I GOT HACKED AND LOST 1 MILLION

[Valerian77]

Yesterday in the very early hours of the morning Dec 4th I have been hacked and completely robbed out. The total of 1 Mio USD in different coins have been stolen from my system. I am still pissed off from my own shitty security. But things happened and I cannot go back in time.

Here ist the list coins and transactions of the robbery:

Date/Time          Currency Amount      Reference to Blockchain explorer    Destination address
04.12.18 00:31   DASH       9000         https://tinyurl.com/y8fpvxln          Xom6WhRTiAZhtiMzMQXCS4Aew1PB3v62Tb
04.12.18 00:36   BCH        613,291     https://tinyurl.com/yd2y3wdr        Qpx5pyy9catx7sluuyzqr03fw3c93ahwms2qfhnznx
04.12.18 01:12   BTC        2                 https://tinyurl.com/ybnrmvfq        1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP
04.12.18 01:20   BTC        1,7            https://tinyurl.com/y8s4c7kc         1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP
04.12.18 01:30   NEM        264992       https://tinyurl.com/ycr35va3          NBLI5G-ONLML2-5RY666-BQL2QS-IIMCJT-EUT5PJ-R7MF
04.12.18 02:14   BURST    7643993       https://tinyurl.com/yat7pjna          BURST-2WVC-EJXY-TMMW-2SQRW
04.12.18 12:42   BTC        1,840       https://tinyurl.com/ycknktjx           bc1qy8ypdjjqkh663j83k4zlv8cxw8nte08m042nxf
04.12.18 12:44   OmiseGo  2329,436  https://tinyurl.com/y9tuss5q          0xd26114cd6ee289accf82350c8d8487fedb8a0c07
04.12.18 12:45   LTC        117,602       https://tinyurl.com/y895dtvs         LhpfUpX32CTyd8MekNJkdXAX9BZYUzHNtW
04.12.18 12:48   BCH        5,899       https://tinyurl.com/ydctqokv         Qzhpt232rhktu2zzll55cf4vthyya8mtw5nsg9auu9
04.12.18 12:48   DASH       4,929      https://tinyurl.com/ya23s6y9          XerirSmDu9YjbdG641uNsg5tmnb2twvrgE

I wish I never make this experience in my life - but I cannot turn the clock back. If anybody has a good idea how to track down the thief the reward will be 10% of the recovered sum or a minimum of 10,000 USD in case of success.

There is one more information - the thief also tried to corrupt my Gmail account and Google gave me this information:

   Uhrzeit:    Gestern, 03:10
   Standort:    Litauen
   IP-Adresse:    46.166.160.158

It can be checked here:     https://tinyurl.com/y782ufvu

I am looking desperately for any kind of help or ideas how to go on with this case.

Thank you for any help

[Harkorede]

OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.

[Valerian77]

OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency   Place
DASH      Qt-Wallet on Laptop
BCH      ElectronCash on Laptop
BTC      Binance.com
BTC      Kraken.com
NEM      Simplewallet on Laptop
BURST   Desktop wallet on Laptop
BTC      Exodus wallet on Laptop
OmiseGo   Exodus wallet on Laptop
LTC      Exodus wallet on Laptop
BCH      Exodus wallet on Laptop
DASH      Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum version for their blockchains.
I used the same long password for different things - especially my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - the one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)

[DaCryptoRaccoon]

Very sorry to read.

Do you know how the funds were compromised?
Do you have malware on your system?

NPM has recently been compromised and coin stealing malware was found in packages from NPM do you use NPM?

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

edit* no need didn't see you were using windows..

I am not sure there is much can be done you could contact exchanges and make them aware of the stolen coins see if they show on any exchange.
I would also keep the system offline if the attackers have access they could attempt to wipe there tracks if the machine is connected again.

You could also run wireshark see if there are any strange packets or connections that might help though it may not be advisable to download anything onto the machine if you are reporting it to the authority's.
They may ask you preserve it as evidence.

Edit*  If you think it was a keylogger there may be some traces of were it set the logs to.

[hubballi]

OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency   Place
DASH      Qt-Wallet on Laptop
BCH      ElectronCash on Laptop
BTC      Binance.com
BTC      Kraken.com
NEM      Simplewallet on Laptop
BURST   Desktop wallet on Laptop
BTC      Exodus wallet on Laptop
OmiseGo   Exodus wallet on Laptop
LTC      Exodus wallet on Laptop
BCH      Exodus wallet on Laptop
DASH      Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum version for their blockchains.
I used the same long password for different things - especially my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - the one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)

In your comment itself you have told how you got robbed, This mainly happens when claiming the hardfork coins, Before also lot of users got hacked due to it. Your first fault was that you are using same computer for surfing and saving your all important wallets and documents. Second fault using same password everywhere, this made easy job for the hacker to hack all your wallets and other online places.

But you are telling that your BINANCE AND KRAKEN exchange also got hacked but this both exchange you should have enabled the 2fa security then how did he got hacked it.

If you have to enabled the 2fa then it is really very bad that you are too careless with your security features which made you this much big loss. This is really a very costly lesson for you being careless with your security features.

[Valerian77]

But you are telling that your BINANCE AND KRAKEN exchange also got hacked but this both exchange you should have enabled the 2fa security then how did he got hacked it.

If you have to enabled the 2fa then it is really very bad that you are too careless with your security features which made you this much big loss. This is really a very costly lesson for you being careless with your security features.

Binance and Kraken was easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid.

Google was the only company which detected abnormal behaviour patterns and disabled the account very quickly - I was able to unlock it with a trusted telephone device. Kraken setup a new withdraw address (the one I listed above) on command from the hacker - but disabled the account after I sent them my report on the hacking after I changed pw and 2FA already. Binance basically did not even reply on my report so far. I changed passwords and 2FA codes for all accounts and need to set new passwords for a list of 100 or so services.

[jackg]

Can you edit your op and not include url shorterners? It's not a great idea to use them especially if you've just said your computer has been compromised.

I think you should probably try to reevaluate what you have been using that computer for recently. Clearly something has got on it somehow and one million us dollars is quite a sum to lose. I'd suggest you consider getting an airgapped wallet $2000 on two computers isn't a very big amount to keep your security high by making one airgapped and encrypting it as much as possible.

[bitarmor]

I did a look up. That IP originates from Lithuania; the ISP is UAB Cherry Servers with Azure configured as the name server and Cherry Servers are providers of Cloud Hosting Services so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because from Cherry Servers pricing page, their services are quite expensive and I am not sure someone other than a well connected group could afford it.

I also tried pinging but no response but

Code:

nmap -sV -Pn 46.166.160.158

reports open ports 3389: ms-wbt-server and 7070: ssl/realserver which confirms that the attacker is running a Windows OS and uses RDP for his trade.

I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online but without login creds, i can't do much. Maybe someone with advanced pentesting skills could take it up from here let's put an end to all these criminality.

[bitarmor]

You have to send an email detailing the whole issue to their abuse contact gotten from the domaintools search and maybe if they're reliable, they will try and help you out.

[mk4]

Hey. Really unfortunate on what happened to you. Hopefully this would be a lesson for you(an expensive lesson, that is). Please get a hardware wallet immediately if you're planning on re-buying cryptocurrencies.

Take note that while this is definitely a huge loss, remember that it's really not over for you. Money can be made back. Best of luck.

Binance and Kraken was easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid.

Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?

[jackleszz]

Both with the Electrum version for their blockchains.

Are you sure that the Electrum versions were official ones? Could you link to the ones you used.
Sometimes they aren't made by the devs of the coins.

[bob123]

I am sorry to hear about your loss.

But.. storing all of your money on your every-day-machine and on online services basically asks for being robbed.

You should have AT LEAST had a dedicated machine only for storing cryptos.
A proper offline-wallet / watch-only wallet setup or a hardware wallet would have been favorable.

Take it as a lesson and first work on your mindset regarding security before storing any cryptos again.
In the end.. owning cryptos means knowing a secret. Keeping this secret safe is the only way to keep your coins safe.

[buwaytress]

My ears burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts quickly while you were away.

As you said, no use to harp on your poor security behaviours. But let me tell you this, you have to all but give up on recovering any of the funds lost out of your wallets and exchanges. If those spends have all been confirmed, the best you can do now is try and track the receiving addresses and see if they belong to exchanges - that's where I'd liquidate stolen funds asap. Probably all gone either, but if you somehow identify the exchanges and they can act quick enough, funds can be frozen there and returned later, but be prepared to be able to prove ownership of originating wallets.

There's been precedent, and Shapeshift themselves have also been known to assist, but of course for figures far higher. $1m is a lot though.

[Valerian77]

...
Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?

It was Safe+ :  https://tinyurl.com/ycmetl2n
I was just in the  process of changing to Keypass because the developer of Safe+ seems to have abondanded his work. But it did a good job so far and I think this is very likely not the hacker.

[Valerian77]

Both with the Electrum version for their blockchains.

Are you sure that the Electrum versions were official ones? Could you link to the ones you used.
Sometimes they aren't made by the devs of the coins.

the links were these:
BTCP  from   https://github.com/BTCPrivate/electrum-btcp/releases
BCD    I do not remember the source but from my download history the version is    Electrum-BCD-3.1.2-portable.exe

most likely the BCD wallet was the culprit

[Valerian77]

My ears burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts quickly while you were away.

I was not away - they did it very quickly and I could literally see how they drained my wallets. 

[DaCryptoRaccoon]

My ears burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts quickly while you were away.

I was not away - they did it very quickly and I could literally see how they drained my wallets. 

With all the forks going on I am surprised we don't see more horror stories like this one every time I see a coin now that says 1:1 claim I become very wary.
Looking at the time stamps it seems they possibly recon this before they did the move so they might have had a good bit of time in your system to be able to strike over all those platforms in a short space of time.

I would agree this is not likely to be a loan wolf hacker or script kiddie if they went to the trouble of running via a vps then onto your system,

First hand I would be changing the RDP port on your machine.

The port setting for Remote Desktop Services is found in the Windows Registry. In order to change this setting we will need to change the Port Number value in the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Changing the port will stop them re-connecting to your machine in the short term.
I would also check your settings in windows control panel then go to remote desktop and turn it off (on by default)

You could also run netstat with some additional flags to see if there are any processes running on the machine that have established connections.
Or run TCPView and see if there is anything showing here that might give you a clue to how they penetrated your system.

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

[Valerian77]

I did a look up. That IP originates from Lithuania; the ISP is UAB Cherry Servers with Azure configured as the name server and Cherry Servers are providers of Cloud Hosting Services so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because from Cherry Servers pricing page, their services are quite expensive and I am not sure someone other than a well connected group could afford it.

I also tried pinging but no response but

Code:

nmap -sV -Pn 46.166.160.158

reports open ports 3389: ms-wbt-server and 7070: ssl/realserver which confirms that the attacker is running a Windows OS and uses RDP for his trade.

I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online but without login creds, i can't do much. Maybe someone with advanced pentesting skills could take it up from here let's put an end to all these criminality.

Very valueable remarks - thank you

I also strongly believe the hackers were a organized group. From starting the likely infected BCD wallet to the point where they literally knew everything over my system and infrastructure was just minutes. And they need to find the password safe files and a matching program to read it - which is now only available under Android. Finally they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH which I did meanwhile. So they came very quick, executed their damaging work and left a desaster for me

[Valerian77]

Looking at the time stamps it seems they possibly recon this before they did the move so they might have had a good bit of time in your system to be able to strike over all those platforms in a short space of time.

I think they started their job right in the moment when I started the BCD client. That must have been around midnight. Google closed my account at 03:16 due to unusual activity. That time they already hacked my kraken account for which Email + 2FA is necessary. Later obviously they just removed their traces which Google recognized.

First hand I would be changing the RDP port on your machine.

done

[Valerian77]

Meanwhile I checked the RDP logs on my system in   
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The setting of RDP is turned off