I GOT HACKED AND LOST 1 MILLION

[Artemis3]

Passwords may be as good as they can. When they are stored in the same password safe the single password of the safe unlocks all of them. A password safe does not provide real security. At most it helps to distribute your passwords over many devices.

do not put backup codes in any password safe. They are only safe on paper and that only if they are read from the screen on a safe system. 2FA means to have a second independent source for the authentication - that is not given anymore if the backup codes are stored on the same system as the password - that is even true if a different password manager is used.

It is an scalability problem. Your brain isn't going to reliable handle 1000 random passwords. Same with 2fa backups. Tho be my guest if you trust more writing them down manually in a notebook, and hope that notebook does not fall in the wrong hands or gets lost.

Password managers encrypt their data file (or at least they should), provided you use a decent password, it should be no problem to store it even in google cloud. If you read the rest of my post, you should pay attention to the "secure computer" part, you can have that one air gapped, without any LAN or WIFI if you want.

You don't seem to trust password managers, perhaps because your password was keylogged when you opened it in your insecure windows computer. But that's not the password manager fault, you had a malware already intercepting everything. You should prevent this in the first place.

[GrosWesh]

Thank you for all given infos, including @Artemis3.

On my side I set some rules :

- Permanent use of a keyboard input encryptor : however I do not know it's real efficiency, your opinions are therefore welcome.

- Each password used (and I use hundreds) is unique.

- All these passwords are printed on physical paper and stored in a folder. Of course in case of destruction of these documents (by fire, water etc ...) I could only blame myself. It should be noted that this solution suits me for the moment insofar as I do not have collossales sums in cryptos.In the case of op, I would secure even more it is obvious).

- I do not install special wallets (especially for airdrops)

There is so much more to say, but eveyone uses own method.I especially wanted to participate in this conversation to bring my humble point of view regarding the storage of passwords.

Good luck to all, especially op, you have strong nerves, well done! I wish you the best for 2019, wholeheartedly

[JollyGood]

A good idea is maybe having a separate laptop which is specifically used for the purpose of wallet transactions only

[lightfoot]

Another possibility is to buy a tablet or something and run a wallet there. If you dedicate it you probably won't be running other stuff, the problem then becomes updates and such. Eventually you just get a HW wallet or cold wallets and be done with it.

[Artemis3]

Thank you for all given infos, including @Artemis3.

On my side I set some rules :

- Permanent use of a keyboard input encryptor : however I do not know it's real efficiency, your opinions are therefore welcome.

- Each password used (and I use hundreds) is unique.

- All these passwords are printed on physical paper and stored in a folder. Of course in case of destruction of these documents (by fire, water etc ...) I could only blame myself. It should be noted that this solution suits me for the moment insofar as I do not have collossales sums in cryptos.In the case of op, I would secure even more it is obvious).

- I do not install special wallets (especially for airdrops)

There is so much more to say, but eveyone uses own method.I especially wanted to participate in this conversation to bring my humble point of view regarding the storage of passwords.

Good luck to all, especially op, you have strong nerves, well done! I wish you the best for 2019, wholeheartedly

Those are good ideas. You have to think ahead, because when you are handling money you WILL become a target, either directly (you managed to attract someone's attention) or indirectly (phishing, malware, random probing, etc).

As for the keyboard encryptor, I'm not entirely sure of the usefulness of that. I guess its a race of who captures the keystrokes first...
You should have those passwords backed up in someway, in case the physical location gets destroyed (in a fire, flood, or such). Could be digitally using an encrypted file or password manager, or copies in a different places. But securing (and making) the copies becomes tricky; which is why I like the digital encrypting method more.

Another possibility is to buy a tablet or something and run a wallet there. If you dedicate it you probably won't be running other stuff, the problem then becomes updates and such. Eventually you just get a HW wallet or cold wallets and be done with it.

Cold "paper" wallets are very good when handled properly and its always a good practice to learn how to make and use them.

And never mix your leisure computer with your money handling operations.

[Valerian77]

One million USD is such a big money. Someone is spying on you since you had a lot of portfolio in your system.

I am not the only victim of these criminals. And I think they did not spy directly on me but on people who downloaded and used their trap like BCD wallet malware.

I guess you can't recover your coins since it is already been taken away from you. I can only advice is to make a seperate wallets that you will put 2FA for more security.

yes - I should have known it before. Now the damage is there. For sure I will not make that mistake again. And I will not recover from it anytime soon. I worked for many years to get together what has been stolen now.

I'm so sorry for your lost. I hope you can recover your money / coins back.

Last year, me and lots of people were scammed by coinsmarkets exchange and we never get back our's.
Thread was locked ( I have never understand why it's locked ) but you can get some authorities' contact info and some advises. https://bitcointalk.org/index.php?topic=2185903.4060

honestly contacting the authorities is always a good step in this kind of situation. If it helps is another kind of question. I assume that most of these criminals make a failure former or later which directs them into prison. But does it help the victims? Most times not. Anyways it might help to keep some out of this criminal business - like this one:
Russian 'hacking genius' accused of $530 million 'dark web' fraud against Americans posed with tigers and crocodiles before his FBI-ordered arrest

[alevlaslo]

It was necessary to use only cold storage that the network machine never saw your private keys http://docs.electrum.org/en/latest/coldstorage.html
But DASH masternodes not working at this mode

NEM can return, please contact the developers

[khaled0111]

...
- Permanent use of a keyboard input encryptor : however I do not know it's real efficiency, your opinions are therefore welcome.
...

It is not 100% safe. A low level keylogger or kernel-based keylogger will be able to intercept your keyboard inputs before it gets encrypted.
this solution works better with touch screen inputs not with keyboard inputs.

The best is to combine it with typing some keys via visual keyboard. You can also trick the hacker by adding some random keytrokes (there are softwares that can generate it for you).

[alevlaslo]

nothing will save you from a smart virus, it can even recover files from a cleaned recycle bin, so only cold storage is necessary

other people not touched yet, but this a large amount was

[kano]

Well, the simplest change to make to more likely avoid such problems is to not use Windows.

Linux is not virus proof, but a much smaller and harder target for hackers.
Ubuntu is simple to install and easy to use.

Windows virus checkers do not detect 'viruses' they detect 'known viruses'
This case clearly shows that.
... and that is by design by McAfee years ago to ensure an ongoing income stream.

Botnets of 100's of 1000's of windows machines are not urban legends, they're fact.

If you wish to reduce you risk storing currency on a computer, use linux, but also understand how to do that safely.

[lepbagong]

A good idea is maybe having a separate laptop which is specifically used for the purpose of wallet transactions only

maybe it could be an idea that you say but for some people it will add to the workload, which is still my mind why can it be easily hacked? I am also concerned about this incident, because this value is quite large.

[jhongzjhong]

As what have OP said, it was so sad to have been lost on that huge amount. I've learned those replies too it is very informative to avoid us in being to hack. I also used a laptop and all web wallet and Apps wallet are here so I am now aware that it might be lead to hack or any possibilities to be hacked.

A good idea is maybe having a separate laptop which is specifically used for the purpose of wallet transactions only

maybe it could be an idea that you say but for some people it will add to the workload, which is still my mind why can it be easily hacked? I am also concerned about this incident, because this value is quite large.

Yes, that is good I dea. If we can't afford to buy hardware wallet, then, we separate our wallet to other device just like tablet.

[upupup]

Guys, please:
-never tell that you owe crypto
-use VPN
-use Linux
-use cold storage (or at least 2fa without the recovery option)

Antivirus software is pretty much useless against modern keyloggers or virus.  Windows can be really dangrous especially if you use cracked software or single guys

[UserU]

Well, the simplest change to make to more likely avoid such problems is to not use Windows.

Linux is not virus proof, but a much smaller and harder target for hackers.
Ubuntu is simple to install and easy to use.

Windows virus checkers do not detect 'viruses' they detect 'known viruses'
This case clearly shows that.
... and that is by design by McAfee years ago to ensure an ongoing income stream.

Botnets of 100's of 1000's of windows machines are not urban legends, they're fact.

If you wish to reduce you risk storing currency on a computer, use linux, but also understand how to do that safely.

Unfortunately most of us use Windows and are so familiar with it, that is has been part of our lives. I've used Linux before but eventually gave it up because Windows has everything I need (apps-wise).

One way to not get hacked besides not keeping 'em on exchanges is to use common sense.

No matter how advanced anti-viruses could be, simply being careless won't protect your system from being compromised.

You could have a super-strong password to any offline wallet(s) but if you managed to get phished, its game over.

[af_newbie]

OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency   Place
DASH      Qt-Wallet on Laptop
BCH      ElectronCash on Laptop
BTC      Binance.com
BTC      Kraken.com
NEM      Simplewallet on Laptop
BURST   Desktop wallet on Laptop
BTC      Exodus wallet on Laptop
OmiseGo   Exodus wallet on Laptop
LTC      Exodus wallet on Laptop
BCH      Exodus wallet on Laptop
DASH      Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum version for their blockchains.
I used the same long password for different things - especially my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - the one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)

I feel sorry for you.  It can happen to anyone.  Problem is you had too many altcoin wallets on your machine.  You should have only run bitcoin.org core offline wallet compiled from sources.  

You should have used a dedicated, clean machine to access your coins or online accounts. And never web browse or install anything on that machine.  QT Wallets should be encrypted and stored on removable USB drives, only connected when sending.  Blockchains should be updated with dummy wallets.  You should have run 'core' wallet apps, not use online or third party wallets.  The 2FA devices should be dedicated hardware (old phones) and not connected to any network.  Why in the world did you use password safes?  BCD?  Really?  I did not even know they existed, I would not bother with any bitcoin splits.  I recovered BTG/BCH but this was done on an old PC with BTC moved to another wallet after the fork and before the recovery attempt.  I would not trust any wallet other than bitcoin.org core wallet.  If you're really paranoid, inspect the sources, compile from sources on a dedicated dev machine.

This is everyone's worst nightmare.  

Spend some money on dedicated 'POS' equipment and never touch it unless you move coins or access exchange accounts.  And keep the wallet, blockchain backup on multiple devices in multiple physical locations.

This just shows you, bitcoin is still in an early adoption phase.  It is still not for everyone.

PS. Why would anyone keep all these altcoins is beyond me?  Store your money in BTC in bitcoin.org core wallet and forget all the BS coins.

[nc50lc]

BTC      Binance.com
BTC      Kraken.com

If this was accurate, you can contact these Exchanges (not customer service) for their cooperation. Kraken may be impossible but Binance might answer you.
An Email containing complete info on your ownership of the addresses' funds, Some personal info and/or Clearance together with a detailed explanation of your statement.

Why? Given that you have the Full Proof of ownership and you can proove that you're not the one who moved the funds,
Exchanges like Binance requires KYC policy to their users and they have the power to point you to any leads to the Culprit.
This can get you to a real person which can be questioned for more leads.
And even if it was withdrawn to a "Mixing" address (unless they tolerate crimes), you can also contact the service provider to provide the final address where the funds (2btc from Binance?) are being held.

But it's been quite long since the hacking incident, I can only assume that it was already laundered as "investments" to micro-earning sites or loans.

[Valerian77]

and ... the hackers wallet is online again:       http://electrumdiamond.org/

I think Github has kicked them. They have renamed the executable to version 3.0.5.3 and put it into the file system download directory.

disgusting

[UserU]

and ... the hackers wallet is online again:       http://electrumdiamond.org/

I think Github has kicked them. They have renamed the executable to version 3.0.5.3 and put it into the file system download directory.

disgusting

You might wanna remove the URL. You never know some might download it, thinking its legit.

[JollyGood]

Any more information on this scam?

[logfiles]

The bastard(s) is(are) still online with a new profile on github called "electrums".
It was made 9 days ago





I hope no one has fallen for their malware so far. I am going to try to report their profile