My more than 2 bitcoins got stolen just 2 days ago.

[Lucius]

@mbLI, most of the victims come to terms with the fact that they were hacked and that their coins disappeared without a trace, but I think that you should still try to find out something and if you're lucky, maybe you can return some or all of the funds that were stolen from you.

When I mention luck, I mostly mean that your hacker made a mistake somewhere in the steps and maybe even used his real data on that CEX. That would be really stupid, but not all hackers are intelligent enough to know how to hide their tracks. What is "good" in the whole matter is that you are obviously not the only victim, and if investigations are opened in several countries, the chances increase that the hacker will still be discovered.

As for the reason you were hacked, now you know that the seed (backup) should never be stored on devices that have access to the internet.

[mbLI]

@mbLI, most of the victims come to terms with the fact that they were hacked and that their coins disappeared without a trace, but I think that you should still try to find out something and if you're lucky, maybe you can return some or all of the funds that were stolen from you.

When I mention luck, I mostly mean that your hacker made a mistake somewhere in the steps and maybe even used his real data on that CEX. That would be really stupid, but not all hackers are intelligent enough to know how to hide their tracks. What is "good" in the whole matter is that you are obviously not the only victim, and if investigations are opened in several countries, the chances increase that the hacker will still be discovered.

As for the reason you were hacked, now you know that the seed (backup) should never be stored on devices that have access to the internet.

Yeah, that's my only hope there. But it will help only if the police will work on this. And at the moment they do not.

As for the seed - yeah, now I know. I thought, that the wrong words sequnce will help. Also, couldn't realise that this can be done within few minutes - to scan the whole PC for the text files, which contains something looking like SEED phrase - I still can't understand - how techincally it can happen. I have 1 Tb of files here.

[Z-tight]

As for the seed - yeah, now I know. I thought, that the wrong words sequnce will help. Also, couldn't realise that this can be done within few minutes - to scan the whole PC for the text files, which contains something looking like SEED phrase - I still can't understand - how techincally it can happen. I have 1 Tb of files here.

I'm sorry that you had to lose your funds to learn the lesson that: anything that is stored online is prone to hacking, even if it is a 12 word seed phrase stored in the wrong order. Write your seed phrase down on paper and your wallet should be stored locally in an airgapped device or you use a hardware wallet. You don't have to understand exactly how the attack happened or the malware that the attacker used, just follow all the advice in this topic and use it to protect other funds you have or may have in the future. I hope your local police agrees to help you out in the process of recovering your funds.

[nc50lc]

Also, couldn't realise that this can be done within few minutes - to scan the whole PC for the text files, which contains something looking like SEED phrase - I still can't understand - how techincally it can happen. I have 1 Tb of files here.

All the attacker needs is to write a script that searches for specific patters for seed phrases or private keys or wallet files.
Be it in binary or plain text (eg.: "04ckey" or "03key" for keys in wallet.dat files), depending on how and what he prefers to search.
Reading a 1TB drive wont be as slow as writing something on it, specially the newer models.
One example of such script is pywallet's --recover tool that'll search the entire drive or parts of it for wallet files or private keys.
searching a 1TB drive wont take hours with that tool and it even search for deleted files, it'll be much faster if a script is designed to search only existing files.
Now, all he need is deploy a script like that with a malware or something, then remove the traces is necessary.

For the jumbled seed phrase, its falls under the limitation of the jumbled 12-words which only has possible 12! combinations.
With scripts like btcrecover's "seedrecover.py" tool and an address from your wallet which is easy to get, it can be arranged even with a home PC.

Example, I just rearranged a jumbled 12-word electrum seed phrase in just 22 minutes with a 9-year old processor (with luck):

Code:

seedrecover.py --tokenlist testseed_scramble12_electrum.txt --mnemonic-length 12 --language en --addrs bc1qsaly.....4t7p --addr-limit 2 --dsw --no-eta

Starting seedrecover 1.9.0-CryptoGuide, btcrecover 1.9.0-Cryptoguide on Python 3.11.4 64-bit, 21-bit unicodes, 64-bit ints
Using the 'en' wordlist.
2023-10-13 12:42:42 : Phase 1/1: up to 12 mistakes, 12 of which can be an entirely different seed word.
Warning: --no-eta without --no-dupchecks can cause out-of-memory failures while searching
2023-10-13 12:42:43 : Using 8 worker threads
2023-10-13 13:04:37 : ***MATCHING SEED FOUND***, Matched on Address at derivation path: m/0'/0/0
| 209083649  elapsed: 0:21:50  rate: 162.08 kP/s
2023-10-13 13:04:37 : Search Complete

It'll be significantly faster with the latest models and/or with GPU.

[Viscore]

Sorry to hear about your loss. There's no to recover the amount you lose already, so just chalk it up to experience and use it as a learning opportunity.

From the get-go, it's not a wise move to keep a large sum of money in a single wallet. Two bitcoins already constitute a substantial amount, and personally, I wouldn't even store one bitcoin in a single wallet. Electrum, while a reliable application, has had reported incidents of users losing their funds. However, it's important to note that this isn't the fault of the application itself, but rather the users' responsibility. Being cautious with your holdings is crucial.

My suggestion for the future would be to use multiple wallets. You don't have to memorize them all since that could be challenging, but it's a good strategy to minimize risk and prevent such incidents from happening again. Losing money is never a pleasant experience, especially in the current bullish market sentiment. You might end up regretting losing those 2 bitcoins, which could potentially be valued at $200k when Bitcoin reaches $100k, considering its all-time high (ATH).

[mbLI]

Thanks for the information guys. Still trying to make some steps.

[Lucius]

Yeah, that's my only hope there. But it will help only if the police will work on this. And at the moment they do not.
~snip~

I hope that your police will do something, even though it seems that they are not interested in the case or maybe they don't even understand what it is exactly about. In that case, it might be wise to seek the help of a lawyer, who again should be a person who at least somewhat understands what it is about and could convince the police to take some steps.

Another piece of advice in case someone offers you "professional help" in returning funds, be very careful with that and don't pay anyone anything in advance - they are mostly scammers who take advantage of victims like you.

[Mstfdmn]

I think I know the answer where it came from. I downloaded one software that night, and it wasn't working properly, so I deleted it straight away. I think the software contained malware. But the job was already done. Seems like it scanned my PC and got everything it needed in few minutes. The transacation was done exactly that night within few hours.

If it is not too private, can you explain what was that file or where did you downloaded it from?
Because that seems to be the most crucial part of your story.

I think I have the installation files of the software that caused the leakage of the information. Do you think it may help the police to find our where the data was sent to? Or it is not possible to track this from the software files?

Have you tried scanning that file with an antivirus program or at least with windows defender?

All the attacker needs is to write a script that searches for specific patters for seed phrases or private keys or wallet files.
Be it in binary or plain text (eg.: "04ckey" or "03key" for keys in wallet.dat files), depending on how and what he prefers to search.

Am I geting it correct, are the wallet files created by electrum includes the private keys or seed phrases when opened in plain text?

[nc50lc]

-snip-

Am I geting it correct, are the wallet files created by electrum includes the private keys or seed phrases when opened in plain text?

In Electrum, the wallet file contains the seed (for electrum generated seed) and master keys but not the individual private keys.
Those private data are in plain text only if the wallet or the secrets aren't encrypted with a password, otherwise it'll be encrypted.
The "wallet.dat" file in the example is a Bitcoin Core wallet file (non-descriptor).

[Mstfdmn]

-snip-

Am I geting it correct, are the wallet files created by electrum includes the private keys or seed phrases when opened in plain text?

In Electrum, the wallet file contains the seed (for electrum generated seed) and master keys but not the individual private keys.
Those private data are in plain text only if the wallet or the secrets aren't encrypted with a password, otherwise it'll be encrypted.
The "wallet.dat" file in the example is a Bitcoin Core wallet file (non-descriptor).

Let me ask in a simpler way:
Let's say you have an electrum wallet file that belongs to someone else and it is protected by a very strong password which you do not know.
Is it possible for you to take the funds in it?

[mbLI]

If it is not too private, can you explain what was that file or where did you downloaded it from?
Because that seems to be the most crucial part of your story.

This was VST plugin for music software. I made a mistake and simply googled it as I thought this one was very specific for hackers to use - there are too little people in the wrold who might need it. I just googled the name and "download" in the end. And used few forst links. I might even give you the links.

In Electrum, the wallet file contains the seed (for electrum generated seed) and master keys but not the individual private keys.
Those private data are in plain text only if the wallet or the secrets aren't encrypted with a password, otherwise it'll be encrypted.
The "wallet.dat" file in the example is a Bitcoin Core wallet file (non-descriptor).

Does this mean that the hacker did needed my password as well? Which I kept only in my head. Or the seed phrase itself is enough? I kept both seed phrasse and the wallet file on my laptop.

[sokani]

Thanks for the information guys. Still trying to make some steps.

I'm so sorry that you had to learn the hard way. 2 BTC is a whole lot of money and would certainly make a difference in many persons lives here. I don't think money is your problem because if you could stached up to 2 BTC in your wallet, then spending a few more dollars to get a good hardware wallet wouldn't have been an issue. You definitely didn't know that storing your seed phrase electronically was a bad practice. I hope the thief is caught and he pays for his crimes and I would also advise you to be spending more time here so that you can learn more about cyber security, wallet security, and many more.

[nc50lc]

In Electrum, the wallet file contains the seed (for electrum generated seed) and master keys but not the individual private keys.
Those private data are in plain text only if the wallet or the secrets aren't encrypted with a password, otherwise it'll be encrypted.
The "wallet.dat" file in the example is a Bitcoin Core wallet file (non-descriptor).

Does this mean that the hacker did needed my password as well? Which I kept only in my head. Or the seed phrase itself is enough? I kept both seed phrasse and the wallet file on my laptop.

The latter, the seed phrase alone is enough to restore your wallet.

My reply is about the wallet file in your drive and seed & master keys that are written on it:
If you set a password to encrypt the wallet, the wallet file and secrets will be encrypted.
If you set a password to encrypt only the secrets, secrets will be encrypted but not the wallet file.

But that password wont affect the seed phase that you've written in a text file or paper.

[Findingnemo]

Does this mean that the hacker did needed my password as well? Which I kept only in my head. Or the seed phrase itself is enough? I kept both seed phrasse and the wallet file on my laptop.

If someone gets the recovery seeds of a wallet then it can be imported on any Bitcoin wallet where it is supported, for example, electrum supports BIP-39 seeds too even though it doesn't generate that type seeds so once someone got the seeds they can simply import the wallet into their electrum by following this.

Create new wallet => standard wallet => I already have a seed => 'by entering the 12,18,24 seed words'

or whatever type the wallet is ready to be accessed.

[mbLI]

KuCoin accounts are frozen - but the won't ive any info whether there is something there or not, until I get the official law enforcement report. Dubai police is taking no actions.

Does anyone has personal contact in KuCoin who might help to get this information?

Or maybe there is some possibility to get the report from any countries' law enformecents?

[FatFork]

KuCoin accounts are frozen - but the won't ive any info whether there is something there or not, until I get the official law enforcement report. Dubai police is taking no actions.

Does anyone has personal contact in KuCoin who might help to get this information?

Or maybe there is some possibility to get the report from any countries' law enformecents?

I don't believe that personal contact with someone from KuCoin will help you in this case, as sharing such information would be against their policies. The only way, in my opinion, is to pursue legal means.

That's why I recommended you consider consulting someone who's experienced in dealing with  internet-related crimes and cryptocurrencies, like a specialized law firm. I can't speak for Dubai, but over here, I have a local contact I can turn to for legal advice, and the costs are minimal, if any. If it's not their area of expertise, they'll refer me to the right legal experts. From there, they handle all the communication with law enforcement and the courts on my behalf.

[Cricktor]

Does this mean that the hacker did needed my password as well? Which I kept only in my head. Or the seed phrase itself is enough? I kept both seed phrasse and the wallet file on my laptop.

No, the hacker doesn't necessarily need your wallet encryption password. Unless you use a strong and complex enough optional mnemonic passphrase in addition to the mnemonic recovery words to define your wallet, it is enough to steal your mnemonic recovery words for a thief to restore your complete wallet and steal your funds.

If you protect your wallet with an additional mnemonic passphrase it is of course mandatory not to save this mnemonic passphrase on the same device where the wallet is (offline only physical storage not together with your mnemonic recovery words is good practice here).

As you now learned the hard way it is no real obstacle for a thief to unmix 12 mnemonic recovery words when you have saved them on an online device. Mixing up the proper sequence of the words doesn't protect you when there are only 12 mnemonic words. With 24 randomly mixed up mnemonic recovery words the situation would be different for the thief. Such a random mixup of 24 words is not feasible to unscramble with current technology, time and energy.

[Z-tight]

Does anyone has personal contact in KuCoin who might help to get this information?

I don't think this will help, because maybe not everyone working in KuCoin will have access to the information that you are looking for, and even if you get a hold of one who does, they would probably not share the information with you. Be careful if anyone sends you a pm that they work with KuCoin after this, they are probably scammers and do not send money or private information to them.

Dubai police is taking no actions.

I don't know if you've posted it before or if i missed it, but why is the police reluctant to take any action? I feel the money lost here is huge enough for them to assist you in any little way possible.

[nc50lc]

I don't know if you've posted it before or if i missed it, but why is the police reluctant to take any action? I feel the money lost here is huge enough for them to assist you in any little way possible.

His reply about that matter is back in page 2, link: /index.php?topic=5469637.msg62969699#msg62969699
He replied to my post regarding the note that KuCoin or any other centralized exchange will require it before taking action.