$42 000 USD





"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."


"[B]efore this happened to me, I did not even know people can get phised through ad links. I thought it was just something that happens through dodgy emails."


"You could be right. It might be fake. But you just don’t know. I got scammed 1 BTC last week. Literally clicked on an ad in Microsoft Edge for Blockchain.com but it was a phishing site. Who would think Microsoft would allow scammers to easily use their platform. Fair enough I was stupid to fall for it. For some reason I thought having 2fa I would be invincible, what an expensive fucking lesson. Having nightmares about it ever since, but people still called my post fake too. Man these scammers/hackers are the 2nd worse scum of the earth."


"Was the Blockchain.com exchange. Using Google Auth. Emails were not compromised. I’m stupid but if you type Blockchian in Microsoft Edge, the first ad that says Blockchain Wallet comes up. The phis[h]ing website only appears once on a new ip address. Really clever in disguising themselves."


"The website was spoofing. So as I entered the details. The website must have gained access to the real website. Unfortunately blockchain.com doesn’t have 2fa for withdrawals."


"Ok. So full details. When I entered my details, it asked for authorisation via email, it showed my Web Browser and Windows, which was correct (ip address is dynamic so didn’t take note of it), I accepted the notification. Then the log in asked for 2fa, entered that. The screen was ‘loading’ and took too long so refreshed the screen and entered the 2fa again. It still didn’t load into blockchain.com wallet so refreshed again and entered the 2fa. By then I started getting email notification that my Bitcoin was being unstaked. Then I panicked like crazy. Tried logging in several times but it kept saying IP address is locked so did not let me log in. Then got 2 emails saying BTC has been withdrawn. I fucking fainted no joke. When I came too, managed to log in. Account was empty. Contacted support and they said it was my account and seed phrase so was my fault for breach. They said there was nothing they could do. But surely even 1BTC should have required 2fa."


"Looking online at reviews of blockchain.com I am now thinking maybe they withdrew my Bitcoin."


"[M]ore people should talk in more detail about how they got scammed/ hacked/ phished then it will help others from falling victim too."

Blockchain.com is a web wallet where users can log in and manage their funds. Scammers created a fake phishing version of the website which acted as a proxy to the real website. Logging in and withdrawals require a separate 2FA code, however the user is tricked into providing the 2FA multiple times. First the provide it to attempt logging in, and then they provide it a second time for the withdrawal when thinking that their login has failed and needs to be retried. The subsequent 2FA codes are used to complete the withdrawal.


The issue comes about because the blockchain.com wallet uses the same 2FA system for both logins and withdrawals, and doesn't confirm withdrawals by email or provide any window in which a withdrawal can be reverted or cancelled. In general, using an online web wallet is less secure and the vast majority of funds should e stored offline.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.