Bitcoin Forum

Bitcoin => Electrum => Topic started by: bennybong on May 02, 2015, 10:29:38 AM



Title: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:29:38 AM
I just deposited the above amount to one of electrum wallets. Almost immediately the balance was transferred to:

13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC

tx: https://blockchain.info/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00

None of the transactions have any confirmations, it just happened immediately. How is this possible and how can I get my funds back??? I cannot understand how this is possible. FML

My address:

https://blockchain.info/address/15WapDB1AsoKKp4vMTims836Jxn9mJdHJA


Help!!!  


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 10:31:13 AM
Was it the entire balance of your wallet?

Was it an imported address?

Did you recently install anything Bitcoin-related or suspicious recently?

Do you have AV?

Was the wallet password protected and if so when did you last type that password?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:32:30 AM
I just noticed the hacker didn't leave much of a transaction fee and it says:

Estimated Confirmation Time   Within 6 Blocks

Can I use this to my advantage?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 10:32:40 AM
I am sorry to hear about that loss  :'(
You are a Hero Member now! Haven't you heard that Bitcoin Transactions are irreversible?
The Best Option is to forget it!
Did you scan your PC? I highly suspect it has some malware!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: goregrind on May 02, 2015, 10:33:29 AM
It looks like your private key was compromised. Stop using that wallet and try to investigate how it happened.
Your computer might be infected so take that into consideration.
Unfortunately your funds are gone.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:33:48 AM
Was it the entire balance of your wallet?

Was it an imported address?

Did you recently install anything Bitcoin-related or suspicious recently?

Do you have AV?

Was the wallet password protected and if so when did you last type that password?

Yes all of it wiped out

No I'm very tech savvy

Yes I have AV - keep on top of security quite well and the wallet is on a VM

The wallet was password protected

WTF


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 10:34:11 AM
Hey But see this quick! This might help!
https://bitcointalk.org/index.php?topic=35214.0


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:35:23 AM
Hey But see this quick! This might help!
https://bitcointalk.org/index.php?topic=35214.0

Shit! 1 confirmation!!!! fuck


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 10:36:05 AM
Hey But see this quick! This might help!
https://bitcointalk.org/index.php?topic=35214.0

Shit! 1 confirmation!!!! fuck

Ohhhhhhhhh DAMNNNNNNNN!  :'( :'( :'( :'( :'( :'( :'( :'(

Really sorry to hear about that loss :(


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:36:32 AM
That's all the btc I had and really needed to make a purchase. What the fuck. This is the first time this has ever happened to me


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 10:37:09 AM
Was it the entire balance of your wallet?

Was it an imported address?

Did you recently install anything Bitcoin-related or suspicious recently?

Do you have AV?

Was the wallet password protected and if so when did you last type that password?

Yes all of it wiped out

No I'm very tech savvy

Yes I have AV

The wallet was password protected

WTF

Where did you store any backups or your seed?

Did you use the password anywhere else, and when did you last enter it?

I'm sorry to say, but the chances of you getting back the BTC are very slim. The transaction is already confirmed and the funds have left. Right now you need to figure out what exactly happened, doing so will prevent you losing any more coins, and may help prevent others losing coins too.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:38:56 AM
Was it the entire balance of your wallet?

Was it an imported address?

Did you recently install anything Bitcoin-related or suspicious recently?

Do you have AV?

Was the wallet password protected and if so when did you last type that password?

Yes all of it wiped out

No I'm very tech savvy

Yes I have AV

The wallet was password protected

WTF

Where did you store any backups or your seed?

Did you use the password anywhere else, and when did you last enter it?

I'm sorry to say, but the chances of you getting back the BTC are very slim. The transaction is already confirmed and the funds have left. Right now you need to figure out what exactly happened, doing so will prevent you losing any more coins, and may help prevent others losing coins too.

Yeah I've read so many threads of people losing their coins. I'm screwed, might start a gofundme lol, I kid. Pissed off is an understatement


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: RocketSingh on May 02, 2015, 10:43:13 AM
Hey But see this quick! This might help!
https://bitcointalk.org/index.php?topic=35214.0

Shit! 1 confirmation!!!! fuck

U could try www.bitundo.com... but it has already got a confirmation.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Amph on May 02, 2015, 10:43:19 AM
your pc/vm is infected, probably is controlled too (both are controlled i would say)

some rootkit can be obscured to any antivirus


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 10:44:22 AM
I just deposited the above amount to one of electrum wallets. Almost immediately the balance was transferred to:

13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC

tx: https://blockchain.info/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00

None of the transactions have any confirmations, it just happened immediately. How is this possible and how can I get my funds back??? I cannot understand how this is possible. FML

My address:

https://blockchain.info/address/15WapDB1AsoKKp4vMTims836Jxn9mJdHJA


Help!!!  

Almost immediately? 


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 10:56:16 AM
Yep pretty much


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 11:02:11 AM
U could try www.bitundo.com... but it has already got a confirmation.

Wow! Interesting share! Have you ever tried this site?
I don't think it's legit! I will try it right now and edit this post :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 11:02:29 AM
Could something be wrong with Electrum?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 11:08:15 AM
I just deposited the above amount to one of electrum wallets. Almost immediately the balance was transferred to:

13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC

tx: https://blockchain.info/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00

None of the transactions have any confirmations, it just happened immediately. How is this possible and how can I get my funds back??? I cannot understand how this is possible. FML

My address:

https://blockchain.info/address/15WapDB1AsoKKp4vMTims836Jxn9mJdHJA


Help!!! 

Almost immediately? 

Yes, I have seen the two bitcoin transactions:

- https://blockchain.info/it/tx/5cc872a7dc9bebb03290e9d537d57eba51056e764483a4f4ef4f6bc2bac66e0f  (his transfer to the electrum wallet)     
2015-05-02 10:24:40

- https://blockchain.info/it/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00  (the second tx into the hacker address)   
2015-05-02 10:25:41


~ 1 minute between the two transactions.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 11:10:51 AM
Could something be wrong with Electrum?

It's doubtful. It's quite common for hackers to immediately sweep funds out of addresses. This happens very often with weak brainwallets, once the funds are transferred in they are drained within seconds. I suspect the OP may have imported the address into electrum, or may have restored his wallet using a weak seed or such.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: amiryaqot on May 02, 2015, 11:14:02 AM
I just deposited the above amount to one of electrum wallets. Almost immediately the balance was transferred to:

13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC

tx: https://blockchain.info/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00

None of the transactions have any confirmations, it just happened immediately. How is this possible and how can I get my funds back??? I cannot understand how this is possible. FML

My address:

https://blockchain.info/address/15WapDB1AsoKKp4vMTims836Jxn9mJdHJA


Help!!! 

Almost immediately? 

Yes, I have seen the two bitcoin transactions:

- https://blockchain.info/it/tx/5cc872a7dc9bebb03290e9d537d57eba51056e764483a4f4ef4f6bc2bac66e0f  (his transfer to the electrum wallet)     
2015-05-02 10:24:40

- https://blockchain.info/it/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00  (the second tx into the hacker address)   
2015-05-02 10:25:41


~ 1 minute between the two transactions.

yes that is very strange to see this kind of transaction, sorry to see this one, :(  
how this hacker was quick in this transaction just delay of 1 minute ?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 11:15:26 AM
Can't find any evidence of an infection. I use VPN on my VM, can't figure this out  ???


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: shadobitz on May 02, 2015, 11:16:35 AM
Could something be wrong with Electrum?

It's doubtful. It's quite common for hackers to immediately sweep funds out of addresses. This happens very often with weak brainwallets, once the funds are transferred in they are drained within seconds. I suspect the OP may have imported the address into electrum, or may have restored his wallet using a weak seed or such.

i think so really shocking to see this one, another transaction made within few seconds..


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 11:17:26 AM
I've had much more btc in that wallet in the past. And I only fire up my VM to check my electrum which isn't that often. WHY ME AND why now. This is bullshit!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 11:18:45 AM
....
yes that is very strange to see this kind of transaction, sorry to see this one, :( 
how this hacker was quick in this transaction just delay of 1 minute ?

I do not know, it is really strange.



I've had much more btc in that wallet in the past. And I only fire up my VM to check my electrum which isn't that often. WHY ME AND why now. This is bullshit!


Have you downloaded something strange in the past days/weeks?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Light on May 02, 2015, 11:19:34 AM
Can't find any evidence of an infection. I use VPN on my VM, can't figure this out  ???

What AV software are you using if I may ask? Have you used this specific Electrum wallet before (or any other addresses from the same seed)? Did you access the wallet before the funds were stolen - or were they just taken immediately after an initial deposit?

A VPN wouldn't really help you in terms of security for this kind of thing - more useful for privacy and anonymity.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Kprawn on May 02, 2015, 11:22:39 AM
It's too weird to be explained... It's as if it was an automated action. There is about a 1 minute delay between the 2 transactions.

What are the chances of someone sitting and waiting for you to make transactions to steal it immediately?

It's also a single use address... and it would most probably be mixed too.. so you stuffed, if it was not an electrum screw up.  :(


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: S4VV4S on May 02, 2015, 11:26:44 AM
Sorry to ask but I only use Bitcoin Core.

Is Electrum like Brainwallet?

Because if it is then you should know that there are people constantly running brute force apps and waiting for a transaction to take place, then snatch the coins to their own wallet.

There was a post about this somewhere in the forums.

Search for Brainwallet hacking and you will find it.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: roslinpl on May 02, 2015, 11:27:48 AM
I've had much more btc in that wallet in the past. And I only fire up my VM to check my electrum which isn't that often. WHY ME AND why now. This is bullshit!

There must be a reason why this happens.

I don't know why you and why now, but for some reason your machine was compromised and it's perhaps your fault of not keeping your security at high level.


I am really sorry for your loss. But there is nothing you can do now. But what you need to do is:

-format the drives from the machine where your Electrum was installed and coins were stolen.
-use high standard antimalware, antivirus apps.
-never open suspicious links
-follow other security steps to keep your bitcoins safe.

Also you can keep an eye on 13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC - only a little chance that you will be able to track those coins but worth a try.

Best regards.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: boopy265420 on May 02, 2015, 11:28:38 AM
It's too weird to be explained... It's as if it was an automated action. There is about a 1 minute delay between the 2 transactions.

What are the chances of someone sitting and waiting for you to make transactions to steal it immediately?

It's also a single use address... and it would most probably be mixed too.. so you stuffed, if it was not an electrum screw up.  :(

Sorry for your loss and second yeah this is very strange that all this just happened so quick as someone was waiting but this is not very big amount. This is warning for others to take some extra security measure to keep their funds safe. This is good at least others will be more active in future.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 11:32:39 AM
....
yes that is very strange to see this kind of transaction, sorry to see this one, :(  
how this hacker was quick in this transaction just delay of 1 minute ?

I do not know, it is really strange.

Have you downloaded something strange in the past days/weeks?

No I download a lot of software and I know a scam/trojan link when I see one

Can't find any evidence of an infection. I use VPN on my VM, can't figure this out  ???

What AV software are you using if I may ask? Have you used this specific Electrum wallet before (or any other addresses from the same seed)? Did you access the wallet before the funds were stolen - or were they just taken immediately after an initial deposit?

A VPN wouldn't really help you in terms of security for this kind of thing - more useful for privacy and anonymity.

Yes I've used the same electrum wallet before but not much.


Oh and I use Avira, MS essential and Malwarebytes. I keep my Computers in order don't you worry ;)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: dhimasnk on May 02, 2015, 11:32:50 AM
this is one thing that is feared by users bitcoin, bitcoin loss caused by hackers. Hopefully there are no cases like this again


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 11:33:25 AM
Sorry to ask but I only use Bitcoin Core.

Is Electrum like Brainwallet?

Because if it is then you should know that there are people constantly running brute force apps and waiting for a transaction to take place, then snatch the coins to their own wallet.

There was a post about this somewhere in the forums.

Search for Brainwallet hacking and you will find it.

No, electrum is really different from the Brainwallet. The first one uses a seed of 12 words so it is really impossible to bruteforce it, instead the second one uses only a password. I am still thinking that it was a computer problem.


OP can you explain again if you have stored the seed in some .txt file on the pc?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 11:35:19 AM
Sorry to ask but I only use Bitcoin Core.

Is Electrum like Brainwallet?

Because if it is then you should know that there are people constantly running brute force apps and waiting for a transaction to take place, then snatch the coins to their own wallet.

There was a post about this somewhere in the forums.

Search for Brainwallet hacking and you will find it.

No, electrum is really different from the Brainwallet. The first one uses a seed of 12 words so it is really impossible to bruteforce it, instead the second one uses only a password. I am still thinking that it was a computer problem.


OP can you explain again if you have stored the seed in some .txt file on the pc?

I store the seed in a truecrypt vault. In the past I haven't even bothered saving the seed for security reasons. I just backup my Private keys - which are encrypted

And the password on the wallet is not used anywhere else.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: hellyeah on May 02, 2015, 11:43:05 AM
I am sorry for your loss bro.

Did anyone else have access to your PC?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 11:47:48 AM
What operating system were you running on the VM?

And what software were you using for that?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Amph on May 02, 2015, 11:48:08 AM
I've had much more btc in that wallet in the past. And I only fire up my VM to check my electrum which isn't that often. WHY ME AND why now. This is bullshit!

have you downloaded something suspicious yesterday or some time ago?, what is the last thing you downloaded?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Remember remember the 5th of November on May 02, 2015, 11:52:25 AM
A VM tries to keep bad stuff in, if the virus had infected your PC, doesn't matter if you were using a VM, however it would have to know and handle the fact that there is a VM.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 11:54:46 AM
A VM tries to keep bad stuff in, if the virus had infected your PC, doesn't matter if you were using a VM, however it would have to know and handle the fact that there is a VM.

There can also be issues with VM's and poor entropy, it's much less secure to put your wallet in a VM in some cases. OP, what operating system did you run in the VM? and what software did you use for it?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 11:55:27 AM
No I don't download anything suspicious. The last thing I downloaded was a new driver for my soundcard - from the official website


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 11:55:50 AM
I was running linux. Ubuntu 14


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jacktheking on May 02, 2015, 12:01:51 PM
I would suggest you to change your password for Bitcointalk and Email now. They may have been leaked.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 12:03:38 PM
I think we should all take precautions.  Thanks for the heads up OP.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Searing on May 02, 2015, 12:04:29 PM
 Me I have 1 copy of a paper wallet for my BTC and 1 copy of a paper wallet of my LTC in the local bank vault. That's it only copies. I use coinbase to move dust about.
 and rarely use a wallet on my laptop again just dust if at all.

 If I had a wife I could misplace her..thus why above.......they know me at the bank so hell i could even lose the key :)

 If my accounts get stolen then something much worse is going on with the blockchain imho :)

 I suppose with my luck the 'meteorite' will take out my bank and the vault.....but have all my important docs in the bank anyway so wtf
 will be a clean sweep when i then start sleeping under bridges and riding the rails.... :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 12:08:57 PM
I would suggest you to change your password for Bitcointalk and Email now. They may have been leaked.

Done and done. still can't find evidence of an infection. I use pretty good security and scan my computer twice a week at least. And my IP is never public. Damn. Anyone in the BTC lending business? I really need that BTC!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 12:09:09 PM
I was running linux. Ubuntu 14

Was this your VM OS or your regular OS that your VM is installed on or both?
What OS was your truecrypt installed on and was it on an isolated computer that wasn't Windows?
Was the VM software pirated?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 12:11:32 PM
Windows 7 and VMware from encrypted container running Ubuntu


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bandana on May 02, 2015, 12:18:20 PM
can you send us a screenshot of your transaction log


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 12:18:55 PM
I don't get it. This PC isn't used much and is always running a VPN. Is there any way there is something wrong with electrum?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 12:19:56 PM
can you send us a screenshot of your transaction log

Which one? From electrum? Or to electrum - because that came from an exchange.

Thanks


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Light on May 02, 2015, 12:25:06 PM
I don't get it. This PC isn't used much and is always running a VPN. Is there any way there is something wrong with electrum?

Potentially, but considering that there hasn't been a sudden onslaught of people saying they've lost BTC from their Electrum wallet it leads me to believe your case is more isolated. I take it you're running Electrum on Ubuntu on the VM, which would tend to nullify the effects of most wallet stealing malware. Have a look for any RATs - might be that.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Amph on May 02, 2015, 12:32:53 PM
No I don't download anything suspicious. The last thing I downloaded was a new driver for my soundcard - from the official website

you are the only one who can access to your machine? sometimes i feel all those stolen money from local wallet, are because of bad friends or parent

otherwise there must be something wrong with electrum, a bug probably


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 12:34:13 PM
Windows 7 and VMware from encrypted container running Ubuntu

Aha... that is likely the problem. Sorry for your losses but here is some advice and likely scenarios of how you were hacked.

Scenario 1-
1) Your windows system is rooted or has a keylogging trojan. Here is another tool to scan your OS-
http://usa.kaspersky.com/downloads/TDSSKiller
But be aware that no AV program catches all infections.

2) The hacker was able to compromise your encrypted VMware container by injecting a virus in an unencrypted GRUB bootloader or by simply logging your password that you type into your compromised host OS (windows) .

VM offers a degree of security but mainly protects against keyloggers and infections from within the container leaking over into the Host OS or logging keystrokes from the host OS and not the other way around.

Scenario 2-

1) You installed an infected pirated version of VMware
or
2) You have a vulnerable outdated version of VMware - VMware released security patches for an ESX server hypervisor

Scenario 3-

1) There is a small possibility that ubuntu was directly compromised if you installed some malicious software on it.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 12:35:04 PM
Have you attached an 'infected'  usb key on that computer? Maybe it is this the problem, who knows.



No I don't download anything suspicious. The last thing I downloaded was a new driver for my soundcard - from the official website

you are the only one who can access to your machine? sometimes i feel all those stolen money from local wallet, are because of bad friends or parent

otherwise there must be something wrong with electrum, a bug probably

I do not think, OP can you repeat again the version of the electrum wallet (I can't find it in this thread) thanks.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: hedgy73 on May 02, 2015, 12:40:52 PM
Sorry for your loss OP I hope the thieves die a slow and painful death, thieving lowlife scum.....


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 12:41:50 PM
Mysterious theft! If you were an organization, I would have called it an "Insider Job" but you are an individual!
The hacker seems to be Genius! He got through such a secure computer system and hacked your wallet!
Why not try asking the hacker himself by sending a 0.0001 to his address and adding a public note on that transaction? :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 12:43:01 PM
I am really sorry for your loss.

Some mistakes you made with security to learn from.

1) You have no physical security or 2fa or hardware wallet securing your bitcoins. VMware doesn't protect you if your host is compromised.
2) You backed up your HD seed digitally in an encrypted container in likely the same computer that was compromised. When creating a wallet, this needs to be done on a completely clean uninfected system and you should back up this seed on either an offline linux computer or secured paper backup. Every time you access that encrypted container or use the password for encrypting new items you are feeding the hacker the keys to access all that data on a compromised host.
3) You mentioned you download and install a lot of software which further increases your risks

I would investigate your Windows OS a bit further but ultimately you should wipe it clean and perform a reinstall and treat all your backed up data , all your external cards and drives, and all your pirated software as suspect.

There are trade offs with security but you are better using cold storage or hardware wallets in the future.

 Here is some more info-
https://bitcointalk.org/index.php?topic=858604.0

You should never secure most your bitcoins in a cellphone or primary computer especially if it is a windows host. The good news is that you just spent 220 dollars to find out your computer is compromised and to learn a valuable lesson in security. Not a bad price to pay for such knowledge.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tyz on May 02, 2015, 12:49:58 PM
Have you proofed if your address is on the first (let's say 500) pages of directory.io? It is almost unlikely but it is possible. Many people are trying all those private keys of first pages in the hope to find an account with some balance.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jdebunt on May 02, 2015, 01:08:51 PM
Or to electrum - because that came from an exchange.

Which exchange, if I may ask? The culprit might be on that end as well... :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 01:12:05 PM
Have you proofed if your address is on the first (let's say 500) pages of directory.io? It is almost unlikely but it is possible. Many people are trying all those private keys of first pages in the hope to find an account with some balance.

Hmm... it is really not probable.



Or to electrum - because that came from an exchange.

Which exchange, if I may ask? The culprit might be on that end as well... :)

Nah, I do not think the fault is by exchange. Here the problem is the computer (at 99%).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tyz on May 02, 2015, 01:58:10 PM

Hmm... it is really not probable.


Probably I am a little paranoid but every time I am creating a new bitcoin address I check first if it is among the first 10000 addresses. I even wrote a simple python script to check this :)
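
An added example, not tyz's script and not code from anyone in this thread: a self-audit of an exported WIF private key for the two weak-key cases raised above, a key among the first 10000 integers and a key equal to SHA-256 of a guessable passphrase (the classic brainwallet construction). The phrase list, the sample keys, the limit constant and all function names are constructed for illustration.

```python
import hashlib

# secp256k1 group order: valid private keys are integers in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LOW_KEY_LIMIT = 10000  # "the first 10000" range mentioned in the post above

# Constructed sample list; a real audit would use a large phrase corpus.
COMMON_PHRASES = ["password", "bitcoin", "correct horse battery staple"]
# Constructed stand-in for a key produced by a proper random generator.
SAMPLE_STRONG_KEY = int("8f" * 32, 16)


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    data = payload + _checksum(payload)
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes -> '1'
    return "1" * pad + out


def b58check_decode(text: str) -> bytes:
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("character outside the Base58 alphabet")
        num = num * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        raise ValueError("bad Base58Check checksum")
    return data[:-4]


def int_to_wif(key: int, compressed: bool = True) -> str:
    """Encode an integer as a mainnet WIF key (used to build the samples)."""
    suffix = b"\x01" if compressed else b""
    return b58check_encode(b"\x80" + key.to_bytes(32, "big") + suffix)


def wif_to_int(wif: str) -> int:
    """Decode a mainnet WIF private key to its integer value."""
    payload = b58check_decode(wif)
    if payload[0] != 0x80:
        raise ValueError("not a mainnet WIF private key")
    if len(payload) == 34 and payload[-1] == 0x01:   # compressed-pubkey flag
        raw = payload[1:33]
    elif len(payload) == 33:
        raw = payload[1:]
    else:
        raise ValueError("unexpected WIF payload length")
    return int.from_bytes(raw, "big")


def brainwallet_key(passphrase: str) -> int:
    """Classic brainwallet: the private key is SHA-256 of the passphrase."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def audit_wif(wif, phrases=COMMON_PHRASES, low_limit=LOW_KEY_LIMIT):
    """Return a list of findings; an empty list means neither check fired."""
    key = wif_to_int(wif)
    if not 1 <= key < SECP256K1_N:
        return ["invalid: outside the secp256k1 private key range"]
    findings = []
    if key <= low_limit:
        findings.append(f"low-range: key is the small integer {key}")
    for phrase in phrases:
        if brainwallet_key(phrase) == key:
            findings.append(f"brainwallet: key is SHA-256 of {phrase!r}")
    return findings


if __name__ == "__main__":
    samples = {
        "small integer": int_to_wif(42),
        "brainwallet": int_to_wif(brainwallet_key("correct horse battery staple")),
        "strong (constructed)": int_to_wif(SAMPLE_STRONG_KEY),
    }
    for label, wif in samples.items():
        print(label, "->", audit_wif(wif) or "no findings")
```

An empty result only rules out these two cases; it says nothing about a compromised host, which is what most replies in this thread suspect.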


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:03:56 PM
No one has access to my pc at all. I honestly can believe I've been hacked... all that trouble for 0.9btc? I've run scans with every tool out there... Nothing. This pc is hardly ever online, I don't use it for browsing or anything. I'm stumped... and really pissed off.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tyz on May 02, 2015, 02:15:49 PM
@bennybong: If you reference to my post then you need to know that the computer does not need to be online in order to be unsecure. What I meant is completely independent from your wallet.

Read this to get what I meant: https://bitcointalk.org/index.php?topic=354518.0


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 02:17:27 PM
No one has access to my pc at all. I honestly can believe I've been hacked... all that trouble for 0.9btc? I've run scans with every tool out there... Nothing. This pc is hardly ever online, I don't use it for browsing or anything. I'm stumped... and really pissed off.


Anti-virus software isn't foolproof and cannot catch many types of infections.

All it takes is one click on a link in a phishing email, one infected jump drive or external plugged in for a brief moment, visiting one page that has a 0 day exploit, 1 piece of infected pirated software or crack, or an insecure wireless AP. This is why you should never store what you cannot lose on a windows machine connected to a network or at least use a hardware wallet.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:21:34 PM
No one has access to my pc at all. I honestly can believe I've been hacked... all that trouble for 0.9btc? I've run scans with every tool out there... Nothing. This pc is hardly ever online, I don't use it for browsing or anything. I'm stumped... and really pissed off.


Anti-virus software isn't foolproof and cannot catch many types of infections.

All it takes is one click on a link in a phishing email, one infected jump drive or external plugged in for a brief moment, visiting one page that has a 0 day exploit, 1 piece of infected pirated software or crack, or an insecure wireless AP. This is why you should never store what you cannot lose on a windows machine connected to a network or at least use a hardware wallet.

But 0-days? I only have a few new usb drives that I use... all that for 0.9 btc?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:25:17 PM
Aaaaand it's gone

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

Look at the fucking tag he put on the address! Cunt. He must be browsing this!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 02:26:20 PM
But 0-days? I only have a few new usb drives that I use... all that for 0.9 btc?

The attacker is unlikely to know what your balance until it is taken or attacking many people at the same time.

There are many 0day exploits in the wild and your computer if not properly patched with the latest flash/browser/OS patches can be vulnerable to older exploits as well.

Even if you use WPA2 on your local router , if you live in an apartment building and a hacker lives next door and can see your hotspot they can perform a dictionary attack or bruteforce attack on your wifi password and than serve you up a malicious page with a 0 day exploit.

He must be browsing this!

Not necessarily, as it's a safe assumption you would be reading that with or without this thread. He is definitely an asshole though.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:27:44 PM
But 0-days? I only have a few new usb drives that I use... all that for 0.9 btc?

The attacker is unlikely to know what your balance is until it is taken, or is attacking many people at the same time.

There are many 0day exploits in the wild and your computer if not properly patched with the latest flash/browser/OS patches can be vulnerable to older exploits as well.

Even if you use WPA2 on your local router, if you live in an apartment building and a hacker lives next door and can see your hotspot they can perform a dictionary attack or bruteforce attack on your wifi password and then serve you up a malicious page with a 0 day exploit.



Yeah I am actually pretty hot on security and pentesting. Which is why I'm so confused!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 02:28:46 PM
Aaaaand it's gone

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

Look at the fucking tag he put on the address! Cunt. He must be browsing this!

Interesting blockchain.info tag : YoUr MyStErIoUs ThIeF lolz


https://blockchain.info/it/address/13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC

https://archive.is/xhdHz

Maybe the hacker is reading this thread, who knows?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 02:31:24 PM
But 0-days? I only have a few new usb drives that I use... all that for 0.9 btc?

The attacker is unlikely to know what your balance is until it is taken, or is attacking many people at the same time.

There are many 0day exploits in the wild and your computer if not properly patched with the latest flash/browser/OS patches can be vulnerable to older exploits as well.

Even if you use WPA2 on your local router, if you live in an apartment building and a hacker lives next door and can see your hotspot they can perform a dictionary attack or bruteforce attack on your wifi password and then serve you up a malicious page with a 0 day exploit.



Yeah I am actually pretty hot on security and pentesting. Which is why I'm so confused!

Someone check with Electrum as well.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 02:34:25 PM
Yeah I am actually pretty hot on security and pentesting. Which is why I'm so confused!

If you have any IT job or a job as a network administrator you are a much higher target for hackers and the NSA/FBI (remember many of them are corrupt as well)

You should always assume that whatever you have in your primary computer that you install software on and browse the internet with can be instantly compromised. I find that this is a good thing to expose myself to with small amounts of bitcoin as it is a cheap way of telling me my computer is compromised (never happened yet). If you do not use cold storage then you need to at least use a hardware wallet.

It doesn't matter that you are security conscientious as security is difficult to do right and all it takes is one mistake or one unlucky encounter.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: AtheistAKASaneBrain on May 02, 2015, 02:36:23 PM
I just deposited the above amount to one of electrum wallets. Almost immediately the balance was transferred to:

13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC

tx: https://blockchain.info/tx/c92f9c265f0a7a9b7fec9184a0314545f8d3f2b3d6d53c240eec97a087826a00

Noth of the transaction have any confirmations, it just happen immediately. How is this possible and how can I get my funds back??? I cannot understand how this is possible. FML

My address:

https://blockchain.info/address/15WapDB1AsoKKp4vMTims836Jxn9mJdHJA


Help!!!  

Very weird, I would assume you maybe got infected by a trojan of some sorts. The way it went is strange, as you didn't input that address. Maybe your electrum installation is compromised?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: frankenmint on May 02, 2015, 02:41:01 PM
But 0-days? I only have a few new usb drives that I use... all that for 0.9 btc?

The attacker is unlikely to know what your balance is until it is taken, or is attacking many people at the same time.

There are many 0day exploits in the wild and your computer if not properly patched with the latest flash/browser/OS patches can be vulnerable to older exploits as well.

Even if you use WPA2 on your local router, if you live in an apartment building and a hacker lives next door and can see your hotspot they can perform a dictionary attack or bruteforce attack on your wifi password and then serve you up a malicious page with a 0 day exploit.



Yeah I am actually pretty hot on security and pentesting. Which is why I'm so confused!

Again, I'm going to go with the point of failure wasn't you, I would press that there is a failure point with the VPN.  If someone has your info, they could just wait for you to confirm signing the transaction then send it immediately thereafter.  I've read cases of botched tor exit nodes that pass fake blockchain.info credentials to users to log the credentials. 

was the btc cold for a while beforehand?  why were you moving it to this address?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:43:16 PM
Yeah I am actually pretty hot on security and pentesting. Which is why I'm so confused!

If you have any IT job or a job as a network administrator you are a much higher target for hackers and the NSA/FBI (remember many of them are corrupt as well)

You should always assume that whatever you have in your primary computer that you install software on and browse the internet with can be instantly compromised. I find that this is a good thing to expose myself to with small amounts of bitcoin as it is a cheap way of telling me my computer is compromised (never happened yet). If you do not use cold storage then you need to at least use a hardware wallet.

It doesn't matter that you are security conscientious as security is difficult to do right and all it takes is one mistake or one unlucky encounter.

Trust me. I'm on a boat, with a personal crappy old laptop. No one has been near this. My internet is 150kb/s tops and I hate it!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:46:05 PM
But 0-days? I only have a few new usb drives that I use... all that for 0.9 btc?

The attacker is unlikely to know what your balance is until it is taken, or is attacking many people at the same time.

There are many 0day exploits in the wild and your computer if not properly patched with the latest flash/browser/OS patches can be vulnerable to older exploits as well.

Even if you use WPA2 on your local router, if you live in an apartment building and a hacker lives next door and can see your hotspot they can perform a dictionary attack or bruteforce attack on your wifi password and then serve you up a malicious page with a 0 day exploit.



Yeah I am actually pretty hot on security and pentesting. Which is why I'm so confused!

Again, I'm going to go with the point of failure wasn't you, I would press that there is a failure point with the VPN.  If someone has your info, they could just wait for you to confirm signing the transaction then send it immediately thereafter.  I've read cases of botched tor exit nodes that pass fake blockchain.info credentials to users to log the credentials. 

was the btc cold for a while beforehand?  why were you moving it to this address?

No, it was fresh from localbitcoins. My VPN is IPredator, which I trust.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: RocketSingh on May 02, 2015, 02:52:51 PM
U could try www.bitundo.com... but it has already got a confirmation.

Wow! Interesting share! Have you ever tried this site?
I don't think its legit! I will try it right now and edit this post :)

No. I have never tried. I'd be interested in your feedback as well...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 02:54:10 PM
Trust me. I'm on a boat, with a personal crappy old laptop. No one has been near this. My internet is 150kb/s tops and I hate it!

Additionally, think about anyone else that has access or come in contact with your computer or any usb drive in the past. Additionally, since you are on a boat with a 150 kb/s connection that also brings 2 concerns to my mind : 1) you aren't keeping your windows box patched because of your extremely limited bandwidth. 2) You are using a wifi hotspot that is compromised.

The fact that you are so incredulous that you have been compromised is a security concern in itself as there are so many ways to be compromised with the way you store bitcoins. At most you should be upset and slightly shocked that you were compromised but aware that you made some security shortcuts and need to do better in the future.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:54:21 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 02:56:50 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

He's implying an Electrum vulnerability...?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:57:27 PM
Trust me. I'm on a boat, with a personal crappy old laptop. No one has been near this. My internet is 150kb/s tops and I hate it!

Additionally, think about anyone else that has access or come in contact with your computer or any usb drive in the past. Additionally, since you are on a boat with a 150 kb/s connection that also brings 2 concerns to my mind : 1) you aren't keeping your windows box patched because of your extremely limited bandwidth. 2) You are using a wifi hotspot that is compromised.

The fact that you are so incredulous that you have been compromised is a security concern in itself as there are so many ways to be compromised with the way you store bitcoins. At most you should be upset and slightly shocked that you were compromised but aware that you made some security shortcuts and need to do better in the future.

Windows is up to date, I don't think the hotspot is compromised. It's a very good system, I know the owner of this place and I've been talking with the IT to try and get me some more speed! And I use VPN anyway (which I had to pay for).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Amph on May 02, 2015, 02:58:10 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

It seems that this guy knows that you were using electrum, at least the tag indicates so. Could it be that he is exploiting an electrum weakness?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 02:58:53 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

He's implying an Electrum vulnerability...?

Exactly... What's going on? Any other reports of this??


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 02:59:04 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?


...
It seems that this guy knows that you were using electrum, at least the tag indicates so. Could it be that he is exploiting an electrum weakness?


Wait, can I say one thing? .... and if it is only a joke by the OP (I'm only asking, but it could be possible).




Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: shorena on May 02, 2015, 02:59:18 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

The output can not be converted to an address.

Edit: looks like it can now. I thought bc.i did not show an address when I checked initially. Probably just lack of coffee.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 02:59:58 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

He's implying an Electrum vulnerability...?

Exactly... What's going on? Any other reports of this??

Which version of electrum have (or are you) used (using)? I think you didn't reply to my past question (maybe you didn't notice it).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 03:00:37 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?


"3lectruM fail. More2come SWX"

Looks like there is a small chance this is a whitehat hacker who will return the funds and this is his way of proving the vulnerability, teaching you a lesson, and/or having fun.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: RocketSingh on May 02, 2015, 03:00:51 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

It seems Electrum's security has been breached.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:01:07 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?


...
It seems that this guy knows that you were using electrum, at least the tag indicates so. Could it be that he is exploiting an electrum weakness?


Wait, can I say one thing? .... and it is only a joke by the OP (I'm only asking, but it could be possible).




Huh?  You saying bennybong is joking? What?  You mean a prank?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:02:39 PM
It's not a joke guys  :-[


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: SpanishSoldier on May 02, 2015, 03:07:42 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

The output can not be converted to an address.

Probably Not. Check this...

https://www.blocktrail.com/BTC/tx/c8ab6cc860112ffc29f5a778b8f47fe862b9412ca96c13538468febe268f6d87


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 03:08:02 PM
It's not a joke guys  :-[

Ok thanks for the reply, however it is also interesting that the 'hacker' used 0.001 btc as fee :

https://blockchain.info/it/tx/c8ab6cc860112ffc29f5a778b8f47fe862b9412ca96c13538468febe268f6d87

It was not necessary in my opinion, and we know he also used the blockchain.info web-wallet to move those bitcoin.


New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?

The output can not be converted to an address.

Probably Not. Check this...

https://www.blocktrail.com/BTC/tx/c8ab6cc860112ffc29f5a778b8f47fe862b9412ca96c13538468febe268f6d87


It is only a blockchain.info tag , and it appears only in that site BC.info (http://blockchain.info)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 03:09:29 PM
It's not a joke guys  :-[

"SWX" doesn't refer to any common initialism that fits in context so it's likely his handle or who this hacker is trying to pin this theft on.

What version of electrum are you running? Where did you download it from?  Since you are using an SPV client what server did you connect to?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: coinableS on May 02, 2015, 03:12:44 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?


...
It seems that this guy knows that you were using electrum, at least the tag indicates so. Could it be that he is exploiting an electrum weakness?


Wait, can I say one thing? .... and if it is only a joke by the OP (I'm only asking, but it could be possible).




Why I am thinking the same thing? Sorry about your coins OP, but this is really strange TBH.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:13:19 PM
What else was in that computer?  No naked selfies I hope...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: johnyj on May 02, 2015, 03:14:02 PM
OP, was your VM machine running when the theft happened?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:14:36 PM
New address has a new tag:

https://blockchain.info/address/1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf

wtf does that mean?!?


...
It seems that this guy knows that you were using electrum, at least the tag indicates so. Could it be that he is exploiting an electrum weakness?


Wait, can I say one thing? .... and if it is only a joke by the OP (I'm only asking, but it could be possible).




Why I am thinking the same thing? Sorry about your coins OP, but this is really strange TBH.

Thank god I'm using armory.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:21:20 PM
Trust me. I'm on a boat, with a personal crappy old laptop. No one has been near this. My internet is 150kb/s tops and I hate it!

Additionally, think about anyone else that has access or come in contact with your computer or any usb drive in the past. Additionally, since you are on a boat with a 150 kb/s connection that also brings 2 concerns to my mind : 1) you aren't keeping your windows box patched because of your extremely limited bandwidth. 2) You are using a wifi hotspot that is compromised.

The fact that you are so incredulous that you have been compromised is a security concern in itself as there are so many ways to be compromised with the way you store bitcoins. At most you should be upset and slightly shocked that you were compromised but aware that you made some security shortcuts and need to do better in the future.

No one I know knows about bitcoin


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:24:50 PM
Trust me. I'm on a boat, with a personal crappy old laptop. No one has been near this. My internet is 150kb/s tops and I hate it!

Additionally, think about anyone else that has access or come in contact with your computer or any usb drive in the past. Additionally, since you are on a boat with a 150 kb/s connection that also brings 2 concerns to my mind : 1) you aren't keeping your windows box patched because of your extremely limited bandwidth. 2) You are using a wifi hotspot that is compromised.

The fact that you are so incredulous that you have been compromised is a security concern in itself as there are so many ways to be compromised with the way you store bitcoins. At most you should be upset and slightly shocked that you were compromised but aware that you made some security shortcuts and need to do better in the future.

No one I know knows about bitcoin

Probably someone does.  He's following you.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 03:25:13 PM
U could try www.bitundo.com... but it has already got a confirmation.

Wow! Interesting share! Have you ever tried this site?
I don't think its legit! I will try it right now and edit this post :)

No. I have never tried. I'd be interested in your feedback as well...

It doesn't work  :-\
The last "Next" button doesn't work no matter how much you click it or how hard you click it :P


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 03:26:26 PM

No one I know knows about bitcoin

It isn't about bitcoin, they could have grabbed your btc incidentally when they saw you were involved. No one you know or are in contact with is technical?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:31:30 PM

No one I know knows about bitcoin

It isn't about bitcoin, they could have grabbed your btc incidentally when they saw you were involved. No one you know or are in contact with is technical?

No, this is a fairly new build (PC). And I've been isolated completely living on this boat.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 03:34:59 PM

No, this is a fairly new build (PC). And I've been isolated completely living on this boat.

Perhaps we should follow the hacker's breadcrumbs...

3lectruM fail. More2come SWX

What version of electrum are you running? Where did you download it from?  Since you are using a SPV client what server did you connect to?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:37:54 PM

No, this is a fairly new build (PC). And I've been isolated completely living on this boat.

Perhaps we should follow the hacker's breadcrumbs...

3lectruM fail. More2come SWX

What version of electrum are you running? Where did you download it from?  Since you are using a SPV client what server did you connect to?


No one is willing to give that info in public right now.  It could be an Electrum vulnerability.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:39:49 PM

No, this is a fairly new build (PC). And I've been isolated completely living on this boat.

Perhaps we should follow the hacker's breadcrumbs...

3lectruM fail. More2come SWX

What version of electrum are you running? Where did you download it from?  Since you are using a SPV client what server did you connect to?

v2.1.1 downloaded from their website and I checked the checksums. Server is autoconnect.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: johnyj on May 02, 2015, 03:41:04 PM
A fake Electrum server  ::)

Was your VM machine running when the theft happened?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:43:00 PM
A fake Electrum server  ::)

Is that possible? And is Electrum responsible for that at all?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 03:43:46 PM
A fake Electrum server  ::)

Yes, this is a very likely possibility. Do not use auto-connect with SPV clients and select an older trusted server.

Is that possible? And is Electrum responsible for that at all?

Anyone can set up an electrum server. https://github.com/spesmilo/electrum-server/


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: johnyj on May 02, 2015, 03:48:17 PM
A fake Electrum server  ::)

Is that possible? And is Electrum responsible for that at all?

If it is indeed an Electrum bug, then they will compensate you for sure. But I'm not sure what kind of harm a fake server can do, since the signing of the transaction happens locally and no one should have the knowledge of your seed

If your VM machine was not running when the theft happens, then the weakness should be in the seed or private key


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:48:44 PM
A fake Electrum server  ::)

Yes, this is a very likely possibility. Do not use auto-connect with SPV clients and select an older trusted server.

Fuck I've been screwed so many times. BFL, Avalon, mtGox, 50BTC, blackarrow. Fuck them all. Only got back in to BTC recently after about 4-5 months. I give up.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: SpanishSoldier on May 02, 2015, 03:49:30 PM

No one I know knows about bitcoin

It isn't about bitcoin, they could have grabbed your btc incidentally when they saw you were involved. No one you know or are in contact with is technical?

No, this is a fairly new build (PC). And I've been isolated completely living on this boat.

Living on a boat ? How u r getting the connectivity ? Is that internet connection reliable ? Are u in a river or in a sea ? Care to share a snap ?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:50:24 PM
A fake Electrum server  ::)

Is that possible? And is Electrum responsible for that at all?

If it is indeed an Electrum bug, then they will compensate you for sure. But I'm not sure what kind of harm a fake server can do, since the signing of the transaction happens locally and no one should have the knowledge of your seed

If your VM machine was not running when the theft happens, then the weakness should be in the seed or private key

Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah :(


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:53:08 PM
A fake Electrum server  ::)

Yes, this is a very likely possibility. Do not use auto-connect with SPV clients and select an older trusted server.

Fuck I've been screwed so many times. BFL, Avalon, mtGox, 50BTC, blackarrow. Fuck them all. Only got back in to BTC recently after about 4-5 months. I give up.

Yeah.  It's just one of those things, you know?  Fate, karma, cause and effect or whatever...  It's probably the whole universe trying to tell you that Bitcoin isn't for you.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: fryarminer on May 02, 2015, 03:54:05 PM
This is a horrible thread!! Dude sorry about your luck.
I hope the breadcrumbs lead to something.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: fryarminer on May 02, 2015, 03:55:21 PM
A fake Electrum server  ::)

Yes, this is a very likely possibility. Do not use auto-connect with SPV clients and select an older trusted server.

Fuck I've been screwed so many times. BFL, Avalon, mtGox, 50BTC, blackarrow. Fuck them all. Only got back in to BTC recently after about 4-5 months. I give up.

You got hit by all the above?! Ouch.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 03:55:50 PM
A fake Electrum server  ::)

Is that possible? And is Electrum responsible for that at all?

If it is indeed an Electrum bug, then they will compensate you for sure. But I'm not sure what kind of harm a fake server can do, since the signing of the transaction happens locally and no one should have the knowledge of your seed

If your VM machine was not running when the theft happens, then the weakness should be in the seed or private key

Servers technically aren't supposed to be able to steal your bitcoin with electrum as it depends upon SSL for security. But the attacker could have used compromised SSL certs ...

https://www.reddit.com/r/Bitcoin/comments/2feox9/electrum_securityprivacy_model/



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 03:55:57 PM
A fake Electrum server  ::)

Is that possible? And is Electrum responsible for that at all?

If it is indeed an Electrum bug, then they will compensate you for sure. But I'm not sure what kind of harm a fake server can do, since the signing of the transaction happens locally and no one should have the knowledge of your seed

If your VM machine was not running when the theft happens, then the weakness should be in the seed or private key

Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah :(

That on the same computer?  The hacker is probably reading this and licking his chops.  :D


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 03:58:29 PM
lol no. fuck no.  :D


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 02, 2015, 04:01:19 PM
lol no. fuck no.  :D

You have 2 computers on the boat?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 04:04:14 PM
A laptop (with Electrum) and a PC, yes. Problem?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 04:09:04 PM
A laptop (with Electrum) and a PC, yes. Problem?

Yes, asking for charity is slightly inappropriate under such circumstances because:

1) This all could be an orchestrated ruse to get some free BTC and apparently small amounts of BTC is a big deal to you

2) You really need to secure your computers first and practice better security in general even if you have 2 devices (there could be cross contamination).

I am not assuming anything but that is kinda how it looks when people overtly ask for charity right after being hacked.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 04:11:51 PM
A laptop (with Electrum) and a PC, yes. Problem?

Yes, asking for charity is slightly inappropriate under such circumstances because:

1) This all could be an orchestrated ruse to get some free BTC and apparently small amounts of BTC is a big deal to you

2) You really need to secure your computers first and practice better security in general even if you have 2 devices (there could be cross contamination).

I am not assuming anything but that is kinda how it looks when people overtly ask for charity right after being hacked.

I'm just pissed off because I just spent the last of my cash and lost it almost instantly. fml

Oh and I'm a fairly respected member here. Do you think this is some kind of scam?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 04:15:01 PM
I'm just pissed off because I just spent the last of my cash and lost it almost instantly. fml

Yeah, I think you are sincere and this is just a very unfortunate experience. You still need to change all your passwords and do 2 reinstalls, and quarantine a lot of your data first until we know exactly how this happened. Hopefully he explains more details soon as he indicated.


Oh and I'm a fairly respected member here. Do you think this is some kind of scam?

No, I think you are sincere, but unfortunately many hero accounts are sold off.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:15:07 PM
A fake electrum server is highly unlikely. Electrum "server" is a bad way to describe it, they are essentially electrum "nodes". There is no trust involved when using an electrum server, they can tell what your IP is and what your Bitcoin addresses are, but they have no ability whatsoever to steal funds. A vulnerability that allowed the server to steal funds in the way the OP described is highly unlikely, as the only task the server does is let the client know about transactions their addresses received, and said information is verified by the client against other nodes.

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: erikalui on May 02, 2015, 04:22:06 PM
It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute. All say that Electrum is safe and this cannot happen unless your PC has been compromised. The transaction note as well is weird and if it's an error from Electrum, you can expect your money back as this might have happened with many other users as well.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bronan on May 02, 2015, 04:23:06 PM
Well, which are trusted servers for electrum?
If I browse through that list I see a lot of names but most look at least nasty


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 04:24:40 PM
It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute. All say that Electrum is safe and this cannot happen unless your PC has been compromised. The transaction note as well is weird and if it's an error from Electrum, you can expect your money back as this might have happened with many other users as well.

Shall I contact electrum do you think?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:25:18 PM
Well, which are trusted servers for electrum?
If I browse through that list I see a lot of names but most look at least nasty

There is no need to trust your electrum server much, all they do is give your client transaction data about your addresses and that information is checked against other nodes. They do however have the ability to know your IP address and Bitcoin addresses, so you should only use servers that you think will respect your privacy and use Tor if necessary.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 04:25:32 PM
It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute. All say that Electrum is safe and this cannot happen unless your PC has been compromised. The transaction note as well is weird and if it's an error from Electrum, you can expect your money back as this might have happened with many other users as well.

Shall I contact electrum do you think?

Good idea.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:25:56 PM
It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute.

That isn't weird at all. This happens all of the time with hacked brainwallets etc


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 04:29:12 PM
It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute. All say that Electrum is safe and this cannot happen unless your PC has been compromised. The transaction note as well is weird and if it's an error from Electrum, you can expect your money back as this might have happened with many other users as well.

Shall I contact electrum do you think?

I am still thinking that it is not a problem of electrum, a 'bug'. Check again your personal computer.


It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute.

That isn't weird at all. This happens all of the time with hacked brainwallets etc

Electrum seed is different than the passphrase of a brainwallet, or am I wrong?





Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bronan on May 02, 2015, 04:29:50 PM
Need to know if my friends are safe, if there is a flaw in electrum
My first question is did you try using any trojan scan tools

http://www.thewindowsclub.com/malware-removal-windows

Try at least to see if there is no nasty stuff on your computer, to make sure it's not any of that.

lol none of my friends installed the 2.x they are on 1.9.8
 


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 04:30:06 PM
Another transaction : https://blockchain.info/it/tx/8a47c42aa28aefe9f47f28777c319265998730b6bf5fa0a3aadcd85f76c50906

This time with only 0.00003 bitcoin as fee. I'm so curious to see if he will add a blockchain.info tag also to that bitcoin address.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: erikalui on May 02, 2015, 04:31:25 PM
It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute. All say that Electrum is safe and this cannot happen unless your PC has been compromised. The transaction note as well is weird and if it's an error from Electrum, you can expect your money back as this might have happened with many other users as well.

Shall I contact electrum do you think?

Definitely do that. It seems to be an error from their end and I hope you get your money back.

Also, try to restore your computer to an earlier date when it was working fine to delete any virus (in case it was infected).

It's weird that the bitcoins just arrived in your account and it got transferred in 1 minute.

That isn't weird at all. This happens all of the time with hacked brainwallets etc

So fast? You mean his account was hacked from first? It's quite unlikely and since I have no experience with electrum, it can be a possibility.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:32:20 PM
Electrum seed is different than the passphrase of a brainwallet, or am I wrong?

It is different, however it can be cracked in the same way, for example if you made up your own seed, one that is easy to remember, people often do things like this and if you do that it likely won't be very random and is vulnerable like a brainwallet. It is also possible that the hacker found the wallet file and noticed it was empty, so he set up his PC to sweep it once funds were transferred to it.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:34:44 PM
Definitely do that. It seems to be an error from their end and I hope you get your money back.

I seriously doubt it is a bug in electrum, nothing in this thread has indicated so, it looks like OP's private keys were compromised somehow.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 04:34:59 PM
It's moved

https://blockchain.info/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 04:35:10 PM
Another transaction : https://blockchain.info/it/tx/8a47c42aa28aefe9f47f28777c319265998730b6bf5fa0a3aadcd85f76c50906

This time with only 0.00003 bitcoin as fee. I'm so curious to see if he will add a blockchain.info tag also to that bitcoin address.


I'm quoting myself : aLL bTc in my handz SWX (https://blockchain.info/it/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T).


Electrum seed is different than the passphrase of a brainwallet, or am I wrong?

It is different, however it can be cracked in the same way, for example if you made up your own seed, one that is easy to remember, people often do things like this and if you do that it likely won't be very random and is vulnerable like a brainwallet. It is also possible that the hacker found the wallet file and noticed it was empty, so he set up his PC to sweep it once funds were transferred to it.


But it is so complicated to 'find' or crack 12 words (the electrum seed).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Ghris on May 02, 2015, 04:37:45 PM
Another transaction : https://blockchain.info/it/tx/8a47c42aa28aefe9f47f28777c319265998730b6bf5fa0a3aadcd85f76c50906

This time with only 0.00003 bitcoin as fee. I'm so curious to see if he will add a blockchain.info tag also to that bitcoin address.


I'm quoting myself : aLL bTc in my handz SWX (https://blockchain.info/it/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T).


Electrum seed is different than the passphrase of a brainwallet, or am I wrong?

It is different, however it can be cracked in the same way, for example if you made up your own seed, one that is easy to remember, people often do things like this and if you do that it likely won't be very random and is vulnerable like a brainwallet. It is also possible that the hacker found the wallet file and noticed it was empty, so he set up his PC to sweep it once funds were transferred to it.


But it is so complicated to 'find' or crack 12 words (the electrum seed).

Wait, are you quoting your forum message or are you quoting "your" tag?  ;D

Sorry for your loss OP. But I have a feeling this is done by a troll that might give it back eventually.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:38:22 PM
But it is so complicated to 'find' or crack 12 words (the electrum seed).

If your twelve words are all the same word it isn't. Sometimes people "pick" their own seeds that are weaker.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Beliathon on May 02, 2015, 04:38:34 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 04:40:37 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Yes I was thinking that it could be a problem with low entropy. Electrum uses /dev/urandom to generate seeds (with some filtering IIRC). /dev/urandom doesn't work so good in a VM, and if you are doing encryption in the VM too then you are going to deplete the entropy further. I wonder if it could be that OP's wallet was generated using poor entropy, and a hacker out there trying to crack weak seeds managed to crack the seed, much like the johoe bc.info hack. It's less likely though as the /dev/urandom in Ubuntu is pretty good, and probably safe enough, but I wonder if VMWare could change that or maybe even specifically the OP's VMWare configuration, as the LRNG uses lots of hardware inputs to make entropy. In any case I think the most likely scenario is that OP's machine is infected or the hacker found a backup or got the wallet some way like that.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: shorena on May 02, 2015, 04:43:33 PM
Two things.

#1 OP move this into the Electrum section please. This will make sure people with more knowledge about Electrum will read the thread. The option to move a thread is at the lower left of the page.

-> https://bitcointalk.org/index.php?board=98.0

#2 Isn't Electrum 2 still in beta?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bronan on May 02, 2015, 04:44:07 PM
you mean a quote like : like like like like like like like like like like like like like ;)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 04:44:36 PM
Another transaction : https://blockchain.info/it/tx/8a47c42aa28aefe9f47f28777c319265998730b6bf5fa0a3aadcd85f76c50906

This time with only 0.00003 bitcoin as fee. I'm so curious to see if he will add a blockchain.info tag also to that bitcoin address.


I'm quoting myself : aLL bTc in my handz SWX (https://blockchain.info/it/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T).


Electrum seed is different than the passphrase of a brainwallet, or am I wrong?

It is different, however it can be cracked in the same way, for example if you made up your own seed, one that is easy to remember, people often do things like this and if you do that it likely won't be very random and is vulnerable like a brainwallet. It is also possible that the hacker found the wallet file and noticed it was empty, so he set up his PC to sweep it once funds were transferred to it.


But it is so complicated to 'find' or crack 12 words (the electrum seed).

Wait, are you quoting your forum message or are you quoting "your" tag?  ;D

Sorry for your loss OP. But I have a feeling this is done by a troll that might give it back eventually.


With "I'm quoting" I meant quoting my previous post, because I thought the 'hacker' or whoever is managing the funds would surely add the blockchain.info tag.



But it is so complicated to 'find' or crack 12 words (the electrum seed).

If your twelve words are all the same word it isn't. Sometimes people "pick" their own seeds that are weaker.

In that case it is very easy, but usually it is the wallet (itself) that generates the 12 words as seed and you can't decide (or better can't modify) those words.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bronan on May 02, 2015, 04:44:48 PM
nope looks like an official release

Well it's possible that one would get the same one but it's very unlikely given the possible combinations.
But I remember one safe seller putting a large sum for those who could open it with a bunch of numbers they assumed it would never happen.
The funny thing is a nice woman just did the lucky guess and got it out


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: unamis76 on May 02, 2015, 04:45:04 PM
Sorry for your loss. This is pretty odd... I highly doubt of an error in Electrum (if it was, the hackers would have many stolen Bitcoin right now), this was more a targeted attack, or so it seems.

More info about OP's setup would be needed... VM software, recently installed programs, weird wallet behavior in the last few days, possibility of infected USB's...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: randayh on May 02, 2015, 04:48:40 PM
You're running Windows? enough said...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 02, 2015, 04:49:09 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Pretty strong. I use TrueCrypt


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: rokkyroad on May 02, 2015, 04:51:17 PM
Always a good idea to use chkrootkit in linux installs. Install it, open a terminal, enter   sudo chkrootkit

It should show you anything suspicious.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jonald_fyookball on May 02, 2015, 05:06:53 PM
Sorry to hear about it OP.

There's really no substitute for cold storage I guess.

Still, I have some coins in my online PC with electrum
and they are still there.

Like someone said, strange they were moved within a minute
of getting received...seems to be a clue.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 05:12:23 PM
Mysterious theft! If you were an organization, I would have called it an "Insider Job" but you are an individual!
The hacker seems to be Genius! He got through such a secure computer system and hacked your wallet!
Why not try asking the hacker himself by sending a 0.0001 to his address and adding a public note on that transaction? :)

I'm really confused about this theft! How the hell did the hacker steal the coin?
Either the Hacker is a Genius or OP is trolling! (I don't mean I guarantee you are trolling)!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 05:18:02 PM
I'm really confused about this theft! How the hell did the hacker steal the coin?
Either the Hacker is a Genius or OP is trolling! (I don't mean I guarantee you are trolling)!

Or he was compromised in one of many other ways we have been discussing. Just because someone doesn't think they were compromised in certain ways doesn't make it so. It's not like his coins were stored securely either. They were on a windows box, using an SPV client, and likely had pirated software. This doesn't constitute secure by any means.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bronan on May 02, 2015, 05:18:17 PM
Or through the fake emails with so called offers and other crap which have a jar attached to steal anyone's coins
I had hundreds of them and all get deleted before even reaching any of the people who open emails
There are so many ways people can infiltrate computers these days, even some alt-coins are released containing wallet stealers.
The list is darn long with the ways criminals have invented to steal.
I caught several mining trojans as well which were using the cpu/gpu of my friends' computers

Sorry for your loss


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 05:20:46 PM
I'm really confused about this theft! How the hell did the hacker steal the coin?
Either the Hacker is a Genius or OP is trolling! (I don't mean I guarantee you are trolling)!

Or he was compromised in one of many other ways we have been discussing. Just because someone doesn't think they were compromised in certain ways doesn't make it so. It's not like his coins were stored securely either. They were on a windows box, using an SPV client, and likely had pirated software. This doesn't constitute secure by any means.

I am not a technical guy but as I read the thread whatever you guys ask OP gives a positive answer! Makes me think he stored it in a 100% secure way! But I am learning.. Nothing is perfect!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Quickseller on May 02, 2015, 05:24:34 PM
Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah :(

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.
I think the chances are probably higher that the OP made the story up in order to try to get "donations". There are enough contradictions in this thread to suggest so.

The "hacker" only took funds from one address and having funds in only one address in an electrum wallet would be somewhat unusual, especially considering that change addresses are enabled by default.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 05:27:19 PM
Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah :(

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.
I think the chances are probably higher that the OP made the story up in order to try to get "donations". There are enough contradictions in this thread to suggest so.

The "hacker" only took funds from one address and having funds in only one address in an electrum wallet would be somewhat unusual, especially considering that change addresses are enabled by default.

He (the op) said :

can you send us a screenshot of your transaction log

Which one? From electrum? Or to electrum - because that came from an exchange.

Thanks

This is the transaction id: https://blockchain.info/it/tx/5cc872a7dc9bebb03290e9d537d57eba51056e764483a4f4ef4f6bc2bac66e0f

So I do not know if the OP is trolling or if he has really lost those bitcoins.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Quickseller on May 02, 2015, 05:29:27 PM
Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah :(

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.
I think the chances are probably higher that the OP made the story up in order to try to get "donations". There are enough contradictions in this thread to suggest so.

The "hacker" only took funds from one address and having funds in only one address in an electrum wallet would be somewhat unusual, especially considering that change addresses are enabled by default.

He (the op) said :

can you send us a screenshot of your transaction log

Which one? From electrum? Or to electrum - because that came from an exchange.

Thanks

This is the transaction id: https://blockchain.info/it/tx/5cc872a7dc9bebb03290e9d537d57eba51056e764483a4f4ef4f6bc2bac66e0f

So I do not know if the OP is trolling or if he has really lost those bitcoins.


Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 05:34:00 PM
Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) and that the funds were immediately swept into the hacker's address.

I have no idea if he is lying or not, unless you trust the OP a lot you shouldn't donate as there is no way we can know if OP is telling the truth.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 05:35:07 PM
Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) ...

Exactly, I have already quoted the post made by the OP. However this is a reply from ThomasV:


Sorry for your loss.

The fact that the coins were stolen immediately means that the hacker had your seed or your private key before the coins were sent to you;
he was probably running a script waiting for some coins to land on compromised or weak private keys.

One thing you can do is publish your seed; it does not make sense to keep it private anymore.


..and that the funds were immediately swept into the hacker's address.

After 1 minute, it is not 'immediately' but he was 'very fast'.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 02, 2015, 05:37:52 PM
After 1 minute, it is not 'immediately' but he was 'very fast'.

Yes it usually takes about 1 minute for a transaction to propagate the network, so it took around a minute before the hacker's PC knew the address had received money that it could steal.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 02, 2015, 05:43:12 PM
Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) ...

Exactly, I have already quoted the post made by the OP. However this is a reply from ThomasV:


Sorry for your loss.

The fact that the coins were stolen immediately means that the hacker had your seed or your private key before the coins were sent to you;
he was probably running a script waiting for some coins to land on compromised or weak private keys.

One thing you can do is publish your seed; it does not make sense to keep it private anymore.


..and that the funds were immediately swept into the hacker's address.

After 1 minute, it is not 'immediately' but he was 'very fast'.

Either it was the OP himself or it was someone monitoring OP very closely! Though he denies that people he know don't use bitcoins I think someone very close to him was behind this If his computer was as safe as he stated it here!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Amph on May 02, 2015, 05:48:05 PM
You're running Windows? enough said...

ignorant statement, linux isn't so much better in terms of virus and company, and it's not even about the OS here, it's the container apparently


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Cinnob0n on May 02, 2015, 06:29:10 PM
Ouch! Make sure to scan your PC.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: johnyj on May 02, 2015, 06:46:13 PM
Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) and that the funds were immediately swept into the hacker's address.

I have no idea if he is lying or not, unless you trust the OP a lot you shouldn't donate as there is no way we can know if OP is telling the truth.

That's not a brand new wallet:

I've had much more btc in that wallet in the past. And I only fire up my VM to check my electrum which isn't that often. WHY ME AND why now. This is bullshit!



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: johnyj on May 02, 2015, 06:51:46 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

I'm also wondering if the randomness of the key generation on a VM can be as good as physical machine


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 07:06:56 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

I'm also wondering if the randomness of the key generation on a VM can be as good as physical machine

It isn't and neither is the entropy generated from a live linux cd either... but it would still be a very rare and odd attack because enough entropy is typically realized.  


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Quickseller on May 02, 2015, 07:11:17 PM
Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) and that the funds were immediately swept into the hacker's address.

I have no idea if he is lying or not, unless you trust the OP a lot you shouldn't donate as there is no way we can know if OP is telling the truth.

That's not a brand new wallet:

I've had much more btc in that wallet in the past. And I only fire up my VM to check my electrum which isn't that often. WHY ME AND why now. This is bullshit!


Yup. He also claims to not be very tech savvy, however engages in things that would typically only be done by someone who is tech savvy


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 07:20:13 PM
It is odd that the hacker is wasting his time taunting the victim as well with such a small amount. The hacker could be a sick loser I suppose that enjoys trolling.

In any which case I do not mind helping investigate and troubleshoot security for victims but it is a bad idea to reward those that practice bad security(SPV in Vmware on a windows box is poor security) when there are so many charities that are far more deserving.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 07:25:21 PM
After 1 minute, it is not 'immediately' but he was 'very fast'.

Yes it usually takes about 1 minute for a transaction to propagate the network, so it took around a minute before the hacker's PC knew the address had received money that it could steal.

So most probably the OP is not 'kidding' and he really lost those 0.92329 bitcoins. However the bitcoin is still in the last address ( TAG: aLL bTc in my handz SWX) from about 5 hours.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: MakingMoneyHoney on May 02, 2015, 07:39:29 PM
So even though this thread got moved to Electrum, is the consensus still that it probably had nothing to do with being an Electrum wallet?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: inBitweTrust on May 02, 2015, 07:48:35 PM
So even though this thread got moved to Electrum, is the consensus still that it probably had nothing to do with being an Electrum wallet?

Very unlikely as the SSL certs would have to be compromised, but perhaps a hidden bug that is making electrum work completely differently than designed.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: fryarminer on May 02, 2015, 07:57:18 PM
It's moved

https://blockchain.info/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T

Hey OP, what does "SWX" mean? Does it mean anything to you?

Quote
3lectruM fail. More2come SWX
aLL bTc in my handz SWX


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Beliathon on May 02, 2015, 08:08:34 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Pretty strong. I use TrueCrypt
Damn that really sucks. I don't know what to tell you, other than the obvious:

There's really no substitute for cold storage
I personally never played with Electrum because I only trust cold storage.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: unamis76 on May 02, 2015, 08:58:24 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Pretty strong. I use TrueCrypt
Damn that really sucks. I don't know what to tell you, other than the obvious:

There's really no substitute for cold storage
I personally never played with Electrum because I only trust cold storage.

And Electrum + Cold Storage is also a possibility...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 02, 2015, 09:02:45 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Pretty strong. I use TrueCrypt
Damn that really sucks. I don't know what to tell you, other than the obvious:

There's really no substitute for cold storage
I personally never played with Electrum because I only trust cold storage.

And Electrum + Cold Storage is also a possibility...

Simple... simple | a cold storage is an address generated offline (or better, on an offline PC) so the use of the wallet is 'relative'. You can also generate the coin with another client/wallet; the important thing is that the device/machine *must* be offline (better, it should never be connected to the Internet, *never*).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jonald_fyookball on May 02, 2015, 09:15:57 PM
Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Pretty strong. I use TrueCrypt
Damn that really sucks. I don't know what to tell you, other than the obvious:

There's really no substitute for cold storage
I personally never played with Electrum because I only trust cold storage.

And Electrum + Cold Storage is also a possibility...

Correct.  You just have to make sure you generate the
seed on a machine that has never been online and
never will be.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Beliathon on May 02, 2015, 09:27:46 PM
Correct.  You just have to make sure you generate the
seed on a machine that has never been online and never will be.
Not never has been, only never will be again. The machine can be online 5 seconds before you generate the seed, so long as you ensure it will never connect to the internet again.

This includes network-capable printers if you're printing paper wallets, best bet is to physically remove the network card from the machine!



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jonald_fyookball on May 02, 2015, 09:33:21 PM
Correct.  You just have to make sure you generate the
seed on a machine that has never been online and never will be.
Not never has been, only never will be again. The machine can be online 5 seconds before you generate the seed, so long as you ensure it will never connect to the internet again.

This includes network-capable printers if you're printing paper wallets, best bet is to physically remove the network card from the machine!



There is an attack vector where your machine could get corrupted while online and then use pre-determined random numbers
or a set of seeds known to an attacker.  So at that point it doesn't matter if the machine is offline,
the attacker caused the victim to unwittingly use a known seed/private key which the attacker is
monitoring.

Note that you could mitigate this attack by rolling dice or flipping coins which the
ultra-paranoid should be doing anyway.
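
The dice mitigation suggested in this post, as an added example that is not part of the thread and not Electrum code: it turns six-sided dice rolls into 128 uniform bits by keeping faces 1-4 as two bits each and discarding 5 and 6, and refuses input that is grossly biased. The function names and the sample rolls are constructed for illustration; turning the resulting bytes into a wallet seed is not covered here.

```python
from collections import Counter

# Chi-square critical value for 5 degrees of freedom at p = 0.001.
CHI2_CRIT_DF5_P001 = 20.515


def chi_square_d6(rolls):
    """Chi-square statistic of the face counts against a fair six-sided die."""
    expected = len(rolls) / 6
    counts = Counter(rolls)
    return sum((counts.get(face, 0) - expected) ** 2 / expected
               for face in range(1, 7))


def dice_to_entropy(rolls, nbits=128):
    """Convert d6 rolls to nbits of entropy.

    Faces 1-4 map to the bit pairs 00, 01, 10, 11. Faces 5 and 6 are thrown
    away, so every kept roll contributes exactly two unbiased bits if the die
    is fair. About 1.5 * nbits / 2 rolls are needed on average.
    """
    if nbits % 8:
        raise ValueError("nbits must be a multiple of 8")
    if any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("rolls must be integers 1-6")
    # Only catches gross bias (a stuck die, made-up rolls such as all one
    # face); it cannot prove the rolls are random.
    if chi_square_d6(rolls) > CHI2_CRIT_DF5_P001:
        raise ValueError("face counts are too far from a fair die")
    kept = [r - 1 for r in rolls if r <= 4]
    need = nbits // 2
    if len(kept) < need:
        raise ValueError(f"need {need} rolls showing 1-4, got {len(kept)}")
    value = 0
    for two_bits in kept[:need]:
        value = (value << 2) | two_bits
    return value.to_bytes(nbits // 8, "big")


# Constructed sample: a repeating 1..6 pattern, used only so the output is
# predictable. Real rolls must come from physical dice.
SAMPLE_ROLLS = [1, 2, 3, 4, 5, 6] * 20

if __name__ == "__main__":
    print(dice_to_entropy(SAMPLE_ROLLS).hex())
```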


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: johnyj on May 03, 2015, 12:20:59 AM
Another question: How long has the wallet been used? When is the last time you receive coins with this wallet?

The receiving address has never been used, it seems the key for that specific address was already compromised before the transaction happened. Since all the addresses in an Electrum wallet are generated by the same seed, it is very likely that the seed was compromised


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 03, 2015, 06:35:40 AM
Yup. He also claims to not be very tech savvy, however engages in things that would typically only be done by someone who is tech savvy

Incorrect check my previous post. I am very computer literate and often very careful with my BTC.

No idea what SWX is, like I said, no one I know knows I have any bitcoin or what they even are! NO one has access to my PC. I've spent all night formatting and re-installing everything but I still can't work out if I was compromised or not.... Running in a VM with no other program except Tor and all unnecessary services disabled.

I'm stumped. And in a real tricky situation because I needed that BTC more than you can imagine.

FML


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 03, 2015, 09:17:06 AM
It goes without saying then that I'm screwed, and now broke Sad

Can't believe it. Time after time I've been scammed by vapourware or delays. Never been robbed straight up from my wallet

Donations welcome  :-[

Help a 'hero' out!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 03, 2015, 09:26:15 AM
It goes without saying then that I'm screwed, and now broke Sad

Can't believe it. Time after time I've been scammed by vapourware or delays. Never been robbed straight up from my wallet

Donations welcome  :-[

Help a 'hero' out!

I don't think you will receive any donation from the forum users, because it seems really strange from you.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 03, 2015, 09:32:16 AM
There is an attack vector where your machine could get corrupted while online and then use pre-determined random numbers
or a set of seeds known to an attacker.  So at that point it doesn't matter if the machine is offline,
the attacker caused the victim to unwittingly use a known seed/private key which the attacker is
monitoring.

Note that you could mitigate this attack by rolling dice or flipping coins which the
ultra-paranoid should be doing anyway.

Bitcoin clients still need to generate a random R value when creating a transaction, and if that isn't random then it can allow an attacker to recover your private key. Thus, while using real-world entropy to generate your private keys is a good idea, be aware that your client still uses an RNG when signing and if it is weak you can easily lose coins. This risk will be mitigated once more Bitcoin clients have support for deterministic R values. I checked OP's transaction and it doesn't appear that this was the case this time.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: ThomasV on May 03, 2015, 09:47:37 AM
Bitcoin clients still need to generate a random R value when creating a transaction, and if that isn't random then it can allow an attacker to recover your private key. Thus, while using real-world entropy to generate your private keys is a good idea, be aware that your client still uses an RNG when signing and if it is weak you can easily lose coins. This risk will be mitigated once more Bitcoin clients have support for deterministic R values. I checked OP's transaction and it doesn't appear that this was the case this time.

That is not the case here; Electrum uses deterministic signatures (RFC6979).
The only way a weak RNG could be exploited is for the generation of the seed.
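
Added example, not part of any post in this thread and not Electrum's own code: a Python sketch of RFC 6979 nonce derivation (HMAC-SHA256, 256-bit group order) next to a constructed model of the "pre-determined random numbers" RNG discussed above, with a check for signatures that share a nonce. The private key, messages and nonce pool are constructed test values; comparing k directly stands in for comparing the r values of real signatures, since r depends only on k.

```python
import hashlib
import hmac
from collections import defaultdict

# Order of the secp256k1 group that Bitcoin signatures use.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_nonce(priv: int, digest: bytes, q: int = N) -> int:
    """Derive the ECDSA nonce k from key and message digest (RFC 6979, section 3.2)."""
    if q.bit_length() != 256 or len(digest) != 32:
        raise ValueError("this sketch covers 256-bit orders and 32-byte digests only")
    if not 1 <= priv < q:
        raise ValueError("private key out of range")
    x = priv.to_bytes(32, "big")                                  # int2octets(x)
    h = (int.from_bytes(digest, "big") % q).to_bytes(32, "big")   # bits2octets(h1)
    v, k = b"\x01" * 32, b"\x00" * 32
    k = _hmac(k, v + b"\x00" + x + h)
    v = _hmac(k, v)
    k = _hmac(k, v + b"\x01" + x + h)
    v = _hmac(k, v)
    while True:
        v = _hmac(k, v)
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < q:
            return candidate
        k = _hmac(k, v + b"\x00")    # candidate out of range: update state and retry
        v = _hmac(k, v)


class PredeterminedRNG:
    """Constructed model of a compromised RNG: outputs cycle through a short fixed pool."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.calls = 0

    def nonce(self) -> int:
        value = self.pool[self.calls % len(self.pool)]
        self.calls += 1
        return value


def shared_nonces(nonce_by_message: dict) -> list:
    """Return groups of distinct messages that were signed with the same nonce."""
    groups = defaultdict(list)
    for message, k in nonce_by_message.items():
        groups[k].append(message)
    return [sorted(msgs) for msgs in groups.values() if len(msgs) > 1]


# Constructed test inputs. Never use this key for anything real.
PRIV = 0x1F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100
MESSAGES = [b"constructed tx 1", b"constructed tx 2",
            b"constructed tx 3", b"constructed tx 4"]


def sighash(message: bytes) -> bytes:
    # Bitcoin signs a double SHA-256 digest; the messages here are stand-ins.
    return hashlib.sha256(hashlib.sha256(message).digest()).digest()


def audit_demo():
    """Return (nonce collisions with the bad RNG, nonce collisions with RFC 6979)."""
    rng = PredeterminedRNG([0x1111, 0x2222])          # constructed two-value pool
    weak = {m: rng.nonce() for m in MESSAGES}
    deterministic = {m: rfc6979_nonce(PRIV, sighash(m)) for m in MESSAGES}
    return shared_nonces(weak), shared_nonces(deterministic)


if __name__ == "__main__":
    weak_hits, det_hits = audit_demo()
    print("bad RNG, messages sharing a nonce:", weak_hits)
    print("RFC 6979, messages sharing a nonce:", det_hits)
```

Signing the same message twice with RFC 6979 gives the same k, but that also gives the same signature, so nothing new is revealed; only different messages under one nonce are the problem the check looks for.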


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 03, 2015, 10:06:34 AM
It goes without saying then that I'm screwed, and now broke Sad

Can't believe it. Time after time I've been scammed by vapourware or delays. Never been robbed straight up from my wallet

Donations welcome  :-[

Help a 'hero' out!

I don't think you will receive any donation from the forum users, because it seems really strange from you.

No me neither. Got nothing to lose though. I'm an honest guy I just really hope people don't think I'm making this up. I am just a small time bitcoin user with a roof over my head and place to rest my head. So I'm lucky in that respect. If anyone should be asking for donations it should be the poor souls in Nepal that really really need donations.

Just wish I hadn't lost all of bitcoin is all! :(


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: virtualx on May 03, 2015, 10:53:57 AM
I think you have a trojan on your machine.

The blockchain record has the message:
Quote
13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC (YoUr MyStErIoUs ThIeF lolz) 0.92329 BTC

The thief transfers to 13GrQ46YQ3x3fp1p5eHrPKSsMaxjDY9VwC -> 1FpsRjQXFgiGzLNwyb2UC7bDNkj99xwdnf -> 14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 03, 2015, 10:56:55 AM
It goes without saying then that I'm screwed, and now broke Sad

Can't believe it. Time after time I've been scammed by vapourware or delays. Never been robbed straight up from my wallet

Donations welcome  :-[

Help a 'hero' out!

I don't think you will receive any donation from the forum users, because it seems really strange from you.

No me neither. Got nothing to lose though. I'm an honest guy I just really hope people don't think I'm making this up. I am just a small time bitcoin user with a roof over my head and place to rest my head. So I'm lucky in that respect. If anyone should be asking for donations it should be the poor souls in Nepal that really really need donations.

Just wish I hadn't lost all of bitcoin is all! :(

However, I suggest you publish your seed (as ThomasV said previously in his post), so the Electrum team can investigate, but I do not think it is an Electrum problem (at 99% it is a 'machine' problem).

Have you checked your computer? A complete check.


For the question of donation, I think if it is (was) an electrum error ... ThomasV will repay you (why not?).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 03, 2015, 11:44:41 AM
It's on the move:

https://blockchain.info/tx/c2eba70e624fbb4e5766beb2e4f630db8d1a5ae8bca52ef097376e0f0388479e


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 03, 2015, 12:53:12 PM
It's on the move:

https://blockchain.info/tx/c2eba70e624fbb4e5766beb2e4f630db8d1a5ae8bca52ef097376e0f0388479e

Don't even bother tracking! He will mix it soon or he already mixed it :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 03, 2015, 01:09:58 PM
Fuck sake. I sold my gopro to buy those coins. Unbelievable!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: tokeweed on May 03, 2015, 01:22:57 PM
So is this a flaw in Electrum?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: redsn0w on May 03, 2015, 01:29:18 PM
So is this a flaw in Electrum?

We will never know if it is a fault 'by electrum' or a computer problem... but the OP said:


I've already deleted that wallet, cleared it out and shredded it. Shit. Is there anyway to retrieve it?

When ThomasV asked the seed for a check.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Muhammed Zakir on May 03, 2015, 01:32:44 PM
Sorry if this is already answered. Which OS are you using? Have you tried to recover deleted file?

P.S. See http://wikihow.com/Recover-Deleted-Files-from-Your-Computer. If you are lucky, you may be able to recover it.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 03, 2015, 01:56:08 PM
Sorry if this is already answered. Which OS are you using? Have you tried to recover deleted file?

P.S. See http://wikihow.com/Recover-Deleted-Files-from-Your-Computer. If you are lucky, you may be able to recover it.

He said he "shredded" it! It cannot be recovered! Shredding Files deletes it permanently and can't be recovered!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: unamis76 on May 03, 2015, 02:52:46 PM
The coins have been joined in an address with similar small inputs and then passed through addresses with more coins, they have probably been mixed/are being mixed. I bet this is some new malware that's being widespread. Too bad OP shredded everything, otherwise we have many security experts around that could have analysed the system...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: btchris on May 03, 2015, 02:54:47 PM
Sorry if this is already answered. Which OS are you using? Have you tried to recover deleted file?

P.S. See http://wikihow.com/Recover-Deleted-Files-from-Your-Computer. If you are lucky, you may be able to recover it.

He said he "shredded" it! It cannot be recovered! Shredding Files deletes it permanently and can't be recovered!

Even if he did, that doesn't mean his seed is definitely unrecoverable as you imply.

Electrum, until recently, truncated the wallet file before writing to it for each wallet save. This could leave the (possibly encrypted) seed in multiple blocks on the drive, depending on how often Electrum saved the wallet file, even if he shredded it. (Newer versions of Electrum create a new wallet file, and then unlink the old one, again leaving the seed in potentially multiple blocks).

MZ's questions are good ones.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 03, 2015, 03:07:31 PM
Sorry if this is already answered. Which OS are you using? Have you tried to recover deleted file?

P.S. See http://wikihow.com/Recover-Deleted-Files-from-Your-Computer. If you are lucky, you may be able to recover it.

He said he "shredded" it! It cannot be recovered! Shredding Files deletes it permanently and can't be recovered!

Even if he did, that doesn't mean his seed is definitely unrecoverable as you imply.

Electrum, until recently, truncated the wallet file before writing to it for each wallet save. This could leave the (possibly encrypted) seed in multiple blocks on the drive, depending on how often Electrum saved the wallet file, even if he shredded it. (Newer versions of Electrum create a new wallet file, and then unlink the old one, again leaving the seed in potentially multiple blocks).

MZ's questions are good ones.

Sorry But I am not a technical guy and I didn't get what you said :P
Anyway, "Shred"="Permanently Delete"! That's what I have heard till now! If that can be recovered either I am using an outdated technology or you are using a new one :P


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: btchris on May 03, 2015, 03:24:06 PM
Even if he did, that doesn't mean his seed is definitely unrecoverable as you imply.

Electrum, until recently, truncated the wallet file before writing to it for each wallet save. This could leave the (possibly encrypted) seed in multiple blocks on the drive, depending on how often Electrum saved the wallet file, even if he shredded it. (Newer versions of Electrum create a new wallet file, and then unlink the old one, again leaving the seed in potentially multiple blocks).

MZ's questions are good ones.

Sorry But I am not a technical guy and I didn't get what you said :P
Anyway, "Shred"="Permanently Delete"! That's what I have heard till now! If that can be recovered either I am using an outdated technology or you are using a new one :P

In other words, whenever Electrum saves the wallet file, it does a normal delete, and then creates a new wallet file. If OP shredded his wallet file, he only shredded that most recently saved file. Other older copies of the wallet, as deleted by Electrum, might still be on the drive somewhere.
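
Added example, not part of any post in this thread: a toy block-device model of the two save behaviours btchris describes, showing why shredding only the current wallet file leaves older copies in freed blocks. The disk model, its next-fit allocator and the wallet contents are assumptions constructed for illustration; real filesystems allocate differently, and this is not Electrum's code.

```python
BLOCK = 64                      # toy block size in bytes
MARKER = b"'seed'"              # what a raw scan of the device looks for


class ToyDisk:
    """Constructed model: freeing a block releases it but never erases its contents."""

    def __init__(self, nblocks: int = 32):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = set(range(nblocks))
        self.files = {}          # file name -> list of block indexes
        self.cursor = 0          # next-fit allocation cursor (modelling assumption)

    def _alloc(self) -> int:
        n = len(self.blocks)
        for step in range(n):
            idx = (self.cursor + step) % n
            if idx in self.free:
                self.free.remove(idx)
                self.cursor = (idx + 1) % n
                return idx
        raise OSError("toy disk full")

    def write_new(self, name: str, data: bytes) -> None:
        idxs = []
        for off in range(0, len(data), BLOCK):
            idx = self._alloc()
            self.blocks[idx] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            idxs.append(idx)
        self.files[name] = idxs

    def unlink(self, name: str) -> None:
        # A normal delete: the blocks return to the free pool, data stays in place.
        self.free.update(self.files.pop(name))

    def shred(self, name: str) -> None:
        # Overwrite only the blocks the file occupies right now, then delete it.
        for idx in self.files[name]:
            self.blocks[idx] = b"\xff" * BLOCK
        self.unlink(name)

    def raw_scan(self, marker: bytes) -> list:
        """Indexes of every block, allocated or free, that still contains the marker."""
        return [i for i, blk in enumerate(self.blocks) if marker in blk]


def wallet_bytes(save_no: int) -> bytes:
    # Constructed stand-in for a wallet file; the seed value is a placeholder.
    return b"{'seed': 'constructed-placeholder-seed', 'saves': %d}" % save_no


def save_truncate_then_write(disk: ToyDisk, data: bytes) -> None:
    """Older behaviour per the thread: truncate the wallet file, then write it again."""
    if "wallet" in disk.files:
        disk.unlink("wallet")            # truncation releases the old blocks
    disk.write_new("wallet", data)


def save_new_then_unlink(disk: ToyDisk, data: bytes) -> None:
    """Newer behaviour per the thread: write a new file, then unlink the old one."""
    disk.write_new("wallet.tmp", data)
    if "wallet" in disk.files:
        disk.unlink("wallet")
    disk.files["wallet"] = disk.files.pop("wallet.tmp")


def residue_after_shred(save, saves: int = 4):
    """Save the wallet several times, shred it, and scan the raw device before and after."""
    disk = ToyDisk()
    for n in range(saves):
        save(disk, wallet_bytes(n))
    before = disk.raw_scan(MARKER)
    disk.shred("wallet")
    after = disk.raw_scan(MARKER)
    return before, after


if __name__ == "__main__":
    for save in (save_truncate_then_write, save_new_then_unlink):
        before, after = residue_after_shred(save)
        print(f"{save.__name__}: blocks with seed before shred {before}, after {after}")
```

In this model every save but the last one survives the shred, which is why wiping free space or keeping the wallet on an encrypted volume matters more than shredding the one visible file.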


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 03, 2015, 03:39:09 PM
In other words, whenever Electrum saves the wallet file, it does a normal delete, and then creates a new wallet file. If OP shredded his wallet file, he only shredded that most recently saved file. Other older copies of the wallet, as deleted by Electrum, might still be on the drive somewhere.

OK! Now I get it! But OP said he is very tech savvy, so how come he didn't know about this?
You have the capacity to make a hard thing easy to understand :D :D


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Blazr on May 03, 2015, 04:32:54 PM
By the way, looks like this wasn't the first time OP said he got hacked:
https://bitcointalk.org/index.php?topic=202087.0

Umm.... something suspicious is going on here methinks.

Here is a post he made another time his account got hacked:

The original minerd code is actually fine. You do have to realize that most antiviruses will flag it as a virus because of Botnet operators.

OP and second post seem to have downloaded minerd that was modified for YAC. If the source code wasn't posted, you shouldn't have downloaded it. Look into compiling source code yourself instead of downloading pre-compiled binaries. ALWAYS CHECK if source code is available.

Could you provide a link to the miner file you downloaded? The bitcointalk thread would be best. It appears as if whoever wrote that code (potentially YAC founder) did it to promote his coin. Did you guys look at the posts that were made to see what they said? Are they promoting the hell out of the coin?

TBH there's not a lot anyone could get from this PC and I am pretty reckless with this machine I'll admit! New installs are a regular occurrence.... Of course I was stupid to download those binaries, it's that whole human nature (greed) thing ya know?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Quickseller on May 03, 2015, 04:36:03 PM
By the way, looks like this wasn't the first time OP said he got hacked:
https://bitcointalk.org/index.php?topic=202087.0

Umm.... something suspicious is going on here methinks.
It looks like in that case his account was hacked, but no money was stolen. That could have been another attempt to get attention

I would think it would be unlikely that the account would both get hacked and recovered inside of ~7 hours (the time between the OP was made in that thread and the time it was last edited).


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: ThomasV on May 03, 2015, 04:46:41 PM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 03, 2015, 05:01:47 PM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


His activity seems fishy! Seems like a pretty well made story! BTW btchris told me seeds can still be recovered! Isn't that true?


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jonald_fyookball on May 03, 2015, 07:29:32 PM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


His activity seems fishy! Seems like a pretty well made story! BTW btchris told me seeds can still be recovered! Isn't that true?

Thomas, your genius never fails to delight :)

Sarthak, If you have an unencrypted wallet file, you can recover the seed but I think you would need to convert the raw data to a human-readable seed.

I also wrote a script where you can brute force the seed if you know one of the first addresses and had just one of the words in the seed written down incorrectly.





Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: fryarminer on May 04, 2015, 12:28:05 AM
It's moved

https://blockchain.info/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T

Hey OP, what does "SWX" mean? Does it mean anything to you?

Quote
3lectruM fail. More2come SWX
aLL bTc in my handz SWX

hey so now that all this is resolved and stuff, can you tell me what SWX means? :p


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 04, 2015, 03:26:31 AM
hey so now that all this is resolved and stuff, can you tell me what SWX means? :p

Try replacing the "W" with E and you'll get it :P

Sarthak, If you have an unencrypted wallet file, you can recover the seed but I think you would need to convert the raw data to a human-readable seed.

I also wrote a script where you can brute force the seed if you know one of the first addresses and had just one of the words in the seed written down incorrectly.

Well I am not a technical guy and didn't really understand seed, encryption and hashing things! Give the script to OP! Maybe it helps :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jonald_fyookball on May 04, 2015, 03:29:54 AM
hey so now that all this is resolved and stuff, can you tell me what SWX means? :p

Try replacing the "W" with E and you'll get it :P

Sarthak, If you have an unencrypted wallet file, you can recover the seed but I think you would need to convert the raw data to a human-readable seed.

I also wrote a script where you can brute force the seed if you know one of the first addresses and had just one of the words in the seed written down incorrectly.

Well I am not a technical guy and didn't really understand seed, encryption and hashing things! Give the script to OP! Maybe it helps :)


there's no script that gets your coins back from a thief (assuming story is true which is questionable)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Sarthak on May 04, 2015, 03:34:36 AM
there's no script that gets your coins back from a thief (assuming story is true which is questionable)

No! I understand Bitcoin transactions cannot be reversed! I meant to say that even though the coins cannot be pushed back maybe the seed can be recovered with the script :)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: jonald_fyookball on May 04, 2015, 03:36:26 AM
there's no script that gets your coins back from a thief (assuming story is true which is questionable)

No! I understand Bitcoin transactions cannot be reversed! I meant to say that even though the coins cannot be pushed back maybe the seed can be recovered with the script :)

if he deleted the wallet file and can't remember most of it, it's lost, and not that valuable now that the theft has occurred except for research.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 04, 2015, 07:28:05 AM
By the way, looks like this wasn't the first time OP said he got hacked:
https://bitcointalk.org/index.php?topic=202087.0

Umm.... something suspicious is going on here methinks.

Here is a post he made another time his account got hacked:

The original minerd code is actually fine. You do have to realize that most antiviruses will flag it as a virus because of Botnet operators.

OP and second post seem to have downloaded minerd that was modified for YAC. If the source code wasn't posted, you shouldn't have downloaded it. Look into compiling source code yourself instead of downloading pre-compiled binaries. ALWAYS CHECK if source code is available.

Could you provide a link to the miner file you downloaded? The bitcointalk thread would be best. It appears as if whoever wrote that code (potentially YAC founder) did it to promote his coin. Did you guys look at the posts that were made to see what they said? Are they promoting the hell out of the coin?

TBH there's not a lot anyone could get from this PC and I am pretty reckless with this machine I'll admit! New installs are a regular occurrence.... Of course I was stupid to download those binaries, it's that whole human nature (greed) thing ya know?

Different PC, and my bitcointalk account was compromised through a session hijack. It's just got used to spam the hell out of the forum :/

This computer I'm using at the moment is very secure.

Please stop trying to taint my name. I respect this community and i'll be damned if you start calling me a scammer! ;)


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: bennybong on May 04, 2015, 07:32:11 AM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


Think what you will. Never thought I'd be on receiving end of this notorious witch hunting ;)

Thanks


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: btchris on May 04, 2015, 12:26:10 PM
No! I understand Bitcoin transactions cannot be reversed! I meant to say that even though the coins cannot be pushed back maybe the seed can be recovered with the script :)

if he deleted the wallet file and can't remember most of it, it's lost, and not that valuable now that the theft has occurred except for research.

I agree with the latter half of your statement, but not the former. Please read this earlier post (https://bitcointalk.org/index.php?topic=1045264.msg11272750#msg11272750)....


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: dsattler on June 24, 2015, 03:40:14 PM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


Maybe this is related to the fake electrum website:

https://bitcointalk.org/index.php?topic=1098340.msg11702869#msg11702869


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: unamis76 on June 25, 2015, 04:27:39 PM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


Maybe this is related to the fake electrum website:

https://bitcointalk.org/index.php?topic=1098340.msg11702869#msg11702869

It most likely is... Seems that the website has been around longer than we thought. The thief has also been getting quite a bit of Bitcoins, judging by his addresses' balances.


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: dsattler on June 25, 2015, 10:21:36 PM
So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.


Maybe this is related to the fake electrum website:

https://bitcointalk.org/index.php?topic=1098340.msg11702869#msg11702869

It most likely is... Seems that the website has been around longer than we thought. The thief has also been getting quite a bit of Bitcoins, judging by his addresses' balances.

Yes I think so: the latest download version on the fake site was 2.2!


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: unamis76 on June 26, 2015, 06:36:09 PM
It would be really nice if the OP could clarify if this was the case. I'm actually pretty curious, this thread drew quite a lot of attention...


Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: Muhammed Zakir on June 26, 2015, 06:45:01 PM
It would be really nice if the OP could clarify if this was the case. I'm actually pretty curious, this thread drew quite a lot of attention...

This was most probably a fake story or OP is not what he claims to be. ThomasV summed it up well.

So is this a flaw in Electrum?

I don't think so. There are too many inconsistencies in this story.

 - The thief targets a small wallet (0.92 btc), and tags his transaction with "3lectrum Fail" on blockchain.info.
   A real thief in possession of an exploit would target large wallets first, and he would try not to attract attention on his exploit.
 - The OP ignores my first request to publish his seed, but calls for donations instead.
 - On my second request, the OP says that he is concerned about the security implications of disclosing his seed, which suggests that he still has the seed, or believes he has it.
   However, less than one hour later, he said that he has deleted (and even shredded!) the file containing it.
 - When I asked the OP if he has paper backup of his seed, he says he has none. Yet, in one of his first posts he said "That's ll the btc I had"
 - The OP claims to be "very tech savvy". However, he deletes his wallet file, preventing further investigation.
   A tech savvy person would not destroy evidence just after being hacked.

So, either the OP made up that story, or he has no clue about security.



Title: Re: JUST HAD 0.92329 BTC STOLEN - HOW???
Post by: LZ on June 27, 2015, 02:25:31 AM
Windows 7
Dr.Web CureIt AV Scanner (https://www.freedrweb.com/cureit/?lng=en) (download) (https://www.freedrweb.com/download+cureit/gr/?lng=en)

and VMware from encrypted container running Ubuntu
haveged entropy daemon (https://web.archive.org/web/20150627021643/http://www.issihosts.com/haveged/) (how to setup) (https://web.archive.org/web/20150627021457/https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged)