Add another to the list of stolen BTC addresses

[enmaku]

Not sure how it happened yet, still investigating, but My wallet got stolen today in this transaction. If anyone has more info, it'd be appreciated. It was only 5 BTC so I'm not all that concerned, but if anyone else got ganked today you're not alone.

[1715334135]

1715334135

[1715334135]

1715334135

[1715334135]

1715334135

[1715334135]

1715334135

[Stephen Gornick]

If you aren't sure how it got stolen then you need to assume you are still compromised and that it could happen again.

Can you share any details?

e.g., operating system, wallet (e.g., local bitcoin client and version, or online e-wallet, etc)   If local, do you have wallet encryption?

[drakahn]

It was a wallet on your pc?

Not sure, was the client open at the time? do you have it running as a server or daemon with a weak password? any possibility of malware?

[enmaku]

It was probably my own stupidity. Unencrypted wallet only ever used on 2 PCs, both of which have good up-to-date antivirus, malware etc. one of which is a corporate PC which I can guarantee hasn't been anywhere even remotely shady. Bitcoin Client was 0.5.31 win32 on Win7x64. Both were configured for RPC but had strong passwords and bindings, open ports on the router, etc. It was only a 5 BTC loss so I'm not that worried (that's the only reason I was so lax on security anyway) but I wanted to make sure folks knew what happened. The bulk of my coins are in paper or deterministic wallets, it was only my "spending cash" wallet that got nabbed. Suppose I'm just another cautionary tale now.

I also just confirmed that I have an old-as-hell unencrypted backup on dropbox, though it may still contain the necessary addresses to be responsible for that transaction (I'll have to verify).

In any case, I'm now considering every address in that wallet, my dropbox account and both PCs "burned" and won't be trusting them with funds until they've been wiped and re-built. Luckily I have VMs for just such a purpose

[Foxpup]

It was probably my own stupidity. Unencrypted wallet only ever used on 2 PCs, ... one of which is a corporate PC...

Helpful hint: System administrators see everything. Don't put anything on a corporate PC that you don't want them to get their hands on. Such as unencrypted wallets.

[Stephen Gornick]

Helpful hint: System administrators see everything. Don't put anything on a corporate PC that you don't want them to get their hands on. Such as unencrypted wallets.

This is really a bigger issue than we are acknowledging.  Managed devices are just that -- systems that can be fully controlled by a remote.  And not just that -- with a typical windows system almost any app that is installed has the ability to read the bitcoin wallet.dat data file.

Won't it be just a matter of time before some contract employee of popular software package, for instance, puts in a rogue piece of wallet stealing code that doesn't execute until a certain date and time?  Fortunately, encrypting the wallet helps raise the bar (so that more than just physical read access to the wallet.dat file is necessary) but a determined attacker can counter that hurdle as well.

[enmaku]

It was probably my own stupidity. Unencrypted wallet only ever used on 2 PCs, ... one of which is a corporate PC...

Helpful hint: System administrators see everything. Don't put anything on a corporate PC that you don't want them to get their hands on. Such as unencrypted wallets.

Hell they may not have even had to touch my wallet. I sit in the IT area and was on lunch when this went down, they could have done it with remote desktop alone. The list of people with RDP access to my computer is much longer than the list of people with full admin access to any computer. I'd hate to not be able to trust the folks sitting < 100 feet from me all day, but that might be an unfortunate reality

[realnowhereman]

I also just confirmed that I have an old-as-hell unencrypted backup on dropbox, though it may still contain the necessary addresses to be responsible for that transaction (I'll have to verify).

My money is on this or malware.

Bitcoin has such low public awareness that the chance of your network admin being aware of bitcoin and dishonest enough to steal your wallet seem pretty low.

However, there must be hundreds of dropbox admins, and it would surely be pretty easy for them to do a scan of their storage for any bitcoin wallet, then take a copy.  All it takes then is one dodgy dropbox employee.  That seems more likely than it being your particular network admin.

Old unencrypted wallets can easily contain addresses that are current thanks to bitcoin's address pre-generation system.

Similarly, one bitcoin-aware malware author can easily add a "copy wallet.dat" to their code and get large scale theft.

[Foxpup]

Bitcoin has such low public awareness that the chance of your network admin being aware of bitcoin and dishonest enough to steal your wallet seem pretty low.

If the system administrator isn't aware of Bitcoin a strange program he's never seen before in his life which is sending and receiving unknown data across his network, then he obviously isn't doing his job. The first thing he'll do is find out what the Hell it is, find out that it's a form of untracable money, then realise that he can steal said money without being traced. Most people, although they claim to be honest, will steal any money they find without hesitation if they think nobody is watching.

[enmaku]

Bitcoin has such low public awareness that the chance of your network admin being aware of bitcoin and dishonest enough to steal your wallet seem pretty low.

If the system administrator isn't aware of Bitcoin a strange program he's never seen before in his life which is sending and receiving unknown data across his network, then he obviously isn't doing his job. The first thing he'll do is find out what the Hell it is, find out that it's a form of untracable money, then realise that he can steal said money without being traced. Most people, although they claim to be honest, will steal any money they find without hesitation if they think nobody is watching.

Well, I *did* recently blow away my %appdata% folder and re-download the blockchain. That's probably enough traffic to catch the sysadmin's eye.