I GOT HACKED AND LOST 1 MILLION

[npole2000]

Which wallet you download before an attack happened? Also some AV certainly are not top level protection and you mention AVG, Avira which in my opinion are very low on my trusted list. You probably installed remote access trojan (RAT) on your PC, and with that hackers can do almost everything.

I downloaded the fake BCD wallet, i think it was Electrum-BCD-3.1.2-portable.exe from electrumdiamond.org (that is now closed/suspended).
What fooled me was the guides on Reddit to claim your forks.
Of course I downloaded the malicious software, I'm a little surprised that the AV's didn't caught this as apparently it's pretty old, not 0-day stuff. However still my mistake, I shouldn't have used the PC where I trade.

You do not mention using of firewall which is very important, most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software+hardware wallets. I know you are trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious files downloads.

I limit the firewall usage coz I'm behind a NAT, while you still exposed to the outgoing connections that can be exploited only by a malicious software running on the PC, that is the case. It's the first time that a file passed through my checks and scans. I would have probably authorized the wallet network traffic anyway ...maybe the firewall would have caught the RAT after the installation, but it's all assumptions here.

What I know is that even while knowing the infections, no scan have found it (I also give it a pass with malwarebytes), I had to trace it back "manually".

And it wasn't a traditional RAT, there was no "fake" app starting with my PC, and no port listening (it wouldn't have worked while behind a NAT without a proper port forwarding or uPNP). It was the app calling the remote server from my PC, and the app was a perfectly legit instance of notepad. I mean if it wasn't for the network activity, I would have never found it.

So they well obfuscated the code to not get caught, and used notepad as wrapper (proxy) to run the malicious code (you run the legit process as suspended, and they you gonna use the allocated space to run your own code).

[1714135906]

1714135906

[1714135906]

1714135906

[1714135906]

1714135906

[npole2000]

I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers proving their negligence.
The evidence to support the thesis is about the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer and while they didn't wanted to disclosure the customer identity (perfectly legal without a court/police mandate) they didn't reacted, neither they care to check the server, leaving it operative for several days, so leaving the criminals doing more damage (including to me).
I may have more chance to settle this due to their negligence, than try to find the "hacker", because it would cost me more money in lawyers than what they robbed.

The EU law exonerates the providers/host of the illegal activities conducted on their network/servers provided that they are unaware of it, while obliges them to react immediately as soon they became aware of the illegal conduct. The email sent by Valerian is clear evidence that they became aware of it, but not having reacted immediately, they became co-responsible of every subsequent damage. Hopefully it will make progress.

Honestly I will not investing much time in this, I mean I won't go in Lithuania to talk to them, and surely I won't spend another cent on this.

@Valerian: if you may provide to me in private the original conversation you had with Cherry Servers, it will greatly help!

[Valerian77]

I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers proving their negligence.
The evidence to support the thesis is about the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer and while they didn't wanted to disclosure the customer identity (perfectly legal without a court/police mandate) they didn't reacted, neither they care to check the server, leaving it operative for several days, so leaving the criminals doing more damage (including to me).
I may have more chance to settle this due to their negligence, than try to find the "hacker", because it would cost me more money in lawyers than what they robbed.

The EU law exonerates the providers/host of the illegal activities conducted on their network/servers provided that they are unaware of it, while obliges them to react immediately as soon they became aware of the illegal conduct. The email sent by Valerian is clear evidence that they became aware of it, but not having reacted immediately, they became co-responsible of every subsequent damage. Hopefully it will make progress.

Honestly I will not investing much time in this, I mean I won't go in Lithuania to talk to them, and surely I won't spend another cent on this.

@Valerian: if you may provide to me in private the original conversation you had with Cherry Servers, it will greatly help!

EU small claims is only for claims up to 5000 EUR. But sure I will give you the conversation with Cherry Servers.

[npole2000]

EU small claims is only for claims up to 5000 EUR. But sure I will give you the conversation with Cherry Servers.

Tnx. And yes, I spedicified: "Due to the low amount involved I can use the EU small claims...".
That's the amount they stolen from me, and that's the reason of why I'm proceeding against Cherry Servers. In the end I'm interested to have back my money, I don't care who will pay.

[Lucius]

npole2000 by what you wrote in your posts it seems that you possess fairly good knowledge regarding cryptocurrency and PC/online security. Unfortunately, you made just one mistake by downloading that fake wallet (if this is way how you get infected). In past such fake wallets only could steal seed or private keys, and now they become even greater threat. Because of that I only claim BCH via ElectronCash (https://electroncash.org/ is only legit site), and all other BTC forks have never been too important to me.

I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers proving their negligence.
The evidence to support the thesis is about the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer and while they didn't wanted to disclosure the customer identity (perfectly legal without a court/police mandate) they didn't reacted, neither they care to check the server, leaving it operative for several days, so leaving the criminals doing more damage (including to me).

This is good move since you have that option, honestly I did not even know such option is existed in EU (for some reason only Denmark is excluded). By the answer Cherry Servers give to Valerian77 they are not obliged to disclose such information to anyone then "local law enforcement agencies in Lithuania".

Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.

I hope European Small Claims can be of assistance in such a situation, be sure to let us know how the situation develops.

[Valerian77]

... By the answer Cherry Servers give to Valerian77 they are not obliged to disclose such information to anyone then "local law enforcement agencies in Lithuania".

Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.

they are not obliged to any law enforcement other than their local in a first glance. But if they provide knowingly a platform for scammers, criminals and maybe terrorists then they will see how quickly they will be involved in international criminal cases also in other countries and compensation requests.

[Initscri]

npole2000 by what you wrote in your posts it seems that you possess fairly good knowledge regarding cryptocurrency and PC/online security. Unfortunately, you made just one mistake by downloading that fake wallet (if this is way how you get infected). In past such fake wallets only could steal seed or private keys, and now they become even greater threat. Because of that I only claim BCH via ElectronCash (https://electroncash.org/ is only legit site), and all other BTC forks have never been too important to me.

I'm opening a legal complaint against Cherry Servers.
Due to the low amount involved I can use the EU small claims (no lawyer is needed and it's all electronic).
Instead of pursuing the hacker (I believe Valerian is doing it already), I will try to recover my money from Cherry Servers proving their negligence.
The evidence to support the thesis is about the fact that Valerian contacted them about the illegal activities running on their servers, giving enough information to identify the customer and while they didn't wanted to disclosure the customer identity (perfectly legal without a court/police mandate) they didn't reacted, neither they care to check the server, leaving it operative for several days, so leaving the criminals doing more damage (including to me).

This is good move since you have that option, honestly I did not even know such option is existed in EU (for some reason only Denmark is excluded). By the answer Cherry Servers give to Valerian77 they are not obliged to disclose such information to anyone then "local law enforcement agencies in Lithuania".

Dear Sir,

Despite the best intentions, I'm afraid we cannot help you in this situation. We do not reveal any information about services associated with our prior or current clients to third parties. As our company is registered in Lithuania, we are only accountable to local law enforcement agencies in Lithuania and can only reveal such information to them when obliged to do so by local law or when a Lithuanian court order is received.

I hope European Small Claims can be of assistance in such a situation, be sure to let us know how the situation develops.

And considering the amount, the case actually might stand a chance. It seems there are quite a few people who have been affected, a class action may be the best route of action.

[bitarmor]

Going through the previous comments especially that of npole, I now understand that the attacker(s) used some really good obfuscation techniques to bypass detection systems.
I also believe that the attacker got a legit version of the Electrum BCD wallet and then modified it to contain his malicious payload.

I think a good prevention mechanism everyone should note is how to do data verification. In other words, I mean verification of MD5, SHA-1 and SHA-256 hashes. Its some cryptography stuffs!

So for an example, if Electrum releases a new version of software, they also release the checksum, which are random strings of text. Now, If I download that new release and I want to ensure file integrity, I run a hash function against that file and compare the result to what was shown on the official website; if they match, I then know that it is legit. If not, I know that it has been tampered with.

Its kind of what I think is best practice for critical systems such as where you store your financial data.

There's no way both the legit Electrum and modded Electrum's checksum can be the same except if you were MITM'ed whilst visiting a non-https site.

A way to do this on Windows:
Open up Powershell and use the command:
default is SHA-256

Code:

Get-FileHash C:\path\to\file.exe 

To specify the hashing algorithm, (based on the official site's specification)

Code:

Get-FileHash C:\path\to\file.exe -Algorithm MD5

Code:

Get-FileHash C:\path\to\file.exe -Algorithm SHA1

Code:

Get-FileHash C:\path\to\file.exe -Algorithm SHA256

and then compare the result to the hash the official site released.

Linux users: (Any of the three depending on which you want to view)

Code:

md5sum /path/to/file

Code:

sha1sum /path/to/file

Code:

sha256sum /path/to/file

Stay safe, all.

[Valerian77]

I think a good prevention mechanism everyone should note is how to do data verification. In other words, I mean verification of MD5, SHA-1 and SHA-256 hashes. Its some cryptography stuffs!

If you have the real checksums they can be used to check the real executable. But what would prevent a scammer from creating new hashes for his malicious software? If the executable would be downloaded from his site then the hashes would also be from there.

Because of that I can just recommend anybody to use a dedicated device or hardware wallet for cryptocurrencies - do not expose your funds to thiefs and scammers. I wish I had taken these precautions myself in time.

[npole2000]

Because of that I can just recommend anybody to use a dedicated device or hardware wallet for cryptocurrencies - do not expose your funds to thiefs and scammers. I wish I had taken these precautions myself in time.

I use (multiple) hardware wallets.. or I would have lost everything.
I also use a dedicate PC to do my crypto stuff.
I'm also not 100% noob concerning the computers/IT stuff.

And considered all the above, howsoever, I still get robbed of something.
Analyzing the situation AFTER it happened, it's easy. There's like ten things that I could have done differently to avoid it (of course!), but the point is that a life is long a life... and sometime you can't be perfect every single day, otherwise we will live in the paranoid and fear.

- I should have paid much more attention to the wallet used, opinions on Reddit, guide on the web, an apparent legit website weren't enough.
- The fact that no AV/scans found anything wasn't sufficient to call the file safe.
- I could have used a VM to do this stuff (I have like 5 VM's installed on my machines, that are only a click away);
- I could have paid much more attention to how to use my trading platforms (leaving it open while not being at the PC is stupid if looked after..);
- And finally the luck (unluck): my daily hours (and dinner time) are normally different, that day I got delayed by other stuff, in 99% of others cases I would have been at the PC soon enough to block it before;

It's all about "imperfections" concatenate with each other and I consider myself very lucky to have adopted hardware wallets from the very begging and using 2FA on every exchanges, so while I learned a lesson for "cheap" (cheap if compared with your amount) I won't consider myself "completely stupid", I'm not perfect as every other human, maybe for the next months.. years.. I will pay much more attention than usual, but i'm sure that one I eventually forget to be extremely paranoid and I may do the same mistakes again.

My idea is: don't be a complete bloke (in example: don't leave your wallet full of money on a bench in a mall), but neither don't start to be paranoid (don't hide your money in a cave, under a rock, protected by lions), because if you start to be extremely paranoid you won't live anymore. so where you hide your hardware wallet seed? What if someone will find it? Did you split in 4 parts sending it 3 places around the world? do you remember all the 24 words by memory? What if your memory will not be good anymore? And stuff like this... you will always live with an "acceptable risk".

[Valerian77]

@npole2000
that is the reason that security is very expensive for companies and anyone else

[logfiles]

<snip>

Thanks for sharing the guide... This is new to me and I am glad I learned it from here. Better to take some time figuring out how to be secure than being sorry.
Yesterday I just did a google search on how people claim forks especially the recent Bitcoin Cash Forks and realized how so many people are vulnerable to getting hacked.

Incidents have been there where fake websites claiming to be official sites while offering fake wallets for download pop up out of nowhere. sometimes someone claiming to give a guide of how o claim the coins give a link to a fake wallet/fake website. Hopefully, will people get sensitized about such dirty tricks.

[cellard]

Sorry about what happened to you. This really hurts so much even for me to see someone loose their hard earned money.
I tried to do some small digging as to what may have led to you loosing all you coins and the fact is that BTC D wallet you download was the malware:

According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe). You definitely downloaded a Fake Electrum BCD wallet.

Genuine BCD wallet App - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe
Fake/Hacker's BCD Wallet App - Electrum-BCD-3.1.2-portable.exe

It's now clear that you downloaded the app from the hacker's website; https://www.electrumdiamond.org/ instead of downloading from the official website of Bitcoin Diamond; https://www.bitcoindiamond.org/ [http://btcd.io]
Fake Bitcoin diamond's Certificate has even expired since 12/6/2018

I also noted that the Github user ElectrumBTCD from whom you downloaded the wallet file joined Github only 22 days ago and has only one repository. This is a complete redflag



Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection



My conclusion is this is the malware that got you funds stolen, whoever is behind it has your funds. Am not so technical in tracing people using ip addresses so i will just leave these here in hope that the info might help someone who is able to track back to the evil hacker or hackers.

"Bitcoin Diamond" was never safe. If altcoins and all forks in generals are scammy, well, "Bitcoin Diamond" was just a straight robbery. There were news about it:

It is also witnessed that there is no source code made available to the people, in any form of open source codes. As a direct consequence of which, the Trezor along with Ledger Nano S hardware wallets do not support Bitcoin Diamond. On its official website, one can also find murky wallets and they have mentioned it as “Waltets”.

There exists no blockchain or the source code and therefore we can certainly designate Bitcoin Diamond to be a fraud.

https://coinnounce.com/bcd-bitcoin-diamond-scam-hard-fork-of-btc/

Well, this is insanity. No source code available and no blockchain? Anyway, I remember reading something fucked up about this fork and ignored it.

OP apparently also used the same password for password decryption as he used for online services? That's a no-no. And it seems you had a ton of money on exchanges too. Cmon guys, it's almost 2019. If you have 1 million bucks worth of crypto, put it 1 million bucks worth of effort into securing your coins, and remember to keep your coins in wallets within offline computers. Do not reuse passwords for online services. Pretty obvious stuff. Oh and try to avoid installing ANY altcoin software on the same computer you keep your bitcoins, and do not expose too much of your money outside of Bitcoin. Always check SHA-256 checksums if you are too lazy to compile source codes.

[Valerian77]

And the scammer is online again:

http://www.electrumdiamond.org/

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.

[logfiles]

And the scammer is online again:

http://www.electrumdiamond.org/

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.

Yup I also see it... am also wondering how this continues to happen.

Also, I was just thinking, If we took the complaint to the GitHub team, is there a chance that they could take down the malware hosted on their website alongside with the criminal's account?

[Initscri]

And the scammer is online again:

http://www.electrumdiamond.org/

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.

Yup I also see it... am also wondering how this continues to happen.

Also, I was just thinking, If we took the complaint to the GitHub team, is there a chance that they could take down the malware hosted on their website alongside with the criminal's account?

Not only that, but their registrar NameCheap & GoDaddy may be able to provide more information (https://who.is/whois/btcd.io)

Namecheap Abuse: https://www.namecheap.com/support/knowledgebase/article.aspx/9196/5/how-and-where-can-i-file-abuse-complaints

GoDaddy Abuse: https://godaddy.com/help/reporting-abuse-27154

Github Abuse: https://github.com/contact/report-abuse

GH at the very least will remove the repo.

[Lucius]

And the scammer is online again:

http://www.electrumdiamond.org/

I just want to know how domain registry services and international police can allow these criminals to go on with their activities.

It seems that cryptocurrency is not at the top of their list of priorities for now. If we consider how much total crypto market worth today, it is clear that they have some other priorities which generate much larger sums of money in terms of criminal activities. In addition, there is also the problem of education - to fight these threats we need educated people in the right places. One of the benefits of the Internet is anonymity, and we can see some bad people use that - they just switch form one hosting/country to another.

I report this site to : https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

Let's shut them down as soon as possible

[Valerian77]

this is funny (or not)

Namecheap never reacted to the ticket. GitHub seamed to have taken down the repository for some days. But now its up and running again. 

[Lucius]

this is funny (or not)
Namecheap never reacted to the ticket. GitHub seamed to have taken down the repository for some days. But now its up and running again. 

I think that for some people holidays have started a little earlier, at this time of year support may be slower than usual. Have you followed Namecheap rules regarding the abuse reporting? Maybe they consider your case as Fraud scheme and they will not assist you if report is not made to https://complaint.ic3.gov .

I have to admit it's strange that GitHub is reacted in that way, maybe they remove them, but they find a way to get back. Only thing we can do is to report them again.

Is there any progress in the investigation of your case?

[Valerian77]

this is funny (or not)
Namecheap never reacted to the ticket. GitHub seamed to have taken down the repository for some days. But now its up and running again. 

I think that for some people holidays have started a little earlier, at this time of year support may be slower than usual. Have you followed Namecheap rules regarding the abuse reporting? Maybe they consider your case as Fraud scheme and they will not assist you if report is not made to https://complaint.ic3.gov .

I have to admit it's strange that GitHub is reacted in that way, maybe they remove them, but they find a way to get back. Only thing we can do is to report them again.

yes probably - it would be a mess if another person would become victim of this fraud

Is there any progress in the investigation of your case?

yes there is - I will post the progress when it will not affect the investigation anymore