Bitcoin Forum

Other => Beginners & Help => Topic started by: Jaro13 on December 19, 2018, 05:00:13 PM



Title: I have been hacked... what now?
Post by: Jaro13 on December 19, 2018, 05:00:13 PM
Okay so long story short.

I downloaded a program without AV because I thought Windows Defender was good enough.

This happened around 2 months ago: downloaded the program, ran the setup, installed it and ran it. All fine. In the next 2 hours, I went onto my emails to find out someone was in my Yahoo mailbox and had tried to get into my crypto online wallets, which were empty. I bought BullGuard antivirus straight away and ran a scan which found viruses. I changed my passwords, reinstalled Windows and changed passwords again. I thought that was it. 300 dollars gone off my PayPal account, and 15 dollars used to buy GTA V off my other PayPal account. I bought a Ledger Nano S and stored 20 000 XRP on it, worth £10 000. Yesterday I woke up to find out that all my Ripples from the Ledger have been moved to this address, which I suppose is the hacker's address: rUF5TKP4JNyXsHWjHYVWH7ugCB6FTabM8U.

Also the hacker who bought the GTA has used a fake passport with my name on it to send to the game provider to prove "it was me" who bought it.

I probably won't be able to recover my life savings, will I?

Will be going to the police station tomorrow also, if they can help?

I had sensitive files on my PC, such as letters I wrote and pictures of my driving licence.

What can I do to make sure this does not happen ever again, and what else can the hackers do? Is my personal information for sale on the dark web? Who knew 1 small application could ruin a life...

I am afraid they can take all my money from my bank accounts.


Title: Re: I have been hacked... what now?
Post by: BitMaxz on December 19, 2018, 05:16:29 PM
According to some reviews of the BullGuard AV, it has a poor or low score on malware protection, which means that your PC is still infected even though you are using BullGuard antivirus.

I hope that you can use a better AV like Kaspersky. I'm not promoting it, but I have used it for many years and it has saved my PC from many malware and viruses.

For now, there is no way to recover your lost XRP. The only thing you can do now is to make sure your PC is clean or format your whole PC, but you can't save your files from your PC as you need to install a clean OS.


Title: Re: I have been hacked... what now?
Post by: harizen on December 19, 2018, 05:17:18 PM
Downloaded the program, ran the setup, installed it and ran it

What program is that? Always take caution when downloading and installing any program. Even without anti-virus (of course it's a must-have), as long as you know what you are doing, you will not be a victim of fraud software.

I bought BullGuard antivirus straight away and ran a scan which found viruses. I changed my passwords, reinstalled Windows and changed passwords again. I thought that was it.

Can you show some logs here and let's check what those are. Can't draw out the real picture behind your case yet.

I am afraid they can take all my money from my bank accounts

The moment some shitty activity happens to you and you suspect that your bank accounts have a chance of being compromised, you can ask your bank to take the necessary actions if a withdrawal is not possible or you don't want to initiate one.


Title: Re: I have been hacked... what now?
Post by: Jaro13 on December 19, 2018, 05:25:12 PM
I also scanned my PC with Malwarebytes and ESET; both came out clean. Will post previous BullGuard logs when I come home. I did change my bank passwords, and set up 2FA when setting up new payments.



Title: Re: I have been hacked... what now?
Post by: DdmrDdmr on December 19, 2018, 05:36:08 PM
<…>
Out of all the fatalities, which I'm not sure are tied together in the same sequence of events, I can't see how your XRP can be moved if it was protected by a Ledger Nano S device. I've seen what I presume is your thread on XRP Chat (https://www.xrpchat.com/topic/29510-xrp-fund-stolen-from-ledger-nano-s/), and as far as I can see, only one of two things could have happened:

-   You had your 24-word seed stored or scanned on your PC, along with those other documents you mention.

-   You state in your post on XRP Chat that you bought the Ledger Nano S on eBay, and not at the official site nor an official reseller. The device could have been pre-seeded by the seller, but you do state that you reset it before creating the PIN and so on.

Recently I stumbled upon an official announcement from Trezor that stated that there were fake Trezor Ones on the market, visually indistinguishable, the only slight alteration being that of the holographic seal on the product's original box. The fake devices could have a limited set of seeds, known to the people behind them, and the reset process may be an emulation and not really result in a randomly created seed.
Although that was Trezor, Ledger may have fake Nano S devices on the market (see Check if device is genuine (https://support.ledger.com/hc/en-us/articles/360002481534-Check-if-device-is-genuine) to revise this).


Title: Re: I have been hacked... what now?
Post by: BitMaxz on December 19, 2018, 05:55:57 PM
I also scanned my PC with Malwarebytes and ESET; both came out clean. Will post previous BullGuard logs when I come home. I did change my bank passwords, and set up 2FA when setting up new payments.

If the hacker could make a fake document like a passport and could pretend to be you, there is a big chance that your bank account is in danger.

To be safe it is better to transfer your money to a new bank account, because they can make a request to the bank and use your documents to take your savings out of the bank, and do the same with your PayPal account.

You had already been infected the first time, before you used a paid antivirus, which I think means the hacker already retrieved all the files from your computer. So if you saved your important files on your PC without an updated antivirus, there is a big chance that they already have the important documents that they can use for verification or to prove that they own your bank or PayPal account.

About your XRP: as said above, your Ledger Nano might be pre-seeded, and someone could recover it to other wallets and transfer it to a new wallet.


Title: Re: I have been hacked... what now?
Post by: cameron_EMI on December 19, 2018, 06:45:09 PM
Okay so long story short.

I downloaded a program without AV because I thought Windows Defender was good enough.

This happened around 2 months ago: downloaded the program, ran the setup, installed it and ran it. All fine. In the next 2 hours, I went onto my emails to find out someone was in my Yahoo mailbox and had tried to get into my crypto online wallets, which were empty. I bought BullGuard antivirus straight away and ran a scan which found viruses. I changed my passwords, reinstalled Windows and changed passwords again. I thought that was it. 300 dollars gone off my PayPal account, and 15 dollars used to buy GTA V off my other PayPal account. I bought a Ledger Nano S and stored 20 000 XRP on it, worth £10 000. Yesterday I woke up to find out that all my Ripples from the Ledger have been moved to this address, which I suppose is the hacker's address: rUF5TKP4JNyXsHWjHYVWH7ugCB6FTabM8U.

Also the hacker who bought the GTA has used a fake passport with my name on it to send to the game provider to prove "it was me" who bought it.

I probably won't be able to recover my life savings, will I?

Will be going to the police station tomorrow also, if they can help?

I had sensitive files on my PC, such as letters I wrote and pictures of my driving licence.

What can I do to make sure this does not happen ever again, and what else can the hackers do? Is my personal information for sale on the dark web? Who knew 1 small application could ruin a life...

I am afraid they can take all my money from my bank accounts.

1.) I'm very sorry to hear about your situation. You just made a bunch of rookie mistakes.

2.) If you are using a Windows computer, please download free editions of anti-virus, anti-spyware, and anti-malware software. Here's what I have on my computer: Avast Anti-Virus, SUPERAntiSpyware, and Malwarebytes. Yes, I run the free editions.

3.) Please, please scan your computer with those programs almost daily if possible. Better safe than sorry!

4.) If you seek to purchase a hardware wallet to store your cryptos, never, never buy a used one. Buy yours brand new directly from the manufacturer or trusted third parties.

5.) If you want to save your backup codes, seed words, etc. into text files, please save those on an encrypted USB flash drive and store it somewhere safe.

I hope it helps!


Title: Re: I have been hacked... what now?
Post by: Adriano2010 on December 19, 2018, 07:58:46 PM
What program did you download and get the virus from? And something is strange: how did they take your coins from the Ledger Nano S? The private keys never leave the Ledger Nano S. Did you save your passphrase in an email or on your PC connected to the internet?


Title: Re: I have been hacked... what now?
Post by: harizen on December 19, 2018, 09:07:38 PM
~snipped~
What program is that? Always take caution when downloading and installing any program. Even without anti-virus (of course it's a must-have), as long as you know what you are doing, you will not be a victim of fraud software.
~snipped~
Can you show some logs here and let's check what those are. Can't draw out the real picture behind your case yet.
~snipped~
The moment some shitty activity happens to you and you suspect that your bank accounts have a chance of being compromised, you can ask your bank to take the necessary actions if a withdrawal is not possible or you don't want to initiate one.
I also scanned my PC with Malwarebytes and ESET; both came out clean. Will post previous BullGuard logs when I come home. I did change my bank passwords, and set up 2FA when setting up new payments.

Malwarebytes is a powerful tool compared to BullGuard, so in case they didn't detect anything suspicious, it means that "maybe" your account/s got compromised the other way around. Maybe a victim of phishing or something along those lines.

If you already changed your email passwords, set up 2FA, changed bank passwords or anything else, then there is no need to be worried unless "someone" is targeting you intentionally.*

Well then, will wait for the BullGuard logs.


Title: Re: I have been hacked... what now?
Post by: retprogramisto on December 19, 2018, 10:35:12 PM
Sorry to hear.

If your crypto is stolen you can't get it back, unless you locate the hacker and persuade him to return it. That's why it is so important to control and protect your private keys.

In the future it is better to use Linux or Mac instead of Windows (less chance of viruses). If you really want to use Windows, get a new hard drive and reinstall fresh. Store your passwords in encrypted text files or, better, memorize them. Don't use the autofill feature of your browser or store passwords in unencrypted text files/documents. Research software before you install it and use a trusted antivirus software (not needed for Linux but necessary for Windows).

Ledger should have been safe, but it sounds like you had a remote access virus. If you continue to use Windows for daily tasks, make a read-only Linux USB to send crypto with your Ledger. This will give you a safe environment to make and broadcast transactions. You could also keep your private keys completely offline and only connect to the internet to broadcast signed transactions, but 1) Ledger should be enough, 2) if you already have a virus, even this doesn't help.

Possibly you could report the PayPal and bank transfers as unauthorized, but I am not a lawyer.

Edit: Read that there could be compromised fake/used Ledgers. In this case, get a new Ledger direct from the company website (https://www.ledger.com/products/ledger-nano-s).


Title: Re: I have been hacked... what now?
Post by: Jaro13 on December 20, 2018, 06:49:22 PM
Okay,

I have located the hacker as the owner of the Facebook page called Geonomis, which talks mainly about crypto. What now? Passed the info on to the police, but I don't think they will help. Anyone know how I can contact Interpol?

Also the log from Malwarebytes:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 20/12/2018
Scan Time: 18:36
Log File: 259f95f8-0486-11e9-ac20-309c2360b97e.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.508
Update Package Version: 1.0.8413
Licence: Trial

-System Information-
OS: Windows 10 (Build 17134.472)
CPU: x64
File System: NTFS
User: DESKTOP-BH2FIJ9\Jaro PC

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 313462
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)
(end)


BULLGUARD LOG SKIPPED FILES:

appdata\local\google\chrome\user data\default\cache\f_01218b
appdata\local\google\chrome\user data\default\cache\f_01218c
appdata\local\google\chrome\user data\default\cache\f_01218d
appdata\local\google\chrome\user data\default\cache\f_01218e

\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\constraintindex\apps_{432e426d-c922-4e9e-985e-95806603debf}\
appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\constraintindex\apps_{bd9d1a26-0373-468c-96af-4f551010da35}\
c:\program files (x86)\microsoft visual studio\2017\enterprise\common7\ide\commonextensions\microsoft\nodejs\node_modules\node-gyp\node_modules\tar\test\cb-never-called-1.0.1.tgz
c:\programdata\bullguard\sentrytemp\googleupdate.exe.f01fd5f945645906a32d88d3f9cb6397
c:\programdata\bullguard\alertreports\alertmetadata2\71c66a0b1e714f8bfbf9e201cc5cfdac.7z
c:\windows\system32\wbem\performance\wmiaprpl_new.ini

Are these skipped files viruses?

Both scans returned negative, no viruses found, except for the skipped files on BullGuard.
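An added example, not from the thread or from Malwarebytes: a small parser for the "-Section-" / "Key: Value" layout of the scan report posted above, with a check that a defender would apply before accepting "Threats Detected: 0" as a clean result. The sample log is constructed to mirror that report (host and user name replaced with placeholders); the check flags that rootkit scanning was disabled, so the scan does not rule out the kind of hidden remote-access tooling the thread suspects.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the Malwarebytes 3.x text report in the thread
# (trimmed; the user/host line is a placeholder, not the poster's value).
SAMPLE_LOG = """Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 20/12/2018
Scan Time: 18:36

-System Information-
OS: Windows 10 (Build 17134.472)
User: HOSTNAME-PLACEHOLDER\\user

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 313462
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")


def parse_mb_log(text: str) -> Dict[str, Dict[str, str]]:
    """Turn '-Section-' headers and 'Key: Value' lines into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current and ": " in line:
            # Split on the first ': ' only, so values like '18:36' survive intact.
            key, value = line.split(": ", 1)
            sections[current][key] = value
    return sections


def assess_scan(sections: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Decide whether a zero-detection report is conclusive, and list why not."""
    summary = sections.get("Scan Summary", {})
    options = sections.get("Scan Options", {})
    findings: List[str] = []
    if summary.get("Result") != "Completed":
        findings.append("scan did not complete")
    if options.get("Rootkits", "").lower() != "enabled":
        findings.append("rootkit scanning disabled; re-run with it enabled")
    threats = int(summary.get("Threats Detected", "0"))
    return {
        "threats_detected": threats,
        "claimed_clean": threats == 0,
        # A clean verdict only counts when no coverage gaps were found.
        "conclusive": threats == 0 and not findings,
        "findings": findings,
    }
```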



Title: Re: I have been hacked... what now?
Post by: yuluxugi32132 on January 01, 2019, 03:36:56 PM
I recommend you use macOS or Linux. Try to avoid Windows operating systems, as there are many viruses targeting Windows users.


Title: Re: I have been hacked... what now?
Post by: vagrom on January 02, 2019, 01:16:23 AM
This is a tragedy. I personally think that security should be a habit, not just relying on anti-virus software. My personal habit when downloading new software is to install it in a virtual machine first, confirm that there is no problem, and then install it on the physical machine. PS: I use the anti-virus software Defender that comes with Windows.


Title: Re: I have been hacked... what now?
Post by: jossiel on January 02, 2019, 02:04:33 AM
What program did you download and get the virus from? And something is strange: how did they take your coins from the Ledger Nano S? The private keys never leave the Ledger Nano S. Did you save your passphrase in an email or on your PC connected to the internet?
As DdmrDdmr mentioned, it was probably saved to his computer, which the hacker got easily through his files. I feel sorry for OP's situation; that's not a good incident to welcome the new year.

With the address given, I also see "geonomis" through https://bithomp.com/explorer/

See the image:
https://i.imgur.com/mIPZFkz.png


Title: Re: I have been hacked... what now?
Post by: mk4 on January 02, 2019, 04:23:49 PM
Unfortunately, antiviruses can only do so much to protect you. Some of the security should be on your side, and not to fully rely on the antivirus. Looks like quite an expensive mistake. Also, I suggest that you do a re-install on your operating system instead, just to be 100% sure. We can't be 100% sure if any antivirus can remove the malware on your computer.

Here's where I'm quite confused; you didn't save your Ledger's recovery seed on your computer.. did you? Because if you did, that nullifies the point of having a hardware wallet in the first place.

Anyway, update us OP.


Title: Re: I have been hacked... what now?
Post by: Pmalek on January 02, 2019, 05:54:39 PM
I would suggest anyone who has malware related issues to register on the Malwarebytes forum and open a thread in the Windows Malware Removal Help & Support section. Post detailed information there and someone will surely help you out as they have a lot of experience with a lot of different malware and viruses.

https://forums.malwarebytes.com/forum/7-windows-malware-removal-help-support/


Title: Re: I have been hacked... what now?
Post by: Harlot on January 02, 2019, 08:01:39 PM
Okay,

I have located the hacker as the owner of the Facebook page called Geonomis, which talks mainly about crypto. What now? Passed the info on to the police, but I don't think they will help. Anyone know how I can contact Interpol?
I don't think that Interpol will have jurisdiction over the case, especially if you are the only known victim of that person; they cannot even extradite the hacker to your country for the charges you will be bringing up against them. The only thing you can do right now is to make sure that he won't flush out more money from you. I still recommend cleaning out your computer even if you have done it already. Also, what others have said about transferring your money to another bank account is a good idea.


Title: Re: I have been hacked... what now?
Post by: r1s2g3 on January 03, 2019, 05:02:45 AM
Gone through the XRP Chat thread and people there also look puzzled. Their guess is that the 24-word seed got leaked to the hacker, or, since OP purchased the device from eBay, that the hacker had already tampered with the device.


Title: Re: I have been hacked... what now?
Post by: Kakmakr on January 03, 2019, 08:24:00 AM
I would not continue using a compromised operating system, with possible backdoors that might be installed on that system. A lot of the legitimate software used to remote into systems is undetectable by AV software, and this hacker might have configured this on your system already. <I suggest a re-installation of the OS>

The hacker could even have signed up with your account on other dark websites that might get you into trouble in the future. The verification emails might be deleted, so you will not even know about it.  ::)

I suggest that you create another email account and slowly migrate the services linked to the old account to the new account that is not compromised.  :P


Title: Re: I have been hacked... what now?
Post by: UserU on January 03, 2019, 09:50:08 AM
Unfortunately there's nothing you can do, since most probably the perpetrator is living in another country and it's highly likely the coins are either cashed out or spent.

The best antivirus is yourself. Avoid sketchy files and when in doubt, run them in a sandbox.


Title: Re: I have been hacked... what now?
Post by: jademaxxiss012 on January 03, 2019, 10:03:23 AM
Unfortunately there's nothing you can do, since most probably the perpetrator is living in another country and it's highly likely the coins are either cashed out or spent.

The best antivirus is yourself. Avoid sketchy files and when in doubt, run them in a sandbox.
It is hard to trace people, especially hackers, for they are knowledgeable about it and could remove or fake locations when someone is tracing a hacker. This is the mindset of a hacker, and probably this is an uphill battle for you to identify the hacker unless you do some entrapment or set-up that will lead to exposure of his/her identity.


Title: Re: I have been hacked... what now?
Post by: UserU on January 03, 2019, 11:35:37 AM
Unfortunately there's nothing you can do, since most probably the perpetrator is living in another country and it's highly likely the coins are either cashed out or spent.

The best antivirus is yourself. Avoid sketchy files and when in doubt, run them in a sandbox.
It is hard to trace people, especially hackers, for they are knowledgeable about it and could remove or fake locations when someone is tracing a hacker. This is the mindset of a hacker, and probably this is an uphill battle for you to identify the hacker unless you do some entrapment or set-up that will lead to exposure of his/her identity.

True that. Got scammed before so being helpless really sucks.