this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
|
|
|
...
I think that police international investigation is the best chance for you, and no matter how well-hidden hacker traces are - if there is a will and determination the hackers can be found. At the present time even most careful hacker leave some digital footprint, so I'm therefore confident that something will be discovered.
Did you maybe try to get out to the public (except forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or you case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.
I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.
there was another case in 2011: https://bitcointalk.org/index.php?topic=16457.0back then they were not able to identify the hacker. This time there are some more traces and at least one responsible company who hosted the computer which was used for the hack.
|
|
|
The IP was released by Ripe, have you tried emailing their Abuse email address: abuse@ripe.netok thanks - I will
|
|
|
... So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action. Lithuania is also member country of Interpol, maybe they can do something to help you track hackers. yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do. I'm interested did you trying to track stolen coins on block expolorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.
I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.
|
|
|
I just signed up to ask some questions relating to your loss. By any chance did you:
1. Tell anyone you had that much money? 2. Tell anyone where it was stored? 3. Shared the email address online? 4. Chat with anyone about your accumulation/holdings? 5. Recently clicked/opened any weird emails/messages (these can contain the virus/backdoor especially in attachments)? 6. Any friends/co-workers/relatives that know about your wealth? 7. Any changes in network? Systems/security? Wifi? 8. Any suspicious nearby passers near your residence? Parked vehicles? Anyone near a cafe with access to wifi/laptops? 9. Any recent encounters? New website registrations?
These are some things to think about and you may want to retrace your steps to find out how this happened! Sorry I am not much help at this point.
1 no 2 no 3 4 no 5 no - but most likely an infected BCD wallet was the culprit 6 no 7 no 8 lol no 9 allīthe time every hacker needs a door into your system. Even if I would talk about these things with my neighbour they were not able to hack my computer. As I said before most likely the hacker was an organized crime gang, well prepared and they used this BCD wallet as a door into my system. It could have turned on RDP for them and started keylogging. So they were able to achieve total control over my system. There are theoretically other vulnerabilities - but these guys acted very professionally and very quickly. They even cleaned up their traces after their "work" - that was the reason Google identified them as intruders and closed my account.
|
|
|
I am from the same country, maybe i could help you. I have found something interesting while browsing on google. Will update you later on
ok - the bounty is 10% of the recovered sum
|
|
|
... In any case you should all report to the police, this is big money and you do not have to reconcile that it's all over and money lost. Too bad that you did not use HW before, when it is obvious that you have it in possession.
I was on the step to move everything out of the Laptop. By the way - the hacker group (I strongly assume it was an organized group) came from the same location which is mentioned here: https://anti-hacker-alliance.com/index.php?ip=46.166.165.80The company Cherry Servers replied to my email request on the case: Dear Sir,
Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.
Sounds like they face this situation not the first time.
|
|
|
edit : after thought possibly they connected with RDP first them infected you with some other type or RAT or malware from the RDP connection. Is also highly possible.
hm yes - if that is the case then my system is still open like anything - at least meanwhile I installed https://www.spyshelter.com to see if anything dubious is going on - but probably I will have to change to a newly setup system - at least remaining cryptos are on a ledger now and 2FA backup codes are on paper only
|
|
|
Meanwhile I checked the RDP logs on my system in %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The setting of RDP is turned off
|
|
|
Looking at the time stamps it seems they possibly recon this before they did the move so they might have had a good bit of time in your system to be able to strike over all those platforms in a short space of time.
I think they started their job right in the moment when I started the BCD client. That must have been around midnight. Google closed my account at 03:16 due to unusual activity. That time they already hacked my kraken account for which Email + 2FA is necessary. Later obviously they just removed their traces which Google recognized. First hand I would be changing the RDP port on your machine.
done
|
|
|
I did a look up. That IP originates from Lithuania; the ISP is UAB Cherry Servers with Azure configured as the name server and Cherry Servers are providers of Cloud Hosting Services so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because from Cherry Servers pricing page, their services are quite expensive and I am not sure someone other than a well connected group could afford it. I also tried pinging but no response but nmap -sV -Pn 46.166.160.158 reports open ports 3389: ms-wbt-server and 7070: ssl/realserver which confirms that the attacker is running a Windows OS and uses RDP for his trade. I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online but without login creds, i can't do much. Maybe someone with advanced pentesting skills could take it up from here let's put an end to all these criminality. Very valueable remarks - thank you I also strongly believe the hackers were a organized group. From starting the likely infected BCD wallet to the point where they literally knew everything over my system and infrastructure was just minutes. And they need to find the password safe files and a matching program to read it - which is now only available under Android. Finally they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH which I did meanwhile. So they came very quick, executed their damaging work and left a desaster for me
|
|
|
My ears burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts quickly while you were away.
I was not away - they did it very quickly and I could literally see how they drained my wallets.
|
|
|
Both with the Electrum version for their blockchains.
Are you sure that the Electrum versions were official ones? Could you link to the ones you used. Sometimes they aren't made by the devs of the coins. the links were these: BTCP from https://github.com/BTCPrivate/electrum-btcp/releasesBCD I do not remember the source but from my download history the version is Electrum-BCD-3.1.2-portable.exe most likely the BCD wallet was the culprit
|
|
|
... Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?
It was Safe+ : https://tinyurl.com/ycmetl2nI was just in the process of changing to Keypass because the developer of Safe+ seems to have abondanded his work. But it did a good job so far and I think this is very likely not the hacker.
|
|
|
Hello guys
I have a wallet with 2.82 bitcoins which i receive 2015 but i lost the seed and i dont remember the password. The wallet is created on Electrum in linux. Is there any way to recovery my bitcoins from the file? Thanks
short answer: no way there is a reason for the wallet.dat being safe if it is password protected
|
|
|
But you are telling that your BINANCE AND KRAKEN exchange also got hacked but this both exchange you should have enabled the 2fa security then how did he got hacked it.
If you have to enabled the 2fa then it is really very bad that you are too careless with your security features which made you this much big loss. This is really a very costly lesson for you being careless with your security features.
Binance and Kraken was easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid. Google was the only company which detected abnormal behaviour patterns and disabled the account very quickly - I was able to unlock it with a trusted telephone device. Kraken setup a new withdraw address (the one I listed above) on command from the hacker - but disabled the account after I sent them my report on the hacking after I changed pw and 2FA already. Binance basically did not even reply on my report so far. I changed passwords and 2FA codes for all accounts and need to set new passwords for a list of 100 or so services.
|
|
|
OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.
The coins were held in these locations (order corresponding to the list in my first posting): Currency Place DASH Qt-Wallet on Laptop BCH ElectronCash on Laptop BTC Binance.com BTC Kraken.com NEM Simplewallet on Laptop BURST Desktop wallet on Laptop BTC Exodus wallet on Laptop OmiseGo Exodus wallet on Laptop LTC Exodus wallet on Laptop BCH Exodus wallet on Laptop DASH Exodus wallet on Laptop Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum version for their blockchains. I used the same long password for different things - especially my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - the one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything. (there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)
|
|
|
Yesterday in the very early hours of the morning Dec 4th I have been hacked and completely robbed out. The total of 1 Mio USD in different coins have been stolen from my system. I am still pissed off from my own shitty security. But things happened and I cannot go back in time. Here ist the list coins and transactions of the robbery: Date/Time Currency Amount Reference to Blockchain explorer Destination address 04.12.18 00:31 DASH 9000 https://tinyurl.com/y8fpvxln Xom6WhRTiAZhtiMzMQXCS4Aew1PB3v62Tb 04.12.18 00:36 BCH 613,291 https://tinyurl.com/yd2y3wdr Qpx5pyy9catx7sluuyzqr03fw3c93ahwms2qfhnznx 04.12.18 01:12 BTC 2 https://tinyurl.com/ybnrmvfq 1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP 04.12.18 01:20 BTC 1,7 https://tinyurl.com/y8s4c7kc 1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP 04.12.18 01:30 NEM 264992 https://tinyurl.com/ycr35va3 NBLI5G-ONLML2-5RY666-BQL2QS-IIMCJT-EUT5PJ-R7MF 04.12.18 02:14 BURST 7643993 https://tinyurl.com/yat7pjna BURST-2WVC-EJXY-TMMW-2SQRW 04.12.18 12:42 BTC 1,840 https://tinyurl.com/ycknktjx bc1qy8ypdjjqkh663j83k4zlv8cxw8nte08m042nxf 04.12.18 12:44 OmiseGo 2329,436 https://tinyurl.com/y9tuss5q 0xd26114cd6ee289accf82350c8d8487fedb8a0c07 04.12.18 12:45 LTC 117,602 https://tinyurl.com/y895dtvs LhpfUpX32CTyd8MekNJkdXAX9BZYUzHNtW 04.12.18 12:48 BCH 5,899 https://tinyurl.com/ydctqokv Qzhpt232rhktu2zzll55cf4vthyya8mtw5nsg9auu9 04.12.18 12:48 DASH 4,929 https://tinyurl.com/ya23s6y9 XerirSmDu9YjbdG641uNsg5tmnb2twvrgE I wish I never make this experience in my life - but I cannot turn the clock back. If anybody has a good idea how to track down the thief the reward will be 10% of the recovered sum or a minimum of 10,000 USD in case of success. There is one more information - the thief also tried to corrupt my Gmail account and Google gave me this information: Uhrzeit: Gestern, 03:10 Standort: Litauen IP-Adresse: 46.166.160.158 It can be checked here: https://tinyurl.com/y782ufvuI am looking desperately for any kind of help or ideas how to go on with this case. Thank you for any help
|
|
|
ja sieht so aus, als ob bitrefill.com ALDI Talk Nummern mit Eplus aufladen will. Ich will aber nicht so weit gehen, das wirklich auszuprobieren.
|
|
|
|