This is the story of Makrand, who got poorer by Rs 1.2 lakh last week within a few minutes. No, his bank or credit card account was not hacked. His Bitcoin (BTC) account on Unocoin, a trading exchange for the virtual currency, was hacked and money transferred out. The money has vanished since into ether.

Makrand is a fictitious name for our protagonist — he is a data scientist in Bengaluru and wants to stay anonymous because he is running from pillar to post on what to do next. This story is a real life account of what happened to him, and could happen to you too if you are thinking of stepping into the booming world of Bitcoins. Bitcoins have appreciated to over Rs 2 lakh for each BTC from about Rs 50,000 each late last year, placing it among the hottest financial asset class anywhere in the world.

June 1, 2:35 pm: Makrand logs into his Unocoin account on his smartphone app. He is logging in to purchase some Bitcoins. As soon as his transaction is complete, he receives an email from Unocoin, headquartered in Rajaji Nagar, a leafy northwest Bengaluru suburb, with a link for a password reset. This is immediately followed by another email confirming a password reset.

Also read: RBI cautions against use of bitcoins, other virtual currencies

Before he realises what is going on, there are two transactions for 0.40049 BTC, followed by another one for 0.3005 BTC, and then a third transaction for the same amount is attempted but doesn’t go through. Makrand is bewildered. Someone has hacked into and has syphoned off money from his Bitcoin wallet — all in a span of three minutes.

But, who?

By design, the nature of Bitcoin is such that transaction details are stored publicly on the network but the person or user behind any Bitcoin address remains anonymous until they wish to reveal themselves. Also, transactions once completed cannot be reversed.

“The thing with Bitcoin is that the users behind the transactions are anonymous until and unless they voluntarily reveal their identity,” says Makrand. FactorDaily met him and spoke with him several times on phone for this story.

Virtual money, real life hack

The hack was an odd coming together of events. To hack Makrand’s Bitcoin wallet, the perpetrator needed two things: access to his (Makrand’s) Gmail account to get the password reset link and access to his mobile phone number on which he receives the OTP (one time password) for transaction authentication.

How did the hacker get access to both in real time? “I have been using Google Authenticator for two-factor authentication in my Gmail account for years and my mobile number has not been compromised. The hack seems to have happened on the Unocoin server where both the password reset link and OTP are generated,” insists Makrand. (Unocoin’s response to this is below in the story.)

He dug deeper to find the source of the hack. On Gmail accounts, users can check the list of IP addresses — internet protocol addresses that are unique to every device on the earth that accesses the internet — from where their account has and is being accessed. According to Makrand, all the IP addresses that show up on this list during the time of the incident can be identified by him and are not suspicious.

But, Unocoin had sent a mail after the password reset happened with the date, time and IP address from which the reset had happened. According to that detail, the reset was done from an IP address based in Chicago, US from a service called QuadraNet.

These days, it is not very difficult to mask or fake your IP to another country. People often use third-party VPN services or their browser’s in built functions to achieve this, especially to access a geographically blocked content.

According to Makrand, transactions that happen through the mobile app do not need an OTP and are only required for browser-based transactions. He assumes that since he received OTPs for the fraudulent transactions they would’ve happened through a desktop device or browser.

It’s a goddamn hack!

As soon as Makrand realised his account was hacked, he tried moving his remaining balance out of his Bitcoin wallet to another wallet but that transaction was not approved. Thankfully, though, the hackers attempt to transfer Bitcoins out of Makrand’s account also were blocked.

“When a transaction happens it usually takes about four-five minutes from the Unocoin side for it to get approved. I called customer support and since there was no response, sent them a mail alerting them of the fraudulent transaction,” says Makrand. He then drove to the Unocoin office.

On the drive, he realised why the two transactions that went through in the hack of his Bitcoin account were relatively small. He felt that the transactions were done in parts because Unocoin has an auto-approval system for transactions below 5 BTCs making it go through quicker.

Also read: The next three months will be crucial for India’s risk-taking merchants of Bitcoin

On reaching the Unocoin office in Rajajinagar, he was met by a marketing staffer.

“I spoke to him and explained what had happened. He went inside the office and came back after about 10-15 minutes later and said that my account was blocked and the two later transactions (one from the hacker and one from Makrand) were also blocked,” says Makrand. “But the first two transactions had gone through.”

The Unocoin executive asked Makrand to file a complaint about the two transactions that went through and assured him that they would cooperate with the cybercrime police department for any investigation.

Makrand’s head was in a whirl. He had been introduced to Bitcoins early in 2016 when Unocoin had set up a pop-up shop at the business park he was working had helped him set up an account with a small amount of Bitcoins to get started. “I did not use the wallet for nearly a year and then started trading earlier this year.”

Unocoin sees a pattern

Early last week, during the Bitcoin market rally, Unocoin was getting an increased load of transactions, account verification requests and customer support queries.

Interestingly along with this rally, the company also had an uptick in the number of wallet hack reports. Hacks normally are three or four a month, which rose to nine cases.

“Given that the total number of user we have is about 2.7 lakhs, three to four (hacked accounts) are very less and we were able to handle that. So we try to analyse and see where the issue is and explain how it happened and how they can secure their account going forward,” says Sathvik Vishwanath, who cofounded Unocoin in 2013. (Quick disclosure: Blume Ventures, which is one of FactorDaily’s backers, is also an investor in Unocoin.)

The Unocoin transaction process had two different methods for authentication — via an OTP sent to user through email/SMS or code generated using the Google Authenticator app. In the case of OTPs by default, they were being sent to the users email and SMS.

Vishwanath says here lies the pattern: Most of the users who got hacked were using OTPs and not the Google Authenticator.

“Most of the time, what we have seen is whenever there is a report of an account being hacked, the user, instead of activating Google Authenticator, would’ve opted for OTP (SMS-based) and also have opted to get it on the email. The email would then be a single point of failure because the hacker will just use the forget password and then through the OTP which is coming to the same email, he will be able to log in and do a transaction,” says Vishwanath. This, of course, assumes that your email has been hacked in the first place.

Quick response: change OTP options

In light of the recent rise in hacks, Unocoin decided to change the default setting to send OTP to users via SMS only and not emails.

“Initially, we were sending to both (email and SMS) and even now we sent to both but the only change is that by default OTP to email will be off in the settings now,” says Vishwanath. The default was “on” before this. “It is not like a policy change but just a change in the default setting.”

According to Vishwanath, as a precautionary measure, Unocoin also reduced the automatic approval limit to 0.1 BTC temporarily. “We kept it like this for two days and then we were back to the normal limit, which is 5 BTC, after we confirmed it was not a problem at our end or our servers,” he adds.

Another pattern that the company observed was in the sequence of events that took place before the wallets of the nine users were hacked. “We were able to figure out at least the outline of what could’ve happened. In every case the ‘password reset’ (option) was used. Then, they got an email saying that the reset was successful. Then, transactions happened within the next 10 to 15 minutes,” Vishwanath says.

“And the entire chain of operations happens as soon as the user gets some Bitcoins into the account, which means the hacker is continuously monitoring the emails of the user,” the Unocoin CEO adds.

But, a twist in the plot

This Unocoin explanation doesn’t square up with Makrand’s. He claims to have activated Google Authenticator for his Gmail login and was getting OTP only via SMS, not email.

Vishwanath says, if this is so, the mobile device would have been hacked. “In such cases, the user’s mobile phone might be compromised because they have email and SMS access both on the mobile phone,” he says. Indeed, there are incidents of this happening, though rare.

Makrand stoutly refutes this. He says he has got his mobile phone tested from a security analyst and says that the device was not affected by any malware or compromised at the time of the hack. (Editor’s note: we can’t close this loop for you, dear reader. It is a ‘he says, she says’ situation for now.)

Vishwanath also feels that SMSes are also not the most secure way to receive OTPs. “Whenever there is an OTP involved, there are multiple parties getting involved because they have to actually transfer the information from our server to the mobile phone of the user. So, there is an SMS gateway, there is a carrier, and sometimes there will be app on the mobile phone which can read the SMS. It is not that secure yet,” he says.

On June 3, Unocoin published a blog post relating to such incidents that have happened on their service and mentioning a few details about the steps the company has taken. (It had earlier put out a banner notice on its website informing users about the change in OTP setting.)

“We couldn’t inform all customers. The plan was actually to introduce it by actually 10th of June or so but when the issue (hacks) started occurring, we thought rather than trying to inform every customer, let us do this and notified on the main site saying this is what we have done,” says Vishwanath.

Over to the cops?

According to Vishwanath, the first step when any cases of hack is reported is to check if its an internal problem. He is certain that Unocoin’s systems and services a safe and secure. “It was not a server compromise, because then all of our Bitcoins would get stolen, so it is happening at the user end,” he insists.

He feels that some users don’t take security seriously and, of course, hackers are getting smarter by the day. Also, he points out that of the nine recent hacks, eight users used Android devices — generally considered a less secure platform than iOS.

Unocoin is willing to share logs for logins and transactions with the affected user or authorities for further investigation. “We cannot find the IP behind the Bitcoin address, but we can definitely find the IP address of whoever logged in because we log the IP address of the users who logged in,” says Vishwanath. “If the user or whoever wants it for the investigation, we would be happy to provide that information. Whatever information we have on our end…”

To be sure, there have been several reported hacks at Bitcoin exchanges globally and in those cases, the losses were in the millions. A large Bitcoin theft occurred in August last year, when hackers broke into Hong Kong-based bitcoin exchange Bitfinex and stole nearly $70 million worth of Bitcoins.

The biggest hack so far took place in 2014 when hackers broke into Tokyo’s MtGox exchange and got away with over $350 million in bitcoins. According to a news report, nearly a third of bitcoin trading platforms have been hacked.

This is cold comfort for Makrand. Like we said earlier, he — or, rather, the real man behind the Makrand persona — is leaving no stone unturned in chasing his stolen money.

Also read: Bitcoins rally in India on the demonetisation move