Liqui.io is a cryptocurrency exchange based out of Kiev, Ukraine. Earlier today, users reported a Ukranian IP had logged in and emptied their accounts. The reports came from the ethtrader subreddit and from the exchange’s trollbox. According to the exchange, someone is trying to brute force users’ accounts and 2FA should be activated immediately.
A few hours after a user posted a reddit thread claiming 3.5 Bitcoins have just disappeared from his Liqui account, the exchange posted the following tweet:
REMINDER: It is imperative to use unique passwords and 2FA for all services.
— Liqui (@Liqui_Exchange) July 27, 2017
According to this tweet, it doesn’t seem that the exchange operators believe their platform was hacked. However, half a dozen more users confirmed the allegations and specified that login attempts have been made from a Ukranian IP (22.214.171.124). One user said:
“Don’t hold anything in my liqui account but just logged in and see there were several failed login attempts yesterday from 126.96.36.199 (Ukraine) and several more attempts earlier in July, starting July 1st from IPs in Brazil & Vietnam. 9 failed login attempts in total, none of them from me. I have 2FA enabled so looks like it has saved my bacon.” –jesusthatsgreat
Another user found an abuse mailbox for that ip range, which is firstname.lastname@example.org. So if you have a Liqui.io account and noticed failed or successful logins from that IP address it would be a good idea to send an email to the above address.
If the perpetrator was smart enough, he used a VPN. However, if the criminal cracked users’ accounts from his home IP address, it is only a matter of time until his identity is revealed. Because the IP address used to login happened to be located in the same city / country as the exchange, many speculate that it may be an inside job. Taking one quick look at Liqui’s trollbox, it is evident that users are displeased with the situation.
It looks like, this was an attack targeted at the exchange. According to Andrew from Liqui:
“Someone trying to brute force users accounts. Usual routine for every exchange. Users should use unique passwords and enabled 2fa.”
While the platform should have had anti brute force countermeasures in place, it is also the users’ responsibility to secure their accounts with 2FA, especially if they hold significant balances. However, hindsight is always 20/20, so if you haven’t yet make sure to turn on 2FA.