Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: pabloangello on November 27, 2013, 04:00:16 PM



Title: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 04:00:16 PM
Hello all members and readers outside the forum.
I would like to tell you my story of what happened to me yesterday morning, which I have been fighting till today.
It is extremely important due to the highly increasing interest in crypto currencies across the globe.
Especially for newcomers excited about all of this amazing crypto currency world who want to invest their money in it.

OK so.

About three weeks ago I decided to enter the world of cryptos. I wanted to invest some of my money and diversify my investment into different alternate coins because everything told me they will grow in the long run and it is a good thing to do so (most of them are deflationary by definition).
So I joined the forum, read a lot, felt amazed by all of this, installed new wallets every day, more or less popular or completely new coins.

Eventually I picked my top 10 best to invest in at that moment, in my opinion. Bought BTC and exchanged them for those cryptos. So during the next two weeks I had more or less what I wanted in my wallets. During those days I of course encrypted every wallet I had.
I watched the charts every day, tried a little arbitrage between markets (with little success) that let me buy more and fill my investments with new coins.
I was happy and very excited during all those days. It ran smooth and nice. I felt secure.

Then yesterday morning I had some BTC on Cryptsy and wanted to buy some Digitalcoins (it was about 1100).
So I bought them and sent to my DGC wallet.
At that moment I remembered that I had a feeling that most probably I didn't encrypt one of my wallets and wasn't sure if it was the Digitalcoin wallet or not. I had something like 1900 DGC there.

So I opened my wallet, waited for it to sync, and a second after it synced, instantaneously -1900 DGC was sent from my wallet to another address. And a second after that my newly bought 1100 DGC came to me from Cryptsy. I am quite new to all this and my first thought was that it is some error or something, but? Here is the screenshot:

http://i41.tinypic.com/2j4zwx3.png

Transaction id:
http://dgc.cryptocoinexplorer.com/address/DG5phm55dZiWwX5oknkJJgKkULMeXtFCoF
Thief address: DG5phm55dZiWwX5oknkJJgKkULMeXtFCoF  

The other withdrawal (2013-11-27) is a desperate rescue of my own coins to another wallet (created on another PC), but more about it later.
Aha, and my wallet was encrypted.

So I became really suspicious. Maybe there is a trojan or something like that in my OS? I started to look at the Windows Process Manager I have open all the time on my second monitor, but nothing suspicious there.
So I opened CCleaner and there found something weird looking:

https://images.weserv.nl/?url=i39.tinypic.com/2nkjoup.png&fnr

It was almost obvious that something like this shouldn't be in my autostart. So I tried to close it, delete it through CCleaner, but every time I did that it was auto-enabled again!

So I think ok, let's go to this directory. So I clicked C, Users, Pawel and .... ? Where are "ensuy" and "qfiyp" directories?
THEY WEREN'T VISIBLE even though I had "show hidden files and directories" checked.

So I put the address C:\Users\Pawel\ensuy into the address bar and what happened? The screen shook and all of my windows were immediately closed.
At this moment it was obvious something really scary was going on and I felt hugely unsafe.
I opened the command console, went to C:\Users\Pawel, typed "dir", but those directories were also not visible in the listing.
So I typed "ensuy" and "qfiyp" manually and then I was in:

https://images.weserv.nl/?url=i43.tinypic.com/ori5w4.png&fnr
thecoin-qt.exe

And some other not visible files (there were more than this visible on listing).

My still running antivirus (AVG) did not catch anything!

I tried to delete it manually through cmd but it didn't help. I tried restart in Safe Mode, still nothing. Can't get rid of that.
Even when I tried to delete it directly from registry keys it did not help.
So I started to search the internet and downloaded some antimalware software. After a full scan it found those files and after a reboot I could delete them from autostart, registry keys and from those directories I mentioned above. But I still cannot delete those directories even though they were empty.


So what next!? I asked myself.
I started to open my wallets one by one and change the passphrases. But one question was on my mind: "If I change a passphrase when I am not synced because blocks are loading, then is my newly encrypted wallet sent to the network or not?!"
I did not know the answer to that question (now I know), but what else could I do, I thought.
The problem was I hadn't opened most of my wallets for several days, and lately there is such huge traffic on the market that blocks were loading and loading endlessly.

I felt a little bit more secure after deleting this trojan or whatever it was. But I had a strong feeling that something is still very not right and that it was most probably a keylogger, because how is it possible for somebody to send money from my wallet without knowing my password?
I started to change all my passwords, for email, markets, everything.. but I had this strong feeling that I shouldn't do that on this system anymore. Maybe there is already a rootkit installed, or who knows what else?
Then I also started to think, where was it installed? I checked the date of "thecoin-qt.exe" and realized it was just after I decided to enter this crypto world!
I also put this phrase into google and there was a match:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AAB/detailed-analysis.aspx
This is it, or branch of it, very similar.

I searched through my browser history and my memory and remembered that at the very beginning of my journey, when I was so turned on and installed every wallet in an excited rush, there was one new alt coin project I felt weird about.
!!!   https://bitcointalk.org/index.php?topic=333160.0    !!!

I remember exactly when I downloaded this client and wanted to click on it, something told me DON'T. Thread looks weird, no community around... but he provides source codes (yeaah and you didn't check them and also how could you know what is in that .exe DUMB ASS!).

I remember I deleted it quickly after installation because I felt it was weird. BUT IT WAS TOO LATE - REMEMBER THAT NEWCOMER!

Then I found that thread, looked at the last post and... everything became clear...  I had a trojan\keylogger\and who knows what more.


So I moved to my brother's PC (his computer was shut down for weeks because he is in another country right now, so the hacker couldn't reach it).
To be sure I turned off the internet connection on my laptop.
Firstly I started to download my most valuable wallets, so I started with Megacoin, in which I invested most of my money.
Blocks loading, I see the amount of my MGC on it and I am waiting.

Then..

Synced..

Puh!

http://i41.tinypic.com/2dmd21j.png
To: MA6CFTXYwQwBKmLBT8A3x9zzT6rYAG2RDf
Debet: -8406.00 MΣC
Kwota netto: -8406.00 MΣC
ID transakcji: 91c1167e94e13f70dd5dfc777bf4d3295dc45f7a062eb14be484ebbbd122bf88

So I realized, YES IT WAS A KEYLOGGER AND EVEN MORE BECAUSE HE STOLE YOUR WALLETS!


At that point I didn't believe at all that my laptop was safe right now, so I changed every password for every website, forum, market, wallet, etc. And started to download my other wallets and change the passphrases of every one of them again.
Also started to create new wallets for all my coins (I WILL NOT USE those wallet addresses that you see on the screens anymore) with other new passwords.


I sat till 4:30 am loading blocks, changing passwords, creating new wallets, securing them, sending coins to them (if there was above 0 ...) and had a very unpleasant feeling every time a wallet got synced...


Till morning the next day (it is today) I slept a few hours because I didn't have any more power, super tired, even right now.
And he also stole all my
Primecoins:


http://i42.tinypic.com/1zl4nbd.png
Status: 3407 potwierdzeń
Data: 2013-11-25 21:16
Do: AKfSuxQDE1Q8YQWKbhLGVvTAfG6jzrJ5tg
Debet: -112.30 XPM
Prowizja transakcji: -0.04435538 XPM
Kwota netto: -112.34435538 XPM
ID transakcji: 4bb9e53613a697d4af0d2681634535b4a038e723e1c2e6924f1c4433ba14a375


and


Peercoins


http://i41.tinypic.com/fz5kbp.png
Status: 131 potwierdzeń
Data: 2013-11-27 09:52
Do: PWYWk7tNT78AdcY4c58VbtuVMTbHS7WgZQ
Debet: -55.00 PPC
Prowizja transakcyjna: -0.01 PPC
Kwota netto: -55.01 PPC
ID transakcji: 2abd81835bc8b1db41e7965be235a1e4f498be02302a578117725004d02dd848

What is interesting in the above screen: why was his withdrawal, which happened after mine, confirmed and mine not?

--------
Right now I have finished everything and am struggling to install a clean Win 7 on my laptop (there are some problems as always with .iso's from Windows, I have my key of course). I am very tired but a little bit happy I saved almost half of my diversified wallets...

I know it was silly on my side and I should be more careful. You know how it is when you are super excited about something. You can easily become thoughtless about things you normally care about.


I am no admin here of course but I would suggest this thread as a WARNING and also as some instructions on how to detect that something is not right and our wallets and computers could be in danger.


I strongly suggest to all of you to check your systems like I described above. Even if you did not install this wallet I mentioned.

Why?!

We are at the beginning of a new upcoming era of virtual money, virtual wallets. My case is simple and it was quite easy to avoid it, but remember, new technologies always attract thieves with their new ways of robbing us. This will not be the last time one of us will lose money. They are for sure working on something right now and I strongly suggest - BE EXTREMELY CAUTIOUS with your coins and wallets. Install not only antivirus but also anti-malware software and hide your wallets as deep as you can.


So in sum I have lost about: 1900 Digitalcoins, 8400 Megacoins, 112 Primecoins and 55 Peercoins.

I took a lesson I will never forget. Learn from my mistakes...



TO THE THIEF THAT ROBBED ME

I know you actively look through this forum. Most probably you have new account and still are with us.
I believe in people and if you have some empathy in yourself, please give me back my money. At least some.
Here are my new addresses:

Digitalcoin:
DFUiUnDGQYAGPmoXrXeQgAVz7uborYfHgz

Megacoin:
MAMbeVmzwpBhyyA1u39vyFNmZCEUbUM5rk

Peercoin:
PWwjLApspBX8PE3ECwPfSs2HWje1euAjqs

Primecoin:
Ad7L8CSnWvWXCh8mBTrDvkAp2tX9BbmyiW


--------------
For all of those that read that far. Thank you a lot that I could share my story with you and please take care about your coins.

Wish all of you smart, growing investments.

Pablo

ps. sorry for my English, it is not my native language.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: digitalindustry on November 27, 2013, 04:26:47 PM
I'm really sorry for your loss:

notes:

1. Linux-

2. Compile-

3. Untrusted source -


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: hilariousandco on November 27, 2013, 04:31:43 PM
https://images.weserv.nl/?url=img15.hostingpics.net/pics/881830logo.jpg

THCoin? That was your first mistake there. This is why it's a bad idea to download new coins that spring up out of nowhere.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 04:35:37 PM
https://images.weserv.nl/?url=img15.hostingpics.net/pics/881830logo.jpg

THCoin? That was your first mistake there. This is why it's a bad idea to download new coins that spring up out of nowhere.

Yes, I also mentioned that. I know it is also my fault.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Hazard on November 27, 2013, 04:36:34 PM
Shitty knockoff of weedcoin :D

https://bitcointalk.org/index.php?topic=219748.0


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: MisO69 on November 27, 2013, 04:37:24 PM
THC Coin had a keylogger?  :o

I didn't download it, thought the name was stupid and its purpose could only be used for illegal things.



Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 04:38:58 PM
THC Coin had a keylogger?  :o

I didn't download it, thought the name was stupid and its purpose could only be used for illegal things.


You did the right thing. I envy you :/
Most probably if I had been a little more experienced in those days, not a total newbie, I would have done the same. My bad.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: miffman on November 27, 2013, 04:57:47 PM
Thank you very much for this, much appreciated. I wish you best of luck in recovering all of your lost coins


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 05:20:21 PM
Thank you very much for this, much appreciated. I wish you best of luck in recovering all of your lost coins
Thanks. Glad you appreciate it.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: VirtualCoinBuddy on November 27, 2013, 05:24:18 PM
Thanks for the heads up! I often check my puter for malware and shit.. I know about them keyloggers.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: glerant on November 27, 2013, 05:30:10 PM

Sorry about your coins - what a nightmare.
Thanks for your detailed analysis of what happened - it reminds us all to be wary.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Amph on November 27, 2013, 05:31:23 PM
avira + hitmanpro + malwarebytes anti-malware = gg any virus


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 05:56:51 PM
avira + hitmanpro + malwarebytes anti-malware = gg any virus
Will try FOR SURE, haven't heard about hitmanpro.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: zakorus on November 27, 2013, 06:09:46 PM
whoever this dbag is needs to go and shove himself in a meatgrinder. what a dick! >:(
mine it yourself, don't steal from other people. if i had some coins i'd donate but sadly i just started mining a few days ago for the first time ever.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 06:15:57 PM
whoever this dbag is needs to go and shove himself in a meatgrinder. what a dick! >:(
mine it yourself, don't steal from other people. if i had some coins i'd donate but sadly i just started mining a few days ago for the first time ever.
I hope you will mine something, nowadays it is really hard.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: defaced on November 27, 2013, 06:29:40 PM
Wow that really sucks.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: FiiNALiZE on November 27, 2013, 06:36:03 PM
I'm pretty sure the thief's main DGC address is:

http://dgc.cryptocoinexplorer.com/address/DM9UGWJyPWfU4XdHWU3iGWwFmexba5fKQ4


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 06:38:49 PM
I'm pretty sure the thief's main DGC address is:

http://dgc.cryptocoinexplorer.com/address/DM9UGWJyPWfU4XdHWU3iGWwFmexba5fKQ4
Pity that we cannot do much with this. That is the other side of crypto currency.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Lauda on November 27, 2013, 07:00:02 PM
Sorry that this has happened to you. Although it was a mistake on your end.
Try linux next time, and less "suspicious" coins.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 07:06:48 PM
Sorry that this has happened to you. Although it was a mistake on your end.
Try linux next time, and less "suspicious" coins.
Yep, I admitted it. But it is still no excuse for the man behind it. But you know there will be more advanced methods of wallet attacks. Right now I'm creating a fortress out of my PC before installing anything from the net.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: braytz on November 27, 2013, 07:09:22 PM
wow....


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: (A)social on November 27, 2013, 07:17:00 PM
I'm sorry for your loss, but when I did reach to read this...

...
Right now I finished everything and struggling to install clean Win 7 on my laptop
...

made me so :o


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 07:19:15 PM
I'm sorry for your loss, but when I did reach to read this...

...
Right now I finished everything and struggling to install clean Win 7 on my laptop
...

made me so :o
I did all new wallets, changed passwords etc. on another, not virused computer (my brother's) if you mean that. Formatted and installed a clean new Win on the laptop.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: (A)social on November 27, 2013, 07:54:19 PM
I would only use linux if i had to deal with such amount of crypto-money.

This.
Or, at least, separated Win machines under virtualbox (very easy to use).


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 08:09:59 PM
hope they didn't get your private key, from what i have been reading, if they have your private keys, the only way to be safe is to transfer the coins to a different address with a clean key.

I would only use linux if i had to deal with such amount of crypto-money.

This.
Or, at least, separated Win machines under virtualbox (very easy to use).

yes, even a different system on virtualbox would increase security.
I also thought about it. Will do for sure. Even today.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 09:02:07 PM
Ah and important note.
I mentioned in my first post of this thread that I was not sure, if I change the passphrase for a wallet, whether it is sent to the whole network or not before it is synced.

And no, it is not; whoever has your wallet with your previous pass can do that until you have synced your wallet with the new password.

I think this is a big disadvantage of current desktop wallets.



Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Lauda on November 27, 2013, 09:52:11 PM
Sorry that this has happened to you. Although it was a mistake on your end.
Try linux next time, and less "suspicious" coins.
Yep, I admitted it. But it is still no excuse for the man behind it. But you know there will be more advanced methods of wallet attacks. Right now I'm creating a fortress out of my PC before installing anything from the net.
or just have one where you keep wallets. Have 0 software aside from security (unless you can use linux).


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 09:54:51 PM
Sorry that this has happened to you. Although it was a mistake on your end.
Try linux next time, and less "suspicious" coins.
Yep, I admitted it. But it is still no excuse for the man behind it. But you know there will be more advanced methods of wallet attacks. Right now I'm creating a fortress out of my PC before installing anything from the net.
or just have one where you keep wallets. Have 0 software aside from security (unless you can use linux).
Yep, at this moment I am also downloading a linux iso and will install it on a VM. All of that + anti-keylogger and I will feel a bit better.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: dsattler on November 27, 2013, 10:29:20 PM
I feel very sorry for your loss!   :(

But maybe you can take comfort in the knowledge, that your example will be a warning to all the cryptocurrency users. I will immediately secure my altcoin wallets, that's for sure!

For BTC I use an offline wallet (armory). Are there any offline wallets for altcoins as well?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: 501 on November 27, 2013, 10:32:13 PM
Sorry to hear about that. At least you can learn from it and now know how to better secure your funds for next time. If you don't mind me asking, how much in USD did you lose total?

Also, if you're just investing in lots of coins and not planning to spend them, there is no reason to even use wallet clients (I can only speak for the couple of alts I own, not all) - I have almost all of my funds stored in paper wallets that were generated on an offline computer that never has and never will be connected to the internet (old thing that doesn't even have wireless). Even if my main computer were to be completely taken over, the most someone would be stealing would be some random family photos, maybe my Facebook password, and some pron that they could just stream for free anyway.

I only keep a tiny fraction of funds in a hot wallet for spending, but at this point I mean can you even spend megacoin and all the others anywhere anyway? So no point keeping them hot.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 10:45:55 PM
I feel very sorry for your loss!   :(

But maybe you can take comfort in the knowledge, that your example will be a warning to all the cryptocurrency users. I will immediately secure my altcoin wallets, that's for sure!

For BTC I use an offline wallet (armory). Are there any offline wallets for altcoins as well?
Yes I wrote this thread also for that - to warn the others, especially new ones. I don't know about offline wallets for other altcoins.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 27, 2013, 10:49:46 PM
Sorry to hear about that. At least you can learn from it and now know how to better secure your funds for next time. If you don't mind me asking, how much in USD did you lose total?

Also, if you're just investing in lots of coins and not planning to spend them, there is no reason to even use wallet clients (I can only speak for the couple of alts I own, not all) - I have almost all of my funds stored in paper wallets that were generated on an offline computer that never has and never will be connected to the internet (old thing that doesn't even have wireless). Even if my main computer were to be completely taken over, the most someone would be stealing would be some random family photos, maybe my Facebook password, and some pron that they could just stream for free anyway.

I only keep a tiny fraction of funds in a hot wallet for spending, but at this point I mean can you even spend megacoin and all the others anywhere anyway? So no point keeping them hot.
How much I lost you can count from my first post. I wrote there how many and which coins I lost, it is also visible on screenshots.
Personally I didn't invest "that much", the coins just went extremely high from the day I bought, and if I lost the amount (from my bank account) that they are worth right now, then it would hurt me very badly.
I had encrypted wallets but right now on my newly installed os I also downloaded anti-keylogger.. Just in case.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: 3ds on November 28, 2013, 09:50:06 AM
That's why I often ask to provide the checksum of the client files, read -> https://bitcointalk.org/index.php?topic=347391.0
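
The file-checksum check raised in the post above, as an added example that is not part of the thread or of any wallet project: it verifies every file of an unpacked client against a `sha256sum`-style manifest and also reports files the manifest never listed. File names, contents and the manifest are constructed; the manifest has to come from a channel the uploader of the download does not control, and a match shows only that the files are the ones the publisher listed, not that the publisher's build is honest.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large wallet archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse `sha256sum`-style lines ("<hex>  <name>") into {name: digest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")  # "*" marks binary mode in sha256sum output
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 digest")
        parts = name.replace("\\", "/").split("/")
        # Refuse names that could point outside the unpacked directory.
        if not name or ":" in name or parts[0] == "" or ".." in parts:
            raise ValueError(f"line {lineno}: unsafe file name {name!r}")
        entries["/".join(parts)] = digest
    return entries


def verify_release(directory, manifest_text):
    """Compare every file under `directory` with the manifest.

    Returns lists of ok / mismatch / missing / unlisted names plus a
    `trusted` flag that is True only when all three problem lists are empty.
    """
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "unlisted": []}
    present = set()
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            full = os.path.join(root, fname)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                report["unlisted"].append(rel)   # e.g. an extra DLL in the archive
            elif hmac.compare_digest(sha256_file(full), expected[rel]):
                report["ok"].append(rel)
            else:
                report["mismatch"].append(rel)
    for key in ("ok", "mismatch", "unlisted"):
        report[key].sort()
    report["missing"] = sorted(n for n in expected if n not in present)
    report["trusted"] = not (
        report["mismatch"] or report["missing"] or report["unlisted"]
    )
    return report


def demo():
    """Constructed sample: one file altered, one removed, one added."""
    published = {
        "examplecoin-qt.exe": b"constructed wallet binary v1",
        "libexample.dll": b"constructed library",
        "README.txt": b"constructed readme",
    }
    manifest = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}"
        for name, data in published.items()
    )
    with tempfile.TemporaryDirectory() as tmp:
        on_disk = dict(published)
        on_disk["examplecoin-qt.exe"] = b"constructed wallet binary v1 + patch"
        del on_disk["README.txt"]
        on_disk["dropped.dll"] = b"file the publisher never listed"
        for name, data in on_disk.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_release(tmp, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```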


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: mladen00 on November 28, 2013, 10:17:06 AM
Do you have a wallet password for sending transaction?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: NUFCrichard on November 28, 2013, 10:24:22 AM
How is this news? A novice computer user downloads a trojan and loses all his coins. It's not the first time it's happened, and it's going to become a lot more frequent.

Yes but it will be a huge limitation on future growth of Crypto.  Not everyone uses linux, most assume that when you have a strong password and an anti-virus system you are safe.
People losing very large amounts of money to thieves needs to stop in the crypto world.  The people doing it are modern day bank robbers.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 10:27:18 AM
That's why I often ask to provide the checksum of the client files, read -> https://bitcointalk.org/index.php?topic=347391.0
That's very good idea.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 10:29:11 AM
Do you have a wallet password for sending transaction?
Of course, I had one for every wallet and have completely new ones for the new wallets.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 10:31:01 AM
How is this news? A novice computer user downloads a trojan and loses all his coins. It's not the first time it's happened, and it's going to become a lot more frequent.

Yes but it will be a huge limitation on future growth of Crypto.  Not everyone uses linux, most assume that when you have a strong password and an anti-virus system you are safe.
People losing very large amounts of money to thieves needs to stop in the crypto world.  The people doing it are modern day bank robbers.

Right now, after everything I've been through, apart from anti-malware and anti-virus I highly suggest also anti-keylogger software.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Quartx on November 28, 2013, 10:48:09 AM
Personally I think it was installed as a root kit, might wanna look at sophos anti rootkit too.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 10:57:55 AM
Personally I think it was installed as a root kit, might wanna look at sophos anti rootkit too.
I also consider this possibility. Reading about Sophos anti rootkit right now.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Mowcore on November 28, 2013, 11:15:49 AM
I am sorry for your loss, I remember that thread and caught out the guy early on. I installed it on my laptop I use for testing dodgy things like this and I got a blue screen! I knew something wasn't right, took awhile before someone actually believed me when I said "Don't use it!".

When loading the .exe it says some crap like "can't find .dll" which is actually in the folder with the .exe. When you move those .dll's into your SYSWOW64 folder, as the dickhead THECOIN op says as a fix, the script gets installed and gives you a blue screen (did for me). You reset your PC and the script is loaded on start up.

Loading up Task Manager and clicking on the Processors tab will show the script zippin up and down the list with the Image name disguised as "svchost.exe"; if you look at the description it should say something like "V 3 script" (I can't remember, original post deleted). Trying to close that process will give you a blue screen.

I fixed the issue by simply removing 2 of the .dll's from the sysWOW64 folder  (chances are it made people use more .dll's , I only used 2 before I got a blue screen) and then closing the process, blue screening and restarting.

I then used malwarebytes anti root kit and kaspersky to make sure nothing was left.

I must state I never went through the trouble of trying to install it and mine coins, I knew something wasn't right when it blue screened my laptop. The script loads when you click the .exe, duck knows what happens when the .exe is loaded with all the .dll's in place.



Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 11:30:36 AM
I am sorry for your loss, I remember that thread and caught out the guy early on. I installed it on my laptop I use for testing dodgy things like this and I got a blue screen! I knew something wasn't right, took awhile before someone actually believed me when I said "Don't use it!".

When loading the .exe it says some crap like "can't find .dll" which is actually in the folder with the .exe. When you move those .dll's into your SYSWOW64 folder, as the dickhead THECOIN op says as a fix, the script gets installed and gives you a blue screen (did for me). You reset your PC and the script is loaded on start up.

Loading up Task Manager and clicking on the Processors tab will show the script zippin up and down the list with the Image name disguised as "svchost.exe"; if you look at the description it should say something like "V 3 script" (I can't remember, original post deleted). Trying to close that process will give you a blue screen.

I fixed the issue by simply removing 2 of the .dll's from the sysWOW64 folder  (chances are it made people use more .dll's , I only used 2 before I got a blue screen) and then closing the process, blue screening and restarting.

I then used malwarebytes anti root kit and kaspersky to make sure nothing was left.

I must state I never went through the trouble of trying to install it and mine coins, I knew something wasn't right when it blue screened my laptop. The script loads when you click the .exe, duck knows what happens when the .exe is loaded with all the .dll's in place.


How close you were... Good that you are ok. To be sure I did a format and installed a bunch of anti-everything software.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: raspcoin on November 28, 2013, 12:15:42 PM
You should at least consider dual-booting Linux if you are serious about cryptocurrencies. Proprietary software, including antivirus software, is difficult to trust if no one knows what it is supposed to do.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: joeroxor on November 28, 2013, 12:29:30 PM
Thank you for taking the time to make this post. I too almost fell into that trap out of excitement. I got so far as downloading the .rar but never touched it. Just deleted it in fact and am running Sophos lol

I have some extra BQC I can give you if you like, I know it doesn't make up for the amount of other coins you lost to the trojan though :|

Do you have a BQC address? I can send you some DevCoin too?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 01:00:58 PM
Thank you for taking the time to make this post. I too almost fell into that trap out of excitement. I got so far as downloading the .rar but never touched it. Just deleted it in fact and am running Sophos lol

I have some extra BQC I can give you if you like, I know it doesn't make up for the amount of other coins you lost to the trojan though :|

Do you have a BQC address? I can send you some DevCoin too?
So good you didn't do it, gosh... Install an anti-keylogger just in case, just to be more sure. I use Zemana Antikeylogger Free.
I had to create all new wallets for every coin I had, so these are my new addresses if you are so kind.
Thank you in advance:
BBQ:  bJgipKnD3hEU4gBkPv31vCdd6gKsmwS2Dt
DVC:  12Qp4wjwGRwMzjTiFe8qZ1FMxEHBvEzsXo

Bless you.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Cygnify on November 28, 2013, 08:18:31 PM
Any specific flavour of Linux that should be used? Or is it a case of all are just as good or a lot better than windows so it doesn't matter?

Very proficient with pc's/mac's but haven't really used Linux much, what's a good version for a laptop just running Linux and wallets, need no other features at all besides security concerns.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 08:27:59 PM
Any specific flavour of Linux that should be used? Or is it a case of all are just as good or a lot better than windows so it doesn't matter?

Very proficient with pc's/mac's but haven't really used Linux much, what's a good version for a laptop just running Linux and wallets, need no other features at all besides security concerns.
I think any well-developed Linux distribution would be good enough. You can install it in a virtual machine. The problem is that not every altcoin wallet has a Linux client, and sometimes, even if it has one, it is really hard to get it running for a person sitting at Linux for the first time.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: (A)social on November 28, 2013, 08:57:37 PM
Any specific flavour of Linux that should be used? Or is it a case of all are just as good or a lot better than windows so it doesn't matter?

Very proficient with pc's/mac's but haven't really used Linux much, what's a good version for a laptop just running Linux and wallets, need no other features at all besides security concerns.
I think any of well developed linux distribution would be good enough. You can install it on Virtual Machine. Problem is not every altcoin wallets has linux client and sometimes if it has it is really hard to make it running for person that sit on linux first time.

Some clients can run under Wine.
Be aware that the wallet will be created inside the Wine folders.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: joeroxor on November 28, 2013, 09:36:53 PM
I had to created all new wallets for every coins I had so these are my new addresses if you are so kind.
Thank you in advance:
BBQ:  bJgipKnD3hEU4gBkPv31vCdd6gKsmwS2Dt
DVC:  12Qp4wjwGRwMzjTiFe8qZ1FMxEHBvEzsXo

Bless you.

Coins sent! Please be careful next time :P

I found out the guy's name who did the whole scam. Along with his address and phone number. I've given this information to a couple of members here as well as pabloangello.



Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: (A)social on November 28, 2013, 09:37:42 PM
I had to created all new wallets for every coins I had so these are my new addresses if you are so kind.
Thank you in advance:
BBQ:  bJgipKnD3hEU4gBkPv31vCdd6gKsmwS2Dt
DVC:  12Qp4wjwGRwMzjTiFe8qZ1FMxEHBvEzsXo

Bless you.

Coins sent! Please be careful next time :P

I found out the guy's name who did the whole scam. Along with his address and phone number. I've given this information to a couple of members here as well as pabloangello.

Why not make it public?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: joeroxor on November 28, 2013, 09:49:06 PM

Why not make it public?

Because it's revealing personal information publicly, I will send the information to whoever wants it, privately.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 10:34:39 PM
So basically we now have all the data on that guy.
Name,
address,
telephone,
Company name,
Facebook profile

He is from the USA, I am from Europe. What can I do with such information? Can I contact the police or some other law enforcement agency in the USA that deals with such internet crimes?
Is there anyone here with knowledge of what I can do in this situation?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Lauda on November 28, 2013, 11:07:02 PM
So basicly we have right now all the data of that guy.
Name,
address,
telephone,
Company name,
Facebook profile

He is from USA I am from Europe. What can I do with such an informations? Can I contact to police or some other law enforcement in USA that deals with such a internet crimes?
Is here anyone with such a knowledge what can I do in this situation?
The embassy of your country, and the local police there. His company also. You could contact all his friends and at least make him feel guilty.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: joeroxor on November 28, 2013, 11:15:06 PM
I would assume that stealing digital property from someone over the internet has consequences and laws prohibiting such actions.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 11:16:31 PM
So basicly we have right now all the data of that guy.
Name,
address,
telephone,
Company name,
Facebook profile

He is from USA I am from Europe. What can I do with such an informations? Can I contact to police or some other law enforcement in USA that deals with such a internet crimes?
Is here anyone with such a knowledge what can I do in this situation?
The embassy of your country, and the local police there. His company also. You could contact all his friends and at least make him feel guilty.

I will most certainly contact the embassy to help me with the local police.
Do you think it is worth writing him an email to give him the opportunity to give me back the coins, and if he will not, then threaten him that I will contact the embassy and local police etc.?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: joeroxor on November 28, 2013, 11:18:24 PM
So basicly we have right now all the data of that guy.
Name,
address,
telephone,
Company name,
Facebook profile

He is from USA I am from Europe. What can I do with such an informations? Can I contact to police or some other law enforcement in USA that deals with such a internet crimes?
Is here anyone with such a knowledge what can I do in this situation?
The embassy of your country, and the local police there. His company also. You could contact all his friends and at least make him feel guilty.

I most certainly will contact to embassy to help me with the local police.
Do you think is it worth to write him an email to give him opportunity to give me back the coins and if he will not then threaten him that I will contact embassy and local police etc?

The problem with this is that you were most likely not the only one affected by this fraud. If nothing is done, more people will continue to be robbed by this guy.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Lauda on November 28, 2013, 11:18:42 PM
I most certainly will contact to embassy to help me with the local police.
Do you think is it worth to write him an email to give him opportunity to give me back the coins and if he will not then threaten him that I will contact embassy and local police etc?
What is the estimated value of the stolen coins in BTC or USD?
First contact him and his friends. If he doesn't return them make sure you contact the embassy and local police.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 11:24:33 PM
I most certainly will contact to embassy to help me with the local police.
Do you think is it worth to write him an email to give him opportunity to give me back the coins and if he will not then threaten him that I will contact embassy and local police etc?
What is the estimated value of the stolen coins in BTC or USD?
First contact him and his friends. If he doesn't return them make sure you contact the embassy and local police.

It is about $5880 at current prices from http://coinmarketcap.com/


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: btcave658 on November 28, 2013, 11:32:27 PM
Try using a firewall like Comodo. Set it to "Custom Policy". It will prompt you for any unknown process that tries to connect to the net. Of course, only allow processes you know and trust.


Also try to use virtual machines for new altcoins. You can just transfer them later. If the new coin has proven legit and reports of malware activities

If you do not want to use virtual machines you can use Sandboxie. Create one sandbox for each coin and launch the program using that sandbox. Just be sure you do not delete the sandboxes.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 28, 2013, 11:37:52 PM
Try using a firewall like comodo. Set it to "Custom Policy". It will prompt you any unknown process that tries to connect to the net. Of course only allow process you know and trust.


Also try to use virtual machines  for new altcoins. you can just transfer them later. If the new coin has proven legit and reports of malware activities

If you do not want to use virtual machines you can use Sandboxie. Create one sandox for each coin. and launch the program using one sandbox. Just be sure you do not delete the sandboxes.
Thank you for your advice. I have already done all of that. Antivirus, anti-malware, anti-keylogger, VM with Ubuntu.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: btcave658 on November 28, 2013, 11:44:36 PM
Be sure your pc is clean

For Sandboxie: be sure you have not yet executed the client on your PC. Otherwise C:\Documents and Settings\User\Application Data\<Alt Coin> will already have been created with the wallet.dat, and if you use the default address in your transactions, Sandboxie will be useless.


If you already executed the client before you even used Sandboxie, you have to manually transfer C:\Documents and Settings\User\Application Data\<Alt Coin> to the sandbox folder.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on November 29, 2013, 12:32:37 AM
Sh..t his e-mail doesn't work: Delivery to the following recipient failed permanently.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: cGull on November 30, 2013, 03:14:27 AM
Sh..t his e-mail doesn't work: Delivery to the following recipient failed permanently.
If you really have accurate information about him and plan to go to the police through the embassy, I wouldn't recommend trying to reach him before the authorities are on the case.
I'm far from an expert on this but it seems to me best not to get involved personally.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Spoetnik on November 30, 2013, 06:57:44 AM
How is this news? A novice computer user downloads a trojan and loses all his coins. It's not the first time it's happened, and it's going to become a lot more frequent.

yup i seen this a couple weeks ago on another coin..

and you should never have gotten that far into trouble.. unless you're a noob

im a bloody Nazi if anything coughs i lay hell fire on it.. and its always a false positive when i get worked up
i also had a PC repair business 8 yrs ago for a decade so i have been there and done that on endless machine i could never count.
i don't use AV software.. I AM antivirus software lol

watch out for miners too i catch and expose them on a regular basis..

and by the way Autoit is just an old automation program.. i tried it out in like 2004

use Linux is a dumb solution a and i only do when i wanna rape losers wifi lol
the answer is get better at using windows.. it's not hard to ..use proper judgement.
notice on that topic i flamed hell out of that guy ? rather, than downloading it like a dope head lol

If i was running AV software i would get a 1,000 hits and i have had my own shit flagged too many times before.
I'm a cracker and a coder and need the tools to do my job.. AV software is a crutch for nubs to provide a false sense of security.

get smarter.

edit:
and by the way new guys *if you think you're infected disable the internet asap
and for the love of god stop using any logins on anything anywhere !
this guy said he started logging into wallets one after another..
i bet if he stopped when the first one went bad he would have saved a lot of money.
so ya do that and get help..


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: philipma1957 on November 30, 2013, 06:40:25 PM
…..
and by the way new guys *if you think your infected disable the internet asap
and for the love of god stop using any logins on anything anywhere !
this guy said he started logging into wallets one after another..
i bet if he stopped when the first one went bad he would have saved a lot of money.
so ya do that and get help..

this.  you are best off with at least 2 or 3 pc's.


and do not do your mining on your business pc/wallet pc. and your wallet pc should be only for moving coins etc.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: Lauda on November 30, 2013, 06:59:40 PM

It is about $5880 considering this moment prices from http://coinmarketcap.com/
That's quite a lot now.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: 1F1tAaz5x1HUXrCNLbtMDqcw6 on November 30, 2013, 07:42:00 PM
    
I WAS JUST THREATENED BY SOMEONE WHO GOT HACKED!
https://bitcointalk.org/index.php?topic=353364.0;topicseen


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: ooxtcoo on November 30, 2013, 10:32:33 PM
How is this news? A novice computer user downloads a trojan and loses all his coins. It's not the first time it's happened, and it's going to become a lot more frequent.

yup i seen this a couple weeks ago on another coin..

and you should never have gotten that far into trouble.. unless your a noob

im a bloody Nazi if anything coughs i lay hell fire on it.. and its always a false positive when i get worked up
i also had a PC repair business 8 yrs ago for a decade so i have been there and done that on endless machine i could never count.
i don't use AV software.. I AM antivirus software lol

watch out for miners too i catch and expose them on a regular basis..

and by the way Autoit is just an old automation program.. i tried it out in like 2004

use Linux is a dumb solution a and i only do when i wanna rape losers wifi lol
the answer is get better at using windows.. it's not hard to ..use proper judgement.
notice on that topic i flamed hell out of that guy ? rather, than downloading it like a dope head lol

If i was running AV software i would get a 1,000 hits and i have had my own shit flagged too many times before.
I'm a cracker and a coder and need the tools to do my job.. AV software is a crutch for nubs to provide a false sense of security.

get smarter.

edit:
and by the way new guys *if you think your infected disable the internet asap
and for the love of god stop using any logins on anything anywhere !
this guy said he started logging into wallets one after another..
i bet if he stopped when the first one went bad he would have saved a lot of money.
so ya do that and get help..


that is really the most shit with antivirus software for us who need our special tools every day!
my olly plugins, ida, pe detectors and all that stuff make my antivirus cry every second... but it can't keep away real viruses! grrr!
mostly i also turn it off... if i add my special tools to the permanent ignore list, on the next start the antivirus alarms again on the same tools... this really sucks.

also, if the antivirus's heuristic scanner is bad, a newly programmed virus targeting our wallets can't be detected by the antivirus as long as the signatures are not included, and that takes a while and needs some already infected systems before the antivirus adds the new signatures.


but i have a cheap idea for a linux wallet!
maybe i'll program such a thing when i have time for it.
i'm thinking of using a raspberry pi with an lcd screen and just some buttons, with an internal wlan mini stick,
powered from a battery pack, all in a small case.
this gives everyone a cheap standalone linux system with wallets controlled by lcd and buttons, without
the need for a real computer.

such a raspberry is about 30€ and the possibilities are endless with it.
it can be made secure, can always keep the wallet db up to date, and if you need to send someone some btc,
just grab your little box and send instantly...

i have already programmed sources of my own for controlling an lcd with buttons for a standalone miner.
it should not be too much work to make it control different wallets.

cases for the raspi with integrated lcd and buttons i could 3d print.

if someone has more time than me at the moment, i can give out my sources and schematics
to program such a thing...


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: ruletheworld on November 30, 2013, 10:51:49 PM
   
I WAS JUST THREATENED BY SOMEONE WHO GOT HACKED!
https://bitcointalk.org/index.php?topic=353364.0;topicseen
Man, I am really sorry for your loss and thanks for such a detailed post for others to take their precautions too.

However, this doesn't look good at all. Before threatening people, you should at least have tried to verify it's the right person.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: smart-aleck on December 01, 2013, 12:46:34 AM
I can finally post on this thread now that I'm not a NO0B anymore...

Pabloangello -- Sorry those bastards tricked you with "THE COIN" ... I had no idea they existed when I registered my domain.  I'm sure you went on a rampage after the attack, looking for any shred of evidence to catch this asshole and you got a bit carried away when you thought you had a suspect.  No hard feelings man, but please don't publish my private information on here or bother any of my relatives.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on December 03, 2013, 06:53:40 PM
I can finally post on this thread now that I'm not a NO0B anymore...

Pabloangello -- Sorry those bastards tricked you with "THE COIN" ... I had no idea they existed when I registered my domain.  I'm sure you went on a rampage after the attack, looking for any shred of evidence to catch this asshole and you got a bit carried away when you thought you had a suspect.  No hard feelings man, but please don't publish my private information on here or bother any of my relatives.
I already told you that I will not publish your information anywhere, such as exposing it on the forum. There were a lot of suspicious coincidences in timing, coin and name of project. You don't have to be scared of anything if you are not the author of that thread with the virus-infected coin.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on December 03, 2013, 07:16:59 PM


you found what may have been a virus on your computer? I can't see how you connect that up to your lost coins though?


Lost coins from multiple wallets too? I find it hard to believe that a virus did this.

More likely, it seems to me, is that someone got physical access to your computer and sent the coins to their own coin wallets..

(is this the case, where the coins were in the wallet up until the exact instant that the wallet synched? And in every case, is that what happened? Or were the coins gone prior to synching, so as soon as the wallet rezzed, the coins were already missing? I don't know why the wallets would need to synch first and then the coins suddenly dissappear or suddenly get sent?)

If that is the case of suddenly sending coins at the exact instant of synching, then it may be a virus?

I think the scenario was like this: it was a keylogger, and it must also have been able to send the wallets to the thief. He had passwords and logs from my keyboard, so he opened the wallets on his computer and sent the coins to his addresses. Then, when I opened one of my wallets that he also had and knew the password for, the coins suddenly disappeared after sync because the information from the blocks reached my wallet.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: z00KB99 on December 03, 2013, 07:28:45 PM
sorry about your loss,  you did show me about ccleaner.exe. I download and test this on my machine.
Any other utilities you use to clean up your PC?


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on December 03, 2013, 07:31:50 PM
sorry about your loss,  you did show me about ccleaner.exe. I download and test this on my machine.
Any other utilities you use to clean up your PC?
Format C. Change every password for every website/market/etc. you use (good if you have another computer to do that). Create new wallets for every coin you have and transfer your coins there as soon as possible.


Title: Re: I was robbed from my alt coins wallets - Extremely important - Be Cautious
Post by: pabloangello on December 03, 2013, 07:35:24 PM


you found what may have been a virus on your computer? I can't see how you connect that up to your lost coins though?


Lost coins from multiple wallets too? I find it hard to believe that a virus did this.

More likely, it seems to me, is that someone got physical access to your computer and sent the coins to their own coin wallets..

(is this the case, where the coins were in the wallet up until the exact instant that the wallet synched? And in every case, is that what happened? Or were the coins gone prior to synching, so as soon as the wallet rezzed, the coins were already missing? I don't know why the wallets would need to synch first and then the coins suddenly dissappear or suddenly get sent?)

If that is the case of suddenly sending coins at the exact instant of synching, then it may be a virus?

I think scenerio was like that: It was a keylogger and it had to have also possibility to send wallets to the thief. He had passwords and logs from my keyboard so he opened wallets on his computer, sent coins to his addresses and then when I opened one of my wallets he also had and knew password for, then after sync, coins suddenly dissapeared couse information from blocks reached my wallet.

Ok, so you 'THINK' the scenario was like that?

Are you uncertain what happened?

If the coins were in the wallet prior to the wallet syncing, and then suddenly disappeared at the exact instant of syncing, then that is important info.

But if the coins were gone prior to syncing, then there is more likelihood of someone having taken/sent your coins by gaining physical access to your computer.

So, which one is it?

1- were the coins gone when the wallet first rezzed prior to syncing (seems more likely to be someone gaining physical access to your computer this way)

2- the coins were in the wallet, but suddenly got sent (disappeared) at the exact instant when the wallet synced (seems more likely to be a virus this way)

This is something I am wondering about in this case. I have learned in my life, that people I thought I trusted, at times might even stab me in the back or even 'betray'. Is it possible someone gained physical access and stole your coins off of you? someone you trust and know most likely.

Under every transaction we can see the exact date when it occurred. The dates were different from the moment the wallet synced, from several hours to 2 days before.
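
The timestamp comparison discussed in the posts above, as an added example that is not part of the original thread: for every outgoing transaction it compares the time the block was mined with the time this copy of the wallet first learned of it. It assumes records shaped like the JSON that bitcoind's `listtransactions` returns (`category`, `amount`, `txid`, `blocktime`, `timereceived`); that a given altcoin client exposes the same fields is an assumption, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Block timestamps are only loosely tied to wall-clock time, so allow two
# hours of skew before calling a send "not created by this wallet".
SLACK_SECONDS = 2 * 3600

# Constructed sample shaped like a bitcoind-style `listtransactions` result.
# Txids and times are made up for illustration.
SAMPLE_TXS = [
    {"category": "receive", "amount": 1900.0, "txid": "tx-a",
     "blocktime": 1384500000, "timereceived": 1384499700},
    # Mined 26 hours before this wallet file first saw it.
    {"category": "send", "amount": -1900.0, "txid": "tx-b",
     "blocktime": 1385400000, "timereceived": 1385493600},
    {"category": "receive", "amount": 1100.0, "txid": "tx-c",
     "blocktime": 1385493500, "timereceived": 1385493605},
    # Wallet knew about this one before it was mined.
    {"category": "send", "amount": -5.0, "txid": "tx-d",
     "blocktime": 1384600300, "timereceived": 1384600000},
    # Unconfirmed: there is no block time to compare against yet.
    {"category": "send", "amount": -1.0, "txid": "tx-e",
     "timereceived": 1385493700},
]


def classify_sends(txs, slack=SLACK_SECONDS):
    """Label each outgoing transaction by where it was most likely signed."""
    findings = []
    for tx in txs:
        if tx.get("category") != "send":
            continue
        first_seen = tx["timereceived"]  # when THIS wallet file learned of it
        mined = tx.get("blocktime")      # absent while unconfirmed
        if mined is None:
            verdict, lag = "unconfirmed", None
        elif first_seen - mined > slack:
            # Found only while catching up on old blocks, so another copy
            # of the keys produced the signature.
            verdict, lag = "signed-elsewhere", first_seen - mined
        else:
            verdict, lag = "known-to-this-wallet", None
        findings.append({"txid": tx["txid"], "amount": tx["amount"],
                         "mined": mined, "lag_seconds": lag,
                         "verdict": verdict})
    return findings


def latest_possible_theft(findings):
    """Earliest block time of a foreign send: keys were copied by then."""
    foreign = [f["mined"] for f in findings
               if f["verdict"] == "signed-elsewhere"]
    return min(foreign) if foreign else None


def report(txs):
    """Return human-readable triage lines for the wallet history."""
    findings = classify_sends(txs)
    lines = []
    for f in findings:
        lag = ""
        if f["lag_seconds"] is not None:
            lag = f" (mined {f['lag_seconds'] / 3600:.1f} h before first seen)"
        lines.append(f"{f['txid']}: {f['amount']} -> {f['verdict']}{lag}")
    deadline = latest_possible_theft(findings)
    if deadline is not None:
        when = datetime.fromtimestamp(deadline, tz=timezone.utc)
        lines.append("keys were outside your control no later than "
                     f"{when:%Y-%m-%d %H:%M} UTC")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TXS)))
```

A `known-to-this-wallet` verdict does not clear the machine, since malware driving the local client would produce the same timestamps. The reported deadline is useful for deciding which passwords and wallets typed or opened since then need replacing.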