Bitcoin Forum
Topic: Strange Transaction - Bitcoins lost
C. Bergmann (OP)
March 05, 2014, 10:14:55 AM
 #1

Hello,

I am not talking about my bitcoins but about someone else's bitcoins. I know several reasons how a hacker can steal your bitcoins, but I can't explain this. He secured his systems with Kaspersky, used MultiBit and encrypted his wallet with a password. He also didn't open some appendix of a mail.

The story:
Yesterday in the afternoon (MEZ) he sent 0.2381 BTC from an exchange to his wallet. For this he created a new address: https://blockchain.info/address/17v2YjSNHJkzsExZWgzKCep85d2jwi5NTp
Today in the morning he opened his wallet. Nothing. He controlled several times if the address was right. It was.

Then he searched blockchain.info. This happened with his transaction:
Confirmation at 16:15 yesterday. Bitcoins arrived.
In the night (about 01:00) the bitcoins were sent. He didn't send, someone sent.

The transaction out is part of a huge transaction of about 31.8 BTC which were sent from many addresses to one address. Like someone had all these addresses in a wallet.

When I opened the sending addresses I found this pattern: all I looked at include only two transactions: one in and one out. Balance is zero. The transaction in happened some days ago.

It seems newly created addresses on MultiBit wallets have been manipulated. Can this be true?






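The pattern described in the opening post (many addresses, each with one incoming and one outgoing transaction and a zero balance, all emptied into a single address by one transaction) can be checked mechanically over exported transaction data. This is an added example, not part of the original post: the ledger is constructed, only the address and the 0.2381 BTC deposit come from the thread, and the thresholds `min_inputs` and `min_share` are assumptions.

```python
from collections import defaultdict

VICTIM = "17v2YjSNHJkzsExZWgzKCep85d2jwi5NTp"  # address quoted in the thread

def tx(txid, hour, inputs, outputs):
    return {"txid": txid, "hour": hour, "inputs": inputs, "outputs": outputs}

# Constructed ledger, NOT real chain data: amounts in satoshi, time in hours.
# Address-level model (no individual UTXOs). Only VICTIM and its 0.2381 BTC
# deposit are taken from the post; every other name and value is made up.
LEDGER = [
    tx("fund-b", 10, [("src-b", 50_000_000)], [("addr-b", 50_000_000)]),
    tx("fund-c", 30, [("src-c", 70_000_000)], [("addr-c", 70_000_000)]),
    tx("fund-d1", 5, [("src-d", 10_000_000)], [("addr-d", 10_000_000)]),
    tx("fund-d2", 50, [("src-d", 20_000_000)], [("addr-d", 20_000_000)]),
    tx("fund-v", 100, [("exchange", 23_810_000)], [(VICTIM, 23_810_000)]),
    tx("sweep", 109, [("addr-b", 50_000_000), ("addr-c", 70_000_000),
                      ("addr-d", 30_000_000), (VICTIM, 23_810_000)],
       [("collector", 173_800_000)]),
    tx("pay-1", 120, [("shop-wallet", 9_000_000)],
       [("supplier", 4_000_000), ("shop-change", 4_990_000)]),
]

def address_history(ledger):
    """Per address: funding txids, spending txids and resulting balance."""
    hist = defaultdict(lambda: {"funded_by": [], "spent_in": [], "balance": 0})
    for t in ledger:
        for addr, amount in t["outputs"]:
            hist[addr]["funded_by"].append(t["txid"])
            hist[addr]["balance"] += amount
        for addr, amount in t["inputs"]:
            hist[addr]["spent_in"].append(t["txid"])
            hist[addr]["balance"] -= amount
    return hist

def sweep_report(txid, ledger, min_inputs=3, min_share=0.7):
    """Check one transaction against the pattern described in the post."""
    by_id = {t["txid"]: t for t in ledger}
    hist = address_history(ledger)
    target = by_id[txid]
    inputs = sorted({addr for addr, _ in target["inputs"]})
    # "one in and one out, balance zero": funded once, emptied by this tx only
    single_use = [a for a in inputs
                  if len(hist[a]["funded_by"]) == 1
                  and hist[a]["spent_in"] == [txid]
                  and hist[a]["balance"] == 0]
    # hours between the single deposit and the sweep, per matching address
    age = {a: target["hour"] - by_id[hist[a]["funded_by"][0]]["hour"]
           for a in single_use}
    destinations = sorted({addr for addr, _ in target["outputs"]})
    share = len(single_use) / len(inputs)
    return {"inputs": len(inputs), "single_use": single_use, "share": share,
            "age_hours": age, "destinations": destinations,
            "matches": (len(inputs) >= min_inputs and len(destinations) == 1
                        and share >= min_share)}

if __name__ == "__main__":
    for name in ("sweep", "pay-1"):
        print(name, sweep_report(name, LEDGER))
```

A match only says that one party held the keys of all input addresses at spending time; it does not say how the keys were obtained.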
DannyHamilton
March 05, 2014, 04:29:56 PM
 #2

Need more evidence.

My initial assumption is malware on his computer.

My second assumption is unofficial copy of MultiBit.

My third assumption is that he didn't create the address with MultiBit.

Until there is proof that all three assumptions are false, I am not inclined to entertain a suspicion that the current version of MultiBit is at fault.
escrow.ms
March 05, 2014, 04:42:32 PM
 #3

People use crypters to hide their malware from antiviruses and to bypass AVs like Kaspersky PURE. So never rely on just antiviruses; overall safety & security is necessary.
C. Bergmann (OP)
March 05, 2014, 04:55:40 PM
 #4

Quote from: DannyHamilton
> Need more evidence.
>
> My initial assumption is malware on his computer.
>
> My second assumption is unofficial copy of MultiBit.
>
> My third assumption is that he didn't create the address with MultiBit.
>
> Until there is proof that all three assumptions are false, I am not inclined to entertain a suspicion that the current version of MultiBit is at fault.

Malware was my first assumption too.
He has been using MultiBit for several months. So I don't think it's an unofficial copy of MultiBit.
He said he did create the address with MultiBit.

What do you mean by "overall safety & security"?
He uses an antivirus program and set a password for the wallet. What further measures are necessary? Some anti-malware program?

I didn't ask if he had further balances on MultiBit, but wouldn't malware be supposed to steal everything?


cr1776
March 05, 2014, 05:14:46 PM
 #5

Quote from: C. Bergmann
> Quote from: DannyHamilton
> > Need more evidence.
> >
> > My initial assumption is malware on his computer.
> >
> > My second assumption is unofficial copy of MultiBit.
> >
> > My third assumption is that he didn't create the address with MultiBit.
> >
> > Until there is proof that all three assumptions are false, I am not inclined to entertain a suspicion that the current version of MultiBit is at fault.
>
> Malware was my first assumption too.
> He has been using MultiBit for several months. So I don't think it's an unofficial copy of MultiBit.
> He said he did create the address with MultiBit.
>
> What do you mean by "overall safety & security"?
> He uses an antivirus program and set a password for the wallet. What further measures are necessary? Some anti-malware program?
>
> I didn't ask if he had further balances on MultiBit, but wouldn't malware be supposed to steal everything?

Antivirus programs are not foolproof; there are zero-day exploits etc. that can bypass them. As Danny said above, it sounds like malware is a possibility, a Trojan version of MultiBit etc.

Without more information it is hard to determine what has occurred.

For larger balances, antivirus software isn't enough.

oakpacific
March 05, 2014, 05:29:07 PM
 #6

Quote from: C. Bergmann
> Hello,
>
> I am not talking about my bitcoins but about someone else's bitcoins. I know several reasons how a hacker can steal your bitcoins, but I can't explain this. He secured his systems with Kaspersky, used MultiBit and encrypted his wallet with a password. He also didn't open some appendix of a mail.
>
> The story:
> Yesterday in the afternoon (MEZ) he sent 0.2381 BTC from an exchange to his wallet. For this he created a new address: https://blockchain.info/address/17v2YjSNHJkzsExZWgzKCep85d2jwi5NTp
> Today in the morning he opened his wallet. Nothing. He controlled several times if the address was right. It was.
>
> Then he searched blockchain.info. This happened with his transaction:
> Confirmation at 16:15 yesterday. Bitcoins arrived.
> In the night (about 01:00) the bitcoins were sent. He didn't send, someone sent.
>
> The transaction out is part of a huge transaction of about 31.8 BTC which were sent from many addresses to one address. Like someone had all these addresses in a wallet.
>
> When I opened the sending addresses I found this pattern: all I looked at include only two transactions: one in and one out. Balance is zero. The transaction in happened some days ago.
>
> It seems newly created addresses on MultiBit wallets have been manipulated. Can this be true?

Nothing like that happened before? Does he still have any unspent coins in his MultiBit wallet? He did not send anything before receiving the coins, right? Also, is his password strong enough?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
escrow.ms
March 05, 2014, 05:43:39 PM
Last edit: March 05, 2014, 06:00:24 PM by escrow.ms
 #7

Quote from: C. Bergmann
> What do you mean by "overall safety & security"?
> He uses an antivirus program and set a password for the wallet. What further measures are necessary? Some anti-malware program?

I wrote a thread about it a long time ago.
https://bitcointalk.org/index.php?topic=203876.0

If you want to be safe, you have to take care of several things.

1. If you are using Windows, keep your software (MS Office, Adobe PDF, Java, Flash etc.) and OS updated.
2. Don't download things from unreliable sources. If you do, make sure to scan them on http://virustotal.com/ , http://malwr.com/.
3. Avoid spam emails with PDF/Word file attachments.
4. Secure your WiFi and modem/router.
5. Avoid random people's pendrives.

I know a case where a guy contacted a buyer on LocalBitcoins and told him that he wanted to sell cheap coins for cash. He created an escrow on LocalBitcoins, then he went to the buyer's house with his pendrive and said his password was written in a notepad file, then logged on to LocalBitcoins and did the transaction, took the cash and left. A few hours later the buyer's account was empty and he lost other coins too.

What did that hacker do? He probably used the USB autorun function or bound an exe file with a txt and changed the extension.


jcgeny
March 06, 2014, 06:10:48 AM
 #8

never use wi-fi: all systems are cracked

for the rest, bitcoin is looking too much "amateur"; the wallet file can not be copied from one pc to another: at least with bitcoin-qt...
it looks like linux and its famous security that in fact hides the real truth: a buggy old system that no one uses and absolutely not made for "debutant". from the front of security, M$ kills a lot of big botnets and closes a lot of doors, assuring real SECURITY.... never heard of any linux having ever done that....

nybbler905
March 07, 2014, 02:36:24 AM
 #9

Quote from: jcgeny
> never use wi-fi: all systems are cracked
>
> for the rest, bitcoin is looking too much "amateur"; the wallet file can not be copied from one pc to another: at least with bitcoin-qt...
> it looks like linux and its famous security that in fact hides the real truth: a buggy old system that no one uses and absolutely not made for "debutant". from the front of security, M$ kills a lot of big botnets and closes a lot of doors, assuring real SECURITY.... never heard of any linux having ever done that....

Funny, I dropped XP for Ubuntu due to the botnets having easy access to my system and the lack of connections for them with Linux. I also have taken the time to go over every line in the bitcoin.conf file to make damn sure that there is no allowed access (no solo mining for me!) and that only allowed peers can connect. I HAD to do that last step for both BTC and LuckyCoin as the original Lucky would try and connect to the BTC network (and occasionally vice versa). As to not moving the wallet.dat file, 4 motherboards later, 3 operating systems... (counting Ubuntu 12.04 and 13.04 as one) the backup of my first wallet is still used to start bitcoin-qt (latest version) after all this time and I password protected it prior to backing it up. M$ don't kill botnets, they live on those systems, usually as system programs. The reason you have not heard of any Linux having made that is that you have not heard HOW to get a virus ON a linux system. Thank You WINE for making viruses possible on Linux!  Roll Eyes

Always looking for donations even as low as 1uBTC
14XfpYPdtYiGoEiDcKrSzuvBM3ukhwANUh - BTC
LS7FEfu9ajp3NQcDjui9TSKscwQesj9i8k - LTC
LHe9g5ixMyfdtqAEHU5vErG1eQrDshBFRW -Luckycoin
fronti
March 07, 2014, 08:55:55 AM
 #10

Quote from: nybbler905
> The reason you have not heard of any Linux having made that is that you have not heard HOW to get a virus ON a linux system. Thank You WINE for making viruses possible on Linux!  Roll Eyes

funny that all think linux is the holy grail.
also you do not need wine for botnets on "Linux"
there are also many other ways to infect a linux box.

this was last year,

http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

also there are others..
so the most important stuff is, "you need to know what you are doing, keep your software up to date, don't run programs from unknown sources..."

Also compiling from source code may not always help. I remember a backdoor in a makefile for irssi, where the source code packages were changed for a bad one..

so, there are many ways you can get malware even on linux..

just my 2 mBTC

If you like to give me a tip:  bc1q8ht32j5hj42us5qfptvu08ug9zeqgvxuhwznzk

"Bank robbery is an undertaking for dilettantes. True professionals found a bank." Bertolt Brecht
escrow.ms
March 07, 2014, 08:49:52 PM
 #11

Well, it's true that malware is available for Mac and Linux too, but Windows users are still the easy target of young hackers.
nybbler905
March 08, 2014, 06:16:08 PM
 #12

OK, fronti, you are correct, there are other ways for Linux to get infected. Using server based Linux does set up a Pandora's box of options to get in to a system and make the changes. I did my research and Ubuntu, Knoppix and a few others that can run off of a CD to boot in to are the few variations that do not use SHM (or memory shims for those that call shared memory that) and also do not 'allow without being told to deny' remote access. Windows has remote administration and Windows Messaging built in and turned on by default as the biggest back door in to a system. As to the strange transactions with Bitcoins Lost, a few days prior to the reports of mass unconfirmed BTC transactions showing in block chains I've had 0.001 BTC 'apparently' go out (according to the block chain) attached to a transaction. My wallet didn't show it, it did show the transaction I was trying to do and the associated fee.

Depending on what block explorer you use, it says on a few that the actual balance may be higher in your wallet than what is reported. What gives with that?

DannyHamilton
March 08, 2014, 07:39:48 PM
 #13

Quote from: nybbler905
> OK, fronti, you are correct, there are other ways for Linux to get infected. Using server based Linux does set up a Pandora's box of options to get in to a system and make the changes. I did my research and Ubuntu, Knoppix and a few others that can run off of a CD to boot in to are the few variations that do not use SHM (or memory shims for those that call shared memory that) and also do not 'allow without being told to deny' remote access. Windows has remote administration and Windows Messaging built in and turned on by default as the biggest back door in to a system. As to the strange transactions with Bitcoins Lost, a few days prior to the reports of mass unconfirmed BTC transactions showing in block chains I've had 0.001 BTC 'apparently' go out (according to the block chain) attached to a transaction. My wallet didn't show it, it did show the transaction I was trying to do and the associated fee.
>
> Depending on what block explorer you use, it says on a few that the actual balance may be higher in your wallet than what is reported. What gives with that?

A wallet is a collection of one or more addresses. A block explorer does not know how many addresses are in your wallet. A block explorer does not tell you the total balance of your wallet, just of an address.
ksteve96
March 08, 2014, 08:09:06 PM
 #14

OP, can you provide a hijackthis log? I'm guessing something stole the private keys from a bunch of people. 

donsanto
March 09, 2014, 03:22:12 AM
 #15

This looks like a case of malware. If it was an issue with the client then there would have been more reports of theft.
C. Bergmann (OP)
March 11, 2014, 09:12:14 AM
 #16

Quote from: ksteve96
> OP, can you provide a hijackthis log? I'm guessing something stole the private keys from a bunch of people.

I'll ask. As I said, I have the luck it was not my wallet. I personally have never lost any bitcoins except through pure, greedy and stupid gambling. It was a customer of bitcoin.de, a German marketplace I do PR for, who announced his loss in our forum and I promised to ask ... Actually our forum is down because we are moving it, but when it's up again I'll ask.

And yes: it seems someone stole the privkeys of many people; the address in the blockchain indicates it. What makes me wonder is that there is a connection between newly created addresses, fresh incoming transactions and the stealing. This could shed light on the mechanism of this malware.


Zickafa
March 11, 2014, 09:57:26 AM
 #17

"I am not talking about my bitcoins but about someone else's bitcoins" sounds like "my friend not me loves you, what do you think about it?" Grin
C. Bergmann (OP)
March 11, 2014, 10:52:33 AM
 #18

Quote from: Zickafa
> "I am not talking about my bitcoins but about someone else's bitcoins" sounds like "my friend not me loves you, what do you think about it?" Grin

I know well; but I wouldn't be ashamed to lose a bitcoin through malware, so there's no reason to ... but it's very unimportant, I just said it to explain my lack of information / my inability to run HijackThis.

