Bitcoin Forum
December 06, 2016, 02:11:43 PM *
Author Topic: Attention! This address is stealing BTC now!  (Read 4735 times)
nakowa (Member, Activity: 82)
June 29, 2011, 05:04:11 PM  #1

This address is receiving stolen BTC!

15Afx45asCysyNd9HE7xeZTkzLgDq2JCEx
http://blockexplorer.com/address/15Afx45asCysyNd9HE7xeZTkzLgDq2JCEx

and this one:

1GB8MHka8SXSFbJMViwkP6ANufts1qGnhF
http://blockexplorer.com/address/1GB8MHka8SXSFbJMViwkP6ANufts1qGnhF

All my BTC were transferred to this address hours ago!

------------

I'm using mac osx, and I have made an encrypted disk image to store the wallet.

A possible leak is that I used same account name and password at MtGox and Dropbox, from the first, the password is compromised, and from the last, the wallet backup is stolen, even though I zipped the wallet file with a long password...

BitcoinPorn (Hero Member, Activity: 560, Posts: 69)
June 29, 2011, 05:11:42 PM  #2

Follow them?

I am not sure if any threads like this have produced results that have helped, but I hope so, sorry about your troubles.

Serge (Legendary, Activity: 1050)
June 29, 2011, 05:11:58 PM  #3

From where?

GeniuSxBoY (Hero Member, Activity: 546)
June 29, 2011, 05:13:25 PM  #4

from where?



how much?

DamienBlack (Jr. Member, Activity: 56)
June 29, 2011, 05:15:45 PM  #5

There have been several threads about people whose money was sent to the same group of addresses. We are still trying to figure out how the computers are being compromised.

Could you give us a list of bitcoin related downloads you have made?
Do you feel like your computer is susceptible to traditional viruses?
Do you have your wallet online anywhere unencrypted?
Have you run any namecoin binaries?

I trade bitcoin options at https://bitoption.org/ ... Join me.
I play poker at https://betco.in/ ... Join me.
Support the bitcoin economy, what do you do?
Tips: 1NfXhiTFEdKQTdLy49s6DYAP1K7MeFWyao

bitcon (Legendary, Activity: 1050, www.bit-exo.com)
June 29, 2011, 05:21:13 PM  #6

Are you running MS Windows?

3txx (Jr. Member, Activity: 56)
June 29, 2011, 05:26:20 PM  #7

can anyone verify this address:
18hMx774ULBKJKMbwo5reBm3zW8unJ92FW

?

my btc-client told me, I transferred the btc I got earlier from deepbit (but i didn't transfer anything)

DamienBlack (Jr. Member, Activity: 56)
June 29, 2011, 05:42:44 PM  #8

> can anyone verify this address:
> 18hMx774ULBKJKMbwo5reBm3zW8unJ92FW
>
> ?
>
> my btc-client told me, I transferred the btc I got earlier from deepbit (but i didn't transfer anything)

http://blockexplorer.com/address/18hMx774ULBKJKMbwo5reBm3zW8unJ92FW

The address had .02 in it then it got sent out.

I trade bitcoin options at https://bitoption.org/ ... Join me.
I play poker at https://betco.in/ ... Join me.
Support the bitcoin economy, what do you do?
Tips: 1NfXhiTFEdKQTdLy49s6DYAP1K7MeFWyao

presha (Jr. Member, Activity: 35)
June 29, 2011, 09:06:19 PM  #9

my client sent 0.46 btc to this address today.. by itself.
I'm on win7x64 with latest updates, scanned the whole pc, checked open ports and autoruns.. and nothing.

i need help cus this is serious, if my antivirus and 4 anti-trojan apps say my windows is clean and it clearly isn't, there is something wrong.

1JnkNJrdDDUFywkz8KAMhN7jnFHXvt8JTe

darvil (Member, Activity: 73)
June 29, 2011, 09:08:24 PM  #10

> my client sent 0.46 btc to this address today.. by itself.
> I'm on win7x64 with latest updates, scanned the whole pc, checked open ports and autoruns.. and nothing.
>
> i need help cus this is serious, if my antivirus and 4 anti-trojan apps say my windows is clean and it clearly isn't, there is something wrong.

I would in this case, format everything and start fresh.  But that's just me.

sturle (Legendary, Activity: 1418, http://bitmynt.no)
June 29, 2011, 09:23:35 PM  #11

> my client sent 0.46 btc to this address today.. by itself.
Sure it was sent by your client, or did you store your wallet.dat somewhere else as well?  Look up the transaction ID in blockexplorer, and search for the first 20 bytes of it in debug.log.  (It is in ~/.bitcoin/ under Linux.  Have no idea where Wintendo stores it.)  If you see an "askfor tx transactionid" somewhere, the transaction was initiated by someone with a copy of your wallet.dat.  It looks like your own, because you have the same wallet.

See http://bitmynt.no for exchanging bitcoin for Norwegian kroner.  Safe, cheap, fast and easy since 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
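
The debug.log check described in post #11 can be scripted. The Python below is an added example, not code from the thread or from the Bitcoin client; it assumes the log abbreviates the transaction ID to its first 20 hex characters, the function name is hypothetical, and the sample txid and log lines are constructed (only the "askfor tx" wording comes from the post).

```python
import re

PREFIX_LEN = 20  # assumption: the log shows the first 20 hex characters of the txid

def triage_debug_log(txid, log_lines):
    """Apply the check from the post: find log lines that mention the
    transaction and report whether any of them is an 'askfor tx' request."""
    txid = txid.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", txid):
        raise ValueError("expected a 64-character hex transaction ID")
    prefix = txid[:PREFIX_LEN]
    askfor = re.compile(r"\baskfor\s+tx\s+" + prefix)
    requested, mentioned = [], []
    for lineno, line in enumerate(log_lines, start=1):
        low = line.lower()
        if askfor.search(low):
            requested.append(lineno)   # the client asked a peer for this tx
        elif prefix in low:
            mentioned.append(lineno)   # the tx appears, but not as a request
    if requested:
        verdict = "requested-from-network"  # per the post: sent from another wallet copy
    elif mentioned:
        verdict = "seen-without-askfor"
    else:
        verdict = "not-in-log"
    return {"verdict": verdict, "askfor_lines": requested, "other_lines": mentioned}

# Constructed sample input: a made-up txid and made-up log lines.
SAMPLE_TXID = "3f1c9a7e5b2d4c6a8e0f" + "0" * 44
SAMPLE_LOG = [
    "constructed line: unrelated activity",
    "askfor tx 3f1c9a7e5b2d4c6a8e0f   1309381200000000",
    "constructed line: another unrelated entry",
    "constructed line: tx 3f1c9a7e5b2d4c6a8e0f mentioned elsewhere",
]

if __name__ == "__main__":
    print(triage_debug_log(SAMPLE_TXID, SAMPLE_LOG))
```

Pass it the transaction ID from the block explorer and the lines of debug.log; the line numbers in the result point at the entries to read by hand.
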

DamienBlack (Jr. Member, Activity: 56)
June 29, 2011, 09:26:13 PM  #12

@presha

A targeted virus, one that just opens wallet.dat and sends it off, one that you ran on your own accord, will not be detected by antivirus. No antivirus company yet looks for programs trying to access your wallet.dat.

Please tell us what you have downloaded and run lately so that we can find the program doing this.

I trade bitcoin options at https://bitoption.org/ ... Join me.
I play poker at https://betco.in/ ... Join me.
Support the bitcoin economy, what do you do?
Tips: 1NfXhiTFEdKQTdLy49s6DYAP1K7MeFWyao

presha (Jr. Member, Activity: 35)
June 29, 2011, 09:41:43 PM  #13

> @presha
>
> A targeted virus, one that just opens wallet.dat and sends it off, one that you ran on your own accord, will not be detected by antivirus. No antivirus company yet looks for programs trying to access your wallet.dat.
>
> Please tell us what you have downloaded and run lately so that we can find the program doing this.

I'm 99% sure now that someone hacked into my dropbox account, where I stored the first backup of my wallet.dat a few months ago, when I started mining. The file was compressed and with a rather long password, but I assume it wasn't a problem for some bruteforce app to crack it.
I'm so glad that this was my very old backup and I lost only 0.46 BTC (doing encrypted backups only on usb drives now)

btw http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/

goodbye dropbox...

1JnkNJrdDDUFywkz8KAMhN7jnFHXvt8JTe

HappyFunnyFoo (Full Member, Activity: 125)
June 29, 2011, 10:01:03 PM  #14

Dropbox didn't require a login password for a while a couple weeks ago.  Anyone storing a wallet file on dropbox should've promptly transferred the bitcoins to a new wallet file.

presha (Jr. Member, Activity: 35)
June 29, 2011, 10:04:02 PM  #15

> Dropbox didn't require a login password for a while a couple weeks ago.  Anyone storing a wallet file on dropbox should've promptly transferred the bitcoins to a new wallet file.

that's why I'm leaving, got no email from them about this security issue, ridiculous
gonna try skydrive + truecrypt combo now

1JnkNJrdDDUFywkz8KAMhN7jnFHXvt8JTe

sturle (Legendary, Activity: 1418, http://bitmynt.no)
June 29, 2011, 10:17:10 PM  #16

> A possible leak is that I used same account name and password at MtGox and Dropbox, from the first, the password is compromised, and from the last, the wallet backup is stolen, even though I zipped the wallet file with a long password...
You knew about this, and didn't move your coins to a new wallet!?  If your zip file was password protected using the old standard zip password protection, it is vulnerable to a known plaintext attack.  Your wallet.dat contains many known strings of sufficient length.  Cracking it takes a few minutes at most on a normal desktop computer, no matter how long your password is.

See http://bitmynt.no for exchanging bitcoin for Norwegian kroner.  Safe, cheap, fast and easy since 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
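
Whether a backup archive uses the old standard zip password protection mentioned in post #16 can be read from its headers without knowing the password. The Python below is an added example, not code from the thread: it reads each entry's general-purpose flags and compression method with the standard zipfile module and reports the scheme the entry declares. The function names are hypothetical and the sample archives are constructed by patching an unencrypted one-entry zip.

```python
import io
import struct
import zipfile

AES_METHOD = 99          # WinZip AES marker stored in the compression-method field
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040     # general-purpose bit 6: PKWARE strong encryption

def classify(info):
    """Return the protection scheme a central-directory entry declares."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "winzip-aes"
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    return "legacy-zipcrypto"  # the old scheme, open to the known-plaintext attack

def audit(zip_bytes):
    """Map each entry name to its declared scheme; only metadata is read."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def constructed_sample(flags, method):
    """Build a one-entry archive, then patch its central-directory header so it
    declares the given flags and method. Constructed input, not a real backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("wallet.dat", b"constructed placeholder bytes")
    raw = bytearray(buf.getvalue())
    cd = raw.rfind(b"PK\x01\x02")  # central directory file header signature
    struct.pack_into("<HH", raw, cd + 8, flags, method)  # flags, then method
    return bytes(raw)

if __name__ == "__main__":
    for flags, method in [(0x0001, 8), (0x0001, 99), (0x0000, 0)]:
        print(audit(constructed_sample(flags, method)))
```

Any entry reported as legacy-zipcrypto should be treated as readable by whoever holds the archive, whatever the password length.
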

Capitan (Member, Activity: 112)
June 30, 2011, 12:29:35 AM  #17

OP, how strong was your password on the zipped wallet that was on DropBox? How many chars, and what kind of mixture of lower case, upper case, numbers, punctuation, etc, did it contain?

And what format was the zipped file in? WinRAR?

I hate when people make these posts and make you ask every little detail in order to try to help them figure out what may have happened. It's like pulling teeth. Just fucking give us all the info instead of making us ask for every little thing. Don't make assumptions like "I'm 99% sure that XYZ happened" and then think that posting additional details is no longer of any use. You are of course free to make your assumptions about what might have happened, but at least post all the necessary info that is required to come to that conclusion. If you leave things out like the info I asked above, you leave the possibility in everyone's mind that your zipped & password protected file might actually have been impossible to brute force. And then the community still has no idea what happened in your case and we are no closer to figuring out how people are getting hacked, and your entire thread was a waste of everyone's time. That also leaves open the possibility that all the "I was hacked" threads are troll or FUD threads.

Sorry, OP, this is not meant to single you out. This is a common theme in all the "My BTC was stolen due to hack" threads.

davux (Sr. Member, Activity: 289, Firstbits.com/1davux)
June 30, 2011, 12:44:40 AM  #18

> Have you run any namecoin binaries?

Can you elaborate on why running namecoin binaries in general (and not just any binary) is risky?

1DavuxH9tLqU4c7zvG387aTG4mA7BcRpp2
México (Oaxaca) – France - Leeds

allinvain (Legendary, Activity: 1988)
June 30, 2011, 01:21:15 AM  #19

Sorry to hear about your loss nakowa. I hope you did not lose too much.

Please notify all the major exchanges about this so they can keep an eye on transactions flowing from those two addresses.


cmh (Newbie, Activity: 21)
June 30, 2011, 02:00:09 AM  #20

A firewall is better than an av scan to protect your wallet.dat. Probably there will be more and more exe's that look for wallet.dat and upload to a server somewhere. A lot of the time it will come in the guise of a special video player or something along those lines. Even with a firewall, people are inclined to grant internet access to it because otherwise, the video won't play.

In this case sounds like it was likely the copy on dropbox.com.