Bitcoin Forum
Author Topic: Confusing blockchain.info transaction, please help  (Read 151 times)
wimple (OP)
December 26, 2017, 08:04:31 PM
 #1

Hello,
I've had my coins transferred out of my blockchain.info wallet.
The addresses for my wallet are:

1Gw9XzNBMuZrQDoe7uj5gjddMatGvehemm
16d1LAJCUHQVkNstcmaFbTaHRmxeSZWxJD
1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr
1EHPiacSctjDR36Lckg1yb2HMdZjfv696z
1CBDWMzjfJo9gHdfJj2cc7qu11UQgyS4tA
I've confirmed this by generating my private keys with bip39-master.

Now the strange thing is, I added these addresses to omniwallet, and before I knew it, the contents of these addresses (which was only 25% of my wallet), and the contents of another address were transferred to a new address, and I lost everything.

Time: 2017-12-19 17:16:33, transaction: af8a8265c425bc6aef49cce56a4cf89147c68639591faea3c3467fbadcdb450b
1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr (0.04058 BTC - Output)
1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr (0.07813 BTC - Output)
1EHPiacSctjDR36Lckg1yb2HMdZjfv696z (0.00001 BTC - Output)
1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr (0.05564 BTC - Output)
16d1LAJCUHQVkNstcmaFbTaHRmxeSZWxJD (0.69800857 BTC - Output)
1CBDWMzjfJo9gHdfJj2cc7qu11UQgyS4tA (0.001 BTC - Output)
1JLE6ckXeLYcMQiGbCPDhsEFK56EiedGsw (3.18448379 BTC - Output)
                                                -->1GDKbbYJawqfajQfLh3FLpKxP3xKWnfTrk - (Spent) 4.04968358 BTC


There are two very strange things here.
1. Where did the mystery address 1JLE6ckXeLYcMQiGbCPDhsEFK56EiedGsw  come from?
2. What triggered everything going to the final location? - I've checked the BTC are still in that final address (1GDKbbYJawqfajQfLh3FLpKxP3xKWnfTrk), so unlikely to be a hacker.

Finally, how on earth do I get my coins back?
If this is too involved for this forum, can you point me to where I might get assistance?

Thank you
Wimple


exstasie
December 26, 2017, 09:04:32 PM
 #2

Now the strange thing is, I added these addresses to omniwallet, and before I knew it, the contents of these addresses (which was only 25% of my wallet), and the contents of another address were transferred to a new address, and I lost everything.

It sounds like you were on a phishing site rather than the official Omniwallet site. It's also possible you have a keylogger that swept the private keys when you copied and pasted them.

In general, I don't trust web wallets. But even more than that, I would recommend against importing private keys (that hold BTC or valuable alts) to any website. Scams are too rampant these days.

1. Where did the mystery address 1JLE6ckXeLYcMQiGbCPDhsEFK56EiedGsw  come from?

It looks to me like the hacker/phishing attacker imported your private keys into another wallet that included that address. He swept them all to another address.

2. What triggered everything going to the final location? - I've checked the BTC are still in that final address (1GDKbbYJawqfajQfLh3FLpKxP3xKWnfTrk ), so unlikely to be hacker .

For whatever reason, he wasted 0.00957563 BTC sending the output above to the same public address. It is the hacker. He swept all the funds into one address and they haven't left that address.

Finally, how on earth do I get my coins back?

They are gone forever. Sorry for the loss. You need to be very, very careful about downloading malware or visiting phishing sites. Your computer may be compromised already; you should consider thoroughly checking it for malware or formatting it before putting any more funds at risk.

New users should really stick to hardware wallets like Ledger and Trezor until they learn more about the security risks of cryptocurrencies.
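The reply above reads the transaction in post #1 as a sweep and treats the "mystery" input as belonging to the same signer. The following is an added example (not code from the thread or from any wallet project) of how an analyst would check that reading mechanically: it applies the common-input-ownership heuristic and the single-output sweep pattern to the listed transaction. The txid, addresses and amounts are the ones the poster gave; which listed lines are inputs and which is the output is inferred from the "--> ... (Spent)" line, since the explorer listing was pasted without that structure.

```python
from collections import defaultdict
from decimal import Decimal

SATS_PER_BTC = 100_000_000


def to_sats(btc: str) -> int:
    """Convert a BTC amount written as a string to integer satoshis (exact, no float error)."""
    return int(Decimal(btc) * SATS_PER_BTC)


# Constructed from the explorer listing quoted in post #1: txid and addresses are the
# poster's, amounts are the ones shown, and the input/output assignment is inferred from
# the "--> ... (Spent)" line. Real analysis would fetch the decoded tx from a node instead.
TX = {
    "txid": "af8a8265c425bc6aef49cce56a4cf89147c68639591faea3c3467fbadcdb450b",
    "inputs": [
        ("1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr", "0.04058"),
        ("1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr", "0.07813"),
        ("1EHPiacSctjDR36Lckg1yb2HMdZjfv696z", "0.00001"),
        ("1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr", "0.05564"),
        ("16d1LAJCUHQVkNstcmaFbTaHRmxeSZWxJD", "0.69800857"),
        ("1CBDWMzjfJo9gHdfJj2cc7qu11UQgyS4tA", "0.001"),
        ("1JLE6ckXeLYcMQiGbCPDhsEFK56EiedGsw", "3.18448379"),
    ],
    "outputs": [
        ("1GDKbbYJawqfajQfLh3FLpKxP3xKWnfTrk", "4.04968358"),
    ],
}

# The five addresses the poster says belong to the compromised wallet.
WALLET_ADDRESSES = {
    "1Gw9XzNBMuZrQDoe7uj5gjddMatGvehemm",
    "16d1LAJCUHQVkNstcmaFbTaHRmxeSZWxJD",
    "1GZ7pfx8AtepqCt11vNNtoakvbqsHhWgAr",
    "1EHPiacSctjDR36Lckg1yb2HMdZjfv696z",
    "1CBDWMzjfJo9gHdfJj2cc7qu11UQgyS4tA",
}


def analyze_sweep(tx: dict, wallet: set) -> dict:
    """Classify a transaction against a set of addresses the victim controls."""
    per_address = defaultdict(int)
    for addr, amount in tx["inputs"]:
        per_address[addr] += to_sats(amount)
    total_in = sum(per_address.values())
    total_out = sum(to_sats(amount) for _, amount in tx["outputs"])
    fee = total_in - total_out
    if fee < 0:
        # Inputs must cover outputs; a negative fee means the listing was mis-parsed.
        raise ValueError("outputs exceed inputs: input/output assignment is wrong")

    input_addrs = set(per_address)
    output_addrs = {addr for addr, _ in tx["outputs"]}
    watched = input_addrs & wallet
    foreign = input_addrs - wallet

    # Common-input-ownership heuristic: every input of a transaction had to be signed
    # with its own private key, so all input addresses were under one party's control
    # at signing time. A foreign input co-spent with the victim's addresses therefore
    # belongs to whoever held the victim's keys, not to an unrelated third party.
    # A sweep consolidates several inputs into one output with no change returned.
    is_sweep = (
        len(input_addrs) >= 2
        and len(output_addrs) == 1
        and not (output_addrs & input_addrs)
    )
    return {
        "txid": tx["txid"],
        "total_in_sats": total_in,
        "total_out_sats": total_out,
        "fee_sats": fee,
        "distinct_input_addresses": len(input_addrs),
        "watched_inputs": watched,
        "foreign_inputs": foreign,
        "untouched_wallet_addresses": wallet - input_addrs,
        "destination": output_addrs,
        "is_sweep": is_sweep,
    }


def summarize(report: dict) -> str:
    """Short explanation an analyst could paste into an incident note."""
    lines = [
        f"tx {report['txid'][:16]}...: {report['total_in_sats']} sats in, "
        f"{report['total_out_sats']} sats out, fee {report['fee_sats']} sats",
        f"{report['distinct_input_addresses']} distinct input addresses, "
        f"{len(report['watched_inputs'])} of them in the victim wallet",
    ]
    if report["foreign_inputs"]:
        lines.append("co-spent inputs not in the victim wallet (same signer by the "
                     "common-input-ownership heuristic): "
                     + ", ".join(sorted(report["foreign_inputs"])))
    if report["is_sweep"]:
        lines.append("pattern: sweep to a single fresh address "
                     + ", ".join(report["destination"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(analyze_sweep(TX, WALLET_ADDRESSES)))
```

Amounts are summed in integer satoshis via Decimal so the fee comes out exact; a negative fee is treated as a parsing error rather than silently reported, since an explorer listing pasted as plain text can easily have an output mistaken for an input. The fee this computes from the listed amounts is 816878 sats.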

wimple (OP)
December 26, 2017, 09:45:16 PM
 #3

Hi, thank you for your reply.
It's pretty much as I expected.
As all the addresses were used, even the ones I didn't generate ( I didn't make the external addresses ), I thought it looked like a sweep.

I used a bitcoin gold client Bitcoin Gold 1.1.5 from Bitcoin-Wallet-1.1.5.0.exe from http[Suspicious link removed] and put my seed into that. Is it possible the client (or a hacked version thereof) posted the seed to a hacker? I'd like to figure out the hack vector.

Wouldn't a hacker quickly move the funds along? They are just sitting there.

Is there a way to see if the bitcoin gold for that seed is also gone?

Thank you again for your assistance.
G
exstasie
December 26, 2017, 10:01:28 PM
 #4

Hi, thank you for your reply.
It's pretty much as I expected.
As all the addresses were used, even the ones I didn't generate ( I didn't make the external addresses ), I thought it looked like a sweep.

I used a bitcoin gold client Bitcoin Gold 1.1.5 from Bitcoin-Wallet-1.1.5.0.exe from http[Suspicious link removed] and put my seed into that. Is it possible the client (or a hacked version thereof) posted the seed to a hacker? I'd like to figure out the hack vector.

Yes, that's likely what happened. Did you download the client from the official Bitcoin Gold website? The link was removed. You might want to remove the http and .com so we can see where the download originated from. The official Bitcoin Gold site was even compromised for a couple days and people were downloading malware directly from there.

One more note on security since we're on this topic. If you are going to import your seed (or any private keys) to claim fork coins, you should always move your BTC to a safe, new wallet first. Your seed should have access to zero BTC when you import it into an altcoin client.

Wouldn't a hacker quickly move the funds along? They are just sitting there.

He already moved them to an address he controls. Now the money is his. I suppose he could try to obfuscate where they came from, but with the current network congestion it probably makes sense not to do anything.

Is there a way to see if the bitcoin gold for that seed is also gone?

There's a block explorer, but I'm not sure how to convert your BTC public addresses to BTG public addresses that you can look up there.

wimple (OP)
December 26, 2017, 10:47:09 PM
 #5

Not omni, def bitcoin gold wallet.
I downloaded from

 btcgwallet dot org.

The program was a rebranded original client. It takes my seed, but actually shows BTC addresses (none of them related to my wallet). Just enough info to keep me distracted while my coins are transferred away.

I can share the binary if it would help anyone.

Any way to notify the site owners their downloads have been hacked? Or let me guess, this is a phishing site, and I downloaded from the wrong site altogether.

I did know I should have transferred my coins out before doing this. But I didn't. 'A fool and his money ...' comes to mind.

Cheers
Glenn
wimple (OP)
December 29, 2017, 04:27:25 PM
 #6

Well, I did a little bit more investigating of the scam software. Really simple actually.
It just sends your seed through email on a php mailer site.

Managed to get my BTG out even though the seed had been shared, so the malware people are busy collecting BTC and not bothering with BTG.

Peace.
Patatas
December 29, 2017, 08:09:20 PM
 #7

Well, I did a little bit more investigating of the scam software. Really simple actually.
It just sends your seed through email on a php mailer site.

Managed to get my BTG out even though the seed had been shared, so the malware people are busy collecting BTC and not bothering with BTG.

Peace.
Greediness, that's where it lands you.
You lost your Bitcoins for some temporary BTGs, not a fair deal you got I guess... Did you manage to find out the email involved? You got your BTG but they still have your seed, so what makes you think they won't have access to your BTGs? You need to give up on the addresses with a compromised private key.
wimple (OP)
December 31, 2017, 05:36:51 AM
 #8

Yes,
Just about the dumbest thing I've done.
Greed, yes. I actually think it's a relatively fair deal in retrospect. Screw around with seeds, download software off what is clearly in the light of day a dodgy site, combine that with my wallet seed and yes. I think I got what I deserved.
Lesson learned I hope.
As for their fake wallet software:
I decompiled their software, it's just a basic early electrum clone in c#.
It posts the seed through this phpmailer form:
btcgwallet dot org / mailer / index.php
Email address was: info at btcgwallet.org

All running out of asia.

Out of 50% spite, and 50% not wanting this to happen to anyone else, I wrote a small program that posts a random 12 word seed through this form every 0.01 seconds.
I'm pleased to see they've broken the mailer function page to stop my spam posts going through. It was probably impossible to distinguish from my fake seeds and any real seeds they collected. They've also disabled the function in their fake wallet download for now. I'll periodically send through 500000 fake seeds. It's not going to get my coins back, but I feel a teeny tiny bit better by doing this.
The form was used across a few 'wallet' sites, so, for now at least, a few people will hold on to their wallets a bit longer.

I've abandoned the wallet of course. Next wallet, uber safe, Trezor I think. Luckily I'd moved some coins out of my now lost wallet a few days before ....

Thanks for your input.

g
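The decompilation described in the post above found a C# wallet clone whose only "feature" was posting the seed to a phpmailer form. An analyst triaging a suspicious wallet download would want to reach that conclusion without decompiling. The following is an added example (not the poster's program or the fake wallet's code) of a static triage pass over a binary: it extracts both ASCII and UTF-16LE strings (the .NET runtime stores string literals as UTF-16LE, so a plain ASCII `strings` run misses them), pulls out embedded URLs, flags ones that look like a form-to-email relay, and lists field names that would carry a secret. The sample bytes are constructed for the example, and the URL in them is a placeholder rather than the site named in the thread.

```python
import re

# Constructed stand-in for a suspicious .NET (C#) wallet binary: an MZ header, padding,
# and a few string literals. .NET assemblies keep string literals as UTF-16LE, so an
# ASCII-only `strings` pass would miss the posting URL entirely.
EXFIL_URL = "http://phish.example/mailer/index.php"  # placeholder, not the thread's site
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + "Bitcoin Gold Wallet 1.1.5".encode("utf-16-le") + b"\x00" * 8
    + EXFIL_URL.encode("utf-16-le") + b"\x00" * 8
    + b"https://explorer.example/api/" + b"\x00" * 8   # ordinary ASCII string, for contrast
    + "mnemonic=".encode("utf-16-le") + b"\x00" * 8
)

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Form-field or key names that would carry wallet secrets if posted anywhere.
SECRET_FIELDS = ("seed", "mnemonic", "words", "privkey", "xprv", "passphrase")
# Substrings that mark a generic form-to-email relay rather than a wallet or explorer API.
MAILER_MARKERS = ("mailer", "sendmail", "mail.php", "contact.php", "form.php")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs, by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(blob)]
    return sorted(found)


def find_exfil_candidates(blob: bytes) -> list:
    """Every embedded URL, flagged when it looks like a form-mailer relay."""
    hits = []
    for offset, enc, text in extract_strings(blob):
        for url in URL_RE.findall(text):
            lowered = url.lower()
            hits.append({
                "offset": offset,
                "encoding": enc,
                "url": url,
                "suspicious": any(marker in lowered for marker in MAILER_MARKERS),
            })
    return hits


def secret_field_names(blob: bytes) -> list:
    """Strings that name a secret as a key, e.g. 'mnemonic=' or 'seed='."""
    names = []
    for _, _, text in extract_strings(blob):
        stripped = text.strip()
        if any(stripped.lower().startswith(field) for field in SECRET_FIELDS):
            names.append(stripped)
    return names


def triage(blob: bytes) -> dict:
    """The first question an analyst asks of a wallet binary: does it know a mailer-style
    URL, and does it have a field name to send a secret under?"""
    urls = find_exfil_candidates(blob)
    fields = secret_field_names(blob)
    flagged = [h for h in urls if h["suspicious"]]
    verdict = "likely seed exfiltration" if flagged and fields else "no mailer pattern found"
    return {"urls": urls, "secret_fields": fields, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

The string scan is deliberately encoding-aware: on the constructed sample the mailer URL is only recoverable from the UTF-16LE pass, while the harmless explorer URL is plain ASCII. A genuine wallet has no reason to carry a form-mailer endpoint at all, so that marker plus a secret-bearing field name is enough to stop and compare the download against the project's published release hashes and signatures before the seed goes anywhere near it.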
Mi5h0
January 01, 2018, 02:14:07 PM
 #9

Yes,
Just about the dumbest thing I've done.
Greed, yes. I actually think it's a relatively fair deal in retrospect. Screw around with seeds, download software off what is clearly in the light of day a dodgy site, combine that with my wallet seed and yes. I think I got what I deserved.
Lesson learned I hope.
As for their fake wallet software:
I decompiled their software, it's just a basic early electrum clone in c#.
It posts the seed through this phpmailer form:
btcgwallet dot org / mailer / index.php
Email address was: info at btcgwallet.org

All running out of asia.

Out of 50% spite, and 50% not wanting this to happen to anyone else, I wrote a small program that posts a random 12 word seed through this form every 0.01 seconds.
I'm pleased to see they've broken the mailer function page to stop my spam posts going through. It was probably impossible to distinguish from my fake seeds and any real seeds they collected. They've also disabled the function in their fake wallet download for now. I'll periodically send through 500000 fake seeds. It's not going to get my coins back, but I feel a teeny tiny bit better by doing this.
The form was used across a few 'wallet' sites, so, for now at least, a few people will hold on to their wallets a bit longer.

I've abandoned the wallet of course. Next wallet, uber safe, Trezor I think. Luckily I'd moved some coins out of my now lost wallet a few days before ....

Thanks for your input.

g

I admire what you're trying to do and how you're standing up to them. I really do. Good thinking using that tracking bullet.
At least, it will be impossible (or very difficult) for them to scam others in this way. Kudos for that.