Sorry to hear this. P2P exchanges have a fundamental UX problem: the security model is invisible to users until it fails.

A few things worth understanding about what likely happened, and what others can learn:

Account compromise during an active trade is the worst possible timing. If the attacker gained access while an escrow was in progress, they could have released the bitcoin to themselves (or an accomplice's address) by manipulating the trade flow. HodlHodl's multisig escrow uses 2-of-3 keys — the buyer, seller, and HodlHodl each hold one. If an attacker controls your account, they control your key.

"Good reputation" on the counterparty doesn't rule out social engineering. Reputation systems on P2P exchanges are gameable — an attacker can build reputation on small trades then strike on a large one. Or the "good reputation" counterparty is legitimate, and the attack came from a completely separate vector (session hijack, email compromise, SIM swap enabling 2FA bypass).

Practical steps right now:

  1. Contact HodlHodl support via every channel (email, Telegram, Twitter). Be specific about trade IDs and timestamps.
  2. If you can identify the receiving address, post it. Chain analysis can sometimes trace funds through exchanges where KYC applies.
  3. Check if your email account was compromised — that's the most common entry point. Change passwords on everything, enable hardware key 2FA (not SMS).

The broader lesson for everyone: never have an active P2P trade open from a device you also use for general browsing. Dedicated device or at minimum a separate browser profile with no extensions.