Bitcoin Forum
Author Topic: Wallet Hack on 4/25  (Read 11210 times)
tvbcof
April 26, 2013, 01:50:45 AM
 #21

Quote
I don't buy it.  You just signed up for a bitcointalk.org account on 4/9/13, yet you have quite a lot more than 500 Bitcoins, and you've had a number of regular transactions since at least as far back as 9/14/12?  But on the forum, you're dabbling in microtrades of LTC and FC worth less than 1 BTC?

Nope, sorry.  You found a large recent transaction, then posted it as if it was yours.  You're looking for sympathy and free handouts.

Want to prove me wrong?  Sign a message with any one of the addresses from which your funds were supposedly stolen.

And that my friends is experience and good judgement.

Or an artifact of speed-reading.  I would not rule out the OP being a sock-puppet account (or just a fresh account.)  These are neither discouraged by the forum owner, nor would it be a bad idea to report a security issue.

It also may be the case that certain people are fairly involved with Bitcoin without having early (or any) involvement with this forum.  It's not unfair in my mind to classify this forum as something of a cesspool, and it is certainly a waste of time...particularly for those like myself who have limited self-control and much free time.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
silvereagle (OP)
April 26, 2013, 01:53:32 AM
 #22

Actually been on here for just about a year - just never had any reason or desire to post until recently.
Lgetty17
April 26, 2013, 07:26:15 AM
 #23

When you say "hot wallet" do you just mean one linked to the Internet? Online wallet? What are the limitations of an offline wallet?
zebedee
April 26, 2013, 08:42:38 AM
 #24

Quote
have the bitcoin-qt client (behind firewall and encrypted wallet), blockchain.info (pretty tough password) and also have the address on my phone using bitcoinspinner for android (could be weak link).

My phone was hacked the other day (posted in off-topic.)  I didn't investigate it in detail...just wiped the phone and moved on.  I would have a lot of trouble trusting the phone for anything at this point.  Certainly not a bitcoin client or access to any on-line wallet with more than a few dollars worth of value.  I now don't use it for e-mail on my main e-mail account.  Just set up a secondary e-mail for very limited data and use which is a drag (vs. being able to check my main e-mail from my phone.)  I guess I'll do the same with on-line wallets which should be easy enough.  I have a Windows machine but would prefer to not access any wallet with more than a few BTC from it as well so this will kill several birds with one stone.

Can you post a link?  I couldn't find a thread either in Offtopic or your history at a glance.

What phone?  What do you mean "hacked"?  Would like to know given I store up to about 10 BTC on my phone most of the time.
silvereagle (OP)
April 26, 2013, 10:31:15 AM
 #25

Quote
When you say "hot wallet" do you just mean one linked to the Internet? Online wallet? What are the limitations of an offline wallet?

By 'hot' I mean one connected to the network that can be used to send and receive.  'Cold' storage usually means setting up a key you can store things then printing out a paper wallet or something similar and not having the private key/wallet accessible by any means on your computer.
silvereagle (OP)
April 26, 2013, 01:18:37 PM
 #26

Looks like someone had a busy day yesterday.  Traced where some of my funds went and over 2500 BTC got dumped into this account all yesterday after being routed through a bunch of different places.

https://blockchain.info/address/16WcStW5Mef1KrmyC9pMBKzKdp5RFsFxjo
Eich
April 26, 2013, 02:22:36 PM
 #27

I love how you can watch your money being stolen from you LIVE and there's really nothing you can do. Hopefully, during one of those jumps, someone catches on to it and returns the funds like in the case of Ozcoin.

Innovation will solve these issues unless regulation decides to stifle creativity.
Meni Rosenfeld
April 26, 2013, 02:28:52 PM
 #28

I have a customer who is a victim of this particular theft.

Here are his answers to piuk's questions.

Quote
Do you have a bitcoin app on your android phone? No
Do you have a blockchain.info wallet holding the address in question? Yes
If you have a blockchain wallet do you use a public alias the same as your bitcointalk, bitcoin-otc or irc username? No
Do you have accounts on one of the following sites: BTC-e, bitcoin-central or mining.bitcoin.cz? No
Do you reuse the same wallet password on different websites (specifically the above sites)? No
Do you read the BTC-e chat box? No
Does your browser have Java enabled? http://isjavaenabled.com - I have JAVA but I manually choose each time whether to run it

He insists that he is keeping a secure environment and that neither his computer nor strong password were compromised.

Any leads on what could have caused this? Or who the thief is?

Will reimbursing affected users be considered?

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
der_troll
April 26, 2013, 02:36:21 PM
 #29

I was asked to run Java last time I logged in to Blockchain.info. Is this supposed to happen? Think I'll transfer my Bitcoins to a paperwallet to be on the safe side...
Remember remember the 5th of November
April 26, 2013, 02:42:05 PM
 #30

Quote
I was asked to run Java last time I logged in to Blockchain.info. Is this supposed to happen? Think I'll transfer my Bitcoins to a paperwallet to be on the safe side...

That shouldn't happen, you were infected by Java, most likely. But how did Java exploit end up on Blockchain.info?

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
der_troll
April 26, 2013, 02:46:15 PM
 #31

I didn't press "accept", so I hope I'm safe. But I can't log into Blockchain now without it popping up... Maybe I should uninstall Java.
Kaiji
April 26, 2013, 02:51:46 PM
 #32


It's too bad that stolen bitcoins cannot be redflagged so they can't be spent or sold on exchanges. If every bitcoin's previous chain of owners can be verified it shouldn't be too hard.
SgtSpike
April 26, 2013, 03:10:53 PM
 #33


Quote
It's too bad that stolen bitcoins cannot be redflagged so they can't be spent or sold on exchanges. If every bitcoin's previous chain of owners can be verified it shouldn't be too hard.

It wouldn't be hard, but part of Bitcoins being Bitcoins is that they are fungible.  We'd be in for a whole huge mess if people started attempting to determine whether coins were stolen.  What authority do you go by?  If one person says funds are stolen, and another person says they were legitimately acquired, who do you believe?  What if you do not have services available to check the stolen-ness of coins prior to accepting them?  Not to mention, a proper criminal could simply send the coins to a mixing service, and then the taint would be spread across many different people and addresses.

This has been discussed many times before, and always ends up that no one wants to uphold any kind of taint on Bitcoin coins.  It just wouldn't work, and would largely kill Bitcoin.
Kaiji
April 26, 2013, 04:19:54 PM
 #34


Quote
It's too bad that stolen bitcoins cannot be redflagged so they can't be spent or sold on exchanges. If every bitcoin's previous chain of owners can be verified it shouldn't be too hard.
It wouldn't be hard, but part of Bitcoins being Bitcoins is that they are fungible.  We'd be in for a whole huge mess if people started attempting to determine whether coins were stolen.  What authority do you go by?  If one person says funds are stolen, and another person says they were legitimately acquired, who do you believe?  What if you do not have services available to check the stolen-ness of coins prior to accepting them?  Not to mention, a proper criminal could simply send the coins to a mixing service, and then the taint would be spread across many different people and addresses.

This has been discussed many times before, and always ends up that no one wants to uphold any kind of taint on Bitcoin coins.  It just wouldn't work, and would largely kill Bitcoin.


I see your point. Trying to make bitcoin owners traceable would also have similar problems. The only way would be to be able to secure a wallet with something tougher to crack than a password. Same with emails, passwords are the weak link to their security.
bitcoinminer
April 26, 2013, 05:24:52 PM
 #35

For 0.78 BTC you just got a very inexpensive lesson in security.  Don't let those coins be spent for naught.

Be fearful when others are greedy, and greedy when others are fearful.

-Warren Buffett
demzie
April 26, 2013, 05:27:57 PM
 #36

hmmzzz armory?
Mike Hearn
April 26, 2013, 05:34:45 PM
 #37

I am not convinced this has anything to do with Android. I've seen some chatter about brute-forcing attacks against blockchain.info wallets. Is it possible some older wallets have passwords that aren't strong enough? The b.i KDF is SHA1 repeated only a handful of times, iirc, because JavaScript is slow.
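Why the iteration count raised in the post above matters to anyone protecting a password-encrypted wallet: the sketch below (an added example, not part of the thread and not blockchain.info's code) measures what one password guess costs under a low-round hash loop versus a high-round PBKDF2, and converts the ratio into extra bits of effective password strength. The 10-round SHA-1 loop, the 200,000-round setting and all function names are constructed assumptions standing in for "a handful of times".

```python
import hashlib
import math
import os
import time

def iterated_sha1(password: str, salt: bytes, rounds: int) -> bytes:
    """Constructed stand-in for a low-cost KDF: SHA-1 fed back into itself."""
    out = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        out = hashlib.sha1(out).digest()
    return out

def pbkdf2_sha256(password: str, salt: bytes, rounds: int) -> bytes:
    """Standard PBKDF2-HMAC-SHA256 from the Python standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)

def seconds_per_guess(kdf, rounds: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of deriving one key, i.e. of testing one guess."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        kdf("constructed sample passphrase", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best

def stretch_bits(cheap: float, costly: float) -> float:
    """Extra bits of effective password strength bought by the costlier KDF."""
    return math.log2(costly / cheap)

def compare(weak_rounds: int = 10, strong_rounds: int = 200_000) -> dict:
    """Measure both settings on this machine and report the gap."""
    weak = seconds_per_guess(iterated_sha1, weak_rounds)
    strong = seconds_per_guess(pbkdf2_sha256, strong_rounds)
    return {"weak_s": weak, "strong_s": strong,
            "extra_bits": stretch_bits(weak, strong)}

if __name__ == "__main__":
    result = compare()
    print(f"low-round loop : {result['weak_s']:.2e} s per guess")
    print(f"PBKDF2 200k    : {result['strong_s']:.2e} s per guess")
    print(f"stretching adds about {result['extra_bits']:.1f} bits of strength")
```

The absolute timings depend on the machine; the ratio is the point, since a cheap derivation leaves the password's own entropy as the only defence for an encrypted wallet file.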
organofcorti
April 26, 2013, 05:35:43 PM
 #38

Quote
[...]
    Does your browser have Java enabled? http://isjavaenabled.com  -- Tough call on this one.  I've been running noscript for a week or so on Firefox on a fresh install, so should be protected there, but have had that address for a while and know I was on btc-e prior to installing noscript, so all depends when person would have gotten my privkey.


Are you confusing Java for Javascript? Or does noscript disable Java now too?

Bitcoin network and pool analysis 12QxPHEuxDrs7mCyGSx1iVSozTwtquDB3r
follow @oocBlog for new post notifications
Mylon
April 26, 2013, 06:33:53 PM
 #39

Quote
[...]
    Does your browser have Java enabled? http://isjavaenabled.com  -- Tough call on this one.  I've been running noscript for a week or so on Firefox on a fresh install, so should be protected there, but have had that address for a while and know I was on btc-e prior to installing noscript, so all depends when person would have gotten my privkey.


Are you confusing Java for Javascript? Or does noscript disable Java now too?

noscript, if properly used disables all javascript and all other functionality other than plain html. Has been that way since I've been using it... which is for a couple years now.

"All Your Base Are Belong To Us" by CATS
Anenome5
April 26, 2013, 07:09:04 PM
 #40

Quote
...Sign a message with any one of the addresses from which your funds were supposedly stolen.

How does one even do that?

Democracy is the original 51% attack.