BTC stolen from Trezor!!

[Mike-miner]

Hi guys,

I need some help! Yesterday i made a transaction from my Trezor wallet to Bitrefill. This software is installed in the Trezor and gives you the option to buy vouchers. At the moment that i bought these vouchers my complete BTC wallet got emptied!! So it looks like a hack.....i assume Bitrefill is accountable for this but i'm still waiting for the reply from Trezor. I can tell you this is bad situation and i need to take legal action because this is a mayor volume that got hacked!

If you can help or advise it would be great! I'm offering 1 BTC for the person that can help me restore my coins!

regards!

[DaveF]

Bitrefill is not responsible for anything. Your wallet, your Trezor, your responsibility.

With that being said, can you provide the TXID of your transaction?

What wallet were you using with your Trezor?
There are some that are having issues with the latest firmware see here:

https://bitcointalk.org/index.php?topic=5255625.0

-Dave

[AdolfinWolf]

I can tell you this is bad situation and i need to take legal action because this is a mayor volume that got hacked!

If you can help or advise it would be great! I'm offering 1 BTC for the person that can help me restore my coins!

regards!

It seems highly unlikely that Bitrefill could have done anything which gave them access to your bitcoin.

More likely your computer is infected, and thus they were somehow able to get to your trezor when you connected it.

If you've really lost a significant amount of money, I suggest you try and contact some experts who can perhaps physically look at what the culprit is. If there has been an exploit within trezor (as i'm reading above? I'm not sure i haven't been following them), there might be a case there?

I doubt you'll see your money back though.

[OmegaStarScream]

What wallet were you using with your Trezor?

Apparently, he bought the vouchers directly from Trezor's web wallet: https://blog.bitrefill.com/trezor-integrates-bitrefill-953ad0afec4c
@OP Bitrefill cannot take your funds without you confirming the transaction from the device. Was your wallet emptied after you received the vouchers or everything was taken when you made the first transaction? If the latter, then as mentioned above, you probably have malware (clipboard hijacking).

[bob123]

Please provide all necessary information as mentioned in the pinned topic: [READ BEFORE POSTING] Tech Support Help Request Format

Most likely one of these 2 options happened:

1) Your PC is infected with malware and it created a transaction sending everything to the attackers Address. And you didn't check the transaction (address, amount) on your device and just pressed "send".
2) Someone got access to your trezor or the mnemonic code.

Could you answer these questions please:

• Did you double and triple check the transactin on your trezor?
• How did you backup your mnemonic code? Digitally?
• Did you initially create the seed and mnemonic code on the trezor device?
• Did anyone have access to your trezor?

 

[bitmover]

How did you backup your mnemonic code? Digitally?
Did you initially create the seed and mnemonic code on the trezor device?
 

Most likely one of the two were the problem, or both.

Using a hardware wallet means nothing if the user saves the seed digitally.

[BitMaxz]

Hi guys,

I need some help! Yesterday i made a transaction from my Trezor wallet to Bitrefill. This software is installed in the Trezor and gives you the option to buy vouchers. At the moment that i bought these vouchers my complete BTC wallet got emptied!! So it looks like a hack.....i assume Bitrefill is accountable for this but i'm still waiting for the reply from Trezor. I can tell you this is bad situation and i need to take legal action because this is a mayor volume that got hacked!

If you can help or advise it would be great! I'm offering 1 BTC for the person that can help me restore my coins!

regards!

How did you know that your wallet is emptied? Your wallet might be not syncing properly that's why the wallet balance is not showing properly. Check that first...

Like the above said before you made a payment to Bitrefill it should show something on the Trezor screen to confirm the amount and the address where you send or pay.

This is what it looks like:


If it shows in your Trezor with a proper amount of BTC your wallet shouldn't be emptied.

Much better post the transaction ID of this transaction here and let us review your transaction and maybe you sent all of your balances that's why all of your balance is gone.

[Btcspot]

 Hi mike I would think this could be bitrefills fault or you made error on Trezor. Try contacting Bitrefill here: https://www.bitrefill.com/contact/?hl=en
 Also I would try resetting your Trezor and reinstalling your wallet here: https://wiki.trezor.io/User_manual:Recovery
 Maybe its a glitch with the display somehow. Let me know how it is going.

[The Cryptovator]

Transaction shouldn't broadcast if you do not confirm from your device. So during payment process did you noticed the amount and address? Had you checked on block explorer if all the amount has sent to the same address from where you bought voucher? If your wallet synchronized correctly then transaction details should be there either balance should be there. Please share more details including transaction details. Perhaps you would notice any suspicious transaction on history.

By the way, if transaction has been broadcasted on the blockchain and at least there is 1 confirmation then your fund has gone. Bitcoin is irreversible and couldn't be refund with any cost. Don't fall into second scam in order to recover your funds.

[AdamBlade]

Transaction shouldn't broadcast if you do not confirm from your device. So during payment process did you noticed the amount and address? Had you checked on block explorer if all the amount has sent to the same address from where you bought voucher? If your wallet synchronized correctly then transaction details should be there either balance should be there. Please share more details including transaction details. Perhaps you would notice any suspicious transaction on history.

By the way, if transaction has been broadcasted on the blockchain and at least there is 1 confirmation then your fund has gone. Bitcoin is irreversible and couldn't be refund with any cost. Don't fall into second scam in order to recover your funds.

I correctly understood that the main thing is directly to sync the wallet, because I have a similar situation?

[philipma1957]

Hi guys,

I need some help! Yesterday i made a transaction from my Trezor wallet to Bitrefill. This software is installed in the Trezor and gives you the option to buy vouchers. At the moment that i bought these vouchers my complete BTC wallet got emptied!! So it looks like a hack.....i assume Bitrefill is accountable for this but i'm still waiting for the reply from Trezor. I can tell you this is bad situation and i need to take legal action because this is a mayor volume that got hacked!

If you can help or advise it would be great! I'm offering 1 BTC for the person that can help me restore my coins!

regards!

guys if it looks like a troll

if it acts like a troll

its a troll

here is 9200 reward I lost serious money  please help.

then no reply at all = troll

[bob123]

Transaction shouldn't broadcast if you do not confirm from your device.

A transaction not only shouldn't be broadcasted, but can't be broadcasted until you confirm it on your device.
The signing process only happens after confirming the transaction. You can't broadcast an unconfirmed transaction (theoretically you can, but it can't be included into a valid block).

[Mike-miner]

Hi guys,


Thanks for all input but there are still many questions. First of all trezor gave me the explanation that i got hacked because i entered the incorrect website https://wallet.trczor.com/

However the browser history shows a visit to this fake website one hour prior to the hack. On the time of the hack the browser history shows i was on the correct and legit Trezor website. In addition my Trezor transaction sheet shows a payment to Bitrefill and at exactly the same time a transaction (hack) which lead to the hack of 28+ BTC!!

https://www.blockchain.com/btc/address/3FRVjBLarohsczz15uWsBhxPPeZHY5Ngdm 

https://imgur.com/Kz8PBq2

There seems to be no reply from Bitrefill but i think it's very suspicious that these 2 transactions were done at exactly the same time.

However it would be great if you can help me finding these scammers! I offer a reward of 1 BTC if anyone can heklp me get these coins back!

[Lucius]

Thanks for all input but there are still many questions. First of all trezor gave me the explanation that i got hacked because i entered the incorrect website https://wallet.trczor.com/

However the browser history shows a visit to this fake website one hour prior to the hack. On the time of the hack the browser history shows i was on the correct and legit Trezor website. In addition my Trezor transaction sheet shows a payment to Bitrefill and at exactly the same time a transaction (hack) which lead to the hack of 28+ BTC!!

When you were on the fake page did you enter your seed/passphrase or maybe you download the firmware? The site itself shouldn't do any harm to your hardware wallet, but it's possible that you infected your computer with some malware or keylogger, so that the moment you were on the legitimate site and made a transaction to Bitrefill, the hacker used it to perform one unauthorized transaction.

What’s weird is that the hacked coins didn’t move from the address they were moved to, which reminds me of this case Fraudulent transaction along with the correct one(Ledger Nano S + Electrum). Of course it's about another HW and Electrum, but the similarity is that in both cases coins are not moved from alleged hacker address.

Therefore, there is a possibility that these 28+ BTCs are still in Trezor, but they are hidden in some strange path. For more information visit this link -> Change path protection.

[bitmover]

Hi guys,


Thanks for all input but there are still many questions. First of all trezor gave me the explanation that i got hacked because i entered the incorrect website https://wallet.trczor.com/

However the browser history shows a visit to this fake website one hour prior to the hack. On the time of the hack the browser history shows i was on the correct and legit Trezor website. In addition my Trezor transaction sheet shows a payment to Bitrefill and at exactly the same time a transaction (hack) which lead to the hack of 28+ BTC!!

https://www.blockchain.com/btc/address/3FRVjBLarohsczz15uWsBhxPPeZHY5Ngdm 

After reading your history, I think I will split my few BTCs in some different seeds in my ledger nano. There is also a functionality in ledger nano which allows you to keep 2 wallets using 2 different pins (one with a passphrase)

All in the same wallet is dangerous, even for a hardware wallet...

[Mike-miner]

@Lucius,

I think the explanation you give looks legit. That was the question i had because as you can see in the transaction summary two transactions were done exactly at the same time. One is legit to Bitrefill for some vouchers and the other transaction is the hack. The thing that upsets me te most is the fact that the Trezor can be so easily hacked! There should be more protection since i have lost all confidence in using a hardware wallet.

But i also noted that the coins weren't moved.....It would be great if there is somebody/company that can track this wallet ID.....I might need to check the change path protection issue. If you can provide me with more help i would appreciate it!

[Lucius]

I am not technically skilled enough to go deeper into this issue and say that in your case exactly what I wrote about in the previous post happened, but let's say that there is a possibility that this is exactly the case. Some call it a ransome attack, because the attacker did not steal the coins, but just hid them deep and knows which path they are on. But if no one has contacted you, then it could only be some malicious person or some as yet undiscovered bug.

What is certain is that both major manufacturers were warned back in 2018 of this attack, and that they are both (Ledger&Trezor) reacted with new firmware that was supposed to make it somewhat impossible for the user's funds to be irretrievably lost. What they did was actually to reduce number of key index to the extent that it is possible to break it with brute force.

If you read the link to the change path attack, then you could see something like this 44'/0'/234454354'/545343432/4654657657 , and you see that is an almost impossible brute force with today’s technology.

I guess you have firmware for your Trezor which is v2.0.9 or above (Model T) since they say Trezor One is never been vulnerable. From what I read Trezor should show you "key index for every address generated", which would mean that you could theoretically find the target path of the address where your coin is located. What I can't say is how to do it, is it possible through the Trezor UI, or should you use some special tool (maybe Ian Coleman tool (use only offline version) - https://github.com/iancoleman/bip39).

I would definitely send another ticket to Trezor support and shared this information with them.

Another interesting article -> A Ransom Attack on Hardware Wallets

[NotATether]

The transaction of the hack seemed to have been made before the bitrefill transaction, according to your screenshot. This transaction in particular, is where the all the coins moved to some other address https://www.blockchain.com/btc/tx/4e0d485f46cac908dab8bdc4cb6ba844aa52013ec599f3dad1616bb24e3b54bd. If it's indeed a hack then it's a strange kind of hack because I always thought a malicious transaction takes place after a real one is made, and then it's moved out using pay-to-many. It's more likely the coins are on a different key derivation path as Lucius mentioned.

The wallet ID of the hacker's, or the path's, wallet your money was moved to, according to wallet explorer, begins with 08506551a4 https://www.walletexplorer.com/wallet/08506551a41cb881. I'm not sure how useful this info will be to you but I thought I would chime in since you asked for the wallet ID.

You might also want to alter the address_index to different numbers and see if your coins are there, since that part of the key derivation path can be changed to any number but give you a different wallet. Quote on ethereum stack exchange below, but it's in the context of bitcoin and HD wallets so it's relevant to this problem.

Full path: m/44'/60'/0'/0'/0

What each number represents: m / purpose' / coin_type' / account' / change / address_index

[HCP]

The transaction of the hack seemed to have been made before the bitrefill transaction, according to your screenshot.

... but i think it's very suspicious that these 2 transactions were done at exactly the same time.

That was the question i had because as you can see in the transaction summary two transactions were done exactly at the same time.

Just for the record... the 2 transactions were NOT sent at the exact same time. The timestamp you are seeing:


... is the timestamp of the block that they were both included in:
https://www.blockchain.com/btc/block/638459


(NOTE: this timestamp is in UTC... and I believe you are in UTC-10 based on the timezone conversion from July 10th 01:41 UTC -> July 9th 15:41 as shown on your Trezor transaction screenshot)


However, if we look at the 2 transactions... we have:

Payment to Bitrefill: https://www.blockchain.com/btc/tx/86d9576d267330fe19dad050b17b67251c14c1c4b2c73f7225b6128ab42f67f7

This was received by blockchain.com at: 2020-07-10 00:58 UTC



Funds being "Stolen":

This was received by blockchain.com at: 2020-07-10 01:27 UTC



So the 2nd transaction actually seems to have happened nearly 30 mins after the bitrefill transaction was broadcast.


Likely your seed was compromised in some way when you accessed the fake website... did you enter your seed at all?

[rexxarofmoknathal]

Bitrefill is a legitimate company, you were almost certainly just rekt by a phisher or some other malware.

You should scroll back through your history to check the link where you found the software you installed.

Send it to us here so we can analyze it.