Pages:
Author

Topic: BTC stolen from electrum wallet (Read 2555 times)

hero member
Activity: 672
Merit: 500
April 02, 2014, 01:21:39 PM
#31
I use an old laptop for bitcoin related thing. Reinstalled windows myself, chrome browser, then a antivirus software and that is it. No java, no shareware, just use electrum and blockchain wallet via chrome. Please do not install any other altcoin wallet either.
sr. member
Activity: 475
Merit: 252
April 02, 2014, 12:32:27 PM
#30
If I always used safekeys to enter password for creation/withdrawal from electrum, would that make me 100% safe?

Anyone who tells you something is 100% safe is lying.

You might be 99% safe, 93% safe or 60% safe, no one knows... but I would garner a guess that safekeys would keep you MORE safe than you are NOT using it.

The most important thing is to scan your system regularly with malware bytes and run something like Microsoft Security Essentials... Also, Disable Javascript in your browser, and whenever you come to a legit site (like youtube etc) you can click "add to exceptions" and it will let you view that page with javascript. If a sketchy site requires javascript. Do NOT activate it.


I recommend safe paper wallets made offline if you're not too good with computers.
newbie
Activity: 37
Merit: 0
April 02, 2014, 12:21:21 PM
#29
If I always used safekeys to enter password for creation/withdrawal from electrum, would that make me 100% safe?
sr. member
Activity: 475
Merit: 252
April 02, 2014, 12:17:11 PM
#28
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?

Let me say this: Electrum is a free piece of software that is open source. You should only trust it as much as you trust a collective group of people on the internet (everyone using Electrum and vouching for it), OR your ability to understand python code.

I personally trust my ability to read/code in python, so I don't need to trust Thomas or anyone telling me "this is a good program." I can verify this by myself.


As for this incident. I hate to say it, but your computer was compromised, and currently there is no piece of software for wallet that can protect you from a computer with a trojan.

If you deleted all the files from the report, I would say "maybe" you're safe. A good hacker could make a new form of trojan not traceable by malware detection, and then put in a second "dumb" trojan so that you will scan for it, find it, delete it, then continue on normal feeling safe... but you're not.

The best thing to do is ALWAYS ASSUME YOUR COMPUTER IS COMPROMISED.

If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.

http://pastebin.com/YhUj6fzt

Thank you.


You're welcome, I originally wrote that in Japanese for my friends here in Japan, and I translated into English so I'm sorry if it's hard to understand.

If you have any questions about the process feel free to ask.
legendary
Activity: 1274
Merit: 1004
April 02, 2014, 11:51:08 AM
#27
If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.

http://pastebin.com/YhUj6fzt

+1, and OP if you have Java enabled in your browser, disable it.

Here are some more tips
https://bitcointalksearch.org/topic/keep-your-system-updated-and-stay-secure-tips-to-avoid-viruses-trojans-203876
newbie
Activity: 37
Merit: 0
April 02, 2014, 11:45:38 AM
#26
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?

Let me say this: Electrum is a free piece of software that is open source. You should only trust it as much as you trust a collective group of people on the internet (everyone using Electrum and vouching for it), OR your ability to understand python code.

I personally trust my ability to read/code in python, so I don't need to trust Thomas or anyone telling me "this is a good program." I can verify this by myself.


As for this incident. I hate to say it, but your computer was compromised, and currently there is no piece of software for wallet that can protect you from a computer with a trojan.

If you deleted all the files from the report, I would say "maybe" you're safe. A good hacker could make a new form of trojan not traceable by malware detection, and then put in a second "dumb" trojan so that you will scan for it, find it, delete it, then continue on normal feeling safe... but you're not.

The best thing to do is ALWAYS ASSUME YOUR COMPUTER IS COMPROMISED.

If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.

http://pastebin.com/YhUj6fzt

Thank you.
sr. member
Activity: 475
Merit: 252
April 02, 2014, 11:13:43 AM
#25
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?

Let me say this: Electrum is a free piece of software that is open source. You should only trust it as much as you trust a collective group of people on the internet (everyone using Electrum and vouching for it), OR your ability to understand python code.

I personally trust my ability to read/code in python, so I don't need to trust Thomas or anyone telling me "this is a good program." I can verify this by myself.


As for this incident. I hate to say it, but your computer was compromised, and currently there is no piece of software for wallet that can protect you from a computer with a trojan.

If you deleted all the files from the report, I would say "maybe" you're safe. A good hacker could make a new form of trojan not traceable by malware detection, and then put in a second "dumb" trojan so that you will scan for it, find it, delete it, then continue on normal feeling safe... but you're not.

The best thing to do is ALWAYS ASSUME YOUR COMPUTER IS COMPROMISED.

If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.

http://pastebin.com/YhUj6fzt
newbie
Activity: 37
Merit: 0
April 02, 2014, 10:52:50 AM
#24

Well, here is the report.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/04/2014
Scan Time: 9:17:54 PM
Logfile:
Administrator: Yes
...

Processes: 1
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, 2644, , [ba7479ac88f3df57e729af99629fc040]


It appears likely that you have a Trojan/Malware on your computer posing as AdobeUpdate.

http://www.virusradar.com/en/MSIL_BattleBot.A/description

This was very likely used by a remote intruder to take a copy of your wallet file(s) and to run a keylogger that captured your password.


Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?
full member
Activity: 150
Merit: 100
Thank you! Thank you! ...
April 02, 2014, 04:46:18 AM
#23

Well, here is the report.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/04/2014
Scan Time: 9:17:54 PM
Logfile:
Administrator: Yes
...

Processes: 1
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, 2644, , [ba7479ac88f3df57e729af99629fc040]


It appears likely that you have a Trojan/Malware on your computer posing as AdobeUpdate.

http://www.virusradar.com/en/MSIL_BattleBot.A/description

This was very likely used by a remote intruder to take a copy of your wallet file(s) and to run a keylogger that captured your password.
newbie
Activity: 37
Merit: 0
April 02, 2014, 12:28:25 AM
#22
If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.

OP can you confirm whether this address is a deterministic one that Electrum gave you or is this an imported public address/private key pair?

cbeast thanks for the explanation!

All the addresses I used were ones generated by electrum
full member
Activity: 180
Merit: 100
April 01, 2014, 09:33:54 PM
#21
If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.

OP can you confirm whether this address is a deterministic one that Electrum gave you or is this an imported public address/private key pair?

cbeast thanks for the explanation!
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
April 01, 2014, 09:09:31 PM
#20
If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.
newbie
Activity: 32
Merit: 0
April 01, 2014, 09:03:40 PM
#19
3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 is when OP received this amount on address 1jgxSfpvEeKo6PQTZXqLM9J3sH34UJZN9 and f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb is when same amount was stolen from this address.

There is still a little hope that someone close to you decided to prank you on April 1st,
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
April 01, 2014, 08:58:43 PM
#18
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two seperate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.


Care to elaborate on the bolded section?
Also the OP is using Electrum. I'm not sure electrum offers advanced key management features. Which feature are you referring to?
Just trying to learn here.
Thanks for your input.
I doubt a hacker would only steal from one address. They would have cleaned out the wallet using keyloggers. Electrum has the ability to import and export private keys as well as sync to other wallets. DON'T USE THEM unless you are an expert. I lost dozens of BTC that way before I learned the dangers.
full member
Activity: 180
Merit: 100
April 01, 2014, 08:53:51 PM
#17
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two seperate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.


Care to elaborate on the bolded section?
Also the OP is using Electrum. I'm not sure electrum offers advanced key management features. Which feature are you referring to?
Just trying to learn here.
Thanks for your input.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
April 01, 2014, 08:51:47 PM
#16
It looks like address 1jgxSfpvEeKo6PQTZXqLM9J3sH34UJZN9 is your compromised address, but I wouldn't assume it's the only one. I think there is an option to freeze individual addresses, but the safest thing to do is sweep each individual private key to a new wallet.
full member
Activity: 180
Merit: 100
April 01, 2014, 08:46:12 PM
#15
I myself quarantine and delete all. Restart my comp then scan again for peace of mind.
I personally use the "watch only" feature of electrum so that my private keys are not stored on the computer.

You backed up onto a USB stick. Did you ever back up onto the hard drive? Default path?
Was your computer on and electrum running when the theft occured?

I am curious whether this loss is due to some form of malware or whether the "12 word seed" used to create Electrum wallets has been broken.

Finally as cbeast said, the transaction outputs are anomalous and suggest someone could've physically accessed your computer. Is this a possibility?
newbie
Activity: 37
Merit: 0
April 01, 2014, 08:35:29 PM
#14
Where should I go from here? Quarantine/delete all the potential threats? reformat pc? throw it out? shoot myself in the head?
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
April 01, 2014, 08:27:05 PM
#13
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two seperate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.
hero member
Activity: 504
Merit: 500
eidoo wallet
April 01, 2014, 08:24:31 PM
#12
Pages:
Jump to: