Bitcoin Forum
November 19, 2017, 03:19:16 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 »  All
  Print  
Author Topic: Hacked - 22 BTC stolen from Bitcoin-QT v0.8.1-beta wallet on OS X 10.7.5  (Read 10439 times)
E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 02, 2013, 01:59:20 PM
 #1

So here is what happened. Yesterday night, I withdrew BTCs from BTCT.co

Transferred: 22.65118847 BTC
  Payment Address: 1936Ej4GZeJ4LBsjHQ6U8v2tooTTa1jDFf
  Transaction ID: 248fefca0bae07642a39830d6f86a436c18f33855ec86e18794577f16421f5e7
  Site Fee: 0 BTC
  bitcoind Fee: 0.0005 BTC

Received them into my wallet and decided to send them to BTC-e (couldn't do it directly from BTCT.co as I had a locked withdrawal address).
Entered the all amount for transaction (previous to this, my wallet was empty as I rarely use it), entered my passphrase (around 25 random characters) and proceeded to send.
At this point Bitcoin-QT became unresponsive. I forced quit and restarted the application, and I got the message: "wallet.dat corrupt, salvage failed".
I retrieve the dat file from my daily backup and replace the corrupted one.
The wallet starts to sync, and my 22.65118847 BTC are still there.
I start again the process to send BTC to BTC-e, enter the passphrase, and at this point the app tells me I don't have enough funds.
I go to transaction and can see that the entire wallet is being transferred to 12YabLfo4W51EqU6amYNtopPJZjRJfU46U

I really don't want anyone to go through what I went in the last 14 hours. I therefore would very much appreciate any input from the community so as to understand where I messed up.

When that happened, I had Vanitygen Bitvanity running in the background. I also had Chrome running (gmail, btct,  btc-e, coindesk, etc. No dodgy websites). I m just trying to give any relevant info - let me know if I can provide anything more.

I m scanning the entire system with SOPHOS - it has done around 95% and found nothing.

Thank you all in advance for your input.


E.


[EDIT: Sorry, due to lack of sleep I just realised I had written Vanitygen instead of Bitvanity. Αpology for the confusion to samr7, author of Vanitygen on Github]

1511061556
Hero Member
*
Offline Offline

Posts: 1511061556

View Profile Personal Message (Offline)

Ignore
1511061556
Reply with quote  #2

1511061556
Report to moderator
1511061556
Hero Member
*
Offline Offline

Posts: 1511061556

View Profile Personal Message (Offline)

Ignore
1511061556
Reply with quote  #2

1511061556
Report to moderator
Coinlancer is Disrupting the Freelance marketplace!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511061556
Hero Member
*
Offline Offline

Posts: 1511061556

View Profile Personal Message (Offline)

Ignore
1511061556
Reply with quote  #2

1511061556
Report to moderator
1511061556
Hero Member
*
Offline Offline

Posts: 1511061556

View Profile Personal Message (Offline)

Ignore
1511061556
Reply with quote  #2

1511061556
Report to moderator
DannyHamilton
Legendary
*
Offline Offline

Activity: 1974



View Profile
August 02, 2013, 03:38:02 PM
 #2

Was the 1936Ej4GZeJ4LBsjHQ6U8v2tooTTa1jDFf address generated with a vanity gen program, imported after receiving the private key from someone, or imported after being created as a brain wallet of some sort?

E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 02, 2013, 04:03:26 PM
 #3

Was the 1936Ej4GZeJ4LBsjHQ6U8v2tooTTa1jDFf address generated with a vanity gen program, imported after receiving the private key from someone, or imported after being created as a brain wallet of some sort?

No, it was an address generated by Bitoin-QT wallet. I only generated a few vanity address so to experiment, and imported a couple in my wallet. I used an OSX application found on the net https://github.com/trevory/bitvanity - I scanned it and it came clean. This said, I wasn't going to trust the source and didn't intend to use generated address for any transaction.

Now that I look at this app, it does look a bit suspicious.

E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 02, 2013, 06:17:02 PM
 #4

I was just made aware of this: https://bitcointalk.org/index.php?topic=25804.msg1995725#msg1995725


DannyHamilton
Legendary
*
Offline Offline

Activity: 1974



View Profile
August 02, 2013, 06:29:14 PM
 #5


Yep, sounds like the Vanity Generator that you installed was a trojan.  I assume your Bitcoin-Qt wallet wasn't password protected either?  Or did the vanity generator manage to capture your keyboard input and get your password that way?

E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 02, 2013, 06:34:44 PM
 #6


Yep, sounds like the Vanity Generator that you installed was a trojan.  I assume your Bitcoin-Qt wallet wasn't password protected either?  Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the all wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Moebius327
Hero Member
*****
Offline Offline

Activity: 728


ARNA | PreSale - September 21st


View Profile
August 02, 2013, 06:38:54 PM
 #7


Yep, sounds like the Vanity Generator that you installed was a trojan.  I assume your Bitcoin-Qt wallet wasn't password protected either?  Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the all wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄▀▀▀▀▀▀▀▀▀▀▄▄
▄█▀░░░░░░░░░░░░░░▀█▄
▄█▀░░░░░░░░██░██░██░░▀█▄
▄▀░░░░░░░▄▄░░░░░░░▄▄░░░░▀▄
▄█░░░░░░░░▀▀░░░░░░░▀▀░░░░░█▄
█░░░░░░██░░░░░░░░░░██░░░░░░█
█░░░░░░▄▄░▄▄░▄▄░▄▄░▄▄░░░░░░█
█░░░░░░▀▀░▀▀░▀▀░▀▀░▀▀░░░░░░█
▀█░░░░░██░░░░░░░░░░██░░░░░█▀
▀▄░░░░▄▄░░░░░░░░░░▄▄░░░░▄▀
▀█▄░░▀▀░░░░░░░░░░▀▀░░▄█▀
▀█▄░░░░░░░░░░░░░░▄█▀
▀▀▄▄▄▄▄▄▄▄▄▄▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
[.
.WHITEPAPER.
.ANN THREAD.
]██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 02, 2013, 06:43:57 PM
 #8


Yep, sounds like the Vanity Generator that you installed was a trojan.  I assume your Bitcoin-Qt wallet wasn't password protected either?  Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the all wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Thanks, good to know. I will from now on become way more paranoid.

I suppose my all wallet is now compromised. The best thing is just to delete the all thing since I have no BTCs left, no?
Also, any suggestions on how to be sure I fully delete the app from my system?

Kouye
Sr. Member
****
Offline Offline

Activity: 336


Cuddling, censored, unicorn-shaped troll.


View Profile
August 02, 2013, 06:46:56 PM
 #9

There is a chance the malware just took advantage of your wallet unlocking to push a TX, and not steal your private keys along.
I would keep the wallet just in case, since you might receive payments on one of his addresses, but start a fresh one anyway, too.

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
Moebius327
Hero Member
*****
Offline Offline

Activity: 728


ARNA | PreSale - September 21st


View Profile
August 02, 2013, 06:47:24 PM
 #10


Yep, sounds like the Vanity Generator that you installed was a trojan.  I assume your Bitcoin-Qt wallet wasn't password protected either?  Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the all wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Thanks, good to know. I will from now on become way more paranoid.

I suppose my all wallet is now compromised. The best thing is just to delete the all thing since I have no BTCs left, no?
Also, any suggestions on how to be sure I fully delete the app from my system?

You should format or use Time Machine? I am not sure about the second.

██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄▀▀▀▀▀▀▀▀▀▀▄▄
▄█▀░░░░░░░░░░░░░░▀█▄
▄█▀░░░░░░░░██░██░██░░▀█▄
▄▀░░░░░░░▄▄░░░░░░░▄▄░░░░▀▄
▄█░░░░░░░░▀▀░░░░░░░▀▀░░░░░█▄
█░░░░░░██░░░░░░░░░░██░░░░░░█
█░░░░░░▄▄░▄▄░▄▄░▄▄░▄▄░░░░░░█
█░░░░░░▀▀░▀▀░▀▀░▀▀░▀▀░░░░░░█
▀█░░░░░██░░░░░░░░░░██░░░░░█▀
▀▄░░░░▄▄░░░░░░░░░░▄▄░░░░▄▀
▀█▄░░▀▀░░░░░░░░░░▀▀░░▄█▀
▀█▄░░░░░░░░░░░░░░▄█▀
▀▀▄▄▄▄▄▄▄▄▄▄▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
[.
.WHITEPAPER.
.ANN THREAD.
]██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
▄▄ ▄▄ ▄▄
▀▀ ▀▀ ▀▀
██ ██ ██
E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 02, 2013, 06:58:20 PM
 #11

There is a chance the malware just took advantage of your wallet unlocking to push a TX, and not steal your private keys along.
I would keep the wallet just in case, since you might receive payments on one of his addresses, but start a fresh one anyway, too.

That might be it since the all wallet was emptied as soon as I entered my passphrase.
I don't think I will receive any more payments, will empty the remaining 0.0095 BTC and delete the all thing.

I m not using Time Machine, but I will keep this terminal offline until I m sure the threat is taken care of.

Just got an answer from Github:
Quote
Hi Eric,

If the project in question doesn't behave as expected, I'd suggest opening an issue and discussing it with the maintainer.

Cheers,
Steven!

I m not sure if I should laugh or cry at this point.....

DannyHamilton
Legendary
*
Offline Offline

Activity: 1974



View Profile
August 02, 2013, 07:32:03 PM
 #12

Just got an answer from Github:
Quote
Hi Eric,

If the project in question doesn't behave as expected, I'd suggest opening an issue and discussing it with the maintainer.

Cheers,
Steven!

I m not sure if I should laugh or cry at this point.....

I gave it a try as well.  Here's what I sent them:

Quote
After testing the executable binaries distributed through github in the following location:
https://github.com/trevory/bitvanity

It has been determined that these executable binaries are falsely advertised as providing a specific purpose, while in reality being intentionally designed to maliciously steal account information and destroy contents on the user's computer.

Multiple users have reported having valuable content stolen from their computer by this software.

This would appear to be in direct violation of the github Terms Of Service.  Specifically:

A.8. You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

G.7. We may, but have no obligation to, remove Content and Accounts containing Content that we determine in our sole discretion are unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violates any party's intellectual property or these Terms of Service.

and

G.11. You must not transmit any worms or viruses or any code of a destructive nature.

As such I expect you to immediately terminate the user's access to GitHub and remove their hosted content before any other users are unknowingly duped into installing this illegal malware.

I'll update with whatever feedback I receive.

E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 03, 2013, 01:06:00 AM
 #13


I gave it a try as well.  Here's what I sent them:

Quote
After testing the executable binaries distributed through github in the following location:
https://github.com/trevory/bitvanity

It has been determined that these executable binaries are falsely advertised as providing a specific purpose, while in reality being intentionally designed to maliciously steal account information and destroy contents on the user's computer.

Multiple users have reported having valuable content stolen from their computer by this software.

This would appear to be in direct violation of the github Terms Of Service.  Specifically:

A.8. You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

G.7. We may, but have no obligation to, remove Content and Accounts containing Content that we determine in our sole discretion are unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violates any party's intellectual property or these Terms of Service.

and

G.11. You must not transmit any worms or viruses or any code of a destructive nature.

As such I expect you to immediately terminate the user's access to GitHub and remove their hosted content before any other users are unknowingly duped into installing this illegal malware.

I'll update with whatever feedback I receive.

Very nicely handled - Thanks for getting involved.

It looks like Github took down the app:

Quote
This repository has been disabled.
Access to this repository has been disabled by GitHub staff due to excessive use of resources. Contact support to restore access to this repository. Read here to learn more about decreasing the size of your repository.

I suppose stating the truth would have been bad publicity.

DannyHamilton
Legendary
*
Offline Offline

Activity: 1974



View Profile
August 03, 2013, 02:17:56 AM
 #14

It looks like Github took down the app:

Glad to hear it. Thanks for the update.

E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 03, 2013, 02:54:09 AM
 #15

Just found out where I first read about bitvanity: http://www.btcpedia.com/generate-bitcoin-vanity-address/

Also, seems like this "Trevor Muller" (his Github pseudonym) has done other interesting things https://discussions.apple.com/thread/5045842?start=0&tstart=0

tabbek
Member
**
Offline Offline

Activity: 116



View Profile
August 03, 2013, 03:11:24 AM
 #16

im definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems ok.

BTC  : 1GSeC7kgL4UYDmXCCPCvxYeR7vGDcru8gA
NMC : Mxm8mSr1wyqrLDNijHmUKiorUFFteYgks6
E.Sam
Sr. Member
****
Offline Offline

Activity: 391



View Profile WWW
August 03, 2013, 03:36:28 AM
 #17

im definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems ok.

I would seems strange that 2 of us got all our BTCs stolen in a similar fashion while using Bitvanity. This said, I m scouting around the web trying to find similar cases and see it they were using bitvanity.
Would be great if someone knowledgeable could have a look at the code.

tabbek
Member
**
Offline Offline

Activity: 116



View Profile
August 03, 2013, 04:24:45 AM
 #18

Oh, dont interpret my post as some form of 'pro-bitvanity'.  just reports of the issue are enough to make me avoid it like the plague.

That being said, I think vanitygen is a different author, different program.  I dont keep any btc on the machine I use to generate vanity addresses, but I do have a wallet on it, and havent had any issues.

as always, always a good idea to review something yourself (like source) to evaluate the risks.

BTC  : 1GSeC7kgL4UYDmXCCPCvxYeR7vGDcru8gA
NMC : Mxm8mSr1wyqrLDNijHmUKiorUFFteYgks6
ajk
Donator
Sr. Member
*
Offline Offline

Activity: 447


View Profile
August 03, 2013, 04:24:51 AM
 #19

Just read through this entire thread, Extremely sorry to hear about your loss

is this only for Mac computers? I have a linux machine with vanity gen on it and this machine has not all but a fair amount of coins on it, is this only bad if your a Mac user?
vlees
Full Member
***
Offline Offline

Activity: 196



View Profile
August 03, 2013, 10:03:40 AM
 #20

Just read through this entire thread, Extremely sorry to hear about your loss

is this only for Mac computers? I have a linux machine with vanity gen on it and this machine has not all but a fair amount of coins on it, is this only bad if your a Mac user?

This is about the tool "BitVanity" which exists for Mac OS X only.

VanityGen (many platforms) is completely safe as far as I know. If you want to be sure, download the source code, review it and compile the tool yourself (VERY IMPORTANT; don't code review and then use the precompiled version).

BEEP BEP
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!