DannyHamilton (OP)
Legendary
Offline
Activity: 3486
Merit: 4801
|
|
May 09, 2014, 06:11:24 PM |
|
I suppose this doesn't belong in this forum, but I need it to be seen quickly by a lot of people. Feel free to move it to a better forum if necessary:
I just did a transaction with someone (I was the sender), and the bitcoins were immediately transferred out of their wallet.
Does anyone recognize the address: 13CChHmYHDMCfFpVDjnpEPfsijUUjjcccc?
Is there any chance of this being a white-hat hacker?
If we can get these 2.24422442 bitcoins back, it would really be appreciated.
- Danny
|
|
|
|
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
|
|
May 09, 2014, 06:17:50 PM |
|
Do you know which wallet the receiver was using? If it was a blockchain.info wallet, it's possible that his account/private keys got compromised. I found the culprit: http://www.hackforums.net/showthread.php?tid=3973147&page=18 He's using Java drive-bys, so it might be possible that your client's PC got compromised if he was using Java.
|
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:20:10 PM |
|
Do you know which wallet the receiver was using? If it was a blockchain.info wallet, it's possible that his account/private keys got compromised.
Yes, he's using blockchain.info. I'm pretty sure that his private keys are compromised. I was hoping that just maybe it was compromised by a white-hat hacker, but I realize how unlikely that is. He's in a bit of a panic, and I'm doing what I can to help him. I understand how dire the situation is, but if there's any chance of getting these bitcoins back it would obviously be appreciated.
|
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:21:15 PM |
|
Note:
The address 13CChHmYHDMCfFpVDjnpEPfsijUUjjcccc is the thief's address that the bitcoins were moved to. That's why I was hoping the address might be familiar to someone.
|
|
|
|
escrow.ms
|
|
May 09, 2014, 06:23:00 PM |
|
His Skype and email address: themad2403@live.com
I'll try to talk to him.
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
|
|
May 09, 2014, 06:27:55 PM |
|
Man, that's too bad... I hope the thief will have a change of heart and give back at least some of those coins.
|
|
|
|
escrow.ms
|
|
May 09, 2014, 06:31:00 PM |
|
Please ask your customer to scan his laptop/PC as soon as possible, and he should change the passwords of his accounts on a different PC which is safe.
|
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:35:21 PM |
|
Thanks. I feel really bad for this guy. He's sitting across the table from me in a bit of a panic, and I feel pretty helpless.
|
|
|
|
Polycoin
|
|
May 09, 2014, 06:36:16 PM |
|
Thanks. I feel really bad for this guy. He's sitting across the table from me in a bit of a panic, and I feel pretty helpless.
Is he physically sitting across the table from you?
No Trolling: There should be software to track down bitcoin addresses etc. *Heads up to software developers, make that software*
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:39:12 PM |
|
Please ask your customer to scan his laptop/PC as soon as possible, and he should change the passwords of his accounts on a different PC which is safe.
I've already explained the importance of using a safer option (such as Armory, Electrum offline, or paper wallets created offline) for amounts that would be devastating to lose. I've also already explained that he should avoid bitcoin completely until he is certain that he can keep them secure. We looked through his laptop a bit, and didn't find much that would explain the theft. The closest we could find was an IE addon called WebCake that neither of us knew what it was.
|
|
|
|
Polycoin
|
|
May 09, 2014, 06:41:14 PM |
|
Please ask your customer to scan his laptop/PC as soon as possible, and he should change the passwords of his accounts on a different PC which is safe.
I've already explained the importance of using a safer option (such as Armory, Electrum offline, or paper wallets created offline) for amounts that would be devastating to lose. I've also already explained that he should avoid bitcoin completely until he is certain that he can keep them secure. We looked through his laptop a bit, and didn't find much that would explain the theft. The closest we could find was an IE addon called WebCake that neither of us knew what it was.
No Trolling: Did he open up any emails or anything sent to him? It is possible and very easy to disguise keyloggers in attachments such as documents and even pictures (only if you download them though; viewing on Google Drive is safe). He might have a hidden keylogger on his computer. Have him go through past emails/anything he downloaded from them, or even from the internet.
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:41:43 PM |
|
Is he physically sitting across the table from you?
Yes, literally physically. We are sitting at a table together. He is clearly in a bit of a panic over this. This is quite clearly more bitcoins than he can afford to comfortably lose. I'm doing what I can to help him, but it's not a good situation. He checked to make sure he had his bitcoins. Then he handed me the cash. Then he went to send the bitcoins from his blockchain.info wallet to some other address, and noticed that they were gone from his blockchain.info wallet.
|
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:44:32 PM |
|
He might have a hidden keylogger on his computer.
Yes, he might. I'm not sure how to tell if he does or not. He and I had a transaction about 3 weeks ago with no problem. He claims he hasn't installed anything since, and that he ran a virus scan yesterday. Regardless, it is clear that the bitcoins were taken. Finding out how is secondary. Finding out if we can get them back (or finding out who) is the primary goal. If he can figure out who, he might just be angry enough to employ a rubber hose collection technique.
|
|
|
|
|
shawshankinmate37927
|
|
May 09, 2014, 06:47:09 PM |
|
The closest we could find was an IE addon called WebCake that neither of us knew what it was.
Was he using IE to access blockchain.info?
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:48:07 PM |
|
The closest we could find was an IE addon called WebCake that neither of us knew what it was.
Was he using IE to access blockchain.info?
Yes. This was the first time he used IE to access his blockchain.info wallet. In the past he has always used Chrome.
|
|
|
|
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
May 09, 2014, 06:48:28 PM |
|
This sucks. As great as Bitcoin is if people feel it's too complex to use securely they'll shy away from it. I was contemplating starting a blog to help people secure their coins, answer questions etc. but haven't had the time.
Multisignature wallet solutions should help this security problem tremendously. I feel like we're right in the transition from crazy wild west to more predictable, controllable user experience. People say this will be the year of multisig wallets and I expect that's true.
The closest we could find was an IE addon called WebCake that neither of us knew what it was.
It appears WebCake is malware: http://malwaretips.com/blogs/webcake-virus-removal/
Often people trying to gain access to some facet of a system can piggyback on some existing vulnerability, just as real world viruses can open up the immune system to other bugs. Either way if this person isn't savvy enough to keep his machine free from basic viruses then that explains why he is likely easy picking.
|
|
|
|
escrow.ms
|
|
May 09, 2014, 06:50:15 PM Last edit: May 09, 2014, 07:04:03 PM by escrow.ms |
|
I tried to talk but he blocked me on Skype. I'll try to contact him on hackforums. PS: I forgot to tell you that since he's from hf he might be using a FUD RAT/trojan, so it will not get detected by AV easily, and he might be using Betabot, which has a rootkit etc. Please ask your client to take help from malware removal experts. http://www.geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
|
|
|
|
Stevenrm87
|
|
May 09, 2014, 06:50:32 PM |
|
Take the $1000 loss as a learning experience. Or pretend you went out and had fun last night.
|
|
|
DannyHamilton (OP)
|
|
May 09, 2014, 06:51:39 PM |
|
This sucks. As great as Bitcoin is if people feel it's too complex to use securely they'll shy away from it. I was contemplating starting a blog to help people secure their coins, answer questions etc. but haven't had the time.
Multisignature wallet solutions should help this security problem tremendously. I feel like we're right in the transition from crazy wild west to more predictable, controllable user experience. People say this will be the year of multisig wallets and I expect that's true.
The closest we could find was an IE addon called WebCake that neither of us knew what it was.
It appears WebCake is malware: http://malwaretips.com/blogs/webcake-virus-removal/
Often people trying to gain access to some facet of a system can piggyback on some existing vulnerability, just as real world viruses can open up the immune system to other bugs. Either way if this person isn't savvy enough to keep his machine free from basic viruses then that explains why he is likely easy picking.
Yes, we all understand that this happened because he was unable to secure his computer against bitcoin threats. He is VERY PAINFULLY aware of that himself right now. I didn't open this thread to point out what he did wrong. I was just hoping that the owner of 13CChHmYHDMCfFpVDjnpEPfsijUUjjcccc might *just maybe* be a white-hat hacker, or that the hacker was dumb enough to already be identified (like that Marcus guy on localbitcoins).
|
|
|
|
|