I can't emphasize this enough.

Get a real wallet. A software wallet without the need to trust a centralized server. Electrum is probably the best option for OP.




There is no IP filtering or anything else inside of the electrum network, BUT a few countries (russia at least) seems to block electrum traffic.
I can't fully confirm this, but multiple cases lead to the theory that the majority of ISP's in russia DO block electrum traffic.

I don't know whether this is the case for thailand, but i believe it is not.

Dear OP, electrum is definitely worth a try! Way better than any web wallet available (security-wise, privacy-wise and availability-wise).

If you don't even try to answer our questions, we can't help you.

If you truly want our help, answer our questions (at least in an anonymized way). I mean.. you obviously created a throw-away account.
We don't know your identity. If you have used some 'shady market', noone will be able to link it to your personal details.

At least TRY to answer our questions. They are NECESSARY to help you.

---

Please.. i am sick of these pointless posts.

There is NO reason to backup wallet addresses. They are publicly available and visible by EVERYONE.

What you meant to say (i believe) is whether he has a backup of his private keys.. But even this is NOT RELATED to this topic.
He sent coins to another address. He could delete his private keys if he wanted to (and everything else too). It doesn't change anything regarding his problem.


Do this community a favor and don't post 'helpful replies' in the technical support sub. Thank you.

Take the encoded transaction, and double hash it with sha256.

Note that bitcoin is using little-endian.




You can broadcast the same transaction (same inputs, outputs.. exact same TX) as often as you want. 'Broadcasting' simply means sharing the signed transaction with everyone 'you know'.

If you want to double spend, there are multiple ways to do. The most easiest is to create a transaction with the RBF flag.
This allows you to 'bump' the fee (while also changing the 'receiving address').




Wait for at least 1 confirmation (recommended).
Or don't accept RBF-tx's (not recommended).

You should in fact ALWAYS wait for 1 confirmation before releasing any digital goods etc..

If there is no chrome vulnerability which allows an extension to break out of the isolated environment (which i doubt currently), your local machine is not compromised.
Even if there were such a vulnerability, i heavily doubt that these developers would be able to exploit it.

Your saved passwords SHOULD be safe (again, if there is no vulnerability OR the developer aren't intelligent enough to make use of a potential vulnerability).

Your keepass database (local KeePass, not browser extension LastPass) is safe.
Your desktop wallets are safe too.

If the add-on had full access to each site you visit (which it probably had), all passwords which you have entered while it was installed can be (and most probably are) compromised.
Each data entered into the browser while it was installed can be compromised.


But the most important thing is, your local machine is safe.

You are probably the most intelligent person on the world.

I wonder why noone has successively 'hacked' (just using this word brings discredit on you) bitcoin yet 
Maybe because the whole world consists of retarded idiots (besides of you of course) ?


ECDSA is safe if used correctly.
The highest risks of 'hacking' (better: cracking) those keys come from a bad implementation (e.g. trough faulty implementation; side-channel attacks).

We are talking about 256 bit curves here..
It is defined over prime fields and has no known vulnerability. The currently 'best attack' is Pollard's rho.

Thanks for pointing out. I somehow missed the URL 

I have filed a report regarding this browser extension.




Not only somehow, but most probably simply trough stealing cookies from the browser.

Stealing cookies is quite an easy approach to gather access to an account, logged in from the browser.

You can regard cookies as an identifier. Anyone who has this explicit cookie (which is assigned to user X in the database of website Y), has access to he account.




Well.. to be honestly.. you basically asked for it. Installing shady add-on's with 1 rating AND using a web wallet is crying to get funds stolen.

While i do not support the behavior of stealing funds, this is one of the lowest-effort-steals i have come across on this forum.
The only one to blame, definitely is your 'admin'.

If your 'admin' was logged into the account AND the addon has rights to 'view all sites and interact with them' (has to be accepted when installed), then the addon can do whatever it wants to.

Blockchain.com is a web wallet. Each other type of wallet is more secure than a web wallet.

However, this shouldn't happen. A malicious addon can indeed steal your funds this way.




He probably(!) doesn't need to format his laptop. Changing all passwords wouldn't hurt (at least those saved in chrome AND from sites visited while the addon was installed).




Malicious addons have been used since years to steal secret information (passwords).

Might give us information about the addon, so that we can report it to google ?

Your wallet generates a new receiving address for each transaction.

It still contains ALL created private-/public- keypairs. You can receive funds as often as you want to the same address (even if it is not recommended privacy-wise).

The fact, that you didn't receive your 'refund' yet, is that either (1) your wallet is not synced/connected or (2) the transaction hasn't been broadcasted yet.

Check your address in a block explorer (e.g. https://blockchair.com/ or https://www.blockchain.com/).

You have mentioned it yourself:



If you are not involved into wash trading or anything other illegal, you don't have to worry.

If you however are involved into shady things, this might take longer than you want it to last.

In the end, binance is a globally acting company. They won't steal your funds and risk their reputation.

According to the website it doesn't have a WiFi chip at all.

I believe the transmission from the cobo vault to the mobile phone happens via scanning QR codes, and the broadcast itself is happening from the mobile.

However, a hardware wallet which claims to be extremely secure 'because of no communication channel' while at the same time using updates via a SD card, shouldn't be taken too seriously.
Without any further information about the EXACT handling of firmware updates, one could theoretically create a malicious update (spread via mobile application vulnerability for example) to compromise the cobo vault.

Note that i do not intend to say that there is a vulnerability, i am just mentioning the 'easiest' way to eventually attack this wallet (without further information about this wallet).
No wallet is 100% secure.

You can take a look at this topic: https://bitcointalk.org/index.php?topic=5064946.msg47684089#msg47684089

There are several links to resources provided (and links to parser to do it yourself).


Another way would be to download and completely sync bitcoin core (with the -txindex parameter), then write a small script which parses each transaction and checks whether the receiving address still has funds.

Using a parser from the above link probably is easier and faster tho.

You are right, thanks for pointing it out!

Not that i have only assumed 7 (instead of 4) and 11 (instead of 8 ) bit checksum, i have also made a very embarrassing mistake (256 - 11 = 253)  

Each time i read that i have to smile inside of me.

The btrash network couldn't even properly handle the first few 23 MB blocks without struggling heavily.

Multiple 32 MB blocks would bring that network down, and still.. someone is even more delusional to propose 128 MB blocks 


Regardless.. both of these coins are going to die after the men behind them have made enough money. It is just a means to an end.
It makes me quite angry (and sad) that these few people steal money from a big userbase who believes the 'flippening' is going to happen.

Rainbow tables can't be applied in this case.

There are no 'shortest' seeds. Seeds are randomly chosen.
12 word seeds have an entropy of 121 124 bits (last 7 4 bits are a checksum) and 24 word seeds have an entropy of 253 248 bits (last 11 8 bits are a checksum).


Rainbow tables can be used when looking for passwords by having large dictionaries with the initial password and the correct hash being stored together.
In case of finding hashes, you simply search the dictionary for this hash to find the corresponding password.

But since seeds (which are represented by 12-/24- word mnemonic codes) are random, there is no attack surface using rainbow tables.

---

Edited for correctness

Did you try to use an online wallet (not recommended at all) or where you trying to deposit BTC into a site (e.g. for buying stuff) ?
This makes a huge difference.

Usually, 'random' websites are not to be trusted.




If the transaction is confirmed (which it is), the operator of the website DID receive your coins.
The fact that your 'wallet' (i guess you are referring to the credit on the specific site) is empty, means that either (1) there is an error handling the payment server-side (less probably) or (2) you have been scammed (more probable).

Without telling us what website it was (.onion site?), we unfortunately can't tell you whether it is a scam or not.




Your only option is to contact the administrator / support of the website.
If they don't send it back to you voluntarily, there is no way of getting it back.

A salt should be somewhat random. So definitely not an email address (which is guessable in like 5 to 10 trials).

Anyways, the math behind the seed words is 'sufficient' (more than safe). You don't really need an additional salt for security reasons.

While it doesn't harm you in any way (except maybe for the case where you don't find / forget your salt and cant recover your wallet), it doesn't increase the security of your wallet.

It can add plausible deniability, but security-wise it is not necessary.

The technologies mentioned by ETFBitcoin do not decrease the size of the blockchain (not necessary at all).
They decrease the size of a transactions which will result in more transactions being able to fit into one block.




Storage scaling problems ?

The size of the blockchain isn't a problem at all. Storage is getting cheaper each year, way faster than the blockchain can grow.
9 years of BTC gave us ~180 GB. With a 1TB HD at about 60$, thats not even close to being a problem.

The scaling 'problem' is the amount of transactions the bitcoin network can handle, not the size of the blockchain.


If one doesn't want to store the whole blockchain on their computer, they are free to use a pruned node which allows to set the maximum amount of storage the node is allowed to occupy on the HD.

I never said that one should have his private keys stored unencrypted.

Linux is - by definition - safer than windows in daily usage.

In a targeted attack, it doesn't make any difference. That's correct.
But why would any commercial malware creator (its all about money - that's always commercial) target linux user (who by default have more knowledge regarding security) if the market share of windows is 95%+ and linux less than 2% ? This wouldn't make any sense.

The majority of malware IS coded for windows. When using your computer like any standard user does, the chances of getting infected on a linux machine is WAY lower than on a windows machine.


So, while linux per se is not more secure than windows, the risk of getting malware onto your computer is way lower. This makes linux machines safer in daily usage.

Failures in upgrading the firmware or ledger live ?

I never had any problems with ledger live and only once a problem with updating the firmware (which could easily be resolved within a few minutes).

AFAIK, there was no firmware update the last few months. These are pretty rarely.




This is not a problem at all.
Since ledger has revamped their code base, you are able to store more wallets on your ledger (especially those which share the same codebase, e.g. BTC and all forks).

The space is limited to prevent malware being loaded onto the ledger (due to low amount of storage available). This is a 'security feature', not a bug/problem.

Uninstalling/installing applications doesn't take longer than 10 seconds..




Didn't face this problem with non-shit-coins (BTC, ETH, etc..) yet.




I haven't faced this issue yet either.

You don't need to generate compressed/uncompressed public keys and segwit-/legacy- addresses for each iteration.
It is enough to only test the ones where the decrypted private key is a valid private key (checksum helps here).

This reduces the 9025 iterations (based on your post) to a fraction.


But.. even with 9025 iterations (if you'd have to generate compressed/uncompressed public keys and all 3 types of addresses) it would NEVER take 6-8 hours on a modern machine.
With a somewhat modern graphic card, this won't take much more than a minute.