Topic: BTC stolen from electrum wallet (Read 2526 times)
I use an old laptop for bitcoin related thing. Reinstalled windows myself, chrome browser, then a antivirus software and that is it. No java, no shareware, just use electrum and blockchain wallet via chrome. Please do not install any other altcoin wallet either.
If I always used safekeys to enter password for creation/withdrawal from electrum, would that make me 100% safe?
Anyone who tells you something is 100% safe is lying.
You might be 99% safe, 93% safe or 60% safe, no one knows... but I would garner a guess that safekeys would keep you MORE safe than you are NOT using it.
The most important thing is to scan your system regularly with malware bytes and run something like Microsoft Security Essentials... Also, Disable Javascript in your browser, and whenever you come to a legit site (like youtube etc) you can click "add to exceptions" and it will let you view that page with javascript. If a sketchy site requires javascript. Do NOT activate it.
I recommend safe paper wallets made offline if you're not too good with computers.
If I always used safekeys to enter password for creation/withdrawal from electrum, would that make me 100% safe?
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?
Let me say this: Electrum is a free piece of software that is open source. You should only trust it as much as you trust a collective group of people on the internet (everyone using Electrum and vouching for it), OR your ability to understand python code.
I personally trust my ability to read/code in python, so I don't need to trust Thomas or anyone telling me "this is a good program." I can verify this by myself.
As for this incident. I hate to say it, but your computer was compromised, and currently there is no piece of software for wallet that can protect you from a computer with a trojan.
If you deleted all the files from the report, I would say "maybe" you're safe. A good hacker could make a new form of trojan not traceable by malware detection, and then put in a second "dumb" trojan so that you will scan for it, find it, delete it, then continue on normal feeling safe... but you're not.
The best thing to do is ALWAYS ASSUME YOUR COMPUTER IS COMPROMISED.
If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.
http://pastebin.com/YhUj6fzt
Thank you.
You're welcome, I originally wrote that in Japanese for my friends here in Japan, and I translated into English so I'm sorry if it's hard to understand.
If you have any questions about the process feel free to ask.
If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.
http://pastebin.com/YhUj6fzt
http://pastebin.com/YhUj6fzt
+1, and OP if you have Java enabled in your browser, disable it.
Here are some more tips
https://bitcointalksearch.org/topic/keep-your-system-updated-and-stay-secure-tips-to-avoid-viruses-trojans-203876
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?
Let me say this: Electrum is a free piece of software that is open source. You should only trust it as much as you trust a collective group of people on the internet (everyone using Electrum and vouching for it), OR your ability to understand python code.
I personally trust my ability to read/code in python, so I don't need to trust Thomas or anyone telling me "this is a good program." I can verify this by myself.
As for this incident. I hate to say it, but your computer was compromised, and currently there is no piece of software for wallet that can protect you from a computer with a trojan.
If you deleted all the files from the report, I would say "maybe" you're safe. A good hacker could make a new form of trojan not traceable by malware detection, and then put in a second "dumb" trojan so that you will scan for it, find it, delete it, then continue on normal feeling safe... but you're not.
The best thing to do is ALWAYS ASSUME YOUR COMPUTER IS COMPROMISED.
If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.
http://pastebin.com/YhUj6fzt
Thank you.
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?
Let me say this: Electrum is a free piece of software that is open source. You should only trust it as much as you trust a collective group of people on the internet (everyone using Electrum and vouching for it), OR your ability to understand python code.
I personally trust my ability to read/code in python, so I don't need to trust Thomas or anyone telling me "this is a good program." I can verify this by myself.
As for this incident. I hate to say it, but your computer was compromised, and currently there is no piece of software for wallet that can protect you from a computer with a trojan.
If you deleted all the files from the report, I would say "maybe" you're safe. A good hacker could make a new form of trojan not traceable by malware detection, and then put in a second "dumb" trojan so that you will scan for it, find it, delete it, then continue on normal feeling safe... but you're not.
The best thing to do is ALWAYS ASSUME YOUR COMPUTER IS COMPROMISED.
If you want to keep your coins safe, buy a USB memory stick with over 8 GB and install Ubuntu on it, and boot your Electrum from there.
http://pastebin.com/YhUj6fzt
Well, here is the report.
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 01/04/2014
Scan Time: 9:17:54 PM
Logfile:
Administrator: Yes
...
Processes: 1
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, 2644, , [ba7479ac88f3df57e729af99629fc040]
It appears likely that you have a Trojan/Malware on your computer posing as AdobeUpdate.
http://www.virusradar.com/en/MSIL_BattleBot.A/description
This was very likely used by a remote intruder to take a copy of your wallet file(s) and to run a keylogger that captured your password.
Well i deleted all the files that came up from the report, should I be safe now? And what so I do now for a new wallet? I don't really trust electrum but I guess it had nothing to do with it. Is it safe to make a new wallet with that program?
Well, here is the report.
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 01/04/2014
Scan Time: 9:17:54 PM
Logfile:
Administrator: Yes
...
Processes: 1
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, 2644, , [ba7479ac88f3df57e729af99629fc040]
It appears likely that you have a Trojan/Malware on your computer posing as AdobeUpdate.
http://www.virusradar.com/en/MSIL_BattleBot.A/description
This was very likely used by a remote intruder to take a copy of your wallet file(s) and to run a keylogger that captured your password.
If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.
OP can you confirm whether this address is a deterministic one that Electrum gave you or is this an imported public address/private key pair?
cbeast thanks for the explanation!
All the addresses I used were ones generated by electrum
If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.
OP can you confirm whether this address is a deterministic one that Electrum gave you or is this an imported public address/private key pair?
cbeast thanks for the explanation!
If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.
3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 is when OP received this amount on address 1jgxSfpvEeKo6PQTZXqLM9J3sH34UJZN9 and f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb is when same amount was stolen from this address.
There is still a little hope that someone close to you decided to prank you on April 1st,
There is still a little hope that someone close to you decided to prank you on April 1st,
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two seperate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.
Care to elaborate on the bolded section?
Also the OP is using Electrum. I'm not sure electrum offers advanced key management features. Which feature are you referring to?
Just trying to learn here.
Thanks for your input.
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two seperate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.
Care to elaborate on the bolded section?
Also the OP is using Electrum. I'm not sure electrum offers advanced key management features. Which feature are you referring to?
Just trying to learn here.
Thanks for your input.
It looks like address 1jgxSfpvEeKo6PQTZXqLM9J3sH34UJZN9 is your compromised address, but I wouldn't assume it's the only one. I think there is an option to freeze individual addresses, but the safest thing to do is sweep each individual private key to a new wallet.
I myself quarantine and delete all. Restart my comp then scan again for peace of mind.
I personally use the "watch only" feature of electrum so that my private keys are not stored on the computer.
You backed up onto a USB stick. Did you ever back up onto the hard drive? Default path?
Was your computer on and electrum running when the theft occured?
I am curious whether this loss is due to some form of malware or whether the "12 word seed" used to create Electrum wallets has been broken.
Finally as cbeast said, the transaction outputs are anomalous and suggest someone could've physically accessed your computer. Is this a possibility?
I personally use the "watch only" feature of electrum so that my private keys are not stored on the computer.
You backed up onto a USB stick. Did you ever back up onto the hard drive? Default path?
Was your computer on and electrum running when the theft occured?
I am curious whether this loss is due to some form of malware or whether the "12 word seed" used to create Electrum wallets has been broken.
Finally as cbeast said, the transaction outputs are anomalous and suggest someone could've physically accessed your computer. Is this a possibility?
Where should I go from here? Quarantine/delete all the potential threats? reformat pc? throw it out? shoot myself in the head?
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two seperate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.
Jump to: