I just got hacked - any help is welcome! (25,000 BTC stolen)

[AntiVigilante]

PS: To everyone talking about encrypted wallets: It is possible to generate a receiving address on a computer that has NEVER been connected to the internet and never will be.  That address can receive coins (though they will obviously not appear in the GUI on the offline computer).  The computer and its (hopefully backed-up) keys can remain offline forever until it must sign a transaction transferring the coins elsewhere.  You could then transfer the wallet to an internet-connected workstation, send out whatever transactions are necessary, and then send the remaining coins back to a new address you've created on your "offline-forever" machine.  There is absolutely no need for a computer holding a destination address key to be connected to the network ever.

That's a good idea, but it doesn't help security if the network connected machine is compromised. The moment you copy over the wallet to send, it's compromised too. Also, you somehow have to be able to clean install the non-connected machine. If you do this by downloading an OS image, the download machine has to be clean to begin with etc. You can't really guarantee any of that, or expect the average user to do it.

A 'BTC bank' is one obvious solution, the question is whether you want to compromise the distributed idea by centralizing some aspects of it (similar to exchanges). I think the next big hero is whoever comes up with a decentralized version piggybacking off the existing blockchain network. Centralized versions could coexist of course, for if you want something like a 2 factor authentication method. A proper implementation could prevent unauthorized transactions from your wallet, even if your machine is compromised.

Jesus. (going blue in the face)

Just implement Unix file semantics on accounts and addresses: RECEIVE, SEND, OPERATE / VIEW (for accounts)

[dserrano5]

I have a friend with several thousand in his wallet (mined from earlier in the year) and he just leaves his laptop on without encryption and carries it around with him around town. I could have easily transferred the BTCs to my wallet while he was in the washroom.

Do it.

Then a day or two later, return him the money . He will learn the lesson.

[Gareth Nelson]

For a bitcoin wallet backup, personally I ain't letting anyone else have physical possession even with incredibly strong crypto

Actually, there are provably secure systems which have nothing to do with encryption, and very little to do with the idea of a OTP.

Do tell!

[jackjack]

I have a friend with several thousand in his wallet (mined from earlier in the year) and he just leaves his laptop on without encryption and carries it around with him around town. I could have easily transferred the BTCs to my wallet while he was in the washroom.

Do it.

Then a day or two later, return him the money . He will learn the lesson.

I approve this message

[kokojie]

I wonder if you had adequate antivirus on your windows machine? It'd be very hard for a trojan to take control of your computer if you had adequate security software, that can detect trojan behavior. Plus Win7 has some default security built in like UAC. I think it'd take a seriously good hacker (like top 0.001% in the world), to hack a windows machine, over the internet, with firewalled router + good security software + UAC turned on.

[Rob P.]

go to the police! 25k BTC are about $500.000, thats crazy! they can investigate and find out who it was.

Doubtful.  They'll take a report.  The people on these boards are MUCH more likely to be able to assist in a situation like this than the Police.  10 BTC says that when he states that "Bitcoins were stolen" they look at him cross-eyed.

Also, putting your BTC inside of a virtual machine on a Windows computer is no safer than having them on the Windows computer itself.  You can mount the VM drive to Windows, you can screen scrape, keyloggers will still get every key sent to the VM.

[Rob P.]

I am the flaw with bitcoin, but let's be honest the wallet should be encrypted. The developers should've put a very very high priority on this the moment bitcoin went over $1.

An encrypted wallet wouldn't have helped you.  If you had Malware on the system, especially a keylogger, they'd have your key for the wallet.

[michaelmclees]

Offer 5,000BTC to a private investigator to get the info you want.

[midnightmagic]

For a bitcoin wallet backup, personally I ain't letting anyone else have physical possession even with incredibly strong crypto

Actually, there are provably secure systems which have nothing to do with encryption, and very little to do with the idea of a OTP.

Do tell!

I can't, it would give away where my wallet is.. which I guess is kind of stupid, because why did I post to begin with then, right?

Stupid. Sorry.

Also, assuming you did lose your wallet, allinvain, when I read your story it was like a punch in the gut. Some hacker douche is into emo gut-punchery, and I hope you track those coins until the end of time, finally get a name, and then Hulk Smash. Good luck. :-( Come to think of it, though, why don't you call the police and get them involved? Open a case at least. You are paying taxes into their paycheques, and theft of this size is more illegal than smaller amounts.

[Bazil]

Hmm, since Lulzsec is claiming he caused the market correction, maybe he stole the bitcoins with a trojan to sell in mtgox for dirt cheap.  Can someone track down if those bitcoins went into mtgox?

[casascius]

I am surprised after all this time no one (including me) has suggested he post his debug.log.

That might narrow down how the coins got sent, at least can narrow down as to whether the coins were sent from his own computer (either by "meatspace" as suggested, or a trojan that allowed complete remote control) versus the transaction being initiated from a different machine.

Though I am not certain if debug.log could contain private keys.  I would hope not.

[dserrano5]

I think anything requiring "Updates" (Including Windows and certain GNU/Linux distros, most graphical browsers) is inherently insecure.

I ROTFL'd at this.

[bitclown]

This is an excellent opportunity for jgarzik to demonstrate how easy it is to track down these "pretty bleepin' dumb kids" who thinks Bitcoin is anonymous...

[allinvain]

I am surprised after all this time no one (including me) has suggested he post his debug.log.

That might narrow down how the coins got sent, at least can narrow down as to whether the coins were sent from his own computer (either by "meatspace" as suggested, or a trojan that allowed complete remote control) versus the transaction being initiated from a different machine.

Though I am not certain if debug.log could contain private keys.  I would hope not.

I can do that. Do you think that would expose anything to the hacker? I'll have to consult first with someone who knows better than me.

[phillipsjk]

I think anything requiring "Updates" (Including Windows and certain GNU/Linux distros, most graphical browsers) is inherently insecure.

I ROTFL'd at this.

That is because you don't understand how insecure modern computers really are. "Automatic Updates" are the equivalent of a security blanket: they may even protect you from some known attacks (like a blanket can protect you from cold). However, any software shipping with automatic updates enabled is not proven correct. Automatic updates also require you to trust the software provider not to be malicious or make further mistakes.

At the time of this writing, there is no such thing as as a "totally secure" live CD. Until August 14, 2009, I thought you could be safe by using "Read-only" memory to guard against attack. Then I read about an attack against a voting machine using a harvard architecture (Code is in read-only memory). They leveraged a single stack overflow into a full compromise of the machine using return-oriented programming.

It is possible to prove software is correct; it just takes time and expense few are willing to invest yet. For example, the L4 Mirokernel has been machine checked. Long term, software development houses need to start compiling their code on proven correct hardware as well. This will involve using ROM burners programmed using toggle switches and hardwired CRC checkers. The "proven correct" source code would have to be stored on microfiche or something similar.

But sometimes, I think may I have just gotten too paranoid.

Edit: Preview doesn't work for busy threads

[AntiVigilante]

Hmm, since Lulzsec is claiming he caused the market correction, maybe he stole the bitcoins with a trojan to sell in mtgox for dirt cheap.  Can someone track down if those bitcoins went into mtgox?

LulzSec only commented on it.

[bitstarter]

This story made it on Gawker! http://gawker.com/5811868/a-500000-geek-cyberheist   

 

[JusticeForYou]

Let me ask,

  Would you keep $25,000 dollars in your house?

  I am not judging one way or the other, but if 'someone' knows your computer has $25,000 on it, then you need to really protect that computer, not just from the internet and crackers. Don't let your wife/husband/kids near it. Keep it locked up in a safe, sort of speak.

 Curiously, not assuming you had bad passwords for online accounts, but was the one for the logon, 'simple'?

 Did you ever leave the room/home with it on? effectively leaving $25,000 on the desk?

 Might you have had a second computer with BitCoin client to transfer a large sum to as a sort of Savings, and then disconnect it from the internet?

 Of course now I presume, you have already thought of those questions.

If you care to discuss your, well, 'adventure', bring it to #bitcoin-court so others may learn.. and maybe provide advice.

Not that we are perfect, and we all make mistakes, the 'key' is to learn from them....

Best Regards,
The Bear

p.s. Hope your coins find their way home... but i guess they are there already, in the block chain, just have to get them back out.  

[Unthinkingbit]

There is something Mtgox could do to help prevent theft in future, and prevent the hacker from profiting from this theft.

In this case, and others where there is suspicious activity, there could be a trial date set on skype.  If the suspicious party does not appear for the trial, then the money in question is donated to charity.  For example the money could be split up and sent to each of the charities on this list:
https://en.bitcoin.it/wiki/Donation-accepting_organizations_and_projects

If the suspicious party does appear for the trial, then if their explanation of the transaction is good, the transaction goes through.  If the explanation is probably unbelievable, then the money in question is donated top charity in proportion to the unbelievability.  The judges for the trial could be drawn at random from developers and/or writers who have a public web site or blog.  If the amount in question is smaller than 1,000 USD, one judge would be sufficient, above that up to 10,000 USD three judges would be asked for, above that five judges would be asked for.

By removing the profit motive from theft, hackers would spend less effort to steal in the first place.  Since any money not sent to the suspicious party would be sent to charity, there would be no profit in false accusations.

[TraderTimm]

This story made it on Gawker! http://gawker.com/5811868/a-500000-geek-cyberheist   

 

Adrien Chen is a tool. Every story he's posted about bitcoin is only to cast it in a negative light. His writing style mimics that of a college freshman. You can practically see him giggling as he hammers out his prose.