Bitcoin Forum
Author Topic: [XPM] 7800 STOLEN - Please read / help  (Read 3342 times)
paulthetafy (OP)
Hero Member
Activity: 820
Merit: 1000
August 19, 2013, 08:58:08 AM
#1

On Friday night GMT I had a little over 7000 XPM stolen from a wallet that was encrypted.  My entire holding of XPM.  Just to add salt to the wound, I had been mining heavily for the 2 days prior and had over 1800 coins maturing. Over the weekend the thief continued to steal those remaining coins as they matured.   I'm now trying to piece together how this has happened.

Firstly I shut down all of my VPS's and personal machines.  Since maturing coins were still being stolen it meant that they must have had a copy of my wallet.dat rather than using my RPC.  I turned on a single miner and set it running a script to sendtoaddress 10 XPM and ran it as fast as I could in an effort to beat the thief.  Many thanks to spekk and a few others @ mcxnow for their help and quick thinking with this solution on Friday night.  The thief was obviously doing the same with a script attempting to sendtoaddress 10, as we "battled" all weekend to beat each other to send the matured amount.  I increased the number of miners running the script and with this method I managed to salvage 1100 coins over the weekend whilst the thief got 800.  So all up I have lost a little over 7800 coins.

Here is an example of one of the many transactions the thief made:
Code:
Status: 724 confirmations
Date: 19/08/2013 07:18
To: Aca1dndvLHK1BLWEGsJE2Ci35Wg4azZy2F
Debit: -10.00 XPM
Transaction fee: -0.01 XPM
Net amount: -10.01 XPM
Transaction ID: c0bcfde4fa1ac44d96edeb448bd5d7fa3ecf73f525e69058d69a01cf695c0400

The thief sent all coins to this address: Aca1dndvLHK1BLWEGsJE2Ci35Wg4azZy2F. Pool owners, please could you check to see whether this key is in one of your wallets and PM me if it is.  If not, is there any way to check the transaction history/debug.log for incoming transactions from this address?  It's a long shot, but I'm determined to go down every avenue to track down this person.  The only pool owner I know is RealSolid@mcxNow.  Please could people forward this to other owners so they can also check?

The wallet was encrypted, but I had been using it since the early days of XPM so there is a slight possibility that there was an unencrypted version on a VPS drive somewhere (that I'm no longer using).  I should state though that I have NOT been mining for several weeks until the 2 days last week when I tried out something new with Amazon ec2's - those instances were 100% using an encrypted wallet.  This can only indicate the wallet was stolen earlier.

I have only ever copied the wallet using scp so it does not exist on public dropbox or anything like that.

I have checked for a keylogger / trojan and don't think I have one, but who can be sure without a reinstall these days?

I have used VPS's from Digital Ocean, Amazon, Azure, and GoGrid.  Other than the new ec2's last week, all other VPS's were shut down several weeks ago.

I'm at a loss as to how this could have happened but I welcome any suggestions so that I can ensure it doesn't happen again.  As you can imagine I am absolutely devastated.  I am not a rich person and don't hold a lot of coins.  XPM was the first time that I had gotten in early and figured out how to scale cloud mining successfully and I managed to mine around 10k before I felt it was no longer profitable.  I sold some a few weeks ago to buy some mcxNow fee shares, 3k last week to pay off my early VPS fees, and the remaining 7k was my long term investment.  So other than the fee shares I had taken no profit at all out of what I had mined.  I'm now left with a very large bill for the ec2's I used last week and only the 1100 XPM I salvaged to pay it with.

To the thief:- you probably think that stealing crypto is easy and inconsequential.  It might have been easy, but it is certainly not without consequence.  You're not the one who has to explain to their wife where this money has gone or why we have a large amazon bill to pay.  You're not the one feeling sick at the thought of having such significant amounts of money stolen.  You're not the one who has lost confidence in crypto.  But there is a very small chance you have a conscience - if you do please return my money to me at AKmhQzmDAPK8DCT97aVps87pN565kHzS1v and this will be forgotten about.

To everyone else, I urge you to make sure your wallets are encrypted and you are taking every precaution possible to secure your setups.

Thanks, a very gutted
paulthetafy aka paulscreen
NWO
Sr. Member
Activity: 392
Merit: 250
August 19, 2013, 09:17:48 AM
#2

Ouch! Over $5000 worth. You must have had a pretty mean VPS set up. Sorry to hear about your loss, hopefully some coins are returned. Something similar happened to me a while back as well.
eule
Hero Member
Activity: 756
Merit: 501
August 19, 2013, 09:32:18 AM
#3

Perhaps he brute forced the root password and got into SSH/SFTP? If so, Fail2ban could have prevented that and I recommend every server user to install it. Those VPS mining guides, while useful, did not take malicious intent into account.
Sucks man...

sympsin
Newbie
Activity: 21
Merit: 0
August 19, 2013, 10:04:10 AM
#4

Sad story =/ Hope you recover somehow
vinne81
Full Member
Activity: 182
Merit: 100
August 19, 2013, 10:07:52 AM
#5

Since maturing coins were still being stolen it meant that they must have had a copy of my wallet.dat rather than using my RPC. 

Why? They could have asked for unconfirmed transactions over RPC, dumped the privkey of the block and imported it into their own wallet. This way, once the block matures, they can spend it.

I know this works because I do this very thing to group all my immature mined blocks into one wallet.
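A defensive check in the same vein, added here as an example for this thread (not something any poster ran): a POSIX shell script that audits a primecoind/bitcoind-style configuration file for the settings that decide who can make the RPC calls vinne81 describes. Both sample configs are constructed; the option names (`server`, `rpcuser`, `rpcpassword`, `rpcallowip`) are the standard ones primecoind inherits from Bitcoin Core, while the 20-character password threshold and the findings format are my own choices.

```shell
#!/bin/sh
# Audit a Bitcoin-style daemon config (e.g. ~/.primecoin/primecoin.conf) for RPC
# exposure. Added example for this thread; the two sample configs are constructed.

# make_weak_conf: write a constructed config of the kind a quick VPS mining guide
# might suggest, and print its path.
make_weak_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server=1
daemon=1
rpcuser=primecoinrpc
rpcpassword=hunter2
rpcallowip=*
EOF
  echo "$f"
}

# make_hardened_conf: same daemon, RPC reachable from localhost only with a long
# secret (the password below is a constructed placeholder; generate your own).
make_hardened_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server=1
daemon=1
rpcuser=primecoinrpc
rpcpassword=Kq9sL2mXvT4pR8wZn3bC6yH1dF5gJ7aE
rpcallowip=127.0.0.1
EOF
  echo "$f"
}

# conf_get FILE KEY: print KEY's value (last occurrence wins), empty if unset.
conf_get() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# audit_rpc_conf FILE: print one line per finding, then the number of findings
# as the final line (0 means nothing was flagged).
audit_rpc_conf() {
  f="$1"; findings=0
  server=$(conf_get "$f" server)
  pass=$(conf_get "$f" rpcpassword)
  # rpcallowip may appear several times; gather every value.
  allow=$(grep -E '^[[:space:]]*rpcallowip[[:space:]]*=' "$f" | sed 's/^[^=]*=[[:space:]]*//' | tr '\n' ' ')

  if [ "$server" = "1" ]; then
    if [ -z "$pass" ]; then
      echo "FINDING: server=1 but no rpcpassword set"
      findings=$((findings + 1))
    elif [ "${#pass}" -lt 20 ]; then
      echo "FINDING: rpcpassword is shorter than 20 characters (easy to guess)"
      findings=$((findings + 1))
    fi
    set -f   # an rpcallowip value may contain '*'; do not let the shell glob it
    for ip in $allow; do
      case "$ip" in
        127.0.0.1|::1|localhost) ;;   # local only: fine
        *'*'*)
          echo "FINDING: rpcallowip=$ip lets any host on the network reach RPC"
          findings=$((findings + 1)) ;;
        *)
          echo "FINDING: rpcallowip=$ip lets a remote host reach RPC; confirm it is intended"
          findings=$((findings + 1)) ;;
      esac
    done
    set +f
  fi
  echo "$findings"
}

# Demo run on the constructed files: prints findings, then the count, for each.
audit_rpc_conf "$(make_weak_conf)"
audit_rpc_conf "$(make_hardened_conf)"
```

The point of the `rpcallowip` check is the scenario above: with `server=1` and a permissive allow list, anyone who can reach the RPC port and guess the password can list immature coinbase transactions and export their keys, so the wallet file never needs to leave the machine. Restricting RPC to localhost and using a long random password closes that route; the audit flags the weak sample twice and the hardened one not at all.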
usahero
Sr. Member
Activity: 434
Merit: 250
August 19, 2013, 10:18:24 AM
#6

Sorry about your loss.

I have sent you a small (0.15 BTC) donation to help you with your losses to the address in your signature.

txid: 0a393ac298ca893567b1746eea0455f916a3b2d979d4640db2bf0143522b0167



paulthetafy (OP)
Hero Member
Activity: 820
Merit: 1000
August 19, 2013, 10:26:01 AM
#7

Sorry about your loss.

I have sent you a small (0.15 BTC) donation to help you with your losses to the address in your signature.

txid: 0a393ac298ca893567b1746eea0455f916a3b2d979d4640db2bf0143522b0167


Thanks usahero, that was both unnecessary and warmly welcomed.
crendore
Sr. Member
Activity: 363
Merit: 250
August 19, 2013, 10:34:30 AM
#8

Damn that sucks paul.  That really sucks.

I guess the lesson to be learned here is not to hold your funds in a wallet that exists in many many places.  It would be better practice to be routinely sending those funds to a cold wallet which you have stored in a very safe place.

If it is like you say, a VPS vulnerability, I wonder if we will be seeing more reports about this in the near future, as there were a lot of other people mining on those same VPS's.

Best of luck,
crendore

nfuse
Member
Activity: 97
Merit: 10
August 19, 2013, 10:56:31 AM
#9

Damn, that's a lot. Hope you will find out who it was and how he did it! To ease your pain a little (I know you are not begging) I sent 10 XPM to your address. I know it's a small amount, but maybe if 780 people do the same ;) I enjoy crypto and like it very much. It's not only the crypto but the crypto community that makes it worth liking, so please don't lose faith.


Regards.
paulthetafy (OP)
Hero Member
Activity: 820
Merit: 1000
August 19, 2013, 11:04:04 AM
#10

Damn, that's a lot. Hope you will find out who it was and how he did it! To ease your pain a little (I know you are not begging) I sent 10 XPM to your address. I know it's a small amount, but maybe if 780 people do the same ;) I enjoy crypto and like it very much. It's not only the crypto but the crypto community that makes it worth liking, so please don't lose faith.


Regards.

thanks nfuse, I'm certainly not begging, but it is much appreciated.
cryptohunter
Legendary
Activity: 2100
Merit: 1167
August 19, 2013, 11:30:39 AM
#11

Yeah this is not good, I wonder how it would be possible to give wallets or funds even more security?

BTW - can you explain more how this works

"  I turned on a single miner and set it running a script to sendtoaddress 10 XPM and ran it as fast as I could in an effort to beat the thief"

Have you got a copy of this script that runs on Ubuntu 64 bit?

I don't have any coin, I guess, worth anything like 7k; however it would be good to know there is a way to thwart people stealing your coins to some degree. I don't see how it would work? Why was he only trying to draw 10 XPM at one time, why did he not extract the coins in one large transaction?


sumantso
Legendary
Activity: 1050
Merit: 1000
August 19, 2013, 11:38:28 AM
#12

I don't have any coin, I guess, worth anything like 7k; however it would be good to know there is a way to thwart people stealing your coins to some degree. I don't see how it would work? Why was he only trying to draw 10 XPM at one time, why did he not extract the coins in one large transaction?

I would guess because the block value is a little over 10 XPM right now.

Really sorry to hear what happened to you, Paul. I had my Bter account hacked a couple of months back, and while my losses pale in comparison to yours, they were quite significant to me and hurt a lot.

Mail the shit out of all the exchanges and tell them not to accept any transactions from that address. Also keep a lookout to see where the coins move.

paulthetafy (OP)
Hero Member
Activity: 820
Merit: 1000
August 19, 2013, 11:42:40 AM
#13

I don't have any coin, I guess, worth anything like 7k; however it would be good to know there is a way to thwart people stealing your coins to some degree. I don't see how it would work? Why was he only trying to draw 10 XPM at one time, why did he not extract the coins in one large transaction?

I would guess because the block value is a little over 10 XPM right now.

Really sorry to hear what happened to you, Paul. I had my Bter account hacked a couple of months back, and while my losses pale in comparison to yours, they were quite significant to me and hurt a lot.

Mail the shit out of all the exchanges and tell them not to accept any transactions from that address. Also keep a lookout to see where the coins move.
Indeed, 7068 were taken in one hit, then 10 XPM at a time as each block matured.  The blocks were all around 10.5 in value; to be on the safe side and account for fees he was sending 10 at a time.  The script was simply...
Code:
#!/bin/bash
# Loop without pause so each block reward is sent the instant it matures and becomes spendable.
while true; do ./primecoind sendtoaddress <myaddress> 10.4; done;
Titan
Sr. Member
Activity: 261
Merit: 250
August 19, 2013, 11:49:01 AM
#14

Have you checked your ~/.bash_history file?
Everything you type to the console will be recorded there, including your plaintext wallet passwords, if you are not explicitly excluding them.

So it would be easy for an attacker who has access to the machine to steal the wallet and the bash_history file.
Are you aware of this security hole?
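Titan's point can be checked and remedied with a short script; the one below is an added example written for this thread, not anything the posters ran. The history file it inspects is constructed, and the RPC names it looks for (`walletpassphrase`, `walletpassphrasechange`, `encryptwallet`) are the ones that take a passphrase as a command-line argument in bitcoind-derived clients such as primecoind.

```shell
#!/bin/sh
# Find wallet passphrases recorded in a shell history file and remove those lines.
# Added example for this thread; the history contents are constructed, not taken
# from anyone's machine.

# make_sample_history: write a constructed ~/.bash_history look-alike and print its path.
make_sample_history() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
cd ~/primecoin
./primecoind getinfo
./primecoind walletpassphrase correct-horse-battery-staple 600
./primecoind sendtoaddress <myaddress> 10.4
./primecoind walletlock
ls -la
EOF
  echo "$f"
}

# Pattern for the RPC commands whose next argument is the passphrase itself.
LEAK_PATTERN='(walletpassphrase|walletpassphrasechange|encryptwallet)[[:space:]]'

# count_passphrase_leaks FILE: print how many history lines expose a passphrase.
# grep -c exits 1 when the count is 0, so the "|| true" keeps the count printable
# under "set -e".
count_passphrase_leaks() {
  grep -c -E "$LEAK_PATTERN" "$1" || true
}

# scrub_history FILE: drop those lines in place. A temp file plus mv is used
# rather than "sed -i", whose syntax differs between GNU and BSD.
scrub_history() {
  tmp="$1.scrub"
  grep -v -E "$LEAK_PATTERN" "$1" > "$tmp" || true
  mv "$tmp" "$1"
}

# Demo on the constructed file.
h=$(make_sample_history)
echo "passphrase lines before scrub: $(count_passphrase_leaks "$h")"
scrub_history "$h"
echo "passphrase lines after scrub:  $(count_passphrase_leaks "$h")"
```

Scrubbing only fixes what is already on disk; to keep the line out of history in the first place, bash honours `HISTCONTROL=ignorespace` (a command typed with a leading space is not recorded) and `HISTIGNORE='*walletpassphrase*:*encryptwallet*'`, both of which belong in `~/.bashrc` on any machine that ever unlocks a wallet. Treat a passphrase found in a history file that an attacker may have read as compromised and change it with `walletpassphrasechange`.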
paulthetafy (OP)
Hero Member
Activity: 820
Merit: 1000
August 19, 2013, 11:56:07 AM
#15

Have you checked your ~/.bash_history file?
Everything you type to the console will be recorded there, including your plaintext wallet passwords, if you are not explicitly excluding them.

So it would be easy for an attacker who has access to the machine to steal the wallet and the bash_history file.
Are you aware of this security hole?

Wow, I wasn't actually. But I had never unlocked a wallet on a linux machine until after the first coins were taken and I had to unlock in order to run the sendtoaddress script.  Good to know for future though!
Boomsling
Member
Activity: 113
Merit: 10
August 19, 2013, 12:31:55 PM
#16

Woah dude, this sucks.

Hope you find out who it is and recover your coins.

What steps can I take to ensure the security of my wallet??
paulthetafy (OP)
Hero Member
Activity: 820
Merit: 1000
August 19, 2013, 12:38:47 PM
#17

Woah dude, this sucks.

Hope you find out who it is and recover your coins.

What steps can I take to ensure the security of my wallet??

Make sure it is encrypted from day 1 and make sure you don't have a keylogger!
Boomsling
Member
Activity: 113
Merit: 10
August 19, 2013, 12:45:40 PM
Last edit: August 19, 2013, 01:07:08 PM by Boomsling
#18

I've encrypted it from day one, I have the wallet.dat files.

What's the safest way to store them? I guess leaving them on the desktop on the server isn't a good idea?

EDIT:

I've been thinking...

The thing is this thief has been successful and probably feeling pretty smug right now, he will most likely continue.

OP I've emailed ypool support to see if they can help and dropped a link to this thread in the freenode XPM channel, Ypool are the only functional XPM pool that I know of.

I'll also drop links to this thread where I can to make people aware. I suggest that if anyone else knows a good place to drop a link then to do so and keep this thread updated so we don't pester admins etc with dupe requests.


hendo420
Sr. Member
Activity: 420
Merit: 250
August 19, 2013, 01:01:15 PM
Last edit: August 19, 2013, 01:11:20 PM by hendo420
#19

I've encrypted it from day one, I have the wallet.dat files.

What's the safest way to store them? I guess leaving them on the desktop on the server isn't a good idea?



I have a cold wallet that I keep on a flash drive.

I made a new encrypted wallet.dat and stored it on a flash drive, writing down the address.
This is my savings account flash drive. I have a cold wallet of every coin I take as payments.
They are all in the same password protected rar. I even have a copy of every wallet/client on that flash drive as well.
There is no way conceivable for someone to hack my cold wallet. ;)

I plan on eventually making it 2x flash drives and keeping one in my safety deposit box. This way If anything happens to the first flash drive I'm not completely boned.

Another way to store a cold wallet for long term is to put it in a password protected rar and email it to yourself. As long as Gmail is still alive and kicking you have a copy.
For shits and giggles, and so it's "stealthy", name the rar something like "Christmas Pics". If someone gets into your email they won't even think twice about trying to brute force your "Christmas Pics" lol

Boomsling
Member
Activity: 113
Merit: 10
August 19, 2013, 01:11:54 PM
#20

Sounds great, I'm a bit new... what's a cold wallet?

Is it one that does stay online and up-to-date with the blockchain?