Hacked

[dchou]

E-mail travels around the internet unencrypted so anyone listening on a network connection where there's a chance of e-mail passing through is in a prime spot to steal wallets.

This.  So much this.

So many people don't realize that nearly every email they send bounces around the internet completely unencrypted in plaintext for hackers to read.

If your password protecting your blockchain.info wallet was weak, then a hacker could capture it as it travels from blockchain.info to Google, and then check it against a rainbow table.  The 2 factor is only for logging into the website to receive the encrypted wallet.  Once they've got the wallet, they don't need the 2FA at all.

My best guess would be a password that exists in a rainbow table, but I suppose there are other possibilities.

Virus scans came up pretty clean ... one trojan Troj/JSRedir-BV

However, I did look back in my email history.  My last wallet backup was May 28th.

Also, I did get a few "Authorize log-in attempt" warnings emailed to me on July 15th and July 4th.

"An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:

Time: 2013-07-15 07:55:45
IP Address: 87.118.91.140 (Germany)
User Agent: Mozilla/5.0 "

The location does appear to match the location on the transaction in blockchain.info:
https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840

I ignored the warning at the time, since I had 2FA on.

The stolen coins have now been moved.
https://blockchain.info/address/15B9RyqJGrJcqKmyMr8QUEocif9ATYuXBP

[1713573620]

1713573620

[1713573620]

1713573620

[1713573620]

1713573620

[cp1]

One trojan isn't pretty clean.

[smscotten]

One trojan isn't pretty clean.

Depends. Whenever I do a virus scan I end up with dozens of OMFG messages. They are all Windows viruses and trojans from the 1990s, sitting in some piece of spam in my email archives that I didn't bother deleting 15 years ago. I consider that clean. *shrug*

[dchou]

Thanks for everyone's input on this.

The prevailing theory seems to be that the wallet backup file sent to gmail was compromised.

The only other fact is that I did have an unauthorized login attempt on my blockchain account a few weeks back.

[astrolabe]

How good was your wallet password?  Could you post a similar dummy password here?  Thanks.

[dchou]

How good was your wallet password?  Could you post a similar dummy password here?  Thanks.

8 letters and 2 numbers

[smscotten]

How good was your wallet password?  Could you post a similar dummy password here?  Thanks.

8 letters and 2 numbers

Unlike access to a computer system or a website where the administrators can simply not accept logins more more than once every two seconds and slow down brute force hacks, if someone has your wallet, they can sit there all day running automated scripts against it.

Someone using a desktop PC could get an 8 letter, 2 number password in a few days. Someone with more substantial processing power? A couple hours. The NSA? Probably less than a second.

My life became much easier when I abandoned memorizing passwords and started using a password manager. I no longer have passwords shorter than 17 characters, and most of them are between 23 and 60 characters long. All with mixed case, variable quantities of numerals and punctuation, and wherever the systems allow it I include characters from multiple languages in the high unicode registers.

&}vbrشJh7ç1SφH@NmMfIu/^Cyf4""Auzpה=)XЯQ7v«6AZ0zhɣ

…isn't a half bad password, except that now it's been posted to a public forum.

Edit to add: https://howsecureismypassword.net/ is a fun place to test out combinations. Best not to put actual passwords in there, of course. According to that site, the above password would take a desktop PC 74 untrigintillion years to crack. Frankly, I'd have to look up what an untrigintillion is but I think it involves a whole mess of zeroes.

[cp1]

How does the wallet backup work?  Is it encrypted with that 8 letter 2 number password?  What hash does it use?  Post the hash of your password and I bet someone finds it in a lookup table.

PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.

[dchou]

How does the wallet backup work?  Is it encrypted with that 8 letter 2 number password?  What hash does it use?  Post the hash of your password and I bet someone finds it in a lookup table.

PS If you know where to download these premade private key hash lookup tables send me a PM -- I'm curious to look at one.

PM'd

[gbl08ma]

Some search results for Troj/JSRedir-BV:
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSRedir-BV/detailed-analysis.aspx
http://www.pc1news.com/news/1512/ebay-spam.html

Looks like something that appeared back in 2010.
My guess is that you accessed some page with malicious javascript embedded, and somehow the thing managed to stay in memory until your next login to blockchain.info, where attackers could get the password and the encrypted wallet. Or it may have been a trick using iframes, not so sure if that's possible and how it works.
Malware that replaces the JS files executed by the browser when on the blockchain.info wallet could also do it (since the thing runs on lots of JS), but from what I remember blockchain.info implements file signature checking to prevent tampering (or am I confusing with a browser extension that actually does that?).
Or you simply got tricked into logging in to a blockchain.info site that wasn't actually the true one... but that wouldn't get them the encrypted wallet, and your username and password alone wouldn't be enough because of the two factor auth thing.

[btcton]

A lot of phishing has been going on recently, perhaps you were a victim?

[cp1]

It looks like it's AES encrypted -- I bet your password was already in a table somewhere.

[dchou]

It looks like it's AES encrypted -- I bet your password was already in a table somewhere.

Yes it's AES encrypted.  If you could PM me a table location, I can do a lookup.

[cp1]

I've never actually found one, I should go searching one of these days.

[Moebius327]

Many reports on hacked macs today. I doubt your mail was compromised.