Bitcoin Forum
Author Topic: Armory 0.94.1 is out  (Read 12128 times)
bitcoinron
May 23, 2016, 08:32:38 PM
 #141

Ok, I will now try to import all 5 wallets into wallet.dat on my bitcoin install and see if that restores the coins.
goatpig (OP)
Armory Developer
May 23, 2016, 09:13:50 PM
 #142

Whatever it was appeared to push all my coins to this wallet:

18mhcZ4tdD2GQquSrMda5TPzgRodAEfYeF


I am hoping it's a bug.. I just spent money and time to lose money.. $2000 is a lot of money for me.

This is 1/3rd of the story at best.

We are talking about 5BTC, split in 2 wallets, ~2.9 BTC in wallet A, ~2.1 BTC in wallet B.

On May 6th, 3 transactions in block #410492 moved coins from wallets A and B to address 18mhcZ4tdD2GQquSrMda5TPzgRodAEfYeF:

- tx 1&2 move all coins from wallet A. All coins in this wallet were split between 2 addresses. The spending tx each sweep one of these addresses.
- tx 3 moves all coins out of 1 address from wallet B, about 0.28 BTC.

In all cases, there was no change and all outputs were spent regardless of how small they were (a few were >0.02 BTC). This pattern is indicative of a private key sweep.

However, all transactions came with small fees. All fees were >0.002 BTC. Considering one of these tx spends 10 utxos and another one 7, we're far below the proper fee/kB for quick confirmation. The fact that all 3 tx were confirmed within the same block with such low fees is possibly an indicator that they sat in the mempool for some time.

This to me doesn't characterize theft, rather deliberate private key sweeping. You would expect a thief targeting your private keys would be sophisticated enough to pay a 0.01 total fee on 3 tx stealing some 3 BTC just to get included in the next block.

This accounts for ~3.2 BTC. If the story ended there, and you claimed 3.2 BTC were stolen, then you would have more evidence supporting your claim than otherwise. The fee analysis alone is not strong enough on its own to refute theft. However, you are claiming 5 BTC are missing, and the last ~2 BTC leave your wallet in a different fashion.

---------------

About half a day later, in block #410581, 6 transactions move coins from wallet B.

- 5 tx spend to address 1CDyeeCHcReYhfaeTb37Piwq8ZWqLtHU5o
- 1 tx spends to address 12DaNV3b6iSobe5uMwBELYdMkoLJ1V4eto
- 4 out of 6 addresses return change
- As a result of change, wallet B currently has a balance, albeit rather small. Nonetheless, this balance remains larger than some of the smaller utxos that were redeemed among all these transactions.
- The fee/kB density of these 6 transactions is over 2~3 times superior (guesstimate) than that of the first 3 transactions.

---------------

It is also notable that prior to these 9 transactions, you only spent coins once, from wallet B, in November 2015. This implies, in case you use online wallets, that you rarely if ever typed in your password to decrypt your private keys. The point is moot if your wallets are offline. On the other hand, there is not much to discuss if your wallets are online and unencrypted.

This observation narrows down the possible attack vectors. Since you didn't spend any coins for months prior to the event, this couldn't have been an attack on the recipient address (swapping a payment address for the attacker's), nor an adversary process trying to steal your password/encryption key or decrypted private keys in RAM. This also rules out RNG snafu.

Again this point is moot if you toyed around with your password a few hours before the coins moved. This comment in particular and this post in general should be a reminder that you need to provide as many details as possible if you hope to find out what happened to your coins. Your wallets only speak that much.

The only credible attack vector that remains is that someone has access to your encrypted wallets (physical access to your computer, cloud storage backup, infected machine, etc...) and your passwords (possibly brute forced if they are weak, again need more details here). However, this would contradict the sweeping pattern: why sweep private keys if you crack a wallet? Just spend it all in one go.

Still this doesn't explain why the attacker would sweep all keys from one wallet and only ~15% from the other, nor his spending pattern (you'd expect 1:1 spend address to wallet address, or a single address for all wallets), nor why he deemed it useful to return change, nor why he paid low fees to steal >60% of your coins and much higher fees for the remainder, and lastly why he did it 12h apart.


bitcoinron
May 23, 2016, 09:58:28 PM
 #143

So I guess this is some type of trojan that has been sitting calling bitcoind every 10 minutes or something trying to extract private keys?

I'm trying to port over to bitcoin-qt now to verify. I don't know exactly how it was done. I remember it was a day I visited a litecoin website and installed litecoin.
bitcoinron
May 23, 2016, 10:03:06 PM
 #144

There is some brief window in time that allows this to be read from bitcoind after unlocked?

bitcoinron
May 23, 2016, 10:04:20 PM
 #145

Wallets should not have been unlocked with bitcoind at those two times. I don't see how they can have my passphrase. Will update soon.

That address is still growing where coins have been transferred.
goatpig (OP)
Armory Developer
May 23, 2016, 10:55:34 PM
 #146

There is some brief window in time that allows this to be read from bitcoind after unlocked?

What has bitcoind to do with this? Have you imported your private keys into a Core wallet before this event? Armory wallets are entirely separate from the underlying node. Armory never communicates private nor public keys to the Bitcoin node, nor does it need to.

bitcoinron
May 24, 2016, 12:15:54 AM
 #147

No, I haven't done this exported and imported before

I am still trying to figure out how to export from armory to a format I can use in bitcoin-qt console for function

importprivkey

I tried PrivBase58, PrivHexBE, SHA256(?) format but it would give me the error:

Invalid private key encoding (code -5)

achow101
May 24, 2016, 12:47:03 AM
 #148

So I guess this is some type of trojan that has been sitting calling bitcoind every 10 minutes or something trying to extract private keys?

I'm trying to port over to bitcoin-qt now to verify. I don't know exactly how it was done. I remember it was a day I visited a litecoin website and installed litecoin.

If you are calling Armory a trojan, then you are mistaken. It is not a virus nor is it malware.

No, I haven't done this exported and imported before

I am still trying to figure out how to export from armory to a format I can use in bitcoin-qt console for function

importprivkey

I tried PrivBase58, PrivHexBE, SHA256(?) format but it would give me the error:

Invalid private key encoding (code -5)

When you look at the Address key info, you want to use the "Private Key (base58)" or if you exported the key lists you want "PrivBase58", both are the same. You want to copy that string without spaces in order to import to Bitcoin Core. There is a handy little checkbox when you export the key list to "Omit spaces in key data". The key should start with a "5" (all uncompressed Bitcoin private keys start with a 5). If it does not, then it is not the importable private key.
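
The "Invalid private key encoding (code -5)" error hides which of the WIF checks failed. The following validator is an added example written for this thread (not Armory's or Bitcoin Core's code) that runs the same structural checks a WIF import performs, namely base58 alphabet, 0x80 version byte, 32-byte key with optional compression flag, and double-SHA256 checksum, and names the failing one. The sample key is the publicly documented Bitcoin wiki test vector, not anyone's real key.

```python
import hashlib
# Bitcoin's base58 alphabet (no 0, O, I or l, so a space or a typo is rejected).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Every leading zero byte is represented by a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not valid base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def wif_encode(privkey: bytes, compressed: bool = False) -> str:
    # Mainnet WIF: 0x80 || 32-byte key || optional 0x01 flag || 4-byte checksum
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))

def wif_decode(wif: str) -> tuple:
    """Return (privkey_bytes, compressed) or raise ValueError with the reason,
    which is what Core hides behind 'Invalid private key encoding (code -5)'."""
    raw = b58decode(wif)
    if len(raw) < 5:
        raise ValueError("string too short to hold a key and checksum")
    payload, cs = raw[:-4], raw[-4:]
    if cs != checksum(payload):
        raise ValueError("checksum mismatch: a character is missing or wrong")
    if payload[0] != 0x80:
        raise ValueError("version byte is not 0x80 (not a mainnet key)")
    if len(payload) == 33:
        return payload[1:], False          # uncompressed: WIF starts with '5'
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True         # compressed: WIF starts with 'K'/'L'
    raise ValueError("payload length is wrong for a WIF key")
# Publicly documented test vector (Bitcoin wiki), not anyone's real key.
SAMPLE_KEY = bytes.fromhex("0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")
SAMPLE_WIF = "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ"
```

Running `wif_decode` on a pasted Armory export string before calling importprivkey tells you whether a stray space, a dropped character or a wrong format is the problem.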

bitcoinron
May 24, 2016, 01:53:48 AM
 #149

I am not calling Armory a trojan, I am talking about a trojan running at the same time as Armory trying to steal bitcoins.

Thanks, I am trying to import now. I am thinking of how this could be possible.
bitcoinron
May 24, 2016, 01:56:53 AM
 #150

I keep getting Invalid private key encoding (code -5) in bitcoin-qt console
bitcoinron
May 24, 2016, 02:04:17 AM
 #151

I have no way to verify this is correct in bitcoin core.

I need to export my wallets in core to make sure my coins are stolen.

importprivkey is not working on the armory exports
bitcoinron
May 24, 2016, 02:24:48 AM
 #152

It just doesn't make sense to me, I need to confirm in bitcoin-qt

I'm working to generate payment in coins here.. have about 5..

Then one day armory just shows incorrect balances and the interface starts being buggy..

And so it's now a trojan or something that stole the coins but the interface is buggy so I can't tell

I want to export into bitcoin-qt core to see the balances there before I conclude someone must have trojaned my computer and stole those from multiple wallets with passphrase

But now I can't export to bitcoin-qt with any armory export?

Any ideas?
achow101
May 24, 2016, 02:35:47 AM
 #153

I am not calling Armory a trojan, I am talking about a trojan running at the same time as Armory trying to steal bitcoins.

Thanks, I am trying to import now. I am thinking of how this could be possible.
I keep getting Invalid private key encoding (code -5) in bitcoin-qt console
I have no way to verify this is correct in bitcoin core.

I need to export my wallets in core to make sure my coins are stolen.

importprivkey is not working on the armory exports
It just doesn't make sense to me, I need to confirm in bitcoin-qt

I'm working to generate payment in coins here.. have about 5..

Then one day armory just shows incorrect balances and the interface starts being buggy..

And so it's now a trojan or something that stole the coins but the interface is buggy so I can't tell

I want to export into bitcoin-qt core to see the balances there before I conclude someone must have trojaned my computer and stole those from multiple wallets with passphrase

But now I can't export to bitcoin-qt with any armory export?

Any ideas?

It works fine for me. You need to make sure that you are not missing any characters and don't have any spaces in the private key.

P.S. You should stop posting consecutive posts like you are doing right now. It is very spammy. Instead, when you have some information to add and no one has responded yet, please edit your last post with that extra info.

AussieHash
May 24, 2016, 03:52:12 AM
 #154

I remember it was a day I visited a litecoin website and installed litecoin.

Was it an unsolicited phishing link that encouraged you to install litecoin that day?

See also https://bitcointalk.org/index.php?topic=1478385.0;all
bitcoinron
May 24, 2016, 05:49:42 AM
 #155

Yes, it's confirmed in bitcoin core someone managed to steal all my coins out of all wallets in armory with passphrases on the wallets

AussieHash
May 24, 2016, 05:53:01 AM
Last edit: May 24, 2016, 08:09:00 PM by AussieHash
 #156

Armory's key points of differentiation are privacy and the security of cold offline signing +/- multisig lockboxes.

If you're not using an air-gapped cold offline signing process with Armory (especially if running windows), then you're no more secure than just using a wallet on a jailbroken phone.
goatpig (OP)
Armory Developer
May 24, 2016, 10:15:45 AM
 #157

Armory's key points of differentiation are privacy and security of cold offline signing +/- multisig lockboxes.

If you're not using an air-gapped cold offline signing process with Armory (especially if running windows), then you're no more secure than just using a phone wallet.

And he still hasn't provided that level of detail. Are the wallets offline or online? How long are the passwords, do they contain easily identifiable tokens? Does he use the same password for each wallet? Has he manipulated his wallets within the week leading to the event and how? What about month? Has he changed encryption on his wallet recently? Does he have cloud storage backups? What password do they use? Does he know of the addresses that received the coins? Has he scanned his online machine for infection? Any logs we can look at?

I've spent enough time on this. Short of some new significant evidence, this is in the hands of the community.

bitpop
May 24, 2016, 05:41:17 PM
 #158

Armory is supposed to be used offline for maximum security. I trust it solely with all my bitcoin.

For you, use trezor in the future.

Stroto
June 01, 2016, 09:25:10 AM
 #159

Question.

Is it possible to see the size of a tx before you send it? Either with direct sending or with the steps of creating an unsigned tx - sign & broadcast it?

I ask this because I made a transaction that had a huge size in kb and so an extremely low fee sats/byte that will take ages to confirm.

So next time I would like to prevent that.
goatpig (OP)
Armory Developer
June 01, 2016, 02:19:43 PM
 #160

Question.

Is it possible to see the size of a tx before you send it? Either with direct sending or with the steps of creating an unsigned tx - sign & broadcast it?

I ask this because I made a transaction that had a huge size in kb and so an extremely low fee sats/byte that will take ages to confirm.

So next time I would like to prevent that.

You can look at the raw tx after signing it, in the offline signing/broadcasting dialog.
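
The size and fee-density reasoning goatpig applies earlier in the thread (a ten-input sweep with no change and a low fee/kB) is the same estimate Stroto is asking for before broadcasting. The script below is an added example, not Armory's code: it uses the standard legacy P2PKH size approximation (10 bytes overhead, about 148 bytes per input, 34 bytes per output) over constructed transactions, flags the no-change sweep pattern, and compares the fee density to an assumed 50,000 sat/kB target; the addresses and amounts are made up.

```python
SAT = 100_000_000  # satoshis per BTC

def estimate_p2pkh_size(n_in: int, n_out: int) -> int:
    """Approximate serialized size of a legacy P2PKH tx (pre-segwit, as in 2016).
    Assumed per-part sizes: 10 bytes overhead, ~148 bytes per input signed with an
    uncompressed key, 34 bytes per P2PKH output."""
    return 10 + 148 * n_in + 34 * n_out

def analyze(tx: dict, wallet_addrs: set) -> dict:
    """tx = {"inputs": [sat, ...], "outputs": [(address, sat), ...]}.
    Flags the no-change, single-destination pattern of a private key sweep and
    reports the fee density that decides how fast the tx confirms."""
    n_in, n_out = len(tx["inputs"]), len(tx["outputs"])
    size = estimate_p2pkh_size(n_in, n_out)
    fee = sum(tx["inputs"]) - sum(v for _, v in tx["outputs"])
    change = [v for a, v in tx["outputs"] if a in wallet_addrs]
    return {
        "size_bytes": size,
        "fee_sat": fee,
        "sat_per_kb": fee * 1000 // size,
        "looks_like_sweep": not change and n_out == 1,
        "smallest_input_sat": min(tx["inputs"]),
    }

def would_confirm_quickly(report: dict, target_sat_per_kb: int) -> bool:
    # Assumed target fee rate; pick the current mempool rate in practice.
    return report["sat_per_kb"] >= target_sat_per_kb

# Constructed sample data (not the thread's real transactions): wallet A holds
# ten UTXOs that are all swept to one outside address with a 0.0002 BTC fee.
WALLET_A = {"1A-addr-alpha", "1A-addr-beta"}
SWEEP_TX = {
    "inputs": [5_000_000] * 9 + [1_500_000],           # 0.465 BTC in ten coins
    "outputs": [("1Outside-destination", 46_480_000)],  # no change returned
}
# A normal spend from the same wallet: two inputs, payment plus change.
SPEND_TX = {
    "inputs": [20_000_000, 5_000_000],
    "outputs": [("1Outside-destination", 24_000_000), ("1A-addr-beta", 980_000)],
}

if __name__ == "__main__":
    for name, tx in (("sweep", SWEEP_TX), ("spend", SPEND_TX)):
        r = analyze(tx, WALLET_A)
        print(name, r, "fast:", would_confirm_quickly(r, 50_000))
```

The same fee, 0.0002 BTC, is a reasonable density on the two-input spend but far too low on the ten-input sweep, which is exactly why the input count has to be known before the fee is chosen.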
