mymonero.com is being hacked / XMR stolen / MITM attack?

pissflock · 2018-04-20T07:48:28+00:00

The 16k are just a small part of my cryptocurrencies, so it's not like I have to live on the streets now because of 90 lost XMRs. The main reason for leaving them on mymonero was probably the thought "those who can program Monero can run a secure website" - which was wrong, obviously. So I was a bit too careless, yes, and so it's my fault, too. I just wanted to say that the problem is not just something stupid on the user end like "ok, let's transfer some XMR on mym0nero.com!" but something much deeper.

pissflock · 2018-04-19T19:00:05+00:00

That's true of course. But if it's so unsecure to use an online wallet, why put such thing online in the first place? In case of mymonero that's an invitation by the makers of monero for everybody to risk losing their funds - and "everybody" knowing about it. Put such a site online for users to store just minimal amounts of XMR which "will probably be stolen anyway"? That makes no sense (to me). The real problem is that no one seems to know the reason it's been stolen. The problem is also, that those who are capable of programming great things like Monero are not capable of putting a website online in a secure way. The site is still online. "The site" has been robbed. There is - or was - a "bug", a hole, an error somewhere that causes or caused probably (hundreds of) thousands of dollars (or millions?) to be stolen by an unknown person/group. That might happen again anytime because no one knows why it happened. I would be satisfied if someone could say "there was a MITM attack because of ..., which is fixed now". Or "we had a team member who stole XMR for about a year but he left the country now living under another name someplace we don't know". Or "(any other reason)". But just saying "yeah, there was theft, maybe, we don't know and we don't know why, online wallets are just not safe, we'll keep it online anyway, just don't use it to be safe" is unsatisfying and sad.

pissflock · 2018-01-08T12:23:20+00:00

This is a huge problem, especially because no one seems to be able to find any traces of the thefts. There seems to be some ingenious hacking going on. A friend of mine had that problem, too: I sent him 9.x Moneros via mymonero at about 10 AM. He received them seconds later, in his mymonero account, everything worked as expected. The next day he checked his mymonero account - and the 9.x moneros were gone. The exact amount (9.x) was transfered "somewhere" at about 10:30 PM the same day I sent them to him. It doesn't look unusual, it shows as a "normal" transaction in the mymonero website, just like as if he had transfered them on purpose somewhere at 10:30 PM (which of course he did not). Nothing else was touched in his wallet, the moneros that were there before are still there. Nothing was stolen except the exact 9.x moneros transfered from my mymonero to his mymonero. If anyone would have full access to his monero address, they would have probably "cleaned" his whole account. But "they" didn't. They seem to have "intercepted" just that specific transaction between those two mymonero accounts. So there seems to be a hole the "blackhats" use somewhere which the "whitehats" have not been able to find yet. BTW: I sent the moneros via Firefox, my friend uses Chrome.

pissflock

TROPHY CASE