
Here’s how someone stole 3 BTC from a CoinDCX user’s account

“So one issue that happened is a person from Haryana (state in India) who had 3 BTC in CoinDCX wallet was hacked of the whole 3 BTC on night of this 13th May.

I am sure that by this time, the above viral message has reached you in one way or another and if it hasn’t, you aren’t paying enough attention to the crypto scene in India. In this article we will dive deeper into what exactly happened in this alleged hack of 3 BTC from a CoinDCX user’s account.

Short on Time? Here’s a quick timeline

  1. Someone hacked into the victim’s email and subsequently tried to log in to the victim’s CoinDCX account.
  2. After failing to enter the correct OTP, which is sent to the victim’s mobile, the hacker used the “Resend OTP” option to receive the OTP on the victim’s email.
  3. After logging in, the hacker tried to withdraw funds, which failed because the withdrawal OTP is sent to the victim’s mobile by SMS.
  4. The hacker changed the 2FA from mobile OTP to Google Authenticator. This could be done without any other OTP.
  5. The hacker then used the new 2FA to enter the OTP for withdrawing funds. The email verification link was accessed from the victim’s email.
  6. All traces of the emails were wiped out, as per the victim.

Incidentally, the semi-viral message above started doing the rounds in the last week of May, more than two weeks after the incident occurred. Within a few hours CoinDCX was being questioned by Crypto Twitter, Telegram users, YouTubers, crypto media and every other who’s who. Even Coin Crunch received messages from users asking us to verify the story and confirm exactly what happened.

There are two reasons to not publish a story hastily.

One – If there is a hack and there is a loophole, it can be exploited again. So we have to try it out ourselves and see whether the issues are patched before exposing it further.

Two – You need to hear, or at least give a chance to, both sides to explain their position. Denying them a platform to voice their opinion is just shitty journalism and playing with people’s sentiment.

Now, after several days, it is time to bring to light what is possibly one of the stupidest mistakes made by everyone. Not the exchange, not the victim, but ours – yours and mine. We invented and propagated Bitcoin. I am just kidding. Obviously mistakes were made and we will talk about them in this article.

What The Hack

This might just be a revision for those who are familiar with the viral message, but it is important to the story. A user in Haryana, let us call him Ram, woke up on the morning of May 13 to 12 SMS messages from CoinDCX, each with an OTP. Some were login OTPs, some were withdrawal OTPs.

When he tried to log in, he noticed that his account had been secured with Google Authenticator based 2FA. Ram had never activated it, so he did not know the code. He could not log in to his own account.

So he contacted CoinDCX support, which religiously asked for his ID card and other documents to verify his identity. Ram gave the necessary proofs, opened his account and saw his little over 3 BTC gone. His account was wiped clean.

Ram is a lecturer in a government college, so 3 BTC is a significant amount for him; as he tells me, that’s pretty much all his savings.

Now, I know, you crypto lovers want to say “Oh, but why keep everything on an exchange” or “Not your keys, not your bitcoin”, but we grew up learning that the bank is where our money is safe, so if I buy my digital assets on an exchange, I will naturally think the exchange is where my assets are safe. Most people invest in crypto to make money.

Ram had put his BTC on lending to earn interest from it. It is lucrative, and neither he nor anyone else should have to fear keeping their crypto on an exchange. After all, exchanges spend a lot of money marketing themselves as secure.

How did the Hack happen?

A hacker was able to access Ram’s Gmail account. How? We don’t know. But as of now, it is certain that Ram’s Gmail account was accessed by someone who subsequently was able to enter CoinDCX with Ram’s credentials.

Is Ram’s CoinDCX password the same as his Gmail password? I asked Ram; he says no.

Was any other exchange where Ram holds an account affected? Ram says no.

Even with CoinDCX’s password, a hacker cannot access Ram’s account without an OTP that CoinDCX sends over SMS. That explains the several login OTPs on Ram’s mobile.

The hack can be separated into two parts: logging in to Ram’s account and successfully withdrawing the funds.

How did the Hacker Access Ram’s CoinDCX Account?

  1. The hacker found that Ram has an account on CoinDCX and managed to log in with his ID and password. We still don’t know how the hacker knew Ram’s password.
  2. CoinDCX sent a mobile OTP which the hacker could not access, and hence they could not get into his account initially.
  3. Eventually, the first loophole on CoinDCX was exploited: the hacker clicked “Resend OTP” on CoinDCX. This triggered CoinDCX to resend the OTP not just to Ram’s mobile as an SMS, but also to his email. The hacker had access to the email. Boom! They were in.

If you try to resend the OTP now, the OTP will not be sent to email. That flaw has been patched. But if someone says to me, “you’re just believing the victim here and have no proof”, I’d like you to take a look at this email I received when I clicked “Resend OTP” on May 25. When I tried the same thing on June 01, it didn’t work. To further solidify the argument that this was the case, the next screenshot shows the latest answer to the FAQ question on CoinDCX, “What should I do, if I don’t receive one-time password (OTP)?”

At the same time, the security protocols listed on the website have no mention of email OTP.

Login OTP sent by email for CoinDCX on May 25, 2020
CoinDCX FAQ on what to do if user does not receive OTP
Security protocols listed on the CoinDCX website don’t mention OTP over email.

It is safe to say that at this point, any hacker with access to a user’s email and their CoinDCX password would have been able to hack into the CoinDCX account. But even WazirX sends an email OTP, so a hacker could enter a user’s WazirX account if they knew the password, right? Right. That’s why logging in is just the first step of the puzzle. A couple of security steps that exist on WazirX were not there on DCX when the issue occurred, which you will read about further below.

Time for question number 2, how did the hacker manage to steal the funds?

How did the Hacker Steal 3 BTC?

Once the hacker was in Ram’s CoinDCX account, they tried to withdraw the funds. After several failed attempts, the hacker was again able to exploit a small loophole in order to successfully remove the funds.

  1. The hacker created a withdrawal request. A mobile OTP was sent to Ram.
  2. The hacker can only enter an incorrect OTP twice; the system freezes the user out for 5 min after three attempts.
  3. The hacker made a couple of unsuccessful attempts, which froze the account for 5 min every time.
  4. Eventually, the hacker changed the Two-Factor Authentication from Mobile SMS to Google Authenticator. To make this change, no OTP is required.
  5. Once the authenticator was set, they simply created a new withdrawal request and entered the OTP from the newly bound auth app.
  6. The hacker already had access to Ram’s email, so they approved the email withdrawal request and the funds were withdrawn from CoinDCX without hassle.

All these steps were replicated by us on my personal CoinDCX account to verify the story, and all of them worked the same way when we tested them on June 01.

How did CoinDCX react?

The official statement from CoinDCX, released on Monday, says the investigation is ongoing and the exchange will reimburse the user fully if it is found culpable of error.

But this statement is just a few days old. The issue occurred on May 13 and, according to Ram, CoinDCX’s support staff investigated the issue for three days and came back to him stating that his email was hacked and hence they couldn’t do anything about it.

Coin Crunch cannot independently verify this particular interaction.

Ram says the exchange “wasted” a lot of his time and that he wanted to complain to the cyber cell, which he mentioned to CoinDCX. They did not pay attention to the issue and eventually it led nowhere. Ram says he still hasn’t received the exchange’s Indian entity address, which he asked for ample times in order to raise a complaint, but he managed to acquire it by other means. He was blocked on both Twitter and Telegram by CoinDCX when he raised his concerns.

CoinDCX, on the other hand, was investigating the issue according to the statement sent to Coin Crunch. Every exchange has a reputation to protect, and one user losing 3 BTC is news that they wouldn’t want spreading without thorough investigation.

Personally, I have always been against blocking people who raise concerns, and it happens in all the exchange groups, not just CoinDCX’s. Most of these people then come to the Coin Crunch Telegram group to raise the issue and we try to help where we can.

The day Coin Crunch spoke to Ram, he refused to share his story as he was already in communication with Neeraj Khandelwal, co-founder and CTO of CoinDCX. After assuring him that we simply wished to analyse the facts, Ram shared his side of the story with Coin Crunch.

Three weeks since the issue, Ram says he has approached the police and is also taking it up on Twitter. For his privacy, we will refrain from stating his name or Twitter handle in this post.

Whose Fault is it?

Coin Crunch took a meticulous approach to the subject by talking to Ram, reaching out to CoinDCX and validating the claims ourselves. The issue at large is whether CoinDCX as an exchange made a mistake or whether Ram as a user was not careful enough.

Every platform has loopholes. The smart ones will find them and report them. The notorious smart ones will find them and exploit them. What matters is what the platform does after someone falls victim to that loophole.

There are five security lapses in chronological order that we can clearly identify.

  1. Ram’s email was compromised. Someone was able to access Ram’s email and identify that he has an account on CoinDCX. That’s the first breach.
  2. Ram’s CoinDCX credentials were compromised. On CoinDCX, if you click “Forgot Password”, the reset link is sent to your email address, but an OTP is sent to the mobile to verify. In this case, we aren’t sure how the hacker obtained Ram’s CoinDCX password. Whether the hacker already had the password, brute-forced it or was able to reset it remains a mystery for now.
  3. Login OTP was sent to email. Ram’s login OTP was sent to his mobile first and then, on clicking “Resend OTP”, it was sent to Ram’s email, which was already under the hacker’s control.
  4. No OTP required to reset 2FA. No SMS OTP was required to change the current system from Mobile SMS to Google Authenticator.
  5. No withdrawal hold after 2FA was reset. CoinDCX did not place a withdrawal hold on the user account after the hacker switched it to Google Authenticator.

Let us talk about each one in slightly more detail.

Ram’s email was compromised, and that is the first breach that led to everything else. But is Ram truly at fault? As average users, we tend not to be very careful with our passwords and apps. Emails can be hacked, but we ought to make sure that we don’t store data in our emails that can lead to another major hack. It is advisable to use stronger passwords, change them frequently and verify from time to time which apps have access to your email.

The question here is whether the exchange can be held liable for funds stolen when the first breach was of the user’s email account.

Is CoinDCX at fault for sending an OTP to email? Many exchanges send OTPs over email, including our very own WazirX. The necessary security standard on an exchange is that no single compromise should be enough to steal funds. In this case, just by accessing the user’s email, the hacker was able to steal the funds. On WazirX, the withdrawal OTP is never sent to email, nor is it on CoinDCX. However, the mere fact that we can no longer receive an email OTP on CoinDCX means that the exchange itself has learnt from the incident and patched it.

I firmly believe that OTPs should not be sent to both email and mobile. They should be sent on one medium, and another verification, such as for logging in from a new device, should be sent on another medium. In the case of CoinDCX, when a new device + IP combination is detected, a verification link is sent to email. Hence an email OTP is not a good idea.

Is CoinDCX at fault for not sending an OTP to the user for resetting 2FA? In 2020, this is a major fail. How can a user change their security setting without a confirmation that they still have access to their previous security token? In 2017-18, almost every exchange allowed you to move to Google Authenticator without the need for an OTP. My company prepared Coindelta’s tutorial for setting up 2FA, where no additional authentication was needed. The idea then was simple: moving from a less secure SMS OTP system to a more secure authenticator-based OTP is a good thing, so no checks there. But it’s 2020; we should be securing accounts with the latest best practices.

By not putting a hold on withdrawals after the 2FA reset, did CoinDCX make a mistake? Finally, yes. This is exactly where CoinDCX failed.

CoinDCX allowed a user to log in from a different device after re-sending the OTP over email, allowed resetting the 2FA after failed withdrawal attempts and without an SMS OTP, and finally allowed the user to make a large withdrawal without any issues. This is not a good sentence to read.

A transaction as big as 3 BTC should have raised a few red flags, even if there was no halt on withdrawals. My theory is that the red flags are switched off in the middle of the night so that genuine users don’t have to wait unnecessarily for withdrawals made at that time.
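To make the three platform-side fixes concrete, here is an added illustration (my own sketch, not CoinDCX’s code) that models lapses 3, 4 and 5 from the list above as account policy and replays the sequence from this article against it. The 24-hour hold window and the 1 BTC manual-review threshold are assumed values, not anything CoinDCX has published.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for illustration, not CoinDCX's real settings.
HOLD_AFTER_2FA_CHANGE = timedelta(hours=24)
REVIEW_THRESHOLD_BTC = 1.0


@dataclass
class Account:
    otp_channel: str = "sms"            # the only channel login/withdrawal OTPs go to
    twofa_method: str = "sms"           # "sms" or "authenticator"
    twofa_changed_at: Optional[datetime] = None


def resend_otp(acct: Account) -> str:
    """Lapse 3: a resend re-delivers on the original channel; email is never a fallback."""
    return acct.otp_channel


def change_2fa_method(acct: Account, new_method: str, current_otp_ok: bool, now: datetime) -> bool:
    """Lapse 4: switching factors requires a valid OTP from the factor being replaced."""
    if not current_otp_ok:
        return False
    acct.twofa_method, acct.twofa_changed_at = new_method, now
    return True


def request_withdrawal(acct: Account, amount_btc: float, otp_ok: bool, now: datetime) -> str:
    """Lapse 5: deny on bad OTP, hold inside the post-2FA-change window, route large amounts to review."""
    if not otp_ok:
        return "denied"
    if acct.twofa_changed_at and now - acct.twofa_changed_at < HOLD_AFTER_2FA_CHANGE:
        return "held"
    return "review" if amount_btc >= REVIEW_THRESHOLD_BTC else "approved"


def replay_incident(now: datetime = datetime(2020, 5, 13, 2, 0)) -> dict:
    """Replay the article's sequence against the hardened policy and report each outcome."""
    acct = Account()
    out = {"resend_channel": resend_otp(acct)}                       # stays "sms"
    # Email access alone gives no valid SMS OTP, so the switch to the authenticator is refused.
    out["switched_2fa"] = change_2fa_method(acct, "authenticator", False, now)
    # Even a legitimately verified switch parks a 3 BTC withdrawal until the hold expires.
    change_2fa_method(acct, "authenticator", True, now)
    out["withdraw_in_hold"] = request_withdrawal(acct, 3.0, True, now + timedelta(hours=1))
    out["withdraw_after_hold"] = request_withdrawal(acct, 3.0, True, now + timedelta(hours=25))
    return out
```

Each of the three functions closes one of the gaps the hacker walked through; only the email compromise (lapse 1) and the unknown password leak (lapse 2) remain outside the exchange’s control.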

There you are: Coin Crunch reported the story from all vantage points, and I am pretty sure no one will truly care about it because it’s just easier to yell “Exchanges are not safe” or “Users should not keep crypto on exchanges”.

All exchanges need to learn from their mistakes. Here, whether we trust an exchange or not, if it is ruled that CoinDCX was at fault, then the exchange must ethically compensate the victim. But do they have to? It depends on their own policies. This is also not the first time users have lost funds on Indian exchanges.

Media, influencers, YouTubers and analysts are not judges or jury. A thorough investigation will fill in the gaps in the above report, and it should be done sooner rather than later.

What do you think about the issue? Let us know in the comments below!

Update: CoinDCX official statement was added.