Forum users were being redirected to a phishing site, which was prompting the users to input two-factor authentication codes that were used to access user accounts and empty them of all their Bitcoin.
LocalBitcoins Forum Compromised, Reddit Users Report
According to a PSA on Reddit posted by u/bitcoinbabeau, LocalBitcoins has been compromised and the site’s forum landing page has been redirecting users to a phishing site. Once at the phishing site – designed to closely mimic the actual LocalBitcoins forum in order to dupe users – users were prompted to log in and enter sensitive two-factor authentication codes.
After the hackers gained access to users’ sensitive account data, the accounts were emptied of all Bitcoin.
LocalBitcoins has “temporarily disabled” its forum, according to the splash page message. The message also directs users to the LocalBitcoins subreddit, where horror stories are already being shared.
@LocalBitcoins has apparently been compromised. Users are claiming its forums were redirecting them to a login page that was a phishing website.
— Francisco Memoria (@FranciscoMemor) January 26, 2019
“Yeah I think I was the first to get cleaned out. 0.14btc. 5 victims going to one wallet. And that’s just one wallet we know about that belongs to the attacker,” reported u/tefl0ncc.
Another user claimed to be cleaned out of 11 BTC total.
One user posted the hacker’s wallet address, which appears to have received only 7.95 BTC across 5 transactions. This already amounts to over $28,000 in Bitcoin. However, additional wallet addresses may be involved considering the report of 11 BTC being stolen from another user.
LocalBitcoins Phishing Attack: Was DNS Spoofing to Blame?
As of the time of this writing, LocalBitcoins has yet to comment on the matter, but does appear to be aware of the situation considering its prompt response in taking down the forum.
How the attack occurred isn’t yet clear; however, it appears to be a fairly common DNS spoofing attack. Hackers use DNS spoofing to maliciously redirect users from one site to a fake one, usually designed – just like in the case here with LocalBitcoins – to steal users’ sensitive personal information and use it to access their accounts.
Not your vault, not your gold. https://t.co/ThSkkuXGqO
— Jesse Powell (@jespow) January 25, 2019
Reddit users also suggest that the hacker “used some sort of script to use the 2FA code entered by the user to withdraw the bitcoin.”
Last year, the popular Ethereum and ERC-20 token wallet MyEtherWallet was also targeted in a DNS spoofing attack. Users then logged into the fake site they were redirected to, allowing hackers to gain access to their funds.
Users can protect themselves by always double-checking the URL of the page they are currently on, and should always look for the lock next to the URL indicating that the page has a secure connection.
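What double-checking the URL means in practice, as an added example that is not part of the original article: a Node.js check that parses a link the way a browser does and compares its host with the expected domain. The domain `localbitcoins.com` and the sample links are assumptions constructed for illustration.

```javascript
// Added example, not from the article. EXPECTED_DOMAIN is an assumption:
// the article does not state the site's real hostname.
const EXPECTED_DOMAIN = "localbitcoins.com";

// Parse a link as a browser would and decide whether its host is the expected one.
function checkUrl(raw, expected = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Anything before "@" is userinfo, not the host the browser connects to.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo before the host" };
  }
  // URL lowercases the host and encodes non-ASCII labels as punycode ("xn--").
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode label (possible homograph)" };
  }
  // Accept the exact domain or a true subdomain; a bare suffix test without
  // the leading dot would also accept "notlocalbitcoins.com".
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, reason: "host matches" };
  }
  return { ok: false, reason: "host differs from expected domain" };
}

// Constructed sample links (the .example hosts are placeholders).
const SAMPLES = [
  "https://localbitcoins.com/login",
  "http://localbitcoins.com/login",
  "https://localbitcoins.com@login.example/",
  "https://localbitcoins.com.login.example/",
  "https://notlocalbitcoins.com/login",
  "https://l\u043ecalbitcoins.com/login", // Cyrillic "o" in place of Latin "o"
];
for (const link of SAMPLES) {
  const { ok, reason } = checkUrl(link);
  console.log(`${ok ? "OK    " : "REJECT"} ${link} (${reason})`);
}
```

The padlock only shows that the connection is encrypted, and a phishing host can hold a valid certificate for its own name, so the hostname comparison is the part that matters.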