Mysterium is insecure

Several months ago I downloaded the Mysterium dVPN app for my machine and used it as a general-purpose VPN, mostly for getting around region locks on specific content for places like Netflix and YouTube. However, once I made the transition to finances being handled through the protocol, things took a bad turn.

I was the victim of a MITM attack sometime in early February, and as a result had around $5000 in XRP fraudulently transferred to the attacker's address.

Throughout my process of seeking recourse/recovery of the assets I have reached out to the team multiple times, only to be stonewalled and given bog-standard customer service replies, with little to no help in retrieving data from that day or really anything that I could use in investigating and reporting this theft to the proper authorities.

What frustrates me the most is the fact that this MITM problem has been reported before on different subreddits, and the devs obviously haven’t fixed the problem within their protocol, otherwise this wouldn’t have happened. The accounts compromised were only the ones I used while connected to Mysterium. No words or phrases were used in either the username or the password so a dictionary attack is out of the question. The only weak link in my security practice was this network. I have contacted all other parties involved in this mess, and have narrowed it down to being Mysterium as the sole reason for someone having stolen $5000 from me. I will never be using this project ever again, and will be telling everyone I know to stay as far away from it.

To pass their service off as completely secure is an exaggeration at best, and a straight-up lie at worst.

Since you are making some pretty serious claims (and I have not read about this MITM issue before), I would be interested in hearing what the specifics of your situation were. For example: was this on an exchange?

As you may be aware, a VPN (decentralized or not) should never be assumed to be safe and should be backed up by server->client encryption such as HTTPS, or other data encryption protocols. Now I’m not sure what your situation is, but as a message to all users of any VPN: a VPN is not intended as a data encryption protocol between a website and you!

I really doubt that the VPN has anything to do with this. Could you give us more info on how this happened?

Did they log into your account and then somehow bypass the 2FA?

Usually when you make a crypto transfer, they require you to verify via a password or clicking on a link sent by email. Did that web site not have these standard protocols implemented?

Hi, we’re sorry that you went through this. The team has been meeting to investigate how this could have happened and what the possible ways you were compromised are.

I see from your other comments that you think this was a spoofing case. Binance has also provided guidance on how to avoid these kinds of traps - https://www.binance.com/en/support/faq/360001556551

And a similar case here - https://www.reddit.com/r/CryptoCurrency/comments/7qgr90/binance_phishing_website/

We located the provider address you gave us and said you were connected to at the time, but they don’t appear to have any sessions on our testnet… Can you please send an email to [email protected] and we can work together to solve this?

For example, we need information like the browser you used, whether you used secure websites with an SSL certificate, and whether you received alerts warning you that the exchange page wasn’t HTTPS secured when you tried to access it. Maybe you have browsing history enabled and can check what you visited on those dates?

We need all these details to find out what “weak link” may have exposed your browsing.

With Mysterium, the WireGuard protocol is used as the main VPN tunnel solution. It ensures fast and secure communication between you and the provider. Everything that is transferred through this protocol is encrypted. When your data leaves the VPN provider it’s encrypted with the symmetric keys that are used underneath the HTTPS protocol used on the website. However, if plain HTTP is used, this data can be read by anyone after it exits the VPN.

You should always behave in the same manner in terms of secure habits even when using a VPN: i.e. check the SSL certificates of the websites where you enter data, and carefully check the URLs you open.

Some more info about the types of certificates: DV (Domain Validation), OV (Organisation Validation) and EV (Extended Validation).

DV is less secure in terms of how easily you can get it. For example, it can even be obtained automatically with Let’s Encrypt, so don’t expect this one to be appearing on more or less secure portals.

OV is a bit better as a certificate in terms of signing, but the CA does not investigate the organization making the application as deeply as it should. The CA just contacts the organization it authenticates, and that’s it. Also, the CA validates the ownership of the domain as in the DV case, but this can be easily faked.

EV in this sense is a much more extensive process. Any serious organization should use EV validated certificates, especially in areas where payment card data or any crypto credentials can be entered.

As you see, when browsing it’s really important to “behave” securely and always watch the markers that browsers provide: SSL or not, and what validation type the certificate passed.
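The advice above ("carefully check the URLs you open") is where a spoofed exchange site is caught or missed. As an added example (not Mysterium's or Binance's code, and not part of the original thread), the script below checks a URL against a small allowlist of exchange domains and flags the three common spoof patterns: the trusted name embedded as a subdomain of an attacker's domain, a homograph built from accented or Cyrillic lookalike letters (including the xn-- punycode form a browser may show), and a one-character typosquat. The allowlist, the confusable table and the two-label "registrable domain" rule are constructed simplifications for illustration; a production checker would use the public suffix list and the full Unicode confusables data (UTS #39).

```python
"""Spoofed-URL check against a small allowlist of exchange domains.

Added example, not Mysterium's or Binance's code.  The allowlist and the
confusable table below are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the exact registrable domains the user means to visit.
TRUSTED_DOMAINS = {"binance.com"}

# Constructed subset of confusables: characters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u0456": "i",  # Cyrillic byelorussian-ukrainian i
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0455": "s",  # Cyrillic dze
    "\u0445": "x",  # Cyrillic ha
    "\u03bf": "o",  # Greek omicron
    "\u0131": "i",  # Latin dotless i
    "0": "o",       # digit zero vs letter o
    "1": "l",       # digit one vs letter l
}


def to_unicode_host(host):
    """Decode an ACE (xn--) host name to Unicode so lookalikes can be compared."""
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host  # malformed punycode: fall back to the raw ACE form
    return host


def skeleton(name):
    """Reduce a host name to what a reader sees: strip accents, map confusables."""
    decomposed = unicodedata.normalize("NFKD", name.lower())
    out = []
    for ch in decomposed:
        if unicodedata.combining(ch):
            continue  # drop diacritics, e.g. the grave accent in "b\u00ecnance"
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def registrable_domain(host):
    """Last two labels of the host.  Assumption for the example: ignores
    multi-part public suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats like binanse.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason); verdict is 'ok', 'warn', 'spoof' or 'unknown'."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return "unknown", "no host in URL"
    host = to_unicode_host(host.lower())
    domain = registrable_domain(host)

    if domain in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            return "warn", "trusted domain over plain HTTP: a VPN exit node can read or alter it"
        return "ok", "exact match for %s over HTTPS" % domain

    seen = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if seen == trusted:
            return "spoof", "homograph of %s (%s)" % (trusted, host)
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "spoof", "%s embedded as a subdomain of %s" % (trusted, domain)
        t_label, _, t_tld = trusted.rpartition(".")
        s_label, _, s_tld = seen.rpartition(".")
        if s_tld == t_tld and edit_distance(s_label, t_label) == 1:
            return "spoof", "typosquat of %s (%s)" % (trusted, domain)
    return "unknown", "%s is not on the allowlist" % domain


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalike patterns discussed above.
    for sample in ("https://www.binance.com/en/trade",
                   "http://binance.com/",
                   "https://binance.com.verify-account.xyz/login",
                   "https://b\u0456nance.com/",
                   "https://binanse.com/"):
        print(sample, "->", classify_url(sample))
```

Note that the "ok" verdict only means the host is the one you intended and the page is served over HTTPS; it says nothing about the certificate's validation level (DV/OV/EV), which you still read from the browser's certificate viewer.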

You still need to use protocols like HTTPS to avoid MITM attacks. A VPN cannot stop this if you do not use services over HTTPS and so this doesn’t seem to be a Mysterium issue. If you can provide more details about the service you were using when this happened then we can narrow down the problem.

You would still have suffered this attack if you were using other VPNs, like NordVPN, ExpressVPN etc.

EDIT: There is also no claim that mysterium is “completely secure”.

kind of a misleading thread

Also, here’s a post on the ethereum subreddit about mysterium and its shortcomings.

https://www.reddit.com/r/ethereum/comments/6eznfj/my_thoughts_on_mysterium_network_and_how_its_a/

I ALWAYS use HTTPS. It’s enabled by default on Binance’s site as well.

They didn’t break into the Binance account; they spoofed Binance’s site and gave me false deposit address information.

I sent you guys an email already. I also talked with Andzej about two months ago and have yet to get any really useful information regarding this issue.

No, Binance always uses HTTPS so it wasn’t that.

Well a node operator cannot see data that is wrapped within HTTPS so it must be something else in your pipeline or workflow. Are you 100% sure it was a MITM attack? There are many other ways someone could have stolen your funds.

I can absolutely confirm that it was a website spoofing. I talked to Binance and they have no record of the account I created ever existing on their platform.

Wait, I thought you said it was a MITM attack. Did you actually visit a site that you thought was binance, but actually wasn’t, and transferred your XRP there?

How is this MITM and not phishing?

The web address read as Binance.com, but technically speaking yes that is what happened.

then how is that an MITM attack?