Bitcoin Forum
Topic: Bitcoins stolen from my Multibit wallet while off and password protected
Aleksk (OP)
January 10, 2014, 12:18:00 AM
Last edit: January 10, 2014, 12:43:09 AM by Aleksk
 #1

I've opened my Multibit wallet after several days and noticed it has been cleared while being closed and under password. There is no way anyone could have access to my Mac or had my password. How could this happen at all? I'm quite new to the game but I suppose there is not much I can do about it, however I cannot understand how this is possible... I've tried to google the issue but found just 1 user claiming the same so far... Any clue?
Raghnar
January 10, 2014, 12:40:40 AM
 #2

It had been "cleared" ?  You do seem new if that's the best way you can describe what happened.

Why don't you tell us if the coins were sent to another address....you can tell that from the blockchain.  Maybe you just don't have your wallet file loaded correctly or many other possibilities.
Aleksk (OP)
January 10, 2014, 12:45:45 AM
 #3

Sorry, my wrong - didn't realize I was so vague.

Yes the coins were sent to another address, this is the transaction http://blockchain.info/tx-index/157801501023f5f425e7634e9ea68754fe7adacf660ecb9589ee0f4d66e8174e
Aleksk (OP)
January 10, 2014, 12:52:24 AM
 #4

Quote: There is no way anyone could have access to my Mac or had my password.

Quote: You've never connected your Mac to the internet?

Here I meant no one had physical access to the computer - I was indeed connected online, however Multibit was off... if that changes anything...
Mike Hearn
January 10, 2014, 03:13:31 PM
 #5

Did you store backups or make copies of your wallet anywhere? Can you describe your password in general terms e.g. how long it is, what sort of password it is.

Also can you provide the output of running "ps aux" from the Terminal app?

As far as I'm aware nobody has reported malware that is capable of stealing encrypted MultiBit wallets. If there is now one in the wild, we need to find it.
Aleksk (OP)
January 10, 2014, 05:46:40 PM
Last edit: January 10, 2014, 06:30:25 PM by Aleksk
 #6

My password is 10 alpha-numeric random digits with Upper and Lower case.

I didn't make a backup of the wallet yet as it's been just one week since I deposited my first bitcoin. I thought the backup is more against lost and stolen hardware rather than additional security against hacking, so I was not too concerned about this. Would this actually help at all?

Anyhow, after I noticed the stolen bitcoins, I googled the issue and so far have found just another person claiming the same - he is even using Little Snitch, while I'm not, and it didn't protect him either, so he is blaming the app.

Here is his post: http://www.reddit.com/r/Bitcoin/comments/1scd2n/914_bitcoins_stolen_from_multibit_wallet/

Could it be that someone could have access to my computer through the BOINC application? I was sharing some CPU power with WorldCommunityGrid for some Cancer Researches etc for the Ripple team... just trying to think what could be the scenario? They still had to hack my password however my concern is someone doing it remotely while Multibit was not open?? Another "funny" detail is that the address of the receiver was actually written in the send box, in case this could mean anything.


Below is my ps aux:
Aleksk (OP)
January 10, 2014, 06:34:15 PM
Last edit: January 11, 2014, 12:24:49 AM by Aleksk
 #7

Just had a flash:

30min before this happened, someone tried to log in to my gmail and google prevented it! I didn't realize immediately that it actually was on the same day, as I noticed the stolen bitcoins just several days after...

Hi Aleks,

Someone recently used your password to try to sign in to your Google Account

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Monday, January 6, 2014 10:09:21 PM UTC
IP Address: 85.114.142.172 (afo7.torproject.afo-tm.org.)
Location: Germany


If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.
Mike Hearn
January 11, 2014, 12:33:16 PM
 #8

Huh. I was actually tech lead of the team at Google that implemented the anti-hacking feature you saw. Good to know it's still working!

Your password sounds strong, but was it ever used for anything else? In particular, was it used for any websites? The fact that someone knows the password to your Google account strongly implies to me that it's due to a hack or password leak from somewhere rather than an issue with MultiBit itself, but we still should get to the bottom of it.

Making a backup doesn't reduce the risk of getting hacked, it increases it, because to hack a wallet you need both the password AND the wallet file itself. So the more copies of the wallet that are lying around the easier it is to satisfy the second condition.

Did you import any keys to your MultiBit wallet from anywhere, or did MultiBit generate them?

The ps output you posted is truncated. It's really the last column that's most important. You can send it to me in a private message if you want.

I wonder if we need to bump up the encryption strength. Ideally it would take several seconds to decrypt the wallet and I don't remember MultiBit taking that long.
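
An added illustration of the two points in post #8 (not code from this thread or from MultiBit): it calibrates a key-derivation cost so that one decryption attempt takes a chosen time on the local machine, and shows that the slow KDF only protects a password that has not leaked elsewhere. scrypt from Python's standard library is an assumed KDF here, and all function names and the sample password are constructed for the example.

```python
import hashlib
import os
import time

ALPHABET = 26 + 26 + 10            # upper + lower + digits, the password style described above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_guesses(length: int, leaked_elsewhere: bool) -> int:
    """Average guesses an offline attacker holding the wallet file needs."""
    if leaked_elsewhere:
        return 1                   # a reused, leaked password is simply tried first
    return ALPHABET ** length // 2


def derive_key(password: str, salt: bytes, log2_n: int, r: int = 8, p: int = 1) -> bytes:
    """Stretch the password into a 32-byte wallet key with scrypt (assumed KDF)."""
    n = 1 << log2_n
    # scrypt needs about 128 * n * r bytes; lift OpenSSL's 32 MiB default cap to fit.
    maxmem = 128 * n * r + (1 << 20)
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def seconds_per_attempt(log2_n: int) -> float:
    """Time one key derivation at the given cost on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("constructed-sample-password", salt, log2_n)
    return time.perf_counter() - start


def calibrate(target_seconds: float, min_log2_n: int = 10, max_log2_n: int = 18) -> int:
    """Smallest log2(N) in range whose derivation takes at least target_seconds."""
    for log2_n in range(min_log2_n, max_log2_n + 1):
        if seconds_per_attempt(log2_n) >= target_seconds:
            return log2_n
    return max_log2_n              # cap reached; the machine is faster than the target


def years_to_crack(length: int, leaked_elsewhere: bool,
                   secs_per_attempt: float, parallel_guessers: int = 1) -> float:
    """Expected wall-clock years for an offline search at the given cost per attempt."""
    total = expected_guesses(length, leaked_elsewhere) * secs_per_attempt / parallel_guessers
    return total / SECONDS_PER_YEAR


if __name__ == "__main__":
    cost = calibrate(target_seconds=0.5)
    per_try = seconds_per_attempt(cost)
    print(f"log2(N) = {cost}, {per_try:.2f} s per decryption attempt")
    for leaked in (False, True):
        y = years_to_crack(10, leaked, per_try, parallel_guessers=1000)
        print(f"password leaked elsewhere: {leaked!s:5}  expected years: {y:.3g}")
```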
Aleksk (OP)
January 11, 2014, 08:11:10 PM
 #9

I can only thank you for implementing this feature then, it saved me several times already in the last year :)

Your feeling of being a leak from some website where I used the password sounds reasonable to me. It still remains the mystery of someone doing the transfer remotely, while the Wallet was closed, however perhaps this is mystery just for me, given my lack of technical knowledge?!

I have several passwords however the Multibit password I used was not unique, was one of the 3-4 passwords I'm usually using - despite this one being the last created, just few months ago.

No, I did not import any key to Multibit, neither Multibit generated them.

I've sent you in a private message the ps output again...

Thanks for your interest Mike, really appreciated.

PS: I presume this IP address of the "hacker" does not help us a lot in tracking anyone or anything ??
PartsUnkown46
January 12, 2014, 10:05:10 AM
 #10

The IP is a Tor node, which is an anonymity network, so that doesn't help you.

You should look into KeePass / LastPass / 1pass or something like that. You need 1 master password and then have a random pw for each website/tool/etc.
Mike Hearn
January 12, 2014, 01:30:45 PM
 #11

I don't know how they would obtain the wallet without having access to your PC, but it's perhaps possible that a copy of the wallet was in your Google account or some other online backup account, or perhaps you ran something which is how they obtained both the wallet file and the password. It's hard to say, remote forensics is very hard.
spin
January 15, 2014, 01:11:58 PM
 #12

Quote: Another "funny" detail is that the address of the receiver was actually written in the send box, in case this could mean anything.

Based on this I'd take a guess and say it sounds like they had access to the PC running multibit. This could be physically or possibly through some remote desktop/vnc/teamviewer feature. Do you have anything like this running? With the same password as gmail?

How many other services you use have the same password as your gmail?
How many other services you use have the same password as your multibit?

Password reuse is a big problem: http://xkcd.com/792/





If you liked this post buy me a beer.  Beers are quite cheap where I live!
bc1q707guwp9pc73r08jw23lvecpywtazjjk399daa
nurv2600
February 16, 2014, 01:34:40 AM
 #13

This exact same thing happened to me, just a few days after I received 2 small donations into each of my Multibit wallets. Each wallet received 2 donations of 1 satoshi at ONE of its many addresses (turned out to be spam, sending addresses started with 1Enjoy and 1Sochi). Meaning, whatever it was that made those donations knew what addresses were in what wallet; out of nearly 50 addresses, it chose one from each wallet, including one wallet with 1 address! Meanwhile, my coinbase addresses (not used for anything but buying coin and sending it out) received nothing. Seems as if something had knowledge of my Multibit accounts.

All but one was encrypted. Only the unencrypted one got stolen. Yes, I know, I know...but this was an account with not much in it, and it was on a Mac that always has the process list monitored like 20 times a day (I work in IT), and regular virus scans. I'm running another one now, but expect to find nothing. It's a laptop that's ALWAYS under my physical control, or locked up at home. I can only believe that if the security breach was on my end, it has to be Multibit itself, not something I did.

Here's the transaction that stole 0.086 BTC from me (thank god a small amount), and some from another account for a total of about 0.12 BTC: https://blockchain.info/tx/04c06700f24e48b9c4dc83f440e7bd15459fe685e6a34d2578c57df9f9816bb4

Any idea what I should do? I was thinking of investing more in Bitcoin, but I don't trust online wallets for just this reason, now it looks like local wallets are vulnerable too! How the hell did somebody get the private key of my Multibit address? My only other thought is if something got intercepted in transmission; when making a transaction from a local account like Multibit, is your private key ever transmitted (un)encrypted, or just the public address? Sorry, I know a bit about Bitcoin, but not everything.
machinationus
February 20, 2014, 11:17:20 PM
 #14

There is a wallet virus for Macs.
Maybe a person with a program downloaded your wallet.dat and spent it.
It's here: https://blockchain.info/address/1mKxvkc8BjGxgudcwgxshbQrh9GDWhkJg

Maybe a bad idea storing any wallet.dat on the file system of any machine with internet?

SHaaT3k
May 15, 2014, 08:20:00 AM
 #15

The same thing happened to me.
Closed wallet, 14-digit password and stolen Bitcoin.
There is probably no way to return (some of) them?
mpdas108
May 23, 2014, 03:23:54 PM
 #16

Any updates, or clues to the cause of this...
