princesultan, posted June 4, 2019:

> 1 hour ago, baggy23 said:
> Sad. This must be a fortune in your country

Pretty much a fortune in any country

Pixelboy, posted June 4, 2019:

Really scary stuff, hopefully this problem is sorted out and everything is refunded to new wallets. Stay positive.

YWON, posted June 4, 2019:

I just reported this incident to local police and also reported to Internet Crime Complaint Center. If there are any other sources that I can get help from, please share them with me.

Drew, posted June 4, 2019:

Nice, my 2fa isn't working to check my account - I got the email also. Luckily minimum amounts in GH accounts - but still hundreds of $ at least :-(

Peponut, posted June 4, 2019:

I just did the same and filled the report at the Police department in Oslo after a tough day at work... Trying to avoid drama here, you can probably imagine. Let's hope this has a good ending. Thanks for the feedback guys!

AlessandroPiccione, posted June 4, 2019:

> 7 hours ago, Borry said:
> One thing is noteworthy about GH. Under "show secret key" you can simply see / get the ripple secret key. So, yes it's stored somewhere (encrypted I hope?) But it's definitely going via GH's website. Maybe the hackers found a way to retrieve this information. Anyway, this should be changed or at least removed (or only sent to the confirmed mail address).

Where can I find "show secret key"? I can't find it in any section (Home, Wallet, Trade... Settings).

AlessandroPiccione, posted June 4, 2019:

Moving the XRP (4k) from an old Ripple wallet in GateHub, temporarily/permanently to an exchange like Bitstamp/YooBit/HitBtc or Poloniex is a good move?

Dymac, posted June 4, 2019:

> 3 minutes ago, AlessandroPiccione said:
> Moving the XRP (4k) from an old Ripple wallet in GateHub, temporarily/permanently to an exchange like Bitstamp/YooBit/HitBtc or Poloniex is a good move?

Don't keep any DA on any exchange. Get a Ledger Nano S or similar.

fiik, posted June 4, 2019:

> On 6/2/2019 at 6:30 PM, yxxyun said:
> But most of these accounts have no activity for a long time, maybe it's safe for the hacker to hack them as the owner had already forgotten these accounts.

yxxyun did it!

Hero_Member, posted June 4, 2019:

> 10 minutes ago, AlessandroPiccione said:
> Moving the XRP (4k) from an old Ripple wallet in GateHub, temporarily/permanently to an exchange like Bitstamp/YooBit/HitBtc or Poloniex is a good move?

If you do not trade, there is no need to keep it on an exchange. Create a new wallet on bithomp for example (and keep your secret safe!), and transfer the XRP there. Or get a Ledger...

Pablo, posted June 4, 2019:

> 9 hours ago, JA8 said:
> I suggest setting up a relevant sub forum / club here and inviting all of those affected to join. Are there any lawyers on this forum?

There's one or two including me but it's premature to bring in lawyers. What really needs to happen first is a proper triage: identify the threat, contain it, minimise exposure/loss and then do a root-cause and start thinking about legal/contractual remedies. In roughly that order. From what I'm reading here and on Reddit, we're still at step 1.

moncho, posted June 4, 2019:

> 19 minutes ago, AlessandroPiccione said:
> Where can I find "show secret key"? I can't find it in any section (Home, Wallet, Trade... Settings).

Hi. It's in the advanced options of your wallet: https://gatehub.net/blog/import-a-wallet/

AlessandroPiccione, posted June 4, 2019 (edited June 4, 2019):

> 6 hours ago, at3n said:
> This has not been proven, in theory the attackers only need the encrypted keys. Something that no-one has mentioned yet, is the possibility of an API exploit. If the Gatehub API had a vulnerability that leaked encrypted keys to an attacker, that would be sufficient to allow a brute-force attack over time. That would be a totally different type of attack to a database breach.

API exploit, GateHub API? Do you mean PUBLIC web API? I opened a ticket probably 1 year ago asking for API ... they don't have it. Right? (Ripple data API is not GateHub API)

pvap, posted June 4, 2019 (edited June 4, 2019):

Forget about 2FA. Your secret key is merely encrypted and saved in one of gatehub’s database servers. The only way to decrypt it is through the use of your password, with some unknown algorithm. This is why you can view your secret key just by inputting your password on the site.

Someone probably managed to retrieve all of gatehub’s database encrypted secret keys, and then brute forced the heck out of them offline. The secret key just needs to start with an ‘s’ and have a fixed number of characters.

It was an inside job I guess... only way to know the decryption algorithm! I remember there were some tech guys leaving gatehub a year ago.... That’s why this is happening with old accounts only. As I said, someone probably left the company a while ago and took all the encrypted secret keys with him. This person has probably been bruteforcing the decryption of these keys offline for quite some time now.

It’s just a two stepper really:

1- Bruteforce all the encrypted secret keys offline, with a powerful processing machine;
2- Save all the decrypted secret keys starting with a ‘s’ and having a fixed number of characters;
3- Translate this list of secret keys to the corresponding public addresses;
4- Check their balances;
5- Steal everything you can;

Hopefully the hacker has no access to recent encrypted keys in gatehub’s database servers, since he’s left the company already... but others do! That’s why I highly advise you to take your xrp off there and put it in cold storage.

Regards

GateHub, posted June 4, 2019 (edited June 4, 2019):

Dear valued community members,

Recently, we have been notified by our customers and community members about funds on their XRP Ledger wallets being stolen, and we immediately started monitoring network activity and conducted an extensive internal investigation. Although we have not identified any action or omission by GateHub that may have facilitated or allowed this apparent theft to occur, we apologize deeply to all of our customers for this issue and pledge to get to the bottom of it.

We already sent out an email to all users that might be affected as a result of suspicious API calls with instructions on how to protect their funds. If you received an email from us, please read it carefully and act accordingly. If you have not received an email from us, then we have no reason to believe your account was compromised.

While the investigation is still underway and we cannot post any official conclusions just yet, here are a couple of findings so far. API requests to the victim’s accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys. That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped.

At the moment we estimate that 58 XRP Ledger wallets were compromised. So far it looks like all the victims had their XRP Ledger wallets hosted on GateHub, but we cannot yet rule out that some wallets were not.

To conclude the investigation as soon as possible, we are working closely with a professional IT forensics team to determine whether our system was compromised or not. Appropriate Law Enforcement Agencies were also notified about these thefts, and we will work diligently with them to help track the perpetrator who did this. We will post an official statement after the internal investigation has been completed.

Last but not least, we would like to thank the community for offering continuous help. If you have any information that might help us or law enforcement agencies, please contact us via security@gatehub.net.

Enej Pungercar
Founder and CEO, GateHub

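Added example, not part of the original thread and not GateHub's code: one way to surface the pattern the statement above describes (valid access tokens presented in bulk from a small number of IP addresses) from an API access log. The log layout, token ids, endpoint paths and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, source IP, token id, endpoint.
# Layout, token ids and endpoint paths are assumptions for illustration.
SAMPLE_LOG = """\
2019-05-31T10:00:01 192.0.2.10 tok-a1 /wallet/balance
2019-05-31T10:00:05 203.0.113.50 tok-b1 /wallet/secret
2019-05-31T10:00:09 203.0.113.50 tok-b2 /wallet/secret
2019-05-31T10:01:12 192.0.2.10 tok-a1 /wallet/history
2019-05-31T10:01:30 203.0.113.50 tok-b3 /wallet/secret
2019-05-31T10:02:02 203.0.113.50 tok-b4 /wallet/secret
2019-05-31T10:02:40 198.51.100.7 tok-c1 /wallet/balance
2019-05-31T10:03:15 203.0.113.50 tok-b5 /wallet/secret
2019-05-31T11:30:00 198.51.100.7 tok-c2 /wallet/balance
"""


def parse(log_text):
    """Yield (timestamp, ip, token, path) tuples from the text log."""
    for line in log_text.strip().splitlines():
        ts, ip, token, path = line.split()
        yield datetime.fromisoformat(ts), ip, token, path


def flag_token_fanout(events, window=timedelta(minutes=10), max_tokens=3):
    """Return {ip: peak} for IPs that presented more than max_tokens
    distinct access tokens inside any sliding time window.

    Every request here carries a valid token, so failed-login or
    brute-force alerts stay silent; the signal is one source address
    acting on behalf of many different accounts.
    """
    by_ip = defaultdict(list)
    for ts, ip, token, _path in sorted(events):
        by_ip[ip].append((ts, token))
    flagged = {}
    for ip, hits in by_ip.items():
        start, peak = 0, 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {tok for _ts, tok in hits[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak > max_tokens:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_token_fanout(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} distinct tokens inside one window")
```

The threshold needs tuning against real traffic, since shared NAT or corporate egress addresses can legitimately carry several users' tokens.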