Bitcoin Forum

Other => Beginners & Help => Topic started by: haimcn on July 07, 2013, 03:06:02 PM



Title: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 03:06:02 PM
Hi

I'm not that newbie, or at least I thought so, but I think I have been hacked and I wondered if someone can hint on how.

I used my account in blockchain.info for satoshidice gambling from address 16io8zfbhStqe9WVdHN3JLzc29D73okaoy.
On Saturday, 45 minutes after the last satoshidice transactions, an unknown transaction (https://blockchain.info/tx/c03c31067638033d8c75ad64ddc1dce1628a8d5ce10416f0d97890f5f3ab50a3) emptied my wallet.

First, I assume I have nothing to do with it and the coins were lost, correct?
Second, can anyone help me understand what happened? I used blockchain.info both on my computer and my Android smartphone.

Thanks, Haim


Title: Re: Have I been hacked? how?
Post by: Mutated btc on July 07, 2013, 03:44:10 PM
how many coins lost?


Title: Re: Have I been hacked? how?
Post by: Lohoris on July 07, 2013, 03:45:29 PM
Second, can anyone help me understand what happened? I used blockchain.info both on my computer and my Android smartphone.
Do you have a strong passphrase?

Did you contact blockchain.info's support?


Title: Re: Have I been hacked? how?
Post by: BurtW on July 07, 2013, 04:00:33 PM
I am interested in the change address.  Did they really clean you out but leave 0.0015629 in change on one of your addresses?

Is this one of your addresses?   https://blockchain.info/address/1GhrHe13nFhAHMJ5UZLJJN1uaGHF6n4hN8


Title: Re: Have I been hacked? how?
Post by: BurtW on July 07, 2013, 04:01:53 PM
how many coins lost?
1.22747917 BTC went to this interesting address:  https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 04:17:54 PM
Second, can anyone help me understand what happened? I used blockchain.info both on my computer and my Android smartphone.
Do you have a strong passphrase?

Did you contact blockchain.info's support?


Thanks for the reply.

Yes, I used strong passphrase but only single password...  :(
I contacted the support but haven't got response yet, I assume that they can do nothing about that.


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 04:19:11 PM
I am interested in the change address.  Did they really clean you out but leave 0.0015629 in change on one of your addresses?

Is this one of your addresses?   https://blockchain.info/address/1GhrHe13nFhAHMJ5UZLJJN1uaGHF6n4hN8

I agree the change is weird, it is not my address.


Title: Re: Have I been hacked? how?
Post by: ABitBack on July 07, 2013, 05:43:28 PM
Second, can anyone help me understand what happened? I used blockchain.info both on my computer and my Android smartphone.
Do you have a strong passphrase?

Did you contact blockchain.info's support?


Thanks for the reply.

Yes, I used strong passphrase but only single password...  :(
I contacted the support but haven't got response yet, I assume that they can do nothing about that.

You may have a key logger.


Title: Re: Have I been hacked? how?
Post by: BurtW on July 07, 2013, 06:22:52 PM
I am interested in the change address.  Did they really clean you out but leave 0.0015629 in change on one of your addresses?

Is this one of your addresses?   https://blockchain.info/address/1GhrHe13nFhAHMJ5UZLJJN1uaGHF6n4hN8

I agree the change is weird, it is not my address.
I hate to ask such a simple question but I do not know exactly how much of a noob you are (or are not).

If you go to the "Receive Money" tab in your blockchain.info wallet how many addresses are listed under each of the sub tabs "Active", "Archived" and "Shared"

Make sure you go through all three and see if either of the addresses in question are listed there (especially the change address)

Now more interesting questions:

Do you have any remaining balance in your wallet or did they take everything from all addresses in that wallet?
Are you using the web site directly or using a plug in (plug in is a bit safer)?
Are you using two factor authentication?
Are you using the web site only, android application only or a combination of the two?
Do you have any other wallets besides your blockchain.info wallet?
Do you use the password you use at blockchain.info at any other web site anywhere?



Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 06:35:03 PM
Thanks for the assistance.

If you go to the "Receive Money" tab in your blockchain.info wallet how many addresses are listed under each of the sub tabs "Active", "Archived" and "Shared"

Make sure you go through all three and see if either of the addresses in question are listed there (especially the change address)
I have only 3 active addresses, 2 of them never had coins, and all of them are empty

Now more interesting questions:

Do you have any remaining balance in your wallet or did they take everything from all addresses in that wallet?
Currently I have balance of 0.00.

Are you using the web site directly or using a plug in (plug in is a bit safer)?
I used the web interface, from Firefox and Chrome and from several computers...
Which raises the question of where is the keylogger, if this is the explanation...  ???

Are you using two factor authentication?
No, though, I guess it wouldn't help for keylogger.

Are you using the web site only, android application only or a combination of the two?
Both, the transaction in question happened after some usage of the Android app.

Do you have any other wallets besides your blockchain.info wallet?
I created few addresses on my computer when I played with the client, nothing alive or with coins.

Do you use the password you use at blockchain.info at any other web site anywhere?
Not on the web, I won't use it anymore...

Thanks.


Title: Re: Have I been hacked? how?
Post by: BurtW on July 07, 2013, 06:41:17 PM
Are you using the web site only, android application only or a combination of the two?
Both, the transaction in question happened after some usage of the Android app.

This line of thinking might be worth some checking.  The keylogger/thief/bad mojo may be on your phone.

I don't think it is the app but I have to ask, where did you get the app?

Assuming it is not the app itself can you check your phone for malware?

I still have to wonder, what the hell is up with the change?  Why is there change?  Where did it go?  Strange.  It is still sitting there.  I guess you can monitor that address for movement.


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 06:51:48 PM
I don't think it is the app but I have to ask, where did you get the app?

Assuming it is not the app itself can you check your phone for malware?

I still have to wonder, what the hell is up with the change?  Why is there change?  Where did it go?  Strange.  It is still sitting there.  I guess you can monitor that address for movement.
The app is the formal blockchain.info app, I think I got it from the Play Store.

I will try to look for malwares on the phone, will get some reading.

The change is a good question indeed.  :(
Although both payment still sit in the receiver accounts and I can track them, I don't really have what to do with it. This is the essence of Bitcoin, anonymity, isn't it?

I guess in the future, the network can develop a mechanism to mark "bad" address and then avoid taking payments from such address, today there is no such mechanism (I guess bigger thefts can be tracked and nothing can be done with them).


Title: Re: Have I been hacked? how?
Post by: Lohoris on July 07, 2013, 07:03:00 PM
I guess in the future, the network can develop a mechanism to mark "bad" address and then avoid taking payments from such address, today there is no such mechanism (I guess bigger thefts can be tracked and nothing can be done with them).
No, bitcoins are cash, there is no possible way to make such a thing work.


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 07:08:30 PM
I guess in the future, the network can develop a mechanism to mark "bad" address and then avoid taking payments from such address, today there is no such mechanism (I guess bigger thefts can be tracked and nothing can be done with them).
No, bitcoins are cash, there is no possible way to make such a thing work.

I disagree with this statement, though I'm aware of the fact that there are many problems with such approach - mainly, how do I prove that this is theft and not transaction I did.
Resolving these problems will make Bitcoin theft irrelevant and enable better security, and from feasibility point of view it is not hard at all.


Title: Re: Have I been hacked? how?
Post by: BurtW on July 07, 2013, 07:09:11 PM
Next question, where did you get your keypair?  In other words, did you generate the keypair externally and then import the private key or did blockchain.info generate the keypair (using javascript on your computer)?


Title: Re: Have I been hacked? how?
Post by: Lohoris on July 07, 2013, 07:17:39 PM
I guess in the future, the network can develop a mechanism to mark "bad" address and then avoid taking payments from such address, today there is no such mechanism (I guess bigger thefts can be tracked and nothing can be done with them).
No, bitcoins are cash, there is no possible way to make such a thing work.
I disagree with this statement, though I'm aware of the fact that there are many problems with such approach - mainly, how do I prove that this is theft and not transaction I did.
Resolving these problems will make Bitcoin theft irrelevant and enable better security, and from feasibility point of view it is not hard at all.
No, this cannot be solved, period.
Cash is cash is cash. Or it's not cash anymore.

If someone steals 1 dollar and then uses to pay a few apples at the groceries, you can't take that dollar from the grocery store, or the concept itself of cash is dead.
So, no tainted coins.


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 07:25:06 PM
I guess in the future, the network can develop a mechanism to mark "bad" address and then avoid taking payments from such address, today there is no such mechanism (I guess bigger thefts can be tracked and nothing can be done with them).
No, bitcoins are cash, there is no possible way to make such a thing work.
I disagree with this statement, though I'm aware of the fact that there are many problems with such approach - mainly, how do I prove that this is theft and not transaction I did.
Resolving these problems will make Bitcoin theft irrelevant and enable better security, and from feasibility point of view it is not hard at all.
No, this cannot be solved, period.
Cash is cash is cash. Or it's not cash anymore.

If someone steals 1 dollar and then uses to pay a few apples at the groceries, you can't take that dollar from the grocery store, or the concept itself of cash is dead.
So, no tainted coins.

Though, big money transfers are being done with marked bills, which gives the option to catch the thief.


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 07:26:09 PM
Next question, where did you get your keypair?  In other words, did you generate the keypair externally and then import the private key or did blockchain.info generate the keypair (using javascript on your computer)?
The keypair was generated in blockchain.info, I don't remember how (probably javascript)


Title: Re: Have I been hacked? how?
Post by: fxj on July 07, 2013, 07:29:13 PM
IF your computer was hacked, there are so many ways this could have happened. You can't expect to find out how by asking here on the forum. To stand a realistic chance of getting the answer, you'd have to let somebody in the know examine your computer.

Read up on best practices for computer security and BC security, re-install your OS, get a new start.


Title: Re: Have I been hacked? how?
Post by: Lohoris on July 07, 2013, 07:32:54 PM
Though, big money transfers are being done with marked bills, which gives the option to catch the thief.
You can catch the thief, but you can't confiscate them from a third party if he was uninvolved and just happened to be paid with one such bills.

And you can already try to do that with bitcoin: the ledger is public and you can look at the path that those coins will follow, eventually hitting a known address.
Which might or might not be related with the thief.
It likely won't.


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 07:38:39 PM
Though, big money transfers are being done with marked bills, which gives the option to catch the thief.
You can catch the thief, but you can't confiscate them from a third party if he was uninvolved and just happened to be paid with one such bills.

And you can already try to do that with bitcoin: the ledger is public and you can look at the path that those coins will follow, eventually hitting a known address.
Which might or might not be related with the thief.
It likely won't.

First, it is only an idea that I don't know how to resolve all the problems with it.

What I thought of is to block the address of the thief, that way he won't be able to pay anyone so there is no problem with confiscating money from uninvolved party.
Take the theft from MT.Gox, the addresses are known and the coins are untouched, so if miners will refuse to mine transactions from these addresses only the thief will be harmed, it won't get the coins back but it will reduce the incentive from stealing.
As I wrote before, now someone needs to find a way to prove that it is really a theft.


Title: Re: Have I been hacked? how?
Post by: Lohoris on July 07, 2013, 08:04:58 PM
First, it is only an idea that I don't know how to resolve all the problems with it.

What I thought of is to block the address of the thief, that way he won't be able to pay anyone so there is no problem with confiscating money from uninvolved party.
[...]
As I wrote before, now someone needs to find a way to prove that it is really a theft.
This makes no sense.
Again, cash is cash is cash.
If you appoint some "higher authority" to decide that some cash is no longer cash, the whole currency becomes worthless.

Again, this is not a problem that has yet to be solved, this is a problem that cannot be solved.
It is not a problem with no known solution, it is a problem which is known to have no solution.


Title: Re: Have I been hacked? how?
Post by: Mr.Dreamanonym on July 07, 2013, 08:05:07 PM
Hi

I'm not that newbie, or at least I thought so, but I think I have been hacked and I wondered if someone can hint on how.

I used my account in blockchain.info for satoshidice gambling from address 16io8zfbhStqe9WVdHN3JLzc29D73okaoy.
On Saturday, 45 minutes after the last satoshidice transactions, an unknown transaction (https://blockchain.info/tx/c03c31067638033d8c75ad64ddc1dce1628a8d5ce10416f0d97890f5f3ab50a3) emptied my wallet.

First, I assume I have nothing to do with it and the coins were lost, correct?
Second, can anyone help me understand what happened? I used blockchain.info both on my computer and my Android smartphone.

Thanks, Haim

What the fuck !


Title: Re: Have I been hacked? how?
Post by: Lohoris on July 07, 2013, 08:12:48 PM
That said, your coins are sitting here (https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj), and this is quite a strange address.
Created in March with two big (20, 24 BTC) transactions, fueled with some more strange transactions (with the same input address appearing multiple times in the same transaction), no outgoing transactions ever.

Also, I'm not sure how the blockchain.info taint analysis (https://blockchain.info/taint/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj) works, but I find it quite odd that your source address appears with a count of 108, instead of 1 as I would have expected.

Are you sure you have been robbed and you aren't trolling us all?
Anyone who knows how that taint analysis works care to shed some light?


Title: Re: Have I been hacked? how?
Post by: conspirosphere.tk on July 07, 2013, 08:18:27 PM
Maybe it is better to be careful with BTC on smartphones:
'Master key' to Android phones uncovered
http://www.bbc.co.uk/news/technology-23179522


Title: Re: Have I been hacked? how?
Post by: haimcn on July 07, 2013, 08:21:38 PM
Are you sure you have been robbed and you aren't trolling us all?
I wish!!
I don't really have what to gain by that...


Title: Re: Have I been hacked? how?
Post by: Pastelarts on July 07, 2013, 08:30:12 PM
Maybe it is better to be careful with BTC on smartphones:
'Master key' to Android phones uncovered
http://www.bbc.co.uk/news/technology-23179522

ARF !


Title: Re: Have I been hacked? how?
Post by: meekstav876 on July 07, 2013, 09:50:02 PM
I don't think you will get your coins returned.  :(


Title: Hacked too
Post by: xenog on August 05, 2013, 03:16:04 PM
My friend has an Android phone with Andreas Schildbach Android Wallet in it. Last night it sent all the bitcoins in the phone to that same Bitcoin address. We don't understand how it got hacked yet. We're investigating. This is the transaction:

https://blockchain.info/tx/211c135e58dc55bcce4c71dc02eae2dffc5a55387c29e8144bf1cd1e8878e52e


Title: Re: Have I been hacked? how?
Post by: 🏰 TradeFortress 🏰 on August 05, 2013, 03:35:02 PM
FYI, Inputs.io has much stronger security features. An attacker signing in from a remote location would need to also compromise your email and PIN which is very difficult to keylog.


Title: Re: Have I been hacked? how?
Post by: xenog on August 05, 2013, 04:16:47 PM
haimcn, was your wallet generated using the Android Blockchain.info app or was it generated from a regular PC using the web browser interface to Blockchain.info?


Title: Re: Have I been hacked? how?
Post by: johoe on August 08, 2013, 10:48:38 AM
Hello,

The problem is that the bitcoin application generates bad signatures, reusing random numbers. In this case this transaction was the culprit:

https://blockchain.info/de/tx/54ac98e2301b9c7fdab5cfe93907032cc1248f9d5995cee70f38e98ba93d2d7f

Can you confirm that the transaction (sending 0.02 BTC to 1DzUV...) was generated by the android app?  You should send a bug report to the author of the app you used to generate this transaction.  The problem is that it uses the same r-value b8e6c364b50eada68923eb07930b294411826e6068f0dcbe7514154881d75812 twice in the signature, which is enough to break the ECDSA signature scheme and reveal the public key (5HrE9sgmeWu6mW...). Everyone can break the key with this information.

This problem occurs more and more frequently in recent times.  Usually there is a transaction to the 1Hkywx.. address within a few hours after the bad transaction, so it seems someone has a script that monitors this problem. 

At the moment there are 147 exposed keys.  The recent ones usually have a lot of transactions before the problem occurs, so it seems to occur rarely, but it occurs several times a month (worldwide).

I hope this post sheds some light into the problem.
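
An audit for the condition johoe describes, as an added example that is not part of the original post or of any wallet's code: it parses the DER signatures from a wallet's own spends and flags any r value that appears with two different s values under the same key. The record layout, function names, labels and s values are constructed for illustration; the r value is the one quoted in the post.

```python
from collections import defaultdict

# Order of the secp256k1 group; (r, s) and (r, N - s) are the same signature
# in malleated form, so s is normalized before comparing.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def parse_der_signature(sig: bytes) -> tuple[int, int]:
    """Parse SEQUENCE{INTEGER r, INTEGER s} followed by one sighash byte."""
    if len(sig) < 9 or sig[0] != 0x30 or sig[1] & 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    end_body = 2 + sig[1]
    if end_body + 1 != len(sig):
        raise ValueError("length byte does not match signature size")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > end_body or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[pos + 1]
        nxt = pos + 2 + n
        if n == 0 or nxt > end_body:
            raise ValueError("bad INTEGER length")
        # Read as unsigned so a padded (00 b8...) and an unpadded (b8...)
        # encoding of the same r compare equal.
        values.append(int.from_bytes(sig[pos + 2:nxt], "big"))
        pos = nxt
    if pos != end_body:
        raise ValueError("trailing bytes inside SEQUENCE")
    return values[0], values[1]

def find_reused_r(records):
    """records: (label, pubkey, signature bytes), one per signed input.
    Returns {(pubkey, r): [labels]} where one r has more than one distinct s."""
    seen = defaultdict(dict)  # (pubkey, r) -> {normalized s: first label}
    for label, pubkey, sig in records:
        r, s = parse_der_signature(sig)
        seen[(pubkey, r)].setdefault(min(s, N - s), label)
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

# --- constructed sample data below (not real signatures) ---
def _der_int(v: int) -> bytes:
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:          # high bit set: DER needs a 0x00 pad byte
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw

def make_sig(r: int, s: int, sighash: int = 0x01) -> bytes:
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])

R_PAGE = 0xb8e6c364b50eada68923eb07930b294411826e6068f0dcbe7514154881d75812
PUB = "constructed-pubkey-1"
SAMPLE = [
    ("tx-A:0", PUB, make_sig(R_PAGE, 0x1111)),
    ("tx-A:1", PUB, make_sig(R_PAGE, 0x2222)),          # same r, new s: flagged
    ("tx-B:0", PUB, make_sig(0x1234ABCD, 0x3333)),
    ("tx-B:0-copy", PUB, make_sig(0x1234ABCD, N - 0x3333)),  # malleated copy
]

if __name__ == "__main__":
    for (pub, r), labels in find_reused_r(SAMPLE).items():
        print(f"key {pub}: r={r:064x} reused in {labels}; rotate this key")
```

Any key this reports should be treated as exposed and its funds moved to a freshly generated address.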


Title: Re: Have I been hacked? how?
Post by: johoe on August 08, 2013, 12:55:52 PM
@Xeno-Genesis

For you the bad transactions were
https://blockchain.info/tx/b6350f4339a59faf09bfc2a4086c2261598f46f257517ce53785145c964799bc
https://blockchain.info/tx/38fbb8a3ff718dd7c8006feb6aa9ed6add1772522781b0db95abb350a859220b

which use the same R-value in the signature.  It is strange that the same random number was generated in two transactions that are four days apart.  This doesn't fit the usual pattern. Which bitcoin client do you use?

The stealing transaction occurred less than five hours after the transaction that reused the R-value.



Title: Re: Have I been hacked? how?
Post by: Bitcoinnoob420 on August 08, 2013, 02:39:55 PM
This happened to me recently; they removed the funds from my gambling account.


Title: Re: Have I been hacked? how?
Post by: winter on August 08, 2013, 05:10:30 PM
crazy that it seems to be the android app


Title: Re: Have I been hacked? how?
Post by: BurtW on August 10, 2013, 03:09:03 PM
crazy that it seems to be the android app

So far 55.82152538 BTC have been taken (see https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj)

If what johoe says is true then this bug of every once in a while reusing the same random number may exist in both the blockchain.info android wallet and the Andreas Schildbach Android Wallet.

Perhaps they both use the same faulty random number generation library?  It would be very interesting to look at all the libraries used by both applications and focus on the crypto libraries used by both applications.

A third point of reference might be this:

This happened to me recently; they removed the funds from my gambling account.

Bitcoinnoob420:  please give us as many details as you can on your case.  Did the gambling client in question use the android phone?

johoe:  can you give us more details please?


Title: Re: Have I been hacked? how?
Post by: Mike Hearn on August 10, 2013, 06:52:49 PM
The version of Android you're on would also be useful.


Title: Re: Have I been hacked? how?
Post by: wrend on August 12, 2013, 12:12:39 AM
http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.

Updates for other wallet apps should be released shortly.

Some technical details of what exactly has gone wrong inside Android will be released once the upgrade process is reasonably complete. I will keep track of the upgrade status of each wallet app I know about in the post below.



Title: Re: Have I been hacked? how?
Post by: winter on August 19, 2013, 04:28:07 PM
Seems like it's at it again, 1.8 BTC was placed in that address

https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj


Title: Re: Have I been hacked? how?
Post by: Girzzzz on August 19, 2013, 07:50:05 PM
Blockchain keeps wallet keys on hard drive. Do you have any friends familiar with BTC with access to your computer? It is a moment to copy wallet.dat :)


Title: Re: Have I been hacked? how?
Post by: winter on August 19, 2013, 08:53:46 PM
This is nothing to do with me, I was just posting that the address got more money today


Title: Re: Have I been hacked? how?
Post by: tendemo on August 25, 2013, 07:25:04 PM
Sounds frightening but good for education purposes. Thanks for sharing.