To the people who had their bitcoin/namecoin stolen, have you looked into the debug.log file to find RPC commands or SelectCoins ?
Search for the first 10 letters of the transaction hashs.
Here is a GUI send :
SelectCoins() best subset: 1.23 1.06 ... total 22.01
keypool reserve 126
CommitTransaction:
CTransaction(hash=098965f2b9, ver=1, vin.size=25, vout.size=2, nLockTime=0)
CTxIn(COutPoint(6554c9ecaa, 0), scriptSig=304402203c8f52bf2c25a8ce)
CTxIn(COutPoint(a0b776cee1, 0), scriptSig=3046022100c4b95389985809)
...
CTxOut(nValue=0.01000000, scriptPubKey=OP_DUP OP_HASH160 b3a0ff9fa3f2)
CTxOut(nValue=22.00000000, scriptPubKey=OP_DUP OP_HASH160 4701dd3e06ec)
keypool keep 126
AddToWallet 098965f2b9 new
MainFrameRepaint
AcceptToMemoryPool(): accepted 098965f2b9
Here is a RPC sendtoaddress :
ThreadRPCServer method=sendtoaddress
keypool added key 128231, size=101
keypool reserve 128131
CommitTransaction:
CTransaction(hash=710438e56f, ver=1, vin.size=1, vout.size=2, nLockTime=0)
CTxIn(COutPoint(3098238868, 0), scriptSig=304502202acb7a569d9c32f0)
CTxOut(nValue=4.68010990, scriptPubKey=OP_DUP OP_HASH160 d1ec6c940e5b)
CTxOut(nValue=0.29989010, scriptPubKey=OP_DUP OP_HASH160 33fe2eae2657)
keypool keep 128131
AddToWallet 710438e56f new
AcceptToMemoryPool(): accepted 710438e56f
Receiving your own tx or crafted by someone else :
AddToWallet 710438e56f update
SetBestChain: new best=000000000000673663b7 height=14910 work=402279768606933255
ProcessBlock: ACCEPTED
There is several ways to steal money :
1. Copying the wallet
Requires a physical access to the wallet. This can be a trojan (or an infected bitcoin/namecoin binary) that sent your wallet.
No trace in logs, except you receive "your" transactions (like any others) that are created on another computer...
2. Using the RPC command : sendtoaddress
Requires a local or remote access with an infected binary (bitcoin/namecoin/trojan/remote flaw/hole/etc)
You should find "method=sendtoaddress" in your logs.
3. Using the internal send functions
Requires a local or remote infected bitcoin/namecoin binary.
You should find a SelectCoins with a tx hash matching.
4. You put a backup of your wallet on dropbox (with the same login/pass as mtgox, or you wallet was stolen during the "no password" bug of dropbox)
We have a first response here :
http://forum.bitcoin.org/index.php?topic=22937.msg288852#msg288852All my bitcoins to 15Afx45asCysyNd9HE7xeZTkzLgDq2JCEx.
Nothing to be done?
My Bitcoin client shows a number of transactions to that address overnight while my computer was asleep and the current balance in the Bitcoin client is now zero.
This prove the full wallet file was stolen. Coins are sent to the same address as yours, so, we can deduce this is the same case...
=> never use that wallet again, because it contains a lot of other pre-generated and currently unused keys.
There is another case, for namecoin :
http://dot-bit.org/forum/viewtopic.php?p=715#p715Wallet file was stored on a secured linux box, and accessed remotely with a windows.
Edit :Binary releases on dot-bit are compiled by :
- linux 32/64 : myself (all versions)
- windows : grue (all versions) -
http://forum.bitcoin.org/index.php?topic=6017.msg251017#msg251017- mac osx : lebish (first mac release) -
http://forum.bitcoin.org/index.php?topic=6017.msg268981#msg268981