Bitcoin Forum
November 08, 2024, 11:23:55 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 [4] 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 »
  Print  
Author Topic: I just got hacked - any help is welcome! (25,000 BTC stolen)  (Read 381802 times)
Gareth Nelson
Hero Member
*****
Offline Offline

Activity: 721
Merit: 503


View Profile
June 13, 2011, 09:54:25 PM
Merited by vapourminer (1)
 #61

If you stored your wallet.dat in three online sites unencrypted, any one of those places could have possibly taken the bitcoins by loading that wallet.dat on their client then spending the coins.

Spreading the file out in multiple places isn not necessarily the best idea unless the file is securely encrypted by YOU and not the place that is storing it.

That's precisely what i've done for years personally (but for far less sensitive data - a MySQL dump of a website with 20k users including private messages - the "private" bit being what's sensitive).
Basically I encrypt the SQL dump with a stupidly long key and a passphrase made up of random letters and numbers only I know and send it to a bunch of reasonably trustworthy individuals to store.

For a bitcoin wallet backup, personally I ain't letting anyone else have physical possession even with incredibly strong crypto - any crypto system other than a one-time pad can fall eventually, and it only takes one smart and patient attacker to wait out the years/decades before cracking a bunch of wallet files and using them. I could get rich in BTC only to lose it all due to a silly mistake years ago.

One thing that I would advise for anyone with a large amount of BTC though is to split it up across multiple wallets, the majority of them completely offline and stored in physically secure locations. If I had something in the 6 figure range i'd definitely be paranoid about it.
allinvain (OP)
Legendary
*
Offline Offline

Activity: 3080
Merit: 1083



View Profile WWW
June 13, 2011, 09:54:55 PM
 #62

Looks like the thief is selling them on MtGox as we speak. LOL

Maybe. Who knows. It would suck if bitcoin price tanked because of me. God, that would be double worse for  me and for everyone else.


Gareth Nelson
Hero Member
*****
Offline Offline

Activity: 721
Merit: 503


View Profile
June 13, 2011, 09:56:20 PM
 #63

Once again: Encryption would not have protected anything. Encryption can protect stored data. It does not protect a wallet file that is in use, because it is accessed by the client and stored unencrypted in main memory.

In theory yes. Of course it would protect against stealing the wallet file. Normally you only need the data encrypted for doing transactions which is a very short time window. Especially with savings wallets which get accessed not very often. An encrypted wallet that stays encrypted even while the client is running would do tons in favor of security.
There is a big difference between getting one time access to a machine and having a program running to wait for the wallet to be decrypted in memory for 100ms.


Encrypt wallet, decrypt only when the user wants to send coins - interesting idea.
NO_SLAVE
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
June 13, 2011, 09:56:36 PM
 #64

Yeh, and the non geeks are going to be able to get and use BTC. Roll Eyes   Faith is quickly draining, except for the hackers stealing BTC. So amazing to me, is the general atheist, hard darwin belief most hackers and BTCs believers seem to espouse, and yet at the same time this naive belief in the goodness of humans and the "community".  REALLY Perplexing.

More and more crims showing up by the day, and the more the government associates BTC with silk road etc, the more crims will be alerted to the opportunities....
Alex Beckenham
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
June 13, 2011, 09:57:24 PM
 #65

UNENCRYPTED wallet on multiple websites?

This is the most shocking part for me... he actually uploaded a half-million-dollar wallet.dat to the internet in the clear.

Even I wonder about hosting companies seeing the wallet.dat on people's web servers.

bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
June 13, 2011, 09:57:36 PM
 #66

Once again: Encryption would not have protected anything. Encryption can protect stored data. It does not protect a wallet file that is in use, because it is accessed by the client and stored unencrypted in main memory.

In theory yes. Of course it would protect against stealing the wallet file. Normally you only need the data encrypted for doing transactions which is a very short time window. Especially with savings wallets which get accessed not very often. An encrypted wallet that stays encrypted even while the client is running would do tons in favor of security.
There is a big difference between getting one time access to a machine and having a program running to wait for the wallet to be decrypted in memory for 100ms.


You always have to assume that the attacker knows how the client works. Anything else isn't security.

Misspelling protects against dictionary attacks NOT
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
June 13, 2011, 09:58:46 PM
 #67

Once again: Encryption would not have protected anything. Encryption can protect stored data. It does not protect a wallet file that is in use, because it is accessed by the client and stored unencrypted in main memory.

In theory yes. Of course it would protect against stealing the wallet file. Normally you only need the data encrypted for doing transactions which is a very short time window. Especially with savings wallets which get accessed not very often. An encrypted wallet that stays encrypted even while the client is running would do tons in favor of security.
There is a big difference between getting one time access to a machine and having a program running to wait for the wallet to be decrypted in memory for 100ms.


Encrypt wallet, decrypt only when the user wants to send coins - interesting idea.


That's how I do it. I described it in a thread:
http://forum.bitcoin.org/index.php?topic=15068.0

Misspelling protects against dictionary attacks NOT
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
June 13, 2011, 10:00:04 PM
Merited by vapourminer (1)
 #68

I'm far more paranoid - I used a dedicated machine for BTC and only connected it to the network to do transactions.  Also sent most of my coins to an offline wallet all the way in the beginning - generated on a computer with no network connection, hand keying the address off the screen.  The only way Bitcoin or any other cryptocurrency will succeed in the future IMO is a hardware-based wallet (which is essentially what I have been using, it just happened to be in the shape of an old laptop).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
allinvain (OP)
Legendary
*
Offline Offline

Activity: 3080
Merit: 1083



View Profile WWW
June 13, 2011, 10:01:36 PM
 #69


The problem is that I can't shut the machine as this is my work machine.


It might be somebody you work with.

That may be possible too. There are many possibilities at this point. Question is how can I find evidence of this. Bitcoin is a double edged sword that is for sure. If I had all these funds in paypal I wouldn't be crying now lol..

Oh god...

Hawkix
Hero Member
*****
Offline Offline

Activity: 531
Merit: 505



View Profile WWW
June 13, 2011, 10:01:57 PM
 #70

I just read a part of allinvain's older posts. A day ago he noticed someone changed his payout address in the Slush pool. And he was using strong password.

Considering this, I think that the attack was committed from his own Windows machine. Someone got access (probably even physically).

It could be a sophisticated virus. But if it would steal his pool password, it could not grab his wallet. And vice versa. Would I design a worm stealing Bitcoins, I would not care about some pool payout address. I would just grab wallets.

So, someone who can gain access to your PC might stole your Bitcoins.


Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
June 13, 2011, 10:03:06 PM
 #71

I'm far more paranoid - I used a dedicated machine for BTC and only connected it to the network to do transactions.  Also sent most of my coins to an offline wallet all the way in the beginning - generated on a computer with no network connection, hand keying the address off the screen.  The only way Bitcoin or any other cryptocurrency will succeed in the future IMO is a hardware-based wallet (which is essentially what I have been using, it just happened to be in the shape of an old laptop).

Yeah, that's what I would do if I had thousands of coins.

Misspelling protects against dictionary attacks NOT
allinvain (OP)
Legendary
*
Offline Offline

Activity: 3080
Merit: 1083



View Profile WWW
June 13, 2011, 10:04:25 PM
 #72

start making $2k per day.  After 10 days of that you'd have it back.

$20k != $500k


Please don't remind me Sad. That  25K BTC could've done a lot of good for the BTC community when I eventually would spend it on BTC related projects - which I had in mind to do. For example I wanted to set up the BTC equivalent of ebay, which I believe is one of the things that the BTC community needs - a strong auction site.

*sigh*

Maxxx
Member
**
Offline Offline

Activity: 70
Merit: 11



View Profile
June 13, 2011, 10:11:38 PM
Merited by vapourminer (1)
 #73

Computer forensics likely won't reveal the attacker, especially not after so much access to the data on your disk afterwards. To really get something with forensics the proper response is to image RAM while it is still running and then image the physical hard drives.

I know of a case where an individual lost 160k USD to a RAT (remote access trojan) and was unable to recover any of it because of how the USD was split up and pulled out of accounts via mules and sent to shady banks in Eastern Europe.

They were running Norton A/V on Windows and did not run Windows update or update their Java installation. The source of the attack was from a banner ad on a legit website which used a java exploit that had been patched for months. The RAT had a reverse proxy as well so the attacker actually used the individuals PC as a proxy to sign in to online banking.

Unfortunately, just encrypting the wallet file would not have fixed this problem, if it was malware and not someone in meatspace. Just as the bank used SSL/TLS for web management and included username/password and image through login. Bitcoin is no less and no more secure than any online banking.

Time is money. This means that if you have spare time, you can use it to make money.

Modular, open, and stack-able miner case.
bitcoinBull
Legendary
*
Offline Offline

Activity: 826
Merit: 1001


rippleFanatic


View Profile
June 13, 2011, 10:13:05 PM
Merited by vapourminer (1)
 #74

You need to examine the possibility of this being meatspace theft.

You said something about a work computer.  A co-worker with a keylogger would have defeated an encrypted wallet (he'd have the encryption password).  Get over the encrypted wallet thing.  Also not windows fault.

You don't know that this was a due to a windows exploit.  As for an old wallet.dat file on some internet host?  Possible.

Meatspace is more likely.

It seems to me that you are imagining internet boogiemen and pimply faced russian script kiddies and placing your fear on windows exploits and unencrypted wallet files.

Sounds to me that you are much too trusting of people you meet in meatspace, because your fear is placed in the unknown in cyberspace.

None of that matters in a meatspace attack.  Physical access.

You told people about your BTC activity.  Meatspace.

Work computer?  Meatspace.

My point is that you don't know if it was a meatspace attack or a cyberspace attack.

But if it was a meatspace attack, you'll have a much better chance of tracking him there than in cyberspace.

College of Bucking Bulls Knowledge
Clipse
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502


View Profile
June 13, 2011, 10:19:00 PM
 #75

If the guy is selling right now on mtgox he will be selling all of them as fast as possible.

Phone up or do whatever you can to get hold of mtgox, pretty sure this person would have loaded all the coins onto mtgox so even tho he isnt selling all of them in one go you could freeze his mtgox account and sort out the matter with evidence etc to make sure who the legit owner is.

That would be your best option.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
June 13, 2011, 10:21:06 PM
 #76

It could be a sophisticated virus. But if it would steal his pool password, it could not grab his wallet. And vice versa. Would I design a worm stealing Bitcoins, I would not care about some pool payout address. I would just grab wallets.

Nowadays it seems these payloads are now "multifunction" all-in-ones.

I once had a machine get infected with malware - it threw up the usual fake antivirus mumbo jumbo - and also had a folder full of temporary files.

In the temporary files, the malware had constructed a message that was left in cleartext and presumably went to the author: "eBay passwords found... none.  eGold passwords found... none.  Hotmail passwords found... none".  Fortunately all of these were "none" becuase I don't save this crap on my computer.

It also had all my keystrokes since the time I got the malware, which started out iwth an instant message to a friend, along the lines of "shit, I think I just got a virus".  I shut down and reinstalled my OS right away onto a different hard drive.

The idea that malware does "this" - so therefore it does not do "that" - is not a safe assumption.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Maxxx
Member
**
Offline Offline

Activity: 70
Merit: 11



View Profile
June 13, 2011, 10:26:01 PM
 #77

Meatspace is more likely.

I have to agree with this possibility as very likely as well. If the BTC was transferred from your physical computer by someone at the keyboard, computer forensics might yield useful data. Unless you keep messing up the datestamps on files via virus scanning.

With forensics in this case, it might be shown what other things occurred on the machine at the time of the transfer. Like, if it occurred at night at a particular time and there were only a few people in the building at that time.

The other possibility is that you were targeted online specifically. Just think if you've received targeted email, PMs, IMs, etc. Social engineering this way can be one of the easiest methods. Just look at HBGary Federal as an example.

Time is money. This means that if you have spare time, you can use it to make money.

Modular, open, and stack-able miner case.
Gareth Nelson
Hero Member
*****
Offline Offline

Activity: 721
Merit: 503


View Profile
June 13, 2011, 10:32:49 PM
 #78

It could be a sophisticated virus. But if it would steal his pool password, it could not grab his wallet. And vice versa. Would I design a worm stealing Bitcoins, I would not care about some pool payout address. I would just grab wallets.

Nowadays it seems these payloads are now "multifunction" all-in-ones.

I once had a machine get infected with malware - it threw up the usual fake antivirus mumbo jumbo - and also had a folder full of temporary files.

In the temporary files, the malware had constructed a message that was left in cleartext and presumably went to the author: "eBay passwords found... none.  eGold passwords found... none.  Hotmail passwords found... none".  Fortunately all of these were "none" becuase I don't save this crap on my computer.

It also had all my keystrokes since the time I got the malware, which started out iwth an instant message to a friend, along the lines of "shit, I think I just got a virus".  I shut down and reinstalled my OS right away onto a different hard drive.

The idea that malware does "this" - so therefore it does not do "that" - is not a safe assumption.

I've worked with AI systems that can self-modify based on particular goals with very high realtime performance in a very lightweight application. If I wanted to, I could combine a selection of attack vectors as primitive actions in the goal system, code a set of rules for finding pool-like sites in browser history and wallet-like files and give it the goal of "obtain as many bitcoins as possible". Such a system would be capable of getting an enormous number of coins through a worm attack in a very short amount of time.

The thing is though, i'm not a worm author - this would require a specific overlap of "worm author", "bitcoin user" and "AI knowledgeable" that is very very rare.

Much more likely is a local compromise - occam's razor would tell us to ignore the unrequired entity of an external anonymous party on the internet to explain this theft. I'd look at coworkers and the staff of the remote backup services myself.
r2k-in-the-vortex
Newbie
*
Offline Offline

Activity: 19
Merit: 0


View Profile
June 13, 2011, 10:34:39 PM
 #79

sry i have trouble actually beliving this, you just lost 500k$ and you have a problem with turning off your work pc? seriously?
personally i think this is a troll, but if not, then you did everything in your power to lose that money, short of posting your wallet.dat on forum for "safekeeping" and it most deffinetly was not a hack from far away, physical attack vectors are always 100X easier

if you dont know how to protect your assets they will find a new owner, that applies in both bitcoin and offline, someone having 500k$ under their bed and telling their friends about it will lose it very quickly too
Freakin
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
June 13, 2011, 10:41:13 PM
 #80

If the guy is selling right now on mtgox he will be selling all of them as fast as possible.

Phone up or do whatever you can to get hold of mtgox, pretty sure this person would have loaded all the coins onto mtgox so even tho he isnt selling all of them in one go you could freeze his mtgox account and sort out the matter with evidence etc to make sure who the legit owner is.

That would be your best option.

MtGOX has $1k/day, $10k/month cashout limits.  He won't get far selling them all on MtGox rapidly.


Pages: « 1 2 3 [4] 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!