Title: Corrupted Wallet? Or Hacked?
Post by: sdub01 on January 11, 2021, 01:20:32 AM

My husband did some BTC mining a few years back and had a wallet on a computer that went bad. He took the hard drive out to save it and later thought maybe he could find some.
We recently moved and found the hard drive of this computer that had the wallet on it. When we accessed the wallet we found a few bitcoin and decided we needed to secure it asap with all that is going on with bitcoin these days. We made multiple copies and ordered a nanoledger...which is yet to arrive.

In the meantime, my husband sends a couple bucks worth of BTC to a friend to ensure the wallet is accurate. It worked. Friday he buys a tiny bit of bitcoin and receives it to his wallet on the desktop at office. At this time the amount on the wallet is still the same. (His office computer ledger is up to date).

He then gives me the backup of the wallet and has me download bitcoin core-qt to my computer so that we can monitor it at home vs in his self-employed office. I start downloading the blockchain last week. Super slow of course. I load up the wallet in the meantime. It shows the same amount as my husband's computer had shown. Friday night my computer finishes syncing the core program up and it shows *2 transactions* from the day before with all of our BTC being transferred out.

Neither of us did this and no one else had access to the computer. We have done malware scans with no results. Teamviewer was on my computer and on his, but not open.

When we follow the trail to see where the BTC went it is just sitting in a wallet with no other crypto but our amount. I would think if it were hackers they would have split it off by now and moved it elsewhere.

Also, there was no password, I guess, on the wallet at my house...didn't think about that. My husband's work computer had a password. Written down. It doesn't show the change, but he can't access it now because the password doesn't work.

Antivirus:
- windows defender
- malwarebytes on office computer and home laptop ran and showed nothing
- mcafee

Is there a chance it is a corrupted wallet vs a hack? Is there any way for us to get it? Help please.
(A sleep deprived mom and wife trying to help out). :-)

Title: Re: Corrupted Wallet? Or Hacked?
Post by: achow101 on January 11, 2021, 02:57:49 AM

If the wallet is as old as you say, the keys for the Bitcoin are very likely on the wallet on his office computer.
What you are likely looking at is something referred to as a change output. Bitcoin operates with objects known as UTXOs, there isn't such a thing as "a Bitcoin". Each UTXO has some value, and when it is spent, it is spent in full. When you are sending Bitcoin to someone else, you are most likely sending an amount that does not exactly match the amount of the UTXO being sent, so the wallet will create another output in that transaction that sends the remaining Bitcoin back to yourself. The wallet will use a newly generated private key for this, and of course, it stores that private key as well.

This change is much like change with physical bills. If you are paying for a $15 item with a $20 bill, the cashier will return to you a $5 bill. The same applies in Bitcoin.

With modern software, the wallet will pre-generate thousands of keys. As it needs new private keys, it will first use one it has pre-generated. This is known as having a keypool. However very very old software do not have a keypool. They don't have any pre-generated keys and instead generate new ones as needed.

If the wallet is indeed from as long ago as you say, it is very likely that the wallet file does not have a keypool. So when the change output was generated by sending Bitcoin to the friend, the change output went to a newly generated key that was added to the wallet file by the modern software. The modern software will have also added a keypool. However when you use the original wallet file, it will not have a keypool so it is unable to see the change output. Thus we get the situation you are in.

When you are able, you should check the wallet on the office computer. It should show the correct amount of Bitcoin and the correct transactions. If it does, make a backup of that wallet and use that version of the wallet file from now on.

Title: Re: Corrupted Wallet? Or Hacked?
Post by: sdub01 on January 11, 2021, 10:34:51 PM

Okay, thank you so much for the help.
We were able to locate the key on the computer!
Now comes the second part of the issue. The password is not working. The password was used on Friday to send a test transaction to himself. I have a picture of the wallet password sent via WhatsApp (from him to me) and it is written down. But he can't send any bitcoin at all from it even though the correct amount is now showing.

As of note: When he entered the password he put as an example horse123 hosre123 and sent that as a picture. However, he must have re-typed it so it would go thru, or bitcoin-qt didn't flag it. He did send a transaction after that password so now we are lost. Is it possible the password got corrupted or something?

Title: Re: Corrupted Wallet? Or Hacked?
Post by: RickDeckard on January 11, 2021, 10:45:24 PM

Quote
Okay, thank you so much for the help. We were able to locate the key on the computer!

What might be happening is that he wrote the password wrong before sending to you via WA. I would triple check the password and try again. From what I know, passwords don't get corrupted, else we would be in a bad spot... Give it a couple of hours and try again with a fresh head. This seems to be a steamroller of emotions in the past hours (days?), so chances are you're typing the wrong password somewhere (perhaps mistyping an I for an l, or something like that)

Quote
...Now comes the second part of the issue. The password is not working. The password was used on Friday to send a test transaction to himself. I have a picture of the wallet password sent via WhatsApp (from him to me) and it is written down. But he can't send any bitcoin at all from it even though the correct amount is now showing. As of note: When he entered the password he put as an example horse123 hosre123 and sent that as a picture. However, he must have re-typed it so it would go thru, or bitcoin-qt didn't flag it. He did send a transaction after that password so now we are lost. Is it possible the password got corrupted or something?

Title: Re: Corrupted Wallet? Or Hacked?
Post by: BitMaxz on January 12, 2021, 12:57:56 AM

~snip~ .....

It should work if the password from the image is right. Check the image carefully, you might be typing a wrong or extra letter/character, for example instead of small l you put a big I or 1, or instead of zero 0 you put O.

If not and you already tried all possible passwords then try to dump it using your password and pywallet.py. If you get the same issue when dumping your wallet there is a big possibility that your password on the image is not the right password.

Follow the guide from this link below on how to install the python dependencies and download the copy of pywallet.py from this link below.
- https://github.com/jackjack-jj/pywallet

Then use this command:

Try it first without the password.
Code:
python pywallet.py --dumpwallet --datadir=. > wallet.txt

With password
Code:
python pywallet.py --dumpwallet --datadir=DATADIR --wallet=WALLETFILE --passphrase=PASSPHRASE

You can find the wallet.dat file under this directory path
Code:
C:\Users\YourUserName\Appdata\Roaming\Bitcoin

If successful you can import those private keys to other wallets like Electrum, it doesn't need to download the whole blockchain.

Title: Re: Corrupted Wallet? Or Hacked?
Post by: sdub01 on January 28, 2021, 03:24:12 PM

Thank you for the previous help. So here is the issue now with a bit of a timeline. Of note, this all took place within Bitcoin Core QT
1/1/2021 -
1/7/2021 -
1/9/2021 -
Any further advice on what might have happened? Is it possible that the older version of our wallet being used in Bitcoin Core QT created its own encryption when the change was received to the new address?

An additional issue we are having is that when we try to send the smaller amount to an Exodus wallet so that we can get it out of Bitcoin Core QT we get the following errors: "Can't generate a change address key. No keys in the internal keypool and can't generate any keys."

Title: Re: Corrupted Wallet? Or Hacked?
Post by: jackjack on January 28, 2021, 06:40:59 PM

Code:
He put a password on the wallet and made copies

If so, using pywallet you can dump the wallet, with all the encrypted keys, right?
Then there is no way around that, you must find the password that was set, maybe there is a missing character or something else but you need to find that out
There is no password corruption possible and this thing is robust, you 'just' need to find out the real password
If you can't, there are plenty of fuzzers around here and I think that if you are only a few characters away from the real password it will be recoverable

Title: Re: Corrupted Wallet? Or Hacked?
Post by: sdub01 on January 28, 2021, 07:46:24 PM

Thank you for your response. Yes, the password was set in Core QT.
The issue is that the password that was set worked to access the smaller amount within the wallet, but not for the larger amount in the wallet. But it wasn't changed in between accessing them. We have both tried it as well as my husband's business partner tried it for us just in case we were typing it wrong. We continue to be able to type this password in to access the smaller amount.

Title: Re: Corrupted Wallet? Or Hacked?
Post by: jackjack on January 28, 2021, 08:47:35 PM

Sorry to insist but can you confirm that you see encrypted_keys with pywallet?
I've helped many people and even small misunderstandings can lead to a great amount of lost time

Quote
The issue is that the password that was set worked to access the smaller amount within the wallet, but not for the larger amount in the wallet.

This is not the issue
When created, the wallet file contains around a hundred keys (let's say K1, K2, K3, etc, K100)
Those keys contain keys you can see and some hidden change keys
All are used to compute the displayed balance
When you set a password you encrypt the whole wallet with this unique password, so all the initial keys are in there
(One problem can arise when you made around one hundred transactions after the last backup but this doesn't seem to be the case here)

Do you happen to have either the transaction number, the sending address or the receiving address of the big transfer? (check but don't write it here)
Maybe you were actually hacked and this could confirm this

Also I'm confused with this sentence of yours

Quote
We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. We have done the Python method, but since the password isn't working we can't access the private keys

Are you talking about the same wallet file?
As I wrote above, one wallet has exactly one unique password for all the keys
And you say that you were 'able to access the original small change', so that would mean you know the wallet password

Other questions
When was the wallet created? Encrypted?
What is your bitcoin-core version?
What is your OS, Windows or Linux?

Last thing:
This may be about a 'change addresses'-related bug triggered on old wallets
If you know the address that received the 'lost' funds, look for its info with this pywallet (download the new version, I just pushed it!)
command output

Quote
python pywallet.py --wallet=path/to/wallet.py --find_address 1YoUradDress

, if there is no output then answer all my previous questions and don't read below
If it is there though you should have the key (if hacked then the coins would be gone though)

The output should look like this:
Code:
{

If you have this instead:
Code:
{

If you can't get the "sec" value of your address, then come back here to tell us what errors you encounter and post them (without sensitive content though)
If you can get the "sec" value then just download the Electrum wallet, import the private key and check you see the balance ( https://bitcoinelectrum.com/importing-your-private-keys-into-electrum/ )

DO NOT SHARE ANY OF THE "sec", "secret", "hexsec", "private" OR "encrypted_privkey" VALUES!

Title: Re: Corrupted Wallet? Or Hacked?
Post by: sdub01 on January 29, 2021, 01:05:29 AM

Thank you for your thorough response. We will try all of these and be in touch.
Title: Re: Corrupted Wallet? Or Hacked?
Post by: sdub01 on February 02, 2021, 02:31:00 PM

Answers to the questions:
Do you happen to have either the transaction number, the sending address or the receiving address of the big transfer?
Yes, we have all 3. We are able to view the address in python, so we were not hacked (that was our original fear).

"Also I'm confused with this sentence of yours
Quote
We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. We have done the Python method, but since the password isn't working we can't access the private keys
Are you talking about the same wallet file? As I wrote above, one wallet has exactly one unique password for all the keys
And you say that you were 'able to access the original small change', so that would mean you know the wallet password"
I think we actually ended up with 2 different wallet files. When the wallet was opened on Jan 1 of this year there was a small amount at one address within the wallet and a larger amount at another address within the wallet. I believe it forked once transactions began being made.

When was the wallet created? Encrypted?
Created a few years ago. Encrypted January 2021

What is your bitcoin-core version?
When encrypted on Jan 1, 2021 was using most recent core version. However, changed to 0.17 last week to correct the error "Can't generate a change address key. No keys in the internal keypool and can't generate any keys." that we were having with the smaller amount of BTC.

What is your OS, Windows or Linux?
Windows

Here is the error we get in python (version 2.7) with privkey info removed:

The wallet is encrypted but no passphrase is used
Version mismatch (must be <= 81000)
[
    {
        "addr": "1Hxxxxxxxxxxx",
        "compressed": false,
        "encrypted_privkey": "xxxxxx",
        "pubkey": "04xxxxxxxxxxx",
        "reserve": 1
    }
]

Title: Re: Corrupted Wallet? Or Hacked?
Post by: NotATether on February 03, 2021, 11:46:22 AM

Quote
The wallet is encrypted but no passphrase is used
Version mismatch (must be <= 81000)

It sounds like you have a newer version of the wallet.dat file that pywallet can't read yet. Maybe @jackjack can confirm if the wallet.dat format has indeed changed between the version of Core OP made the wallet with that existed in 2010 and 0.21? Or maybe the encryption format changed between 0.17 and 0.21 and encrypted wallets made in later versions can't be read in 0.17? ???

You appear to be having the same problem as https://github.com/bitcoin/bitcoin/issues/16091 , try the solution listed there which is to run 0.21 with the -upgradewallet switch and see if you can open the wallet file in that newer version.

Title: Re: Corrupted Wallet? Or Hacked?
Post by: HCP on February 03, 2021, 06:58:36 PM

Quote
You appear to be having the same problem as https://github.com/bitcoin/bitcoin/issues/16091 , try the solution listed there which is to run 0.21 with the -upgradewallet switch and see if you can open the wallet file in that newer version.

And again, as always... when trying to extract info from wallet.dat using scripts and/or using commands that can make irreversible modifications to wallet.dat like -upgradewallet, make sure you're working on copies of the wallet.dat... don't work on the original of your wallet.dat files!

Title: Re: Corrupted Wallet? Or Hacked?
Post by: jackjack on February 04, 2021, 10:37:17 PM

Thanks for your answers that really clears things out!
Good news is the wallet still controls the money
The bad news is that it's encrypted so you have to find the password, you can't do anything without that

Command to try a password, please do it on a PC without internet, especially as you are using Windows:

Quote
python pywallet.py --wallet=path/to/wallet.py --find_address 1YoUradDress --passphrase "the-password"

You can have two self-explanatory outputs:

Quote
The wallet is encrypted and the passphrase is incorrect
[
    {
        "addr": "13RhV5gEq5vWXeR6BrqK4tbqre63SSgSTy",
        "compressed": true,
        "encrypted_privkey": "a6c8a26001dfb1b6fabb73196ead96c7bb0a81c9490e27607dea7b4c0afa5195332136f955103a2 9295e8238079b7d3d",
        "pubkey": "031295da558de0efe0dbe904be9748ab44d3b59196079ed4dda6cba889a79d2fc2",
        "reserve": 1
    }
]

Quote
The wallet is encrypted and the passphrase is correct
[
    {
        "addr": "13RhV5gEq5vWXeR6BrqK4tbqre63SSgSTy",
        "compressed": true,
        "encrypted_privkey": "a6c8a26001dfb1b6fabb73196ead96c7bb0a81c9490e27607dea7b4c0afa5195332136f955103a2 9295e8238079b7d3d",
        "hexsec": "8d1b71624b7bf8d5165cb9c77bea710173219b813da7c9ebc42a1997ad1064fe",
        "pubkey": "031295da558de0efe0dbe904be9748ab44d3b59196079ed4dda6cba889a79d2fc2",
        "reserve": 1,
        "sec": "L1x1EXNCt2mavzE7zT7Vrck57UfZFY8zHuEgcKaQFCknm3ztAGke",
        "secret": "8d1b71624b7bf8d5165cb9c77bea710173219b813da7c9ebc42a1997ad1064fe01"
    }
]

Obviously you want the second one
To be clear: the moment you have the "passphrase is correct" output with the hexsec/sec/secret values, this means you have the money back (except for the few more seconds needed to transfer it to an Electrum wallet)
This also means that what you have on the screen is worth the whole balance, meaning that using a photo of it or an eidetic memory a person can steal the coins before you transfer them

Try a couple of passwords with different capital letters, punctuation, space, etc
If you really can't find the correct one: first stop thinking about that for a couple of days and try again, maybe your husband changed some 'i' to '1' or
things like that

If you're really stuck then you can use tools to bruteforce the wallet using what you remember of the password, doing modifications on it and other things
Keep in mind though that depending on how well you remember it it may still take centuries to find it
Some examples (that I never tried) you can find on Google:
https://github.com/glv2/bruteforce-wallet
https://github.com/gurnec/btcrecover
They may not be applicable for your specific password problem, we may have to make a custom one

Just try for now and come back to report success or failure
Good luck!

Note: "Version mismatch (must be <= 81000)" is just a warning, disregard it
And yes, as HCP said above, keep copies of the original files

Title: Re: Corrupted Wallet? Or Hacked?
Post by: sdub01 on February 04, 2021, 11:34:24 PM

Sounds good. Thank you for all the help. Will report back after have had a chance to try these.
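
The change-output and keypool behaviour achow101 describes earlier in the thread, as an added toy model; it is not code from any poster, from pywallet or from Bitcoin Core. The `ToyWallet` class, key names and amounts are constructed for illustration, and a "wallet file" here is simply the set of keys it holds.

```python
# Added illustration: a toy model of change outputs and the keypool.
# Not Bitcoin Core code; key names, amounts and classes are constructed.
import itertools

_ids = itertools.count(1)

class ToyWallet:
    def __init__(self, keys, keypool=()):
        self.keys = set(keys)         # keys this wallet file can spend from
        self.keypool = list(keypool)  # pre-generated keys not yet handed out

    def copy(self):
        """A file-level backup: a snapshot of the keys known right now."""
        return ToyWallet(self.keys, self.keypool)

    def next_change_key(self):
        # A keypool-less (very old) file gets a freshly generated key here.
        if not self.keypool:
            self.keypool.append(f"new-key-{next(_ids)}")
        key = self.keypool.pop(0)
        self.keys.add(key)
        return key

    def balance(self, utxos):
        return sum(value for owner, value in utxos.values() if owner in self.keys)

def spend(wallet, utxos, outpoint, dest_key, amount, fee):
    """Spend one UTXO in full; whatever is left returns as a change output."""
    owner, value = utxos[outpoint]
    change = value - amount - fee
    if owner not in wallet.keys or change < 0:
        raise ValueError("wallet cannot fund this payment from that UTXO")
    del utxos[outpoint]
    txid = f"tx-{next(_ids)}"
    utxos[(txid, 0)] = (dest_key, amount)
    if change:
        utxos[(txid, 1)] = (wallet.next_change_key(), change)
    return txid

def classify_outputs(txid, utxos, wallet):
    """Label each unspent output of txid from this wallet file's point of view."""
    return {op[1]: "ours" if owner in wallet.keys else "external"
            for op, (owner, _) in utxos.items() if op[0] == txid}

def scenario():
    utxos = {("tx-old", 0): ("K1", 300_000_000)}  # satoshis, constructed
    home_backup = ToyWallet({"K1"})   # copy made before the test payment
    office = home_backup.copy()       # the file that actually sent it
    txid = spend(office, utxos, ("tx-old", 0), "friend-key", 10_000, 1_000)
    return {"office_balance": office.balance(utxos),
            "home_balance": home_backup.balance(utxos),
            "office_view": classify_outputs(txid, utxos, office),
            "home_view": classify_outputs(txid, utxos, home_backup)}

if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

From the stale backup every output of the payment looks external and the balance reads zero, which cannot be told apart from theft until the wallet file that made the payment is checked.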