Topic: Armory 0.94.1 is out - page 4. (Read 11877 times)

So I guess this is some type of trojan that has been sitting calling bitcoind every 10 minutes or something trying to extract private keys?

I'm trying to port over to bitcoin-qt now to verify. I don't know exactly how it was done. I remember it was a day I visited a litecoin website and installed litecoin.

This is 1/3rd of the story at best.

We are talking about 5BTC, split in 2 wallets, ~2.9 BTC in wallet A, ~2.1 BTC in wallet B.

On May 6th, 3 transactions in block #410492 moved coins from wallets A and B to address 18mhcZ4tdD2GQquSrMda5TPzgRodAEfYeF:

- tx 1&2 move all coins from wallet A. All coins in this wallet were split between 2 addresses. The spending tx each sweep one of these addresses.
- tx 3 moves all coins out of out of 1 address from wallet B, about 0.28 BTC.

In all cases, there was no change and all outputs were spent regardless of how small they were (a few were >0.02 BTC). This pattern is indicative of a private key sweep.

However, all transactions came with small fees. All fees were >0.002BTC. Considering one of these tx spends 10 utxos and another one 7, we're far below the proper fee/kB for quick confirmation. The fact that all 3 tx were confirmed within the same block with such low fees is possibly an indicator that they sat in the mempool for some time.

This to me doesn't characterize theft, rather deliberate private key sweeping. You would expect a thief targeting your private keys would be sophisticated enough to pay a 0.01 total fee on 3 tx stealing some 3 BTC just to get included in the next block.

This accounts for ~3.2 BTC. If the story ended there, and you claimed 3.2 BTC were stolen, then you would have more evidence supporting your claim than otherwise. The fee analysis alone is not strong enough on its own refute theft. However, you are claiming 5 BTC are missing, and the last ~2 BTC leave your wallet in a different fashion.

---------------

About half a day later, in block #410581, 6 transactions move coins from wallet B.

- 5 tx spend to address 1CDyeeCHcReYhfaeTb37Piwq8ZWqLtHU5o
- 1 tx spends to address 12DaNV3b6iSobe5uMwBELYdMkoLJ1V4eto
- 4 out of 6 addresses return change
- As a result of change, wallet B currently has a balance, albeit rather small. Nonetheless, this balance remains larger than some of the smaller utxos that were redeemed among all these transactions.
- The fee/kB density of these 6 transactions is over 2~3 times superior (guesstimate) that that of the first 3 transactions.

---------------

It is also notable that prior to these 9 transactions, you only spent coins once, from wallet B, in November 2015. This implies, in case you use online wallets, that you rarely if ever typed in your password to decrypt your private keys. The point is moot if your wallets are offline. On the other hand, there is not much to discuss if your wallets are online and unencrypted.

This observation narrows down the possible attack vectors. Since you didn't spend any coins for months prior to the event, this couldn't have been an attack on the recipient address (swapping a payment address for the attacker's), nor an adversary process trying to steal your password/encryption key or decrypted private keys in RAM. This also rules out RNG snafu.

Again this point is moot if you toyed around with your password a few hours before the coins moved. This comment in particular and this post in general should be a reminder that you need to provide as much details as possible if you hope to find out what happened to your coins. Your wallets only speak that much.

The only credible attack vector that remains is that someone has access to your encrypted wallets (physical access to your computer, cloud storage backup, infected machine, etc...) and your passwords (possibly brute forced if they are weak, again need more details here). However, this would contradict the sweeping pattern: why sweep private keys if you crack a wallet? Just spend it all in one go.

Still this doesn't explain why the attacker would sweep all keys from one wallet and only ~15% from the other, nor his spending pattern (you'd expect 1:1 spend address to wallet address, or a single address for all wallets), nor why he deemed useful to return change, nor why he paid low fees to steal >60% of your coins and much higher fees for the remainder, and lastly why he did it 12h apart.

Ok, I will now try to import all 5 wallets into wallet.dat on my bitcoin install and see if that restores the coins

http://bitcoin.stackexchange.com/questions/5941/how-do-i-import-a-private-key-into-bitcoin-qt

You need to do it for every armory address

I have 2 wallets I need to try this on..

Is there instructions for exporting and importing into a wallet.dat?

I need to do it twice?

Try to export private key in new wallet and check using bitcoin?

I noticed bitcoin-cli can connect while armory is open.. not sure if it is possible to issue commands such as get wallet balance and transfer..

Otherwise, if this is not a bug that has made a mistake in transaction account, I have no idea

Increase your keypool and start private keys importing into bitcoin

I'm telling you, if these coins are coin, it's a trojan most likely used RPC while armory was open.

Unless this is another type of attack. Who knows why it was done like this.

I'm still hoping for a bug

Nope, no one has access to my machines or my office

It could be someone physically close to you and he did a hasty job of corrupting your wallets

Whatever it was appeared to push all my coins to this wallet:

18mhcZ4tdD2GQquSrMda5TPzgRodAEfYeF


I am hoping it's a bug.. I just spent money and time to lose money.. $2000 is alot of money for me.

It is theft. I don't spend any coins.. I was about to transfer out but I wasn't able to.

I collect small payments into 2 wallets from my business. I never spend and then I was going to exchange it..

Unless this has somehow "spent" into an address which I can still access? This doesn't make any sense to me. What do you need?

Armory was running in the background

I am scanning for malware now, the only thing i can think of is it want bitcoin client and got the wallet address and balances and RPC a transfer.

I agree it doest look like it's theft, but I didn't use them.. so unless it's a bug.. it's definitly thefy

There is a set of transactions moving coins from your wallets but again the pattern does not reflect theft, rather deliberate spending. It would make little sense for a thief to steal your coins the way this was done. Without further investigations, I cannot qualify this spending pattern as theft.

To confirm or infirm this case, you would need to present more information and/or enlist the community into helping with the investigation. You would would have to at least divulge the addresses involved, your spending habits, and whether you know the recipient addresses.

I cannot assert if this is theft with what information I have, and so far I remain skeptical.

Is there anyway to confirm this was stolen? Bitcoin is really not useful. People stealing $2000 just like that? I'm so'posed to run a business like this?

Can you confirm someone has stolen all my coins?

If this is true. This is something connecting to bitcoind while armory is loaded with the RPC configuration in the config file, scanning wallets and transferring out.

Ok, thanks. I did not spend these. The only way is a bug or someone stealing them with a trojan. I didn't spend, the balances are very weird to leave money like that. Thanks

Your wallets helped me identify and fix 2 GUI bugs, but nothing in there indicates the balances are off.

Most of the wallets funds were moved in some 15 transactions, all spending coins to a same address. Half of them had change, and the pattern does not suggest someone stealing coins or trying to sweep the wallet, rather deliberate, incremental spending. I invite you to look into that, notably that one recipient address.

Ok, hope it's going OK. Looking forward to new version. Thanks

Yes.

Goatpig is the only one in charge of maintaining anything in armory as he is the only full time developer of it.