Bitcoin Forum
Author Topic: 40 BTC Gone - Please Help Me Understand What Happened  (Read 3555 times)
mport1 (OP)
August 07, 2013, 07:49:59 AM
Last edit: August 08, 2013, 05:15:21 PM by mport1
 #1

Today when I logged onto Blockchain.info, I noticed the 40+ BTC I had in my wallet were gone and had been sent to this address 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS at 12:20am Aug 2nd.  I'd appreciate some help to understand what happened, and if possible, how I can get the BTC back.  I'm not a tech person, so it's been a struggle to learn what I have about Bitcoin...

Here is the transaction information.  https://blockchain.info/tx/3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434  Please let me know if there is more information I can provide that would help.

I had previously used a paper wallet, but transferred my money back to Blockchain to enable easier transactions.  I was using 2 factor authentication with an SMS code being sent to my phone to be able to access my wallet.  I did not notice this at the time, but now that I checked, a wallet authentication code was sent to my phone at 12:17am Aug 2nd.  I do not recall ever seeing this until now.

Thanks in advance for your help.


EDIT: Further info also posted below.

After doing further investigation and digging through old emails, I've learned the following.

When I first signed up to Blockchain, I stupidly emailed myself my Blockchain username, password, mnemonic/security phrase, and wallet address.

Later on Blockchain emailed me an encrypted wallet backup.

After reviewing the IP addresses that have accessed my Gmail (https://security.google.com/settings/security/activity), I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd).  Potentially also of note, I used public wifi at a hospital on July 30th.

Is this the likely scenario? That my Gmail and/or iPhone was compromised?  And would this explain why I received an SMS text from Blockchain 3 minutes before the theft?  If so, is it possible to locate the person who accessed my Gmail from that IP address?


To answer another question above. When I imported my paper wallet back to Blockchain, it was to my original wallet address that I'd used from the beginning.
autodidactic
August 07, 2013, 07:53:11 AM
 #2

Have you scanned your computer for viruses?

mport1 (OP)
August 07, 2013, 07:59:15 AM
 #3

Have you scanned your computer for viruses?

I'm running virus scans with Symantec and McAfee now.  Would it be possible for them to get to my wallet with a virus because of the two factor authentication?  Again, sorry I know very little about computer technology.
autodidactic
August 07, 2013, 08:02:44 AM
 #4

It would be highly unlikely although possible you had some kind of remote-host trojan.

autodidactic
August 07, 2013, 08:04:00 AM
 #5

When you exchanged your paper wallet in, did you see the amount immediately reflected in your wallet after the allotted number of confirmations?

mport1 (OP)
August 07, 2013, 08:09:44 AM
 #6

When you exchanged your paper wallet in, did you see the amount immediately reflected in your wallet after the allotted number of confirmations?

Yes, and when I transferred money back to Blockchain, it was mid-May.
gweedo
August 07, 2013, 08:46:45 AM
 #7

if possible, how I can get the BTC back.

Nope.
Dabs
August 07, 2013, 08:53:34 AM
 #8

What is your phone model and OS version? Android? Iphone? Is it rooted or jailbroken? What apps are installed? The answers to those questions may give you clues.

mport1 (OP)
August 07, 2013, 10:10:15 AM
 #9

It is an iPhone 4s and it looks like the version is 6.1.3.  I have not modified it by rooting it or jailbreaking it.  

I've got quite a few apps installed.  Are there any that may be of concern?  Ones I used for Bitcoin are the blockchain app and Authy.
cbeast
August 07, 2013, 11:51:35 AM
 #10

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

mport1 (OP)
August 07, 2013, 05:48:04 PM
 #11

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

I'm sorry, can you explain what that means?  I've tried to learn as much as I can about this stuff, but I'm still effectively a beginner.
escrow.ms
August 07, 2013, 05:57:27 PM
 #12

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

I'm sorry, can you explain what that means?  I've tried to learn as much as I can about this stuff, but I'm still effectively a beginner.

He means, did you use some old wallet address by importing the private key, or did you sweep your funds to a new address on blockchain.info?

PS: did you download some app on your PC, or give access to someone else?
Or did you send a backup to your email?
Maybe your email etc. got compromised.
cbeast
August 07, 2013, 06:23:08 PM
 #13

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

I'm sorry, can you explain what that means?  I've tried to learn as much as I can about this stuff, but I'm still effectively a beginner.
If someone gives you a private key and you import it into your wallet, the wallet may use it as a change address. If you gave someone a private key from your wallet it would have the same effect.

tclo
August 07, 2013, 08:41:58 PM
Last edit: August 07, 2013, 09:44:07 PM by tclo
 #14

This is definitely troubling and I'm seeing this happen more and more lately it seems.  And it sounds like you even had the two factor authentication enabled.

I've read a couple of threads about people who have the blockchain app on a rooted phone and that's how it got hacked into. I uninstalled the app from my Android phone after reading that.

But the SMS verification doesn't even work that well. It's telling me that I can't even log into my wallet because it won't send another SMS code. It says:

Reached daily limit for medium priority sms messages

How is it just "medium priority" for me to even get into my wallet?   Ok don't mean to hijack your thread and I will start a new one.

But thank you for sharing this issue with us and you have my sincere sympathies...bitcoin is still a dangerous world in a lot of ways.
Hawkix
August 07, 2013, 09:00:56 PM
 #15

The 2FA for Blockchain is just a "gimmick" and prevents only to steal your funds using your password. If someone got access to your private keys, he does not need to log in into Blockchain at all.

Even when you imported private keys from paper wallet, anyone with the access to private keys can ANYTIME transfer the funds from that address.

If your password is trivial (like less than 10 alphanums with both case), one can restore your private keys from your AES encrypted backup of Blockchain info.


mport1 (OP)
August 07, 2013, 09:50:05 PM
Last edit: August 07, 2013, 10:05:14 PM by mport1
 #16

Thanks for the help everyone. After doing further investigation and digging through old emails, I've learned the following.

When I first signed up to Blockchain, I stupidly emailed myself my Blockchain username, password, mnemonic/security phrase, and wallet address.

Later on Blockchain emailed me an encrypted wallet backup.

After reviewing the IP addresses that have accessed my Gmail, I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd).  Potentially also of note, I used public wifi at a hospital on July 30th.

Is this the likely scenario? That my Gmail and/or iPhone was compromised?  And would this explain why I received an SMS text from Blockchain 3 minutes before the theft?  If so, is it possible to locate the person who accessed my Gmail from that IP address?


To answer another question above. When I imported my paper wallet back to Blockchain, it was to my original wallet address that I'd used from the beginning.
Lohoris
August 07, 2013, 10:27:27 PM
 #17

And would this explain why I received an SMS text from Blockchain 3 minutes before the theft?
For this situation, it would be super-useful to have a "panic-lock" feature, that allowed you to "one click – no questions asked" to lock your account for a set period of time (say, 12h).

Sure, you would kind of risk denial of service, but if your wallet id is already compromised, you're going to lose your wallet anyway sooner or later.

natb
August 08, 2013, 07:01:31 AM
 #18

If you got an SMS txt before the theft, that means the two factor authentication kicked in... So how was your wallet stolen? Perhaps it was the encrypted wallet backup and password in your email?
Dougie
August 08, 2013, 07:15:17 AM
 #19

If someone had managed to gain access to your private keys then you'd not have been sent the 2 factor code so someone has gained access to your phone, either when you're not looking or via a virus. I'd think back to that date to see if any techy 'friends' were playing with your phone. A virus you can't do much about but at least you could confront a friend.

mport1 (OP)
August 08, 2013, 03:32:55 PM
 #20

If someone had managed to gain access to your private keys then you'd not have been sent the 2 factor code so someone has gained access to your phone, either when you're not looking or via a virus. I'd think back to that date to see if any techy 'friends' were playing with your phone. A virus you can't do much about but at least you could confront a friend.

Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?

On Blockchain, it says the following: "Lost Two-factor Authentication Details.  If you have lost your two factor authentication details your wallet is still fully recoverable. All we need is reasonable proof you are the account owner which can be provided by completing the form linked below."

It then asks for information that could have been gleaned from emails in my Gmail such as wallet identifier, secret passphrase, email address, etc.

If that 2 factor code would still be necessary under those circumstances, I would venture to guess that somebody gained access to my phone through a virus of some kind as you suggested.  I don't have any tech-savvy friends who were with me at the time that would have the first clue about doing something like this (and my phone was with me in my room that I'd barely left all day because of a surgery recovery).
cbeast
August 08, 2013, 04:16:53 PM
 #21

Have you ever imported a private key that could have been seen by anyone other than hackers?

BCB
August 08, 2013, 04:26:15 PM
 #22

Sorry to hear about your loss.

Have you posted to https://bitcointalk.org/index.php?topic=40264.msg2814699#msg2814699

This sounds like a blockchain.info specific issue. 

I have read numerous threads recently where similar attacks are happening with blockchain.info wallets.

I regularly receive emails regarding unauthorized attempts to access my wallet, so it is clear that blockchain.info (and any other type of bitcoin wallet) are targets.

Unfortunately there are many attack vectors but by posting to the blockchain.info thread specifically maybe they can help you and other victims narrow down the options and prevent this from continuing to happen.

Unfortunately it is not likely you will be able to identify the attacker (without the help of the NSA), so your funds are probably unrecoverable.

To be safe do a clean install of your OS or even better use a dedicated computer with no Java, Adobe or Flash to access bitcoin accounts.



cbeast
August 08, 2013, 04:41:56 PM
 #23

If you sync your local wallet to a compromised blockchain.info wallet, it will compromise your local wallet even if you never use your blockchain.info wallet.

mport1 (OP)
August 08, 2013, 04:49:22 PM
 #24

Have you ever imported a private key that could have been seen by anyone other than hackers?

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?
DannyHamilton
August 08, 2013, 04:54:04 PM
 #25

Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?

Yes.

If you had a backup of your wallet sent to your email, and they had access to your email, then they could send money using the backup without ever having access to the 2FA

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?

That depends.  How did you generate the paper wallet?
mport1 (OP)
August 08, 2013, 04:56:48 PM
 #26

Unfortunately it is not likely you will be able to identify the attacker (without the help of the NSA), so your funds are probably unrecoverable.

Given that I've possibly identified the IP address of the attacker as mentioned previously (After reviewing the IP addresses that have accessed my Gmail, I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd).  Potentially also of note, I used public wifi at a hospital on July 30th), could I call Verizon to confirm that that IP address was not associated with my account?  If it was not, could I then file a police report on the matter to attempt to identify the individual using that IP address?

I know that is a longshot, and I've come to terms with the fact that I will likely never see that money again, but if there is a chance through that course of action, I'd take it.

Most importantly, I want to learn from this experience for when I purchase more BTC in the future, and provide a case study of what not to do for others so the same thing doesn't happen to them.
mport1 (OP)
August 08, 2013, 05:03:08 PM
 #27

Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?

Yes.

If you had a backup of your wallet sent to your email, and they had access to your email, then they could send money using the backup without ever having access to the 2FA

Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transferred?

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?

That depends.  How did you generate the paper wallet?


I used bitaddress.org and just created and printed one from there.  I know there are a number of other security measures one can take to make this process much more secure, but since I'm essentially computer illiterate (despite Excel and PowerPoint which I use for work...), I did not go through those procedures because I could not understand them.
escrow.ms
August 08, 2013, 05:07:35 PM
 #28


Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transferred?

The attacker probably tried to log in on Blockchain first and later used your wallet backup.
cbeast
August 08, 2013, 05:25:24 PM
 #29

Have you ever imported a private key that could have been seen by anyone other than hackers?

At one point I moved everything from Blockchain to a paper wallet.  At a later date, I moved everything from my paper wallet back into my Blockchain wallet by using the "Import Using Paper Wallet" option.  Is this what you are referring to?
No. That should be fine as long as nobody saw your paper wallet. I mean that if you import any "free money" from a QR code private key, like from a puzzle or contest.

DannyHamilton
August 08, 2013, 05:31:28 PM
 #30

Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transferred?

I'll make some assumptions here.  Specifically:

  • You had a backup of your wallet sent to your email account.
  • You had your identifier sent to your email account.
  • You had your password sent to your email account.
  • The thief has access to all of the above
  • The thief knew how to avoid being identified

Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.

When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.

Once they have the backup, they no longer need 2FA.  They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.

Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.
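Detection logic for the sequence DannyHamilton lays out above, written as an added example (it is not code from this thread or from blockchain.info): over constructed wallet-service event lines in a hypothetical "time kind account [detail]" format, it flags every outflow that was not preceded by a completed login within a window, and reports whether an unanswered 2FA challenge came just before it. It generalises the thread's case slightly by also flagging spends with no session activity at all, which is what a backup-derived spend would look like.

```python
"""Added example: correlate wallet-service events to spot coins leaving a wallet
without a completed login (the thread's pattern: 2FA SMS at 00:17, no login,
outflow at 00:20). The event format and sample log are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str         # "2fa_challenge", "login_success" or "outflow"
    account: str
    detail: str = ""  # channel for challenges, amount for outflows


# Constructed sample log, hypothetical format: "<ISO time> <kind> <account> [detail]".
SAMPLE_LOG = """
2013-08-02T00:17:00 2fa_challenge mport1 sms
2013-08-02T00:20:00 outflow mport1 40.0BTC
2013-08-02T09:00:00 2fa_challenge alice sms
2013-08-02T09:01:00 login_success alice
2013-08-02T09:05:00 outflow alice 1.5BTC
2013-08-02T11:30:00 outflow bob 0.3BTC
"""


def parse_log(lines) -> List[Event]:
    """Parse event lines into Event objects, sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = line.split(" ", 3)
        if len(fields) < 3:
            raise ValueError(f"malformed event line: {line!r}")
        ts, kind, account = fields[:3]
        detail = fields[3] if len(fields) == 4 else ""
        events.append(Event(datetime.fromisoformat(ts), kind, account, detail))
    return sorted(events, key=lambda e: e.ts)


def find_unauthenticated_spends(events: List[Event],
                                window: timedelta = timedelta(minutes=30)
                                ) -> List[Tuple[Event, Optional[Event]]]:
    """Return (outflow, preceding_challenge_or_None) for every outflow that was
    not preceded by a login_success for the same account within `window`.

    Walking backwards from the outflow, the nearest same-account session event
    decides: a login_success means a web-wallet session authorised the spend; a
    2fa_challenge with no login after it means the challenge went unanswered and
    the coins were moved some other way (for example from an exported backup).
    """
    findings = []
    for i, ev in enumerate(events):
        if ev.kind != "outflow":
            continue
        challenge = None
        authenticated = False
        for prior in reversed(events[:i]):
            if ev.ts - prior.ts > window:
                break  # sorted input: everything earlier is out of window too
            if prior.account != ev.account:
                continue
            if prior.kind == "login_success":
                authenticated = True
                break
            if prior.kind == "2fa_challenge":
                challenge = prior
                break
            # other same-account events (e.g. earlier outflows) do not settle it
        if not authenticated:
            findings.append((ev, challenge))
    return findings


def describe(findings) -> List[str]:
    """Human-readable alert lines for the analyst."""
    out = []
    for outflow, challenge in findings:
        if challenge is None:
            reason = "no login or 2FA challenge in window"
        else:
            gap = int((outflow.ts - challenge.ts).total_seconds() // 60)
            reason = f"unanswered 2FA challenge {gap} min earlier"
        out.append(f"{outflow.ts.isoformat()} {outflow.account} sent {outflow.detail}: {reason}")
    return out


if __name__ == "__main__":
    for line in describe(find_unauthenticated_spends(parse_log(SAMPLE_LOG.splitlines()))):
        print(line)
```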


mport1 (OP)
August 08, 2013, 06:11:03 PM
 #31

Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transferred?

I'll make some assumptions here.  Specifically:

  • You had a backup of your wallet sent to your email account.
  • You had your identifier sent to your email account.
  • You had your password sent to your email account.
  • The thief has access to all of the above
  • The thief knew how to avoid being identified

Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.

When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.

Once they have the backup, they no longer need 2FA.  They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.

Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.


Got it.  Thanks for explaining this in a very clear manner.  This is very helpful for me as most of this stuff is way over my head.

I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.
Raize
August 09, 2013, 03:58:31 PM
 #32

I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.

You might be surprised. If someone set up a fake public wireless in a specific location, they might have tried to work quickly enough to steal it right there from the same location.

Do you have 2FA on your Gmail?
RandomQ
August 09, 2013, 06:53:27 PM
Last edit: August 09, 2013, 07:04:09 PM by RandomQ
 #33

Have you scanned your computer for viruses?

I'm running virus scans with Symantec and McAfee now.  Would it be possible for them to get to my wallet with a virus because of the two factor authentication?  Again, sorry I know very little about computer technology.

I recommend running Malwarebytes, and maybe Avast, and as a last resort ComboFix.

McAfee in the last year has had the highest infection rates, second only to Norton (as in running an AV and having a virus infection that it didn't detect).
(Computer Repair Monkey)


But it sounds like what happened is:

You used a public WiFi, and someone sniffed your email address and password, logged into your email account and saw your Blockchain account, tried to log in and got a 2FA login prompt, downloaded your backup wallet and used the password you sent yourself to get your wallet keys, and drained the wallet.

Anyone else following the coins?

Looks like they are being spent.
mport1 (OP)
August 09, 2013, 06:58:09 PM
 #34

I guess I'll contact Verizon just in case, but as you mentioned, the thief probably wasn't stupid enough to use an IP that could be traced back to him.

You might be surprised. If someone set up a fake public wireless in a specific location, they might have tried to work quickly enough to steal it right there from the same location.

Do you have 2FA on your Gmail?

No, I only had 2FA on Blockchain.
Raize
August 09, 2013, 09:40:01 PM
 #35

No, I only had 2FA on Blockchain.

Implement 2FA on your Gmail immediately.

After the MtGox hack, someone hit my Gmail account several times, enough that Google contacted me personally twice about it and, presumably, flagged me in their system as someone "likely to be hacked" in the future. If I hadn't had 2FA enabled due to another attempted compromise about six months prior to that, they wouldn't have been able to identify this as an illegitimate attempt to "recover" my Gmail account.

My guess is someone set up a free public wireless and then ghosted your session using something similar to Firesheep or etc. If they can ghost your session, they can create a relevant cookie and then peruse your Gmail at their discretion, especially if you don't use HTTPS. It's not specified on that wiki page, but I'm pretty sure if someone runs the public wifi themselves they can do DNS and HTTPS man-in-the-middle attacks with ease if they have the right tools.
SgtSpike
August 09, 2013, 09:47:26 PM
 #36

Thanks for the clarification.  However, would this sort of attack still trigger Blockchain to send me the SMS code like they did 3 minutes before funds were transferred?

I'll make some assumptions here.  Specifically:

  • You had a backup of your wallet sent to your email account.
  • You had your identifier sent to your email account.
  • You had your password sent to your email account.
  • The thief has access to all of the above
  • The thief knew how to avoid being identified

Given those assumptions, when the thief saw the identifier and password, they may have tried just logging into your blockchain.info account rather than mess with the backup.

When they discovered that you have 2FA (which would trigger the SMS code to you), they could move on to the backup from your email.

Once they have the backup, they no longer need 2FA.  They can use the information in the backup to send the bitcoins without ever accessing your account on blockchain.info.

Assuming the thief was intelligent, they would use a proxy (perhaps TOR?), so the IP address you have would be a proxy exit, and not the IP of the thief themselves.
This sounds like, by far, the likely course of action by the thief.  All they need to do is compromise your email address, and they have all the information they need right there.  And email addresses are compromised all the time, for a variety of reasons.

I'd put wifi packet sniffing as the culprit at a very low possibility.
Raize
August 09, 2013, 10:09:56 PM
 #37

I'd put wifi packet sniffing as the culprit at a very low possibility.

But how was his email compromised originally? That's the point I was trying to make.

While he was at another location, he was likely asked to re-sign into his Gmail account. It could be at that point the password would have been sniffed through some form of MITM attack. Later on, the hacker would just sign into the compromised account, read the emails he sent to himself with all the details, then take the coin using any of those other alternatives.

I guess what I'm trying to do is not just gloss-over the "gmail was compromised" part.
SgtSpike
August 09, 2013, 10:19:13 PM
 #38

I'd put wifi packet sniffing as the culprit at a very low possibility.

But how was his email compromised originally? That's the point I was trying to make.

While he was at another location, he was likely asked to re-sign into his Gmail account. It could be at that point the password would have been sniffed through some form of MITM attack. Later on, the hacker would just sign into the compromised account, read the emails he sent to himself with all the details, then take the coin using any of those other alternatives.

I guess what I'm trying to do is not just gloss-over the "gmail was compromised" part.
Phishing or malware seems more likely, but you're right.

I consider wifi to be unlikely because you're assuming that:
- OP visited a compromised wifi
- OP logged in to his email using a compromised wifi and not using https
- Attacker knows about Bitcoin

If the attacker's purpose was to steal Bitcoins, he'd be much more likely to do it by targeting people he knows use Bitcoin.  Targeting random passers-by as they utilize the wifi would mean he'd probably have to search through thousands of email accounts before finding a single one that has a blockchain.info account, much less one who stores a significant amount in BTC.  By targeting, say, the MtGox list of email addresses with a phishing email, he'd be likely to get access to dozens of emails, all owned by people who use (or have used) BTC.
bitpop
August 11, 2013, 08:05:47 AM
 #39

inside job. now slowly look at the person closest to you.

Dabs
August 16, 2013, 12:57:50 AM
 #40

I think I know what happened. It's the RNG of Android devices. The k value or the r value or whatever. It was all over the news recently. But then you said you are using an iPhone4.. so maybe that's not it. Unless you've used the same wallet on an android device previously.

ksteve96
August 17, 2013, 02:40:04 AM
 #41

So what's the IP that accessed your account?  Just because it says in Gmail that it was an iPhone, that doesn't mean it was.  User agents can be switched.
PM me the IP if you don't want to post it publicly.  It would be easy for me to check if it is a phone, router or proxy server (if it's online) by fingerprinting.  It is very possible it was a proxy though, you said it was 30 minutes from your city, if they tried to log in to your gmail from 1000 miles away, they would have had to answer the security questions.
