Bitcoin Forum
Topic: How can someone move my btc that is a local wallet?
cwwang (OP)
April 16, 2020, 07:58:08 AM
Merited by mocacinno (1)
 #1

Today I just noticed someone moved all of my btc from my private wallet to another address.  Strange thing is my bitcoin-qt is not running during that time.  How can this happen?  I just lost all those coins!

Any ideas on what could cause this? Or how can someone pull this off?
mocacinno
April 16, 2020, 08:00:25 AM
Merited by bones261 (4)
 #2

> Today I just noticed someone moved all of my btc from my private wallet to another address.  Strange thing is my bitcoin-qt is not running during that time.  How can this happen?  I just lost all those coins!
>
> Any ideas on what could cause this? Or how can someone pull this off?

Well, somebody must have had access to your wallet.dat (since you're using bitcoin-qt). There are some other possibilities, but they're really far-fetched (like somebody using the json-rpc interface, but that would require access to your computer from within the same network, an unlocked wallet, a weak password).

Did you lock your wallet using a strong password?
Did you save your wallet.dat on the cloud?
Did you give your wallet.dat to somebody else (a spouse, somebody unknown,...)?
Does anybody you don't trust 100% have access to your computer?
Do you run a virus scanner?
Is there a firewall?
Do you install any programs from untrusted sources?
Did you import private keys yourself?

If somebody has access to your wallet.dat, or is able to export your private key(s) while bitcoin-qt was running, he can spend your funds whenever he/she likes, your wallet doesn't have to be online for this... He can just sign the spending transactions with the key(s) he stole earlier.




cwwang (OP)
April 16, 2020, 08:06:46 AM
 #3

I've been pretty safe. Passphrase is pretty long random characters.  Very strange.  Someone hacked into my Binance account.  Maybe my computer is compromised?  I don't get it.

I checked the debug.log on my bitcoin-data directory.  Apparently the transaction was done on 4/15/20 02:39 local time.  But during that time the bitcoin-qt is not running.  What gives?
mocacinno
April 16, 2020, 08:17:36 AM
 #4

> I've been pretty safe. Passphrase is pretty long random characters.  Very strange.  Someone hacked into my Binance account.  Maybe my computer is compromised?  I don't get it.
>
> I checked the debug.log on my bitcoin-data directory.  Apparently the transaction was done on 4/15/20 02:39 local time.  But during that time the bitcoin-qt is not running.  What gives?

Well, a compromised computer would do the trick... If somebody has access to your wallet.dat AND is able to capture your keystrokes when entering the passphrase, he can rob you blind.

Could you post (part of) your debug.log? If the log entry was generated at 02:39, it means your wallet was running at that point in time... However, like I said before: it's perfectly possible to spend your funds while your wallet is not running, the only thing a thief needs is the private key(s)... When he has the key(s) he can spend your unspent outputs at any time he wishes, he does not need your wallet to be online.

PS: posting your log can decrease your anonymity, but it does not contain information that will allow anybody to steal from you again.

cwwang (OP)
April 16, 2020, 08:26:34 AM
 #5

Below is the transaction of someone sent my 8.08 coins to an unknown address

4/15/20 02:39 Confirmed (151 confirmations). Sent to (no label) 3KkktVYUaCR52oZUdZzpuXFMvqpLmYFaqA -8.08120416


Below is my debug log. Last shutdown was 4/9.  Then I started on 4/16.  There was no activity on 4/15.


2020-04-09T22:31:01Z UpdateTip: new best=0000000000000000000a7986fbeb212d76c5410f6d1806730e9e5b584cf835f9 height=625191 version=0x208e2000 log2_work=91.84263 tx=519485685 date='2020-04-09T22:30:59Z' progress=1.000000 cache=311.1MiB(3237493txo) warning='67 of last 100 blocks have unexpected version'
2020-04-09T22:43:06Z Pre-allocating up to position 0x5000000 in blk02029.dat
2020-04-09T22:43:06Z UpdateTip: new best=0000000000000000000324a4a9cd4dc2ea23298000d6f2119a51fa99ad36b983 height=625192 version=0x20400000 log2_work=91.842651 tx=519488067 date='2020-04-09T22:42:58Z' progress=1.000000 cache=311.3MiB(3239975txo) warning='68 of last 100 blocks have unexpected version'
2020-04-09T22:49:57Z UpdateTip: new best=0000000000000000000084796852af145b8ddbf758317a509ea514b76800b787 height=625193 version=0x20c00000 log2_work=91.842671 tx=519489269 date='2020-04-09T22:49:40Z' progress=1.000000 cache=311.5MiB(3241244txo) warning='69 of last 100 blocks have unexpected version'
2020-04-09T22:51:31Z UpdateTip: new best=0000000000000000000fed96ca174999768440df83e892325d011cc6bac5bd28 height=625194 version=0x3fffe000 log2_work=91.842692 tx=519489630 date='2020-04-09T22:51:19Z' progress=1.000000 cache=311.5MiB(3241463txo) warning='70 of last 100 blocks have unexpected version'
2020-04-09T23:08:01Z tor: Thread interrupt
2020-04-09T23:08:01Z Shutdown: In progress...
2020-04-09T23:08:01Z addcon thread exit
2020-04-09T23:08:01Z torcontrol thread exit
2020-04-09T23:08:01Z opencon thread exit
2020-04-09T23:08:01Z net thread exit
2020-04-09T23:08:01Z msghand thread exit
2020-04-09T23:08:01Z scheduler thread interrupt
2020-04-09T23:08:01Z Dumped mempool: 0.009077s to copy, 0.090141s to dump
2020-04-09T23:08:02Z [default wallet] Releasing wallet
2020-04-09T23:08:02Z Shutdown: done
2020-04-16T06:48:01Z




2020-04-16T06:48:01Z Bitcoin Core version v0.18.1 (release build)
2020-04-16T06:48:01Z Assuming ancestors of block 0000000000000000000f1c54590ee18d15ec70e68c8cd4cfbadb1b4f11697eee have valid signatures.
2020-04-16T06:48:01Z Setting nMinimumChainWork=0000000000000000000000000000000000000000051dc8b82f450202ecb3d471
2020-04-16T06:48:01Z Using the 'standard,sse41(4way),avx2(8way)' SHA256 implementation
2020-04-16T06:48:01Z Using RdSeed as additional entropy source
2020-04-16T06:48:01Z Using RdRand as an additional entropy source
2020-04-16T06:48:01Z Default data directory /home/cwwang/.bitcoin
2020-04-16T06:48:01Z Using data directory /beast/bitcoin-data
2020-04-16T06:48:01Z Config file: /beast/bitcoin-data/bitcoin.conf
2020-04-16T06:48:01Z Using at most 125 automatic connections (1024 file descriptors available)
2020-04-16T06:48:01Z Using 16 MiB out of 32/2 requested for signature cache, able to store 524288 elements
2020-04-16T06:48:01Z Using 16 MiB out of 32/2 requested for script execution cache, able to store 524288 elements
2020-04-16T06:48:01Z Using 4 threads for script verification
2020-04-16T06:48:01Z scheduler thread start
2020-04-16T06:48:01Z Using wallet directory /beast/bitcoin-data/wallets
2020-04-16T06:48:01Z init message: Verifying wallet(s)...
2020-04-16T06:48:01Z Using BerkeleyDB version Berkeley DB 4.8.30: (April  9, 2010)
2020-04-16T06:48:01Z Using wallet /beast/bitcoin-data/wallets
2020-04-16T06:48:01Z BerkeleyEnvironment::Open: LogDir=/beast/bitcoin-data/wallets/database ErrorFile=/beast/bitcoin-data/wallets/db.log
2020-04-16T06:48:01Z init message: Loading banlist...
2020-04-16T06:48:01Z Cache configuration:
2020-04-16T06:48:01Z * Using 2.0 MiB for block index database
2020-04-16T06:48:01Z * Using 8.0 MiB for chain state database
2020-04-16T06:48:01Z * Using 440.0 MiB for in-memory UTXO set (plus up to 286.1 MiB of unused mempool space)
2020-04-16T06:48:01Z init message: Loading block index...
2020-04-16T06:48:01Z Opening LevelDB in /beast/bitcoin-data/blocks/index
2020-04-16T06:48:02Z Opened LevelDB successfully
2020-04-16T06:48:02Z Using obfuscation key for /beast/bitcoin-data/blocks/index: 0000000000000000
2020-04-16T06:48:07Z LoadBlockIndexDB: last block file = 2029
2020-04-16T06:48:07Z LoadBlockIndexDB: last block file info: CBlockFileInfo(blocks=57, size=69345739, heights=625138...625194, time=2020-04-09...2020-04-09)
2020-04-16T06:48:07Z Checking all blk files are present...
2020-04-16T06:48:08Z Opening LevelDB in /beast/bitcoin-data/chainstate
2020-04-16T06:48:09Z Opened LevelDB successfully
2020-04-16T06:48:09Z Using obfuscation key for /beast/bitcoin-data/chainstate: 6721ed49b14769d0
2020-04-16T06:48:09Z Loaded best chain: hashBestChain=0000000000000000000fed96ca174999768440df83e892325d011cc6bac5bd28 height=625194 date=2020-04-09T22:51:19Z progress=0.996134
2020-04-16T06:48:09Z init message: Rewinding blocks...
2020-04-16T06:48:10Z init message: Verifying blocks...
2020-04-16T06:48:10Z Verifying last 6 blocks at level 3
2020-04-16T06:48:10Z [0%]...[16%]...[33%]...[50%]...[66%]...[83%]...[99%]...[DONE].
2020-04-16T06:49:21Z No coin database inconsistencies in last 6 blocks (8082 transactions)
2020-04-16T06:49:21Z  block index           80075ms
2020-04-16T06:49:22Z init message: Loading wallet...
2020-04-16T06:49:22Z BerkeleyEnvironment::Open: LogDir=/beast/bitcoin-data/wallets/database ErrorFile=/beast/bitcoin-data/wallets/db.log
2020-04-16T06:49:22Z [default wallet] nFileVersion = 180100
2020-04-16T06:49:22Z [default wallet] Keys: 0 plaintext, 4004 encrypted, 4004 w/ metadata, 4004 total. Unknown wallet records: 0
2020-04-16T06:49:22Z [default wallet] Wallet completed loading in             166ms
2020-04-16T06:49:22Z [default wallet] setKeyPool.size() = 1997
2020-04-16T06:49:22Z [default wallet] mapWallet.size() = 4
2020-04-16T06:49:22Z [default wallet] mapAddressBook.size() = 4
2020-04-16T06:49:22Z mapBlockIndex.size() = 625195
2020-04-16T06:49:22Z nBestHeight = 625194
2020-04-16T06:49:22Z AddLocal([2600:8802:1102:5f00:15ff:b85c:29b4:d2fd]:8333,1)
2020-04-16T06:49:22Z Discover: IPv6 wlp3s0: 2600:8802:1102:5f00:15ff:b85c:29b4:d2fd
2020-04-16T06:49:22Z AddLocal([2600:8802:1102:5f00:139e:86c9:7b79:b787]:8333,1)
2020-04-16T06:49:22Z Discover: IPv6 wlp3s0: 2600:8802:1102:5f00:139e:86c9:7b79:b787
2020-04-16T06:49:22Z Bound to [::]:8333
2020-04-16T06:49:22Z Bound to 0.0.0.0:8333
2020-04-16T06:49:22Z init message: Loading P2P addresses...
2020-04-16T06:49:22Z torcontrol thread start
2020-04-16T06:49:22Z Loaded 64616 addresses from peers.dat  662ms
2020-04-16T06:49:22Z init message: Starting network threads...
2020-04-16T06:49:22Z net thread start
2020-04-16T06:49:22Z opencon thread start
2020-04-16T06:49:22Z init message: Done loading
2020-04-16T06:49:22Z dnsseed thread start
2020-04-16T06:49:22Z msghand thread start
2020-04-16T06:49:22Z addcon thread start
2020-04-16T06:49:22Z GUI: Platform customization: "other"
2020-04-16T06:49:22Z GUI: PaymentServer::LoadRootCAs: Loaded  126  root certificates
2020-04-16T06:49:29Z New outbound peer connected: version: 70015, blocks=626227, peer=0
2020-04-16T06:49:33Z Loading addresses from DNS seeds (could take a while)
2020-04-16T06:49:35Z 282 addresses found from DNS seeds
2020-04-16T06:49:35Z dnsseed thread exit
2020-04-16T06:49:43Z UpdateTip: new best=0000000000000000000acdba38bcbd8e80f03b321ec453f9f4e3fcce5ed4cc48 height=625195 version=0x20000000 log2_work=91.842712 tx=519492624 date='2020-04-09T23:22:21Z' progress=0.996147 cache=1.2MiB(12886txo)
2020-04-16T06:50:25Z UpdateTip: new best=000000000000000000045ca57680cf9225d23b616cf008a28de8b1b302bc3e1e height=625196 version=0x20400000 log2_work=91.842733 tx=519494722 date='2020-04-09T23:22:53Z' progress=0.996147 cache=2.0MiB(20931txo)
2020-04-16T06:51:10Z


mocacinno
April 16, 2020, 08:31:30 AM
 #6

So, after reading your log, and looking up that address on a block explorer, I can pretty much say you were indeed robbed.
He used all unspent outputs completely, no change address was used. He overspent on the fee as well, so he'd be sure the transaction would get confirmed quickly.

Since your wallet wasn't online at the time of the robbery, you can be certain the robber has indeed all private keys belonging to this wallet... Consider the wallet to be compromised, consider your computer to be compromised. If you hold any more funds on any other wallet, DO NOT open that wallet on that compromised PC... Buy a hardware wallet, create a paper wallet,.... Do whatever you need to do, but you should move any funds on any wallet that was on the compromised computer to a wallet that never touched the compromised machine as soon as you can without acting so hastily you make other mistakes.

But I cannot stress this enough: any funds on any wallet that was on your compromised machine are at risk. Just moving the wallet files to a clean PC is not sufficient, you need to create brand new wallets on a clean PC and move all funds from the old wallets (on the compromised PC) to the brand new wallets (that never touch the compromised machine).

I hate to be the bearer of bad news, but those 8+ BTC are gone I'm afraid... +150 confirmations... I feel sorry for you.

I know it doesn't mean anything to you, but I gave your post a merit. You seem like the kind of person I'd like hanging around on bitcointalk. I hope this robbery didn't scare you away from crypto currencies (although I would completely understand if it did). It's all hindsight now, but a hardware wallet or an airgapped setup would probably have been the way to go when holding >8 BTC...

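The check discussed in posts #4 to #6 (was the node running when the transaction was made?) can be done mechanically: a run is bracketed in debug.log by the startup banner and "Shutdown: done", the log is in UTC, and the GUI shows the transaction in local time. The Python below is an added example, not part of the original thread or of Bitcoin Core; the function names are made up here, and the sample lines are abridged from the log posted in #5.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: lines abridged from the debug.log posted in #5 (log times are UTC).
SAMPLE_LOG = """\
2020-04-09T22:43:06Z Pre-allocating up to position 0x5000000 in blk02029.dat
2020-04-09T23:08:01Z Shutdown: In progress...
2020-04-09T23:08:02Z [default wallet] Releasing wallet
2020-04-09T23:08:02Z Shutdown: done
2020-04-16T06:48:01Z
2020-04-16T06:48:01Z Bitcoin Core version v0.18.1 (release build)
2020-04-16T06:49:22Z init message: Done loading
2020-04-16T06:49:29Z New outbound peer connected: version: 70015, blocks=626227, peer=0
"""

# Timestamp, optional fractional seconds, then an optional message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z(?: (.*))?$")
STARTUP = "Bitcoin Core version"   # banner written at every start, as in the posted log
SHUTDOWN = "Shutdown: done"        # last line of a clean exit


def parse_sessions(log_text):
    """Return [(start, end, clean_shutdown)] for each period the node was logging."""
    sessions, start, last = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or continuation line, no timestamp
        msg = (m.group(2) or "").strip()
        if not msg:
            continue                      # timestamp-only separator before the banner
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if STARTUP in msg and start is not None:
            # A new banner with no "Shutdown: done" before it: previous run ended uncleanly.
            sessions.append((start, last, False))
            start = None
        if start is None:
            start = ts                    # the excerpt may begin in the middle of a run
        last = ts
        if SHUTDOWN in msg:
            sessions.append((start, ts, True))
            start = last = None
    if start is not None:
        sessions.append((start, last, False))   # log ends while the node is still up
    return sessions


def offline_gaps(sessions):
    """Intervals between the end of one run and the start of the next."""
    return [(a[1], b[0]) for a, b in zip(sessions, sessions[1:])]


def offsets_where_running(sessions, local_naive, step_minutes=15):
    """UTC offsets (in minutes, -12h..+14h) under which a local wall-clock time
    falls inside a logged run. An empty list means the node was not logging at
    that moment whatever timezone the wallet GUI used."""
    hits = []
    for off in range(-12 * 60, 14 * 60 + 1, step_minutes):
        utc = (local_naive - timedelta(minutes=off)).replace(tzinfo=timezone.utc)
        if any(s <= utc <= e for s, e, _ in sessions):
            hits.append(off)
    return hits


if __name__ == "__main__":
    runs = parse_sessions(SAMPLE_LOG)
    for s, e, clean in runs:
        print("run  ", s.isoformat(), "->", e.isoformat(), "clean" if clean else "no shutdown line")
    for a, b in offline_gaps(runs):
        print("gap  ", a.isoformat(), "->", b.isoformat())
    # Time the wallet showed for the outgoing transaction: 4/15/20 02:39 local.
    print("offsets where node was up:", offsets_where_running(runs, datetime(2020, 4, 15, 2, 39)))
```

An empty result only says that this Bitcoin Core instance and data directory were not logging at that time, which is what one expects when the keys were used from another machine. It does not show the log is complete, since anyone with write access to the data directory can alter debug.log.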
cwwang (OP)
April 16, 2020, 08:53:41 AM
 #7

Which hardware wallet do you recommend?
mocacinno
April 16, 2020, 08:58:23 AM
 #8

> Which hardware wallet do you recommend?

I personally have 4: a Ledger HW.1 (discontinued ages ago), a Ledger Nano S, a Trezor One and a Trezor Model T... I must say that I personally prefer Ledger hardware, but that's just my personal taste. Both Ledger and Trezor make quality products. There are other vendors out there, most of them are legit, but those two brands are the most popular... And a large user base is a good thing when it comes to discovering vulnerabilities and long-time support.

But if you need a solution right now, you can either find an old laptop/desktop and completely disable all networking hardware (or plain remove the networking cards) then set up bitcoin core or electrum as an airgapped wallet.

Walkthroughs:
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet
https://electrum.readthedocs.io/en/latest/coldstorage.html

Another possibility is making a paper wallet in a secure way... Basically, use a community vetted, trusted wallet generator to create a bip38 encrypted paper wallet on an OFFLINE PC (at least reboot it after the paper wallet has been generated), print on a locally connected printer (reboot the printer afterwards). Make several copies, laminate...

BEFORE actually using your new (secure) setup, I'd recommend a testnet setup first... Basically, run the airgapped setup in testnet mode, or create a testnet paper wallet... Fund the airgapped wallet/paper wallet with some tBTC and test if you are able to spend the funds afterwards. Only when you are confident you have a working procedure to access your funds later on, move on to the mainnet...

cwwang (OP)
April 16, 2020, 09:02:22 AM
 #9

So someone accessed my computer and cracked the passphrase?  How could that happen? 
mocacinno
April 16, 2020, 09:05:06 AM
 #10

> So someone accessed my computer and cracked the passphrase?  How could that happen?

No idea... Maybe some malware/virus/keylogger. Maybe phishing. Maybe physical access. Maybe an accidental backup in the cloud. Maybe a physical vulnerability on the OS level.
But the fact remains that if you were cleaned out, somebody must have had the opportunity to get to your private keys... This makes your complete setup compromised. You can never be 100% sure you are safe unless you start over with a clean install, clean wallets, ...

cwwang (OP)
April 16, 2020, 04:09:35 PM
 #11


After spending a few hours last night. I think I know what happened. <sigh>...  It was a hack.  Through my NAS I believe.  Anyway... It's a done deal.

I am wondering if there is a way to flag that address as fraud?  Or some thing I can do about this event?  Any ideas is appreciated.
BrewMaster
April 16, 2020, 04:28:30 PM
 #12

> I am wondering if there is a way to flag that address as fraud?  Or some thing I can do about this event?  Any ideas is appreciated.

No, there is nothing you can do about it. Bitcoin transactions are irreversible, so the sent coins cannot be unsent, and there is no centralization to want to judge the correctness of the accusations and "flag" the address as belonging to a thief.

HCP
April 16, 2020, 10:27:37 PM
 #13

> I am wondering if there is a way to flag that address as fraud?  Or some thing I can do about this event?  Any ideas is appreciated.

Some of the exchanges have flagged things before, but generally only in the instance of a massive hack and theft from either themselves or other exchanges. You can't really blacklist bitcoin addresses... and the thieves are likely to simply move the coins through mixers or other addresses to obfuscate their history.

Your only real option at this point is to make sure you learn from this and take the necessary steps to prevent it occurring in the future.

Sorry for your loss.

joniboini
April 19, 2020, 05:31:29 AM
 #14

> I am wondering if there is a way to flag that address as fraud?  Or some thing I can do about this event?  Any ideas is appreciated.

There are some websites that list things like this. Such as https://www.bitcoinabuse.com/ or https://bitcoinwhoswho.com/. I don't know how effective they are but if reporting is what you want to do, it's probably worth posting there.

The Cryptovator
April 19, 2020, 09:11:11 AM
 #15

>> I am wondering if there is a way to flag that address as fraud?  Or some thing I can do about this event?  Any ideas is appreciated.
> There are some websites that list things like this. Such as https://www.bitcoinabuse.com/ or https://bitcoinwhoswho.com/. I don't know how effective they are but if reporting is what you want to do, it's probably worth posting there.

I was wondering the same; there is an option to report on bitcoinwhos & bitcoinabuse. It would be helpful if someone checks an address on the same websites (IMO). Reporting an address wouldn't prevent hackers from hacking bitcoin. On the other hand, if a hacker eventually transfers their hacked funds without mixing, then reporting to exchanges would help lock the amount (if the exchange wants to recognize the fraudulent funds). But hackers are more smarter than us, likely they will not leave any clue to fund them.

Anyway, sorry for your loss @OP. Hope you have learned already. Just clean your device by formatting everything & reset all your passwords on another device or the cleaned device immediately.

bob123
April 19, 2020, 01:00:32 PM
 #16

> After spending a few hours last night. I think I know what happened. <sigh>...  It was a hack.  Through my NAS I believe.  Anyway... It's a done deal.

Is this just a guess or do you have any evidence?

Compromising a NAS does not necessarily mean your computer gets compromised. You either had to actively execute malware stored on the NAS or there were further vulnerabilities (maybe due to an unpatched system?)

What kind of NAS do you have (vendor / model)?


You definitely have to completely wipe your computer and NAS. Backup important files and format any disk.

And if he has access to your private keys (wallet file + your entered password), he also has access to any other password you have entered on this computer since you got compromised.
Make sure to change all affected passwords.

Lucius
April 19, 2020, 01:53:50 PM
 #17

> Below is the transaction of someone sent my 8.08 coins to an unknown address
> 4/15/20 02:39 Confirmed (151 confirmations). Sent to (no label) 3KkktVYUaCR52oZUdZzpuXFMvqpLmYFaqA -8.08120416

Another in a series of sad stories, but also warning that such amount of coins should not be stored in desktop wallet, on the computer we use for everyday needs. It seems to me at first that this was not an accidental attack, but that you were the intended target. All those who knew you had so much BTC are suspicious, no matter how much you trust them. I would personally go in that direction, though it is something that would require a thorough investigation and resources that you probably do not have.

Part of your BTC is now on this address https://www.blockchain.com/btc/address/38sDP6DuzMkp8NBxX2XhgF8eLWRoWTHHUo , and you can try to report them, but it is possible that the hacker has already sold them, and they have a new legitimate owner.

cwwang (OP)
April 19, 2020, 06:54:30 PM
Merited by amishmanish (1)
 #18

It is confirmed he first entered through myqnapcloud.com.  Then accessed my NAS.  Yes.  One password was compromised and I should have done a better job securing that.  Regardless, it's mitigated.

I also filed a complaint with the FBI and have some security guys helping me to do some investigating.  I do have some general idea where the attack came from; but I'll keep it like this for now.  I want the fed to get involved and hopefully they will.

Status: 152 confirmations
Date: 4/15/20 02:39
To: 3KkktVYUaCR52oZUdZzpuXFMvqpLmYFaqA
Debit: -8.08116106 BTC
Transaction fee: -0.00004310 BTC
Net amount: -8.08120416 BTC
Transaction ID: 668c2e5d00e25f15c23a8f843dfc4502a595343b78ede0e99eb935710f9be726
Transaction total size: 557 bytes
Transaction virtual size: 315 bytes
Output index: 0
cwwang (OP)
April 19, 2020, 07:12:35 PM
 #19

>> Below is the transaction of someone sent my 8.08 coins to an unknown address
>> 4/15/20 02:39 Confirmed (151 confirmations). Sent to (no label) 3KkktVYUaCR52oZUdZzpuXFMvqpLmYFaqA -8.08120416
>
> Another in a series of sad stories, but also warning that such amount of coins should not be stored in desktop wallet, on the computer we use for everyday needs. It seems to me at first that this was not an accidental attack, but that you were the intended target. All those who knew you had so much BTC are suspicious, no matter how much you trust them. I would personally go in that direction, though it is something that would require a thorough investigation and resources that you probably do not have.
>
> Part of your BTC is now on this address https://www.blockchain.com/btc/address/38sDP6DuzMkp8NBxX2XhgF8eLWRoWTHHUo , and you can try to report them, but it is possible that the hacker has already sold them, and they have a new legitimate owner.



 I'm an optimist.  I learn from my mistakes and move on.  I don't feel bad about this.
joniboini
April 20, 2020, 05:56:59 AM
 #20

> But hackers are more smarter than us, likely they will not leave any clue to fund them.

Just like everybody else, they make mistakes sometimes. Keeping logs like this is not a bad idea, just in case they'll use the same address, or mistakenly connect a different address and send it to a known exchange address. There's nothing to lose here, might as well do it.
