Bitcoin Forum

I installed Bitcoin-Qt on my iMac, put some bitcoins in it, and locked the wallet.

When I wanted to make a new address to send some bitcoins to an exchange, it asked me to unlock my wallet. I entered the key, and the wallet application locked up. I had to kill the task. When I started it up, it said my wallet was corrupted. I restored my wallet from a backup, and discovered that all of my bitcoins (over 3 coins  >:( ) had been transferred. They had been transferred to an address I've never used before. In fact, I've never transferred any bitcoins out of my wallet.

Well, the fact that I lost over $USD300 in coins is bad, but I'll chalk that up to experience. What I'd like to know is how it was done. I can only guess that my computer has been infected with malware that was waiting for me to unlock my wallet so it could do a transfer. Is this a known hack?

Thanks,

Random8, bitcoin n00b

damn

That's quite disturbing!

Glad it wasnt me  :o

If a program that wasn't running on my Mac could connect to Bitcoin-Qt, it might be able to steal the coins, but I don't know how someone from the Internet could do it. I checked my router, and its firewall is running, which should prevent anyone from connecting to the wallet app from the Internet.

Random8

Are you sure that your BTCs didn't get transferred to a change wallet?  Perhaps you want to post the public keys so we can track the transactions on blockchain?

Seems like a user error, doubt you were hacked.

Lizard,

Thanks for looking at this. The info for the transaction is:

    Date: 6/17/13 19:42
    To: 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx
    Debit: -3.17115309 BTC
    Net amount: -3.17115309 BTC
    Transaction ID: c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2

I notice that the address has been used once before.

Regards,

Random8

Did this totally clean out your wallet?  I noticed 0.01 BTC left on 1Gi9WcK7gVufFf3eZ5jjK6nWRbPRcigLtH in this transaction.  Strange they did not totally clean you out.

bongwater,

That would seem like the most likely scenario, especially given that I'm a bitcoin (although not a computer) n00b. But, I've never even tried to send bitcoins, only received them. I have to make a correction to my original post -- I was trying to create a new RECEIVE key, in order to receive coins from an exchange. That's why I thought I was hacked.

Random8

Yes, they kindly left 0.01 BTC in my wallet.

Random8

What address were the coins sent to?

bongwater,

They were sent to: 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx

The wallet transaction info is shown in another of my posts, above.

Random8

And, is it just coincidence that the address starts with 1HeAK? Sounds like "Hack"?

Random8

yea you prob are infected. that sucks.

What do you mean that you wanted to make a new address to send to an exchange?

Sorry, my mistake. I meant to say that I wanted to make a new address to receive coins from an exchange. I was converting LTC to BTC. When I tried to create the new receive address, it asked me for the wallet password. I entered it, and that's when the hack occurred.

Random8

Maybe you restored the wrong wallet.dat?

No, it was the most recent backup, about 30 minutes prior, from my Time Capsule. Verified by the last modification date on the wallet.dat file.

Random8

I think It is hard to be hacked. may be you make a mistake

I wish I was more knowledgeable, but at this point I'm afraid I can't offer you any advice.  It looks like you're SOL.  

I'd recommend trying to recover any of your other wallets using a clean system.  I wouldn't restore from your backup.  Perhaps you could use a clean USB thumb drive and an linux boot disk if you don't have a spare machine.  

In the future I'd only do btc work with a machine purely dedicated to BTC and nothing else.  Also for any sites you use I would recommend against using passwords you've used elsewhere.  Sorry you got burned.

It does seem unlikely that you were hacked on a mac, but I can't explain it.  If you get more coins you might try an offline storage solution:  https://bitcointalk.org/index.php?topic=235584.0

Your mac computer must be infected by virus.

And you should not use the old wallet any more.

The problem is that the 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx address his coins were sent to already had 6.2 BTC from May 23.  The OP said he only had 3 BTC to his name, so unless he forgot about an additional 6 BTC he purchased earlier then it doesn't look good for him.

I'm pretty sure that somebody else got my BTC, and that they are not lurking in my wallet.  Here are some suspicious-looking lines from the wallet's debug.log file. Note the 1HeAK... address in the log, also the c60852... transaction address. For reference, here's how the wallet shows the transaction details:
=============================
Date: 6/17/13 19:42
    To: 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx
    Debit: -3.17115309 BTC
    Net amount: -3.17115309 BTC
    Transaction ID: c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2
=============================debug.log excerpt:
NotifyKeyStoreStatusChanged
SelectCoins() best subset: 1.36 1.04 0.23 0.19 0.19 0.09 0.01017547 0.01000882 0.01 0.01 0.01 0.01 0.01 0.000168 0.0000752 0.0000736 0.00007 0.0000576 0.0000576 0.0000496 0.0000496 0.00004 0.00004 0.00004 0.00004 0.00004 0.0000272 0.0000256 0.0000256 0.0000216 0.00002 0.0000176 0.0000104 0.0000096 0.000006 0.000004 total 3.17115309
CommitTransaction:
CTransaction(hash=c60852ef78, ver=1, vin.size=36, vout.size=1, nLockTime=0)
    CTxIn(COutPoint(b9e681b76b, 552), scriptSig=30450220563e080d95a17264)
    CTxIn(COutPoint(1dd8186b9b, 36), scriptSig=3045022058f6a23cb1df5e93)
... (similar lines omitted)
    CTxIn(COutPoint(327470ddcf, 813), scriptSig=3046022100d8f12b8c7f8f2b)
    CTxOut(nValue=3.17115309, scriptPubKey=OP_DUP OP_HASH160 b6892d5dd8bd)
AddToWallet c60852ef78  new
WalletUpdateSpent found spent coin 0.000004bc b9e681b76b4e0a1f015b9b8e1dee7da504be83bd8214231eb3dc4ad3d769dae3
NotifyTransactionChanged b9e681b76b4e0a1f015b9b8e1dee7da504be83bd8214231eb3dc4ad3d769dae3 status=1
WalletUpdateSpent found spent coin 0.01017547bc c224e8734f10f85a502605eeff4525b6fb0648cfd9cd0b5842a40b3841de6854
NotifyTransactionChanged c224e8734f10f85a502605eeff4525b6fb0648cfd9cd0b5842a40b3841de6854 status=1
... (similar lines omitted)
WalletUpdateSpent found spent coin 0.00004bc 327470ddcf344fc9124fbc2158e4227c4c963d07353e66923eeea6c660c43ed9
NotifyTransactionChanged 327470ddcf344fc9124fbc2158e4227c4c963d07353e66923eeea6c660c43ed9 status=1
NotifyTransactionChanged c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2 status=0
... (similar lines omitted)
AddToWallet c60852ef78 
NotifyTransactionChanged c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2 status=1
CTxMemPool::accept() : accepted c60852ef78 (poolsz 760)
Relaying wtx c60852ef78
NotifyAddressBookChanged 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx  isMine=0 status=0
=========================

Is there any virus scanner on mac?

Where did you download the wallet client from?

Yes, which client are you using.  That might help.

Is 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx in your address book? 

Sorry, I don't remember. I do recall that it wasn't easy to find one for Mac OS X. I did not build it on my machine, but downloaded a binary. It's Bitcoin-Qt version v0.8.1-beta.

What could possibly go wrong when you download a binary from an untrusted source and run it on your computer? :o

Random8

ahhhh very good question.

Bitcoin-Qt version v0.8.1-beta.

It looks like the address book is stored in the wallet.dat file. Since my current wallet.dat file is one that was restored from before the theft, it doesn't show that address. I saved a copy of the hacked wallet.dat file before I did the restore, but it's corrupted, so the wallet client can't read it. I can't see any addresses in the corrupted file when I use the UNIX 'strings' tool on it, even though I see some of my legitimate addresses when I do 'strings' on the current, good wallet.dat file.

Random8

Please retrace the exact steps you did to find the Mac version of the client you downloaded (searches, sites visited etc.) and let us know if you can find the place you downloaded from again.

I can't think of anything that could have lead to a copy of my wallet.dat file getting out. The iMac that I'm using never leaves my desktop, my Wifi is secured with decent security, the wallet.dat only gets backed up to my Time Capsule.

I really appreciate the comments and suggestions by the more experienced members. I'm not going to be putting any more BTC in this wallet. I'm going to be much more security-conscious when I set up the next wallet.

One of the ways that I believe someone could have hacked it is by connecting to my wallet client via a socket. I ran a little Perl server that listens on port 8333, but nobody connected to it. Unfortunately, that was after I closed down all incoming ports on my router firewall (I had only ssh, http, and minecraft ports open, and they were not directed to my Mac), so that's not conclusive.

Random8

In firefox I can right click on my downloads and go to the page I downloaded it from -- does Safari (or whatever you used) have something like that? 

I'll try, using my browser history, but it's going to be a long slog.

Random8

I'm using Chrome, but unfortunately, I deleted the download file once I installed the wallet app.

Random8

Would be great if you could do a virus scan and find out the virus signature.

Once they got his wallet.dat they also had to set some kind of trap to get his password.  I believe they got the wallet.dat between 2013-05-28 and 2013-06-03 but were only able to get his password at 2013-06-18 00:35:46.

This is based on the fact they totally cleaned out the previous victim but left 0.01 in this wallet.

Good news of sorts:  only two victims so far  >:(

The also left exactly 0.01 for the previous victim here:  

https://blockchain.info/address/1FoNFsB6xgWnY1xFqAdZbteKhvW1HVGA5G

and it is still there.  The previous victim may not even know the BTC are missing yet (?)

The perils of virtual money :-/

so bad

PFFT - Macs are less secure than everything exactly because of this bad information that has been marketed by Apple. I do virus removals for a living. OSX is ~15% of the market right now (and that's being very kind) but more than 60% of the virus removals I do are on macs. Mac users are generally clueless about computer security because it's 'well known' that 'macs don't get viruses'. They always seem amazed and confused when I find and remove whatever infection they have.

My advice would be - get a real os (there's nothing wrong with mac hardware, you can run freeBSD or other linux on it just fine). Or if you don't want to bother learning about computer security - get a nice android device and keep your wallet on that.

At the very least - get some sort of security software on your mac and/or some help to track down the infection.

Security software seems much easier for the average user than changing their OS.

You said you restored wallet from a backup.

Does backup wallet was encrypted?
Does backup wallet was in a safe place?
Someone else can physically access your pc or not?

Granted - but the problem with all security software is... it doesn't catch new stuff... first the virus has to be documented and a definition distributed for it... before the AV software is able to prevent an infection.

Just an example:

In the past 6 months there's been a FBI virus going around - it took all of 2 weeks to get a good def written and now all major AVs block it. About a week after that, the makers changed the methods used and updated it say DOJ instead of FBI... that one took almost a month to define and about 2 weeks later they pushed a new version (changed DOJ to ICE). And there still isn't a good removal method for that one.

fbi - wasn't present in sm. infection was a rundll.exe loaded item in a temp folder - and had a shortcut in windows startup folder.
doj - is present in sm (and causes reboot to normal mode). also loading through a runonce entry. removal be booting to smcp and creating a temp admin user that could then be logged into to remove.
ice - present in sm (and blocks use), breaks the machines ability to boot into smcp, recovery console and system restore partitions. Only way is recovery console off a cd/dvd or pulling the drive and cleaning it on another machine.

All of these virus ask for moneypak in varying amounts and threaten arrest and prosecution for illegal activity (child porn) if the user doesn't 'pay the fine'

The big 3 AVs (yes there are only 3 legit av networks and they all shares defs with each other):

Norton: can catch FBI & DOJ but can't stop ICE.
Mcafee: can catch FBI but not ICE or DOJ.
Eset: active methods got FBI and DOJ. was able to remove FBI even without a def. Doj was a able to stop it from loading (but wasn't able to remove until defs came out). ICE still flys right by it tho.

~

my whole point is - there's lag time between when a new virus deploys and the AVs catch up. The only really secure way is via a USB bootable optical media with wallet already on it - or a handheld device that has never done and will never do anything else.

Where did you download bitcoin-qt from? I hope it was from this forum.

Sorry to hear Random8, but that sounds like the location where you got the bitcoin client from was compromised or not a legitimate application.

For reference to all the pro-Mac people, the firewall on Mac OS is disabled... by default.  Push your "Mac is very secure" antics elsewhere -> coming from someone that has been in the IT support industry (with Macs as well) for the past 12 years.

suprising that it would be on a mac and also I dont understand why a wallet nneds to be installed on a system? is it generally more secure or what.

Yeah... so much more fraud and theft than with the traditional currencies.   ::)

Any other bitcoin related applications you have installed? I imagine its quite easy for an app to enable the bitcoind api and then hammer sendbitcoins request over the api until the user unlocks the wallet (which is a security flaw of you ask me. )

Sorry for your loss

Only what happens when you get a hardware error? Can you make a backup with those?

BIP 32 and a key phase, that you write down and lock in vault.

The most reasonable answer is a compromised client - the source is freely avaılable so not too hard to simply adjust code to send to a predefined address after some threshold, compile it for mac and then release it for download.

İ would download the client from a trusted source and compare at least file sizes and/or signatures if they are available. Decompiling and looking at source would also be interesting - maybe the address is hardcoded that would make the compromised parts easy to find.

Can you compare the checksum or hash of your downloaded client to the official one?

Yep, I can do that, as soon as I find an official version that's the same as mine. I'll let you guys know what I find out.

Random8

Did you store your private key on your mac? Private keys should be kept in cold storage (ie: offline computers). Perhaps a hacker found your private key.

Did your coins show up yet

Did you experiment with any other cryptocurrencies maybe one of them had a keylogger attached to it (or anything you've download lately) I don't know how vulnerable Macs are to website scripts (probably not very) but windows freely accepts virus attacks from tricky java codes if you're not careful.

I'm sorry for your loss of bitcoin

I wish you the best of luck in getting your bitcoins back

is it possible to get one's bitcoins back after they have been stollen? The whole system is built to be anonymous and has no centralization so there's no way to put insurance on the bitcoins is there?  ??? I would think once it's gone it's gone.

No way to get them back unless the thief gives them back.

Basically once they are gone they are gone.

I appreciate you are trying to help (or just get your post count up) but FYI when you install a client on your computer all your private keys are kept in the wallet.  That is the way it works.  Your question does not make any sense.  Your statement "Private keys should be kept in cold storage" also makes no sense.

What do you mean "show up"?  Show up from where?  We all know exactly where all 3.17115309 of his coins went. They are here:  

https://blockchain.info/address/1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx

consider it as a tip... loll

joking aside.. sorry about it...

Hope you get them back!