Bitcoin Forum
Author Topic: I was robbed from my alt coins wallets - Extremely important - Be Cautious  (Read 9664 times)
pabloangello
November 27, 2013, 04:00:16 PM
 #1

Hello all members and readers outside the forum.
I would like to tell you my story that happened to me yesterday morning, which I have been fighting till today.
It is extremely important due to the highly increasing interest in crypto currencies across the globe.
Especially for newcomers excited about all of this amazing crypto currency world that they want to invest their money in.

OK so.

About three weeks ago I decided to enter the world of cryptos. I wanted to invest some of my money and diversify my investment into different alternate coins because everything told me they will grow in the long run and it is a good thing to do so (most of them are deflationary by definition).
So I joined the forum, read a lot, felt amazed by all of this, installed new wallets every day, more or less popular or completely new coins.

Eventually I picked my top 10 best to invest in at that moment in my opinion. Bought BTC and exchanged them for those cryptos. So during the next two weeks I had more or less what I wanted in my wallets. During those days I of course encrypted every wallet I had.
I watched the charts every day, tried a little arbitrage between markets (with little success) that let me buy more and fill my investments with new coins.
I was happy and very excited during all those days. It ran smooth and nice. I felt secure.

Then yesterday morning I had some BTC on Cryptsy and wanted to buy some Digitalcoins (it was about 1100).
So I bought them and sent to my DGC wallet.
At that moment I remembered that I had a feeling that most probably I didn't encrypt one of my wallets and wasn't sure whether it was the Digitalcoin wallet or not. I had something like 1900 DGC there.

So I opened my wallet, waited for it to sync and a second after it synced, instantaneously -1900 DGC was sent from my wallet to another address. And a second after that my newly bought 1100 DGC came to me from Cryptsy. I am quite new in all this and my first thought was that it is some error or something, but? Here is the screenshot:



Transaction id:
http://dgc.cryptocoinexplorer.com/address/DG5phm55dZiWwX5oknkJJgKkULMeXtFCoF
Thief address: DG5phm55dZiWwX5oknkJJgKkULMeXtFCoF

The other withdrawal (2013-11-27) is a desperate rescue of my own coins to another wallet (created on another PC), but more about it later.
Aha, and my wallet was encrypted.

So I became really suspicious. Maybe there is a trojan or something like that in my OS? I started to look at Windows Process Manager, which I have open all the time on my second monitor, but nothing suspicious there.
So I opened CCleaner and there found something weird looking:



It was almost obvious that something like this shouldn't be in my autostart. So I tried to close it, delete it through CCleaner, but every time I did that it was auto-enabled again!

So I thought OK, let's go to this directory. So I clicked C, Users, Pawel and .... ? Where are the "ensuy" and "qfiyp" directories?
THEY WEREN'T VISIBLE even though I had "show hidden files and directories" checked.

So I put the address C:\Users\Pawel\ensuy into the address bar and what happened? The screen shook and all of my windows were immediately closed.
At this moment it was obvious something really scary is going on and I felt hugely unsafe.
I opened the command console, went to C:\Users\Pawel, typed "dir" but those directories were also not visible in the listing.
So I typed manually "ensuy" and "qfiyp" and then I was in:


thecoin-qt.exe

And some other not visible files (there were more than this visible on listing).

My still running antivirus (AVG) did not catch anything!

I tried to delete it manually through cmd but it didn't help. I tried a restart in Safe Mode, still nothing. Can't get rid of that.
Even when I tried to delete it directly from the registry keys it did not help.
So I started to search the internet and downloaded some antimalware software. After a full scan it found those files and after a reboot I could delete them from autostart, registry keys and from those directories I mentioned above. But I still cannot delete those directories even though they were empty.


So what next!? I asked myself.
I started to open my wallets one by one and change the passphrases. But one question was on my mind: "If I change a passphrase when I am not synced because blocks are loading, then is my newly encrypted wallet sent to the network or not?!"
I did not know the answer to that question (now I know) but what else could I do, I thought.
The problem was I hadn't opened most of my wallets for several days and lately there is so much traffic on the market that blocks were loading and loading endlessly.

I felt a little bit more secure after deleting this trojan or whatever it was. But I had a strong feeling that something is still very much not right and that it was most probably a keylogger, because how is it possible for somebody to send money from my wallet without knowing my password?
I started to change all my passwords, for email, markets, everything.. but I had this strong feeling that I shouldn't do that on this system anymore. Maybe there is already a rootkit installed or who knows what else?
Then I also started to think, where it was installed? I checked the data of "thecoin-qt.exe" and realized it was just after I decided to enter this crypto world!
I also put this phrase into Google and there was a match:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AAB/detailed-analysis.aspx
This is it, or a branch of it, very similar.

I searched through my browser history and my memory and remembered that at the very beginning of my journey, when I was so turned on and installed every wallet in an excited rush, there was one new alt coin project I felt weird about.
!!!   https://bitcointalk.org/index.php?topic=333160.0    !!!

I remember exactly when I downloaded this client and wanted to click on it, something told me DON'T. Thread looks weird, no community around... but he provides source codes (yeaah and you didn't check them and also how could you know what is in that .exe DUMB ASS!).

I remember I deleted it quickly after installation because I felt it was weird. BUT IT WAS TOO LATE - REMEMBER THAT NEWCOMER!

Then I found that thread, looked at the last post and... everything became clear...  I had a trojan\keylogger\and who knows what more.


So I moved to my brother's PC (his computer was shut down for weeks because he is in another country right now so the hacker couldn't reach it).
To be sure I turned off the internet connection on my laptop.
Firstly I started to download my most valuable wallets so I started with Megacoin, in which I invested most of my money.
Blocks loading, I see the amount of my MGC on it and waiting.

Then..

Synced..

Puh!


To: MA6CFTXYwQwBKmLBT8A3x9zzT6rYAG2RDf
Debet: -8406.00 MΣC
Kwota netto: -8406.00 MΣC
ID transakcji: 91c1167e94e13f70dd5dfc777bf4d3295dc45f7a062eb14be484ebbbd122bf88

So I realized, YES IT WAS A KEYLOGGER AND EVEN MORE BECAUSE HE STOLE YOUR WALLETS!


At that point I didn't believe at all that my laptop is safe right now, so I changed every password for every website, forum, market, wallet, etc. And started to download my other wallets and change the passphrases of every one of them again.
Also started to create new wallets for all my coins (I WILL NOT USE those wallet addresses that you see on the screens anymore) with other new passwords.


I sat till 4:30 am loading blocks, changing passwords, creating new wallets, securing them, sending coins to them (if there was above 0 ...) and had a very unpleasant feeling every time a wallet got synced...


Till morning next day (it is today) I slept a few hours because I didn't have any more power, super tired, even right now.
And he also stole all my
Primecoins:



Status: 3407 potwierdzeń
Data: 2013-11-25 21:16
Do: AKfSuxQDE1Q8YQWKbhLGVvTAfG6jzrJ5tg
Debet: -112.30 XPM
Prowizja transakcji: -0.04435538 XPM
Kwota netto: -112.34435538 XPM
ID transakcji: 4bb9e53613a697d4af0d2681634535b4a038e723e1c2e6924f1c4433ba14a375


and


Peercoins



Status: 131 potwierdzeń
Data: 2013-11-27 09:52
Do: PWYWk7tNT78AdcY4c58VbtuVMTbHS7WgZQ
Debet: -55.00 PPC
Prowizja transakcyjna: -0.01 PPC
Kwota netto: -55.01 PPC
ID transakcji: 2abd81835bc8b1db41e7965be235a1e4f498be02302a578117725004d02dd848

What is interesting in the above screen: why was his withdrawal, which happened after mine, confirmed and mine not?

--------
Right now I finished everything and am struggling to install a clean Win 7 on my laptop (there are some problems as always with .ios's from Windows, I have my key of course). I am very tired but a little bit happy I saved almost half of my diversified wallets...

I know it was silly on my side and I should be more careful. You know how it is when you are super excited about something. You can easily become thoughtless about things you normally care about.


I am no admin here of course but I would suggest this thread as a WARNING and also some instructions on how to detect that something is not right and our wallets and computers could be in danger.


I strongly suggest to all of you to check your systems like I described above. Even if you did not install this wallet I mentioned.

Why?!

We are at the beginning of a new upcoming era of virtual money, virtual wallets. My case is simple and it was quite easy to avoid, but remember, new technologies always attract thieves with their new ways of robbing us. This will not be the last time one of us will lose money. They are for sure working on something right now and I strongly suggest - BE EXTREMELY CAUTIOUS with your coins and wallets. Install not only antivirus of course but also anti-malware software and hide your wallets as deep as you can.


So in sum I have lost about: 1900 Digitalcoins, 8400 Megacoins, 112 Primecoins and 55 Peercoins.

I took a lesson I will never forget. Learn from my mistakes...



TO THE THIEF THAT ROBBED ME

I know you actively look through this forum. Most probably you have a new account and are still with us.
I believe in people and if you have some empathy in yourself, please give me back my money. At least some.
Here are my new addresses:

Digitalcoin:
DFUiUnDGQYAGPmoXrXeQgAVz7uborYfHgz

Megacoin:
MAMbeVmzwpBhyyA1u39vyFNmZCEUbUM5rk

Peercoin:
PWwjLApspBX8PE3ECwPfSs2HWje1euAjqs

Primecoin:
Ad7L8CSnWvWXCh8mBTrDvkAp2tX9BbmyiW


--------------
For all of those that read that far. Thank you a lot that I could share my story with you and please take care of your coins.

Wish all of you smart, growing investments.

Pablo

ps. sorry for my English, it is not my native language.
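
Added example, not part of the original post or of any tool it names: a PowerShell script (assuming Windows PowerShell 3.0 or later) that automates the manual checks described in the opening post, listing Run/RunOnce autostart entries and flagging those that start from a user profile, carry the Hidden or System attribute on the file or its folder, or lack a valid Authenticode signature. The list of registry keys and the flagging rules are choices made for this example; note that a cmd `dir` listing omits Hidden and System entries unless `/a` is given.

```powershell
# Added example (not from the post): flag autostart entries that run from a
# user profile, sit in a Hidden/System folder, or are not validly signed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$hiddenOrSystem = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

function Get-CommandExecutable([string]$Command) {
    # A Run value is a command line: take the quoted path, else everything up
    # to the first script/executable extension, else the first token.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|scr|pif|bat|cmd|vbs|js))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $exe     = Get-CommandExecutable $command
        if (-not $exe) { continue }            # empty value, nothing to inspect
        if ($exe -notmatch '^([A-Za-z]:|\\\\)') {
            # Bare command name (e.g. rundll32.exe): resolve it through PATH.
            $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            if ($app) { $exe = $app.Path }
        }
        $reasons = @()
        if ($exe -like "$env:SystemDrive\Users\*") { $reasons += 'runs from a user profile' }

        # -Force makes Get-Item return items with the Hidden or System attribute.
        $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
        if ($null -eq $file) {
            $reasons += 'target not found or not readable'
        } else {
            if (([int]$file.Attributes -band $hiddenOrSystem) -ne 0) { $reasons += 'file is Hidden/System' }
            if (([int]$file.Directory.Attributes -band $hiddenOrSystem) -ne 0) { $reasons += 'folder is Hidden/System' }
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Reasons = $reasons -join '; ' }
        }
    }
}
$findings | Format-List
```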

digitalindustry
November 27, 2013, 04:26:47 PM
 #2

I'm really sorry for your loss:

notes:

1. Linux-

2. Compile-

3. Untrusted source -

hilariousandco
November 27, 2013, 04:31:43 PM
 #3



THCoin? That was your first mistake there. This is why it's a bad idea to download new coins that spring up out of nowhere.

pabloangello
November 27, 2013, 04:35:37 PM
 #4



THCoin? That was your first mistake there. This is why it's a bad idea to download new coins that spring up out of nowhere.

Yes, I also mentioned that. I know it is also my fault.

Hazard
November 27, 2013, 04:36:34 PM
 #5

Shitty knockoff of weedcoin Cheesy

https://bitcointalk.org/index.php?topic=219748.0

MisO69
November 27, 2013, 04:37:24 PM
 #6

THC Coin had a keylogger?  Shocked

I didn't download it, thought the name was stupid and its purpose could only be used for illegal things.

pabloangello
November 27, 2013, 04:38:58 PM
 #7

THC Coin had a keylogger?  Shocked

I didn't download it, thought the name was stupid and its purpose could only be used for illegal things.


You did the right thing. I envy you :/
Most probably if I had been a little more experienced in those days, not a total newbie, I would have done the same. My bad.

miffman
November 27, 2013, 04:57:47 PM
 #8

Thank you very much for this, much appreciated. I wish you best of luck in recovering all of your lost coins














 

 

pabloangello
November 27, 2013, 05:20:21 PM
 #9

Thank you very much for this, much appreciated. I wish you best of luck in recovering all of your lost coins
Thanks. Glad you appreciate it.

VirtualCoinBuddy
November 27, 2013, 05:24:18 PM
 #10

Thanks for the heads up! I often check my puter for malware and shit.. I know about them keyloggers.

glerant
November 27, 2013, 05:30:10 PM
 #11


Sorry about your coins - what a nightmare.
Thanks for your detailed analysis of what happened - it reminds us all to be wary.









Amph
November 27, 2013, 05:31:23 PM
 #12

avira + hitmanpro + malwarebytes anti-malware = gg any virus
pabloangello
November 27, 2013, 05:56:51 PM
 #13

avira + hitmanpro + malwarebytes anti-malware = gg any virus
Will try FOR SURE, haven't heard about hitmanpro.

zakorus
November 27, 2013, 06:09:46 PM
 #14

whoever this dbag is needs to go and shove himself in a meatgrinder. what a dick! Angry
mine it yourself dont steal from other people if i had some coins i'd donate but sadly i just started mining a few days ago for the first time ever.


pabloangello
November 27, 2013, 06:15:57 PM
 #15

whoever this dbag is needs to go and shove himself in a meatgrinder. what a dick! Angry
mine it yourself dont steal from other people if i had some coins i'd donate but sadly i just started mining a few days ago for the first time ever.
I hope you will mine something, nowadays it is really hard.

defaced
November 27, 2013, 06:29:40 PM
 #16

Wow that really sucks.

FiiNALiZE
November 27, 2013, 06:36:03 PM
 #17

I'm pretty sure the thief's main DGC address is:

http://dgc.cryptocoinexplorer.com/address/DM9UGWJyPWfU4XdHWU3iGWwFmexba5fKQ4

pabloangello
November 27, 2013, 06:38:49 PM
 #18

Pity that we cannot do much with this. That is the other side of crypto currency.

Lauda
November 27, 2013, 07:00:02 PM
 #19

Sorry that this has happened to you. Although it was a mistake on your end.
Try linux next time, and less "suspicious" coins.


pabloangello
November 27, 2013, 07:06:48 PM
 #20

Sorry that this has happened to you. Although it was a mistake on your end.
Try linux next time, and less "suspicious" coins.
Yep I admitted it. But it is still no excuse for the man behind it. But you know there will be more advanced methods of wallet attacks. Right now I'm creating a fortress from my PC before I install anything from the net.
