This is hard for me to write as I have felt like an idiot over this for weeks. Here is a story of a good amount of stolen BTC. If you don’t care for the story, you can skip to my recommendations, and please follow them so this does not happen to you!
It starts with me realizing on a Sat afternoon that Bitcoin Cash was at $800 and wanting to trade out of them I was at home and picked up my laptop. I googled the name of the exchange instead of using a bookmark and ended up on a bad link. You guessed it, a phishing site.
I thought I was login onto my PoloniEX account, but instead I gave my login to someone else. After the initial screen for the exchange, the site asked for my gmail credentials with a window that looked like the exchange under the premise of additional security. I had a moment of hesitation but not enough to close the window and start again. My urge to trade out of BitcoinCash after the spike was too big. The site operators or hackers got access to my gmail too.
Right away, I received an email telling me that there was a successful login onto my account (email 1). I did not think much of it since I thought it was me. I did not take the time to read it and see where the login was coming from (2017-8-19). I would have seen from the IP location that it was NOT me. A minute later, another email popped-up telling me that email notifications for withdrawals or 2 factor auth for withdrawals (not sure which one) was disabled (Email 2). That’s when I knew something was wrong. Fortunately, because I was on my laptop where the email message popped-up in the bottom right hand corner. Not sure if I would have seen it otherwise. I immediately changed my Gmail password to avoid mass destruction, asked google to recover the emails that were deleted from my account (as part of the security check after seeing the unauthorized PC that logged in). I took a minute to collect my thoughts and make sure my Google account was secure.
Minutes later, I submitted a ticket to the PoloniEx Support team which you need a separate login credentials for (now I know why). Sadly, I missed the email they sent back to me a few minutes later with instructions to freeze the account. I saw that a couple of hours later and froze the account. Acting within a couple of minutes may have changed the outcome, but one would have to be really quick to freeze the account. Best would have been to freeze it right as you receive the Login email notification.
From there it took until 2017-10-05, for me to gain access to my account. You read that right, almost 2 months. During that time, there was a long waiting period due to PoloniEX being understaffed (I assume), then a few weeks to re-authenticate me and finally unlock the account.
I was very nervous when I logged in, may be because I still had a slight degree of hope. In any case, I realized quickly what happened. All the coins I had, including BitcoinCash, and a few others, were sold for BTC using the exchange. Then, the BTC balance was transferred out. All that in 3 minutes.
Surprisingly, I was left with a fraction of a BTC and my whole STEEM balance. May be they wanted to be “nice” and not wipe me off completely. I am now moving on. This post is part of me doing that. I believe in the Blockchain & future of the industry, this won’t change my commitment. I am using my experience to learn and educate. Please read the below.
Recommendations for users:
Always use a bookmarked links for any financial transactions.
Best to do it from the place you usually do it from when things are quiet and normal around you.
Have 2 FA with google authenticator, not your phone number.
If anything looks fishy, start over. Nothing is urgent such that you cannot restart to be sure you are in the right place.
Do not give email credentials under any circumstances.
Only keep a small amount on exchanges and store your coins in a Trezor type wallet.
Recommendations for exchanges @poloniex (some may have):
Put more clearly in the email notification of a login where the login was from and instructions in case it is not recognized.
When there is a login and within one (or five) minute the 2 factor authorization for withdrawal is removed, let’s have a 24hour cool off period. It will protect people from hackers taking their coins before they can freeze the account without inconveniencing regular users. Who would remove 2 step verification for withdrawals and need to withdraw right away? If it is a legit withdrawal, one would be fine with the 2 step setting.
Please consider upvoting and resteeming this helpful post. Thank you for reading.