Bitcoin Forum
Topic: Transaction to wrong wallet 18btc (possible clipboard hack)
patinencomun
November 12, 2017, 08:26:42 AM
 #1

Hi,
I don't know how this occurred. I tried to send 18 BTC to my Jaxx wallet 15zZH9CGk1ygVitNq4RTvSDkZM3sqJjGKw from my Electrum wallet 1GFj8brzMK2UqA5xd4tyQ4mXUSapaF5pnk and the result is this:

https://www.blocktrail.com/BTC/tx/9965e400ded39a03e5389a3de82145da0e1aeac111893c9ada65403dfa232e9f

This does not seem to be my Jaxx wallet: https://blockchain.info/address/1ESzuTV3cLcGg83ftWunucxppSrkH65Dem

Did someone hack me and replace the address?

What's going on?

Any help would be appreciated.
ranochigo
November 12, 2017, 08:35:11 AM
 #2

You might have a clipboard virus that automatically replaces the address on your clipboard with another that is owned by the attacker. Did you check the address before initiating the transaction? The inputs don't seem to be coming from your Electrum address though.

At any rate, it has opt-in RBF enabled. So as soon as possible, you have to make an RBF transaction to reverse it.

patinencomun
November 12, 2017, 08:36:23 AM
 #3

> You might have a clipboard virus that automatically replaces the address on your clipboard with another that is owned by the attacker. Did you check the address before initiating the transaction? The inputs don't seem to be coming from your Electrum address though.
>
> At any rate, it has opt-in RBF enabled. So as soon as possible, you have to make an RBF transaction to reverse it.

How can I make an RBF to reverse it?
patinencomun
November 12, 2017, 08:41:19 AM
 #4

The only thing I can do with Electrum is right-click, Increase fee
Thekool1s
November 12, 2017, 08:43:10 AM
 #5

> Hi,
> I don't know how this occurred. I tried to send 18 BTC to my Jaxx wallet 15zZH9CGk1ygVitNq4RTvSDkZM3sqJjGKw from my Electrum wallet 1GFj8brzMK2UqA5xd4tyQ4mXUSapaF5pnk and the result is this:
>
> https://www.blocktrail.com/BTC/tx/9965e400ded39a03e5389a3de82145da0e1aeac111893c9ada65403dfa232e9f
>
> This does not seem to be my Jaxx wallet: https://blockchain.info/address/1ESzuTV3cLcGg83ftWunucxppSrkH65Dem
>
> Did someone hack me and replace the address?
>
> What's going on?
>
> Any help would be appreciated.

You have a clipboard virus. Do a quick RBF from another machine; that's your only chance to recover your funds. Here is a guide to do that: https://freedomnode.com/blog/75/how-to-fix-slow-bitcoin-transactions-with-replace-by-fee

> The only thing I can do with Electrum is right-click, Increase fee

Yes, do that and send back to your address, but do that from a new machine.

patinencomun
November 12, 2017, 09:16:55 AM
 #6

Ok,

1) I backup wallet (unencrypted one) and stop Electrum.
2) Disconnect from internet, edit wallet json, delete "bad" transaction everywhere
3) Open wallet and send a new transaction:

 https://www.blocktrail.com/BTC/tx/a8fc35965d1fcda81948da0f1f744b91e57123aed5204e355f37491f6c7e67d9

Seems all normal, but still unconfirmed....
patinencomun
November 12, 2017, 09:29:50 AM
 #7

Should I do again with higher fee or just wait?
buwaytress
November 12, 2017, 10:21:02 AM
 #8

> Should I do again with higher fee or just wait?

Looks like you did it successfully. The fee's very safe even if the network gets even more bloated to a certain point. You've still got a 200 satoshi fee cushion above 1k per byte. It's now just a matter of waiting, keep pushing the tx... and stop broadcasting the first one. Just to be sure, I sent it for acceleration, don't know if the miner will discriminate between RBFs or see it as double spends. Guess we'll find out.

patinencomun
November 12, 2017, 11:32:26 AM
 #9

1 confirmation... https://www.blocktrail.com/BTC/tx/a8fc35965d1fcda81948da0f1f744b91e57123aed5204e355f37491f6c7e67d9
Ok, bitcoins are safe (for now)

Now the question is where did the address 1ESzuTV3cLcGg83ftWunucxppSrkH65Dem come from?
hugeblack
November 12, 2017, 11:51:08 AM
 #10

Many of the clipboard virus stories happening these days come from new sites that give free BCH, BTG and other unknown altcoins.

Some of them need a download and others work with one URL only.

Check now: copy an address and paste it. If the address changes, you must clean your PC and update your antivirus.

About your transaction: sorry for your loss, but the network is so busy now, so just try to reduce the fee of the transaction and make it unconfirmed.

Spendulus
November 12, 2017, 01:26:59 PM
 #11

> 1 confirmation... https://www.blocktrail.com/BTC/tx/a8fc35965d1fcda81948da0f1f744b91e57123aed5204e355f37491f6c7e67d9
> Ok, bitcoins are safe (for now)
>
> Now the question is where did the address 1ESzuTV3cLcGg83ftWunucxppSrkH65Dem come from?

May seem crazy, it would be interesting to try another transaction, to see if it also is hijacked. Of course, a small one. (I would play with this in a virtual machine. But a real machine with a possible infection, that's a very different matter. The machine and contents need to be isolated.)

Can you verify the presence or absence of a virus on your computer at this point? Remember that not uncommonly, a virus will be deleted and it will "re-emerge" after a power off power on cycle or some other system event.

Another possibility is wallet software that has been rewritten.

Regardless, one must take the point of view that that computer, and its contents, are unsafe for financial transactions.
AT101ET
November 12, 2017, 05:23:54 PM
 #12

> > 1 confirmation... https://www.blocktrail.com/BTC/tx/a8fc35965d1fcda81948da0f1f744b91e57123aed5204e355f37491f6c7e67d9
> > Ok, bitcoins are safe (for now)
> >
> > Now the question is where did the address 1ESzuTV3cLcGg83ftWunucxppSrkH65Dem come from?
>
> May seem crazy, it would be interesting to try another transaction, to see if it also is hijacked. Of course, a small one. (I would play with this in a virtual machine. But a real machine with a possible infection, that's a very different matter. The machine and contents need to be isolated.)
>
> Can you verify the presence or absence of a virus on your computer at this point? Remember that not uncommonly, a virus will be deleted and it will "re-emerge" after a power off power on cycle or some other system event.
>
> Another possibility is wallet software that has been rewritten.
>
> Regardless, one must take the point of view that that computer, and its contents, are unsafe for financial transactions.

Technically you wouldn't even need to confirm/send the transaction but just try copying and pasting the clipboard address into the recipient address field. If it changes again then clean up your PC ASAP.
In the future always check the first and last few characters in the address field to make sure. Luckily you managed to save yourself this time :)
patinencomun
November 12, 2017, 06:03:40 PM
 #13

Possibilities:

- Copied and pasted address from Internet myself viewing bitcoingold coins...
- Clipboard hack, or any other hack. (Tried to reproduce the bug but it works normally, no address change showing)
- Jaxx bug hack, it showed me some errors that I had ignored and re-installed

Sorry but I "cleaned and changed" everything.
I am sooooo lucky that today transactions go very slow, thank you to everybody.
ABitBack
November 12, 2017, 09:08:01 PM
 #14

This is brilliant, I'm so happy for you! That hacker must have been so excited :D

Spendulus
November 12, 2017, 09:42:55 PM
 #15

> Possibilities:
>
> - Copied and pasted address from Internet myself viewing bitcoingold coins...
> - Clipboard hack, or any other hack. (Tried to reproduce the bug but it works normally, no address change showing)
> - Jaxx bug hack, it showed me some errors that I had ignored and re-installed
>
> Sorry but I "cleaned and changed" everything.
> I am sooooo lucky that today transactions go very slow, thank you to everybody.

lol man you won on that one, for sure.

One thing I will mention in closing. Always get the wallet software from original source, such as GitHub. Always verify with the file signature.

If it is suspected to be a virus, check all your flash drives and removable media for infection.
LoyceV
November 13, 2017, 08:14:44 PM
 #16

> In the future always check the first and last few characters in the address field to make sure. Luckily you managed to save yourself this time :)

I wouldn't rely on this: a smart virus would pick up a vanity address from a server, so that the first and last few characters are the same. Also check a few in the middle, or even better: don't trust Windows with money.

> I am sooooo lucky that today transactions go very slow, thank you to everybody.

I was thinking exactly this, saved by high fees! I'm surprised your post starting this thread is so calm. Well done!

slate_main
November 13, 2017, 09:07:21 PM
 #17

Time to clear that machine from where the first transaction was sent, always a rule to check the sent-to address a few times visually! Mostly where the coins are sent, it is a one way street. There are more and more of these attacks, from phishing, fake mining software, web page malware, even remote viewing and control. Only visit sites you use a lot and be wary of third party 'free' services and even random cryptocurrency wallets, there are hidden attacks everywhere.

jackg
November 13, 2017, 10:43:18 PM
 #18

> > In the future always check the first and last few characters in the address field to make sure. Luckily you managed to save yourself this time :)
>
> I wouldn't rely on this: a smart virus would pick up a vanity address from a server, so that the first and last few characters are the same. Also check a few in the middle, or even better: don't trust Windows with money.

Windows is fine providing you can trust yourself on it. If not, demote your user account so you're not always an admin on it which will cut a few of the problems (though not all).

And I check the characters of addresses before sending them, it gets better when you send to the same addresses each time as you can remember patterns between them. General rule of thumb for testing copies of new addresses - check the first FIVE and last FIVE characters, it's very difficult for something to be able to produce a vanity address like that in a fast enough amount of time.
Also ensure you double check what you are signing before it is broadcast to check the address doesn't change between that point.
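
The address checks discussed in this thread (compare the pasted address with the intended one; a first/last-characters check alone can be satisfied by a vanity address), as an added example that is not part of any post: a Python check that validates the Base58Check checksum of a legacy address and then compares every character. The function names and the `edge` parameter are assumptions of this sketch, and it does not handle bech32 addresses.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return False                      # character outside the Base58 alphabet
        n = n * 58 + i
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:                         # version byte + 20-byte hash + checksum
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def compare(intended, pasted, edge=5):
    """Classify a pasted address against the one the user meant to send to."""
    if pasted == intended:
        return "match"
    if pasted[:edge] == intended[:edge] and pasted[-edge:] == intended[-edge:]:
        return "lookalike"                    # would pass a first/last-N visual check
    return "replaced"

def check_paste(intended, pasted, edge=5):
    """Full check: reject malformed input, then compare every character."""
    intended, pasted = intended.strip(), pasted.strip()
    if not base58check_ok(pasted):
        return "invalid"
    return compare(intended, pasted, edge)

if __name__ == "__main__":
    # Addresses from the thread: the intended Jaxx address vs. the one that was paid.
    print(check_paste("15zZH9CGk1ygVitNq4RTvSDkZM3sqJjGKw",
                      "1ESzuTV3cLcGg83ftWunucxppSrkH65Dem"))
    # Constructed strings (not real addresses): same first/last 5, different middle.
    print(compare("1AbcdXXXXXXXXXXXXXXXXXXXXXXXXvwxyz",
                  "1AbcdYYYYYYYYYYYYYYYYYYYYYYYYvwxyz"))
```

Anything other than "match" means the transaction should not be signed from that machine.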
