My complaint:
I am writing regarding a serious security breach on my Gate.io account, resulting in an unauthorized withdrawal of $14,400 in USDT on June 5, 2025, at approximately 20:09. Despite your platform’s multi-layered security measures—including password, email PIN, SMS PIN, Google Authenticator, and facial recognition for unknown wallet withdrawals—the hacker bypassed Howell executed this theft, bypassing critical safeguards. I demand a thorough investigation into how this was possible, particularly the apparent failure of the facial recognition feature, and immediate action to assist in recovering my funds.
Details of the Incident:
My account was compromised, and the hacker accessed my Gmail and Google Authenticator, likely via session cookie theft, allowing them to intercept email and SMS PINs. The final SMS PIN was entered into a fraudulent on my laptop, which I believe was a man-in-the-middle attack.
The USDT was transferred to address 0xd3fa2f07abdcded869417a1bd2f16c6e6cd26d68 (TxID: 0x509e5a24cfc2b2d5719410e47568489cf2a313f84358a7dd9dceaf8b4628e2ae) and subsequently moved to other addresses (e.g., 0xf833afa46fcd100e62365a0fdb0734b7c4537811).
Critically, your facial recognition feature for unknown wallet withdrawals failed to activate, allowing the hacker to transfer funds without verification. Additionally, your platform typically logs users out after three days of inactivity, yet my session remained active for five days, enabling the hacker to exploit it. This suggests a failure in your session timeout mechanism.
Concerns and Demands:
Facial Recognition Failure: Your platform’s facial recognition feature is designed to prevent unauthorized withdrawals to unknown addresses. How was this bypassed? Was there a system misconfiguration, or was the feature disabled without my knowledge? I expect a detailed explanation.
Session Timeout Issue: Gate.io’s standard policy is to log users out after three days, but my session was active for five days, allowing the hacker to access my account. Why did this occur, and what measures are in place to prevent such lapses?
Fund Recovery: I request immediate assistance in tracing and recovering the stolen USDT. The transaction details provided above should aid your investigation, and I expect collaboration with blockchain analysis services to track the funds to addresses like 0xf833afa46fcd100e62365a0fdb0734b7c4537811.
Security Improvements: I urge Gate.io to review and strengthen its security protocols, including session management and facial recognition, to prevent future incidents.
This breach has caused significant financial loss and distress, and I am deeply concerned about the apparent vulnerabilities in your platform’s security. I expect a and detailed response within 48 hours, including a full report on the investigation, steps taken to address the facial recognition and session timeout failures, and progress on fund recovery. If necessary, I am prepared to escalate this matter to regulatory authorities.
Thank you for your immediate attention. Please provide updates via this ticket or directly to my email.
Suggested solution:
still not much help
