40 BTC Gone - Please Help Me Understand What Happened

[mport1]

Today when I logged onto Blockchain.info, I noticed the 40+ BTC I had in my wallet were gone and had been sent to this address 1GvmpUY1RdR5zf7jDZnpjfuBnoCz3S2xSS at 12:20am Aug 2nd.  I'd appreciate some help to understand what happened, and if possible, how I can get the BTC back.  I'm not a tech person, so it's been a struggle to learn what I have about Bitcoin...

Here is the transaction information.  https://blockchain.info/tx/3ea2a7343d5623058ac7cc403d82e4fc9a351ef0e8818f1fe0d1b3351e6ad434  Please let me know if there is more information I can provide that would help.

I had previously used a paper wallet, but transferred my money back to Blockchain to enable easier transactions.  I was using 2 factor authentication with an SMS code being sent to my phone to be able to access my wallet.  I did not notice this at the time, but now that I checked, a wallet authentication code was was sent to my phone at 12:17am Aug 2nd.  I do not recall ever seeing this until now.

Thanks in advance for your help.


EDIT: Further info also posted below.

After doing further investigation and digging through old emails, I've learned the following.

When I first signed up to Blockchain, I stupidly emailed myself my Blockchain username, password, mnemonic/security phrase, and wallet address.

Later on Blockchain emailed me an encrypted wallet backup.

After reviewing the IP addresses that have accessed my Gmail (https://security.google.com/settings/security/activity), I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd).  Potentially also of note, I used public wifi at a hospital on July 30th.

Is this the likely scenario? That my Gmail and/or iPhone was compromised?  And would this explain why I recieved an SMS text from Blockchain 3 minutes before the theft?  If so, is it possible to locate the person who accessed my Gmail from that IP address?


To answer another question above. When I imported my paper wallet back to Blockchain, it was to my original wallet address that I'd used from the beginning.

[1714923525]

1714923525

[1714923525]

1714923525

[1714923525]

1714923525

[autodidactic]

Have you scanned your computer for viruses?

[mport1]

Have you scanned your computer for viruses?

I'm running virus scans with Symantec and McAfee now.  Would it be possible for them to get to my wallet with a virus because of the two factor authentication?  Again, sorry I know very little about computer technology.

[autodidactic]

It would be highly unlikely although possible you had some kind of remote-host trojan.

[autodidactic]

When you exchanged your paper wallet in. Did you see the amount immediately reflect in your wallet after the alloted amount of confirmations?

[mport1]

When you exchanged your paper wallet in. Did you see the amount immediately reflect in your wallet after the alloted amount of confirmations?

Yes, and when I transferred money back to Blockchain, it was mid-May.

[gweedo]

if possible, how I can get the BTC back.

Nope.

[Dabs]

What is your phone model and OS version? Android? Iphone? Is it rooted or jailbroken? What apps are installed? The answers to those questions may give you clues.

[mport1]

It is an iPhone 4s.  I have not modified it by rooting it or jailbreaking it.  

I've got quite a few apps installed.  Are there any that may be of concern?  Ones I used for Bitcoin are the blockchain app and Authy.

It is an iPhone 4s and it looks like the version is 6.1.3.  I have not modified it by rooting it or jailbreaking it.  

I've got quite a few apps installed.  Are there any that may be of concern?  Ones I used for Bitcoin are the blockchain app and Authy.

[cbeast]

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

[mport1]

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

I'm sorry, can you explain what that means?  I've tried to learn as much as I can about this stuff, but I'm still effectively a beginner.

[escrow.ms]

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

I'm sorry, can you explain what that means?  I've tried to learn as much as I can about this stuff, but I'm still effectively a beginner.

He means, did you used some old wallet address by importing private key or sweeped your funds to new address on blockchain.info.

Ps: did you downloaded some app on your pc, or given access to someone else?
or did you sent backup to your email?
Maybe your email etc got compromised.

[cbeast]

Have you imported any publicly known addresses into your wallet rather than sweep them? I lost 45 BTC once due to that mistake.

I'm sorry, can you explain what that means?  I've tried to learn as much as I can about this stuff, but I'm still effectively a beginner.

If someone gives you a private key and you import it into your wallet, the wallet may use it as a change address. If you gave someone a private key from your wallet it would have the same effect.

[tclo]

This is definitely troubling and I'm seeing this happen more and more lately it seems.  And it sounds like you even had the two factor authentication enabled.

I've read a couple of threads about people who have the blockchain app on a rooted phone and that's how it got hacked into. I uninstalled the app from my Android phone after reading that.

But the SMS verification doesnt' even work that well. It's telling me that I can't even log into my wallet because it won't send another SMS code..say:

Reached daily limit for medium priority sms messages

How is it just "medium priority" for me to even get into my wallet?   Ok don't mean to hijack your thread and I will start a new one.

But thank you for sharing this issue with us and you have my sincere sympathies...bitcoin is still a dangerous world in a lot of ways.

[Hawkix]

The 2FA for Blockchain is just a "gimmick" and prevents only to steal your funds using your password. If someone got access to your private keys, he does not need to log in into Blockchain at all.

Even when you imported private keys from paper wallet, anyone with the access to private keys can ANYTIME transfer the funds from that address.

If your password is trivial (like less than 10 alphanums with both case), one can restore your private keys from your AES encrypted backup of Blockchain info.

[mport1]

Thanks for the help everyone. After doing further investigation and digging through old emails, I've learned the following.

When I first signed up to Blockchain, I stupidly emailed myself my Blockchain username, password, mnemonic/security phrase, and wallet address.

Later on Blockchain emailed me an encrypted wallet backup.

After reviewing the IP addresses that have accessed my Gmail, I noticed one that appeared to access from an iPhone that I did not recognize. It was also a Verizon network iPhone and the IP address was mapped to about 30 minutes outside my city. This was on July 18th (and the theft happened on August 2nd).  Potentially also of note, I used public wifi at a hospital on July 30th.

Is this the likely scenario? That my Gmail and/or iPhone was compromised?  And would this explain why I recieved an SMS text from Blockchain 3 minutes before the theft?  If so, is it possible to locate the person who accessed my Gmail from that IP address?


To answer another question above. When I imported my paper wallet back to Blockchain, it was to my original wallet address that I'd used from the beginning.

[Lohoris]

And would this explain why I recieved an SMS text from Blockchain 3 minutes before the theft?

For this situation, it would be super-useful to have a "panic-lock" feature, that allowed you to "one click – no questions asked" to lock your account for a set period of time (say, 12h).

Sure, you would kind of risk denial of service, but if your wallet id is already compromised, you're going to lose your wallet anyway sooner or later.

[natb]

If you got an SMS txt before the theft, that means the two factor authentication kicked in... So how was your wallet stolen? Perhaps it was the encrypted wallet backup and password in your email?

[Dougie]

If someone had managed to gain access to your private keys then you'd not have been sent the 2 factor code so someone has gained access to your phone, either when you're not looking or via a virus. I'd think back to that date to see if any techy 'friends' were playing with your phone. A virus you can't do much about but at least you could confront a friend.

[mport1]

If someone had managed to gain access to your private keys then you'd not have been sent the 2 factor code so someone has gained access to your phone, either when you're not looking or via a virus. I'd think back to that date to see if any techy 'friends' were playing with your phone. A virus you can't do much about but at least you could confront a friend.

Just so I can understand, if the thief did not actually have access to my phone (physically or remotely) to get the 2 factor code, would he still have been able to send the money from my wallet?

On Blockchain, it says the following: "Lost Two-factor Authentication Details.  If you have lost your two factor authentication details your wallet is still fully recoverable. All we need is reasonable proof you are the account owner which can be provided by completing the form linked below."

It then asks for information that could have been gleaned from emails in my Gmail such as wallet identifier, secret passhprase, email address, etc.

If that 2 factor code would still be necessary under those circumstances, I would venture to guess that somebody gained access to my phone through a virus of some kind as you suggested.  I don't have any tech savy friends who were with me at the time that would have the first clue about doing something like this (and my phone was with me in my room that I'd barely left all day because of a surgery recovery.