Author Topic: JUST HAD 0.92329 BTC STOLEN - HOW???  (Read 8298 times)
Blazr
Hero Member
*****
Offline Offline

Activity: 882
Merit: 1005



View Profile
May 02, 2015, 04:40:37 PM
 #141

Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Yes I was thinking that it could be a problem with low entropy. Electrum uses /dev/urandom to generate seeds (with some filtering IIRC). /dev/urandom doesn't work so good in a VM, and if you are doing encryption in the VM too then you are going to deplete the entropy further. I wonder if it could be that OP's wallet was generated using poor entropy, and a hacker out there trying to crack weak seeds managed to crack the seed, much like the johoe bc.info hack. It's less likely though as the /dev/urandom in Ubuntu is pretty good, and probably safe enough, but I wonder if VMWare could change that or maybe even specifically the OP's VMWare configuration, as the LRNG uses lots of hardware inputs to make entropy. In any case I think the most likely scenario is that OP's machine is infected or the hacker found a backup or got the wallet some way like that.
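
The guest-side RNG state discussed in the post above can be inspected from inside the Ubuntu VM. The script below is an added example, not part of the thread: it reads the kernel's entropy estimate and the bound hardware RNG device. The ROOT argument (for running against a copied /proc and /sys tree) and the 200-bit threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the RNG state of a Linux guest.
# ROOT is a hypothetical parameter pointing at a copied or constructed
# /proc and /sys tree; empty means the live system.

# Assumed threshold below which the kernel's estimate is flagged as low.
LOW_ENTROPY_BITS=200

read_first_line() {
    # Print the first line of a file, or nothing if it is missing/unreadable.
    [ -r "$1" ] && head -n 1 "$1" 2>/dev/null
    return 0
}

check_guest_rng() {
    root="${1:-}"
    avail=$(read_first_line "$root/proc/sys/kernel/random/entropy_avail")
    hwrng=$(read_first_line "$root/sys/class/misc/hw_random/rng_current")
    status=ok

    case "$avail" in
        ''|*[!0-9]*)
            echo "entropy_avail: unreadable"
            status=warn ;;
        *)
            echo "entropy_avail: $avail bits"
            if [ "$avail" -lt "$LOW_ENTROPY_BITS" ]; then status=warn; fi ;;
    esac

    # The kernel reports "none" when no hardware RNG driver is bound.
    case "$hwrng" in
        ''|none)
            echo "hw_random: no device bound"
            status=warn ;;
        *)
            echo "hw_random: $hwrng" ;;
    esac

    echo "result: $status"
    [ "$status" = ok ]
}
```

Calling check_guest_rng with no argument inside the guest checks the live system; a "warn" result is a prompt to look at how the hypervisor exposes randomness to the guest before generating keys there.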

shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1499


No I dont escrow anymore.


View Profile WWW
May 02, 2015, 04:43:33 PM
 #142

Two things.

#1 OP move this into the Electrum section please. This will make sure people with more knowledge about Electrum will read the thread. The option to move a thread is at the lower left of the page.

-> https://bitcointalk.org/index.php?board=98.0

#2 Isn't Electrum 2 still in beta?

Im not really here, its just your imagination.
bronan
Hero Member
*****
Offline Offline

Activity: 774
Merit: 500


Lazy Lurker Reads Alot


View Profile
May 02, 2015, 04:44:07 PM
 #143

you mean a quote like : like like like like like like like like like like like like like Wink
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
May 02, 2015, 04:44:36 PM
 #144

Another transaction : https://blockchain.info/it/tx/8a47c42aa28aefe9f47f28777c319265998730b6bf5fa0a3aadcd85f76c50906

This time with only 0.00003 bitcoin as fee. I'm so curious to see if he will add a blockchain.info tag also to that bitcoin address.


I'm quoting myself : aLL bTc in my handz SWX (https://blockchain.info/it/address/14GhadwWV4uaoxWZcNrnU3zWkTrtHbCF2T).


Electrum seed is different than the passphrase of a brainwallet, or am I wrong?

It is different, however it can be cracked in the same way, for example if you made up your own seed, one that is easy to remember, people often do things like this and if you do that it likely won't be very random and is vulnerable like a brainwallet. It is also possible that the hacker found the wallet file and noticed it was empty, so he set up his PC to sweep it once funds were transferred to it.


But it is so complicated to 'find' or crack 12 words (the electrum seed).

Wait, are you quoting your forum message or are you quoting "your" tag?  Grin

Sorry for your loss OP. But I have a feeling this is done by a troll that might give it back eventually.


With "I'm quoting" I meant quoting my previous post, because I thought the 'hacker' or whoever is managing the funds would surely add the blockchain.info tag.



But it is so complicated to 'find' or crack 12 words (the electrum seed).

If your twelve words are all the same word it isn't. Sometimes people "pick" their own seeds that are weaker.

In that case it is very easy, but usually it is the wallet (itself) that generates the 12 words as seed and you can't decide (or better can't modify) those words.
bronan
Hero Member
*****
Offline Offline

Activity: 774
Merit: 500


Lazy Lurker Reads Alot


View Profile
May 02, 2015, 04:44:48 PM
 #145

nope looks like an official release

Well it's possible that one would get the same one but it's very unlikely given the possible combinations.
But I remember one safe seller putting a large sum for those who could open it with a bunch of numbers; they assumed it would never happen.
The funny thing is a nice woman just did the lucky guess and got it out
unamis76
Legendary
*
Offline Offline

Activity: 1512
Merit: 1005


View Profile
May 02, 2015, 04:45:04 PM
 #146

Sorry for your loss. This is pretty odd... I highly doubt of an error in Electrum (if it was, the hackers would have many stolen Bitcoin right now), this was more a targeted attack, or so it seems.

More info about OP's setup would be needed... VM software, recently installed programs, weird wallet behavior in the last few days, possibility of infected USB's...
randayh
Sr. Member
****
Offline Offline

Activity: 386
Merit: 250


View Profile WWW
May 02, 2015, 04:48:40 PM
 #147

You're running Windows? Enough said...
bennybong (OP)
Hero Member
*****
Offline Offline

Activity: 682
Merit: 500



View Profile
May 02, 2015, 04:49:09 PM
 #148

Windows 7 and VMware from encrypted container running Ubuntu
Likely the problem is here, how good is the entropy of this encryption?

Pretty strong. I use TrueCrypt
rokkyroad
Legendary
*
Offline Offline

Activity: 1090
Merit: 1000


View Profile
May 02, 2015, 04:51:17 PM
 #149

Always a good idea to use chkrootkit in linux installs. Install it, open a terminal, enter   sudo chkrootkit

It should show you anything suspicious.

" If you have to spam and shout to justify your existence then you are a shit coin."  TaunSew
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1004


Core dev leaves me neg feedback #abuse #political


View Profile
May 02, 2015, 05:06:53 PM
 #150

Sorry to hear about it OP.

There's really no substitute for cold storage I guess.

Still, I have some coins in my online PC with electrum
and they are still there.

Like someone said, strange they were moved within a minute
of getting received...seems to be a clue.

Sarthak
Hero Member
*****
Offline Offline

Activity: 518
Merit: 501

Error 404: there seems to be nothing here.


View Profile
May 02, 2015, 05:12:23 PM
 #151

Mysterious theft! If you were an organization, I would have called it an "Insider Job" but you are an individual!
The hacker seems to be Genius! He got through such a secure computer system and hacked your wallet!
Why not try asking the hacker himself by sending a 0.0001 to his address and adding a public note on that transaction? Smiley

I'm really confused about this theft! How the hell did the hacker steal the coin?
Either the Hacker is a Genius or OP is trolling! (I don't mean I guarantee you are trolling)!

inBitweTrust
Hero Member
*****
Offline Offline

Activity: 658
Merit: 501



View Profile
May 02, 2015, 05:18:02 PM
 #152

I'm really confused about this theft! How the hell did the hacker steal the coin?
Either the Hacker is a Genius or OP is trolling! (I don't mean I guarantee you are trolling)!

Or he was compromised in one of many other ways we have been discussing. Just because someone doesn't think they were compromised in certain ways doesn't make it so. It's not like his coins were stored securely either. They were on a windows box, using an SPV client, and likely had pirated software. This doesn't constitute secure by any means.

bronan
Hero Member
*****
Offline Offline

Activity: 774
Merit: 500


Lazy Lurker Reads Alot


View Profile
May 02, 2015, 05:18:17 PM
 #153

Or through the fake emails with so-called offers and other crap which have a jar attached to steal anyone's coins
I had hundreds of them and all get deleted before even reaching any of the people who open emails
There are so many ways people can infiltrate computers these days, even some alt-coins are released containing wallet stealers.
The list is darn long with the ways criminals have invented to steal.
I caught several mining trojans as well which were using the cpu/gpu of my friends' computers

Sorry for your loss
Sarthak
Hero Member
*****
Offline Offline

Activity: 518
Merit: 501

Error 404: there seems to be nothing here.


View Profile
May 02, 2015, 05:20:46 PM
 #154

I'm really confused about this theft! How the hell did the hacker steal the coin?
Either the Hacker is a Genius or OP is trolling! (I don't mean I guarantee you are trolling)!

Or he was compromised in one of many other ways we have been discussing. Just because someone doesn't think they were compromised in certain ways doesn't make it so. It's not like his coins were stored securely either. They were on a windows box, using an SPV client, and likely had pirated software. This doesn't constitute secure by any means.

I am not a technical guy but as I read the thread whatever you guys ask OP gives a positive answer! Makes me think he stored it in a 100% secure way! But I am learning.. Nothing is perfect!

Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2298


View Profile
May 02, 2015, 05:24:34 PM
 #155

Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah Sad

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.
I think the chances are probably higher that the OP made the story up in order to try to get "donations". There are enough contradictions in this thread to suggest so.

The "hacker" only took funds from one address and having funds in only one address in an electrum wallet would be somewhat unusual, especially considering that change addresses are enabled by default.
redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
May 02, 2015, 05:27:19 PM
 #156

Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah Sad

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.
I think the chances are probably higher that the OP made the story up in order to try to get "donations". There are enough contradictions in this thread to suggest so.

The "hacker" only took funds from one address and having funds in only one address in an electrum wallet would be somewhat unusual, especially considering that change addresses are enabled by default.

He (the op) said :

can you send us a screenshot of your transaction log

Which one? From electrum? Or to electrum - because that came from an exchange.

Thanks

This is the transaction id: https://blockchain.info/it/tx/5cc872a7dc9bebb03290e9d537d57eba51056e764483a4f4ef4f6bc2bac66e0f

So I do not know if the OP is trolling or if he has really lost those bitcoins.

Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2298


View Profile
May 02, 2015, 05:29:27 PM
 #157

Well either way I'm fucked. Accepting donations to my sig.. Fuck my dignity. hah Sad

Based on the blockchain messages I would think that the hacker is likely reading this thread therefore I would suspect it was a more targeted attack as he likely knows the OP had an account here.
I think the chances are probably higher that the OP made the story up in order to try to get "donations". There are enough contradictions in this thread to suggest so.

The "hacker" only took funds from one address and having funds in only one address in an electrum wallet would be somewhat unusual, especially considering that change addresses are enabled by default.

He (the op) said :

can you send us a screenshot of your transaction log

Which one? From electrum? Or to electrum - because that came from an exchange.

Thanks

This is the transaction id: https://blockchain.info/it/tx/5cc872a7dc9bebb03290e9d537d57eba51056e764483a4f4ef4f6bc2bac66e0f

So I do not know if the OP is trolling or if he has really lost those bitcoins.


Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have
Blazr
Hero Member
*****
Offline Offline

Activity: 882
Merit: 1005



View Profile
May 02, 2015, 05:34:00 PM
 #158

Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) and that the funds were immediately swept into the hacker's address.

I have no idea if he is lying or not, unless you trust the OP a lot you shouldn't donate as there is no way we can know if OP is telling the truth.

redsn0w
Legendary
*
Offline Offline

Activity: 1778
Merit: 1042


#Free market


View Profile
May 02, 2015, 05:35:07 PM
 #159

Well it is somewhat unusual to have exactly zero bitcoin in your wallet IMO. Generally speaking when you buy something you are not going to be spending exactly all of what you have

OP claims that he was transferring the funds from his bitcoin exchange into his brand new electrum wallet (that was my interpretation anyway) ...

Exactly, I have already quoted the post made by the OP. However this is a reply from ThomasV:


Sorry for your loss.

The fact that the coins were stolen immediately means that the hacker had your seed or your private key before the coins were sent to you;
he was probably running a script waiting for some coins to land on compromised or weak private keys.

One thing you can do is publish your seed; it does not make sense to keep it private anymore.


..and that the funds were immediately swept into the hacker's address.

After 1 minute, it is not 'immediately' but he was 'very fast'.
Blazr
Hero Member
*****
Offline Offline

Activity: 882
Merit: 1005



View Profile
May 02, 2015, 05:37:52 PM
 #160

After 1 minute, it is not 'immediately' but he was 'very fast'.

Yes it usually takes about 1 minute for a transaction to propagate the network, so it took around a minute before the hacker's PC knew the address had received money that it could steal.
