Coinbase finally replied; they cancelled the transaction for the 1 BTC purchase, but since it was already sent out, looks like they're eating that purchase.  SOL on the other 3 BTC as figured.

They indicated the activity was through my API from IP 66.18.12.197 in Dallas, TX.  That's about all the information they had.

The Bitcoin Tradr app developer also replied, went through a whole series of explanations to defer blame from them, including:

• My two-week old laptop was compromised during shipping from Costco and malware inadvertently installed and that my attempts to identify malicious software would be met with an 80% failure rate and I'd likely not know if I was ever compromised; and/or
• Suggesting that it was a close friend/family member/someone I personally know that jacked me; and/or
• Coinbase has weak API security

I guess that pretty much closes the chapter on this ordeal (unless someone can trace an IP to a specific physical address/person in Dallas; flights are cheap  ). Life goes on: convert to paper if long, don't release the API key to anything for any reason, and Bitcoin Tradr and Coinbase are blacklisted forever.

Yeah - over dinner I tried to explain BTC to the wife and why it's not like the bank or PayPal that I can simply call and dispute the transaction.  After a few moments she asked why I wasn't totally pissed about losing $3k... I couldn't do anything but chuckle about it.  That's not to say I'm not pissed, but no use staying mad about it. This does mark the first time I've been jacked on a financial transaction via the internet - talk about crap timing.  I'm trying not to be discouraged about BTC, but I'm just sitting here scratching my head as to how I could've better protected myself.



You'd think - but assuming that access was obtained via API, then apparently there's a loophole there.  Again, I make that assumption because the network activity per their website shows nothing but just my IPs logging on since the account was created. I don't keep my Authy codes laying around (write them down, screenshots, etc.) so the only other access weakness could be the Android phone?  I wouldn't even know where to start.  That's another lesson learned I guess is never engage in BTC transactions via smartphone. Until Coinbase responds with more information, I don't have much to go on and it doesn't sound like the web app developer has any method to audit or recall transactions (or if they do, they haven't expressed any interest in doing so).

Bah...

Well, no response from Coinbase six hours later, but the app developer for Bitcoin Tradr did promptly reply.  They indicated that they've never had a user's account hacked and the API is never stored on their side unless a user opts-in (did I? I don't know... what would a user opt-in for anyways).

A whole host of questions were asked, and there was also the suggestion of a Windows 8.1 vulnerability (but did not expand upon that). The laptop I'm using with their app is literally a week old, brand new shipped from Costco, is hard-drive secured (for work purposes), in my home office, and my wife has no idea what a BTC is, so the transaction certainly wasn't initiated on my local machine or phone. 

Coinbase's website doesn't show any direct activity on their website or mobile site that I don't recognize, so the transaction appears to have occurred external to Coinbase, and the ONLY app to whom I've release my API key was mentioned above.  Barring any super-secret malware or keylogger that has yet to be detected, all signs point to my API key compromising my account, and likely through the app somehow.

I did manage to close the attached bank account and backup credit card that was verified for instant purchases, so Coinbase is going to eat the $900 transaction.   

Anyways, such is the beauty and curse of BTC.  Things I'll do differently next time: NEVER release my API key, and convert to paper if long on BTC.

Guess I'll wait for another bubble dip and buy back in.  I'd like to know who basically stole 4 BTC from me so I can swing by their place, shake their hand for being so slick then break their knees... 

Beginning of December I jumped into the BTC fray, started with 3 BTC.  I figured I was long on these and *should have* converted these to paper, but let them sit there for the time being.

I turned on 2-factor authentication with Authy, and I did turn on my API to run a Windows app (Bitcoin Tradr) so I could have a running ticker on my metro panel.  I completed all the verification steps with Coinbase so I could start instant purchases down the road. Also, I downloaded the COinbase app to my Android phone.

Fast forward a month... I'm out working in the yard this afternoon and my email alert goes off and my heart jumps into my throat: 3 BTC transfered to a unknown wallet and Coinbase shows a pending transaction for 1 BTC and that was already transferred out as well.  Rush to the laptop, no BTC in my account, one pending purchase, and a total of 4 BTC moved out.

Immediately remove my bank account and credit card info from Coinbase.  No transactions showing on their websites, but I'm sure something will hit in the next day or two - both the bank and the backup credit card said they cannot preemptively stop a EFT transaction, so... dispute as fraud when it hits?

About 2 hours ago, looks like a bunch of new wallets were created on my account, not sure why...

Disabled API key, changed password, email Coinbase - no response as of yet.

The receiving wallet is 18XmFQ6YCsJDbtBxvQcNgyUNwh8MkpoMv4 - what's weird is when I look at account activity my IP address is the only one listed.

So, where'd I go stupid (besides failing to convert to paper) - was it the Bitcoin Tradr app? Is there a weakness in Coinbase's API hosting?

I figure I'm SOL on at least the three coins, the fourth one is kindof up-in-the-air, Coinbase may have to eat that one. If anyone has any sage advice I'm all ears...