BTC is missing from Blockchain.info wallet

[alastori]

Hello everybody,
Tonight I was trying to send some money from a blockchain.info wallet(INCOGNITO window) to my other blockchain wallet(normal window) and i kept getting an error "bitcoin transaction failed to send. Please try again" ( https://prnt.sc/ofizu7 ) something like this. I kept trying for like 3-4 minutes, i tried changing the fee and all that but i still couldn't send the money to my main blockchain wallet, so after some tries i gave up and decided to try again later so i closed my browser completely(including the incognito one) and after more than an hour i decided to login again and try and i saw that my funds (0.27735 BTC) were sent to this address: 16MgFBd4ay7Yz5bw2HEpvTzCFQwqRmFK73 so I immediately checked the other blockchain wallet if it was compromised or something but the other one was untouched. I don't know this address, I've checked my history and I've never copied or anything and as a matter of fact i wasn't even trying to send money from my main account(the one where i lost the bitcoins).
I have 2FA enabled and no signs of some malware or other stuff in my computer, i am using Ubuntu Linux.
Can someone please help me find out how I just lost ~3K USD?

[1714830216]

1714830216

[1714830216]

1714830216

[1714830216]

1714830216

[nc50lc]

With those limited info, it's kinda hard to tell.
I could be a phishing site, compromised wallet/account, watch-only wallet, malicious browser extension and other "common" scams.

We need more information about the wallet, how you've created it and the actual URL of the website that you're visiting.

[alastori]

With those limited info, it's kinda hard to tell.
I could be a phishing site, compromised wallet/account, watch-only wallet, malicious browser extension and other "common" scams.

We need more information about the wallet, how you've created it and the actual URL of the website that you're visiting.

I am 100% certain that it was https://www.blockchain.com/wallet.
No malware extensions because I was using incognito mode and they are disabled on incognito mode.
I am certain it wasn't a malware or something else because if it was a malware the hackers would have stolen the funds in my other wallet too. That's why I am so confused.

[alastori]

And btw after I lost the BTC i tried some other transactions on the same wallet and kept getting the same error as in the screenshot that i have posted. After 2 or 3 tries i was able to send money again and I am ruling out the phishing or malware part because I am using Two Factor Authentication so it's highly unlikely that I was hacked. I saw some other users are also having issues with some funds in blockchain.info so maybe it is related to that?

[nc50lc]

There are indeed other reports but most of them are victims of scam where the culprit offers cheap or free accounts with balance;
but the wallet is watch-only and only him can spend it.
Others are cases of lost old version wallets.

By any chance,
[1] Haven't you created that wallet yourself?
[2] Have you exported some or that particular address' private key before?
[3] Did you stored the 12/24-word SEED somewhere vulnerable (Cloud storage/Email/etc)?
Because those are the most possible reasons if we take malware and hacks into account.

Another problem is, if it was their fault, they wont be able to help you with it because the new version of blockchain.com wallet's private keys are only available for the user and not their server (as they said):

When you sign up for a Blockchain Wallet, you’re creating an encrypted file that contains the information you will use to access your funds: your seed (backup phrase), private keys, and cryptocurrency addresses. The file is encrypted with your password, which we never store or have access to

[alastori]

I have created both of the wallets myself in early 2017.
The 12 word seed was only stored on plain paper and the papers aren't lost or stolen. I think this is all somehow related to the sending problem I had because there is no other logical explanation for it. I have never exported the address private keys because I simple didn't have the need to. I have contacted blockchain.info support and I am waiting for their reply. I am excluding some type of cookie attack because i logged out of my wallet 2 or 3 minutes before the BTC were gone so that would reset the session ID and therefore even if my cookies were stolen they would be invalid.

[alastori]

The BTC has now been moved out of 16MgFBd4ay7Yz5bw2HEpvTzCFQwqRmFK73 .
I guess they are gone forever.

[bitmover]

The BTC has now been moved out of 16MgFBd4ay7Yz5bw2HEpvTzCFQwqRmFK73 .
I guess they are gone forever.

Yes, they are gone.you were hacked. Your system is compromised .

I would format all computers/smartphone that you ever used to access your wallet.

Where did you store the seed? Was it in a paper? Or in a Google draft, drive, cloud storage?

Blockchain.info wallet is not very safe, as there are many ways a hacker could get access to it.
Maybe even the e email that you used to create the wallet is compromised. Change its password and add 2fa to it.

[alastori]

The BTC has now been moved out of 16MgFBd4ay7Yz5bw2HEpvTzCFQwqRmFK73 .
I guess they are gone forever.

Yes, they are gone.you were hacked. Your system is compromised .

I would format all computers/smartphone that you ever used to access your wallet.

Where did you store the seed? Was it in a paper? Or in a Google draft, drive, cloud storage?

Blockchain.info wallet is not very safe, as there are many ways a hacker could get access to it.
Maybe even the e email that you used to create the wallet is compromised. Change its password and add 2fa to it.

The 12 word seed was only stored on plain paper and the papers aren't lost or stolen.
I was using a secure mail provider, Tuta.io and 2FA was enabled on both the email account and the blockchain.info wallet.
I know i was probably compromised but I have no idea how. All the latest updates of Ubuntu are installed and no new software has been installed in the previous 2 months or so.

[mocacinno]

Well... Like others have already said, your system is compromised...

Either reinstall your os, or at least continue digging untill you find the problem. Here's a starting point: https://upcloud.com/community/tutorials/scan-ubuntu-server-malware/ (in your previous post you mentioned you ran ubuntu).

You do have to realise exentions *can* be enabled, even in incognito mode... As a matter of fact, if you only installed packages from the official repo's and you're 100% sure you didn't fall for a (phising) scam, i'd say browser extensions are the most probably cause of infection, especially sine you indicate the funds were lost after you opened your wallet using your browser (what are the odds somebody having physical access to the seed decides to rob you at the exact moment you're using your browser).

[bitmover]

I was using a secure mail provider, Tuta.io and 2FA was enabled on both the email account and the blockchain.info wallet.
I know i was probably compromised but I have no idea how. All the latest updates of Ubuntu are installed and no new software has been installed in the previous 2 months or so.

If you had 2fa on both email and blockchain.info , the attacker somehow got access to your browser or seed. Theoretically, your seed in blockchain.jnfo is always compromised because you received it from your browser (someone could be watching)

I would format everything, as I already said. And review your online habits.

Also , try a more secure wallet next time, such as Electrum.org

[sheenshane]

The BTC has now been moved out of 16MgFBd4ay7Yz5bw2HEpvTzCFQwqRmFK73 .
I guess they are gone forever.

Yes, they are gone.you were hacked. Your system is compromised .

I would format all computers/smartphone that you ever used to access your wallet.

I'd been reading the replied post above and I had the same thought with them, compromising your system will be one of the main reason or you are in a phishing link. I saw that there are no chances that your bitcoin back(just move on of your loss) take this scenario as a lesson to learn. And bitmover was right, clean your computer or use a clean gadget that might use as an intended for wallet only(separate your working PC for daily use). Never trust web wallet they are easy to compromise by hackers.

Also , try a more secure wallet next time, such as Electrum.org

Strongly agree, Reliable and safe to use if your computer is clean. https://electrum.org/#download, Link to download for safer.

[Mpamaegbu]

I was using a secure mail provider, Tuta.io and 2FA was enabled on both the email account and the blockchain.info wallet.
I know i was probably compromised but I have no idea how. All the latest updates of Ubuntu are installed and no new software has been installed in the previous 2 months or so.

If you had 2fa on both email and blockchain.info , the attacker somehow got access to your browser or seed. Theoretically, your seed in blockchain.jnfo is always compromised because you received it from your browser (someone could be watching)

I would format everything, as I already said. And review your online habits.

Also , try a more secure wallet next time, such as Electrum.org

Blockchain info is also a secured wallet. At least I have used it for over two years without any issues. Except he exposed his 12 passphrase words online or someone around the OP got hold of them, I still don't know how it could be hacked. To even say that the 2FA authenticator was beaten in this case is really surprising to me to say the lest.

[alastori]

I was using a secure mail provider, Tuta.io and 2FA was enabled on both the email account and the blockchain.info wallet.
I know i was probably compromised but I have no idea how. All the latest updates of Ubuntu are installed and no new software has been installed in the previous 2 months or so.

If you had 2fa on both email and blockchain.info , the attacker somehow got access to your browser or seed. Theoretically, your seed in blockchain.jnfo is always compromised because you received it from your browser (someone could be watching)

I would format everything, as I already said. And review your online habits.

Also , try a more secure wallet next time, such as Electrum.org

Blockchain info is also a secured wallet. At least I have used it for over two years without any issues. Except he exposed his 12 passphrase words online or someone around the OP got hold of them, I still don't know how it could be hacked. To even say that the 2FA authenticator was beaten in this case is really surprising to me to say the lest.

It was my money I lost, I have no reason to lie. I would never fall victim to a phishing attack, my 12 word seed was not stored anywhere online.
If I had no idea around hacking or cybersecurity, I would understand that it is my fault and I wouldn't even open this thread. The only logical explanation is that there is some kind of zero day exploit that the public doesn't know about yet, or that the blockchain.info wallet is not as secure as you think.
I would recommend everybody to use another wallet, I'm already using Electrum, my BTC there is safe. Stop giving web wallets a chance, I knew i was probably making a mistake but i thought that since the blockchain.info wallet is probably the oldest it is probably safe. It is not.

[Potato Chips]

Regardless of who's at fault, it doesn't change the fact that web wallets are one of the least safe ways to store funds as it is more susceptible to attacks. The amount of time you've used it without issues doesn't change anything, no one should wait until a problem has occurred.

@op, note that securing funds doesn't end in picking a wallet as none provides 100% safety. Your wallet won't protect you in case of human error which is why adopting healthy practices helps in increasing your security. Take this as a reference https://bitcoin.org/en/secure-your-wallet

Lastly, don't forget to verify your electrum files to make sure what you've got isn't compromised

[Lucius]

This is another mysterious disappearance of user coins from blockchain wallet, and I doubt that the cause will be revealed any time soon. This service is have bad history of very strange hacks, and by reading how careful OP was with this site, I could agree that this is some exploit on blockchain.com.

It would be interesting to see what will support say, but I doubt they will say anything which can cause them any damage, and at the end they will say it was user error.

https://bitcointalk.org/index.php?topic=2488493.0

[mocacinno]

This is another mysterious disappearance of user coins from blockchain wallet, and I doubt that the cause will be revealed any time soon. This service is have bad history of very strange hacks, and by reading how careful OP was with this site, I could agree that this is some exploit on blockchain.com.

It would be interesting to see what will support say, but I doubt they will say anything which can cause them any damage, and at the end they will say it was user error.

https://bitcointalk.org/index.php?topic=2488493.0

Well... In my previous job I had to handle helpdesk calls one day a week in an environment with educated, but non-it personel (it was a rotating shift in which every IT team member was responsible for first line support one day a week). I've heared hundreds of people falsely claim to have done/not have done stuff, even when i confronted them with evidence.

My point is, there is no way to prove the OP didn't mess up... And there is no shame in this either... I have allmost fallen for a phising scam in the not so distant past, i've installed infected files on my "sandbox" pc unwillingly, i've even fallen for a ponzi a long, long time ago. Everybody makes mistakes, sometimes even without realising you made a mistake.

Now let me be clear, i'm not inplying the OP made a mistake and fell for a phising attack or got his system compromised, i'm just saying that i don't think anybody (including me) should be taken at face value when saying they 100% certainly didn't make a certain mistake. I really don't like web wallets, but i would never go as far as implying it was blockchain's fault without seeing any real evidence.

In my opinion, the odds of OP's system being compromised, or the OP being victim of a phising or a social engineering attack still seem more likely than blockchain being exploited... It's all about odds tough, there's no way to know for sure.

[dunfida]

This is another mysterious disappearance of user coins from blockchain wallet, and I doubt that the cause will be revealed any time soon. This service is have bad history of very strange hacks, and by reading how careful OP was with this site, I could agree that this is some exploit on blockchain.com.

It would be interesting to see what will support say, but I doubt they will say anything which can cause them any damage, and at the end they will say it was user error.

https://bitcointalk.org/index.php?topic=2488493.0

As usual where we would hear out those common lines that this incident was always on users side/fault.Majority is on infected PC but there are instances
where i do able to read up that users are pretty aware with their security which you can really think or say in mind that there were something behind on Blockchains service.

[sunsilk]

Op really seems to be knowledgeable about cyber security and knows where he should place himself. The fault should really be on blockchain.com's end.

alastori, you should report this to them on https://support.blockchain.com/hc/en-us/requests/new though I doubt that they will compensate your loss but let's see if they can stand and will figure out this faulty issue on their end.

[Lucius]

mocacinno, I agree that we can not be 100% sure that OP did not do something wrong, maybe he will find out later what wrong step he made. But during the years we see too many people complain that they lost bitcoins by using this wallet, and we have solid evidence (on link I posted), that it was possible to  get user private key / seed without any notification on e-mail of mobile phone in case of 2FA.

Some user is post few threads below that he and some other victims preparing are lawsuit against this company, they all lost significant amounts of coins in a very similar way, regardless of all security measures they taken.

Maybe I am wrong, but I do not see complaints from Coinbase or Binance users who lost coins, it is always blockchain wallet. I know they have big number of users, but still they should make a detailed review of their system and fix security vulnerabilities if they exist.

[alastori]

Op really seems to be knowledgeable about cyber security and knows where he should place himself. The fault should really be on blockchain.com's end.

alastori, you should report this to them on https://support.blockchain.com/hc/en-us/requests/new though I doubt that they will compensate your loss but let's see if they can stand and will figure out this faulty issue on their end.

I have already reported it to blockchain but i have not received a response yet.
What hurts the most is that everybody thinks it's always the clients fault, I am highly educated in cybersecurity and it is in my nature to not fall for stupid phishing attacks or to install suspicious malware.
Every time I have to deal with a file that comes from an unverified source, I view it on a virtual machine or when a VM is not available i use sandboxes to open it. It's very hard to get the usual malware on Linux, especially when you are educated on cybersecurity, because most hackers target their malware to Windows users because they are the majority, not Linux users. Everything is regularly updated on my PC and I only use 2 or 3 browser add-ons that are among the most popular ones. Plus they are all disabled on incognito mode by default, unless you SPECIFICALLY go and enable them in incognito, which is a thing I have not done. My wireless network was a home one, not a cafe or a restaurant etc., so I am excluding a MITM attack. Even if someone was theoretically sniffing my traffic, the traffic is already encrypted by SSL. If it was a non-secure wallet with other circumstances, I would not even open this thread. If I had a malware on my device, they would steal the funds from the other blockchain.info wallet too, not just this one. Plus, the weird error that i screenshotted, what's that ? I never encountered an error like that in my 3 years or so experience of Blockchain.info.

[alastori]

I even made a request to Blockchain.info to send logs of IP addresses that logged in to my wallet, just to confirm that nobody else was able to log in there, but they are not responding.

[sunsilk]

I even made a request to Blockchain.info to send logs of IP addresses that logged in to my wallet, just to confirm that nobody else was able to log in there, but they are not responding.

Does your account don't have that email verification each time you log in? they display IP address everytime you log in. Check your email because it also includes the browser used, operating system and the time of accessing.

The title of that email should be 'Authorize log-in attempt'.

snip

I understand your frustration especially if you are a techie guy and you are technically into cybersecurity. With the screenshot, IIRC it never happened to me but there were times that the app itself isn't working but it stops you from sending too.

And about the support through email, I've contacted them before and they seem to be good in replying with those concerns. I think their ticket has been flooded and they have to look over each of it that's why they haven't replied to your concern.

[alastori]

I even made a request to Blockchain.info to send logs of IP addresses that logged in to my wallet, just to confirm that nobody else was able to log in there, but they are not responding.

Does your account don't have that email verification each time you log in? they display IP address everytime you log in. Check your email because it also includes the browser used, operating system and the time of accessing.

The title of that email should be 'Authorize log-in attempt'.

I have the email verification, that's 2FA. It never showed any login attempt for me to verify, I have 2FA in my email too, no suspicious log-in attempts.

[Lucius]

alastori, i recently find interesting article how 2FA can be bypass in combination with phishing attack, and although this does not have to be something that has happened to you, it is possible that you are a victim of a similar attack.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

Regarding error you see, this is something I never see in time I use blockchain wallet. Whatever happened with your account, there is a probability that some trace has remained and that blockchain will find something.

Are you check your home wirelles network for intruders? All protection can be hacked, and everything depends on your modem / router firmware.

https://www.bleepingcomputer.com/news/security/new-method-simplifies-cracking-wpa-wpa2-passwords-on-80211-networks/

[sunsilk]

I even made a request to Blockchain.info to send logs of IP addresses that logged in to my wallet, just to confirm that nobody else was able to log in there, but they are not responding.

Does your account don't have that email verification each time you log in? they display IP address everytime you log in. Check your email because it also includes the browser used, operating system and the time of accessing.

The title of that email should be 'Authorize log-in attempt'.

I have the email verification, that's 2FA. It never showed any login attempt for me to verify, I have 2FA in my email too, no suspicious log-in attempts.

Okay that means that there's nothing wrong if you have verified it on the email that I'm talking. I don't have anything to add anymore since you have validated most of it and you're sure that you have done you part.

And there's no negligence on your side, did they replied already to the support report that you did?

[alastori]

alastori, i recently find interesting article how 2FA can be bypass in combination with phishing attack, and although this does not have to be something that has happened to you, it is possible that you are a victim of a similar attack.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

Regarding error you see, this is something I never see in time I use blockchain wallet. Whatever happened with your account, there is a probability that some trace has remained and that blockchain will find something.

Are you check your home wirelles network for intruders? All protection can be hacked, and everything depends on your modem / router firmware.

https://www.bleepingcomputer.com/news/security/new-method-simplifies-cracking-wpa-wpa2-passwords-on-80211-networks/

Yeah I understand how this attack works, the thing is i never open blockchain wallet from a link or something like that, i always type the URL key by key, the WPA2 password on my wireless network would take probably months to crack, no neighbours who are into this field, so I am ruling that out too.

I even made a request to Blockchain.info to send logs of IP addresses that logged in to my wallet, just to confirm that nobody else was able to log in there, but they are not responding.

Does your account don't have that email verification each time you log in? they display IP address everytime you log in. Check your email because it also includes the browser used, operating system and the time of accessing.

The title of that email should be 'Authorize log-in attempt'.

I have the email verification, that's 2FA. It never showed any login attempt for me to verify, I have 2FA in my email too, no suspicious log-in attempts.

Okay that means that there's nothing wrong if you have verified it on the email that I'm talking. I don't have anything to add anymore since you have validated most of it and you're sure that you have done you part.

And there's no negligence on your side, did they replied already to the support report that you did?

Nope, no reply yet.

[bitmover]

I would recommend everybody to use another wallet, I'm already using Electrum, my BTC there is safe. Stop giving web wallets a chance, I knew I was probably making a mistake but I thought that since the blockchain.info wallet is probably the oldest it is probably safe. It is not.

Hello alastori.

You made the correct decision, and you are using now a safer wallet.

However, we are all humans, and we are susceptible of making mistakes. If you make a mistake, such as using a not updated browser or clicking in a phishing or virus or whatever, your funds will be compromised using Electrum.
There are various sophisticated phishing, such as asking for update inside the electrum software with a phishing link.

Hardware Wallets are a cheap solution. Ledger nano s costs about 60 USD (buy only from ledger.com, never from any third party, because it may be compromised).
A hardware wallet is like 99.9% safe, the risks are minimum and you will basically only lose money if a hacker has physical access to the device. It is worth. I use it, and I recommend it to everyone.

[Lucius]

Yeah I understand how this attack works, the thing is i never open blockchain wallet from a link or something like that, i always type the URL key by key, the WPA2 password on my wireless network would take probably months to crack, no neighbours who are into this field, so I am ruling that out too.

Regarding WPA2-PSK, I doubt that it take months to crack - if firmware of all devices is not updated after that exploit was found, there is definitely a vulnerability which can be used for attack. People always suspect on neighbors with such things, but these days you can crack someone wireless even on few km with pretty cheap equipment.

A hardware wallet is like 99.9% safe, the risks are minimum and you will basically only lose money if a hacker has physical access to the device. It is worth. I use it, and I recommend it to everyone.

With hardware wallet user need to pay attention to a few things which can pose a danger. Seed should be stored in safe place, and all words need to be checked (backup is most important). Any address we see on Ledger Live or any other UI should be checked on hardware wallet because of possible clipboard malware which can change address. Last thing is to never type seed anywhere except in hardware wallet.

This way of keeping cryptocurrency is far more secure then any online or desktop wallet.