AlessandroPiccione, posted June 4, 2019
16 minutes ago, Hero_Member said: If you do not trade, there is no need to keep it on an exchange. Create a new wallet on bithomp for example (and keep your secret safe!), and transfer the XRP there. Or get a Ledger...
I trade.
Hero_Member, posted June 4, 2019
Just now, AlessandroPiccione said: I trade.
Then I would recommend Bitstamp and Binance, and warn you about HitBTC.
Guest, posted June 4, 2019
@gatehub Any updates? Have another friend who just got an email today about the breach - he logged in and saw 260,000 XRP transferred on 5/31 as well. This was also an old wallet.
GateHub, posted June 4, 2019
We want to make it absolutely clear that:
hosted wallets have not been compromised
our cold storage has not been compromised
only a limited number of users that we have sent emails to might have been compromised
We will keep you posted.
Xrylite, posted June 4, 2019
5 minutes ago, Pablo said:
    10 hours ago, JA8 said: I suggest setting up a relevant sub forum / club here and inviting all of those affected to join. Are there any lawyers on this forum?
    There's one or two including me but it's premature to bring in lawyers.
You're absolutely right. There are so many factors still being looked into before anyone can point fingers and carry pitchforks. The more people stopping by and giving fresh insight is certainly helping figure out where the issues may have arisen from. Honestly, it's likely that the aggregate feedback of people here has helped isolate out some possibilities, making it easier for GateHub to figure out what's going on. They can work on investigating if they see anything logged behind-the-scenes, but it helps having first-hand experience for them to not waste time looking into the wrong thing. Things like sharing that there were no "suspicious login" emails suggest that they probably don't need to assume it's just a password breach; or the statements that it seems to be happening almost exclusively to high-value accounts suggest that they have access to a wallet list to find who to focus on for the highest yield.
Also, as a sidenote, lawyers aren't all going to be specialized and knowledgeable in every aspect of law. For example, if someone does family law exclusively, they're not going to have very much to suggest on this matter outside of some best practices. It's the same reason why people in the IT field are assumed to be specialists in both hardware and software xD.
Silkjaer, posted June 4, 2019
On June 1 we were made aware of a theft of 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) and immediately started investigation. It turned out that the account robbed was managed through Gatehub.net, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen substantial amounts from several other XRP accounts, likely to be or have been managed through Gatehub.net. The same day we made contact with Gatehub to make them aware of the potential security breach while continuing our independent investigation and contacting exchanges where the offender appeared to have laundered money.

On further investigation, we found several other accounts connected to the theft, leading us to 9 primary suspect accounts:
rU6EsDCiHHYbTtA4uGGo8zaaiRz2sbDBST
rN5Gm1FijbTVeYFfpTRfGKfNZQY7hc9TbN
rprMix9uYyQng5vgga1Vg8HTeBMCzaeM2i
rUvPCdYJMzzGu9AFKrNeKgCTpxrpFc3RHt
rJpKe5rbjgzzGJc1wm1xqKj6j4UjBQ6s48
rGSWKo2oiJnJiPEoHvDZTK2XG7RtE62Cbh
rpBDxqWArAQTEfPeWwkUvBh1cbc885nirX
r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k
rKZ14F9KT65chQ382M33U41a4eniGMAyfG

From analysing the data, we found the first likely victim to be 10,000 XRP (transaction 30FBBD47F6791A00BF0C1DCFF6CBD8AECBF9EF71141544C031B8FAF3EACB4C41) on 2019-05-30 12:25:40 UTC. As of writing this report, 2019-06-04 12:30 UTC, we gather that ~21,700,000 XRP has been stolen from 50-60 victims, of which ~12,300,000 have already been laundered through exchanges and mixer services. We have, while conducting the investigation, kept contact with some of the victims, with Gatehub and with the exchanges used for laundering.

Scenarios
While there is still no conclusive evidence pointing to the centre of the attack, here are the scenarios researched in our investigation:

1. Gatehub account hacks
From analysing access logs by victims and transactions made on the XRP ledger, it does not appear that any accounts were breached on gatehub.net directly, using client login credentials.

2. Phishing
From interviewing victims, it does not appear that any of the victims had been victims of phishing attempts through, e.g., e-mails impersonating Gatehub.net.

3. Repeating nonce
Since all victim accounts are older than December 2017, and while old accounts are more likely to be vulnerable to bad encryption implementation by transaction signing software, it seems not to be the case. To our knowledge, only a handful of accounts are vulnerable to this attack, none of which are victims of this case.

4. Incremental nonces
While repeating nonces do not seem to be the core of the attack, it is still a possibility that a poorly implemented signing library has used incremental nonces, which makes brute force hacking a possibility. We have not been able to confirm or deny this theory.

5. RippleTrade migration
Since all victim accounts are older than December 2017, and many carry a RippleTrade username, bad practice in handling migration of user accounts could be the cause of the account access – however, it does not appear that all accounts are old RippleTrade accounts. Hence this is also unlikely.

6. Browser client hacking
While it is possible to retrieve user information by exploiting a vulnerability in the Gatehub.net API, we find it improbable to be the cause of the attacks. The victims are spread globally, and any such attacks would likely occur by sniffing access on a shared WiFi.

7. Old database leak
Since Gatehub.com is a hosted wallet provider, they store encrypted private keys. It is possible that an unknown database leak in the past has been exploited and private keys brute forced offline until the offender found the funds retrievable sufficient.

Exchanges and platforms used to launder money (not complicit)
We have identified some of the largest recipients (amounts in XRP):
changelly.com: 6,064,900
changenow.io: 2,976,192
kucoin.com: 1,081,500
huobi.com: 930,000
exmo.me: 136,940
hitbtc.com: 115,028
binance.com: 111,000
alfacashier.com: 58,000

Overview (graph image): Yellow: exchanges and accounts used to cash out; Blue: victims; Red: 9 suspected accounts.
Note: A few victims may have not been channeled through the suspect accounts and have had funds sent directly to exchanges.

A theft that involves multiple victims needs to be handled via law enforcement in various countries. We strongly advise victims to file a complaint with relevant authorities in their jurisdictions.

On behalf of XRP Forensics (https://xrpforensics.org) (Public members: @alloyxrp, Bithomp, @Silkjaer)
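Scenario 3 of the report above concerns repeated ECDSA nonces. As an added example (not part of the XRP Forensics report or of any GateHub or Ripple code), the following Python parses DER-encoded TxnSignature values, the form in which the XRP Ledger carries secp256k1 signatures, and flags any SigningPubKey that has produced two signatures with the same r value, the observable symptom of nonce reuse; the public keys, transaction hashes and signature values are constructed sample data.

```python
"""Scan XRPL-style transactions for ECDSA nonce reuse (scenario 3 above).  In an
ECDSA signature (r, s), r depends only on the per-signature nonce k, so two
signatures by one key with equal r reused k, which lets that key be recovered.
All keys, hashes and signatures below are CONSTRUCTED sample data."""
from collections import defaultdict

def der_encode_int(v: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, 0x00 prefix if the high bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return bytes([0x02, len(b)]) + b

def der_encode_sig(r: int, s: int) -> str:
    """DER SEQUENCE of two INTEGERs as upper-case hex (XRPL TxnSignature form); builds sample data."""
    body = der_encode_int(r) + der_encode_int(s)
    return (bytes([0x30, len(body)]) + body).hex().upper()

def der_decode_sig(sig_hex: str) -> tuple:
    """Parse a DER ECDSA signature into (r, s), rejecting malformed input."""
    data = bytes.fromhex(sig_hex)
    if len(data) < 8 or data[0] != 0x30 or data[1] != len(data) - 2:
        raise ValueError("not a DER SEQUENCE of the declared length")
    pos, ints = 2, []
    for _ in range(2):
        if data[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = data[pos + 1]
        ints.append(int.from_bytes(data[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(data):
        raise ValueError("trailing bytes after signature")
    return ints[0], ints[1]

def find_reused_nonces(txs: list) -> dict:
    """Group transactions by (SigningPubKey, r); two or more in a group means
    that key reused a nonce.  Returns {pubkey: [sorted tx hashes per reused r]}."""
    by_key_r = defaultdict(list)
    for tx in txs:
        r, _s = der_decode_sig(tx["TxnSignature"])
        by_key_r[(tx["SigningPubKey"], r)].append(tx["hash"])
    flagged = defaultdict(list)
    for (pubkey, _r), hashes in by_key_r.items():
        if len(hashes) > 1:
            flagged[pubkey].append(sorted(hashes))
    return dict(flagged)

KEY_A, KEY_B = "02" + "AA" * 32, "02" + "BB" * 32  # constructed compressed pubkeys
SAMPLE_TXS = [  # TX1/TX2 share r under KEY_A; TX4's equal r is under a different key
    {"hash": "TX1", "SigningPubKey": KEY_A, "TxnSignature": der_encode_sig(0xD1CE, 0x1111)},
    {"hash": "TX2", "SigningPubKey": KEY_A, "TxnSignature": der_encode_sig(0xD1CE, 0x2222)},
    {"hash": "TX3", "SigningPubKey": KEY_A, "TxnSignature": der_encode_sig(0xF00D, 0x3333)},
    {"hash": "TX4", "SigningPubKey": KEY_B, "TxnSignature": der_encode_sig(0xD1CE, 0x4444)},
]
```

Run over real ledger history, the same grouping applied per account would show whether any signer of a victim account ever emitted two signatures with the same r, which is the check the report's statement "only a handful of accounts are vulnerable" rests on.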
Hero_Member, posted June 4, 2019
6 minutes ago, gatehub said: We want to make it absolutely clear that: hosted wallets have not been compromised; our cold storage has not been compromised; only a limited number of users that we have sent emails to might have been compromised. We will keep you posted.
So people who really don't know how to create a new wallet, or can't transfer the XRP somewhere else, should probably log into Gatehub and transfer all funds to the hosted wallet.
at3n, posted June 4, 2019
23 minutes ago, AlessandroPiccione said: API exploit, GateHub API? Do you mean PUBLIC web API? I opened a ticket probably 1 year ago asking for API... they don't have it. Right? (Ripple data API is not GateHub API)
Called it. See my previous post here:
AlbertStroller, posted June 4, 2019
Gatehub states it seems that all the hacked accts seemed to have their Ledger accts also hosted on GH. Could the breach have something to do with the method of extracting the secret of a Ledger acct? There's a few vids from different accts on how to do this. Maybe one is nefarious.
Xrylite, posted June 4, 2019
6 minutes ago, Silkjaer said: On behalf of XRP Forensics (https://xrpforensics.org) (Public members: @alloyxrp, Bithomp, @Silkjaer)
A lot of respect for you and everyone else involved with researching this. I don't know much of the backstory, but my impression here is it's something you all are doing out of a courtesy and you weren't hired to do this sort of research. Regardless of whether that's true, that's amazing that there are people working behind the scenes to essentially help people on the Internet.
Maeglin444, posted June 4, 2019
12 mil XRP have already been laundered and cashed out at exchanges. How does that even work? Can't it still be traced to the exchange, and shouldn't the exchange have KYC in place?
Pablo, posted June 4, 2019
I've just been browsing the Gatehub site for the first time and couldn't find the Terms of Use or Legal information on their home page? If anyone can find that for me, please post or DM me. That would have been a red flag for me by the way and should be for all of you roaming the crypto-sphere. I can't comment on Gatehub's reasons but in any other situation it's the type of thing done to cut corners/cost and is typical of an organisation not focused on good corporate governance or risk management.
Also, for all affected users, I suggest you:
1. start looking up all representations and advertising presented at the time you opened your account on Gatehub (not those on the page today). Those representations and inducements will be critical should you need to make a claim down the track.
2. find the terms of use emailed to you at the time you opened an account on Gatehub (assuming this even occurred).
eromyr, posted June 4, 2019 (edited)
27 minutes ago, Pablo said: [Pablo's post above, quoted in full]
Grabbed them earlier today in case they changed/disappeared. Also, 1. and 2. above are critical. No further comment.
https://cdn.discordapp.com/attachments/555840556383600666/585502172729573378/2019-06-04_-_Terms_of_Use_-_GateHub.pdf
https://gatehub.net/legal/terms
Edited June 4, 2019 by eromyr: Added link to GH site
Sukrim, posted June 4, 2019
46 minutes ago, gatehub said: API requests to the victim's accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses, which might be how the perpetrator gained access to encrypted secret keys.
Which API call(s) specifically? When you say "authorized with a valid access token", do you mean "authorized with the valid access token of the user to whom the encrypted account information belongs" or just "a random user's valid access token" that was then able to access the encrypted account information of other accounts?
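The two readings Sukrim distinguishes can be told apart from API access logs. As an added example that is not GateHub's code, log format or API, the following Python flags secret-fetch calls where the token's owner differs from the wallet's owner (the second reading), and IPs whose secret-fetch calls span many distinct wallets (the elevated-call-volume signal in GateHub's statement); the log format, field names, endpoint path, user ids and IP addresses are all constructed.

```python
"""Tell apart the two readings of "authorized with a valid access token" above
by running detection logic over CONSTRUCTED API access-log lines.  The log
format, field names, endpoint path and IP addresses are hypothetical, not
GateHub's.  Each line records the client IP, the user who owns the access token,
the user whose wallet (and encrypted secret) was fetched, and the endpoint."""
from collections import defaultdict

SECRET_PATH = "/wallets/secret"  # hypothetical endpoint returning an encrypted secret key

# Constructed sample log: one IP fetches four different users' secrets with one token.
SAMPLE_LOG = """\
2019-05-30T12:20:01Z ip=198.51.100.7 token_user=u101 wallet_owner=u101 path=/wallets/secret
2019-05-30T12:20:05Z ip=198.51.100.7 token_user=u101 wallet_owner=u102 path=/wallets/secret
2019-05-30T12:20:09Z ip=198.51.100.7 token_user=u101 wallet_owner=u103 path=/wallets/secret
2019-05-30T12:20:12Z ip=198.51.100.7 token_user=u101 wallet_owner=u104 path=/wallets/secret
2019-05-30T12:21:00Z ip=203.0.113.9 token_user=u205 wallet_owner=u205 path=/wallets/secret
2019-05-30T12:21:30Z ip=203.0.113.9 token_user=u205 wallet_owner=u205 path=/balance
"""

def parse_line(line: str) -> dict:
    """Split "<ts> k=v k=v ..." into a dict of fields plus the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def secret_fetches(log: str):
    """Yield only the records that read an encrypted secret."""
    for line in log.splitlines():
        rec = parse_line(line)
        if rec["path"] == SECRET_PATH:
            yield rec

def cross_account_accesses(log: str) -> list:
    """Second reading: a valid token used to read a secret its owner does not own.
    Returns (ip, token_user, wallet_owner) for every such call."""
    return [(r["ip"], r["token_user"], r["wallet_owner"])
            for r in secret_fetches(log) if r["token_user"] != r["wallet_owner"]]

def ips_touching_many_wallets(log: str, threshold: int = 3) -> dict:
    """Volume signal from GateHub's statement: IPs whose secret fetches span at
    least `threshold` distinct wallets, with the count of wallets each touched."""
    wallets_by_ip = defaultdict(set)
    for r in secret_fetches(log):
        wallets_by_ip[r["ip"]].add(r["wallet_owner"])
    return {ip: len(w) for ip, w in wallets_by_ip.items() if len(w) >= threshold}

def authorize_secret_fetch(token_user: str, wallet_owner: str) -> bool:
    """Server-side check that rules out the second reading: the token's subject must own the wallet."""
    return token_user == wallet_owner
```

Under the first reading the cross-account list is empty and only the volume signal fires, which is what makes the answer to Sukrim's question decisive for where the weakness lies.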
Selective, posted June 4, 2019
42 minutes ago, Silkjaer said: [the XRP Forensics report above, quoted in full]
Adding to your amazing work. Two things:
1 - Second transaction to the hacker's address was an incoming transaction from Chloe Hunt (https://twitter.com/saidchloe)
2 - The hacker is moving out all the XRP, and one of the addresses is https://xrpscan.com/account/rGSWKo2oiJnJiPEoHvDZTK2XG7RtE62Cbh which was activated by Dave Dean