Bitcoin Forum
December 13, 2024, 01:00:36 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Stolen coin report - 5 BTC wiped from blockchain.info MyWallet  (Read 2295 times)
asoltys (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 0


View Profile
April 09, 2013, 06:25:28 AM
 #1

I setup a wallet for a friend of mine at blockchain.info several months back and it's just recently been emptied of 5 BTC: https://blockchain.info/address/1BCBgPjdZsheEq6mtfBTDQx3rX3seY2ioC.  Strangely there was 0.31594303 left in tact which I've just moved to an address under my control.  The unauthorized transaction was https://blockchain.info/tx/d37bfd5a31e3535c0be745d8c94aca7603f8afa9c5264204a0ab142dc56424d9

I checked her "archived addresses" and although there are some in there, the offending address 1JR4byfx89UCn6dyVzfvtoD37iDdneJGS4, is not.

She changed the main password on the account after I set it up for her and said she had a secondary password on the account although now that she's given me the new password I'm logged in and there doesn't seem to be a secondary one set.  Blockchain's logging feature was disabled.  I checked with her and she wasn't using the mobile app, just logging in from her laptop and her work PC.  She said she had been logging in to the account every few days to "check the wallet".  Unfortunately I guess she didn't know that you could check the address balance without logging in.  I feel bad because this started out as an account for me to pay her back $10 for lunch when bitcoins were $5 so we never bothered with cold storage.  She bought 3.35 BTC off me for $150 last month as an investment.  There are also some minor transactions to the address that I sent while doing some testing.

The original password I set on the account was foxconn123 (an inside joke) and she had it changed to foxconn321 when it was hacked -- so not particularly strong.  I presume she had backups emailed to her but am not sure.  Since she didn't use a new address after changing the main password a compromised backup file could have been encrypted with either the original or new password I suppose.  Possibly bruteforced?  Or do you think she might have a keylogger installed on one of her machines?  Any other thoughts or suggestions?  She said she had had trouble logging in to the site the other night and got a spinner icon and a message saying something along the lines of "changing wallet identifier".  I know blockchain.info was having some server issues yesterday but not sure how that could relate to these coins going missing.

Thanks for reading,
Adam
Twerka
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
April 09, 2013, 06:27:34 AM
 #2

keylogged using sme public PC? That's my guess.

The worst enemy of Bitcoin is Mt.Gox exchange.
demzie
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250



View Profile
April 10, 2013, 02:29:11 PM
 #3

foxconn123 and foxconn321 as passwords? WTF! And you leave the key in the door when you leave the house?

No serious, use their double auth method at least.
And passwords like these: GbSKj#gFzUv3eJ3Ad!kR6hwYC6Ub$cGCzDW

Hehehe
greyhawk
Hero Member
*****
Offline Offline

Activity: 952
Merit: 1009


View Profile
April 10, 2013, 02:49:52 PM
 #4

foxconn123 (an inside joke)

Ohey, maybe you can change it to "swordfish". No one will ever guess that.
zebedee
Donator
Hero Member
*
Offline Offline

Activity: 668
Merit: 500



View Profile
April 17, 2013, 10:49:51 PM
 #5

Anything in common with this?

https://bitcointalk.org/index.php?topic=173149.msg1869132#msg1869132
Wardrick
Legendary
*
Offline Offline

Activity: 1022
Merit: 1000


View Profile
April 18, 2013, 01:14:13 PM
 #6

If she hasn't done a complete virus scan and/or reformatted her computer, I would do that before you create any other passwords or accounts. If you can virus scan the public computer too to see if there's any sign of a virus/keylogger.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!