Bitcoin Forum
Author Topic: My wallet was just hacked  (Read 2335 times)

LizardBitCoin (Newbie)
June 18, 2013, 02:44:07 AM  #21

I wish I was more knowledgeable, but at this point I'm afraid I can't offer you any advice.  It looks like you're SOL.  

I'd recommend trying to recover any of your other wallets using a clean system.  I wouldn't restore from your backup.  Perhaps you could use a clean USB thumb drive and a Linux boot disk if you don't have a spare machine.  

In the future I'd only do btc work with a machine purely dedicated to BTC and nothing else.  Also for any sites you use I would recommend against using passwords you've used elsewhere.  Sorry you got burned.

cp1 (Hero Member)
June 18, 2013, 02:52:02 AM  #22

It does seem unlikely that you were hacked on a Mac, but I can't explain it.  If you get more coins you might try an offline storage solution:  https://bitcointalk.org/index.php?topic=235584.0

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0

yuansuyi (Member)
June 18, 2013, 02:54:55 AM  #23

Your Mac must be infected by a virus.

yuansuyi (Member)
June 18, 2013, 02:56:21 AM  #24

And you should not use the old wallet any more.

cp1 (Hero Member)
June 18, 2013, 03:07:09 AM  #25

Quote:
OK, Macs don't really get malware unless specifically targeted for it. Macs are also very secure, and I really doubt you were hacked.

So, question: you locked your wallet, and then when you unlocked it, it crashed. That means two things: one, that your wallet was never unlocked, which is the theory I am going with. I do think once you restored from a backup you should click new address and see if that address pops up. It also doesn't contain any fee, so did you change your tx fee? I think this is just a freak thing and you have the address sitting in your wallet. Unless you ran any Java applications from the web; that is the only other way.

Also use -rescan, that will help a lot as well.

The problem is that the 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx address his coins were sent to already had 6.2 BTC from May 23.  The OP said he only had 3 BTC to his name, so unless he forgot about an additional 6 BTC he purchased earlier then it doesn't look good for him.


Random8 (OP) (Newbie)
June 18, 2013, 03:14:09 AM  #26

I'm pretty sure that somebody else got my BTC, and that they are not lurking in my wallet.  Here are some suspicious-looking lines from the wallet's debug.log file. Note the 1HeAK... address in the log, also the c60852... transaction address. For reference, here's how the wallet shows the transaction details:
=============================
Date: 6/17/13 19:42
    To: 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx
    Debit: -3.17115309 BTC
    Net amount: -3.17115309 BTC
    Transaction ID: c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2
=============================

debug.log excerpt:
NotifyKeyStoreStatusChanged
SelectCoins() best subset: 1.36 1.04 0.23 0.19 0.19 0.09 0.01017547 0.01000882 0.01 0.01 0.01 0.01 0.01 0.000168 0.0000752 0.0000736 0.00007 0.0000576 0.0000576 0.0000496 0.0000496 0.00004 0.00004 0.00004 0.00004 0.00004 0.0000272 0.0000256 0.0000256 0.0000216 0.00002 0.0000176 0.0000104 0.0000096 0.000006 0.000004 total 3.17115309
CommitTransaction:
CTransaction(hash=c60852ef78, ver=1, vin.size=36, vout.size=1, nLockTime=0)
    CTxIn(COutPoint(b9e681b76b, 552), scriptSig=30450220563e080d95a17264)
    CTxIn(COutPoint(1dd8186b9b, 36), scriptSig=3045022058f6a23cb1df5e93)
... (similar lines omitted)
    CTxIn(COutPoint(327470ddcf, 813), scriptSig=3046022100d8f12b8c7f8f2b)
    CTxOut(nValue=3.17115309, scriptPubKey=OP_DUP OP_HASH160 b6892d5dd8bd)
AddToWallet c60852ef78  new
WalletUpdateSpent found spent coin 0.000004bc b9e681b76b4e0a1f015b9b8e1dee7da504be83bd8214231eb3dc4ad3d769dae3
NotifyTransactionChanged b9e681b76b4e0a1f015b9b8e1dee7da504be83bd8214231eb3dc4ad3d769dae3 status=1
WalletUpdateSpent found spent coin 0.01017547bc c224e8734f10f85a502605eeff4525b6fb0648cfd9cd0b5842a40b3841de6854
NotifyTransactionChanged c224e8734f10f85a502605eeff4525b6fb0648cfd9cd0b5842a40b3841de6854 status=1
... (similar lines omitted)
WalletUpdateSpent found spent coin 0.00004bc 327470ddcf344fc9124fbc2158e4227c4c963d07353e66923eeea6c660c43ed9
NotifyTransactionChanged 327470ddcf344fc9124fbc2158e4227c4c963d07353e66923eeea6c660c43ed9 status=1
NotifyTransactionChanged c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2 status=0
... (similar lines omitted)
AddToWallet c60852ef78 
NotifyTransactionChanged c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2 status=1
CTxMemPool::accept() : accepted c60852ef78 (poolsz 760)
Relaying wtx c60852ef78
NotifyAddressBookChanged 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx  isMine=0 status=0
=========================
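The excerpt above already carries the forensic signal: one CommitTransaction that consumes 36 inputs, emits a single output equal to the entire selected total (no change output, zero fee), and then books the destination with isMine=0. That last line is also consistent with a send issued through the Qt send dialog, which in the 0.8 client updates the address book after committing the transaction. The following Python script is an added example, not code from the thread or from Bitcoin-Qt: it parses the 0.8-era debug.log lines reproduced from the post (with the "... (similar lines omitted)" parts left out) and flags sweep-shaped transactions. The regular expressions match the log format shown here; that they fit other client versions is an assumption.

```python
import re
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional

# Lines reproduced from the debug.log excerpt in post #26 above; the
# "... (similar lines omitted)" parts of the original are simply left out.
SAMPLE_LOG = """\
NotifyKeyStoreStatusChanged
SelectCoins() best subset: 1.36 1.04 0.23 0.19 0.19 0.09 0.01017547 0.01000882 0.01 0.01 0.01 0.01 0.01 0.000168 0.0000752 0.0000736 0.00007 0.0000576 0.0000576 0.0000496 0.0000496 0.00004 0.00004 0.00004 0.00004 0.00004 0.0000272 0.0000256 0.0000256 0.0000216 0.00002 0.0000176 0.0000104 0.0000096 0.000006 0.000004 total 3.17115309
CommitTransaction:
CTransaction(hash=c60852ef78, ver=1, vin.size=36, vout.size=1, nLockTime=0)
    CTxIn(COutPoint(b9e681b76b, 552), scriptSig=30450220563e080d95a17264)
    CTxIn(COutPoint(1dd8186b9b, 36), scriptSig=3045022058f6a23cb1df5e93)
    CTxIn(COutPoint(327470ddcf, 813), scriptSig=3046022100d8f12b8c7f8f2b)
    CTxOut(nValue=3.17115309, scriptPubKey=OP_DUP OP_HASH160 b6892d5dd8bd)
AddToWallet c60852ef78  new
CTxMemPool::accept() : accepted c60852ef78 (poolsz 760)
Relaying wtx c60852ef78
NotifyAddressBookChanged 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx  isMine=0 status=0
"""

# Patterns for the 0.8-era log lines shown in the post (assumption: other
# client versions format these lines differently).
SELECT_RE = re.compile(r"SelectCoins\(\) best subset: .* total ([\d.]+)")
TX_RE = re.compile(r"CTransaction\(hash=(\w+), ver=\d+, vin\.size=(\d+), vout\.size=(\d+)")
OUT_RE = re.compile(r"CTxOut\(nValue=([\d.]+), scriptPubKey=(.*)\)")
ADDR_RE = re.compile(r"NotifyAddressBookChanged (\S+)\s+isMine=(\d)")


@dataclass
class CommittedTx:
    txid: str
    vin: int
    vout: int
    selected_total: Optional[Decimal]          # from the preceding SelectCoins line
    outputs: List[Decimal] = field(default_factory=list)
    foreign_addresses: List[str] = field(default_factory=list)  # isMine=0 entries


def parse_commits(log_text: str) -> List[CommittedTx]:
    """Collect every CommitTransaction block together with the coin selection that fed it."""
    txs: List[CommittedTx] = []
    cur: Optional[CommittedTx] = None
    pending_total: Optional[Decimal] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SELECT_RE.match(line)
        if m:
            pending_total = Decimal(m.group(1))
            continue
        m = TX_RE.match(line)
        if m:
            cur = CommittedTx(m.group(1), int(m.group(2)), int(m.group(3)), pending_total)
            pending_total = None
            txs.append(cur)
            continue
        if cur is None:
            continue
        m = OUT_RE.match(line)
        if m:
            cur.outputs.append(Decimal(m.group(1)))
            continue
        m = ADDR_RE.match(line)
        if m and m.group(2) == "0":
            cur.foreign_addresses.append(m.group(1))
    return txs


def sweep_indicators(tx: CommittedTx) -> List[str]:
    """Reasons a committed transaction looks like a wallet sweep rather than a normal spend."""
    reasons = []
    if tx.vout == 1:
        reasons.append("single output: no change comes back to the wallet")
    if tx.selected_total is not None and sum(tx.outputs, Decimal(0)) == tx.selected_total:
        reasons.append("output equals the whole selected input set: zero fee, nothing kept")
    if tx.vin >= 20:
        reasons.append(f"{tx.vin} inputs consumed at once")
    if tx.foreign_addresses:
        reasons.append("destination booked with isMine=0: " + ", ".join(tx.foreign_addresses))
    return reasons


def find_sweeps(log_text: str, min_indicators: int = 3):
    """Return (txid, reasons) for every commit that trips at least min_indicators checks."""
    hits = []
    for tx in parse_commits(log_text):
        reasons = sweep_indicators(tx)
        if len(reasons) >= min_indicators:
            hits.append((tx.txid, reasons))
    return hits


if __name__ == "__main__":
    for txid, reasons in find_sweeps(SAMPLE_LOG):
        print(txid)
        for r in reasons:
            print("  -", r)
```

Point it at the full debug.log from the data directory instead of SAMPLE_LOG to list every commit the client ever made and the ones that look like sweeps; an ordinary spend normally has two outputs (payment plus change) and a non-zero fee, so it trips at most one of the four checks.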

xiedidan (Newbie)
June 18, 2013, 03:14:59 AM  #27

Quote from: cp1 on June 18, 2013, 03:07:09 AM
Quote:
OK, Macs don't really get malware unless specifically targeted for it. Macs are also very secure, and I really doubt you were hacked.

So, question: you locked your wallet, and then when you unlocked it, it crashed. That means two things: one, that your wallet was never unlocked, which is the theory I am going with. I do think once you restored from a backup you should click new address and see if that address pops up. It also doesn't contain any fee, so did you change your tx fee? I think this is just a freak thing and you have the address sitting in your wallet. Unless you ran any Java applications from the web; that is the only other way.

Also use -rescan, that will help a lot as well.

The problem is that the 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx address his coins were sent to already had 6.2 BTC from May 23.  The OP said he only had 3 BTC to his name, so unless he forgot about an additional 6 BTC he purchased earlier then it doesn't look good for him.

Is there any virus scanner on Mac?

cp1 (Hero Member)
June 18, 2013, 03:15:49 AM  #28

Where did you download the wallet client from?


BurtW (Legendary)
June 18, 2013, 03:23:08 AM  #29

Quote from: cp1
Where did you download the wallet client from?

Yes, which client are you using?  That might help.

Is 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx in your address book? 

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!

Random8 (OP) (Newbie)
June 18, 2013, 03:24:52 AM  #30

Quote from: cp1
Where did you download the wallet client from?

Sorry, I don't remember. I do recall that it wasn't easy to find one for Mac OS X. I did not build it on my machine, but downloaded a binary. It's Bitcoin-Qt version v0.8.1-beta.

What could possibly go wrong when you download a binary from an untrusted source and run it on your computer?

Random8

JordanL (Donator, Sr. Member)
June 18, 2013, 03:31:31 AM  #31

Quote from: cp1
Where did you download the wallet client from?

ahhhh very good question.

Random8 (OP) (Newbie)
June 18, 2013, 03:31:48 AM  #32

Quote from: BurtW
Where did you download the wallet client from?
Yes, which client are you using?  That might help.

Is 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx in your address book? 

Bitcoin-Qt version v0.8.1-beta.

It looks like the address book is stored in the wallet.dat file. Since my current wallet.dat file is one that was restored from before the theft, it doesn't show that address. I saved a copy of the hacked wallet.dat file before I did the restore, but it's corrupted, so the wallet client can't read it. I can't see any addresses in the corrupted file when I use the UNIX 'strings' tool on it, even though I see some of my legitimate addresses when I do 'strings' on the current, good wallet.dat file.

Random8
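Running strings over wallet.dat only ever turns up the address-book entries, which the client stores as text (the "name" records); keys and transactions are stored as raw bytes, so seeing no addresses in a file does not mean it holds no keys. The Python scanner below is an added example, not from the thread or from Bitcoin-Qt: it pulls every base58-looking run out of a binary blob and keeps only the ones whose Base58Check checksum verifies, which is what separates a real 1... address from random bytes that happen to fall in the base58 alphabet. The sample blob and the 20-byte hash160 it embeds are constructed here for illustration and have nothing to do with the OP's wallet.

```python
import hashlib
import re
from typing import List, Tuple

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 encode; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(ALPHABET[r])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (ALPHABET[:1] * pad + digits[::-1]).decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        n = n * 58 + ALPHABET.index(ch)      # ValueError on a non-base58 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def address_from_hash160(h160: bytes, version: bytes = b"\x00") -> str:
    """Base58Check: version || hash160 || first 4 bytes of double-SHA256."""
    payload = version + h160
    return b58encode(payload + checksum(payload))


def is_valid_address(text: str) -> bool:
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


# A run of base58 characters long enough to be a P2PKH (1...) or P2SH (3...) address.
CANDIDATE_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def scan_blob(blob: bytes) -> Tuple[List[str], List[str]]:
    """Split base58 runs in a binary blob into checksum-valid addresses and rejects."""
    valid, rejected = [], []
    for m in CANDIDATE_RE.finditer(blob):
        run = m.group().decode()
        # The run can be longer than the address (neighbouring base58 bytes),
        # so try every plausible length, longest first; a 32-bit checksum
        # match on random bytes is improbable enough to trust.
        hit = next((run[:n] for n in range(len(run), 25, -1) if is_valid_address(run[:n])), None)
        if hit:
            valid.append(hit)
        else:
            rejected.append(run)
    return valid, rejected


def build_sample_blob() -> Tuple[bytes, str]:
    """Constructed stand-in for a wallet.dat fragment: one good address, one corrupted copy."""
    good = address_from_hash160(bytes(range(1, 21)))   # constructed hash160, not a real key
    bad = good[:-1] + ("2" if good[-1] == "1" else "1")  # one wrong character breaks the checksum
    blob = (b"\x04name\x00" + good.encode() + b"\x00\xff\x13\x80"
            + bad.encode() + b"\x00\x7f\x00\x00")
    return blob, good


if __name__ == "__main__":
    blob, expected = build_sample_blob()
    ok, junk = scan_blob(blob)
    print("valid:", ok, "rejected:", junk, "expected:", expected)
```

To use it on a real file, pass open("wallet.dat", "rb").read() to scan_blob; it works on a corrupted file just as well as on a healthy one, since it never opens the Berkeley DB structure, only the bytes. Feeding the 1HeAK... address from post #26 to is_valid_address is a quick way to confirm the string was copied out of the log intact.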

BurtW (Legendary)
June 18, 2013, 03:32:36 AM  #33
Last edit: June 18, 2013, 04:41:13 AM by BurtW

I have a theory related to your 0.01 remaining.  I assume they got a copy of your balance between 2013-05-28 and 2013-06-03, that would explain why they were off by 0.01 when they issued the transaction.

Perhaps you can think back to what you did between these dates.  Specifically anything that may have led to anyone getting a copy of your encrypted wallet.dat file.  Any downloads?  Any strange behaviour?  Visit a public WiFi?  Visit any suspect sites, etc. between those specific days?  Did you back up your wallet.dat (encrypted) to any suspect sites?


BurtW (Legendary)
June 18, 2013, 03:35:49 AM  #34

Please retrace the exact steps you did to find the Mac version of the client you downloaded (searches, sites visited etc.) and let us know if you can find the place you downloaded from again.


Random8 (OP) (Newbie)
June 18, 2013, 03:39:52 AM  #35

I can't think of anything that could have led to a copy of my wallet.dat file getting out. The iMac that I'm using never leaves my desktop, my WiFi is secured with decent security, and the wallet.dat only gets backed up to my Time Capsule.

I really appreciate the comments and suggestions by the more experienced members. I'm not going to be putting any more BTC in this wallet. I'm going to be much more security-conscious when I set up the next wallet.

One of the ways that I believe someone could have hacked it is by connecting to my wallet client via a socket. I ran a little Perl server that listens on port 8333, but nobody connected to it. Unfortunately, that was after I closed down all incoming ports on my router firewall (I had only ssh, http, and minecraft ports open, and they were not directed to my Mac), so that's not conclusive.

Random8

cp1 (Hero Member)
June 18, 2013, 03:45:15 AM  #36

In Firefox I can right click on my downloads and go to the page I downloaded it from -- does Safari (or whatever you used) have something like that? 


Random8 (OP) (Newbie)
June 18, 2013, 03:49:38 AM  #37

Quote from: BurtW
Please retrace the exact steps you did to find the Mac version of the client you downloaded (searches, sites visited etc.) and let us know if you can find the place you downloaded from again.

I'll try, using my browser history, but it's going to be a long slog.

Random8

Random8 (OP) (Newbie)
June 18, 2013, 03:51:45 AM  #38

Quote from: cp1
In Firefox I can right click on my downloads and go to the page I downloaded it from -- does Safari (or whatever you used) have something like that? 

I'm using Chrome, but unfortunately, I deleted the download file once I installed the wallet app.

Random8

weniejoy (Newbie)
June 18, 2013, 04:15:39 AM  #39

Would be great if you could do a virus scan and find out the virus signature.

BurtW (Legendary)
June 18, 2013, 04:26:49 AM  #40
Last edit: June 18, 2013, 04:42:24 AM by BurtW

Quote from: weniejoy
Would be great if you could do a virus scan and find out the virus signature.

I doubt it is a virus. I have yet to see a wallet-stealing trojan or virus for Mac. It was probably some Java application he got from the web and it stole his wallet file.
Once they got his wallet.dat they also had to set some kind of trap to get his password.  I believe they got the wallet.dat between 2013-05-28 and 2013-06-03 but were only able to get his password at 2013-06-18 00:35:46.

This is based on the fact they totally cleaned out the previous victim but left 0.01 in this wallet.


Good news of sorts: only two victims so far.

They also left exactly 0.01 for the previous victim here:

https://blockchain.info/address/1FoNFsB6xgWnY1xFqAdZbteKhvW1HVGA5G

and it is still there.  The previous victim may not even know the BTC are missing yet (?)
