|
TheFridge (OP)
|
 |
August 04, 2014, 09:14:50 PM |
|
Hey all,
I need some help, I opened my wallet to discover it had a 0 balance and no transaction history, no nothing. The wallet is synced but there is no information in the wallet. Even saved addresses are gone.
The wallet.dat file is still there.
Have I been hacked?
Im using the Windows Bitcoin core wallet. Has this happened to anyone before and what can i do about it?
Thanks
|
|
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
btchris
|
|
August 04, 2014, 09:41:33 PM |
|
If all the saved addresses are gone, I'd guess that either the wallet.dat file moved or was deleted (by accident? technical glitch? a hacker? hard to say...), or the place where Bitcoin Core is looking for the wallet.dat file changed/got reconfigured.
Usually hackers don't matter deleting the wallet.dat as far as I'm aware (they usually just transfer the Bitcoin out leaving you with a 0 balance but the same keys), so maybe that's a good sign....
Have you installed or upgrading any software on your PC recently? Do you have a backup of the wallet.dat? Did you ever intentionally choose an alternate datadir?
How much was in there (don't have to tell me, I just mean ask yourself)? If it was a lot and you have no backups, and if you're a techie yourself or if you're willing to enlist the aid of one (a friend or paid), you should probably assume a technical glitch (it's the best case) and do something drastic, like shut down your PC right now, and boot off of a rescue CD with some data recovery tools.
Otherwise, I guess I'd start by searching the whole HD for any wallet.dat file, including the Trash/Recycle Bin, in the hopes it was just an accident/technical glitch. If you do a dumpwallet via the debug console / RPC, it would be interesting to see the creation dates of all of the keys. I'm guessing they were all created just now when you opened your wallet, which means the original wallet.dat file wasn't where it was expected and it got recreated.
That's all I can think of for now...
|
|
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 10:04:49 PM |
|
Thanks for the reply. It seems I may have been hacked. I checked the address I have sent bitcoins to from an exchange and the blockchain says my balance is zero and a transaction was made yesterday emptying the wallet. MY Minerals Coin address has also been emptied too  Will there be a trace of this transaction in the debug file? I have run a virus scan and all seems clean. Does anyone have any ideas how they got in? |
|
|
|
|
Anon136
Legendary
 Offline
Activity: 1722
Merit: 1217
|
|
August 04, 2014, 10:06:37 PM |
|
https://www.buytrezor.com/ Then at least nothing like this will ever happen again.
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited? |
|
|
alani123
Legendary
Offline
Activity: 2394
Merit: 1415
Leading Crypto Sports Betting & Casino Platform
|
|
August 04, 2014, 10:10:09 PM |
|
Did you download anything fishy lately?
|
| ..Stake.com.. | | | ▄████████████████████████████████████▄
██ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ██ ▄████▄
██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██ ██████
██ ██████████ ██ ██ ██████████ ██ ▀██▀
██ ██ ██ ██████ ██ ██ ██ ██ ██
██ ██████ ██ █████ ███ ██████ ██ ████▄ ██
██ █████ ███ ████ ████ █████ ███ ████████
██ ████ ████ ██████████ ████ ████ ████▀
██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
██ ▀▀▀▀▀▀▀▀▀▀ ██
▀█████████▀ ▄████████████▄ ▀█████████▀
▄▄▄▄▄▄▄▄▄▄▄▄███ ██ ██ ███▄▄▄▄▄▄▄▄▄▄▄▄
██████████████████████████████████████████ | | | | | | ▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█ ▄▀▄ █▀▀█▀▄▄
█ █▀█ █ ▐ ▐▌
█ ▄██▄ █ ▌ █
█ ▄██████▄ █ ▌ ▐▌
█ ██████████ █ ▐ █
█ ▐██████████▌ █ ▐ ▐▌
█ ▀▀██████▀▀ █ ▌ █
█ ▄▄▄██▄▄▄ █ ▌▐▌
█ █▐ █
█ █▐▐▌
█ █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█ | | | | | | ▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀ ▐█▌ ▀█▄
██ ▐█▌ ██
████▄ ▄█████▄ ▄████
████████▄███████████▄████████
███▀ █████████████ ▀███
██ ███████████ ██
▀█▄ █████████ ▄█▀
▀█▄ ▄██▀▀▀▀▀▀▀██▄ ▄▄▄█▀
▀███████ ███████▀
▀█████▄ ▄█████▀
▀▀▀███▄▄▄███▀▀▀ | | | ..PLAY NOW.. |
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 10:13:14 PM |
|
Not that I know of, seems the Minerals wallet was emptied on he 2nd of this month and the Bitcoin wallet yesterday. So the malware could have been sitting there for a while.
|
|
|
|
|
|
btchris
|
|
August 04, 2014, 10:19:25 PM |
|
Thanks for the reply. It seems I may have been hacked. I checked the address I have sent bitcoins to from an exchange and the blockchain says my balance is zero and a transaction was made yesterday emptying the wallet. MY Minerals Coin address has also been emptied too Will there be a trace of this transaction in the debug file? I have run a virus scan and all seems clean. Does anyone have any ideas how they got in? That really stinks, I was optimistic it may have just been a technical glitch, so sorry if I got your hopes up. Is there any chance the transaction you're looking at was something you initiated, and you're just confusing a full-out transfer with a change address, or was there only one output? Regarding the log file: maybe. Most hacker victims just have their wallets or keys stolen, and then the hacker transfers the Bitcoin out later. If the hacker actually used your PC to transfer the coin out, then it would be in the logs. Also in the logs will be a bunch of "reserve" address creation messages around the time your wallet.dat was recreated. Did you have your wallet encrypted? Did you have RPC enabled? Have you installed or upgrading any software on your PC recently (especially from this or another Bit/Altcoin forum)? |
|
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 10:34:14 PM |
|
I couldnt find a bunch of reserve requests in the log file. Im not much of a techie but how do i use the the dumpwallet in the debug console? I typed dumpwallet into the console but it is asking for a string?
|
|
|
|
|
|
btchris
|
|
August 04, 2014, 10:42:50 PM |
|
I couldnt find a bunch of reserve requests in the log file. Im not much of a techie but how do i use the the dumpwallet in the debug console? I typed dumpwallet into the console but it is asking for a string?
I'm not sure it'll help you much, but here it is anyways (with the quotes, assuming you're on Windows): dumpwallet "c:\walletdump.txt" Then you can double-click it (the file), and it will display the creation time of all of the reserve addresses (I think in the UTC time zone). |
|
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 10:53:30 PM |
|
Yer just as we suspected, the keys were created only a couple of hours ago when i opened the wallet. This sucks. So the hacker just removed the wallet.dat file completely and when i opened the client it created new keys? Is this what happened?
Thanks for the help btw
|
|
|
|
|
|
btchris
|
|
August 04, 2014, 11:01:07 PM |
|
Yer just as we suspected, the keys were created only a couple of hours ago when i opened the wallet. This sucks. So the hacker just removed the wallet.dat file completely and when i opened the client it created new keys? Is this what happened?
Thanks for the help btw
Probably, Bitcoin will create 100 new addresses if wallet.dat is missing, and given that they got two different wallets, it sure doesn't sound like a technical glitch. I'm sure you don't want to hear this, but to be safest you should probably reinstall everything from scratch at this point. If your wallets were encrypted, it's very likely you have a keylogger on your system. This means: (1) don't log into anything, and (2) after your system is reinstalled (or better yet, from a different system), change all your important passwords, especially financial ones, cause it's a good bet someone else could have them now... |
|
|
|
|
|
btchris
|
|
August 04, 2014, 11:03:03 PM |
|
By the way, are you sure that it doesn't look like a normal change transaction (not normal/a stealing tx would be a whole bunch of inputs and just one output). If you're not sure, please post the transaction id up...
|
|
|
|
|
|
nottm28
|
|
August 04, 2014, 11:05:41 PM |
|
did you get an error saying your wallet.dat was corrupt?
if so did you say 'yes' re-download entire blockchain?
same thing happened to me - I used process explorer (or task manager if you must) to kill the bitcoind process. Fire it back up and after a while - hey presto...
|
donations not accepted
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 11:18:38 PM |
|
did you get an error saying your wallet.dat was corrupt?
if so did you say 'yes' re-download entire blockchain?
same thing happened to me - I used process explorer (or task manager if you must) to kill the bitcoind process. Fire it back up and after a while - hey presto...
Nope, didnt get any error messages, just opened the client and downloaded the last few hundred blocks and nothing was in there |
|
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 11:19:52 PM |
|
By the way, are you sure that it doesn't look like a normal change transaction (not normal/a stealing tx would be a whole bunch of inputs and just one output). If you're not sure, please post the transaction id up...
Im not 100% sure, here is a tx id from transferring a little from a exchange e998ecedfe1dcbaaa33c585ceb75eca3a2ef325743654436e80cc48ae14f5f6b |
|
|
|
|
|
bigasic
|
|
August 04, 2014, 11:44:51 PM |
|
Every time i hear something like this my stomach cramps.. I get paranoid about the coins that I have. I have stopped downloading anything to my computer that Im not 100 percent sure it safe. I hope it wasn't too much of a loss.
|
|
|
|
|
|
TheFridge (OP)
|
|
August 04, 2014, 11:49:15 PM |
|
No it wasnt lot thankfully, just over 1 BTC, but im more bummed about the Minerals Wallet, had a lot more in that one. If someone with a but more knowledge on tracking the blockchain can check that tx ID i sent from a exchange to my wallet can check I am looking at this properly?
|
|
|
|
|
|
|
|
TheFridge (OP)
|
|
August 05, 2014, 12:25:28 AM |
|
Yes that is the address. So they would have to have access to the wallet.dat file then send them from my address, is that right?
|
|
|
|
|
|
ForgottenPassword
|
|
August 05, 2014, 12:33:33 AM |
|
Yes that is the address. So they would have to have access to the wallet.dat file then send them from my address, is that right?
It looks like they somehow got your wallet.dat file and dumped the private keys out and imported them to blockchain.info/wallet to spend. Likely because they don't have/want to sync the blockchain. So it sounds like you've actually been hacked and it's not a technical bug. These are all your addresss to? http://blockchain.info/address/1Kniun52uhJjEdKJhW2QFzNNjBmtvJetWUhttp://blockchain.info/address/1FEgzCSiXmBe966UDZnNUpwrziDv28P5dvhttp://blockchain.info/address/1HGQ4J7VPDsF88RsjXSZXchJRenfevtHR2http://blockchain.info/address/1MYvWmES69U2qP2kdHNwm9Gr4orp4K694RIt would be a good idea to post a list of every address in that wallet that had funds stolen when you get a chance. I'll take a look and see if we can find out anything about the hack from it if I have free time. I would also NOT use the PC the wallet was on AT ALL. Have a tech-savvy friend make backups of important files, and securely reinstall it before using it for anything important. However if you have another PC to use it may be a good idea not to do that right away as you'll want to figure out how you were hacked first to prevent others from being hacked the same way. Did you keep backups of your wallet anywhere? was your wallet encrypted? if you use the password anywhere else CHANGE IT IMMEDIATELY from a secure PC, and change any passwords of other accounts you logged into recently on that PC. If you have any remaining bitcoin generate a new wallet on a secure PC and move them immediately. What OS were you using? Do you have any remote control software like Teamviewer installed? Did you install anything Bitcoin or cryptocurrency related recently? what version of bitcoin-core were you running? Whats the link to the minerals altcoin thread? |
|
|
|
|
