC and places an INR withdrawal request for INR 195000.
Ram shared his withdrawal queue (99 or 100), on the Bitbns Telegram group.
Around 15:00 Ram asks Bitbns admin Vaibhav Sharma, how much time it may take for the withdrawal?
Around 16:00 Sharma receives a text from Ram, he’s been hacked and has lost 1.95 lac INR.
Ram received three P2P INR depositor match. One for 100000 INR, one for 95000 INR and another one for 5000 INR. All three were confirmed immediately.

To put some context to it. Bitbns INR deposits and withdrawals are Peer to peer. That means when someone wants to withdraw INR, they will be matched with a user who needs to deposit INR. The depositor will send money to withdrawer's account, withdrawer must confirm they received the money, and only then depositor's bitbns account is credited.

Ram claims that all three transactions were confirmed immediately, but not by him. He never received an email from Bitbns that his P2P transaction is completed.

Coin Crunch India was informed by Prashant Singh, co-founder of Bitbns that email notifications are sent every minute. If the transaction is completed within a minute, the notifications won't be sent.

Date: October 20, 2018 16:00 to October 20, 2018 20:00 – The Investigation

Vaibhav began his investigation by asking Ram for his user ID around 16:05.
Meanwhile Ram reaches out to Nitin Vaid (the real admin) for help.
Vaibhav asks Ram if he confirmed the transaction without receiving the money – Ram says he never confirmed. Coin Crunch has been informed by Bitbns that the reference numbers entered in the request were also bogus.
Nitin accuses Ram of sharing the OTP with a scammer. To which Ram repeats he never shared OTP.
Nitin asks for screenshot of the chat with the scammer, Ram says they are deleted. Now, Nitin says he will do what he can but cannot promise anything.
Vaibhav informs Ram that the other user (Arjun’s) account has been frozen for investigation.
Vaibhav tells Ram that they are recovering his funds that Arjun used to buy BTC.

Date: October 20, 2018 20:00 to October 20, 2018 23:59 – The Recovery

Ram received BTC worth of 1.32 Lacs (~0.27 BTC), that was recovered from Arjun. The rest was sent out of Bitbns from Arjun’s account and cannot be recovered.

A little more detail on Bitbns P2P INR before we proceed. Bitbns allows a user to assign peers for a transaction. For instance, if you want to withdraw some money from Bitbns and a friend of yours want to deposit money, you can assign your friend's user ID to the withdrawal request, resulting in instant matching of the two. This saves a lot of time and comes in handy for large withdrawals.

In a statement by Gaurav Dahake, the CEO of Bitbns, claimed the following
1. The withdrawal amount is large and hence can never be matched in a day, Ram had entered the preferred user ID for matching the deposit. (Preferred user = Arjun’s ID). Ram denied he ever did it.
2. Arjun’s account was already compromised. Hacker used the funds to buy BTC and withdraw it. When Bitbns reached out to Arjun, he said he has confirmed a few BTC withdrawals, rest were frozen.
3. Ram’s account was accessed by a Nigerian IP address twice.
4. Logs on Bitbns show that Ram had confirmed the P2P transactions. Ram denied this.
Ram’s denial of approving transactions or assigning a peer, and access from a Nigerian IP address points to the fact that his account was compromised and controlled by the hacker. How? A theory comes to light when we speak with Arjun.

The Story of Arjun

Arjun is the main arc of the story that gives you a clue of scammer’s modus operandi. On the fateful day of October 20, 2018, a scammer pretending to be Nitin Vaid from Bitbns exchange contacted Arjun after he asked a query on the Bitbns group. The query was about fund transfer from Zebpay to Bitbns.

Arjun shared his email address with the scammer thinking he would help him. The scammer then presumably tried to reset the password for Arjun’s account.

On Bitbns, when you try to reset the password, an OTP is sent to mobile and email. The scammer asked for this OTP to Arjun and he shared it, believing the scammer is an actual Bitbns admin.

Bitbns asks you to enter a new password with an OTP sent to your email and phone

The scammer reset Arjun’s password, set up 2FA with Google Authenticator and began to scam Ram.
Once the scammer had received the INR into Arjun’s account, he purchased BTC with it and placed a withdrawal request.
But a withdrawal request must be confirmed from the email account and scammer did not have access to Arjun’s email address.
So scammer asked Arjun to confirm the request. Stating that this is test withdrawal to check if Arjun’s account is working properly. Arjun complied.
The rest as you know, is history. Arjun ended up losing his crypto worth INR 13000, he tells Coin Crunch India.

What is Happening now?

Ram is demanding that Bitbns give him the details of Arjun, so he can file an FIR against him. Bitbns is not willing to divulge that information.
When we spoke to Gaurav Dahake, he agreed to release all the information to an independent arbitrator if they want to check and verify.
On October 24, Bitbns users received an email with subject “Your Crypto is now safer than ever!”, and announced following security updates:
1. When user disables 2FA for resets password, withdrawal will be paused for 24 hours.
2. Resetting password will log user out of all sessions.
3. User can now log out from all sessions by clicking the button in profile section
4. Manually assigning peer requires 2FA authentication
5. All new IP addresses need to be verified by email.
Ram is also banned on Bitbns telegram group as Bitbns claims he’s spreading FUD by claiming the exchange is hacked and he is trying to connect any deposit or withdrawal issue to it.

Verifying Ram’s story

Everything would make sense if Ram did share the 2FA OTP with the scammer. We will know how the scammer logged in and exploited Ram’s account. But Ram denies it and sadly he has no evidence to prove it.

On the other hand, Arjun confessed to sharing the OTP with the scammer and is not complaining about his lost funds.

Bitbns logs say the IP address of Ram’s session is a Nigerian one, possibly VPN based. If Ram did not share the OTP, the scammer was still able to access Ram’s account, and we don’t know how.

Before you ask the question, why did Ram delete the chat with the scammer? Understand this, whenever you click on “Report spam” while chatting with a user on telegram X, three check boxes appear, checked by default.

Report Spam
Delete Chat
Block User

If you don’t pay attention, you will complete all three actions in a click of a button. It’s fairly common to do so after you have realised the other person is a scammer. But, pay attention next time, you never know when a scammer’s chat can come in handy.

On telegram android app, (not X), when we reported a few users, the chat was automatically deleted and user was blocked.

What good is an FIR?

Ram has been insisting Bitbns to release info on Arjun or the hacker to pursue a police complaint. Bitbns claims to not know who the hacker is. What’s left is Arjun and Bitbns has not released his info.

Now, what good is an FIR against Arjun? If the cops understand that Arjun’s account was compromised, Arjun will walk free. But what if they don’t?

Ram alternatively can file an FIR against the exchange, but once again the same possibilities exist. If Arjun says he was asked to share OTP and he did, will the cops believe that Ram was asked to share the OTP but he did not? There isn’t any proof.

Moreover, how are we going to stop the cops from arresting the real admins, as the scammers used their identity to scam people? Will the cops meticulously research the identity theft?

Authorities as we know are not very cosy to Bitcoin or other cryptocurrencies and exchanges. So for Ram, it is his hard earned money but on the other hand we risk opening a Pandora’s box. Maybe after this article, cyber crime can investigate it suo moto.

To Summarise

Two users Ram and Arjun’s accounts were compromised on Bitbns. Ram’s account was used to authenticate a transfer of INR that never happened. Arjun’s account got credited with that INR, which was used to buy BTC and some of it was sent out of the exchange. Rest was recovered and returned to Ram.

Arjun shared an OTP with a scammer that compromised his account. Ram also spoke to the scammer but claims he never shared an OTP. Bitbns has beefed up the security on the exchange after the incident.

A few things we all must know. Exchanges are never 100% safe. Telegram is full of scammers. Never share confidential information with scammers. Most importantly, do not trade huge amounts before learning about how the exchange works.

So the real question is, who is to blame for the debacle?