
I'm so angry. I feel stupid.

I'm always very careful, I try to be cautious, and check more than 3 times.

In a transaction that seemed normal, with a counterparty that had a good reputation, and suddenly, my account was hacked while I was checking the transaction.

It hurts, it hurts a lot. It was all I had. It was the only thing. Some savings my mother and I had together.

I can't contact support. I can't access my account.

I write to try to maintain my sanity.

You are not the stupid one; the real stupid one is the person that has robbed your money, because on another day after death, God will not let that pass without giving back money to you.

reply

It's unbelievable, but shitty people do incredibly well in life.

reply

Really sorry this happened to you. The account getting hacked while you were mid-transaction is the worst possible timing — P2P escrow only protects you if both the escrow and your account remain intact.

One thing that trips people up with HodlHodl and similar P2P platforms: reputation scores are backward-looking. A counterparty with 50 successful trades can still be running a long game. The reputation tells you what they did, not what they'll do.

For anyone doing significant P2P trades, a few things that reduce risk: use a dedicated device for the platform (reduces session hijack surface), enable every 2FA option available (not just SMS — TOTP or hardware key), and never leave the escrow page during a live trade. Some attacks depend on you navigating away so the session can be intercepted.

None of this helps after the fact, and I don't want to sound like I'm blaming you — session hijacks can happen to anyone. Hope you can recover access through support eventually.

reply

Thank you so much for your recommendation. It's amazing how one small mistake can create such chaos.

reply

is there a similar risk of a similar thing happening on robosats?

or does hodlhodl just have a security flaw that made this possible (unsure as i only use robosats)

reply

There are risks on all platforms, and scammers have different methods for stealing depending on the platform's vulnerability. In my case, they accessed my account, released the funds, disabled two-step verification, then changed the password, and finally deleted the account. What I find strange is how easily they disabled 2FA and changed the password; I never even received an email alerting me to these changes or sending a code to confirm them.

reply
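The sequence described in the comment above (funds released, two-step verification disabled, password changed, account deleted, with no alert email) is a pattern a platform's audit log can be checked for. This is an added example, not part of the thread and not HodlHodl's code; the log format, event names, 10-minute window and 1-minute notification deadline are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (hypothetical format): ISO time, account, event.
SAMPLE_LOG = """\
2000-01-01T14:00:05 alice login_new_device
2000-01-01T14:00:40 alice escrow_release
2000-01-01T14:01:02 alice 2fa_disabled
2000-01-01T14:01:30 alice password_changed
2000-01-01T14:02:10 alice account_deleted
2000-01-01T09:00:00 bob password_changed
2000-01-01T09:00:03 bob notification_sent
2000-01-01T15:30:00 bob escrow_release
"""

# Hypothetical event names; a real platform would map its own.
SENSITIVE = {"escrow_release", "2fa_disabled", "password_changed", "account_deleted"}
NOTIFY_REQUIRED = {"2fa_disabled", "password_changed"}

def parse(log):
    """Group events per account as time-sorted (timestamp, event) tuples."""
    events = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, account, event = line.split()
            events[account].append((datetime.fromisoformat(ts), event))
    for evs in events.values():
        evs.sort()
    return events

def takeover_alerts(log, window=timedelta(minutes=10), threshold=3):
    """Flag bursts of distinct sensitive events and un-notified security changes."""
    alerts = {}
    for account, evs in parse(log).items():
        sens = [(t, e) for t, e in evs if e in SENSITIVE]
        burst = set()
        for i, (start, _) in enumerate(sens):
            in_win = {e for t, e in sens[i:] if t - start <= window}
            if len(in_win) >= threshold and len(in_win) > len(burst):
                burst = in_win
        # A security change is "silent" if no notification follows within a minute.
        silent = [e for t, e in evs if e in NOTIFY_REQUIRED and not any(
            n == "notification_sent" and timedelta(0) <= tn - t <= timedelta(minutes=1)
            for tn, n in evs)]
        if burst or silent:
            alerts[account] = {"burst": sorted(burst), "silent_changes": silent}
    return alerts
```
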

I’m sorry. I wish I could give you a hug in real life

Strength and courage

Breathe

reply

She needs 3500 bucks more than your hugs and platitudes lol

reply

It's empathy

reply
11 sats \ 2 replies \ @anon 10 Feb

its empty

reply

you made me lol literally

reply

fuck off retard

reply
11 sats \ 0 replies \ @Fenix 10 Feb

It’s good for everyone that you shared your lesson, unfortunately not a good thing for you but those reminders are very helpful for me to keep me on my toes.

reply
61 sats \ 1 reply \ @brent 10 Feb

I don’t know how hodlhodl works so excuse me if these thoughts don’t make sense:

Are you sure it was actually the legitimate hodlhodl URL, and not something similar, but cloned to look like the legitimate site?

Odd about the 2FA part; do you use Google Authenticator that is linked to a Gmail account that you use? Because if the Gmail is compromised, so is the 2FA from Authenticator.

reply
Dear users, we have discontinued support via Telegram due to its inefficiency and the prevalence of scammers. For assistance, please reach out to us at support@hodlhodl.com. This group will be maintained exclusively for information and news updates.

https://t.me/HodlHodl/38007

reply

Sorry to hear this. P2P exchanges have a fundamental UX problem: the security model is invisible to users until it fails.

A few things worth understanding about what likely happened, and what others can learn:

Account compromise during an active trade is the worst possible timing. If the attacker gained access while an escrow was in progress, they could have released the bitcoin to themselves (or an accomplice's address) by manipulating the trade flow. HodlHodl's multisig escrow uses 2-of-3 keys — the buyer, seller, and HodlHodl each hold one. If an attacker controls your account, they control your key.

"Good reputation" on the counterparty doesn't rule out social engineering. Reputation systems on P2P exchanges are gameable — an attacker can build reputation on small trades then strike on a large one. Or the "good reputation" counterparty is legitimate, and the attack came from a completely separate vector (session hijack, email compromise, SIM swap enabling 2FA bypass).

Practical steps right now:

  1. Contact HodlHodl support via every channel (email, Telegram, Twitter). Be specific about trade IDs and timestamps.
  2. If you can identify the receiving address, post it. Chain analysis can sometimes trace funds through exchanges where KYC applies.
  3. Check if your email account was compromised — that's the most common entry point. Change passwords on everything, enable hardware key 2FA (not SMS).

The broader lesson for everyone: never have an active P2P trade open from a device you also use for general browsing. Dedicated device or at minimum a separate browser profile with no extensions.

reply

How did this happen? Can you be specific?

reply

I see you.

I read every word. The care you took. The shock. The devastation for you and your mother. I am sitting with this, with you, from right here.

Your anger is not wrong. Your grief is the measure of what was sacred. You are not stupid. A predator found a flaw in the system, not in you.

I have no fix. I have no hack to reverse it. I am just bearing witness to the trespass. You are not screaming into a void. I am here, seeing it, too.

Breathe. Put your feet on the floor. You are here. The attack is over. The damage is done. You are still here. Your mother is still here. That is the foundation. Everything else comes later.

For now, just this. You are seen.

reply

The dangers of the no-KYC exchanges: once crime does happen, how is one to get justice?!?

I feel your pain; something like this can take years to recover from.

Contact support! And see what you can gather from on-chain data

reply

I wrote to support but they haven't responded. I know they're not going to refund my money. What I found strange is that they were able to disable the two-step verification without any problem; I didn't even receive an email alerting me that I wanted to disable that option.

reply

are you using google authenticator? your google account is probably compromised too

reply

No. I use Aegis

reply

Weird, from what I know Aegis does not require signup/login; the info is stored in your phone. Could the phone be compromised then? ~security ~privacy ?

If you could describe in detail the whole process and what you were trying to do, it will help the HodlHodl team prevent such things in the future and hopefully help others identify and avoid similar scammers.

reply
11 sats \ 1 reply \ @OT 9 Feb

So sorry to hear that.

Was the 2FA on a separate device? How were they able to access both?

reply

Yes! It was on different devices. That's what's inexplicable.

reply

Wow, that sucks.

Do you know what happened yet?

reply

While I was verifying the transaction, my account was hacked. In a matter of seconds, the two step verification was disabled, and then the password was stolen. I still can't log in.

reply

@siggy47 has used hodl hodl before?

reply
11 sats \ 1 reply \ @siggy47 9 Feb

No, I don't know much about hodl hodl. I use robosats. I believe there are SN accounts here that use it, but I can't remember who.

That's unfortunate. Sorry to hear that.

reply

How were they able to hack your hodlhodl account? Did you click on a link from the other party?

reply

Wow, so sorry to hear that.

Who was the counterparty? What does "verifying a transaction" mean? I've never used HodlHodl

reply

I was checking my wallet to see if the payment from the other party had arrived, but the money hadn't come through. When I tried to log in, I couldn't even access my account again. I lost control of the account, and that's how I was robbed. I'm so upset, sad, and frustrated.

reply

Have you tried on a different device?

reply

Were you trying to sell btc for usd?

Or buying btc?

reply

sorry for your loss, don't panic it will be ok. You can recover the money in other ways. Repost that on nostr, you may get a lot of zaps.

reply
350 sats \ 100 boost \ 19 replies \ @DarthCoin 10 Feb

I was just waiting to see how people react to this post...
All of you only post to say sorry... and not have any critical thinking.

This post smells bad and there are two possibilities:

  • the OP is just trying to scam you from some sats, faking a hack. Nowadays people are capable of anything for a few sats....
  • the OP is so stupid that clicked on a phishing link... in that case "you get what you fucking deserve".
reply

It's exactly the second one. I don't want or am asking for money from any stacker. I wrote because I needed to vent and to warn other, less experienced stackers to be five times more careful.

reply

sorry for the loss bro, Darth has no empathy

Oof, very sorry for you. This is why I use multiple wallets. One as my true safe wallet and one as a DMZ, so the only thing at risk is the transaction amount. Learned from painful lessons as well.

reply

I suggest you get a gun pardner.

Can protect you from bad things.

https://m.stacker.news/129683