Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: Valerian77 on December 05, 2018, 10:32:11 PM



Title: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 05, 2018, 10:32:11 PM
Yesterday, in the very early hours of the morning of Dec 4th, I was hacked and completely robbed. A total of 1 Mio USD in different coins has been stolen from my system. I am still pissed off at my own shitty security. But things happened and I cannot go back in time.

Here is the list of coins and transactions of the robbery:

Date/Time        Currency  Amount      Reference to Blockchain explorer  Destination address
04.12.18 00:31   DASH      9000        https://tinyurl.com/y8fpvxln      Xom6WhRTiAZhtiMzMQXCS4Aew1PB3v62Tb
04.12.18 00:36   BCH       613,291     https://tinyurl.com/yd2y3wdr      Qpx5pyy9catx7sluuyzqr03fw3c93ahwms2qfhnznx
04.12.18 01:12   BTC       2           https://tinyurl.com/ybnrmvfq      1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP
04.12.18 01:20   BTC       1,7         https://tinyurl.com/y8s4c7kc      1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP
04.12.18 01:30   NEM       264992      https://tinyurl.com/ycr35va3      NBLI5G-ONLML2-5RY666-BQL2QS-IIMCJT-EUT5PJ-R7MF
04.12.18 02:14   BURST     7643993     https://tinyurl.com/yat7pjna      BURST-2WVC-EJXY-TMMW-2SQRW
04.12.18 12:42   BTC       1,840       https://tinyurl.com/ycknktjx      bc1qy8ypdjjqkh663j83k4zlv8cxw8nte08m042nxf
04.12.18 12:44   OmiseGo   2329,436    https://tinyurl.com/y9tuss5q      0xd26114cd6ee289accf82350c8d8487fedb8a0c07
04.12.18 12:45   LTC       117,602     https://tinyurl.com/y895dtvs      LhpfUpX32CTyd8MekNJkdXAX9BZYUzHNtW
04.12.18 12:48   BCH       5,899       https://tinyurl.com/ydctqokv      Qzhpt232rhktu2zzll55cf4vthyya8mtw5nsg9auu9
04.12.18 12:48   DASH      4,929       https://tinyurl.com/ya23s6y9      XerirSmDu9YjbdG641uNsg5tmnb2twvrgE

I wish I had never had this experience in my life - but I cannot turn the clock back. If anybody has a good idea how to track down the thief, the reward will be 10% of the recovered sum or a minimum of 10,000 USD in case of success.

There is one more piece of information - the thief also tried to corrupt my Gmail account and Google gave me this information:

   Time:    Yesterday, 03:10
   Location:    Lithuania
   IP address:    46.166.160.158

It can be checked here:     https://tinyurl.com/y782ufvu

I am desperately looking for any kind of help or ideas on how to go on with this case.

Thank you for any help


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Harkorede on December 05, 2018, 10:49:53 PM
OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate on where the coins were held: is it a multi-wallet (if yes, which wallet?), how did it happen, or what do you think could have happened? A malware installation, a phishing site, or anything more specific.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 05, 2018, 11:11:17 PM
OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate on where the coins were held: is it a multi-wallet (if yes, which wallet?), how did it happen, or what do you think could have happened? A malware installation, a phishing site, or anything more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency   Place
DASH      Qt-Wallet on Laptop
BCH      ElectronCash on Laptop
BTC      Binance.com
BTC      Kraken.com
NEM      Simplewallet on Laptop
BURST   Desktop wallet on Laptop
BTC      Exodus wallet on Laptop
OmiseGo   Exodus wallet on Laptop
LTC      Exodus wallet on Laptop
BCH      Exodus wallet on Laptop
DASH      Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum versions for their blockchains.
I used the same long password for different things - especially, my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I had tested beforehand with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - one of the wallets, most likely BCD, captured my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, using the same password many times, storing 2FA codes in password safes or testing new software on a vulnerable system)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: DaCryptoRaccoon on December 05, 2018, 11:14:19 PM
Very sorry to read.

Do you know how the funds were compromised?
Do you have malware on your system?

NPM has recently been compromised and coin-stealing malware was found in packages from NPM. Do you use NPM?

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

edit* no need, didn't see you were using Windows..

I am not sure there is much that can be done; you could contact exchanges and make them aware of the stolen coins to see if they show up on any exchange.
I would also keep the system offline; if the attackers have access they could attempt to wipe their tracks if the machine is connected again.

You could also run Wireshark to see if there are any strange packets or connections that might help, though it may not be advisable to download anything onto the machine if you are reporting it to the authorities.
They may ask you to preserve it as evidence.

Edit*  If you think it was a keylogger there may be some traces of where it sent the logs to.





Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: hubballi on December 05, 2018, 11:19:10 PM
OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate on where the coins were held: is it a multi-wallet (if yes, which wallet?), how did it happen, or what do you think could have happened? A malware installation, a phishing site, or anything more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency   Place
DASH      Qt-Wallet on Laptop
BCH      ElectronCash on Laptop
BTC      Binance.com
BTC      Kraken.com
NEM      Simplewallet on Laptop
BURST   Desktop wallet on Laptop
BTC      Exodus wallet on Laptop
OmiseGo   Exodus wallet on Laptop
LTC      Exodus wallet on Laptop
BCH      Exodus wallet on Laptop
DASH      Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum versions for their blockchains.
I used the same long password for different things - especially, my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I had tested beforehand with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - one of the wallets, most likely BCD, captured my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, using the same password many times, storing 2FA codes in password safes or testing new software on a vulnerable system)

In your comment itself you have told how you got robbed. This mainly happens when claiming hard-fork coins; before this, a lot of users also got hacked because of it. Your first fault was that you were using the same computer for surfing and for saving all your important wallets and documents. The second fault was using the same password everywhere; this made it an easy job for the hacker to hack all your wallets and other online places.

But you are saying that your Binance and Kraken exchange accounts also got hacked; on both exchanges you should have enabled 2FA security, so how did he hack them?

If you had not enabled 2FA then it is really very bad that you were so careless with your security features, which caused you such a big loss. This is really a very costly lesson for you in being careless with your security features.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 05, 2018, 11:46:44 PM
But you are saying that your Binance and Kraken exchange accounts also got hacked; on both exchanges you should have enabled 2FA security, so how did he hack them?

If you had not enabled 2FA then it is really very bad that you were so careless with your security features, which caused you such a big loss. This is really a very costly lesson for you in being careless with your security features.

Binance and Kraken were easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid.

Google was the only company which detected abnormal behaviour patterns and disabled the account very quickly - I was able to unlock it with a trusted telephone device. Kraken set up a new withdrawal address (the one I listed above) on command from the hacker - but disabled the account after I sent them my report on the hack, after I had already changed the pw and 2FA. Binance basically has not even replied to my report so far. I changed passwords and 2FA codes for all accounts and need to set new passwords for a list of 100 or so services.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: jackg on December 06, 2018, 12:44:03 AM
Can you edit your OP and not include URL shorteners? It's not a great idea to use them, especially if you've just said your computer has been compromised.

I think you should probably try to reevaluate what you have been using that computer for recently. Clearly something has got onto it somehow, and one million US dollars is quite a sum to lose. I'd suggest you consider getting an airgapped wallet; $2000 on two computers isn't a very big amount to keep your security high, by making one airgapped and encrypting it as much as possible.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bitarmor on December 06, 2018, 02:08:29 AM
I did a lookup. That IP originates from Lithuania; the ISP is UAB Cherry Servers with Azure configured as the name server, and Cherry Servers are providers of cloud hosting services, so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because, from Cherry Servers' pricing page, their services are quite expensive and I am not sure anyone other than a well connected group could afford it.

I also tried pinging but got no response, but
Code:
nmap -sV -Pn 46.166.160.158
reports open ports 3389: ms-wbt-server and 7070: ssl/realserver, which confirms that the attacker is running a Windows OS and uses RDP for his trade.

I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online, but without login creds I can't do much. Maybe someone with advanced pentesting skills could take it up from here; let's put an end to all this criminality.



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bitarmor on December 06, 2018, 02:25:50 AM
You have to send an email detailing the whole issue to their abuse contact gotten from the domaintools search and maybe if they're reliable, they will try and help you out.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: mk4 on December 06, 2018, 04:46:08 AM
Hey. Really unfortunate what happened to you. Hopefully this will be a lesson for you (an expensive lesson, that is). Please get a hardware wallet immediately if you're planning on re-buying cryptocurrencies.

Take note that while this is definitely a huge loss, remember that it's really not over for you. Money can be made back. Best of luck.

Binance and Kraken was easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid.
Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: jackleszz on December 06, 2018, 06:32:49 AM
Both with the Electrum versions for their blockchains.

Are you sure that the Electrum versions were official ones? Could you link to the ones you used.
Sometimes they aren't made by the devs of the coins.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bob123 on December 06, 2018, 06:35:11 AM
I am sorry to hear about your loss.

But.. storing all of your money on your every-day machine and on online services is basically asking to be robbed.

You should have AT LEAST had a dedicated machine only for storing cryptos.
A proper offline-wallet / watch-only wallet setup or a hardware wallet would have been favorable.

Take it as a lesson and first work on your mindset regarding security before storing any cryptos again.
In the end.. owning cryptos means knowing a secret. Keeping this secret safe is the only way to keep your coins safe.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: buwaytress on December 06, 2018, 07:05:47 AM
My ears are burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts so quickly while you were away.

As you said, there's no use harping on your poor security behaviours. But let me tell you this: you have to all but give up on recovering any of the funds lost out of your wallets and exchanges. If those spends have all been confirmed, the best you can do now is try and track the receiving addresses and see if they belong to exchanges - that's where I'd liquidate stolen funds asap. Probably all gone anyway, but if you somehow identify the exchanges and they can act quickly enough, funds can be frozen there and returned later, but be prepared to be able to prove ownership of the originating wallets.

There's been precedent, and Shapeshift themselves have also been known to assist, but of course for figures far higher. $1m is a lot though.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 10:06:57 AM
...
Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?
It was Safe+ :  https://tinyurl.com/ycmetl2n
I was just in the process of changing to KeePass because the developer of Safe+ seems to have abandoned his work. But it did a good job so far and I think this is very likely not the culprit.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 10:20:11 AM
Both with the Electrum versions for their blockchains.

Are you sure that the Electrum versions were official ones? Could you link to the ones you used.
Sometimes they aren't made by the devs of the coins.

The links were these:
BTCP  from   https://github.com/BTCPrivate/electrum-btcp/releases
BCD    I do not remember the source, but from my download history the version is    Electrum-BCD-3.1.2-portable.exe

Most likely the BCD wallet was the culprit.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 10:24:43 AM
My ears are burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts so quickly while you were away.

I was not away - they did it very quickly and I could literally see how they drained my wallets.  ???


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: DaCryptoRaccoon on December 06, 2018, 10:42:42 AM
My ears are burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts so quickly while you were away.

I was not away - they did it very quickly and I could literally see how they drained my wallets.  ???

With all the forks going on I am surprised we don't see more horror stories like this one. Every time I see a coin now that says "1:1 claim" I become very wary.
Looking at the time stamps it seems they possibly did recon on this before they made their move, so they might have had a good bit of time in your system to be able to strike across all those platforms in a short space of time.

I would agree this is not likely to be a lone wolf hacker or script kiddie if they went to the trouble of running via a VPS and then onto your system.

First hand I would be changing the RDP port on your machine.

The port setting for Remote Desktop Services is found in the Windows Registry. In order to change this setting we will need to change the Port Number value in the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Changing the port will stop them re-connecting to your machine in the short term.
I would also check your settings in windows control panel then go to remote desktop and turn it off (on by default)

You could also run netstat with some additional flags to see if there are any processes running on the machine that have established connections.
Or run TCPView and see if there is anything showing here that might give you a clue to how they penetrated your system.

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 10:54:32 AM
I did a lookup. That IP originates from Lithuania; the ISP is UAB Cherry Servers with Azure configured as the name server, and Cherry Servers are providers of cloud hosting services, so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because, from Cherry Servers' pricing page, their services are quite expensive and I am not sure anyone other than a well connected group could afford it.

I also tried pinging but got no response, but
Code:
nmap -sV -Pn 46.166.160.158
reports open ports 3389: ms-wbt-server and 7070: ssl/realserver, which confirms that the attacker is running a Windows OS and uses RDP for his trade.

I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online, but without login creds I can't do much. Maybe someone with advanced pentesting skills could take it up from here; let's put an end to all this criminality.

Very valuable remarks - thank you

I also strongly believe the hackers were an organized group. From starting the likely infected BCD wallet to the point where they literally knew everything about my system and infrastructure was just minutes. And they needed to find the password safe files and a matching program to read them - which is now only available under Android. Finally, they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH, which I have done meanwhile. So they came very quickly, executed their damaging work and left a disaster for me.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 11:35:37 AM
Looking at the time stamps it seems they possibly did recon on this before they made their move, so they might have had a good bit of time in your system to be able to strike across all those platforms in a short space of time.

I think they started their job right at the moment when I started the BCD client. That must have been around midnight. Google closed my account at 03:16 due to unusual activity. By that time they had already hacked my Kraken account, for which Email + 2FA is necessary. Later, obviously, they just removed their traces, which Google recognized.

First hand I would be changing the RDP port on your machine.
done


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 11:42:22 AM
Meanwhile I checked the RDP logs on my system in
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The RDP setting is turned off.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: DaCryptoRaccoon on December 06, 2018, 12:01:07 PM
Meanwhile I checked the RDP logs on my system in
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The RDP setting is turned off.


They may have connected before the hack and just been sitting waiting, though if there is an entry for the 4th I would assume that indeed was the attackers connecting, unless you use RDP yourself.
I think the RDP logs only show the initial connection from the peer to the host.


edit :  afterthought, possibly they connected with RDP first, then infected you with some other type of RAT or malware via the RDP connection. That is also highly possible.
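The checks DaCryptoRaccoon suggests (the RDP-Tcp PortNumber key, whether Remote Desktop is enabled, established connections with their owning process) and the LocalSessionManager log Valerian77 reviewed, pulled together as an added PowerShell example; this is not code from any poster. It assumes an elevated PowerShell on the affected Windows 10 machine and uses only built-in cmdlets.

```powershell
# Added example, not from any poster in this thread.
# Assumes: elevated PowerShell 5.1+ on the affected Windows 10 machine, built-in cmdlets only.

# 1. RDP listening port (the registry key named in the thread) and whether RDP is enabled
$tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$port   = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber
$deny   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
"RDP listening port : $port"
"Remote Desktop     : " + $(if ($deny -eq 1) { 'disabled (fDenyTSConnections=1)' } else { 'ENABLED' })

# 2. The evtx log Valerian77 looked at. Event IDs: 21 = session logon succeeded,
#    25 = session reconnection succeeded, 24 = session disconnected. Each event's
#    UserData carries the peer address ('LOCAL' for console logons, an IP for RDP).
$log    = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$since  = (Get-Date).AddDays(-180)   # the thread mentions entries going back six months
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 21,24,25; StartTime = $since } -ErrorAction SilentlyContinue

$sessions = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = $d.User
        Session = $d.SessionID
        Source  = $d.Address
    }
}
$remote = $sessions | Where-Object { $_.Source -and $_.Source -ne 'LOCAL' }

"`nRemote RDP sessions since $($since.ToString('yyyy-MM-dd')) (from $log):"
$remote | Sort-Object Time | Format-Table Time, Id, User, Session, Source -AutoSize

# Group by peer address so a single unfamiliar address stands out among your own
"`nPeers by session count:"
$remote | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source'; e={ $_.Name }}, Count,
                  @{n='First';  e={ ($_.Group | Sort-Object Time)[0].Time }},
                  @{n='Last';   e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize

# 3. Cross-check against the Security log: 4624 with LogonType 10 (RemoteInteractive)
#    is a successful RDP logon; property 5 = account name, 18 = source IP.
"`nSecurity 4624 RemoteInteractive logons:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
                  @{n='User';   e={ $_.Properties[5].Value }},
                  @{n='Source'; e={ $_.Properties[18].Value }} |
    Format-Table -AutoSize

# 4. Established TCP connections with the owning process (what netstat -ano / TCPView show)
"`nEstablished connections (loopback excluded):"
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Format-Table -AutoSize
```

Keep the output as evidence rather than acting on it alone: on a machine the attacker has controlled, the logs themselves may have been edited, so an empty result is inconclusive, not a clean bill of health.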


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: mk4 on December 06, 2018, 12:43:57 PM
...
Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?
It was Safe+ :  https://tinyurl.com/ycmetl2n
I was just in the process of changing to KeePass because the developer of Safe+ seems to have abandoned his work. But it did a good job so far and I think this is very likely not the culprit.
Oh damn. I'm not saying that it's the reason why you got hacked, but that app looks not-so-trustworthy in my opinion. How did you end up with that password manager? There are a few decent ones that should've ranked higher on Google Play Store.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 12:51:06 PM
edit :  afterthought, possibly they connected with RDP first, then infected you with some other type of RAT or malware via the RDP connection. That is also highly possible.

hm yes - if that is the case then my system is still wide open - at least meanwhile I installed  https://www.spyshelter.com  to see if anything dubious is going on - but probably I will have to change to a newly set up system - at least the remaining cryptos are on a Ledger now and the 2FA backup codes are on paper only


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 06, 2018, 04:35:34 PM
edit :  afterthought, possibly they connected with RDP first, then infected you with some other type of RAT or malware via the RDP connection. That is also highly possible.

hm yes - if that is the case then my system is still wide open - at least meanwhile I installed  https://www.spyshelter.com  to see if anything dubious is going on - but probably I will have to change to a newly set up system - at least the remaining cryptos are on a Ledger now and the 2FA backup codes are on paper only

I'm sorry for your loss; this was an expensive price paid for your negligence + an extremely poor attitude to safety. As you have noticed, the fake BCD and BTCP wallets are very likely responsible for part of the stolen coins - when you put your seed there, all BTC and BCH (if they shared the same seed) are very easily stolen.

If you think you've been targeted, ask yourself who knew you had that kind of coins in your possession? Family, friends, acquaintances, girlfriend...

In any case you should report all of this to the police; this is big money and you do not have to resign yourself to it all being over and the money lost. Too bad that you did not use a HW wallet before, when it is obvious that you have one in your possession.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 06, 2018, 07:24:35 PM
...
In any case you should report all of this to the police; this is big money and you do not have to resign yourself to it all being over and the money lost. Too bad that you did not use a HW wallet before, when it is obvious that you have one in your possession.

I was about to move everything off the laptop.

By the way - the hacker group (I strongly assume it was an organized group) came from the same location which is mentioned here:
https://anti-hacker-alliance.com/index.php?ip=46.166.165.80

The company Cherry Servers replied to my email request on the case:

Quote
Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.
Sounds like this is not the first time they have faced this situation.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: MS69 on December 06, 2018, 08:31:51 PM
...
In any case you should report all of this to the police; this is big money and you do not have to resign yourself to it all being over and the money lost. Too bad that you did not use a HW wallet before, when it is obvious that you have one in your possession.

I was about to move everything off the laptop.

By the way - the hacker group (I strongly assume it was an organized group) came from the same location which is mentioned here:
https://anti-hacker-alliance.com/index.php?ip=46.166.165.80

The company Cherry Servers replied to my email request on the case:

Quote
Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.
Sounds like this is not the first time they have faced this situation.
I am from the same country, maybe I could help you. I have found something interesting while browsing on Google. Will update you later on.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 07, 2018, 12:26:08 AM
I am from the same country, maybe I could help you. I have found something interesting while browsing on Google. Will update you later on.
ok - the bounty is 10% of the recovered sum


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Get-Paid.com on December 07, 2018, 05:06:45 AM
Is it okay to ask why you kept so much money in cryptos and not in the bank? Did you have any thoughts of redeeming these cryptos for cash and saving the cash in your bank, or in other ways of storing cash, perhaps in several bank accounts, stocks, savings, fixed deposits etc.?

If you have more than just $1m that you lost - would you be doing it now after this incident?

Hope these questions are not too personal.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bones261 on December 07, 2018, 06:22:44 AM
Is it okay to ask why you kept so much money in cryptos and not in the bank? Did you have any thoughts of redeeming these cryptos for cash and saving the cash in your bank, or in other ways of storing cash, perhaps in several bank accounts, stocks, savings, fixed deposits etc.?

If you have more than just $1m that you lost - would you be doing it now after this incident?

Hope these questions are not too personal.


The OP's largest holding was 9000 DASH. I suspect the OP had multiple masternodes and probably fared quite well since 2012. I hope this wasn't all the accumulation and profits. It's a shame the OP probably picked up malware while trying to claim forked coins. That's why the only forked coins that I have claimed are the ones that my Trezor did for me. I may be missing out, but it isn't worth losing my coins.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Get-Paid.com on December 07, 2018, 07:27:06 AM
Is it okay to ask why you kept so much money in cryptos and not in the bank? Did you have any thoughts of redeeming these cryptos for cash and saving the cash in your bank, or in other ways of storing cash, perhaps in several bank accounts, stocks, savings, fixed deposits etc.?

If you have more than just $1m that you lost - would you be doing it now after this incident?

Hope these questions are not too personal.


The OP's largest holding was 9000 DASH. I suspect the OP had multiple masternodes and probably fared quite well since 2012. I hope this wasn't all the accumulation and profits. It's a shame the OP probably picked up malware while trying to claim forked coins. That's why the only forked coins that I have claimed are the ones that my Trezor did for me. I may be missing out, but it isn't worth losing my coins.

How do you accumulate/earn 9000 DASH?
Even if it takes several years, that's quite a large amount of money.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bones261 on December 07, 2018, 08:01:39 AM

The OP's largest holding was 9000 DASH. I suspect the OP had multiple masternodes and probably fared quite well since 2012. I hope this wasn't all the accumulation and profits. It's a shame the OP probably picked up malware while trying to claim forked coins. That's why the only forked coins that I have claimed are the ones that my Trezor did for me. I may be missing out, but it isn't worth losing my coins.

How do you accumulate/earn 9000 DASH?
Even if it takes several years, that's quite a large amount of money.


The OP started in crypto at the latest in 2012. Even with lots of mistakes along the way, I'm sure it would have been mostly gravy at this point. Unfortunately, some ne'er do well helped themselves to his years' worth of blood, sweat, and tears. Also, I see from your profile that you started at the latest in 2015. Prices back then were dirt cheap compared to today's prices.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bitarmor on December 07, 2018, 09:35:50 AM
Maybe Lithuania is a safe haven for this kind of guy. I believe Cherry Servers should have at least tried to render some help. It is all the more reason why they have an abuse contact.
The length of time it would take to get their local judiciary system involved is enough time for the hackers to cover their tracks, if they are as smart as I think.
I pinged their IP today; there's a response. I guess they are still online!


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: o_solo_miner on December 07, 2018, 08:45:38 PM
My ears are burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts so quickly while you were away.

I was not away - they did it very quickly and I could literally see how they drained my wallets.  ???

 :o What a nightmare, real horror!

I hope you get some response from the Lithuanian police (for the provider).


PS:
(Why not open a thread in the German section as well, it would surely be of interest there too)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: jackg on December 07, 2018, 09:45:44 PM
Meanwhile I checked the RDP logs on my system in   
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The setting of RDP is turned off

Maybe you’ve been targeted for a few other things in the past too, then.
I think it’s probably best for you to uninstall and reinstall your OS. Maybe even on a different hard drive to ensure nothing else is damaged. It’s likely they changed the logs during the hack so it wasn’t as blatant. Maybe there’s more hidden than we know that they got access to...


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 08, 2018, 12:28:28 AM
Sorry to hear, I'm sorry for your loss.

I did some research into the IP address itself, and the server IP does have reported abuse here: https://cymon.io/46.166.160.28
I believe that suggests that at one point there was a DNS record for surge.loadedhost.net pointed to that IP. There's no guarantee this was the same company, but it may be a lead.

I'd probably contact Cymon to get more information on this / for them to confirm.

The domain has since been de-registered, but you may be able to get Whois History: http://research.domaintools.com/research/whois-history/search/?q=loadedhost.net

And IDK if loadedhost.com is connected to them, but there is some information here: https://www.lowendtalk.com/discussion/13365/loadedhost-com-dramathread
Phone number is Nigerian.

Hope this helps!


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 08, 2018, 01:32:23 AM
Sorry to hear, I'm sorry for your loss.

I did some research into the IP address itself, and the server IP does have reported abuse here: https://cymon.io/46.166.160.28
I believe that suggests that at one point there was a DNS record for surge.loadedhost.net pointed to that IP. There's no guarantee this was the same company, but it may be a lead.

I'd probably contact Cymon to get more information on this / for them to confirm.

The domain has since been de-registered, but you may be able to get Whois History: http://research.domaintools.com/research/whois-history/search/?q=loadedhost.net

And IDK if loadedhost.com is connected to them, but there is some information here: https://www.lowendtalk.com/discussion/13365/loadedhost-com-dramathread
Phone number is Nigerian.

Hope this helps!

the IP was   46.166.160.158   - but your guess seems to be in the same range:    https://anti-hacker-alliance.com/index.php?ip=46.166.165.80 (https://anti-hacker-alliance.com/index.php?ip=46.166.165.80)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 08, 2018, 01:49:16 AM
Sorry to hear, I'm sorry for your loss.

I did some research into the IP address itself, and the server IP does have reported abuse here: https://cymon.io/46.166.160.28
I believe that suggests that at one point there was a DNS record for surge.loadedhost.net pointed to that IP. There's no guarantee this was the same company, but it may be a lead.

I'd probably contact Cymon to get more information on this / for them to confirm.

The domain has since been de-registered, but you may be able to get Whois History: http://research.domaintools.com/research/whois-history/search/?q=loadedhost.net

And IDK if loadedhost.com is connected to them, but there is some information here: https://www.lowendtalk.com/discussion/13365/loadedhost-com-dramathread
Phone number is Nigerian.

Hope this helps!

the IP was   46.166.160.158   - but your guess seems to be in the same range:    https://anti-hacker-alliance.com/index.php?ip=46.166.165.80 (https://anti-hacker-alliance.com/index.php?ip=46.166.165.80)

Oops, apologies, didn't realise the change. Must've found something similar within the range.
I'll keep looking.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: brokepenguin01 on December 08, 2018, 08:56:41 AM
I just signed up to ask some questions relating to your loss. By any chance did you:

1. Tell anyone you had that much money?
2. Tell anyone where it was stored?
3. Shared the email address online?
4. Chat with anyone about your accumulation/holdings?
5. Recently clicked/opened any weird emails/messages (these can contain the virus/backdoor especially in attachments)?
6. Any friends/co-workers/relatives that know about your wealth?
7. Any changes in network? Systems/security? Wifi?
8. Any suspicious passers-by near your residence? Parked vehicles? Anyone near a cafe with access to wifi/laptops?
9. Any recent encounters? New website registrations?

These are some things to think about and you may want to retrace your steps to find out how this happened! Sorry I am not much help at this point.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 08, 2018, 11:54:28 AM
I just signed up to ask some questions relating to your loss. By any chance did you:

1. Tell anyone you had that much money?
2. Tell anyone where it was stored?
3. Shared the email address online?
4. Chat with anyone about your accumulation/holdings?
5. Recently clicked/opened any weird emails/messages (these can contain the virus/backdoor especially in attachments)?
6. Any friends/co-workers/relatives that know about your wealth?
7. Any changes in network? Systems/security? Wifi?
8. Any suspicious passers-by near your residence? Parked vehicles? Anyone near a cafe with access to wifi/laptops?
9. Any recent encounters? New website registrations?

These are some things to think about and you may want to retrace your steps to find out how this happened! Sorry I am not much help at this point.

1 no
2 no
3 ???
4 no
5 no - but most likely an infected BCD wallet was the culprit
6 no
7 no
8 lol no
9 all the time

Every hacker needs a door into your system. Even if I had talked about these things with my neighbour, they would not have been able to hack my computer. As I said before, most likely the hacker was an organized crime gang, well prepared, and they used this BCD wallet as a door into my system. It could have turned on RDP for them and started keylogging. So they were able to achieve total control over my system.
There are theoretically other vulnerabilities - but these guys acted very professionally and very quickly. They even cleaned up their traces after their "work" - that was the reason Google identified them as intruders and closed my account.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 08, 2018, 02:38:48 PM
...
In any case you should all report to the police; this is big money and you do not have to reconcile yourself to it all being over and the money lost. Too bad that you did not use HW before, when it is obvious that you have it in your possession.
I was about to move everything off the laptop.
By the way - the hacker group (I strongly assume it was an organized group) came from the same location which is mentioned here:
https://anti-hacker-alliance.com/index.php?ip=46.166.165.80 (https://anti-hacker-alliance.com/index.php?ip=46.166.165.80)
The company Cherry Servers replied to my email request on the case:
Quote
Dear Sir,
Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.
Sounds like this is not the first time they have faced this situation.

So your best chance is to report your case directly to the Lithuanian police, and maybe get a good lawyer. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.

Lithuania is also member country of Interpol (https://www.interpol.int/Member-countries/Europe/Lithuania), maybe they can do something to help you track hackers.

I'm interested whether you tried to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases exchanges can freeze such coins if there is any doubt about corrupt actions.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: upupup on December 08, 2018, 04:53:18 PM
Please ask the www.vpn.ac provider, as they might own the range; it's known that 46.166.161.227 is their VPN server in Siauliai (and the hacker's IP is 46.166.160.158).



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: jackg on December 08, 2018, 05:04:03 PM
Please ask www.vpn.ac provider as they might own the range as its known that 46.166.161.227 is their VPN server in Siauliai. (and the hackers IP is 46.166.160.158)

I was thinking that surely someone couldn't be dumb enough to use their own IP for a hacking attempt. I know people are dumb but that'd be a new level...

It's likely it's owned by a VPN or someone providing a hidden service such as Tor or OpenVPN (fewer logs will be kept of these too).


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: btcaccelerator on December 08, 2018, 05:56:09 PM
I'm sorry for your loss.

The Dash was sent to a lot of addresses, but the last tx in the chain, 8,147.263 Dash, is at this address:
Code:
Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC
https://chainz.cryptoid.info/dash/address.dws?Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC.htm

I will search for all coins later.  Maybe someone can contact exchange to ask if this address belongs to an exchange


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 08, 2018, 06:46:16 PM
The IP was allocated by RIPE; have you tried emailing their abuse address: abuse@ripe.net


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 09, 2018, 01:49:31 AM
...
So your best chance is to report your case directly to the Lithuanian police, and maybe get a good lawyer. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.

Lithuania is also member country of Interpol (https://www.interpol.int/Member-countries/Europe/Lithuania), maybe they can do something to help you track hackers.

yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.

I'm interested whether you tried to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases exchanges can freeze such coins if there is any doubt about corrupt actions.

I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 09, 2018, 02:00:31 AM
The IP was released by Ripe, have you tried emailing their Abuse email address: abuse@ripe.net

ok thanks - I will


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 09, 2018, 03:46:26 AM
...
So your best chance is to report your case directly to the Lithuanian police, and maybe get a good lawyer. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.

Lithuania is also member country of Interpol (https://www.interpol.int/Member-countries/Europe/Lithuania), maybe they can do something to help you track hackers.

yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.

I'm interested whether you tried to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases exchanges can freeze such coins if there is any doubt about corrupt actions.

I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.

Based on the number of outputs, I wouldn't be surprised if they mixed them, to be completely honest.

That's a hard road to follow, I'd say your best piece of information at this point would be the attempted Gmail access by far (ie: the ip address you have)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 09, 2018, 11:20:36 AM
...
So your best chance is to report your case directly to the Lithuanian police, and maybe get a good lawyer. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.

Lithuania is also member country of Interpol (https://www.interpol.int/Member-countries/Europe/Lithuania), maybe they can do something to help you track hackers.

yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.

I'm interested whether you tried to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases exchanges can freeze such coins if there is any doubt about corrupt actions.

I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.

I think that an international police investigation is the best chance for you, and no matter how well hidden the hacker's traces are, if there is a will and determination the hackers can be found. At the present time even the most careful hacker leaves some digital footprint, so I'm confident that something will be discovered.

Did you maybe try to get out to the public (beyond forums) with your story, maybe only to crypto-related media? Maybe someone has had a similar experience which can help in the investigation, or your case may serve as a warning to others, to prevent someone else from being a victim in the same way.

I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 09, 2018, 11:58:10 AM
...

I think that an international police investigation is the best chance for you, and no matter how well hidden the hacker's traces are, if there is a will and determination the hackers can be found. At the present time even the most careful hacker leaves some digital footprint, so I'm confident that something will be discovered.

Did you maybe try to get out to the public (beyond forums) with your story, maybe only to crypto-related media? Maybe someone has had a similar experience which can help in the investigation, or your case may serve as a warning to others, to prevent someone else from being a victim in the same way.

I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.

there was another case in 2011:      https://bitcointalk.org/index.php?topic=16457.0 (https://bitcointalk.org/index.php?topic=16457.0)

back then they were not able to identify the hacker. This time there are some more traces and at least one responsible company who hosted the computer which was used for the hack.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: TheShillBilly on December 09, 2018, 05:22:22 PM
I'm sorry to hear this OP.  Did you by chance download your BTCD wallet from electrumdiamond dot com?

In May of this year (2018), I too was hacked by this malware wallet.  :-(

DM, if you would like to discuss.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: logfiles on December 11, 2018, 07:54:07 AM
Sorry about what happened to you. This really hurts so much, even for me, to see someone lose their hard-earned money.
I tried to do some small digging as to what may have led to you losing all your coins, and the fact is that the BCD wallet you downloaded was the malware:

According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe), you definitely downloaded a fake Electrum BCD wallet.

Genuine BCD wallet App - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe (https://github.com/eveybcd/electrum/releases/download/v3.0.5.3/Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe)
Fake/Hacker's BCD Wallet App - Electrum-BCD-3.1.2-portable.exe (https://github.com/ElectrumBTCD/electrum/releases/download/v3.1.2/Electrum-BCD-3.1.2-portable.exe)

It's now clear that you downloaded the app from the hacker's website; https://www.electrumdiamond.org/ instead of downloading from the official website of Bitcoin Diamond; https://www.bitcoindiamond.org/ [http://btcd.io]
The fake Bitcoin Diamond site's certificate has even been expired since 12/6/2018.

I also noted that the GitHub user ElectrumBTCD (https://github.com/ElectrumBTCD), from whom you downloaded the wallet file, joined GitHub only 22 days ago and has only one repository. This is a complete red flag.

https://talkimg.com/images/2023/07/19/nuKom.png

Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://talkimg.com/images/2023/07/19/nublW.png

My conclusion is that this is the malware that got your funds stolen; whoever is behind it has your funds. I am not so technical in tracing people using IP addresses, so I will just leave these here in the hope that the info might help someone who is able to track back to the evil hacker or hackers.
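Added example, not from the thread or from the poster: the check a user can run on a downloaded wallet binary before executing it, pinning its SHA-256, comparing it against a known-bad list and against the hash the real project publishes, and reading the Authenticode status. The one known-bad hash is the SHA-256 the VirusTotal link above points at; the download path, the optional VirusTotal API key (the v3 "files" lookup by hash, which does not upload the file) and the $Expected value are assumptions supplied by the caller.

```powershell
# SHA-256 of the fake wallet as reported in this thread (from the VirusTotal URL above).
$KnownBad = @{
    '2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d' = 'Electrum-BCD-3.1.2-portable.exe (fake, reported in this thread)'
}

function Test-WalletDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Expected,     # SHA-256 from the genuine project's release page, if it publishes one (assumed input)
        [string] $VtApiKey      # optional: VirusTotal API key for a hash lookup without uploading (assumed input)
    )
    $sha = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $vt = $null
    if ($VtApiKey) {
        try {
            $r  = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha" -Headers @{ 'x-apikey' = $VtApiKey }
            $vt = $r.data.attributes.last_analysis_stats.malicious   # number of engines flagging it
        } catch { $vt = 'not found or lookup failed' }
    }

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        Sha256          = $sha
        KnownBad        = $KnownBad[$sha]                 # $null when the hash is not on the list
        MatchesExpected = if ($Expected) { $sha -eq $Expected.ToLower() } else { 'no expected hash given' }
        Signature       = $sig.Status                     # Valid / NotSigned / HashMismatch / UnknownError
        Signer          = $sig.SignerCertificate.Subject  # empty for an unsigned file
        VtMalicious     = $vt
    }
}

# Assumed location of the file the poster described.
Test-WalletDownload -Path "$env:USERPROFILE\Downloads\Electrum-BCD-3.1.2-portable.exe" | Format-List
```

The point of the hash comparison is the one the thread makes: the original poster scanned the file on VirusTotal at download time and got nothing, so a zero-detection result is not evidence of safety. A file that is unsigned, carries no publisher-stated hash to compare against, and comes from a weeks-old GitHub account is the combination to refuse, regardless of what the scanners say.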



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 11, 2018, 09:32:38 AM

Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://i.imgur.com/w4z1Dz2.png


this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: marciks on December 11, 2018, 11:48:47 AM

Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://i.imgur.com/w4z1Dz2.png


this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

They must have obfuscated the code. Only after the hack was their signature added to the VirusTotal DB and such. The probability that other people got hacked by this same wallet is high!

Hope you don't leave crypto after this.. as other member said, you are healthy and still can make money!


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 11, 2018, 01:05:38 PM

Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://i.imgur.com/w4z1Dz2.png


this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse

Github may be more willing to give more information regarding the wallet repo & the account it's under.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: npole2000 on December 11, 2018, 01:07:17 PM
Yup, I got fooled by it as well. I have all my crypto in cold wallets but keep "small" amounts for trading on exchanges.
I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious.
The next day I was trading on Kraken, went for dinner (I left it open, because I believed it would be a fast one...!), they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank. I have been very lucky, or I would have lost a much bigger amount; they still managed to get the equivalent of 1.7 BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure out when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
- They promptly deleted the above emails (or I would have noticed on my mobile); I found them later in my trash folder;

Then I started to investigate the vector. I was fairly confident that it was the wallet, and almost sure after having read this thread, which I found by searching for the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine; Antimalware found nothing.
Even looking at the compromised app (notepad), everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however, this isn't much relevant).

Again, I was very lucky to have moved the money away from it; they must have noticed me moving the funds away and "risked" their move, worried that I would have emptied the whole thing. After all, 1.7 BTC is better than nothing for a robber!


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Get-Paid.com on December 11, 2018, 01:08:44 PM

Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://i.imgur.com/w4z1Dz2.png


this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse

Github may be more willing to give more information regarding the wallet repo & the account it's under.

The hacker(s) probably provided fake info to Github when signed up, but perhaps IP addresses might be helpful.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 11, 2018, 01:12:24 PM

Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://i.imgur.com/w4z1Dz2.png


this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse

Github may be more willing to give more information regarding the wallet repo & the account it's under.

The hacker(s) probably provided fake info to Github when signed up, but perhaps IP addresses might be helpful.


Oh there's no doubt they faked info. But an IP may correlate to one of the attacks.

Doing a quick WHOIS pulls up NameCheap as their registrar.
https://who.is/whois/electrumdiamond.org

I'd contact their abuse email as well to see if they can assist at all.
It seems the domain was registered more than a year ago: you may be able to find cached versions of their DNS.

http://research.domaintools.com/research/whois-history/search/?q=electrumdiamond.org


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Bitcoin_Arena on December 11, 2018, 03:19:48 PM
Feel so sorry for OP. A few days ago I wrote an article on how Not all crypto apps in App stores are safe (https://bitcointalk.org/index.php?topic=5081172.0). I didn't give much attention to other wallets and apps on GitHub, but reading through your story, this is even more serious than phishing attempts through fake apps. I am going to update my thread using this experience (I hope it's okay), with a major focus on the app in question, so that new users can know how grave this matter can be.
I wish you all the best in an attempt to try and net that/those culprit(s)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 11, 2018, 03:34:27 PM
Feel so sorry for OP. A few days ago I wrote an article on how Not all crypto apps in App stores are safe (https://bitcointalk.org/index.php?topic=5081172.0). I didn't give much attention to other wallets and apps on GitHub, but reading through your story, this is even more serious than phishing attempts through fake apps. I am going to update my thread using this experience (I hope it's okay), with a major focus on the app in question, so that new users can know how grave this matter can be.
I wish you all the best in an attempt to try and net that/those culprit(s)


ok - do not forget all the other scam wallets like the fake BTCP etc. Nothing is safe unless you are 100% sure about the source of an executable. And in that case it is possible that no virus scanner shows any indication.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 12, 2018, 11:49:16 AM
Yup, I got fooled by it as well. I have all my crypto in cold wallets but keep "small" amounts for trading on exchanges.
I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious.
The next day I was trading on Kraken, went for dinner (I left it open, because I believed it would be a fast one...!), they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank. I have been very lucky, or I would have lost a much bigger amount; they still managed to get the equivalent of 1.7 BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure out when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
- They promptly deleted the above emails (or I would have noticed on my mobile); I found them later in my trash folder;

Then I started to investigate the vector. I was fairly confident that it was the wallet, and almost sure after having read this thread, which I found by searching for the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine; Antimalware found nothing.
Even looking at the compromised app (notepad), everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however, this isn't much relevant).

Again, I was very lucky to have moved the money away from it; they must have noticed me moving the funds away and "risked" their move, worried that I would have emptied the whole thing. After all, 1.7 BTC is better than nothing for a robber!

Which wallet did you download before the attack happened? Also, some AVs are certainly not top-level protection, and you mention AVG and Avira, which in my opinion are very low on my trusted list. You probably installed a remote access trojan (RAT (https://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan)) on your PC, and with that hackers can do almost everything.

You do not mention using a firewall, which is very important; most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software plus hardware wallets. I know you are a trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious file downloads.

Maybe it would be good to read : 5 Ways to Catch a RAT (https://combofix.org/5-ways-to-catch-a-rat.php)

Notice : Both links posted in this post are scanned with https://www.virustotal.com and they are safe to visit.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: npole2000 on December 12, 2018, 02:05:15 PM
Which wallet did you download before the attack happened? Also, some AVs are certainly not top-level protection, and you mention AVG and Avira, which in my opinion are very low on my trusted list. You probably installed a remote access trojan (RAT (https://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan)) on your PC, and with that hackers can do almost everything.

I downloaded the fake BCD wallet, I think it was Electrum-BCD-3.1.2-portable.exe from electrumdiamond.org (which is now closed/suspended).
What fooled me were the guides on Reddit on how to claim your forks.
Of course I downloaded the malicious software; I'm a little surprised that the AVs didn't catch this, as apparently it's pretty old, not 0-day stuff. However, it is still my mistake; I shouldn't have used the PC where I trade.

Quote
You do not mention using a firewall, which is very important; most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software plus hardware wallets. I know you are a trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious file downloads.

I limit firewall usage because I'm behind a NAT; you are still exposed on outgoing connections, which can only be exploited by malicious software running on the PC, and that is the case here. It's the first time that a file has passed through my checks and scans. I would probably have authorized the wallet's network traffic anyway... maybe the firewall would have caught the RAT after the installation, but it's all assumptions here.

What I know is that even knowing about the infection, no scan has found it (I also gave it a pass with Malwarebytes); I had to trace it back "manually".

And it wasn't a traditional RAT: there was no "fake" app starting with my PC, and no port listening (it wouldn't have worked behind a NAT without proper port forwarding or UPnP). It was the app calling the remote server from my PC, and the app was a perfectly legit instance of notepad. I mean, if it wasn't for the network activity, I would never have found it.

So they obfuscated the code well to not get caught, and used notepad as a wrapper (proxy) to run the malicious code (you run the legit process suspended, and then you use the allocated space to run your own code).
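Added example, not from the thread or from the poster: a one-pass version of the manual hunt described above. It lists every process holding a remote TCP connection, flags images that never need the network (notepad.exe and similar), flags any connection to the IP reported in this thread, and shows the parent process and the on-disk Authenticode status. The technique the poster describes (start a legitimate binary suspended, replace its memory image, resume it) is commonly called process hollowing, and the on-disk signature column is there to make its blind spot visible. Run as Administrator. The IOC IP is from the thread; the watch-list of quiet binaries is an assumption.

```powershell
# Indicator from this thread.
$IocIps = @('46.166.160.158')

# Signed Windows binaries that have no legitimate reason to hold outbound connections (assumed list).
$QuietImages = 'notepad.exe', 'calc.exe', 'mspaint.exe', 'write.exe', 'wordpad.exe',
               'cmd.exe', 'regsvr32.exe', 'rundll32.exe', 'mshta.exe'

# Index live processes by PID once, so each connection can be joined to its owner and parent.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[string]$_.ProcessId] = $_ }

function Get-SuspiciousConnections {
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |   # drop loopback/unspecified
        ForEach-Object {
            $p      = $byPid[[string]$_.OwningProcess]
            $parent = if ($p) { $byPid[[string]$p.ParentProcessId] }
            $sig    = if ($p -and $p.ExecutablePath) { (Get-AuthenticodeSignature $p.ExecutablePath).Status } else { 'n/a' }
            [pscustomobject]@{
                Pid        = $_.OwningProcess
                Image      = if ($p) { $p.Name } else { '<unknown>' }
                Parent     = if ($parent) { "$($parent.Name):$($parent.ProcessId)" }
                             elseif ($p) { "<exited>:$($p.ParentProcessId)" } else { 'n/a' }
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                OnDiskSig  = $sig   # stays Valid after hollowing: the file on disk is untouched, only memory is
                Suspicious = ($p -and $p.Name -in $QuietImages) -or ($_.RemoteAddress -in $IocIps)
            }
        }
}

Get-SuspiciousConnections | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two things this view makes concrete from the post above. First, a beaconing implant has no listening port, so a listener-only check (or a NAT with no port forwarding) says nothing; the outbound table is where it shows. Second, `OnDiskSig` reports Valid for a hollowed notepad.exe, exactly as the poster saw, because the signature covers the file, not the running image; confirming the hollowing needs a comparison of the in-memory image against the file (a memory dump or a tool that verifies loaded images), which this block does not attempt. A process on the watch-list with a remote connection, or anything talking to the IOC address, is enough to pull the machine off the network and start that deeper check.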


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: npole2000 on December 13, 2018, 01:21:54 AM
I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers proving their negligence.
The evidence to support the thesis is the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer. While they did not want to disclose the customer's identity (perfectly legal without a court/police mandate), they did not react, nor did they care to check the server, leaving it operative for several days and so leaving the criminals free to do more damage (including to me).
I may have more chance to settle this due to their negligence, than try to find the "hacker", because it would cost me more money in lawyers than what they robbed.

The EU law exonerates the providers/host of the illegal activities conducted on their network/servers provided that they are unaware of it, while obliges them to react immediately as soon they became aware of the illegal conduct. The email sent by Valerian is clear evidence that they became aware of it, but not having reacted immediately, they became co-responsible of every subsequent damage. Hopefully it will make progress.

Honestly I will not investing much time in this, I mean I won't go in Lithuania to talk to them, and surely I won't spend another cent on this. :)

@Valerian: if you may provide to me in private the original conversation you had with Cherry Servers, it will greatly help!


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 13, 2018, 08:00:34 AM
I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims procedure (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers by proving their negligence.
The evidence to support the thesis is the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer, and while they didn't want to disclose the customer's identity (perfectly legal without a court/police mandate), they didn't react, nor did they care to check the server, leaving it operative for several days and so letting the criminals do more damage (including to me).
I may have more chance to settle this due to their negligence than by trying to find the "hacker", because it would cost me more money in lawyers than what they robbed.

The EU law exonerates providers/hosts from the illegal activities conducted on their network/servers provided that they are unaware of them, while obliging them to react immediately as soon as they become aware of the illegal conduct. The email sent by Valerian is clear evidence that they became aware of it, but not having reacted immediately, they became co-responsible for every subsequent damage. Hopefully it will make progress.

Honestly I will not invest much time in this, I mean I won't go to Lithuania to talk to them, and surely I won't spend another cent on this. :)

@Valerian: if you could provide me in private with the original conversation you had with Cherry Servers, it would greatly help!


The EU small claims procedure is only for claims up to 5000 EUR. But sure, I will give you the conversation with Cherry Servers.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: npole2000 on December 13, 2018, 09:38:57 AM
The EU small claims procedure is only for claims up to 5000 EUR. But sure, I will give you the conversation with Cherry Servers.

Thanks. And yes, I specified: "Due to the low amount involved I can use the EU small claims...".
That's the amount they stole from me, and that's the reason why I'm proceeding against Cherry Servers. In the end I'm interested in getting my money back, I don't care who will pay.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 13, 2018, 10:52:09 AM
npole2000, by what you wrote in your posts it seems that you possess fairly good knowledge regarding cryptocurrency and PC/online security. Unfortunately, you made just one mistake by downloading that fake wallet (if this is the way you got infected). In the past such fake wallets could only steal seeds or private keys, and now they have become an even greater threat. Because of that I only claim BCH via ElectronCash (https://electroncash.org/ is the only legit site), and all other BTC forks have never been too important to me.

I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims procedure (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers by proving their negligence.
The evidence to support the thesis is the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer, and while they didn't want to disclose the customer's identity (perfectly legal without a court/police mandate), they didn't react, nor did they care to check the server, leaving it operative for several days and so letting the criminals do more damage (including to me).

This is a good move since you have that option; honestly, I did not even know such an option existed in the EU (for some reason only Denmark is excluded). By the answer Cherry Servers gave to Valerian77, they are not obliged to disclose such information to anyone other than "local law enforcement agencies in Lithuania".

Quote
Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.

I hope European Small Claims (https://e-justice.europa.eu/content_small_claims-42-en.do) can be of assistance in such a situation; be sure to let us know how the situation develops.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 13, 2018, 12:54:35 PM
... By the answer Cherry Servers gave to Valerian77, they are not obliged to disclose such information to anyone other than "local law enforcement agencies in Lithuania".

Quote
Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.


At first glance they are not obliged to any law enforcement other than their local one. But if they knowingly provide a platform for scammers, criminals and maybe terrorists, then they will see how quickly they will be involved in international criminal cases in other countries as well, and in compensation requests.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 13, 2018, 06:37:39 PM
npole2000, by what you wrote in your posts it seems that you possess fairly good knowledge regarding cryptocurrency and PC/online security. Unfortunately, you made just one mistake by downloading that fake wallet (if this is the way you got infected). In the past such fake wallets could only steal seeds or private keys, and now they have become an even greater threat. Because of that I only claim BCH via ElectronCash (https://electroncash.org/ is the only legit site), and all other BTC forks have never been too important to me.

I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims procedure (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers by proving their negligence.
The evidence to support the thesis is the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer, and while they didn't want to disclose the customer's identity (perfectly legal without a court/police mandate), they didn't react, nor did they care to check the server, leaving it operative for several days and so letting the criminals do more damage (including to me).

This is a good move since you have that option; honestly, I did not even know such an option existed in the EU (for some reason only Denmark is excluded). By the answer Cherry Servers gave to Valerian77, they are not obliged to disclose such information to anyone other than "local law enforcement agencies in Lithuania".

Quote
Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.

I hope European Small Claims (https://e-justice.europa.eu/content_small_claims-42-en.do) can be of assistance in such a situation; be sure to let us know how the situation develops.

And considering the amount, the case actually might stand a chance. It seems there are quite a few people who have been affected; a class action may be the best route of action.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: bitarmor on December 14, 2018, 12:56:59 AM
Going through the previous comments, especially those of npole, I now understand that the attacker(s) used some really good obfuscation techniques to bypass detection systems.
I also believe that the attacker got a legit version of the Electrum BCD wallet and then modified it to contain his malicious payload.

I think a good prevention mechanism everyone should note is how to do data verification. In other words, I mean verification of MD5, SHA-1 and SHA-256 hashes. It's some cryptography stuff!

So for example, if Electrum releases a new version of the software, they also release the checksum, which is a random string of text. Now, if I download that new release and I want to ensure file integrity, I run a hash function against that file and compare the result to what was shown on the official website; if they match, I then know that it is legit. If not, I know that it has been tampered with.

It's kind of what I think is best practice for critical systems such as where you store your financial data.

There's no way both the legit Electrum's and the modded Electrum's checksums can be the same, except if you were MITM'ed whilst visiting a non-HTTPS site.

A way to do this on Windows:
Open up Powershell and use the command:

The default is SHA-256:
Code:
Get-FileHash C:\path\to\file.exe 

To specify the hashing algorithm (based on the official site's specification):
Code:
Get-FileHash C:\path\to\file.exe -Algorithm MD5
Code:
Get-FileHash C:\path\to\file.exe -Algorithm SHA1
Code:
Get-FileHash C:\path\to\file.exe -Algorithm SHA256

and then compare the result to the hash the official site released.

Linux users (any of the three, depending on which you want to view):
Code:
md5sum /path/to/file
Code:
sha1sum /path/to/file
Code:
sha256sum /path/to/file

Stay safe, all.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 14, 2018, 10:03:41 AM
I think a good prevention mechanism everyone should note is how to do data verification. In other words, I mean verification of MD5, SHA-1 and SHA-256 hashes. It's some cryptography stuff!

If you have the real checksums they can be used to check the real executable. But what would prevent a scammer from creating new hashes for his malicious software? If the executable were downloaded from his site then the hashes would also be from there.

Because of that I can only recommend that anybody use a dedicated device or hardware wallet for cryptocurrencies - do not expose your funds to thieves and scammers. I wish I had taken these precautions myself in time.
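
bitarmor's checksum walk-through and Valerian77's objection above both hold: a hash only proves that the file is the one the hash's author hashed, so the checksum list has to come from somewhere the attacker does not control (the upstream project's signed release, or a value pinned from a known-good source), never from the same download page. The Python below is an added example, not code from the thread or from the Electrum project. It parses a sha256sum-style checksum list, picks the algorithm from the digest length, hashes the file in chunks and compares in constant time. The checksum list and file names are constructed; the SHA-256 and MD5 values in it are the published test vectors for the string "abc", which stands in for file content. MD5 and SHA-1 are accepted only because some projects still publish them; neither is collision-resistant, so treat a match on them as a weak check.

```python
"""Verify a download against a published checksum list (sha256sum/md5sum format).

Added example, not code from the forum thread. SAMPLE_SUMS and the file names
are constructed; the digests in it are the standard test vectors for b"abc"."""
import hashlib
import hmac

# Digest length in hex characters -> hashlib name. MD5/SHA-1 kept for
# compatibility only; neither is collision-resistant.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample checksum file (not a real release). '*' marks binary mode.
SAMPLE_SUMS = """\
# checksums for the 3.1.2 release (constructed example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  wallet-portable.exe
0000000000000000000000000000000000000000000000000000000000000000 *wallet-setup.exe
900150983cd24fb0d6963f7d28e17f72  legacy-wallet.zip
"""


def parse_sums(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than guess
        digest, name = parts
        entries[name.lstrip("*").strip()] = digest.lower()
    return entries


def lookup(filename, sums_text):
    """(expected_hexdigest, algorithm) for filename, or None if absent/unusable."""
    expected = parse_sums(sums_text).get(filename)
    if expected is None:
        return None
    algo = ALGO_BY_HEXLEN.get(len(expected))
    return (expected, algo) if algo else None


def _result(actual, expected, algo):
    # Constant-time compare: the digests are public, but it is the habit worth keeping.
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    return True, f"{algo} matches published checksum"


def verify_bytes(data, filename, sums_text):
    """Return (ok, reason) for in-memory content under the published name."""
    found = lookup(filename, sums_text)
    if found is None:
        return False, f"no usable checksum published for {filename!r}"
    expected, algo = found
    return _result(hashlib.new(algo, data).hexdigest(), expected, algo)


def verify_file(path, filename, sums_text, chunk_size=1 << 20):
    """Same check for a file on disk, hashed in chunks so large installers fit in memory."""
    found = lookup(filename, sums_text)
    if found is None:
        return False, f"no usable checksum published for {filename!r}"
    expected, algo = found
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return _result(h.hexdigest(), expected, algo)


if __name__ == "__main__":
    # Stand-in for a downloaded file: the bytes b"abc" under the published name.
    print(verify_bytes(b"abc", "wallet-portable.exe", SAMPLE_SUMS))
    print(verify_bytes(b"abd", "wallet-portable.exe", SAMPLE_SUMS))
```

The check deliberately refuses to pass a file whose name has no entry in the list: a tampered download is often renamed, and silently hashing it against nothing is how "verified" ends up meaning nothing. When the project signs its checksum file, verify that signature against a key you obtained earlier and out of band before trusting the list at all.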


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: npole2000 on December 14, 2018, 12:33:35 PM
Because of that I can only recommend that anybody use a dedicated device or hardware wallet for cryptocurrencies - do not expose your funds to thieves and scammers. I wish I had taken these precautions myself in time.

I use (multiple) hardware wallets... or I would have lost everything.
I also use a dedicated PC to do my crypto stuff.
I'm also not a 100% noob concerning computers/IT stuff.

And considering all the above, howsoever, I still got robbed of something.
Analyzing the situation AFTER it happened is easy. There are like ten things that I could have done differently to avoid it (of course!), but the point is that life is long... and sometimes you can't be perfect every single day, otherwise we would live in paranoia and fear.

- I should have paid much more attention to the wallet used; opinions on Reddit, guides on the web and an apparently legit website weren't enough.
- The fact that no AV/scans found anything wasn't sufficient to call the file safe.
- I could have used a VM to do this stuff (I have like 5 VMs installed on my machines, that are only a click away);
- I could have paid much more attention to how I use my trading platforms (leaving it open while not being at the PC is stupid if looked at afterwards..);
- And finally the luck (bad luck): my daily hours (and dinner time) are normally different; that day I got delayed by other stuff, in 99% of other cases I would have been at the PC soon enough to block it before;

It's all about "imperfections" concatenated with each other, and I consider myself very lucky to have adopted hardware wallets from the very beginning and to use 2FA on every exchange, so while I learned a lesson for "cheap" (cheap if compared with your amount) I won't consider myself "completely stupid"; I'm not perfect, like every other human. Maybe for the next months... years... I will pay much more attention than usual, but I'm sure that once I eventually forget to be extremely paranoid I may make the same mistakes again.

My idea is: don't be a complete bloke (for example: don't leave your wallet full of money on a bench in a mall), but don't start to be paranoid either (don't hide your money in a cave, under a rock, protected by lions), because if you start to be extremely paranoid you won't live anymore. So where do you hide your hardware wallet seed? What if someone finds it? Did you split it in 4 parts, sending it to 3 places around the world? Do you remember all the 24 words by memory? What if your memory is not good anymore? And stuff like this... you will always live with an "acceptable risk".


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 14, 2018, 01:49:05 PM
@npole2000
that is the reason that security is very expensive for companies and everyone else


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: logfiles on December 14, 2018, 10:01:14 PM
<snip>

Thanks for sharing the guide... This is new to me and I am glad I learned it here. Better to take some time figuring out how to be secure than to be sorry.
Yesterday I just did a Google search on how people claim forks, especially the recent Bitcoin Cash forks, and realized how many people are vulnerable to getting hacked.

There have been incidents where fake websites claiming to be official sites, while offering fake wallets for download, pop up out of nowhere. Sometimes someone claiming to give a guide on how to claim the coins gives a link to a fake wallet/fake website. Hopefully people will get sensitized about such dirty tricks.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: cellard on December 15, 2018, 02:29:38 AM
Sorry about what happened to you. This really hurts so much, even for me, to see someone lose their hard-earned money.
I tried to do some small digging as to what may have led to you losing all your coins, and the fact is that the BTCD wallet you downloaded was the malware:

According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe), you definitely downloaded a fake Electrum BCD wallet.

Genuine BCD wallet app - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe (https://github.com/eveybcd/electrum/releases/download/v3.0.5.3/Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe)
Fake/hacker's BCD wallet app - Electrum-BCD-3.1.2-portable.exe (https://github.com/ElectrumBTCD/electrum/releases/download/v3.1.2/Electrum-BCD-3.1.2-portable.exe)

It's now clear that you downloaded the app from the hacker's website, https://www.electrumdiamond.org/, instead of downloading from the official website of Bitcoin Diamond, https://www.bitcoindiamond.org/ [http://btcd.io]
The fake Bitcoin Diamond site's certificate has even been expired since 12/6/2018

I also noted that the GitHub user ElectrumBTCD (https://github.com/ElectrumBTCD), from whom you downloaded the wallet file, joined GitHub only 22 days ago and has only one repository. This is a complete red flag

https://i.imgur.com/D1UkO3v.png

Finally I decided to scan the said wallet on VirusTotal;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

https://i.imgur.com/w4z1Dz2.png

My conclusion is that this is the malware that got your funds stolen; whoever is behind it has your funds. I am not so technical in tracing people using IP addresses, so I will just leave this here in the hope that the info might help someone who is able to track back to the evil hacker or hackers.


"Bitcoin Diamond" was never safe. If altcoins and all forks in general are scammy, well, "Bitcoin Diamond" was just straight robbery. There was news about it:


Quote
It is also witnessed that there is no source code made available to the people, in any form of open source codes. As a direct consequence of which, the Trezor along with Ledger Nano S hardware wallets do not support Bitcoin Diamond. On its official website, one can also find murky wallets and they have mentioned it as “Waltets”.

There exists no blockchain or the source code and therefore we can certainly designate Bitcoin Diamond to be a fraud.

https://coinnounce.com/bcd-bitcoin-diamond-scam-hard-fork-of-btc/

Well, this is insanity. No source code available and no blockchain? Anyway, I remember reading something fucked up about this fork and ignored it.

OP apparently also used the same password for password decryption as he used for online services? That's a no-no. And it seems you had a ton of money on exchanges too. Come on guys, it's almost 2019. If you have 1 million bucks worth of crypto, put 1 million bucks worth of effort into securing your coins, and remember to keep your coins in wallets on offline computers. Do not reuse passwords for online services. Pretty obvious stuff. Oh, and try to avoid installing ANY altcoin software on the same computer you keep your bitcoins on, and do not expose too much of your money outside of Bitcoin. Always check SHA-256 checksums if you are too lazy to compile source code.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 18, 2018, 11:33:18 PM
And the scammer is online again:

http://www.electrumdiamond.org/ (http://www.electrumdiamond.org/)

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: logfiles on December 19, 2018, 02:17:00 AM
And the scammer is online again:

http://www.electrumdiamond.org/ (http://www.electrumdiamond.org/)

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.
Yup, I also see it... I am also wondering how this continues to happen.

Also, I was just thinking, if we took the complaint to the GitHub team, is there a chance that they could take down the malware hosted on their website along with the criminal's account?


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 19, 2018, 06:04:24 AM
And the scammer is online again:

http://www.electrumdiamond.org/ (http://www.electrumdiamond.org/)

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.
Yup, I also see it... I am also wondering how this continues to happen.

Also, I was just thinking, if we took the complaint to the GitHub team, is there a chance that they could take down the malware hosted on their website along with the criminal's account?

Not only that, but their registrars Namecheap & GoDaddy may be able to provide more information (https://who.is/whois/btcd.io)

Namecheap Abuse: https://www.namecheap.com/support/knowledgebase/article.aspx/9196/5/how-and-where-can-i-file-abuse-complaints

GoDaddy Abuse: https://godaddy.com/help/reporting-abuse-27154

Github Abuse: https://github.com/contact/report-abuse

GH at the very least will remove the repo.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 19, 2018, 11:25:53 AM
And the scammer is online again:

http://www.electrumdiamond.org/ (http://www.electrumdiamond.org/)

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.

It seems that cryptocurrency is not at the top of their list of priorities for now. If we consider how much the total crypto market is worth today, it is clear that they have some other priorities which generate much larger sums of money in terms of criminal activities. In addition, there is also the problem of education - to fight these threats we need educated people in the right places. One of the benefits of the Internet is anonymity, and we can see some bad people use that - they just switch from one hosting/country to another.

I reported this site to: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

Let's shut them down as soon as possible >:(


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 23, 2018, 10:55:29 AM
this is funny (or not)

Namecheap never reacted to the ticket. GitHub seemed to have taken down the repository for some days. But now it's up and running again.  ???



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Lucius on December 23, 2018, 11:50:02 AM
this is funny (or not)
Namecheap never reacted to the ticket. GitHub seemed to have taken down the repository for some days. But now it's up and running again.  ???

I think that for some people the holidays have started a little early; at this time of year support may be slower than usual. Have you followed Namecheap's rules regarding abuse reporting? Maybe they consider your case a fraud scheme and they will not assist you if the report is not made to https://complaint.ic3.gov .

I have to admit it's strange that GitHub reacted in that way; maybe they removed them, but they found a way to get back. The only thing we can do is to report them again.

Is there any progress in the investigation of your case?


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 23, 2018, 01:47:10 PM
this is funny (or not)
Namecheap never reacted to the ticket. GitHub seemed to have taken down the repository for some days. But now it's up and running again.  ???

I think that for some people the holidays have started a little early; at this time of year support may be slower than usual. Have you followed Namecheap's rules regarding abuse reporting? Maybe they consider your case a fraud scheme and they will not assist you if the report is not made to https://complaint.ic3.gov .

I have to admit it's strange that GitHub reacted in that way; maybe they removed them, but they found a way to get back. The only thing we can do is to report them again.
yes probably - it would be a mess if another person became a victim of this fraud


Is there any progress in the investigation of your case?
yes there is - I will post the progress when it will not affect the investigation anymore


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Xivibe on December 25, 2018, 06:12:06 PM
Painful to read this.

And now they've tried to clean up the mess by uploading another (clean) wallet?
https://github.com/ElectrumBTCDiamond/electrum/releases/tag/v3.1.2

https://www.virustotal.com/#/url/d6101b23974af1329c77ccf70e31e845884a8a8f91e49adccfc6476aea48d81b/detection

Nice try...







Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 25, 2018, 07:17:16 PM
Painful to read this.

And now they've tried to clean up the mess by uploading another (clean) wallet?
https://github.com/ElectrumBTCDiamond/electrum/releases/tag/v3.1.2

https://www.virustotal.com/#/url/d6101b23974af1329c77ccf70e31e845884a8a8f91e49adccfc6476aea48d81b/detection

Nice try...

Yes - be careful with that one!! I checked it and it is the same malware as before.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Xivibe on December 25, 2018, 07:44:28 PM
Painful to read this.

And now they've tried to clean up the mess by uploading another (clean) wallet?
https://github.com/ElectrumBTCDiamond/electrum/releases/tag/v3.1.2

https://www.virustotal.com/#/url/d6101b23974af1329c77ccf70e31e845884a8a8f91e49adccfc6476aea48d81b/detection

Nice try...

Yes - be careful with that one!! I checked it and it is the same malware as before.

Ouch..  >:(

Then the detection is pretty misleading...


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: rossjamie on December 26, 2018, 03:01:26 PM
Is OP saying that he was hacked via an RD connection?
Are you using a dynamic or static IP?
When you look over your PC, does your computer log itself out?
Getting the password is easy, especially if you download a virus wallet and your PC is connected to a Microsoft account. I think mobile connectivity is more secure than home cable because the IP always changes after a certain time, because sometimes the cellular connection loses the signal. And make sure your firewall is not too open to all ports.

For the record, I'm an ignorant person and too paranoid about my security. I'm just installing KIS and a local antivirus (sometimes local is more dangerous). And I install every wallet on one computer and am always online.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Initscri on December 26, 2018, 07:10:27 PM
Painful to read this.

And now they've tried to clean up the mess by uploading another (clean) wallet?
https://github.com/ElectrumBTCDiamond/electrum/releases/tag/v3.1.2

https://www.virustotal.com/#/url/d6101b23974af1329c77ccf70e31e845884a8a8f91e49adccfc6476aea48d81b/detection

Nice try...

Yes - be careful with that one!! I checked it and it is the same malware as before.

Ouch..  >:(

Then the detection is pretty misleading...

Yeah, I wouldn't 100% trust VirusTotal when it comes to checking these. They've been wrong in the past.

The code within the software could be more or less unprecedented to the virus detection systems.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: evgenbogdan on December 27, 2018, 07:37:19 PM
Hello!

I'm very sorry to hear this bad news about your coins.
I hope you can find some help here! You will see three links "To report Internet Fraud".

https://badbitcoin.org/index.htm

Good Luck Buddy!
Best regards,
Evgen Bogdan


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: stomachgrowls on December 28, 2018, 03:29:03 AM
Painful to read this.

And now they've tried to clean up the mess by uploading another (clean) wallet?
https://github.com/ElectrumBTCDiamond/electrum/releases/tag/v3.1.2

https://www.virustotal.com/#/url/d6101b23974af1329c77ccf70e31e845884a8a8f91e49adccfc6476aea48d81b/detection

Nice try...

Yes - be careful with that one!! I checked it and it is the same malware as before.

Ouch..  >:(

Then the detection is pretty misleading...

Yeah, I wouldn't 100% trust VirusTotal when it comes to checking these. They've been wrong in the past.

The code within the software could be more or less unprecedented to the virus detection systems.
Once issues have been experienced in the past it is hard to fully trust these services. It's pretty misleading indeed, so it's much better to be careful next time.
Sad to hear about OP's loss. Recovery would be impossible even if you do know some information.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: lightfoot on December 28, 2018, 04:59:50 AM
By the way, if you're going to use a Windows box, forget about using standard AV tools. Microsoft's Defender is useless, as are most of the normal AV tools. A bit of recompiling and a little salt and an executable with a full reverse command shell can be installed in no time.

Get a real EDR and AETD tool like SentinelOne, or Crowdstrike. They can usually spot fileless tricks in about 6-10 seconds, giving the attacker a pretty limited window to get a persistent session going. Granted they could loop but your system should scream about thousands of attacks being killed a minute, if you're not monitoring your system you're fucked.

Better option: 10 year old burner PC. Best option Kali type burner OS.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 28, 2018, 12:58:34 PM
By the way, if you're going to use a Windows box, forget about using standard AV tools. Microsoft's Defender is useless, as are most of the normal AV tools. A bit of recompiling and a little salt and an executable with a full reverse command shell can be installed in no time.
true

Get a real EDR and AETD tool like SentinelOne, or Crowdstrike. They can usually spot fileless tricks in about 6-10 seconds, giving the attacker a pretty limited window to get a persistent session going. Granted they could loop but your system should scream about thousands of attacks being killed a minute, if you're not monitoring your system you're fucked.

Better option: 10 year old burner PC. Best option Kali type burner OS.
thanks - good hint


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: JollyGood on December 28, 2018, 06:26:04 PM
I feel very sorry for you. That is a lot of crypto ($1 million) to be scammed.

http://whois.domaintools.com/electrumdiamond.org/

If the scammer/thief used Namecheap servers to host his website and Namecheap to register the domain, it means Namecheap.com could have valuable information.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: BitcSeo on December 29, 2018, 04:06:05 PM
OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate where the coins were held, is it a multi wallet (if yes, which wallet?), how it happened or what you think could have happened? A malware installation, phishing site or anything that is more specific.



@Valerian77  => @Harkorede,


I'm sorry about the loss. I wish you will be able to recover partial coins, if not the full amount.

I'll suggest any discussion should be made via PM. Harkorede, please use PM when asking such question(s); in so doing Valerian77 can also reply and post detailed info to you via PM.

*Otherwise, it is not advisable to post such info on the public board where everyone, including the person behind the act, can easily access it.

Regards


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: BitcSeo on December 29, 2018, 04:23:08 PM
A simple premium version of Avast for less than 15 bucks per year could have helped block these hackers from penetrating or gaining full access to your system.

Well, now we all have to provide useful information, help or guidelines when necessary because the deed has been done.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 31, 2018, 01:37:33 AM
A simple premium version of avast for less than 15 buck ...

Please check the history of the thread. The critical file has been checked by VirusTotal and was marked OK. Avast and other virus checks wouldn't have helped. Basically that was the trap I was running into.

To make Windows more secure, anti-keylogger and anti-screen-recording software and constant port checks are needed. With my experience I would not use a non-dedicated computer for crypto anymore - too late. For anybody: use hardware wallets or dedicated computers without automatic updates


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on December 31, 2018, 01:53:40 AM
OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.



@Valerian77  => @Harkorede,


I'm sorry about the loss. I hope you will be able to recover part of the coins, if not the full amount.

I'd suggest any discussion should be made via PM. Harkorede, please use PM when asking such questions; in so doing, Valerian77 can also reply and post detailed info to you via PM.

*Otherwise, it is not advisable to post such info on the public board, where everyone, including the person behind the act, can easily access it.


If the attacker reads this thread he will not get any information that he doesn't have already.

Regarding the method of hacking - it was a RAT attack in electrumdiamond. We understand the function of that malware pretty well now. From that and what was said before, I recommend not installing anything whatsoever on your system that has not been electronically signed by a known entity. Virus and malware checks do not help to prevent such a scenario.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Xivibe on January 01, 2019, 04:03:39 PM
A simple premium version of Avast for less than 15 bucks ...

Please check the history of the thread. The critical file had been checked by VirusTotal and was marked OK. Avast and other virus checks wouldn't have helped. Basically that was the trap I was running into.

To make Windows more secure, anti-keylogger and anti-screen-recording software and constant port checks are needed. With my experience I would not use a non-dedicated computer for crypto anymore - too late. For anybody: use hardware wallets or dedicated computers without automatic updates.

'without automatic updates'

Why?  ???


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on January 01, 2019, 05:00:29 PM
...
To make Windows more secure, anti-keylogger and anti-screen-recording software and constant port checks are needed. With my experience I would not use a non-dedicated computer for crypto anymore - too late. For anybody: use hardware wallets or dedicated computers without automatic updates.

'without automatic updates'

Why?  ???

Because 'automatic updates' deploy new code on the computer, which is a risk in itself - even if the original software is from a trusted source, the updates may contain malicious code.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Artemis3 on January 01, 2019, 07:29:35 PM
Let this sad incident be a reminder to anyone who happens to come across this thread: when you handle bitcoins or any other decentralized crypto, YOU are THE BANK.

You simply cannot be lazy about it; the higher the amount, the more important it is. BUT, while you are starting with "low" sums, take the chance to train yourself and get into the habit of doing things properly.

The OP thankfully admitted some mistakes, but to summarize:

  • Windows 10
  • Same password
  • Trying unknown software on the same PC

Seriously people, DON'T. Let's start at the beginning.

You should not use Windows to handle these sums. Even if you see companies and large institutions using it, Microsoft has a long history of security faults. The OS might be OK for gaming and non-essential stuff, but handling your money on it is something that should never occur to you. The solution is simple: use a different OS for serious tasks.

For example you can download a Linux ISO, put it on a thumb drive and boot the computer from it to create and occasionally handle a cold wallet. You don't even need to install that OS on your computer if you don't want to; just boot from it to do your banking and then shut it off. Someone mentioned Kali; I don't recommend this. Not only is it very unfriendly to newcomers, but it logs in as root by default. That is not a distro for protection, it's for testing security, meaning: attacking (which you should never do without written permission).

How to make and handle a cold wallet:

Use a newbie-friendly distro like Linux Mint (https://linuxmint.com/) or Ubuntu (https://www.ubuntu.com/) to boot from USB, install a wallet like Electrum using the distro package manager; create a wallet and write down the seed words (1) on a piece of paper by hand (no printing, no photos). Once created, don't bother with passwords; just print or photograph your wallet addresses and turn off the PC.

From now on any money you send to those addresses is as safe as that paper with the written seed words is. It is offline (i.e. cold), and no "hacker" can do anything about it.

But someday you may want to move those funds elsewhere:

Use a newbie-friendly distro like Linux Mint or Ubuntu to boot from USB, install a wallet like Electrum using the distro package manager; recover the wallet by using the seed words you wrote on that piece of paper by hand, do your transactions and turn off the PC.

Ideally you should keep a "cold" wallet for large sums, and a "hot" wallet (e.g. on your smartphone) for daily needs.

By using a USB thumb drive to boot a Linux distro you are keeping your risky malware OS separate from your serious banking use. You could also install the "secure" OS permanently on another PC (old or not) to do your internet and online banking, and perhaps productivity, more safely, but keep using the boot-from-USB (live CD) method when handling cold wallets, which you are not supposed to do very often. You can check any transactions going to your cold wallet by using any of the online blockchain explorers.

Now let's talk about passwords. Never EVER re-use the same password anywhere, period. Use a password manager to generate a different random password for every site and service you use, and password-protect that with a GOOD (2) password. If you have a password for your PC (which you should), make this also a good password, different from the one for your password manager. Then every time you need to log in to a site, use your password manager. This works better in a safer OS like Linux, BSD, etc.; which is why permanently installing Linux on another PC dedicated to such tasks is not such a bad idea (i.e. your productivity separate from your gaming PC).

2FA is not a panacea, but I'm not against you backing up the codes within the password manager, though you could use a separate password file (with a different GOOD password) for that exclusive use, since you very rarely need the backups (only when your smartphone is lost); again, much better to do this on a "secure" PC running a safer OS.


If this is too annoying and you'd rather trust your money to third-party institutions, fine, go ahead and use a bank vault (maybe a good place to store a copy of your seed words). But remember, when you are the bank, the responsibility lies almost entirely with you.

(1) Those seed words represent (are used to regenerate) your private key.
(2) A good password is something you can't find in a dictionary. You can easily scramble your passwords by mixing words and numbers together, preferably intermingled. E.g. say Table and 1988 could become T1a9b8l8e or tA19BL88E; be creative and use your imagination for something only you can remember.

Good luck. Perhaps post a bounty in services for recovery?
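As a worked illustration of footnote (1) above, that the seed words regenerate the private key, here is an added example; it is not code from this thread, nor from Electrum. It uses the BIP39 scheme (words plus optional passphrase stretched with PBKDF2-HMAC-SHA512 into a 512-bit seed) and BIP32 (HMAC-SHA512 keyed with "Bitcoin seed" turns that seed into the master private key and chain code), which is what hardware wallets and most non-Electrum software use. Caveat: Electrum's native seed format is a different scheme, so this will not reproduce an Electrum wallet; the principle that the paper with the words is the key is the same. The mnemonic in the block is the public BIP39 test vector (all-zero entropy); it holds no funds and must never be used for a real wallet.

```python
# Added example (not from this thread or from Electrum): how seed words
# regenerate a wallet's master private key. BIP39 (words -> seed) and
# BIP32 (seed -> master key) are shown; Electrum's native seed scheme
# differs, so this does NOT reproduce an Electrum wallet.
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Public BIP39 test vector (all-zero entropy). NOT a real wallet, never use it.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The word-list checksum is not verified here; any string is accepted."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048)


def bip32_master(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with b"Bitcoin seed". Left 32 bytes are the
    master private key, right 32 bytes the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload: bytes) -> str:
    """Base58Check: append the first 4 bytes of double-SHA256, base58-encode,
    and keep one '1' per leading zero byte."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def master_xprv(seed: bytes) -> str:
    """Serialise the master key as a mainnet 'xprv' (BIP32): version
    0x0488ADE4, depth 0, parent fingerprint 0, child index 0, chain code,
    0x00 || 32-byte private key, then Base58Check."""
    key, chain = bip32_master(seed)
    payload = (bytes.fromhex("0488ADE4") + b"\x00" + b"\x00" * 4 + b"\x00" * 4
               + chain + b"\x00" + key)
    return base58check(payload)


def recover_wallet(mnemonic: str, passphrase: str = "") -> dict:
    """Everything the wallet needs is derived from the words (+ passphrase):
    whoever holds the paper holds the money."""
    seed = bip39_seed(mnemonic, passphrase)
    return {"seed_hex": seed.hex(), "xprv": master_xprv(seed)}


if __name__ == "__main__":
    w = recover_wallet(TEST_MNEMONIC, "TREZOR")
    print("seed:", w["seed_hex"])
    print("xprv:", w["xprv"])
    # Same words with a different passphrase give a completely different
    # wallet, so a passphrase must be backed up together with the words.
    print("passphrase changes wallet:",
          recover_wallet(TEST_MNEMONIC)["xprv"] != w["xprv"])
```

Run it on the live system described above, offline, and compare the first characters of the derived xprv with what the wallet software shows; the point of the exercise is to see that nothing but the words (and the passphrase, if one was set) is needed to rebuild the key, which is exactly why the paper must be guarded and why the same words typed into a trojaned wallet hand everything to the attacker.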


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: encycrypto on January 01, 2019, 09:16:55 PM
this is funny (or not)

Namecheap never reacted to the ticket. GitHub seemed to have taken down the repository for some days. But now it's up and running again.  ???

Have you tried Namecheap's live chat yet? Tell them there to give priority to your ticket.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: BitcSeo on January 01, 2019, 10:53:26 PM
For some reason Namecheap will neither react nor reply to such an email unless OP asks his legal adviser to compose and file this message on his behalf to Namecheap.




Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on January 02, 2019, 08:41:33 AM
Now let's talk about passwords. Never EVER re-use the same password anywhere, period. Use a password manager to generate a different random password for every site and service you use, and password-protect that with a GOOD (2) password. If you have a password for your PC (which you should), make this also a good password, different from the one for your password manager. Then every time you need to log in to a site, use your password manager. This works better in a safer OS like Linux, BSD, etc.; which is why permanently installing Linux on another PC dedicated to such tasks is not such a bad idea (i.e. your productivity separate from your gaming PC).

Passwords may be as good as they can be. When they are stored in the same password safe, the single password of the safe unlocks all of them. A password safe does not provide real security. At most it helps to distribute your passwords over many devices.


2FA is not a panacea, but I'm not against you backing up the codes within the password manager, though you could use a separate password file (with a different GOOD password) for that exclusive use, since you very rarely need the backups (only when your smartphone is lost); again, much better to do this on a "secure" PC running a safer OS.

Do not put backup codes in any password safe. They are only safe on paper, and that only if they are read from the screen on a safe system. 2FA means having a second independent source for the authentication - that is no longer given if the backup codes are stored on the same system as the password - that is even true if a different password manager is used.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Artemis3 on January 04, 2019, 01:20:12 PM
Passwords may be as good as they can be. When they are stored in the same password safe, the single password of the safe unlocks all of them. A password safe does not provide real security. At most it helps to distribute your passwords over many devices.

Do not put backup codes in any password safe. They are only safe on paper, and that only if they are read from the screen on a safe system. 2FA means having a second independent source for the authentication - that is no longer given if the backup codes are stored on the same system as the password - that is even true if a different password manager is used.

It is a scalability problem. Your brain isn't going to reliably handle 1000 random passwords. Same with 2FA backups. Though be my guest if you trust writing them down manually in a notebook more, and hope that notebook does not fall into the wrong hands or get lost.

Password managers encrypt their data file (or at least they should); provided you use a decent password, it should be no problem to store it even in Google cloud. If you read the rest of my post, you should pay attention to the "secure computer" part; you can have that one air-gapped, without any LAN or WiFi if you want.

You don't seem to trust password managers, perhaps because your password was keylogged when you opened it on your insecure Windows computer. But that's not the password manager's fault; you already had malware intercepting everything. You should prevent this in the first place.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: GrosWesh on January 04, 2019, 04:02:15 PM
Thank you for all the given info, including @Artemis3.

On my side I set some rules:

- Permanent use of a keyboard input encryptor: however, I do not know its real effectiveness; your opinions are therefore welcome.

- Each password used (and I use hundreds) is unique.

- All these passwords are printed on physical paper and stored in a folder. Of course, in case of destruction of these documents (by fire, water etc.) I could only blame myself. It should be noted that this solution suits me for the moment insofar as I do not have colossal sums in crypto (in the case of OP, I would obviously secure even more).

- I do not install special wallets (especially for airdrops)

There is so much more to say, but everyone uses their own method. I especially wanted to participate in this conversation to bring my humble point of view regarding the storage of passwords.

Good luck to all, especially OP; you have strong nerves, well done! I wish you the best for 2019, wholeheartedly :)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: JollyGood on January 04, 2019, 05:36:37 PM
A good idea is maybe having a separate laptop which is specifically used for the purpose of wallet transactions only


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: lightfoot on January 04, 2019, 07:27:06 PM
Another possibility is to buy a tablet or something and run a wallet there. If you dedicate it you probably won't be running other stuff, the problem then becomes updates and such. Eventually you just get a HW wallet or cold wallets and be done with it.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Artemis3 on January 09, 2019, 12:28:56 AM
Thank you for all the given info, including @Artemis3.

On my side I set some rules:

- Permanent use of a keyboard input encryptor: however, I do not know its real effectiveness; your opinions are therefore welcome.

- Each password used (and I use hundreds) is unique.

- All these passwords are printed on physical paper and stored in a folder. Of course, in case of destruction of these documents (by fire, water etc.) I could only blame myself. It should be noted that this solution suits me for the moment insofar as I do not have colossal sums in crypto (in the case of OP, I would obviously secure even more).

- I do not install special wallets (especially for airdrops)

There is so much more to say, but everyone uses their own method. I especially wanted to participate in this conversation to bring my humble point of view regarding the storage of passwords.

Good luck to all, especially OP; you have strong nerves, well done! I wish you the best for 2019, wholeheartedly :)
Those are good ideas. You have to think ahead, because when you are handling money you WILL become a target, either directly (you managed to attract someone's attention) or indirectly (phishing, malware, random probing, etc).

As for the keyboard encryptor, I'm not entirely sure of the usefulness of that. I guess it's a race over who captures the keystrokes first...
You should have those passwords backed up in some way, in case the physical location gets destroyed (in a fire, flood, or such). Could be digitally, using an encrypted file or password manager, or copies in different places. But securing (and making) the copies becomes tricky; which is why I like the digital encrypting method more.

Another possibility is to buy a tablet or something and run a wallet there. If you dedicate it you probably won't be running other stuff, the problem then becomes updates and such. Eventually you just get a HW wallet or cold wallets and be done with it.
Cold "paper" wallets are very good when handled properly and it's always good practice to learn how to make and use them.

And never mix your leisure computer with your money handling operations.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on January 09, 2019, 08:54:59 AM
One million USD is such a lot of money. Someone was spying on you since you had a large portfolio on your system.
I am not the only victim of these criminals. And I think they did not spy directly on me but on people who downloaded and used their trap like BCD wallet malware.


I guess you can't recover your coins since they have already been taken away from you. The only advice I can give is to make separate wallets on which you put 2FA for more security.
Yes - I should have known it before. Now the damage is done. For sure I will not make that mistake again. And I will not recover from it anytime soon. I worked for many years to get together what has been stolen now.


I'm so sorry for your loss. I hope you can get your money / coins back.

Last year, I and lots of other people were scammed by the coinsmarkets exchange and we never got ours back.
The thread was locked (I have never understood why it's locked) but you can get some authorities' contact info and some advice. https://bitcointalk.org/index.php?topic=2185903.4060
Honestly, contacting the authorities is always a good step in this kind of situation. Whether it helps is another question. I assume that most of these criminals make a mistake sooner or later which sends them to prison. But does it help the victims? Most times not. Anyway, it might help to keep some out of this criminal business - like this one:
Russian 'hacking genius' accused of $530 million 'dark web' fraud against Americans posed with tigers and crocodiles before his FBI-ordered arrest (https://www.dailymail.co.uk/news/article-5382427/Russian-hacker-played-exotic-animals-Thailand.html)


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: alevlaslo on January 09, 2019, 09:06:51 AM
It was necessary to use only cold storage, so that the networked machine never sees your private keys: http://docs.electrum.org/en/latest/coldstorage.html
But DASH masternodes do not work in this mode.

NEM can return, please contact the developers



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: khaled0111 on January 09, 2019, 09:15:56 AM
...
- Permanent use of a keyboard input encryptor: however, I do not know its real effectiveness; your opinions are therefore welcome.
...

It is not 100% safe. A low-level keylogger or kernel-based keylogger will be able to intercept your keyboard inputs before they get encrypted.
This solution works better with touch screen inputs, not with keyboard inputs.

The best is to combine it with typing some keys via a visual keyboard. You can also trick the hacker by adding some random keystrokes (there is software that can generate them for you).



Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: alevlaslo on January 09, 2019, 09:19:50 AM
Nothing will save you from a smart virus; it can even recover files from an emptied recycle bin, so only cold storage is necessary.

Other people were not touched yet, but this was a large amount.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: kano on January 10, 2019, 01:51:31 AM
Well, the simplest change to make to more likely avoid such problems is to not use Windows.

Linux is not virus proof, but a much smaller and harder target for hackers.
Ubuntu is simple to install and easy to use.

Windows virus checkers do not detect 'viruses' they detect 'known viruses'
This case clearly shows that.
... and that is by design by McAfee years ago to ensure an ongoing income stream.

Botnets of 100's of 1000's of windows machines are not urban legends, they're fact.

If you wish to reduce your risk storing currency on a computer, use Linux, but also understand how to do that safely.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: lepbagong on January 11, 2019, 03:00:48 AM
A good idea is maybe having a separate laptop which is specifically used for the purpose of wallet transactions only
Maybe what you say could be an idea, but for some people it will add to the workload. What is still on my mind is why it could be hacked so easily. I am also concerned about this incident, because this value is quite large.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: jhongzjhong on January 11, 2019, 04:16:37 AM
As OP has said, it is so sad to have lost such a huge amount. I've learned from those replies too; they are very informative for helping us avoid being hacked. I also use a laptop and all my web wallets and app wallets are here, so I am now aware that this might lead to a hack or any possibility of being hacked.
A good idea is maybe having a separate laptop which is specifically used for the purpose of wallet transactions only
Maybe what you say could be an idea, but for some people it will add to the workload. What is still on my mind is why it could be hacked so easily. I am also concerned about this incident, because this value is quite large.
Yes, that is a good idea. If we can't afford to buy a hardware wallet, then we separate our wallet onto another device, just like a tablet.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: upupup on January 11, 2019, 06:49:38 AM
Guys, please:
-never tell anyone that you own crypto
-use VPN
-use Linux
-use cold storage (or at least 2fa without the recovery option)

Antivirus software is pretty much useless against modern keyloggers or viruses. Windows can be really dangerous, especially if you use cracked software or single guys :D


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: UserU on January 11, 2019, 06:52:12 AM
Well, the simplest change to make to more likely avoid such problems is to not use Windows.

Linux is not virus proof, but a much smaller and harder target for hackers.
Ubuntu is simple to install and easy to use.

Windows virus checkers do not detect 'viruses' they detect 'known viruses'
This case clearly shows that.
... and that is by design by McAfee years ago to ensure an ongoing income stream.

Botnets of 100's of 1000's of windows machines are not urban legends, they're fact.

If you wish to reduce you risk storing currency on a computer, use linux, but also understand how to do that safely.

Unfortunately most of us use Windows and are so familiar with it that it has become part of our lives. I've used Linux before but eventually gave it up because Windows has everything I need (apps-wise).

One way to not get hacked besides not keeping 'em on exchanges is to use common sense.

No matter how advanced anti-viruses could be, simply being careless won't protect your system from being compromised.

You could have a super-strong password to any offline wallet(s) but if you managed to get phished, its game over.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: af_newbie on January 12, 2019, 03:17:25 PM
OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate on where the coins were held: is it a multi wallet (if yes, which wallet?), how did it happen, or what do you think could have happened? A malware installation, a phishing site, or anything more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency   Place
DASH      Qt-Wallet on Laptop
BCH      ElectronCash on Laptop
BTC      Binance.com
BTC      Kraken.com
NEM      Simplewallet on Laptop
BURST   Desktop wallet on Laptop
BTC      Exodus wallet on Laptop
OmiseGo   Exodus wallet on Laptop
LTC      Exodus wallet on Laptop
BCH      Exodus wallet on Laptop
DASH      Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD, both with the Electrum version for their blockchains.
I used the same long password for different things - especially my password safe had the same password as the DASH QT wallet. So after I started the Electrum clients (which I had tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASH QT - that was it - one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)

I feel sorry for you. It can happen to anyone. The problem is you had too many altcoin wallets on your machine. You should have only run the bitcoin.org Core offline wallet compiled from sources.

You should have used a dedicated, clean machine to access your coins or online accounts, and never web browse or install anything on that machine. QT wallets should be encrypted and stored on removable USB drives, only connected when sending. Blockchains should be updated with dummy wallets. You should have run 'core' wallet apps, not online or third-party wallets. The 2FA devices should be dedicated hardware (old phones) not connected to any network. Why in the world did you use password safes? BCD? Really? I did not even know they existed; I would not bother with any bitcoin splits. I recovered BTG/BCH, but this was done on an old PC with the BTC moved to another wallet after the fork and before the recovery attempt. I would not trust any wallet other than the bitcoin.org Core wallet. If you're really paranoid, inspect the sources and compile from sources on a dedicated dev machine.

This is everyone's worst nightmare.

Spend some money on dedicated 'POS' equipment and never touch it unless you move coins or access exchange accounts.  And keep the wallet, blockchain backup on multiple devices in multiple physical locations.

This just shows you, bitcoin is still in an early adoption phase.  It is still not for everyone.

PS. Why anyone would keep all these altcoins is beyond me. Store your money in BTC in the bitcoin.org Core wallet and forget all the BS coins.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: nc50lc on January 16, 2019, 04:04:35 AM
BTC      Binance.com
BTC      Kraken.com
If this is accurate, you can contact these exchanges (not customer service) for their cooperation. Kraken may be impossible but Binance might answer you.
Send an email containing complete info on your ownership of the addresses' funds, some personal info and/or clearance, together with a detailed explanation of your statement.

Why? Given that you have full proof of ownership and you can prove that you're not the one who moved the funds,
exchanges like Binance require a KYC policy of their users and they have the power to point you to any leads to the culprit.
This can get you to a real person who can be questioned for more leads.
And even if it was withdrawn to a "mixing" address (unless they tolerate crimes), you can also contact the service provider to provide the final address where the funds (2 BTC from Binance?) are being held.

But it's been quite a long time since the hacking incident; I can only assume that it was already laundered as "investments" into micro-earning sites or loans.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on January 19, 2019, 11:50:04 AM
and ... the hackers wallet is online again:       http://electrumdiamond.org/ (http://electrumdiamond.org/)

I think GitHub has kicked them. They have renamed the executable to version 3.0.5.3 and put it into the file system download directory.

disgusting


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: UserU on January 19, 2019, 11:59:38 AM
and ... the hackers wallet is online again:       http://electrumdiamond.org/ (http://electrumdiamond.org/)

I think GitHub has kicked them. They have renamed the executable to version 3.0.5.3 and put it into the file system download directory.

disgusting

You might want to remove the URL. You never know, some might download it, thinking it's legit.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: JollyGood on March 21, 2019, 03:18:16 PM
Any more information on this scam?


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: logfiles on March 22, 2019, 12:31:57 PM
The bastard(s) is(are) still online with a new profile on GitHub called "electrums".
It was made 9 days ago

https://talkimg.com/images/2023/07/19/nu6pv.png

https://talkimg.com/images/2023/07/19/nuRZH.png

I hope no one has fallen for their malware so far. I am going to try to report their profile


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: Valerian77 on March 22, 2019, 01:17:06 PM
Basically Namecheap should remove their account for   "electrumdiamond.org". But it seems to be difficult to contact the Namecheap support at all.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: JollyGood on March 22, 2019, 01:50:16 PM
Basically Namecheap should remove their account for   "electrumdiamond.org". But it seems to be difficult to contact the Namecheap support at all.


If reported to the law enforcement agencies, why are the domain and Git still active?


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: AdolfinWolf on March 22, 2019, 04:21:00 PM
Basically Namecheap should remove their account for   "electrumdiamond.org". But it seems to be difficult to contact the Namecheap support at all.


If reported to the law enforcement agencies, why are the domain and Git still active?
Probably because they're too small of a fish to dedicate law enforcement resources to. This is unfortunately pretty common with internet crime. Don't expect the feds to do anything if you haven't lost significant amounts. (Although in this case, it does seem pretty significant)

It's really up to github to keep removing these projects really, which can be quite difficult if they just keep popping back up under new accounts.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: JollyGood on March 22, 2019, 04:29:27 PM
Basically Namecheap should remove their account for   "electrumdiamond.org". But it seems to be difficult to contact the Namecheap support at all.


If reported to the law enforcement agencies, why are the domain and Git still active?
Probably because they're too small of a fish to dedicate law enforcement resources to. This is unfortunately pretty common with internet crime. Don't expect the feds to do anything if you haven't lost significant amounts. (Although in this case, it does seem pretty significant)

It's really up to github to keep removing these projects really, which can be quite difficult if they just keep popping back up under new accounts.


If all parties played their part I have no doubt the scam numbers would fall all round.

People in the forum highlight them but then it is up to others (Github, domain registrar, web host etc) to ensure they do not get a chance to succeed in their scams.


Title: Re: I GOT HACKED AND LOST 1 MILLION
Post by: logfiles on May 23, 2019, 06:40:17 AM
Basically Namecheap should remove their account for   "electrumdiamond.org". But it seems to be difficult to contact the Namecheap support at all.
I did a follow up and I can now confirm that the scammer's domain is no longer active.
The new GitHub profile was also removed.
Code:
https://github.com/Electrums/

Thanks to whoever took their time to report both the domain and the GitHub profile for abuse.