Bitcoin Forum

Bitcoin => Bitcoin Wallet for Android => Topic started by: s1lverbox on June 12, 2014, 08:58:32 PM



Title: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 12, 2014, 08:58:32 PM
Normally my phone is switched off during the night.
When I was going to sleep I still had 1.87btc.

At 1.51 UK time (night) the whole btc was wiped from the device:

https://blockchain.info/address/15jVz8FmkynoU2dka1pdaNFs25WXuNfyAw

This is my wallet above.

Then at 1.57 the same night I got back 0.97btc:

https://blockchain.info/address/15dj1qJYejZyq5gGsKqNbQsK92y1iET4o5


Can anyone tell me who and how stole my BTC? Where and how were they taken while the device was switched off?

Anyone need more details to tell me what happened?

Keys are backed up on the device but I did scan it for threats and nothing was found.

Now I keep what's left in a paper wallet, out of reach for hackers.







Title: Re: Lost bitcoin at night while phone was switched off.
Post by: snowcrawl on June 12, 2014, 11:12:21 PM
I'm sure most of us have had times when we have accidentally dialed a phone number because the phone's touch screen wasn't locked and rubbed up against something to activate it to dial. What's to say the same thing couldn't happen with a bitcoin wallet, accidentally launching a transaction? If that were the case, the recipient could be someone saved in your bitcoin address book, possibly the last person you sent a payment to. If it is that easy to send a payment with your android wallet (without asking you to confirm it), that sounds rather unsafe.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 12, 2014, 11:39:37 PM
> I'm sure most of us have had times when we have accidentally dialed a phone number because the phone's touch screen wasn't locked and rubbed up against something to activate it to dial. What's to say the same thing couldn't happen with a bitcoin wallet, accidentally launching a transaction? If that were the case, the recipient could be someone saved in your bitcoin address book, possibly the last person you sent a payment to. If it is that easy to send a payment with your android wallet (without asking you to confirm it), that sounds rather unsafe.

Yeah, you're right. With this difference: the phone was switched off.
Read first instead of commenting like that.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: shorena on June 13, 2014, 07:43:51 AM
-snip-
> Can anyone tell me who and how stole my BTC?

Probably not, sorry.

> Where and how they was taken while device was switched off?

This is all speculation. I didn't do it, so I can't know for sure. All I can give you is some ideas of what might have happened.

You don't need the device to send the coins. All you need is the private key belonging to that address. Since you are using a phone there are several ways this can go south. Roughly ordered by likelihood IMHO:

#1 Malicious apps (esp. if you rooted the phone and used an alternative app store) that stole the wallet file and passcode to unlock it.
#2 Nothing was stolen but someone got the private key anyway. There was (maybe still is, not sure) a problem with Android's random number generator (RNG). See here: http://grahamcluley.com/2013/08/google-android-bitcoin-flaw/
While this is probably fixed, your old private keys still come from a bad RNG, thus it is not as hard to calculate the private keys generated by an Android phone before the RNG fix (or rather workaround).
#3 Backup gone bad, more about that below
#4 Family member/roommate
#5 You sleepwalked and spent the coins in your sleep.

> Anyone need more details to tell me what happened?
>
> Keys are backed up on device but i did scan in for threats and nothing was found.
>
> Now i keep what's left in paper wallet.out of reach for hackers.

Paper wallet is the way to go, as long as the private keys were generated properly. Bad entropy, bad randomness makes every form of proper storage bad. There are almost 2^256 possible private keys. If your RNG can only generate 24 different numbers you are fucked no matter where you store the key. So if you generated those private keys on a phone or otherwise limited machine you might want to research the used RNG a bit. Just in case.

Your backup on "device" was encrypted, I suppose.
#1 Did you scan from an external device? E.g. if you have the backup on "D", did you scan from within "D" or did you boot from a DVD/CD/USB and scan from there?
#2 Was it encrypted by the encryption your app offers or did you add another (or more) layer(s)? https://en.wikipedia.org/wiki/Multiple_encryption
#3 Keyloggers usually don't show up in a scan. You might need another tool for that.
#4 How did you transport the wallet to your backup? Did you maybe use an insecure channel (e.g. mail) that might allow someone else to get hold of the wallet file and brute force your password?
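
Added example, not part of shorena's post or of any wallet's code: the Android RNG weakness linked in the post above surfaced on-chain as ECDSA signatures from the same key sharing an identical r value (a repeated signing nonce). The sketch below audits a list of spends for that pattern; the function names, the `(txid, pubkey, signature)` tuple layout and the short toy signatures in `SAMPLE` are constructed for illustration.

```python
from collections import defaultdict

def parse_der_sig(sig_hex):
    """Return (r, s) from a hex DER ECDSA signature as found in a scriptSig.
    A trailing sighash byte is tolerated; only short-form lengths are handled."""
    b = bytes.fromhex(sig_hex)
    if len(b) < 8 or b[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    end = 2 + b[1]                      # end of the SEQUENCE body
    if b[1] >= 0x80 or end > len(b):
        raise ValueError("bad or truncated length")
    pos, values = 2, []
    for _ in range(2):                  # two INTEGERs: r then s
        if pos + 2 > end or b[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n, start = b[pos + 1], pos + 2
        if n == 0 or start + n > end:
            raise ValueError("bad INTEGER length")
        values.append(int.from_bytes(b[start:start + n], "big"))
        pos = start + n
    return values[0], values[1]

def find_reused_r(spends):
    """spends: iterable of (txid, pubkey_hex, sig_hex).
    Returns {(pubkey, r): [txids]} where one key signed different messages
    with the same r. Malformed signatures are skipped, not fatal."""
    seen = defaultdict(set)
    for txid, pubkey, sig_hex in spends:
        try:
            r, s = parse_der_sig(sig_hex)
        except ValueError:
            continue
        seen[(pubkey, r)].add((txid, s))
    reused = {}
    for key, hits in seen.items():
        # Same r with a different s means a different message, same nonce.
        if len({s for _, s in hits}) > 1:
            reused[key] = sorted(txid for txid, _ in hits)
    return reused

# Constructed sample: toy 2-byte r/s values, placeholder txids and pubkeys.
SAMPLE = [
    ("tx-a", "pubkey-1", "300802021a2b02020c0d01"),
    ("tx-b", "pubkey-1", "300802021a2b0202333301"),  # same r as tx-a
    ("tx-c", "pubkey-1", "3008020244550202667701"),
    ("tx-d", "pubkey-2", "300802021a2b0202010101"),  # other key: not grouped
    ("tx-e", "pubkey-1", "deadbeef"),                # malformed, skipped
]

if __name__ == "__main__":
    for (pubkey, r), txids in find_reused_r(SAMPLE).items():
        print(f"{pubkey}: r={r:#x} reused in {txids}")
```

A hit means the key behind that address should be treated as exposed and its funds moved to a freshly generated address.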


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 13, 2014, 07:54:43 AM
Hi,
thanks for the reply.

The phone is not rooted.
The phone is secured with a password, so no one apart from me has the password.

All private keys were stored on the device, encrypted with a 16 letters and numbers password.

Why, if the attacker got my keys, did he return 50% worth of btc?

The device was checked for threats but nothing was found.

I know that the device doesn't have to be switched on to make a transfer, but how is it possible if all keys were in the device and it was turned off?


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: shorena on June 13, 2014, 08:21:45 AM
-snip-
> why if attacker got my keys returned 50% worth of btc?

I don't know. I actually don't even know which transactions you are talking about since you posted addresses.

I assume in TXA your coins were stolen. 0.97182513 BTC to be exact. They are "on the move" (see TXB).
In which transaction did you get something back?

-snip-
> I know that device.dont have to be switch on to make.transfer.but how its possible if all keys was in he device and turned off.

You can't tell if the keys are in your device or not. While the chance is very slim under normal circumstances, someone else could right now make a new BTC address and get your private key. If you have a good RNG this will not happen. The data you have is not exclusive. Anyone could "just" guess your private key.


TXA https://blockchain.info/de/tx/7ff3f8f6eaeaa844a50f8065096a0e16948b69d766d792d29ae2e03cf0363025
TXB https://blockchain.info/de/tx/fc4e097809c63be801f3e0590b2810dbbb83550909d9b9ac930cd4c7640fb227


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 13, 2014, 10:46:27 AM
First transaction was for 1.87btc and 6 minutes later I had received .97btc back to my wallet. Strange as hell. If you're stealing, you're taking all, not half.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: shorena on June 13, 2014, 01:31:39 PM
> First transaction was for 1.87btc and 6 minutes later I had received .97btc back to my wallet. Strange as hell. If you're stealing, you're taking all, not half.

Post the TX ID please, I don't see a TX that fits what you are saying.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 13, 2014, 01:56:23 PM
>> First transaction was for 1.87btc and 6 minutes later I had received .97btc back to my wallet. Strange as hell. If you're stealing, you're taking all, not half.
>
> Post the TX ID please, I don't see a TX that fits what you are saying.

Will do it once back home.

The stealer's wallet starts with 1 9 xx xx xx xx
and the wallet which sent back starts with 15 xx xx xx xx

Wallet 1 9 xx xx xx xx has two transactions for .45 xx btc


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: Dimelord on June 14, 2014, 12:43:32 AM
Simple, don't store a lot of money on an android wallet.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 14, 2014, 10:41:15 AM
Tx for first 0.9btc gone https://blockchain.info/tx/80eabd633760661cf18aeda09a02cb4fe9313da836d2215da4508d226d53f833


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: KIRAZ on June 14, 2014, 10:48:25 AM
> Simple, don't store a lot of money on an android wallet.

Indeed, that's not the first time that has happened. Those android wallets are not secure at all.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 14, 2014, 10:55:31 AM
>> Simple, don't store a lot of money on an android wallet.
>
> Indeed, that's not the first time that has happened. Those android wallets are not secure at all.

Guys, what happened I don't know. I want to understand how this happened. The BTC are gone and that's it.

Advice like that is useless and does not bring anything to this thread.

I have cold storage and am using it at this moment.



Title: Re: Lost bitcoin at night while phone was switched off.
Post by: shorena on June 14, 2014, 05:40:15 PM
> Tx for first 0.9btc gone https://blockchain.info/tx/80eabd633760661cf18aeda09a02cb4fe9313da836d2215da4508d226d53f833

Thanks, very interesting TX.

#1 It is in 2 blocks, so it was included in a now orphaned block (https://blockchain.info/block-index/438294). Maybe that's why you got something back? Maybe the TX changed in those few minutes?
#2 It was made with the blockchain.info online wallet, so someone else definitely had your private keys for the used addresses.
#3 It looks like the attacker used the shared coin service from blockchain.info to hide themselves. Do all of the input addresses belong to you? If not, shared coin was definitely used.


Title: Re: Lost bitcoin at night while phone was switched off.
Post by: s1lverbox on June 14, 2014, 08:55:05 PM
>> Tx for first 0.9btc gone https://blockchain.info/tx/80eabd633760661cf18aeda09a02cb4fe9313da836d2215da4508d226d53f833
>
> Thanks, very interesting TX.
>
> #1 It is in 2 blocks, so it was included in a now orphaned block (https://blockchain.info/block-index/438294). Maybe that's why you got something back? Maybe the TX changed in those few minutes?
> #2 It was made with the blockchain.info online wallet, so someone else definitely had your private keys for the used addresses.
> #3 It looks like the attacker used the shared coin service from blockchain.info to hide themselves. Do all of the input addresses belong to you? If not, shared coin was definitely used.

As much as I want to understand what happened, this looks more suspicious.
I did check all those transactions and the inputs all seem to be mine.



Title: Re: Lost bitcoin at night while phone was switched off.
Post by: liberman on October 11, 2014, 05:06:58 PM
Your problem is simple:

Your android device is compromised, somebody hacked it and got your private keys. Most probably, the person hacked it days before.
Then, the hacker went to blockchain.info, introduced your keys and decided to rob only half. Why only half? Because probably the hacker knows you and didn't want to rob all your bitcoins, for emotional reasons.

So, who has been using your phone lately?
How many intelligent related people have access to your things? A son, a brother, uncle, a coworker, friend.... the fact that s/he returned half must tell you something.

PIN protecting the screen is useless. That protection can be very easily eliminated. The attacker could even have copied your phone flash image onto a computer in 2 minutes and returned it to you without you noticing anything. Most phones are hackable very easily just by knowing how to flash a ROM. Do any of your related people know how to do so? Did you leave your phone in some place for a while?

Note that the hack could have happened at any time since you installed the application. It can be 1 week or 1 year or any time. So try to remember when you exposed your phone in such a way.