Bitcoin Forum
Author Topic: Think I've had my Bitcoin QT wallet hacked  (Read 1323 times)
toknormal (OP)
November 26, 2013, 05:55:36 PM
 #1

Hi

The other day I was transferring 1.3 BTC to BTC-e. After a while my wallet became unresponsive and I had to force quit it. In the end I force quit the whole machine (a MacBook Pro).

The scenario that this poster described is exactly what I experienced: https://bitcointalk.org/index.php?topic=266813.0

.. except mine wasn't anything to do with Bitvanity. What I suspect it might have been is that I downloaded a torrent of bootstrap.dat to get my wallet up and running quicker since I haven't used it for ages. I also had Skype open for a bit (mad in retrospect, I know).

Anyway, I now see this unrecognised transaction on Blockchain.info for 5.12 BTC leaving my wallet the same day I sent the 1.3 BTC. (By the way, I sent the 1.3 BTC while my wallet was unsynchronised - does that make a difference?)

https://blockchain.info/address/13QiFz64rWk2mHiVFKjn1ahNLnqA9xzMrL

Now I'm cautious about opening my wallet again in case the rest flies out if it's been compromised. I feel a bit gutted about this. Any recommendations appreciated.

toknormal

P.S. I'm running Bitcoin QT v0.8.5 and the wallet was password encrypted (fat lot of good that did).

toknormal (OP)
November 26, 2013, 06:09:36 PM
Last edit: November 26, 2013, 06:28:47 PM by toknormal
 #2

Hang on - I've just realised that the 5.12 is the balance of an old April transaction, which according to my wallet at the time I sent the 1.3, was still unconfirmed. (I haven't had my wallet synced in ages).

Is this all an issue to do with not having my wallet synced or unconfirmed transactions ? Now I'm confused.

E.Sam's post convinced me I'd had my wallet compromised because the symptoms were so similar.

Any blockchain experts that can throw light on this much appreciated !
HellDiverUK
November 26, 2013, 06:31:19 PM
 #3

Only thing I can say is Bitcoin-Qt is unstable at best on Mac.  I don't trust it as far as I could throw it.
nelisky
November 26, 2013, 06:41:57 PM
 #4

I just skimmed your post, but I believe you are confusing things a bit; the 5.12 is the change from the 1.3 you sent, and the destination address of that part is likely just a change address in your wallet.

As for Bitcoin-QT on the mac, I do use it and while it used to die on me and lock up, the last couple of versions have been really stable, what version were you running?

If you feel you had your machine compromised you should start afresh, but remember to back up your wallet.dat first! It's in your user home (/Users/<username>/Library/Application Support/Bitcoin/wallet.dat)

In fact, first do a couple of backups and only then do anything else :)

Oh, and don't forget to back up

If it was just confusion, fire up your client and let it run until fully sync'd before anything else, chances are you'll find everything is in place as expected. But do update your client if not running an up to date version, and back up first!
toknormal (OP)
November 26, 2013, 06:54:32 PM
 #5

Hi nelisky

Thanks a lot for the reply. What you say starts to make some sense. So the wallet also uses internal addresses that I can't see ? Does that mean I can't load my (paper) private key into, say Multibit or I won't see those balances ?

I think I agree, I need to sync the wallet in QT and take stock of everything. The wallet says there are still 2 transactions from April that are unconfirmed - that's another thing I don't understand. I didn't think the wallet needed to be fully sync'd for the transactions to get confirmed.

Looks like it's going to take a week or 2 just to sync the wallet - I'm now totally paranoid about even downloading bootstrap.dat.

toknormal
nelisky
November 26, 2013, 07:25:56 PM
 #6

Quote from: toknormal
Hi nelisky

Thanks a lot for the reply. What you say starts to make some sense. So the wallet also uses internal addresses that I can't see ? Does that mean I can't load my (paper) private key into, say Multibit or I won't see those balances ?

The wallet does in fact store a few addresses (100) that you don't see, which are created ahead of time so they get included in backups of the wallet.dat file. These addresses are then used when you get change for your sends or when you request a new receiving address but, visible or not, they are active in the wallet, which means that once a block includes a transaction that touches those addresses your wallet balance and history will reflect them. Change is special as the history will not show that address receiving funds (or at all) but balance will account for this. You still have full control over that change address, can dump the priv key, it is included in backups.

As for importing private keys, I don't get your question... If you are asking if you must load them into another client to see the balance, no, not at all. Your QT client balance will be correct *after all the necessary blocks have been loaded*

Quote from: toknormal
I think I agree, I need to sync the wallet in QT and take stock of everything. The wallet says there are still 2 transactions from April that are unconfirmed - that's another thing I don't understand. I didn't think the wallet needed to be fully sync'd for the transactions to get confirmed.

Looks like it's going to take a week or 2 just to sync the wallet - I'm now totally paranoid about even downloading bootstrap.dat.

toknormal

Transactions are stored in the wallet, blocks are not. So you will see all unconfirmed transactions from your wallet if you are downloading the blockchain from scratch, and the balance will be 0. As blocks come in that include the transactions in your wallet, these will appear confirmed and the balance is updated... you just have to wait.

A week or two sounds extreme, but I haven't started from scratch in a long, long time so maybe that's just what you'll have to wait. You can trust the official torrent bootstrap files though, as the client itself has checkpoints to prevent you from importing a bad one, but do your due diligence and, if you don't find a bootstrap file you are sure to trust, well, just wait :)
toknormal (OP)
November 26, 2013, 07:56:17 PM
 #7

nelisky -

Thanks again for all that detail. Now I remember change addresses from when I first studied Bitcoin months ago. I'd just forgotten about them.

The thing that caused me alarm was that the blockchain.info balance for my wallet address didn't agree with what I thought I had in there. The difference must be accounted for by the change addresses. I've also just read this article which was very useful.

http://www.reddit.com/r/Bitcoin/comments/1c9xr7/psa_using_paper_wallets_understanding_change/

The only thing I'm not sure about now is if all the change addresses share the same private key or not. (I presume they don't so you need to do a separate paper wallet for each). I like to keep a paper wallet but now I realise it's not the end of the story just to keep the public and private keys offline - there's all these change addresses as well.

This paragraph definitely applies to me but I think it's worth posting here for others:

Quote
too many people don't know about or understand change addresses.
This needs to be changed. Good post.
There is also a reverse example. This huge mistake is made by many people when they have been using a client like bitcoin-qt for a while, and decide to make a paper wallet using only the primary address from bitcoin-qt.
In that case, they believe that they are putting the entire bitcoin-qt wallet balance into a paper wallet. In fact, all they are doing is putting the balance for the PRIMARY bitcoin-qt address into the wallet. All the change addresses hidden to the user in bitcoin-qt will not go into the paper wallet.

Finally, apologies to readers of the thread for the (hopefully) unnecessary alarm in the subject title.
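
The change mechanics discussed in this thread (the explanation in #4 and #6, and the paper-wallet mistake quoted in #7), as an added example that is not part of any post and is not Bitcoin-Qt code: a toy model in which the 1.3 BTC send consumes a whole 6.42 BTC output and the 5.12 BTC remainder lands on a hidden keypool address. The `Wallet` class, the address labels and the zero fee are assumptions made for the illustration.

```python
# Added illustration: a toy UTXO model, not Bitcoin-Qt code. Address labels are
# constructed; the 6.42 BTC input assumes the send paid no fee.
from dataclasses import dataclass, field

COIN = 100_000_000  # satoshis per BTC


@dataclass
class Wallet:
    keypool: list  # pre-generated addresses the UI does not list
    utxos: dict = field(default_factory=dict)  # address -> unspent satoshis

    def receive(self, address, amount):
        self.utxos[address] = self.utxos.get(address, 0) + amount

    def send(self, from_addr, amount, fee=0):
        """Spend the whole output at from_addr; the remainder goes to a fresh keypool address."""
        total = self.utxos.get(from_addr, 0)
        change = total - amount - fee
        if change < 0:
            raise ValueError("insufficient funds")
        self.utxos.pop(from_addr, None)  # an output is always consumed whole
        outputs = {"recipient": amount}
        if change:
            change_addr = self.keypool.pop(0)
            self.utxos[change_addr] = change
            outputs[change_addr] = change
        return outputs

    def balance(self):
        return sum(self.utxos.values())

    def explorer_balance(self, address):
        """What looking up one address on a block explorer shows."""
        return self.utxos.get(address, 0)

    def covered_by_keys(self, addresses):
        """Funds spendable with only the private keys for these addresses."""
        return sum(v for a, v in self.utxos.items() if a in addresses)


def demo():
    w = Wallet([f"keypool-{i}" for i in range(100)])  # 100, as stated in the thread
    w.receive("primary-addr", 642 * COIN // 100)  # 6.42 BTC on the visible address
    outputs = w.send("primary-addr", 130 * COIN // 100)  # send 1.3 BTC
    return w, outputs


if __name__ == "__main__":
    w, outputs = demo()
    print(outputs, w.explorer_balance("primary-addr"), w.balance())
```

Looking up only `primary-addr` shows both amounts leaving and a zero balance, while the wallet still holds 5.12 BTC; a paper wallet made from the primary key alone covers none of it.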