An unknown hacker has stolen at least $300,000 in Augur and Ether cryptocurrency from Bo Shen, the founder of venture capital firm Fenbushi Capital, and one of the early adopters of many of today’s cryptocurrencies.
Shen is what cryptocurrency experts call a “whale,” meaning a person or organization that holds so much of a cryptocurrency’s value he can influence its price when moving funds.
It’s exactly this “whale” status that has made maintainers of the Augur cryptocurrency take notice that something odd was happening after the overall Augur trading price had abruptly fallen on December 6, 2016.
A few hours later, Jack Peterson, a developer for the Augur cryptocurrency, was announcing on Twitterthat someone hacked Bo Shen’s phone, took over his email address, and then his cryptocurrency accounts.
This allowed the hacker to move some of Shen’s funds. According to Peterson, the hacker had dumped large sums of Augur and Ether, which affected the trading price for both currencies.
Shen confirmed the hack
While initially there were only rumors, Shen later admitted the hack to CoinDesk. The Chinese venture capitalist didn’t provide exact details of how much the hacker had stolen but said the attacker managed to steal less than $1 million worth of Ether.
Shen didn’t confirm how much Augur he lost, but the hacker, who also took over Shen’s Twitter account, had allegedly bragged about stealing and dumping 110,000 Augur (around $300,000).
Poloniex, the cryptocurrency exchange through which the hacker’s transactions were processed, said on Twitter that they’ve investigated the matter.
“The trades in question were executed via an instant exchanger service, limiting what we can find,” Poloniex said.
Hacker took over Shen’s phone number from his mobile carrier
Peterson said the same hacker had attacked other members of the Augur cryptocurrency project in the past.
The developer also explained on Twitter how the attacker had breached Shen’s accounts.
“In every case their MO [modus operandi; mode of operation] seems to be the same,” Peterson wrote. “Social engineering of cell-phone carriers to get your phone number, then if you have a recovery phone number enabled in your email they use your phone to take over your email.”
“Once they have your email they can use password resets etc. to take over everything else,” Peterson also added.
The developer is recommending that cryptocurrency users avoid adding a phone recovery number to email accounts used for cryptocurrency wallets. He also points users to a blog post with a few basic security tips.
The hijacking of phone numbers at the mobile carrier level is a very common problem, of which the US Federal Trade Commission (FTC) has taken notice earlier this year.
Both Augur and Ether prices have recovered since yesterday’s news of Shen’s hacking. The Chinese investor also holds large accounts in cryptocurrencies such as Bitcoin, Ripple, Bitshares, and Factom, but not suspicious transactions have been reported so far.