Bitcoin Forum
Pages: « 1 2 [3] 4 5 6 7 »  All
Author Topic: I GOT HACKED AND LOST 1 MILLION  (Read 25007 times)
upupup (Full Member; Activity: 165; Merit: 106)
December 08, 2018, 04:53:18 PM  #41

Please ask the www.vpn.ac provider, as they might own the range; it's known that 46.166.161.227 is their VPN server in Siauliai (and the hacker's IP is 46.166.160.158).

jackg (Copper Member, Legendary; Activity: 2856; Merit: 3071)
December 08, 2018, 05:04:03 PM  #42

Quote from: upupup (#41)
> Please ask the www.vpn.ac provider, as they might own the range; it's known that 46.166.161.227 is their VPN server in Siauliai (and the hacker's IP is 46.166.160.158).

I was thinking that surely someone couldn't be dumb enough to use their own IP for a hacking attempt. I know people are dumb, but that'd be a new level...

It's likely it's owned by a VPN or someone providing a hidden service such as Tor or OpenVPN (fewer lists will be kept of these too).
btcaccelerator (Newbie; Activity: 112; Merit: 0)
December 08, 2018, 05:56:09 PM  #43

I'm sorry for your loss.

The Dash was sent to a lot of addresses, but the last tx in the chain, of 8,147.263 Dash, is at this address:
Code:
Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC
https://chainz.cryptoid.info/dash/address.dws?Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC.htm

I will search for all the coins later. Maybe someone can contact an exchange to ask if this address belongs to an exchange.
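The manual chain-following btcaccelerator describes above (follow each output forward until the coins stop moving, then ask whether the address where they rest belongs to an exchange) is the same walk a script performs over a block explorer's transaction data. The Python below is an added example, not code from this thread or from any explorer; the ledger, the txids and addresses, and the exchange attribution list in it are constructed stand-ins (placeholder names, not real Dash identifiers), and a real run would fetch each transaction from an explorer API and feed it in the same shape.

```python
"""Forward-trace stolen coins through a transaction graph until they rest.

Added example for this thread, not code from it. The ledger below is a
constructed stand-in: txids and addresses are placeholder strings, not real
Dash or Bitcoin identifiers. A real run would pull each transaction from a
block explorer API and feed it in the same shape.
"""
from collections import defaultdict, deque

# txid -> {"inputs": [(prev_txid, vout), ...], "outputs": [(address, amount), ...]}
# The thief receives the coins in tx_theft, splits them, re-merges most of
# them into one parked output, and pushes a sliver of change to a deposit
# address that (in this constructed data) belongs to an exchange.
SAMPLE_LEDGER = {
    "tx_theft": {"inputs": [("tx_victim_funding", 0)],
                 "outputs": [("thief_A", 8200.0)]},
    "tx_split": {"inputs": [("tx_theft", 0)],
                 "outputs": [("thief_B", 5000.0), ("thief_C", 3199.0)]},
    "tx_merge": {"inputs": [("tx_split", 0), ("tx_split", 1)],
                 "outputs": [("thief_parked", 8147.263), ("thief_change", 51.0)]},
    "tx_deposit": {"inputs": [("tx_merge", 1)],
                   "outputs": [("exchange_deposit_addr", 50.9)]},
}

# Constructed attribution list; in practice this comes from the exchange
# itself or a chain-analysis provider, never from guessing.
KNOWN_EXCHANGE_ADDRESSES = {"exchange_deposit_addr"}


def build_spend_index(ledger):
    """Map every spent outpoint (txid, vout) to the txid that consumes it."""
    spent_by = {}
    for txid, tx in ledger.items():
        for prev_txid, vout in tx["inputs"]:
            spent_by[(prev_txid, vout)] = txid
    return spent_by


def trace_forward(ledger, start_txid):
    """Follow all outputs of start_txid forward until an output is unspent.

    Returns (resting, visited): resting maps address -> amount sitting in
    unspent outputs reached from the start; visited is the set of txids
    walked. This is 'poison' tainting: every output of a spending
    transaction is followed, even where the thief mixed in unrelated coins,
    so the amounts are an upper bound on what is traceably the victim's.
    """
    spent_by = build_spend_index(ledger)
    queue = deque((start_txid, v)
                  for v in range(len(ledger[start_txid]["outputs"])))
    seen = set()
    visited = {start_txid}
    resting = defaultdict(float)
    while queue:
        outpoint = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        txid, vout = outpoint
        address, amount = ledger[txid]["outputs"][vout]
        spender = spent_by.get(outpoint)
        if spender is None:
            # Unspent: this is where the coins currently rest.
            resting[address] += amount
            continue
        visited.add(spender)
        for v in range(len(ledger[spender]["outputs"])):
            queue.append((spender, v))
    return dict(resting), visited


def exchange_touchpoints(resting, known=KNOWN_EXCHANGE_ADDRESSES):
    """Resting outputs that sit at attributed exchange addresses: these are
    the ones worth a freeze request, as the thread suggests."""
    return {addr: amt for addr, amt in resting.items() if addr in known}


if __name__ == "__main__":
    resting, visited = trace_forward(SAMPLE_LEDGER, "tx_theft")
    for addr, amt in resting.items():
        print(f"{addr}: {amt}")
    print("at exchanges:", exchange_touchpoints(resting))
```

The walk stops at unspent outputs only, so it has to be re-run as the thief keeps moving coins; mixing services break it because their outputs merge many victims' coins, which is exactly why the thread treats the exchange deposit, not the parked address, as the actionable lead.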
Initscri (Hero Member; Activity: 1540; Merit: 759)
December 08, 2018, 06:46:16 PM  #44

The IP was released by RIPE; have you tried emailing their abuse address, abuse@ripe.net?

Valerian77 (OP) (Sr. Member; Activity: 437; Merit: 255)
December 09, 2018, 01:49:31 AM  #45

Quote:
> ...
> So it's your best chance to do something: report your case directly to the Lithuanian police, in a way to get some good lawyer maybe. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.
>
> Lithuania is also a member country of Interpol; maybe they can do something to help you track the hackers.

Yes, right - the case is now in the hands of the police. I trust that they use the international investigation methods that they have. Due to the amount of money it is likely that they will really follow the traces. Let's see what they can do.

Quote:
> I'm interested: did you try to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.

I put the addresses out in public because many different coins were stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that can be traced easily.
Valerian77 (OP) (Sr. Member; Activity: 437; Merit: 255)
December 09, 2018, 02:00:31 AM  #46

Quote from: Initscri (#44)
> The IP was released by RIPE; have you tried emailing their abuse address, abuse@ripe.net?

OK, thanks - I will.
Initscri (Hero Member; Activity: 1540; Merit: 759)
December 09, 2018, 03:46:26 AM  #47

Quote from: Valerian77 (#45)
> ...
> > So it's your best chance to do something: report your case directly to the Lithuanian police, in a way to get some good lawyer maybe. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.
> >
> > Lithuania is also a member country of Interpol; maybe they can do something to help you track the hackers.
>
> Yes, right - the case is now in the hands of the police. I trust that they use the international investigation methods that they have. Due to the amount of money it is likely that they will really follow the traces. Let's see what they can do.
>
> > I'm interested: did you try to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.
>
> I put the addresses out in public because many different coins were stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that can be traced easily.

Based on the number of outputs, I wouldn't be surprised if they mixed them, to be completely honest.

That's a hard road to follow; I'd say your best piece of information at this point would be the attempted Gmail access by far (i.e. the IP address you have).

Lucius (Legendary; Activity: 3220; Merit: 5621)
December 09, 2018, 11:20:36 AM  #48

Quote from: Valerian77 (#45)
> ...
> > So it's your best chance to do something: report your case directly to the Lithuanian police, in a way to get some good lawyer maybe. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action.
> >
> > Lithuania is also a member country of Interpol; maybe they can do something to help you track the hackers.
>
> Yes, right - the case is now in the hands of the police. I trust that they use the international investigation methods that they have. Due to the amount of money it is likely that they will really follow the traces. Let's see what they can do.
>
> > I'm interested: did you try to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.
>
> I put the addresses out in public because many different coins were stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that can be traced easily.

I think that an international police investigation is the best chance for you, and no matter how well hidden the hackers' traces are, if there is a will and determination the hackers can be found. At the present time even the most careful hacker leaves some digital footprint, so I'm confident that something will be discovered.

Did you maybe try to get out to the public (besides forums) with your story, maybe only to crypto-related media? Maybe someone has had a similar experience which can help in the investigation, or your case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.

I understand regarding monitoring the stolen coins; it is good that you give them in public - maybe someone will find some trace.


Valerian77 (OP) (Sr. Member; Activity: 437; Merit: 255)
December 09, 2018, 11:58:10 AM  #49

Quote from: Lucius (#48)
> ...
>
> I think that an international police investigation is the best chance for you, and no matter how well hidden the hackers' traces are, if there is a will and determination the hackers can be found. At the present time even the most careful hacker leaves some digital footprint, so I'm confident that something will be discovered.
>
> Did you maybe try to get out to the public (besides forums) with your story, maybe only to crypto-related media? Maybe someone has had a similar experience which can help in the investigation, or your case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.
>
> I understand regarding monitoring the stolen coins; it is good that you give them in public - maybe someone will find some trace.

There was another case in 2011: https://bitcointalk.org/index.php?topic=16457.0

Back then they were not able to identify the hacker. This time there are some more traces, and at least one responsible company who hosted the computer which was used for the hack.
TheShillBilly (Newbie; Activity: 19; Merit: 1)
December 09, 2018, 05:22:22 PM  #50

I'm sorry to hear this OP.  Did you by chance download your BTCD wallet from electrumdiamond dot com?

In May of this year (2018), I too was hacked by this malware wallet.  :-(

DM, if you would like to discuss.
logfiles (Copper Member, Legendary; Activity: 1960; Merit: 1638)
December 11, 2018, 07:54:07 AM  #51
Last edit: July 19, 2023, 09:51:54 PM by logfiles
Merited by suchmoon (4), Bitcoin_Arena (3), vapourminer (2), DdmrDdmr (1)

Sorry about what happened to you. This really hurts so much, even for me, to see someone lose their hard-earned money.
I tried to do some small digging as to what may have led to you losing all your coins, and the fact is that the BTCD wallet you downloaded was the malware:

According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe), you definitely downloaded a fake Electrum BCD wallet.

Genuine BCD wallet app - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe
Fake/hacker's BCD wallet app - Electrum-BCD-3.1.2-portable.exe

It's now clear that you downloaded the app from the hacker's website, https://www.electrumdiamond.org/, instead of from the official website of Bitcoin Diamond, https://www.bitcoindiamond.org/ [http://btcd.io].
The fake Bitcoin Diamond site's certificate has even been expired since 12/6/2018.

I also noted that the GitHub user ElectrumBTCD, from whom you downloaded the wallet file, joined GitHub only 22 days ago and has only one repository. This is a complete red flag.

Finally I decided to scan the said wallet on VirusTotal:
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

My conclusion is that this is the malware that got your funds stolen; whoever is behind it has your funds. I'm not so technical in tracing people using IP addresses, so I will just leave this here in the hope that the info might help someone who is able to track back to the evil hacker or hackers.


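The checks logfiles walks through in post #51 (a filename and version that exist in no real release, a download host that is not the project's, and a SHA-256 that VirusTotal already knows) can be made mechanical before a binary is ever run. The Python below is an added example, not code from this thread or from the Bitcoin Diamond project: the "genuine" and "fake" file contents are constructed byte strings, the manifest hash is derived from the constructed genuine file (it is not the project's real release hash), the official-host allowlist is taken from logfiles' post and treated as an assumption, and the known-bad list holds the hash of the constructed fake so the run works offline (in practice the SHA-256 from the VirusTotal report would go there). Where a project publishes a signed release manifest, verifying that signature comes first; this covers what can be checked without one.

```python
"""Triage a downloaded wallet binary before it is ever executed.

Added example for this thread, not code from the Bitcoin Diamond project or
from any poster. Everything in it is constructed: the 'genuine' and 'fake'
file contents, the manifest hash derived from them, the official-host list
(taken from logfiles' post and used here as an allowlist assumption) and the
known-bad hash list.
"""
import hashlib
import posixpath
from urllib.parse import urlparse

# Stand-in file contents, constructed. In real use 'data' is the downloaded file.
GENUINE_SAMPLE = b"MZ\x90\x00 constructed stand-in for the genuine portable build"
FAKE_SAMPLE = b"MZ\x90\x00 constructed stand-in for the trojanised portable build"

# Trusted manifest as an official release page would publish it:
# filename -> SHA-256. Derived from the stand-in above, not a real release hash.
TRUSTED_MANIFEST = {
    "Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe":
        hashlib.sha256(GENUINE_SAMPLE).hexdigest(),
}

# Hosts the thread names as the project's own; treated here as an allowlist.
OFFICIAL_HOSTS = {"bitcoindiamond.org", "www.bitcoindiamond.org", "btcd.io"}

# Known-malicious sample hashes. For the offline run this holds the hash of
# the constructed fake; in practice the VirusTotal SHA-256 would sit here.
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_SAMPLE).hexdigest()}

FINDING_HOST = "download host is not an official project host"
FINDING_NAME = "filename is not in the trusted release manifest"
FINDING_HASH = "sha256 does not match the manifest entry for this filename"
FINDING_IOC = "sha256 matches a known-malicious sample"


def triage_download(url, data, manifest=TRUSTED_MANIFEST,
                    official_hosts=OFFICIAL_HOSTS, known_bad=KNOWN_BAD_SHA256):
    """Return {'sha256', 'filename', 'verdict', 'findings'} for one download.

    Hostname comparison is exact on purpose: 'electrumdiamond.org' must not
    pass because it contains 'diamond', and 'bitcoindiamond.org.evil.example'
    must not pass because it starts with the right name.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = posixpath.basename(parsed.path)
    digest = hashlib.sha256(data).hexdigest()
    findings = []

    if host not in official_hosts:
        findings.append(FINDING_HOST)

    expected = manifest.get(filename)
    if expected is None:
        # The thread's tell: version 3.1.2 existed nowhere in the real releases.
        findings.append(FINDING_NAME)
    elif expected != digest:
        findings.append(FINDING_HASH)

    if digest in known_bad:
        findings.append(FINDING_IOC)

    return {
        "sha256": digest,
        "filename": filename,
        "verdict": "ok" if not findings else "reject",
        "findings": findings,
    }


if __name__ == "__main__":
    fake = triage_download(
        "https://www.electrumdiamond.org/Electrum-BCD-3.1.2-portable.exe",
        FAKE_SAMPLE)
    real = triage_download(
        "https://www.bitcoindiamond.org/dl/Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe",
        GENUINE_SAMPLE)
    print(fake["verdict"], fake["findings"])
    print(real["verdict"], real["findings"])
```

The order of the checks matters less than the fact that any single finding rejects the file: a clean VirusTotal result on its own (which is what the OP saw at the time) proves nothing, because a fresh build has no detections until someone uploads it, whereas a filename absent from the official manifest or a non-official host is knowable on day one.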
Valerian77 (OP) (Sr. Member; Activity: 437; Merit: 255)
December 11, 2018, 09:32:38 AM  #52


This is surprising - when I checked the wallet with VirusTotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
marciks (Jr. Member; Activity: 108; Merit: 1)
December 11, 2018, 11:48:47 AM  #53


Quote from: Valerian77 (#52)
> This is surprising - when I checked the wallet with VirusTotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

They must have obfuscated the code. Only after the hack was their signature added to the VirusTotal DB and such. The probability that other people got hacked by this same wallet is high!

Hope you don't leave crypto after this. As another member said, you are healthy and can still make money!
Initscri (Hero Member; Activity: 1540; Merit: 759)
December 11, 2018, 01:05:38 PM  #54


Quote from: Valerian77 (#52)
> This is surprising - when I checked the wallet with VirusTotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse

GitHub may be more willing to give more information regarding the wallet repo & the account it's under.

npole2000 (Newbie; Activity: 5; Merit: 3)
December 11, 2018, 01:07:17 PM  #55
Merited by DdmrDdmr (1)

Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges.
I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious.
The next day I was trading on Kraken and went for dinner (I left it open, because I believed it would be a quick one...!); they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank; I have been very lucky, or I would have lost a much bigger amount. They still managed to get the equivalent of 1.7 BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure out when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
- They promptly deleted the above emails (or I would have noticed on my mobile); I found them later in my trash folder.

Then I started to investigate the vector. I was confident that it was the wallet; I was almost sure after having read this thread, which I found by searching for the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine; anti-malware found nothing.
Even looking at the compromised app (notepad), everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however, this isn't very relevant).

Again, I was very lucky to have moved the money away from it; they must have noticed me moving the funds away and "risked" their move, being worried that I would have emptied the whole thing. After all, 1.7 BTC is better than nothing for a robber!
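The step that actually caught the backdoor in npole2000's post (not an AV scan, but noticing that a notepad.exe process held a live connection to 46.166.160.158) is a process-to-socket correlation, and it generalises: a signed system binary that has no reason to talk to the network, yet does, is the classic sign of code injected into a legitimate process. The Python below is an added example, not code from the thread or from any poster. The `netstat -ano` and `tasklist /fo csv` output it parses is constructed to mirror what the post describes; 203.0.113.5 is a documentation-range address standing in for ordinary browser traffic, the "never needs the network" list is an assumption, and on a live Windows host the two strings would come from running those commands.

```python
"""Correlate open network connections with their owning process (triage step).

Added example for this thread, not code from npole2000 or any other poster.
The netstat and tasklist output below is constructed to mirror what the post
describes: a notepad.exe process with a live connection to the IP from the
thread. 203.0.113.5 is a documentation-range address standing in for ordinary
browser traffic. On a real host, feed in `netstat -ano` and `tasklist /fo csv`.
"""
import csv
import io

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49731     46.166.160.158:443     ESTABLISHED     4120
  TCP    192.168.1.20:49744     203.0.113.5:443        ESTABLISHED     6820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2216
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"notepad.exe","4120","Console","1","12,340 K"
"chrome.exe","6820","Console","1","231,204 K"
"svchost.exe","912","Services","0","8,112 K"
"svchost.exe","2216","Services","0","6,540 K"
"""

# Binaries that have no business holding a remote peer (assumed list). A valid
# Microsoft signature on the file on disk says nothing here: the code running
# inside the process was injected after the signed image was loaded.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}
# Indicator taken from the thread.
IOC_IPS = {"46.166.160.158"}
# Remote endpoints that mean "listening / unbound", not an actual peer.
UNBOUND_PEERS = {"0.0.0.0", "*", "[::]"}

REASON_INJECTED = "process that never needs the network has a remote peer"
REASON_IOC = "remote peer matches a known indicator"


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["TCP"] and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[:1] == ["UDP"] and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # banner, header, or a row shape we do not understand
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> lower-cased image name from `tasklist /fo csv`."""
    return {int(row["PID"]): row["Image Name"].lower()
            for row in csv.DictReader(io.StringIO(text))}


def peer_ip(endpoint):
    """'1.2.3.4:443' -> '1.2.3.4'; '[::1]:443' -> '[::1]'; '*:*' -> '*'."""
    return endpoint.rsplit(":", 1)[0]


def find_suspicious(conns, pid_to_image,
                    no_network=NO_NETWORK_EXPECTED, ioc_ips=IOC_IPS):
    """Flag connections owned by never-network processes or going to IOC peers."""
    findings = []
    for c in conns:
        ip = peer_ip(c["remote"])
        if ip in UNBOUND_PEERS:
            continue
        image = pid_to_image.get(c["pid"], "<unknown>")
        for hit, reason in ((image in no_network, REASON_INJECTED),
                            (ip in ioc_ips, REASON_IOC)):
            if hit:
                findings.append({"pid": c["pid"], "image": image,
                                 "remote": c["remote"], "reason": reason})
    return findings


if __name__ == "__main__":
    hits = find_suspicious(parse_netstat(NETSTAT_SAMPLE),
                           parse_tasklist_csv(TASKLIST_SAMPLE))
    for h in hits:
        print(f"PID {h['pid']} {h['image']} -> {h['remote']}: {h['reason']}")
```

This keys on behaviour rather than on file signatures, which is why it sees what the AV products in the post did not. The allowlist rule is blind to a RAT that injects into a browser or another process that legitimately talks to the internet, so the indicator rule runs alongside it; on a live host the snapshot should be taken several times, since a beaconing implant may hold no connection at the moment you look.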
Get-Paid.com (Sr. Member; Activity: 1820; Merit: 386)
December 11, 2018, 01:08:44 PM  #56


Quote from: Initscri (#54)
> > This is surprising - when I checked the wallet with VirusTotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
>
> It leaves another company to contact for information. See https://github.com/contact/report-abuse
>
> GitHub may be more willing to give more information regarding the wallet repo & the account it's under.

The hacker(s) probably provided fake info to GitHub when signing up, but perhaps IP addresses might be helpful.

Initscri (Hero Member; Activity: 1540; Merit: 759)
December 11, 2018, 01:12:24 PM  #57


Quote from: Get-Paid.com (#56)
> > > This is surprising - when I checked the wallet with VirusTotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
> >
> > It leaves another company to contact for information. See https://github.com/contact/report-abuse
> >
> > GitHub may be more willing to give more information regarding the wallet repo & the account it's under.
>
> The hacker(s) probably provided fake info to GitHub when signing up, but perhaps IP addresses might be helpful.

Oh, there's no doubt they faked the info. But an IP may correlate to one of the attacks.

Doing a quick WHOIS pulls up Namecheap as their registrar.
https://who.is/whois/electrumdiamond.org

I'd contact their abuse email as well to see if they can assist at all.
It seems the domain was registered more than a year ago; you may be able to find cached versions of their DNS.

http://research.domaintools.com/research/whois-history/search/?q=electrumdiamond.org

Bitcoin_Arena (Copper Member, Legendary; Activity: 2016; Merit: 1771)
December 11, 2018, 03:19:48 PM  #58

Feel so sorry for OP. A few days ago, I made an article on how not all crypto apps in app stores are safe. I didn't give much on other wallets and apps on GitHub, but reading through your story, this is even more serious than phishing attempts through fake apps. I'm going to update my thread using this experience (I hope it's okay) with a major focus on the app in question, so that new users can know how grave this matter can be.
I wish you all the best in an attempt to try and net that/those culprit(s).

Valerian77 (OP) (Sr. Member; Activity: 437; Merit: 255)
December 11, 2018, 03:34:27 PM  #59

Quote from: Bitcoin_Arena (#58)
> Feel so sorry for OP. A few days ago, I made an article on how not all crypto apps in app stores are safe. I didn't give much on other wallets and apps on GitHub, but reading through your story, this is even more serious than phishing attempts through fake apps. I'm going to update my thread using this experience (I hope it's okay) with a major focus on the app in question, so that new users can know how grave this matter can be.
> I wish you all the best in an attempt to try and net that/those culprit(s).

OK - do not forget all the other scam wallets, like the fake BTCP etc. Nothing is safe before you are 100% sure about the source of an executable. And in that case it's possible that no virus protector shows any indication.
Lucius (Legendary; Activity: 3220; Merit: 5621)
December 12, 2018, 11:49:16 AM  #60
Merited by logfiles (2)

Quote from: npole2000 (#55)
> Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges.
> I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious.
> The next day I was trading on Kraken and went for dinner (I left it open, because I believed it would be a quick one...!); they noticed my absence and used the session.
> The same day I monetized most of the crypto in that account and transferred everything to the bank; I have been very lucky, or I would have lost a much bigger amount. They still managed to get the equivalent of 1.7 BTC before I returned.
>
> - They couldn't steal them while I was offline (2FA);
> - They were obviously monitoring my activity to figure out when I went away (they started about 30 minutes after I left my PC);
> - They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
> - They promptly deleted the above emails (or I would have noticed on my mobile); I found them later in my trash folder.
>
> Then I started to investigate the vector. I was confident that it was the wallet; I was almost sure after having read this thread, which I found by searching for the IP address used for the hack.
> I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
> The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine; anti-malware found nothing.
> Even looking at the compromised app (notepad), everything appeared legit (and signed by Microsoft).
> It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however, this isn't very relevant).
>
> Again, I was very lucky to have moved the money away from it; they must have noticed me moving the funds away and "risked" their move, being worried that I would have emptied the whole thing. After all, 1.7 BTC is better than nothing for a robber!

Which wallet did you download before the attack happened? Also, some AVs certainly are not top-level protection, and you mention AVG and Avira, which in my opinion are very low on my trusted list. You probably installed a remote access trojan (RAT) on your PC, and with that hackers can do almost everything.

You do not mention using a firewall, which is very important; most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software + hardware wallets. I know you are a trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious file downloads.

Maybe it would be good to read: 5 Ways to Catch a RAT

Notice: Both links posted in this post are scanned with https://www.virustotal.com and they are safe to visit.
