Bitcoin Forum
  Show Posts
1  Bitcoin / Bitcoin Technical Support / Re: I GOT HACKED AND LOST 1 MILLION on: December 14, 2018, 12:33:35 PM
Because of that I can just recommend anybody to use a dedicated device or hardware wallet for cryptocurrencies - do not expose your funds to thieves and scammers. I wish I had taken these precautions myself in time.

I use (multiple) hardware wallets.. or I would have lost everything.
I also use a dedicated PC to do my crypto stuff.
I'm also not 100% noob concerning the computers/IT stuff.

And considering all the above, however, I still got robbed of something.
Analyzing the situation AFTER it happened is easy. There are like ten things that I could have done differently to avoid it (of course!), but the point is that a life is a long life... and sometimes you can't be perfect every single day, otherwise we will live in paranoia and fear.

- I should have paid much more attention to the wallet used; opinions on Reddit, guides on the web and an apparently legit website weren't enough.
- The fact that no AV/scans found anything wasn't sufficient to call the file safe.
- I could have used a VM to do this stuff (I have like 5 VMs installed on my machines, that are only a click away);
- I could have paid much more attention to how I use my trading platforms (leaving it open while not being at the PC is stupid, if looked after..);
- And finally the luck (bad luck): my daily hours (and dinner time) are normally different; that day I got delayed by other stuff, in 99% of other cases I would have been at the PC soon enough to block it before;

It's all about "imperfections" concatenated with each other, and I consider myself very lucky to have adopted hardware wallets from the very beginning and to be using 2FA on every exchange, so while I learned a lesson for "cheap" (cheap if compared with your amount) I won't consider myself "completely stupid". I'm not perfect, as every other human; maybe for the next months.. years.. I will pay much more attention than usual, but I'm sure that once I eventually forget to be extremely paranoid I may make the same mistakes again.

My idea is: don't be a complete bloke (for example: don't leave your wallet full of money on a bench in a mall), but don't start to be paranoid either (don't hide your money in a cave, under a rock, protected by lions), because if you start to be extremely paranoid you won't live anymore. So where do you hide your hardware wallet seed? What if someone finds it? Did you split it in 4 parts, sending it to 3 places around the world? Do you remember all the 24 words by memory? What if your memory is not good anymore? And stuff like this... you will always live with an "acceptable risk".
2  Bitcoin / Bitcoin Technical Support / Re: I GOT HACKED AND LOST 1 MILLION on: December 13, 2018, 09:38:57 AM
EU small claims is only for claims up to 5000 EUR. But sure I will give you the conversation with Cherry Servers.

Tnx. And yes, I specified: "Due to the low amount involved I can use the EU small claims...".
That's the amount they stole from me, and that's the reason why I'm proceeding against Cherry Servers. In the end I'm interested in having my money back, I don't care who will pay.
3  Bitcoin / Bitcoin Technical Support / Re: I GOT HACKED AND LOST 1 MILLION on: December 13, 2018, 01:21:54 AM
I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers proving their negligence.
The evidence to support the thesis is the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer, and while they didn't want to disclose the customer's identity (perfectly legal without a court/police mandate) they didn't react, nor did they care to check the server, leaving it operative for several days and so leaving the criminals doing more damage (including to me).
I may have more chance to settle this due to their negligence than trying to find the "hacker", because it would cost me more money in lawyers than what they robbed.

The EU law exonerates the providers/hosts from the illegal activities conducted on their network/servers provided that they are unaware of it, while it obliges them to react immediately as soon as they become aware of the illegal conduct. The email sent by Valerian is clear evidence that they became aware of it, but not having reacted immediately, they became co-responsible for every subsequent damage. Hopefully it will make progress.

Honestly I will not invest much time in this, I mean I won't go to Lithuania to talk to them, and surely I won't spend another cent on this.

@Valerian: if you can provide me in private with the original conversation you had with Cherry Servers, it will greatly help!
4  Bitcoin / Bitcoin Technical Support / Re: I GOT HACKED AND LOST 1 MILLION on: December 12, 2018, 02:05:15 PM
> Which wallet did you download before the attack happened? Also some AVs certainly are not top-level protection, and you mention AVG and Avira, which in my opinion are very low on my trusted list. You probably installed a remote access trojan (RAT) on your PC, and with that hackers can do almost everything.

I downloaded the fake BCD wallet, I think it was Electrum-BCD-3.1.2-portable.exe from electrumdiamond.org (that is now closed/suspended).
What fooled me was the guides on Reddit on how to claim your forks.
Of course I downloaded the malicious software; I'm a little surprised that the AVs didn't catch this, as apparently it's pretty old, not 0-day stuff. However, still my mistake, I shouldn't have used the PC where I trade.

> You do not mention the use of a firewall, which is very important; most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software + hardware wallets. I know you are a trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious file downloads.

I limit the firewall usage coz I'm behind a NAT, while you're still exposed to the outgoing connections that can be exploited only by malicious software running on the PC, which is the case here. It's the first time that a file passed through my checks and scans. I would have probably authorized the wallet's network traffic anyway ...maybe the firewall would have caught the RAT after the installation, but it's all assumptions here.

What I know is that even while knowing about the infection, no scan has found it (I also gave it a pass with Malwarebytes), I had to trace it back "manually".

And it wasn't a traditional RAT, there was no "fake" app starting with my PC, and no port listening (it wouldn't have worked while behind a NAT without a proper port forwarding or uPNP). It was the app calling the remote server from my PC, and the app was a perfectly legit instance of notepad. I mean if it wasn't for the network activity, I would have never found it.

So they obfuscated the code well to not get caught, and used notepad as a wrapper (proxy) to run the malicious code (you run the legit process suspended, and then you use the allocated space to run your own code).
5  Bitcoin / Bitcoin Technical Support / Re: I GOT HACKED AND LOST 1 MILLION on: December 11, 2018, 01:07:17 PM
Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges.
I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious.
The next day I was trading on Kraken, went for the dinner (I left it open, coz I believed it was a fast one...!), they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank, I have been very lucky or I would have lost a much bigger amount, they still managed to get the equivalent of 1.7BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
- They promptly deleted the above emails (or I would have figured it on my mobile), I found them later in my trash folder;

Then I started to investigate the vector. When I was confident that it was the wallet.. I was almost sure after having read this thread, which I found by searching the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine, Antimalware found nothing.
Even by looking at the compromised app (notepad) everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however this isn't much relevant).

Again, I was very lucky to have moved the money away from it, they must have noticed me moving the funds away and "risked" their move being worried that I would have emptied the whole thing, after all 1.7BTC is better than nothing for a robber!
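The way the implant was found in the two posts above (a signed, legitimate-looking notepad instance that nevertheless held a connection to an external IP while every AV and anti-malware scan reported the machine clean) is a behavioural check that can be scripted rather than repeated by hand. The following is an added example, not code from this thread or from any product named in it: a Python script that cross-references the output of `netstat -ano` with `tasklist /fo csv /nh` and flags any process from a configurable list of images that never need network access (notepad.exe and similar) holding a connection to a routable, non-private address. The netstat and tasklist output embedded below is constructed for the example (the only value taken from the thread is the IP address reported in it), and the `NO_NETWORK_EXPECTED` list is an assumption to tune per host.

```python
"""Flag processes that should never talk to the network but hold connections
to public addresses.  Added example for this thread, not the poster's tooling."""
import csv
import io
import ipaddress
import re
import sys
from dataclasses import dataclass

# Images that have no business holding outbound connections.  This set is an
# assumption for the example; extend it for the host being examined.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# One socket line of `netstat -ano` (Windows), e.g.
#   TCP    192.168.1.5:49712      46.166.160.158:443     ESTABLISHED     4120
# UDP lines carry no state column, hence the optional group.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)

# Constructed sample output; only 46.166.160.158 comes from the thread.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:49712      46.166.160.158:443     ESTABLISHED     4120
  TCP    192.168.1.5:49720      192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.5:49801      93.184.216.34:443      ESTABLISHED     2216
  UDP    0.0.0.0:5353           *:*                                    1588
"""

# Constructed `tasklist /fo csv /nh` output matching the PIDs above.
TASKLIST_SAMPLE = """
"svchost.exe","912","Services","0","12,000 K"
"notepad.exe","4120","Console","1","18,244 K"
"System","4","Services","0","148 K"
"chrome.exe","2216","Console","1","210,000 K"
"svchost.exe","1588","Services","0","9,000 K"
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    remote_ip: str
    remote_port: str
    state: str


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state, pid) for each socket line."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, _lip, _lport, rip, rport, state, pid = m.groups()
            rows.append((proto, rip, rport, state or "", int(pid)))
    return rows


def parse_tasklist_csv(text):
    """Map PID -> lower-cased image name from `tasklist /fo csv /nh` output."""
    mapping = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            mapping[int(row[1])] = row[0].lower()
    return mapping


def is_public(ip):
    """True for a globally routable address; False for private, loopback,
    unspecified, or netstat placeholders such as '*' and '[::]'."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def find_suspicious(netstat_text, tasklist_text):
    """Cross-reference sockets with image names and flag no-network images
    that hold a socket to a public address (the notepad case in the thread)."""
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for _proto, rip, rport, state, pid in parse_netstat(netstat_text):
        image = images.get(pid, "<unknown>")
        if image in NO_NETWORK_EXPECTED and is_public(rip):
            findings.append(Finding(pid, image, rip, rport, state))
    return findings


if __name__ == "__main__":
    # Usage: python flag_hollowed.py net.txt tasks.txt  (else the samples run)
    if len(sys.argv) == 3:
        net = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        tasks = open(sys.argv[2], encoding="utf-8", errors="replace").read()
    else:
        net, tasks = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for f in find_suspicious(net, tasks):
        print(f"SUSPECT pid={f.pid} image={f.image} -> {f.remote_ip}:{f.remote_port} {f.state}")
```

On the affected host the two captures are `netstat -ano > net.txt` and `tasklist /fo csv /nh > tasks.txt`; the script then reports the notepad instance and nothing else, because the browser talking to a public address is expected and the SMB session stays inside the private range. The check is deliberately signature-free: it keys on behaviour (who holds the socket) rather than on file hashes, which is why it still fires when the hosting process is a genuine, Microsoft-signed binary.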