yxxyun

A few users reported their Gatehub wallets being hacked and XRP sent to r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k


31 minutes ago, Silkjaer said:

We have published an updated summary

 

Thanks for this @Silkjaer!

Can’t believe as well that Changelly is top one, since that’s where my stolen XRP went and now cashed out.

@gatehub Silkjaer is pretty much doing your work lol. Yet you guys can’t even release a proper statement.

Don’t tell me you're still investigating at this point of time, it's been nearly 3 weeks now!!!

 

7 hours ago, panmores said:

Probably safe to say now that the thief was a former employee and also took off with KYC data.

I am glad I never did a KYC on Gatehub...


@Silkjaer or anyone else who knows the answer.

The article by @Silkjaer says:  "The stolen funds were not in the custody of Gatehub — they were in accounts Gatehub had custody of the keys for."

Which keys are you referring to?  My understanding is that there is a "secret key," and with Gatehub there is also a "master key" in some cases, and also a "recovery key."  I believe the secret key relates only to the ripple wallet, and the master key and recovery key are to get into the Gatehub account, which gives access to the ripple wallets within the account.

Why would Gatehub have the secret keys?  I thought those secret keys are only held by the wallet holder.  If Gatehub had the secret keys, was that information disclosed by Gatehub on its website or anywhere else?  I would think that almost all of us who hold xrp in a ripple wallet believe that the wallet owner is the only person who has the secret key, and no one else.  And now it seems that is not always the case.  Wondering now what other wallet providers might be holding secret keys.

The article also says "Although they do provide custody service through 'hosted wallets', Gatehub is not an exchange, but a gateway to the XRPL decentralised exchange." 

My understanding is that Gatehub is both an exchange and a gateway (like Bitstamp is both an exchange and a gateway).  Not a big issue, but I am trying to better understand what Gatehub actually is.  

Thank you. 

9 minutes ago, Alluvial said:

@Silkjaer or anyone else who knows the answer.

The article by @Silkjaer says:  "The stolen funds were not in the custody of Gatehub — they were in accounts Gatehub had custody of the keys for."

Which keys are you referring to?  My understanding is that there is a "secret key," and with Gatehub there is also a "master key" in some cases, and also a "recovery key."  I believe the secret key relates only to the ripple wallet, and the master key and recovery key are to get into the Gatehub account, which gives access to the ripple wallets within the account.

Why would Gatehub have the secret keys?  I thought those secret keys are only held by the wallet holder.  If Gatehub had the secret keys, was that information disclosed by Gatehub on its website or anywhere else?  I would think that almost all of us who hold xrp in a ripple wallet believe that the wallet owner is the only person who has the secret key, and no one else.  And now it seems that is not always the case.  Wondering now what other wallet providers might be holding secret keys.

The article also says "Although they do provide custody service through 'hosted wallets', Gatehub is not an exchange, but a gateway to the XRPL decentralised exchange." 

My understanding is that Gatehub is both an exchange and a gateway (like Bitstamp is both an exchange and a gateway).  Not a big issue, but I am trying to better understand what Gatehub actually is.  

Thank you. 

In order to access the wallet you need the secret key. The secret key has to be stored on the server. With your login credentials you can decrypt it and access your wallet. Without it stored on the server you would have to type it in every time.

That's my understanding.

The problem seems to be that these encrypted keys were very weakly encrypted.

Edited by Marvxrp

6 minutes ago, Alluvial said:

Why would Gatehub have the secret keys?  I thought those secret keys are only held by the wallet holder.  If Gatehub had the secret keys, was that information disclosed by Gatehub on its website or anywhere else?  I would think that almost all of us who hold xrp in a ripple wallet believe that the wallet owner is the only person who has the secret key, and no one else.  And now it seems that is not always the case.  Wondering now what other wallet providers might be holding secret keys.

When a Ripple wallet is imported in Gatehub, the secret key is stored encrypted by Gatehub. Whenever a trade is made, the Gatehub password would decrypt the stored secret and sign the transaction. It was some kind of trade-off between user-friendliness and security, as stated earlier by Enej.

Sadly, most people that have been hacked never traded, but only used gatehub as a wallet to HODL....

9 hours ago, Alluvial said:

@Silkjaer or anyone else who knows the answer.

The article by @Silkjaer says:  "The stolen funds were not in the custody of Gatehub — they were in accounts Gatehub had custody of the keys for."

Which keys are you referring to?  My understanding is that there is a "secret key," and with Gatehub there is also a "master key" in some cases, and also a "recovery key."  I believe the secret key relates only to the ripple wallet, and the master key and recovery key are to get into the Gatehub account, which gives access to the ripple wallets within the account.

Why would Gatehub have the secret keys?  I thought those secret keys are only held by the wallet holder.  If Gatehub had the secret keys, was that information disclosed by Gatehub on its website or anywhere else?  I would think that almost all of us who hold xrp in a ripple wallet believe that the wallet owner is the only person who has the secret key, and no one else.  And now it seems that is not always the case.  Wondering now what other wallet providers might be holding secret keys.

The article also says "Although they do provide custody service through 'hosted wallets', Gatehub is not an exchange, but a gateway to the XRPL decentralised exchange." 

My understanding is that Gatehub is both an exchange and a gateway (like Bitstamp is both an exchange and a gateway).  Not a big issue, but I am trying to better understand what Gatehub actually is.  

Thank you. 

On Gatehub you either create a new XRPL account (wallet), and they generate an address and private key for you, or you import an existing XRPL account by entering your address and private key. When you trade on Gatehub (or send money, add trustlines …) their software is doing it for you – and it couldn't without knowing the private key.

However, they do not store this private key in "plain text", but encrypted with your password. So Gatehub cannot do anything with your account for you – only when you have signed in and decrypted the private key for the active session.

Since we have not received any details from Gatehub yet, except for an explanation of an API exploit, we (XRP Forensics) still find the most likely scenario to be a database hack (scenario 7 in https://medium.com/xrp-forensics/overview-of-the-gatehub-hack-f88a441c9203).

Either this hack happened a long time ago, and the hacker has spent years brute forcing the encrypted private keys, OR the database also contained user information (hashed user passwords, e-mail addresses etc.), and they have cracked as many passwords as possible. If the latter, the cracked passwords could be used to decrypt the private keys. We have long believed that the database could have been sold on the dark web, making the hackers and the thieves two different groups of people.

If this is the case, the API exploit is only a "symptom" of the real problem.

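Added example, not part of any post in this thread and not Gatehub's code: a sketch of the password-encrypted key storage described above, plus the check an operator would run to find stored records whose key-derivation cost is too low. The choice of scrypt with AES-256-GCM, the `MIN_KDF` values and the function names `wrapSecret`, `unwrapSecret` and `needsRewrap` are assumptions made for this illustration; the sample secret in the usage is constructed.

```javascript
const crypto = require('crypto');

// Assumed policy floor for scrypt cost (values chosen for this example).
const MIN_KDF = { N: 2 ** 15, r: 8, p: 1 };

// Derive a 256-bit key from the login password; scrypt needs about 128*N*r bytes.
function deriveKey(password, salt, kdf) {
  const opts = { N: kdf.N, r: kdf.r, p: kdf.p, maxmem: 256 * kdf.N * kdf.r };
  return crypto.scryptSync(password, salt, 32, opts);
}

// Encrypt the wallet secret under the password-derived key. The server stores
// only this record, with the KDF parameters kept beside the ciphertext.
function wrapSecret(secret, password, kdf = MIN_KDF) {
  const salt = crypto.randomBytes(16); // unique per record
  const iv = crypto.randomBytes(12);   // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, kdf), iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return {
    kdf, salt: salt.toString('hex'), iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'), ct: ct.toString('hex'),
  };
}

// Returns the secret, or null when the password is wrong or the record was altered.
function unwrapSecret(blob, password) {
  const key = deriveKey(password, Buffer.from(blob.salt, 'hex'), blob.kdf);
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'hex'));
  d.setAuthTag(Buffer.from(blob.tag, 'hex'));
  try {
    return Buffer.concat([d.update(Buffer.from(blob.ct, 'hex')), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}

// Audit helper: true when a stored record is below the policy floor and should
// be re-wrapped with stronger parameters the next time its owner signs in.
function needsRewrap(blob) {
  const k = blob.kdf || {};
  return !(k.N >= MIN_KDF.N && k.r >= MIN_KDF.r && k.p >= MIN_KDF.p);
}

// Usage with a constructed (fake) secret and a legacy low-cost record.
const legacy = wrapSecret('sCONSTRUCTED-EXAMPLE-SECRET', 'hunter2', { N: 1024, r: 8, p: 1 });
console.log(needsRewrap(legacy), unwrapSecret(legacy, 'not-the-password'));
```

A record like this is only as strong as the password and the KDF cost, because whoever holds a copy of the database can test password guesses without the server's involvement.
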
6 hours ago, Geekluca said:

Nice little bullrun for XRP. Too bad I don’t have a single XRP left

Feel really sorry for you mate, keep your chin up, hopefully Gatehub and Ripple will do the right thing.

1 hour ago, faz said:

Feel really sorry for you mate, keep your chin up, hopefully Gatehub and Ripple will do the right thing.

I'm quite disappointed nothing is announced yet; even the investigation is taking forever. Does Ripple really bother? Considering the fact they were the ones who endorsed Gatehub in a way.

And Chris is one of the investors. That's the irony. Gatehub website says backed by. Backed by means what. 

All my investment and hope up in smoke now 

Edited by jlripple
