A data scientist, who prefers not to be named, in Bengaluru, India reportedly lost INR 1.2 lakhs ($1875) within a couple of minutes to hackers.

According to Factor Daily, the victim, an account holder at Indian bitcoin exchange Unocoin, logged into his account to purchase bitcoin. Soon after the transaction, he received emails from the exchange – one with the link for resetting the password, followed by another confirming a password reset.

Before he could comprehend, he could see two transactions for 0.40049 BTC and 0.3005 BTC, which the hackers drained from his bitcoin wallet. A third transaction for the same amount was also attempted, but couldn’t go through.

“I have been using Google Authenticator for two-factor authentication in my Gmail account for years and my mobile number has not been compromised. The hack seems to have happened on the Unocoin server where both the password reset link and OTP are generated,” he told Factor Daily.

The victim checked the list of IP addresses on his Gmail account and found nothing suspicious. However, an email sent by Unocoin after the password reset showed that the reset was done from an IP address based in Chicago, from a service called QuadraNet. As people often use third-party VPN to fake their IP to another country, the details could not be relied upon.

The victim reached out to Unocoin with the incident and added:

“I spoke to him [Unocoin marketing staffer] and explained what had happened. He went inside the office and came back after about 10-15 minutes later and said that my account was blocked and the two later transactions (one from the hacker and one from the victim) were also blocked. But the first two transactions had gone through.”

Unocoin steps up security measures

In the wake of such incidents, Unocoin has decided to send the login one-time password (OTP) only to the registered mobile number. The website currently displays the message:

“Dear Customers, going forward for security reasons, we will send Login OTP ONLY to your registered mobile phone number via SMS and NOT to your registered e-mail ID. However, Unocoin strongly recommends to use 2-Factor authentication using Google Authenticator for security purposes.”

In an update published on June 03, Unocoin has provided a basic outline of the sequence of the hacking process after it spoke to its customers:

“Based on our understanding of the same, the sequence of operation starts with the compromised mobile phone or email id which usually is due to the clicking of malicious links, running malicious scripts or installing malicious apps. The hackers are able to monitor the email inbox to see when there is bitcoin deposit. This is when the users are ending up getting the Forgot password link to their email inbox and getting the confirmation email that the password got changed successfully. In some cases, these two emails were found in the trash folder. The apps on mobile phones are so smart that the notification it sent you when an email arrived also disappears if you open that particular email over your computer – hence the user could miss this notification unless he is staring at his phone when the forgot password email arrived. OTP is getting acquired through the email inbox itself if such option is enabled by the user or through an app that can read an SMS. The story is a bit different for each customer but overall this is the outline.”

Unocoin emphasized that there has not been any security breach in its management, services, or servers.

“This is similar to someone’s Gmail id getting hacked and not the Gmail servers getting hacked”, it explained.

Besides sending OTP only to registered mobile number, the exchange has reduced the automatic approval limit so that it can call the customers to confirm their action before manually processing the BTC withdrawals. In addition, it has also forcefully logged out all the mobile app users and reset the credentials and API keys for its SMS gateway which handles the OTPs delivery to customers.