Bitcoin Forum
Topic: I just got hacked - any help is welcome! (25,000 BTC stolen)
Alex-Z
June 14, 2011, 12:05:21 AM
 #101

I somehow doubt it was a physical attack. I really don't think it's hard for malware to upload one single tiny file from your machine to theirs, and that's it, all your money is gone.

Seems that the person responsible is probably ddosing blockexplorer in order to keep you from investigating for a little bit. 
Capitan
June 14, 2011, 12:06:24 AM
 #102

If there was a means to invalidate the thief's coins or to reclaim them, then the same could be done to a legitimate user.
Bitcoin is a secure system only so long as you keep your wallet secured - and sadly it seems you were not able to adequately do so.

This isn't a reason to abandon bitcoin completely or to dismiss it as flawed, but of course it's understandable that you wouldn't want to reinvest after having lost so much.

Keep an eye on that address in block explorer and you might find transactions that end up at some publicly-identifiable address, that might give you some chance of identifying the thief.

I haven't looked at the block chain data structure, but is it possible to set up a service that tracks coins? Kind of like Lo-Jack for bitcoins? I'm not sure how that would work with fractions of bitcoins though. I'm not even sure how a specific "Bitcoin" is distinguished from any other, but my vague understanding is that that is how it works. So this would be a web app where people like the OP register the address of their stolen or lost bitcoins, and the website permanently watches the block chain for activity for the flagged bitcoins. Email/text notifications of course.

I'm not sure how useful that would be because I'm not familiar with what data is available and what isn't, in the chain. Thinking about it more I'm not sure there would be much value in it. Someone could falsely flag any random coins as being stolen from them, and how would anyone prove ownership? But if there were some way to prove that they were stolen, then this tracker app could be used as a clearinghouse by people and institutions who want to only deal in clean money. Exchanges could refuse any coins that are flagged as stolen, etc. One way to prove ownership might be to register bitcoins with this website when you get them, and the website somehow verifies your ownership. That would be a precautionary step in case you ever get robbed of BTC.

Eh. Anyone who knows more about how the chain works know if this kind of thing is feasible?
Capitan
June 14, 2011, 12:18:30 AM
 #103

Maybe one should state a new rule:

Don't hang around on IRC with a machine storing a lot of BTC.

I never did. I did back up my wallet.dat file to dropbox, wuala, and spideroak.

Once I read an article about employees of dropbox having access to users' files I deleted the wallet.dat file from there. I dunno, I doubt it was caused because someone had access to where I backed it up. It most likely means he/she (hacker) had access to my Windows box and the UNENCRYPTED wallet.dat file.

The first thing I did when I saw this was restore the backup from these online storage sites, but still the transaction was still there so I could not invalidate one damn thing.

If you ever stored wallet.dat on DropBox unencrypted, I think an employee could get access to old versions of your wallet due to the fact that DropBox essentially stores a copy of every version of every file, as it changes over time. So even if you delete it from your hard drive I think you can go into the DropBox web interface and get old versions of it. Presumably DropBox employees have this same type of access. This is why people store sensitive files on DropBox only if they are stored in encrypted containers (like a TrueCrypt volume).

TrueCrypt is annoying with DropBox though, because DropBox doesn't sync the changes to the container until after it is dismounted.
DamienBlack
June 14, 2011, 12:18:48 AM
 #104

Who had physical access to your computer around the time that your pool payout address was changed? They most likely grabbed your wallet at the same time they changed the payout address. By all the information you've given, this sounds like someone had physical access to your computer, copied your wallet and later transferred everything out.

It is simple: who knew you owned a huge amount of bitcoins, and was near your computer when the pool payout address was changed? Seriously, make a list.

If you think no one has had access to your computer for long enough, who do you know that is slimy enough to actually sneak into your house? I give a 99.9% chance that this was a physical entry job.

Just to rule out the .1% chance that it was a hack, let me ask this: Have you downloaded anything recently related to bitcoins? A bitcoin generator? Anything that sounded too good to be true like a "free bitcoin program". If it was a trojan, it would most likely be targeted specifically at the bitcoin community.

P.S. I'm not sure I buy this story, but if it is true, you have my condolences.
bodhipraxis
June 14, 2011, 12:19:32 AM
 #105

There are many, many disturbing aspects to this story.
The comment regarding the client's possible vulnerabilities made me think --
a) "exploitable c code in the client" :: since jgarzik awarded the bounty to puddinpool back last fall, how reliable is the security audit for the open-source bitcoin Windows client?
b) Although the 'allinvain' online name also made me wonder, the quality of this person's responses inclines me to think they are honest. Methinks that if we want the larger world to adopt BTC, we are going to have to be proactive in creating ways that theft and hacking don't overwhelm the bitcoin. Read the Economist article today: largely positive, except for the bit at the end which describes the 'nerd-centric' nature of the Bitcoin. If there is a vulnerability in the client, we need to find it.
yeponlyone
June 14, 2011, 12:21:47 AM
 #106


I'm looking into this as well. The thing is this happened at 12:00 in the afternoon when I was sleeping with all my doors locked. I would've noticed if someone physically had access to my computer. Also maybe someone stole the wallet earlier? I have to seriously do some searching into who was at my place over the last month.



Do you sleep in the same room as your computer? A lock is quite easy to pick and .5mil is a helluva motivator. Is your lock able to be locked from the inside and then the door closed? The reason I ask is because if it was locked when you woke then, well, it is much harder to pick a lock closed than open, and thus makes it unlikely someone came in and left. Granted, a meatspace attack could have happened while you were taking a shower a month ago and the coed down the hall grabbed it then and waited till now.

but blockexplorer being down is steering me away from meatspace...
bitcool
June 14, 2011, 12:27:56 AM
Last edit: June 14, 2011, 12:44:17 AM by bitcool
 #107

With enough time and patience, finding out who stole the coins is possible. You need to have software and keep watching the block chain and follow the "money trail".

All those stolen coins eventually have to reach an exchange if someone tries to convert to fiat. Even though exchanges currently do not publish their receiving addresses, I am sure they have certain unique characteristics. If you can identify one of these addresses in the money trail, you should contact them and get their cooperation. With so much at stake, it's hard to think they won't help. The good thing is, the more transactions this thief makes, the better chances you have.

Longer term, I think the bitcoin community should refuse to do business with exchanges that don't publish their receiving addresses. This is for their own good (avoid legal liability) and benefits the community.

EDIT: Just had a 2nd thought on this, may not be a good idea. It's a two-edged sword.
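
The coin-tracking service asked about in post #102 and the "money trail" software described in post #107, as an added example that is not part of the original thread. It assumes a constructed five-transaction chain with made-up names and amounts, and shows that what gets followed is transaction outputs rather than individual coins, that fractions are handled by carrying a flagged share forward, and how much an unrelated party gets flagged under each of two hypothetical policies.

```python
from fractions import Fraction

# Constructed sample chain in confirmation order (all names and amounts are made
# up; amounts are whole BTC, no fees). "ins" reference earlier outputs as
# (txid, output index); "outs" are (address, amount).
CHAIN = [
    {"txid": "coinbase_a", "ins": [], "outs": [("victim", 25000)]},
    {"txid": "coinbase_b", "ins": [], "outs": [("bystander", 5000)]},
    {"txid": "theft", "ins": [("coinbase_a", 0)], "outs": [("thief_1", 25000)]},
    {"txid": "split", "ins": [("theft", 0)],
     "outs": [("thief_2", 10000), ("thief_3", 15000)]},
    # Stolen and unrelated coins spent together: the hard case for a tracker.
    {"txid": "mix", "ins": [("split", 0), ("coinbase_b", 0)],
     "outs": [("exchange_deposit", 12000), ("thief_4", 3000)]},
]


def trace(chain, flagged, policy="haircut"):
    """Return {outpoint: (address, amount, flagged_amount)} for unspent outputs
    that still carry some of the flagged value.

    policy="haircut": each output inherits the flagged share of its inputs.
    policy="poison":  any flagged input marks every output as fully flagged.
    """
    utxo = {}  # outpoint -> (address, amount, flagged amount)
    for tx in chain:
        spent = [utxo.pop(op) for op in tx["ins"]]  # inputs leave the unspent set
        total_in = sum(amount for _, amount, _ in spent)
        flagged_in = sum(part for _, _, part in spent)
        if policy == "poison":
            share = Fraction(1 if flagged_in else 0)
        else:
            share = Fraction(flagged_in, total_in) if total_in else Fraction(0)
        for index, (address, amount) in enumerate(tx["outs"]):
            outpoint = (tx["txid"], index)
            part = Fraction(amount) if outpoint in flagged else amount * share
            utxo[outpoint] = (address, amount, part)
    return {op: rec for op, rec in utxo.items() if rec[2] > 0}


def report(hits):
    """Format one alert line per unspent output holding flagged value."""
    return [f"{txid}:{i} {addr} holds {float(part):.0f} of {amount} flagged"
            for (txid, i), (addr, amount, part) in sorted(hits.items())]


if __name__ == "__main__":
    stolen = {("theft", 0)}  # the output the victim reports as stolen
    for policy in ("haircut", "poison"):
        print(policy)
        print("\n".join(report(trace(CHAIN, stolen, policy))))
```

Under the haircut policy the flagged total stays at 25,000 however the outputs are split; under the poison policy it grows to 30,000 because the bystander's 5,000 is swept in at the mixing transaction.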
Alex-Z
June 14, 2011, 12:29:21 AM
 #108

You guys honestly don't realize how unlikely a "meatspace" attack is? Come on.
Alex Beckenham
June 14, 2011, 12:30:39 AM
 #109

With so much at stake, it's hard to think they won't help.

You think laundry operators will help?

yeponlyone
June 14, 2011, 12:32:47 AM
 #110

You guys honestly don't realize how unlikely a "meatspace" attack is? Come on.

man, there are many people who would grab a half mil from their mom if they didn't think they would get caught. meatspace cannot be ruled out unless this guy is a complete recluse and nobody knows to connect his body to bitcoin.
allinvain (OP)
June 14, 2011, 12:34:35 AM
 #111

sry I have trouble actually believing this, you just lost 500k$ and you have a problem with turning off your work pc? seriously?
personally I think this is a troll, but if not, then you did everything in your power to lose that money, short of posting your wallet.dat on forum for "safekeeping" and it most definitely was not a hack from far away, physical attack vectors are always 100X easier

if you don't know how to protect your assets they will find a new owner, that applies in both bitcoin and offline, someone having 500k$ under their bed and telling their friends about it will lose it very quickly too

I never said I can't turn off the computer. I said I can't turn it off at this very moment. I have to backup whatever important stuff I have left on it. I store in encrypted format password to some banking and other info. At this point I have to assume all that is compromised and eventually I have to go through the laborious task of changing everything! There are many things on my to do list.

I am not a troll.

allinvain (OP)
June 14, 2011, 12:37:05 AM
 #112

I didn't read too many pages in so I'll just throw my two cents in,
This sounds like a case of lack of security.
Trojan or not if you made as many backups and encrypted as much as you say you did
this shouldn't be a problem.
Nobody just has fat stacks of BTC/cash just lying around ready for anybody to take especially in this economy.
Next time encrypt your wallet.dat file, copy it to an inaccessible folder in your smartphone like I do,
Delete the wallet.dat file from your computer.
Problem solved!

I did encrypt the wallet.dat file on 4 different locations - 3 online and 1 offline (USB stick). But that doesn't mean shit if the original bitcoin file is still on my PC unencrypted. It was stupid of me to trust my security that much. I should have spread the money around as many wallets as possible and also on a computer NOT running Windows. Yes yes I know it's all very easy for you guys to criticize.

yeponlyone
June 14, 2011, 12:37:27 AM
 #113

sry I have trouble actually believing this, you just lost 500k$ and you have a problem with turning off your work pc? seriously?
personally I think this is a troll, but if not, then you did everything in your power to lose that money, short of posting your wallet.dat on forum for "safekeeping" and it most definitely was not a hack from far away, physical attack vectors are always 100X easier

if you don't know how to protect your assets they will find a new owner, that applies in both bitcoin and offline, someone having 500k$ under their bed and telling their friends about it will lose it very quickly too

I never said I can't turn off the computer. I said I can't turn it off at this very moment. I have to backup whatever important stuff I have left on it. I store in encrypted format password to some banking and other info. At this point I have to assume all that is compromised and eventually I have to go through the laborious task of changing everything! There are many things on my to do list.

I am not a troll.

Do you remember why you chose that name a year and a half ago? It really is some amazing Freudian foresight.
allinvain (OP)
June 14, 2011, 12:37:54 AM
 #114

What do I get if I get your money back?

What do you want? lol I doubt you can get it back honestly.

allinvain (OP)
June 14, 2011, 12:39:36 AM
 #115

It's stuff like this that gives govts a legitimate reason to shut bc down, unfortunately... Banks have protection against this sort of stuff, at least. If this really was a remote cyber attack, which seems likely given the circumstances, I highly doubt the perpetrator is noob enough to start selling massive amounts of BTC on mtgox, which can probably be traced back to him. Chances of the reversibility of this transaction are bleak at best, though from what I gather, that's supposed to be one of the fortes of bc.

My condolences to the OP.  Hopefully people learn from this.

True, this would not have been a problem in a bank. Foolish of me to hoard them. I should've just sold half of the damn things.

Lesson to me, lesson to the developers to do more to secure the wallet.dat file and the bitcoin balance.

allinvain (OP)
June 14, 2011, 12:41:58 AM
 #116

allinvain, you're not the only one.
Same hacker got to my mtgox account, he converted the USD I had to bitcoins and transferred them to the same address.

I'm not sure how he got in, if my pc is compromised or how this happened, I've been scanning and analyzing my pc for the past hours but nothing indicates a virus or whatever...

Wow you sure? wow this is awesome - well sort of - that I have corroborating evidence that I am not the only victim and that this is some hacker for sure. I can now rule out my friends stealing from me.


Garrett Burgwardt
June 14, 2011, 12:43:17 AM
 #117

No you can't.

It is far more likely that there are multiple attackers.
allinvain (OP)
June 14, 2011, 12:49:24 AM
 #118

Conveniently blockexplorer is down as well... I'm sure many have their eyes out for you and surely someone could be hired to help you recoup your loss given the right incentive. Light speed and good luck OP.

Thank you Sir. I much appreciate your condolences. I would be glad to pay anyone a good chunk of those bitcoins to get them back.

If you guys had any idea how much I believed in BTC. I can't believe I managed to control myself from selling them all. I could've and I thought about it when it was at $30. Then I waited and waited even when it hit $10. I remember watching the price like a hawk. My big hope was that I could use them to start some sort of viable BTC business that would not only grow the value of my existing coins but of everyone else's.


JeanLucPicard
June 14, 2011, 12:51:22 AM
 #119

Ain't it wonderful? Free money for doing nothing. Who says crime doesn't pay.

It does, for a while. Until it doesn't. Without exception, every criminal enterprise is eventually discovered, and its perpetrators pay the piper. It's not because they are stupid, mind you, it's because they are greedy and develop a god-complex. Rarely if ever do you see someone who's bent on stealing other people's money stop after one or two successful heists....

I know this is little consolation to you, but you need to grow faith in the fact that he will pay for what he/she did.
DamienBlack
June 14, 2011, 12:51:29 AM
 #120

No you can't.

It is far more likely that there are multiple attackers.

Exactly. How would one hacker randomly have access to both of you? It simply isn't likely. Furthermore the attack vectors were different, one was mt gox, the other your wallet and pool payout. I see no similarities at all. There is still a 99.9% chance that this was a physical attack by someone who knew you, knew you had bitcoins, and is around your computer a lot.