help needed Bitcoin stolen or missing?

[chenchunyu88]

https://blockchain.info/tx/53c2dcafd2d4aae6165fe9b7a7608fde0965085bd4729c01e7d7375566a114ad
 This transaction is not made by myself and around 3.364 BTC gone. There are to possible reasons: 1. Bitcoin-Qt software doesn't work properly when experiencing hardware issue. 2. My computing get hacked.

Here is a little description about my settings: I have 2 windows 7 desktop running with the same bitcoin wallet. One desktop use local disk for the Bitcoin data (wallet, blocks, and etc.), the other use store the Bitcoin data on a network drive via iSCSI. I access these two PCs using teamviewer and require two password: the teamviewer password and the password for the machine. If anyone need to send money, he would need a 3rd password for the wallet. I thought this was secure enough.

What happen was I did a upgrade to my Synology DSM (the network drive) on Feb, 17, 2014 around 12:00 at noon. So basically there was an error for on bitcoin-qt saying that "it cannot access the data". I didn't really visited those two PC for 2 days and they stay running because a few miners are connected to them or use them as proxy. Today I found that about 3.364 BTC are sent to another address from one of my address and I think it almost drained the total amount of BTC in that address.

So I am wondering if it's hardware+software issue or some hacker issue.

If it's a hacker, why didn't he/she also steal BTC from other addresses in the same wallet. And why didn't he/she drain my litecoin wallet as well. And the BTC sent has never been spent. It doesn't make any sense.

If it's a hardware+software issue, do you think if there is any way to recover them.

[chenchunyu88]

Here is my log for the machine runs BTC data on a network driver.

It seems that there is no log at all since 2014-02-17 16:45:10

2014-02-17 16:45:09 AcceptToMemoryPool: 128.70.116.18:8333 /Satoshi:0.8.6/ : accepted 31278784b29559bb8ceb124f0317e3b5d3982880a6f6dbc995ad2c73b176c6aa (poolsz 1247)
2014-02-17 16:45:10 AcceptToMemoryPool: 46.162.85.226:8333 /Satoshi:0.8.5/ : accepted 3bbe9ff21b4f5ac1d7078294c44fbc185a6cafbef66e346b14f2534fac418a9d (poolsz 1248)
2014-02-19 17:28:37











2014-02-19 17:28:37 Bitcoin version v0.8.6-beta (2013-12-05 13:11:26 +0100)
2014-02-19 17:28:37 Using OpenSSL version OpenSSL 1.0.1c 10 May 2012
2014-02-19 17:28:37 Default data directory C:\Users\DIY\AppData\Roaming\Bitcoin
2014-02-19 17:28:37 Using data directory d:\BitCoinData
2014-02-19 17:28:37 Using at most 125 connections (2048 file descriptors available)
2014-02-19 17:28:37 Using 8 threads for script verification

[DannyHamilton]

I have 2 windows 7 desktop running with the same bitcoin wallet.

This is a very bad idea. At best it will lead to confusion.  At worst, if you are not very careful, it can lead to losing bitcoins.

If it's a hacker, why didn't he/she also steal BTC from other addresses in the same wallet. And why didn't he/she drain my litecoin wallet as well. And the BTC sent has never been spent. It doesn't make any sense.

If it's a hardware+software issue, do you think if there is any way to recover them.

If you are absolutely certain that you never created a transaction to either send:

3.36400639 BTC to 1PbqBj5N1QHszSR244Ubh9KzoJaThM2twi

or

0.00153218 BTC to 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5

then this looks most likely to either be a hacker, virus, or trojan program that you installed that gained access to the private key of the 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5 address.

Is this an address that you imported from somewhere?  Have you ever exported the private key of the 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5 address?  Do you have any unencrypted backups of the wallet that contains the 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5 address stored anywhere?

[chenchunyu88]

I think I figured out how the wallets got stolen. I started with bitcoin about 1 year and half ago. As first, I didn't add password for the wallet and backed it up. And then I realized there should be a password. So I added the password ever since. The bad thing is that I kept the old backups along with the newer ones.

I stored these on my Synology DSM network drive and it can be access through the internet with a password. However, recently there is a security issue of the Synology DSM OS and granted hacker access the entire filesystem. I think the hacker tried all those wallet backups and found the old one without password. That's why only a few BTC that is associated with that address are stolen while funds on other addresses are still good.

I am wondering in theory if it's possible to compromise a encrypted wallet with strong password.

I already move all the funds from the entire wallet to a new created paper wallet using armory. I hope now my bitcoins are secure.

I am also wondering if you have any other recommendations.

I think the security is quite a big issue to bitcoin as average user really need time to learn how to make it secure. That's why people put their money in a bank which is insured.

I have 2 windows 7 desktop running with the same bitcoin wallet.

This is a very bad idea. At best it will lead to confusion.  At worst, if you are not very careful, it can lead to losing bitcoins.

If it's a hacker, why didn't he/she also steal BTC from other addresses in the same wallet. And why didn't he/she drain my litecoin wallet as well. And the BTC sent has never been spent. It doesn't make any sense.

If it's a hardware+software issue, do you think if there is any way to recover them.

If you are absolutely certain that you never created a transaction to either send:

3.36400639 BTC to 1PbqBj5N1QHszSR244Ubh9KzoJaThM2twi

or

0.00153218 BTC to 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5

then this looks most likely to either be a hacker, virus, or trojan program that you installed that gained access to the private key of the 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5 address.

Is this an address that you imported from somewhere?  Have you ever exported the private key of the 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5 address?  Do you have any unencrypted backups of the wallet that contains the 1HwNG7uzc2asJSvfKETgu9VBFd9BmxAUb5 address stored anywhere?

[spin]

Are you using the same wallet on two different machines?  If you are using the same actual wallet.dat file you might be safe. 

However if you are using different wallet.dat files the two wallets will become different as they would be generating new addresses which are different.  They would have started off as the same wallet but when bitcoin-qt adds addresses to the wallets it will be different on the two machines which means they will start having different addresses. 

If you are wanting to use the same wallet on different machines you should use a deterministic wallet such as Armory.

[chenchunyu88]

I was using two different wallet.dat file at the time it happens.

I have a question: Is all the public keys generated by the same private key?

Are you using the same wallet on two different machines?  If you are using the same actual wallet.dat file you might be safe. 

However if you are using different wallet.dat files the two wallets will become different as they would be generating new addresses which are different.  They would have started off as the same wallet but when bitcoin-qt adds addresses to the wallets it will be different on the two machines which means they will start having different addresses. 

If you are wanting to use the same wallet on different machines you should use a deterministic wallet such as Armory.

[DannyHamilton]

I was using two different wallet.dat file at the time it happens.

I have a question: Is all the public keys generated by the same private key?

No.

Every address has it's own public key.

Every public key has its own private key.

With the Bitcoin-Qt wallet, the private key is generated completely randomly with no relationship at all to any other private key in the wallet.  This means that you need to have a safe copy of every private key in the wallet.  It is not possible to re-calculate the private keys from any values.

With some other "deterministic" wallets (such as Electrum) the private keys are generated in a sequence from a "seed" value.  This means that with such a "deterministic" wallet, you can re-calculate all the necessary private keys from the single "seed" value in the future if you need to.