Bitcoin Forum

Hello all,

So for a while I had been away and came back to find a wallet emptied. You can see how quickly it happened here:
http://106.187.103.143/address/1LNFx7QQkpmam9jLjpyd52QqiVfahix9gQ

I move some Bitcoin in. 20 minutes later is off to Germany (I assume a VPN, etc.). I see it then splits off to a bunch of wallets. I then see it goes on a bit of a journey of fragmentation.

OK, I am no fool. It is lost. However, is there any way for me to at least understand the nature of such an attack. To your eyes is this some lone wolf or something more sophisticated.

Frankly I think this means I am done with Bitcoin. I've been super safe for years, but then in 20 minutes someone manages to relieve me of roughly 500e in Bitcoin.

I use electrum.

The computer with your private key is compromised. Period.

If you are not using offline wallet function of Electrum, you are not super safe.

Cheers, I expected as much. Ugh. But yes, it is the only way they could do it right? They would not even have needed the private key, but simple a RAT to execute the transaction. Lesson learned.

Windows / Mac / or Linux ?

ohh...sad for your loss..

recently heard a guy hacked a members account just chatting with him on Skype and a man writing something secretly in arabic about selling databases..i dont know what the hell is going..i will suggest you to keep all the amount of btc in deep-freezer and hide your private key very secretely.

thank you.

Windows 8 machine hence the small amount on there. I don't consider it a major loss and granting it's a Windows machine am hardly surprised. I'll do a few scans and then clean install. The former I am just curious about. There's no especial time when I've been not careful even on this machine.

I do normally. This is the money I just like to have on my Windows wallet for general use. I don't keep anything substantial on the same machine.

nothing suspicious among the process on the task manager? some unknown folder in the local or %appdata% path?

what netstat -on say? you should have checked those before formatting

but it could always be a hidden rat or rootkit or something else

Was your Electrum encrypted? Portable or standalone version? Are you sure this 14HXNqSefPtNfDyHtfeMv1Hngx3W5JfgW6 is not a change address?

Do you have Teamviewer on your machine by any chance?

What antivirus software and firewall are you using, and are you using the firewall's default settings or your own custom settings?

Some firewalls aren't much good unless you use your own extremely strict custom settings. Windows built in firewall is almost useless.

Nothing suspicious though I'm doing a bit of a hunt now (I have no reformatted yet as there is now nothing on the machine worths stealing).

I'm going through everything now to see what may about rootkits.

Encrypted yes, albeit with a password only for it, I am not sure about it being a change address. It looks from the blockchain like a deliberate move of Bitcoin movement from someone and I do not use a German VPN.

No Teamviewer though I may come back to you all on that.

It's about as locked down as a Windows machine can get so they were determined or were waiting a while to get me.

Actually this change address could be a possibility. Let me check. Need to be careful here.

OK, yes, so I guess my security is better than expected. The 1BTC I must have spent. The change address wallet still has it's amount. I just need to do the boring recovery part now. Thanks all.

What does your Electrum balance says? Bottom left. Also the transaction is first relayed by German IP, but that does not mean this is the person who took it.

Did you send 1BTC before all that happened?

Glad everything worked out! It's not boring, nor recovery. They are still safe in the change address, if you want them out of it, just send them to another.

You can disable change addresses from options if you don't want to be confused in the future.

Checking now. It's possible someone has stolen the private key. And yes, I believe now I must have. I reviewed my records and sent 1 BTC to Bitfinex on that day. Just trying out the change wallet address now. Still awaiting regeneration from seed.

Thanks. I am positive it was an error on my part. Fixable hopefully!

Hacked by confusion. So nothing is lost after all?

I would still make a new private key with a new password just to be safe. Would suck If it was compromised after all..

So you paid 500e to learn that your machine is compromised. Not a bad deal if you could afford it.

you can use a hardware wallet in the future for better security:

https://bitcointalk.org/index.php?topic=899253.0

I don't think it was lost - sounds like OP has the money but its in a changeaddress that isn't being shown by electrum.  curious to know if he got it resolved!  I think he did and moved on without updating the post.

So it was finally hacked or did you send it to another address?

Hello all, machine is not comprised. I'm in a change address situation and trying to restore. The Bitcoin is there. I simply need to work out how to get it back. Seed is not working. It's in 'stasis' for now.

So you dont see the coins in your electrum balance? How can it be possible that your funds were sent to a changeaddress that doesnt show up in electrum. Its the first time i read something like that?  :o

Electrum not even has a blockchain that could be compromised.

Anyone?

Go to the Address tab in Electrum.  Open the Change and Receiving lists.   Ignore the (closed) Used entries.  You should see all your coins.  If you do, you don't need to do anything, everything is working as expected.

Also if it shows in the "Balance" field in the Status bar, it is there, you don't need to do anything.  The wallet is still controlling the coins and will send them when you want to send them.

To be honest it just sounds like you got confused and assumed the worst.  I don't think you need to "Restore" anything.  And if you do restore, it will be in the same state, so won't relieve your confusion.  You just need to understand what you're looking at.

Why in the fucks of fucks of fucks do people still keep doing shit online and wonder how they got hacked.


Where is buddy that keeps going on about anti viruis is enough and we are all skizo mental cases... 

THIS right here is why you have to be anal about your wealth.....


If your passphrase has EVER EVER EVER been typed online it's useless that is what it comes down too.

DID
YOU
TYPE
YOUR
PASSPHASE
WHILE
ONLINE?

If so it is comprimsed no quesitons.

so did you lose your bitcoin at the end or what, i am confused, was the electrum wallet compromised?
 i am confused even if the bitcoin was sent in change address the total amount is going to be correct and that is what is shown at the bottom of the window

Yes, but he maybe did not see it or something.

Regarding the claim that the transaction originated from germany, the "relayed by IP" refers to the node that first picked that transaction up and relayed to the other nodes in the network. The person can be from another side of the world.
OP should first wipe his computer clean. A new password isn't that important. If it is a non-physical attack, the password wouldn't matter since the attacker can't get the encrypted private key in the first place. No use anyway. If you are using a wallet which generates private key based on your password... You should stop. Consider this as an expensive lesson learnt, don't install suspicious programs and don't go to suspicious websites.

There are a dozen methods to safekeep your btc with a lot of resources on best practices online.

Most important rule:

If you have enough btc to warrant it, then get a dedicated device to manage it, and store your priv keys offline.

When I originally looked at the transaction he provided, it seemed to show sending 1btc to bitfinex.com and the rest to a change address.
I thought it was unusual for a hacker sophisticated enough to pull this job over (some RAT or etc) but not really cover their tracks.

Hopefully OP didn't lose that change address privatekey some how.

I've looked. Fairly sure it's a lost public key. As I do not keep my keys in the same place it got lost somewhere in the ether. The coins are fine, but I cannot access them. So just a ye olde be cautious how you store your keys story. I take care of my Bitcoin, but this one is just an old fashioned fuck up on my part.

I don't consider it a major loss. It was not a hack. Just dumb on my part. Maybe a good time for everyone to have a look and make sure everything is in order. Nothing I can do, but all my own idiocy.

I am a little confused, if the change address belong to the same wallet in your electrum from which you sent the funds to bitfinex or wherever then you should control the funds in that change address, have you tried "send from" just right click on the address and select send from and send the money 'to' the address you are sure of that you control.

If not, export the keys and it should contain the private key of the change address as well. I think you should move this thread to electrum, someone might know a way to get hold of your funds.

Hey if you're still looking for a solution and don't won't to wipe your computer, then download zonealarm (http://www.zonealarm.com), it's a very powerful. I've been ratted and infected many times over during my MMORPG gamer days, after trying out a combination of firewalls and antivirus, i found that the overpowered Jagex approved tool was capable of mitigating 99% of these attacks. Either this or use AVG (http://free.avg.com/) to try find and quarantine programs with suspicious characteristics.

Solutions like this will not work in all cases. Many malware are capable of being stealth and many can't be detected. Other than that, OP's problem has already been solved.

I wasn't aware OP's problem has been solved, but I'm aware that some malware are capable of being stealth or having polymorphic abilities, which is why I recommend AVG as an alternative. In my days of programming I haven't met a software capable of penetrating the security implementations provided by zonealarm.