I just got hacked - any help is welcome! (25,000 BTC stolen)

[allinvain]

so my only question is how can we be sure that this guy really had and lost all of this BTC? I mean really all a person would have to do is see someones posted address in there signature in the forums or in a reported block then post ehre saying please help me get it back! ( which translates to please help me steal this persons money for me!) lol.

But if this is in fact legitimate then i do feel empathy for you... to lose that much is horrible.. But to get that much is questionable...

I assure you it is legitimate. I have nothing to gain from this. In fact it may have been smarter to not even report it on the forum. But I figure I'd at least let everyone know about the hacker's address or to let them know that someone is out there with the know how to do this. I am not hte first and I will not be the last - mark my words.

What would you consider sufficient proof that I indeed controlled this balance?

[1714128152]

1714128152

[1714128152]

1714128152

[NO_SLAVE]

allinvain, you're not the only one.
Same hacker got to my mtgox account, he converted the USD i had to bitcoins and transfered them to the same address.

I'm not sure how he got in, if my pc is compromised or how this happened, i've been scanning and analyzing my pc for the past hours but nothing indicates a virus or whatever...

kwukduck,

if you indeed got hacked on mtgox we need more definitive information as to what happened. This is very serious for the whole bitcoin economy and other users of MTgox. 
Just based on your post I am stopping a USD transfer into MTgox.
Please elaborate on this rather serious matter.  What has MT gox said to you about this? NO communication? And of course there is no FDIC insurance.

 

[DamienBlack]

What would you consider sufficient proof that I indeed controlled this balance?

I have no doubt that you can provide proof that you controlled the balance. You cannot, however, provide proof that you do not still control the balance. This crime is unprovable. Bitcoin's strength is also its weakness.

[allinvain]

UNENCRYPTED wallet on multiple websites?

This is the most shocking part for me... he actually uploaded a half-million-dollar wallet.dat to the internet in the clear.

Wuala encrypts user side before uploading to the cloud, and I believe the same applies to Spideroak. OP mentioned he stopped using Dropbox as soon as he realized they don't.

Don't know what's shocking about that since it's very much not "in the clear" or "unencrypted".

However, this and other stories like it builds a case that there might be active attacks being made on Bitcoin participants, and if it's more than a few then meatspace explanations become statistically unlikely. I'd rather lean towards exploitable C-code in the client.

I agree. This is a very sophisticated attack on BTC users. Someone thinks we are a bunch of suckers.

It could be mining programs as well. I did run phoenix, ufasoft's sse miner, poclbm and numerious other mining programs on the machine that had the wallet.dat file. I upgraded the official client twice I think. I was/am running 0.3.21

Someone may wish to investigate the source code for all the mining programs - just to be on the safe side.

[allinvain]

If those coins indeed wound up on mtgox the thief can be identified as soon as he tries to get the money out of mtgox, no?

Yes if he is a stupid thief and tries to dump all 25,000 at once in one transaction.

I doubt he'd do that though.

[allinvain]

The more I read this thread the more absurd it gets

Work computer?
25k on computer used for browsing web?
UNENCRYPTED wallet on multiple websites?
Forensics can't do shit?

You must be either a troll or incredibly stupid. If it's the latter, and you obviously have no clue about online security, I suggest you still turn that computer off and hire someone reputable to take a look at it.

No it's my home computer. I use it to run online forums and other important stuff, plus it's trading forex right now and I had a trade going which I'm not sure if it closed successfully

the wallets were encrypted on all websites...I only had it once unecrypted on dropbox but then I deleted it when I read that their employees could read the files possibly.

the only unencrypted wallet was on my home computer...

Would you know if someone broke into your house? Who comes into your house regularly? Who has ever been in your house that knows about Bitcoin? Who knows you use Bitcoin at all?

Someone just posted that they got hacked and the funds got moved to the same address as I posted, so at this point I am operating under the assumption that this was not a meatspace attack. But I am looking at this side (meatspace) of thigs as well.

Man I'm having trouble replying to all these posts, so please forgive me if I seem to reply slowly.

[allinvain]

The more I read this thread the more absurd it gets

Work computer?
25k on computer used for browsing web?
UNENCRYPTED wallet on multiple websites?
Forensics can't do shit?

You must be either a troll or incredibly stupid. If it's the latter, and you obviously have no clue about online security, I suggest you still turn that computer off and hire someone reputable to take a look at it.

Yeah, I know he has over 800 posts. But "Allinvain"? The whole story reads like a very hip joke, or a deep cover sleeper troll.

"Allinvain" ----- get it?

heheh..you believe what you want. This is a very old IRC handle that I've used for 10+ years. I got irc logs to prove it too ..going back 5+ years. Allinvain is a handle I use on various forums sort of like a "throw away" forum account or handle. Ironically I was thinking of registering as "bitcoinguru" but I guess I ain't much of a bitcoin guru now..oh god the irony is killing me....

[DamienBlack]

It can't be "exploitable c code" in the client. Allinvein's pool payout address was changed. Someone had completely compromised his system, but he is saying anti-virus software has found nothing. Something able to compromise his system so thoroughly would have used a know vector, and the anti virus would find it.

All evidence points to the fact that his computer was compromised physically. Contact the pool operator and see if they can give you the exact time the address was changed. This is likely the exact time the thief was on your computer.

[allinvain]

the wallets were encrypted on all websites...I only had it once unecrypted on dropbox but then I deleted it when I read that their employees could read the files possibly.

the only unencrypted wallet was on my home computer...

If it's because of DropBox, know that as long as you hadn't done another 100 transactions since that point, a DropBox employee could use that old unencrypted backup and spend some/all the coins.

Yep...that could be! I don't think I done 100 transactions. I did receive a bunch of payouts form my mining efforts. I bought some vga dummy plugs but that's about all I did with that balance.

Like I said ealier on. at one point I did have the wallet.dat unencrypted on dropbox's servers..then I realized that I should not trust them and deleted the file..if that file doesn't get deleted permanently then hmm...I then stored the future wallet.dat files encrypted with AxCrypt on wuala first and then I found out about spideroak..so I copied the encrypted wallet.dat file there as well.

[allinvain]

I somehow doubt it was a physical attack.  I really dont think its hard for malware to upload one single tiny file from your machine to theirs, and that's it all your money is gone.

Seems that the person responsible is probably ddosing blockexplorer in order to keep you from investigating for a little bit. 

Yes this is a sophisticated attack. The very first thing I did was try to load up blockexplorer.com to see where the money went. Guess what, conveniently the site was down. Tried from another machine, it was down there too.

[allinvain]

Maybe one should state a new rule:

Don't hang around on IRC with a machine storing a lot of BTC.

I never did. I did backup my wallet.dat file to dropbox, wuala, and spideroak.

Once I read an article about employees of dropbox having access to users's files I deleted the wallet.dat file from there. I dunno, I doubt it was caused becaused someone had access to where i backed it up. It most likely means he/she (hacker) had access to my windows box and the UNENCRYPTED wallet.dat file.

The first thing I did when I saw this was restore the backup from these online storage sites, but still the transaction was still there so I could not invalidate one damn thing.

If you ever stored wallet.dat on dropBox unencrypted, I think an employee could get access to old versions of your wallet due to the fact that DropBox essentially stores a copy of every version of every file, as it changes over time. So even if you delete it from your hard drive i think you can go into DropBox web interface and get old versions of it. Presumably DropBox employees have this same type of access. This is why people store sensitive files on DropBox only if they are stored in encrypted containers (like a TrueCrypt volume).

TrueCrypt is annoying with DropBox though, because DropBox doesn't sync the changes to the container until after it is dismounted.

Wow crap. Yeah that could be another possible attack vector. I never knew that they store previous versions. I though the file was gone forever. oh what a noob I was..

[yeponlyone]

Someone just posted that they got hacked and the funds got moved to the same address as I posted, so at this point I am operating under the assumption that this was not a meatspace attack. But I am looking at this side (meatspace) of thigs as well.

um.. where was this posted??

[DamienBlack]

I personally doubt it was dropbox. The odds that someone who has access to files at dropbox knew what a wallet.dat was stumbled upon your file (which had been deleted) which happened to have half a million dollars worth of bitcoins on it is not even remotely likely. You were targeted by someone who knew what your bitcoin net worth was.

[allinvain]

Who had physical access to your computer around the time that your pool payout address was changed? They most likely grabbed your wallet at the same time they changed the payout address. By all the information you've given, this sounds like someone had physical access to your computer, copied your wallet and and later transferred everything out.

It is simple: who knew you owned a huge amount of bitcoins, and was near your computer when the pool payout address was changed? Seriously, make a list.

If you think no one has had access to your computer for long enough, who do you know that is slimy enough to actually sneak into your house? I give a 99.9% chance that this was a physical entry job.

Just to rule out the .1% chance that it was a hack, let me ask this: Have you downloaded anything recently related to bitcoins? A bitcoin generator? Anything that sounded too good to be true like a "free bitcoin program". If it was a trojan, it would most likely be targeted specifically at the bitcoin community.

P.S. I'm not sure I buy this story, but if it is true, you have my condolences.

Can't be that cause I was logged into the machine via RDP from work when the slush pool payout address got changed. I would've been disconnected from the session if someone tried to l go in locally.  

No I have never downloaded anything related to bitcoin other than mining programs.

[kwukduck]

NO_SLAVE

As i stated before i don't know how this happened, i have the feeling one of my machines is compromised. Since i haven't seen any other people complain about their mtgox accounts getting hacked i assume it was something at my end.
Then again i wonder why he got my MtGox account and not the wallet on my pc really...
I talked shortly to MagicalTux and submitted an email, he had to leave and no reply to the email yet.
I'll update whenever i know more.

Both, mine and allinvain's bitcoins have been sent to that particular address, so im assuming it's the same person or group that's doing this...

I'm working on backing up all my important data and reinstalling all pc's and flashing my phone... gonna be a shitload of work -.-

[allinvain]

I'm looking into this as well. The thing is this happened at 12:00 in the afternoon when I was sleeping with all my doors locked. I would've noticed if someone physically had access to my computer. Also maybe someone stole the wallet earlier? I have to serious do some searching into who was at my place over the last month.

Do you sleep in the same room as your computer? a lock is quite to pick and .5mil is a heluva motivator, is your lock able to be locked from the inside and then the door closed? the reason i ask is because if it was locked when you woke then, well, it is much harder to pick a lock closed then open, and thus makes it unlikely someone came in and left. granted, a meatspace attack could have happened while you were taking a shower a month ago and the coed down the hall grabbed it then and waited till now.

but blockexplorer being down is steering me away from meatspace...

I doubt it's meatspace. I sleep in a room right next to the computer room. Someone would have to crawl up the stairs and not wake me up to gain access to the computer.

[DamienBlack]

Your computer is open to RDP??? Well then, attack vector found. But you were still personally targeted.

[allinvain]

sry i have trouble actually beliving this, you just lost 500k$ and you have a problem with turning off your work pc? seriously?
personally i think this is a troll, but if not, then you did everything in your power to lose that money, short of posting your wallet.dat on forum for "safekeeping" and it most deffinetly was not a hack from far away, physical attack vectors are always 100X easier

if you dont know how to protect your assets they will find a new owner, that applies in both bitcoin and offline, someone having 500k$ under their bed and telling their friends about it will lose it very quickly too

I never said I can't turn off the computer. I said I can't turn it off at this very moment. I have to backup whatever important stuff I have left on it. I store in encrypted format password to some banking and other info. At this point I have to assume all that is compromised and eventually I have to go through the laborious task of changing everything! There are many things on my to do list.

I am not a troll.

do you remember why you chose that name a year and a half ago? it really is some amazing freudian foresight.

hahah..yeah I guess..I must be special in some supernatural way then...I chose that name cause at the time I was a bit more of a pessimistic thinker...that's all. All in vain is a play on words from a quote from the Bible...old testament..look it up..Solomon said it

[Capitan]

Is it possible that he was attacked due to something being compromised on one or more of the pools he's been using? I know Slush's pool was transmitting username and password in clear text. If Slush's setup were compromised an attacker could get user logins & pwd's to Slush's site. That could explain the payout address on Slush account being changed without the user's knowledge. Aside from the OP, there was one other instance of this happening being mentioned on the board. Or if something inside Slush's network is compromised they could easily pick up all the IP addresses of the pool's miners. Then the attacker would systematically scan those users' machines for security holes and infect all the vulnerable ones. I haven't ever used the tools or messed with this kind of stuff, but I know how to write code so it's clear to me that an attack like this could be done just by running a script. It wouldn't really take much effort. Or, no offense to Slush, Slush himself could be involved in some shady activities (I really mean no offense, I'm relatively new to the site so I don't know if he has some kind of high standing or established credibility here, if so, pardon).

If any users are using the same password on multiple sites that might be exploited to get into their PC. I think the focus on getting jerry-rigged programs and web apps set up in 1/2 a day has resulted in a ton of insecure stuff. People need to slow down and inspect all the new stuff coming online for security. Don't use the same password across more than one account.

No offense intended to the OP either, but his reaction doesn't seem realistic to the situation. I kind of had some doubts at certain points in this thread as to whether or not he was pulling our chain. People are trying to help him and he's not really providing any info that might help investigate what happened. His responses hardly answer any of the questions that were posed. He/she constantly attributes the problem to a hacked windows machine. Where is the evidence that this is what took place? I know that windows has a reputation of being insecure, but that doesn't automatically mean that was the attack vector. And anyone in their right mind who lost as much as the OP claims would not be talking about reformating their PC right away. If it were me I probably would just set that machine aside indefinitely with the hope that someone could examine it for evidence. But I understand that he might just be really emotional right now and not thinking clearly.


The two most likely sources of the attack seem to be:

1. An attacker found his IP via his pool mining activities (as in the hypothetical scenario I mentioned above), and did a mass attack on all the pool's miners. Some percentage of them might have been compromised. Or not.

2. A meatspace inside job; compromised his computer in advance, and took the BTC remotely. I don't see why the OP keeps saying it couldn't have been meatspace just because he didn't hear anyone enter his home. The attack could have been remote. He needs to really list all the people he knows IRL who were aware of his activities. From what I've read it's not that big a deal to social engineer someone you know IRL into running something that compromises their computer. Attackers sometimes just drop USB keys into the parking lot of a company they want to breach. Employees will often find those drives and out of curiosity plug them into the work machines and they are instantly infected. So someone the OP knows IRL could have passed something in an email, a USB thumb drive with a stealth auto-run trojan, or a CD/DVD with the same thing. Or the person used his computer sometime in the past to check their email or something, and when the OP wasn't looking, they planted a trojan on his Windows or Linux machines. They could have been monitoring him for a while to discover the passwords or whatever necessary to get to his wallet.

[allinvain]

Ain't it wonderful? Free money for doing nothing. Who says crime doesn't pay.

It does, for a while. Until it doesn't. Without exception, every criminal enterprise is eventually discovered, and its perpetrators pay the piper. It's not because they are stupid, mind you, it's because they are greedy and develop a god-complex. Rarely if ever do you see someone who's bent on stealing other people's money stop after one or two successful heists....

I know this is little consolation to you, but you need to grow faith in the fact that he will pay for what he/she did.

I have faith that I will end up making that money back and much more. I am a fairly entrepreneurial type and I have other things lined up that may work out for me. Life is funny though, you never really know what may happen, but right now I just gotta figure out a way to deal with the pain of this loss. It's not like I lost 1 BTC - we're talking here a very large portion of the BTC economy in the hands of some crook somewhere.

Thanks for your kind words though.