Bitcoin Forum
Author Topic: All assets from Bitcoin Core wallet stolen  (Read 247 times)
zzz88789 (OP)
Newbie
Activity: 2
Merit: 3
March 04, 2021, 06:35:25 AM
Merited by OmegaStarScream (2), ABCbits (1)
#1

Hello!

In January I downloaded a new version of the Bitcoin Core wallet from https://bitcoincore.org/. After waiting almost 3 weeks for the node to fully synchronise and to see the wallet's balance, I discovered that in the meantime, on 11/02, all my assets that were stored in Bitcoin Core (v0.20.1) had been stolen to the SegWit address bc1qz6k55y7z20azt596u80mtp0p53v9qnrj534t3k. I have never shared anything (seeds or private keys) regarding my BTC wallet address and thought that funds were safe when using a full-node wallet.

How could this happen? What can I do to still use this wallet to receive my pending mining rewards, which are still linked (and cannot be "un-linked") to the address from which the funds were stolen?

Any suggestions would be much appreciated.

OmegaStarScream
Staff
Legendary
Activity: 3486
Merit: 6144
March 04, 2021, 06:44:12 AM
#2

AFAIK, the site you downloaded from is legit and is maintained by the Bitcoin Core developers. Your computer is probably infected, and if the attacker has your private key, then there is nothing preventing him from stealing your mining rewards again.

zzz88789 (OP)
Newbie
Activity: 2
Merit: 3
March 04, 2021, 07:10:52 AM
#3

Thank you for your response. I cannot see that the PC would be infected (using Avast and Microsoft Defender/Firewall with weekly scheduled scanning for viruses and malware). How could someone have gotten knowledge of the private keys? Was the reason that the Core node (and wallet) had to be open for several weeks for it to be synchronized?

As the linked mining address cannot be changed for already pending mining assets, I can only hope to be quicker and withdraw the mining deposit to another address as soon as it arrives? Can I still use the same Core version to make a new address (in order to make the deposit/withdrawal from the compromised one to a new one), or is it better to download a new version?
joniboini
Legendary
Activity: 2198
Merit: 1792
March 04, 2021, 08:23:05 AM
#4

Quote from: zzz88789 on March 04, 2021, 07:10:52 AM
How could someone have gotten knowledge of the private keys? Was the reason that the Core node (and wallet) had to be open for several weeks for it to be synchronized?

I doubt that's the case; if that were true, many clients would be compromised already. Synchronization is required since you're running a full node. Make sure you verify your downloaded files by following the guide on https://bitcoincore.org/en/download/.

As Omega mentioned above, there is likely malware, a virus, a keylogger, or some other form of malicious software on your computer. I'd reinstall the OS after doing a full wipe and create a new wallet ASAP. Using the latest client would be preferable, but even if you use the old version there should be no problem (as long as the malware etc. has been wiped out). CMIIW.

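The verification step joniboini points to above (the guide on bitcoincore.org) has two parts: check the signatures on SHA256SUMS, then check the archive's hash against that signed list. The following is an added example written for this page, not code from the thread or from the Bitcoin Core project. The archive files and the SHA256SUMS text it checks are constructed fixtures, not real release artifacts, and the file names are placeholders. It also covers the case the guide does not spell out: a file whose name is not in the signed list at all.

```python
"""Added example (not from the thread or Bitcoin Core): the download checks
from bitcoincore.org/en/download/, run against constructed fixtures."""
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def file_sha256(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so a large archive is not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines: '<hex>  <name>' (two spaces; a leading '*'
    on the name marks binary mode). Returns name -> lowercase hex digest."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_archive(sums_text: str, archive: Path) -> str:
    """Returns 'ok', 'mismatch' or 'unlisted'. An unlisted file name is as much
    of a red flag as a bad hash: the signed list does not vouch for it at all."""
    expected = parse_sha256sums(sums_text).get(archive.name)
    if expected is None:
        return "unlisted"
    return "ok" if file_sha256(archive) == expected else "mismatch"


def count_good_signatures(sig: Path, sums: Optional[Path] = None) -> int:
    """The signature check, which has to come before the hash check: a hash
    match against an unsigned or attacker-signed SHA256SUMS proves nothing.
    Releases since 22.0 ship a detached SHA256SUMS.asc with several signers;
    0.20.x shipped one clearsigned SHA256SUMS.asc (pass sums=None for that).
    gpg's exit status is a poor signal on the multi-signer file (it fails when
    any signer's key is simply absent from your keyring), so count 'Good
    signature' lines and require a threshold chosen in advance, from keys you
    imported and checked out of band. Needs gpg on PATH; not run by demo()."""
    cmd = ["gpg", "--verify", str(sig)] + ([str(sums)] if sums else [])
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stderr.count("Good signature")


def build_fixtures(workdir: Path) -> Tuple[str, List[Path]]:
    """Constructed stand-ins for release artifacts (not real Bitcoin Core files):
    one genuine archive, one installer whose bytes differ from the signed hash,
    and one file the list never mentions."""
    good = workdir / "bitcoin-0.20.1-x86_64-linux-gnu.tar.gz"
    trojaned = workdir / "bitcoin-0.20.1-win64-setup.exe"
    unlisted = workdir / "bitcoin-0.20.1-win64-setup-mirror.exe"
    good.write_bytes(b"constructed stand-in for the genuine linux archive\n")
    trojaned.write_bytes(b"constructed stand-in for a tampered windows installer\n")
    unlisted.write_bytes(b"constructed installer from an unofficial mirror\n")
    genuine_win = hashlib.sha256(
        b"constructed stand-in for the genuine windows installer\n").hexdigest()
    sums = (f"{file_sha256(good)}  {good.name}\n"
            f"{genuine_win}  {trojaned.name}\n")
    return sums, [good, trojaned, unlisted]


def demo() -> Dict[str, str]:
    """Run the hash check over the fixtures; returns file name -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        sums, files = build_fixtures(Path(tmp))
        return {f.name: verify_archive(sums, f) for f in files}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

The order matters: running verify_archive against a SHA256SUMS you have not first checked with count_good_signatures (or with gpg by hand) only tells you the download matches whatever list the server, or whoever sits between you and it, chose to publish.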
ranochigo
Legendary
Activity: 2982
Merit: 4193
March 04, 2021, 10:18:31 AM
#5

Quote from: zzz88789 on March 04, 2021, 07:10:52 AM
Thank you for your response. I cannot see that the PC would be infected (using Avast and Microsoft Defender/Firewall with weekly scheduled scanning for viruses and malware). How could someone have gotten knowledge of the private keys?

Antiviruses are not impenetrable. It's entirely possible that it was a well-designed malware. Did anyone else have physical access to your computer besides you?

Quote from: zzz88789 on March 04, 2021, 07:10:52 AM
Was the reason that the Core node (and wallet) had to be open for several weeks for it to be synchronized?

Yes.

Quote from: zzz88789 on March 04, 2021, 07:10:52 AM
As the linked mining address cannot be changed for already pending mining assets, I can only hope to be quicker and withdraw the mining deposit to another address as soon as it arrives? Can I still use the same Core version to make a new address (in order to make the deposit/withdrawal from the compromised one to a new one), or is it better to download a new version?

You should back up important files and wipe your computer first. You can install Bitcoin Core again and import the compromised wallet.dat for the sole purpose of withdrawing the funds that have yet to be sent. If the attackers are any smarter, they would probably be faster than you and use a script to monitor the addresses.

DannyHamilton
Legendary
Activity: 3388
Merit: 4653
March 04, 2021, 02:12:29 PM
Merited by Jet Cash (5), ABCbits (1)
#6

Have you installed any wallets for any altcoins on the same computer?  Have you installed any mining software for Bitcoin or any altcoins? Have you installed any pirated software (or any software that you didn't purchase from an appropriate retail seller)?

Many of those could EASILY have a wallet stealer built into them without triggering any malware or virus scanner.

Also, did you password protect your wallet with a strong password?  Did you create a backup of your wallet and store it somewhere unsecured (such as an email inbox)?
seoincorporation
Legendary
Activity: 3164
Merit: 2947
March 04, 2021, 07:17:56 PM
#7

Have you considered an inside job? If you say that your computer was syncing for several weeks, then maybe someone got physical access to that machine and was able to get the private keys.

Maybe you have an antivirus and all that stuff, but you know how vulnerable Windows is; having an antivirus doesn't give full protection at all. Next time use a virtual machine and Linux to run the full node. That's the secure way to do it.

nc50lc
Legendary
Activity: 2422
Merit: 5614
March 05, 2021, 02:54:38 AM
#8

Quote from: zzz88789 on March 04, 2021, 06:35:25 AM
-snip- I discovered that in the meantime, on 11/02, all my assets that were stored in Bitcoin Core (v0.20.1) had been stolen to the SegWit address bc1qz6k55y7z20azt596u80mtp0p53v9qnrj534t3k. I have never shared anything (seeds or private keys) regarding my BTC wallet address and thought that funds were safe when using a full-node wallet.
-snip-
Any suggestions would be much appreciated.

Which of the transactions to bc1qz6k55y7z20azt596u80mtp0p53v9qnrj534t3k is yours?
But since you've mentioned "mining address" and "can't be changed", I'd take it that yours is the one from this address: 1Jucx1ny7mpxWwTfqVt4LTNyT4NPeosDs6

My question: is that a vanity address? If yes, where/how did you create it?
Because there are a couple of online sites where you can create compromised vanity addresses.

BTCtester.com
Newbie
Activity: 26
Merit: 4
April 23, 2021, 06:34:26 PM
#9

For address bc1qz6k55y7z20azt596u80mtp0p53v9qnrj534t3k there are connections to the Binance exchange (7 hops after the thief's initial transaction). There also seem to be connections to Poloniex and coinpayments.net.
But to really analyse it deeply and document evidence is not something that can be done in an hour or so.
So I'm sorry for your loss, but the costs of tracing and later legal action would be too high in comparison with your loss.
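The "7 hops" figure in the post above is a shortest path through the transaction graph from the theft address to an address attributed to an exchange. The following is an added example of that walk, written for this page; it is not BTCtester.com's tooling and uses no real chain data. Every txid, address and exchange tag in it is constructed. It goes one step further than the post: it counts how many hops on the path cross a transaction with several inputs, because a funds-flow edge drawn through a joined spend only says the coins could have gone that way, not that they did.

```python
"""Added example (not from the thread, not real chain data): breadth-first hop
counting from a theft address to tagged exchange deposit addresses, over a
constructed transaction graph."""
from collections import deque
from typing import Dict, List, Tuple

# Constructed transactions as (txid, input addresses, output addresses).
# Names are placeholders; none of this is from the chain.
TXS: List[Tuple[str, List[str], List[str]]] = [
    ("tx_theft", ["victim"], ["thief"]),                  # the theft itself
    ("tx_split", ["thief"], ["a1", "a2"]),                 # thief splits the loot
    ("tx_a", ["a1"], ["a3"]),
    ("tx_b", ["a3"], ["a4"]),
    ("tx_c", ["a4"], ["exA_dep"]),                         # reaches an exchange deposit
    ("tx_join", ["a2", "s1", "s2"], ["j1", "j2", "j3"]),   # joined spend with two strangers
    ("tx_d", ["j1"], ["exB_dep"]),
    ("tx_e", ["j3"], ["exC_dep"]),                         # a stranger's coins, most likely
]

# Constructed attribution: deposit address -> exchange. In practice these tags
# come from test deposits, a vendor's labels, or the exchange itself.
TAGS: Dict[str, str] = {"exA_dep": "ExchangeA", "exB_dep": "ExchangeB",
                        "exC_dep": "ExchangeC"}

Edge = Tuple[str, str, int]  # (txid, output address, number of inputs in that tx)


def build_graph(txs: List[Tuple[str, List[str], List[str]]]) -> Dict[str, List[Edge]]:
    """Directed 'funds may have flowed' edges from every input address of a
    transaction to every output address of the same transaction."""
    graph: Dict[str, List[Edge]] = {}
    for txid, ins, outs in txs:
        for src in ins:
            for dst in outs:
                graph.setdefault(src, []).append((txid, dst, len(ins)))
    return graph


def trace_to_tags(txs: List[Tuple[str, List[str], List[str]]], start: str,
                  tags: Dict[str, str], max_hops: int = 10) -> Dict[str, dict]:
    """BFS from `start`; the first arrival at a tag is its minimum hop count.
    weak_hops counts hops that cross a multi-input transaction, where several
    parties' coins merge: such an edge is a lead, not evidence. A tag reachable
    only through weak hops (ExchangeC here) may have nothing to do with the
    thief at all."""
    graph = build_graph(txs)
    found: Dict[str, dict] = {}
    seen = {start}
    queue = deque([(start, [], 0)])  # (address, txids walked so far, weak hops)
    while queue:
        addr, path, weak = queue.popleft()
        label = tags.get(addr)
        if label is not None and label not in found:
            found[label] = {"address": addr, "hops": len(path),
                            "path": path, "weak_hops": weak}
        if len(path) >= max_hops:
            continue
        for txid, nxt, n_inputs in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [txid], weak + (1 if n_inputs > 1 else 0)))
    return found


if __name__ == "__main__":
    for exchange, hit in trace_to_tags(TXS, "thief", TAGS).items():
        print(f"{exchange}: {hit['hops']} hops ({hit['weak_hops']} weak) "
              f"via {' -> '.join(hit['path'])} to {hit['address']}")
```

Real tracing starts from the actual spending transactions (a node's RPC or an explorer) and would first cluster the thief's own addresses, for instance by the common-input heuristic, before walking forward; neither step is shown here. The weak-hop count is the reason a hop count alone is a starting point for contacting an exchange rather than proof of who holds the coins.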