
Topic: Corrupted Wallet? Or Hacked? (Read 429 times)

newbie
Activity: 10
Merit: 18
February 04, 2021, 06:34:24 PM
#15
Sounds good. Thank you for all the help. Will report back after having had a chance to try these.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
February 04, 2021, 05:37:17 PM
#14
Thanks for your answers, that really clears things up!
Good news is the wallet still controls the money
The bad news is that it's encrypted so you have to find the password, you can't do anything without that
Command to try a password, please do it on a PC without internet, especially as you are using Windows:
Quote
python pywallet.py --wallet=path/to/wallet.dat --find_address 1YoUradDress --passphrase "the-password"

You can have two self-explanatory outputs:
Quote
The wallet is encrypted and the passphrase is incorrect
[
    {
        "addr": "13RhV5gEq5vWXeR6BrqK4tbqre63SSgSTy",
        "compressed": true,
        "encrypted_privkey": "a6c8a26001dfb1b6fabb73196ead96c7bb0a81c9490e27607dea7b4c0afa5195332136f955103a29295e8238079b7d3d",
        "pubkey": "031295da558de0efe0dbe904be9748ab44d3b59196079ed4dda6cba889a79d2fc2",
        "reserve": 1
    }
]

Quote
The wallet is encrypted and the passphrase is correct
[
    {
        "addr": "13RhV5gEq5vWXeR6BrqK4tbqre63SSgSTy",
        "compressed": true,
        "encrypted_privkey": "a6c8a26001dfb1b6fabb73196ead96c7bb0a81c9490e27607dea7b4c0afa5195332136f955103a29295e8238079b7d3d",
        "hexsec": "8d1b71624b7bf8d5165cb9c77bea710173219b813da7c9ebc42a1997ad1064fe",
        "pubkey": "031295da558de0efe0dbe904be9748ab44d3b59196079ed4dda6cba889a79d2fc2",
        "reserve": 1,
        "sec": "L1x1EXNCt2mavzE7zT7Vrck57UfZFY8zHuEgcKaQFCknm3ztAGke",
        "secret": "8d1b71624b7bf8d5165cb9c77bea710173219b813da7c9ebc42a1997ad1064fe01"
    }
]

Obviously you want the second one
To be clear: the moment you have the "passphrase is correct" output with the hexsec/sec/secret values, this means you have the money back (except for the few more seconds needed to transfer it to an Electrum wallet)
This also means that what you have on the screen is worth the whole balance, meaning that using a photo of it or an eidetic memory a person can steal the coins before you transfer them

Try a couple of passwords with different capital letters, punctuation, space, etc
If you really can't find the correct one: first stop thinking about that for a couple of days and try again, maybe your husband changed some 'i' to '1' or things like that

If you're really stuck then you can use tools to bruteforce the wallet using what you remember of the password, doing modifications on it and other things
Keep in mind though that depending on how well you remember it it may still take centuries to find it
Some examples (that I never tried) you can find on Google:
  https://github.com/glv2/bruteforce-wallet
  https://github.com/gurnec/btcrecover

They may not be applicable for your specific password problem, we may have to make a custom one
Just try for now and come back to report success or failure
Good luck!


Note: "Version mismatch (must be <= 81000)" is just a warning, disregard it

And yes, as HCP said above, keep copies of the original files
HCP
legendary
Activity: 2086
Merit: 4361
February 03, 2021, 01:58:36 PM
#13
You appear to be having the same problem as https://github.com/bitcoin/bitcoin/issues/16091 , try the solution listed there which is to run 0.21 with the -upgradewallet switch and see if you can open the wallet file in that newer version.
And again, as always... when trying to extract info from wallet.dat using scripts and/or using commands that can make irreversible modifications to wallet.dat like -upgradewallet, make sure you're working on copies of the wallet.dat... don't work on the original of your wallet.dat files!
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
February 03, 2021, 06:46:22 AM
#12
Quote
The wallet is encrypted but no passphrase is used
Version mismatch (must be <= 81000)

It sounds like you have a newer version of the wallet.dat file that pywallet can't read yet. Maybe @jackjack can confirm if the wallet.dat format has indeed changed between the version of Core OP made the wallet with that existed in 2010 and 0.21?

Or maybe the encryption format changed between 0.17 and 0.21 and encrypted wallets made in later versions can't be read in 0.17?  Huh

You appear to be having the same problem as https://github.com/bitcoin/bitcoin/issues/16091 , try the solution listed there which is to run 0.21 with the -upgradewallet switch and see if you can open the wallet file in that newer version.
newbie
Activity: 10
Merit: 18
February 02, 2021, 09:31:00 AM
#11
Answers to the questions:

Do you happen to have either the transaction number, the sending address or the receiving address of the big transfer? Yes, we have all 3. We are able to view the address in python, so we were not hacked (that was our original fear).

"Also I'm confused with this sentence of yours
Quote
We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. We have done the Python method, but since the password isn't working we can't access the private keys
Are you talking about the same wallet file?
As I wrote above, one wallet has exactly one unique password for all the keys
And you say that you were 'able to access the original small change', so that would mean you know the wallet password"

I think we actually ended up with 2 different wallet files. When the wallet was opened on Jan 1 of this year there was a small amount at one address within the wallet and a larger amount at another address within the wallet. I believe it forked once transactions began being made.


When was the wallet created? Encrypted? Created a few years ago. Encrypted January 2021
What is your bitcoin-core version? When encrypted on Jan 1, 2021 was using most recent core version. However, changed to 0.17 last week to correct the error "Can't generate a change address key. No keys in the internal keypool and can't generate any keys." that we were having with the smaller amount of BTC.

What is your OS, Windows or Linux? Windows


Here is the error we get in python (version 2.7) with privkey info removed:

The wallet is encrypted but no passphrase is used
Version mismatch (must be <= 81000)
[
    {
        "addr": "1Hxxxxxxxxxxx",
        "compressed": false,
        "encrypted_privkey": "xxxxxx",
        "pubkey": "04xxxxxxxxxxx",
        "reserve": 1
    }
]
newbie
Activity: 10
Merit: 18
January 28, 2021, 08:05:29 PM
#10
Thank you for your thorough response. We will try all of these and be in touch.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
January 28, 2021, 03:47:35 PM
#9
Sorry to insist but can you confirm that you see encrypted_keys with pywallet?
I've helped many people and even small misunderstandings can lead to a great amount of lost time

Quote
The issue is that the password that was set worked to access the smaller amount within the wallet, but not for the larger amount in the wallet.
This is not the issue
When created, the wallet file contains around a hundred keys (let's say K1, K2, K3, etc, K100)
Those keys contain keys you can see and some hidden change keys
All are used to compute the displayed balance
When you set a password you encrypt the whole wallet with this unique password, so all the initial keys are in there
(One problem can arise when you made around one hundred transactions after the last backup but this doesn't seem to be the case here)

Do you happen to have either the transaction number, the sending address or the receiving address of the big transfer? (check but don't write it here)
Maybe you were actually hacked and this could confirm this

Also I'm confused with this sentence of yours
Quote
We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. We have done the Python method, but since the password isn't working we can't access the private keys
Are you talking about the same wallet file?
As I wrote above, one wallet has exactly one unique password for all the keys
And you say that you were 'able to access the original small change', so that would mean you know the wallet password

More questions
When was the wallet created? Encrypted?
What is your bitcoin-core version?
What is your OS, Windows or Linux?



Last thing:
This may be about a 'change addresses'-related bug triggered on old wallets
If you know the address that received the 'lost' funds, look for its info with this pywallet (download the new version, I just pushed it!) command output
Quote
python pywallet.py --wallet=path/to/wallet.dat --find_address 1YoUradDress
, if there is no output then answer all my previous questions and don't read below
If it is there though you should have the key (if hacked then the coins would be gone though)
The output should look like this:
Code:
        {
            "addr": "13aLG7bQrokjmwpjSTV252MAUVFSvSTdvJ",
            "compressed": true,
            "hexsec": "aec3301d51faa7c31b8fd6a7eb902f3ccfdd5d4a4491a088004a03b260901a37",
            "private": "xxxx",
            "pubkey": "020017ebde6ec0ca2c76324d96c725f26fd66b331f02e1f3033d7e639058537836",
            "reserve": 1,
            "sec": "L35RgAh2euE8Q1pLEaA2ERsH6D9QEcQGK1mDwxZkg3ir3tco8Anq",
            "secret": "aec3301d51faa7c31b8fd6a7eb902f3ccfdd5d4a4491a088004a03b260901a3701"
        }
What you need is the "sec" value, this is your private key (here for the 13aLG7bQrokjmwpjSTV252MAUVFSvSTdvJ address)

If you have this instead:
Code:
        {
            "addr": "13aLG7bQrokjmwpjSTV252MAUVFSvSTdvJ",
            "compressed": true,
            "encrypted_privkey": "7e77381ea8764ca899599dc47ad8e4f135188b482ffa2f7bdc6f174c920ebca4ab8716f890cc2da65de139c5f280711c",
            "pubkey": "020017ebde6ec0ca2c76324d96c725f26fd66b331f02e1f3033d7e639058537836",
            "reserve": 1
        },
This means that you must specify your password by adding the `--passphrase your-password` option to the command line and you'd get the "sec" value as expected (consider this insecure though so you should change your password afterwards, but let's focus on recovering the private key first)

If you can't get the "sec" value of your address, then come back here to tell us what errors you encounter and post them (without sensitive content though)
If you can get the "sec" value then just download the Electrum wallet, import the private key and check you see the balance ( https://bitcoinelectrum.com/importing-your-private-keys-into-electrum/ )

DO NOT SHARE ANY OF THE "sec", "secret", "hexsec", "private" OR "encrypted_privkey" VALUES!
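A way to prepare pywallet output for posting, following the warning above. This is an added example, not part of the original post or of pywallet; the function names and the sample outputs are constructed for illustration, and every value in them is a dummy.

```python
import json

# Field names the post above says must never be shared.
SENSITIVE = {"sec", "secret", "hexsec", "private", "encrypted_privkey"}
# Fields that only appear once the private key has been decrypted.
DECRYPTED_MARKERS = {"sec", "secret", "hexsec"}

# Constructed sample outputs; every value is a dummy, not real key material.
SAMPLE_LOCKED = """The wallet is encrypted but no passphrase is used
Version mismatch (must be <= 81000)
[
    {
        "addr": "1ConstructedAddressNotReal",
        "compressed": false,
        "encrypted_privkey": "00ffdummyciphertext",
        "pubkey": "04dummypubkey",
        "reserve": 1
    }
]
"""
SAMPLE_OK = """The wallet is encrypted and the passphrase is correct
        {
            "addr": "1ConstructedAddressNotReal",
            "compressed": true,
            "encrypted_privkey": "00ffdummyciphertext",
            "hexsec": "dummyhexsec",
            "pubkey": "02dummypubkey",
            "reserve": 1,
            "sec": "LdummyWIFvalue",
            "secret": "dummyhexsec01"
        },
"""


def split_output(text):
    """Separate the leading status lines from the JSON that follows them."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith(("[", "{")):
            status = [l for l in lines[:i] if l.strip()]
            body = "\n".join(lines[i:]).strip().rstrip(",")
            if body.startswith("{"):      # a bare object, as in the thread
                body = "[" + body + "]"
            return status, json.loads(body)
    return [l for l in lines if l.strip()], []


def redact(entries, keep_chars=4):
    """Mask key material; shorten addr/pubkey so they cannot be looked up."""
    safe = []
    for entry in entries:
        clean = {}
        for key, value in entry.items():
            if key in SENSITIVE:
                clean[key] = "<redacted>"
            elif key in ("addr", "pubkey") and isinstance(value, str):
                clean[key] = value[:keep_chars] + "..."
            else:
                clean[key] = value
        safe.append(clean)
    return safe


def summarize(text):
    """Return what is safe to post: status lines, outcome, redacted entries."""
    status, entries = split_output(text)
    decrypted = any(DECRYPTED_MARKERS & set(e) for e in entries)
    return {"status": status, "decrypted": decrypted, "entries": redact(entries)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_OK), indent=4))
```

Run it on the offline machine against the saved output and post only what `summarize` returns.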
newbie
Activity: 10
Merit: 18
January 28, 2021, 02:46:24 PM
#8
Thank you for your response. Yes, the password was set in Core QT.

The issue is that the password that was set worked to access the smaller amount within the wallet, but not for the larger amount in the wallet. But it wasn't changed in between accessing them. We have both tried it as well as my husband's business partner tried it for us just in case we were typing it wrong. We continue to be able to type this password in to access the smaller amount.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
January 28, 2021, 01:40:59 PM
#7
Code:
He put a password on the wallet and made copies
You mean from within bitcoin-core right?

If so, using pywallet you can dump the wallet, with all the encrypted keys, right?
Then there is no way around that, you must find the password that was set, maybe there is a missing character or something else but you need to find that out
There is no password corruption possible and this thing is robust, you 'just' need to find out the real password
If you can't, there are plenty of fuzzers around here and I think that if you are only a few characters away from the real password it will be recoverable
newbie
Activity: 10
Merit: 18
January 28, 2021, 10:24:12 AM
#6
Thank you for the previous help. So here is the issue now with a bit of a timeline. Of note, this all took place within Bitcoin Core QT

1/1/2021 -
  • My husband opened the wallet and it had all the BTC in it. Some of the BTC was what he mined a few years ago and some of it was given to him as a promotion for signing up with the software at the time. This is important in that they were at different addresses within the wallet.
  • He put a password on the wallet and made copies. He sent the password to me and took pictures of it.
  • He then sent a couple dollars worth of BTC to a friend to test the wallet.
  • When he sent the test it came out of the address that had the smaller amount of BTC. (The larger amount he had mined was still at the other address.) When he sent the test there was change created/sent back to a new address within the wallet.

1/7/2021 -
  • My husband sends one more small test to an Exodus wallet we own. In order to send this he would have had to have entered the password created on 1/1/2021.
  • Change is given since he did not send the entire amount of bitcoin in the wallet. It goes to a new address within the wallet. This is where we freaked out thinking that we had been hacked as the entire amount of BTC was suddenly shown as being transferred out of the wallet. However, according to @achow101 we simply received the change back from the transaction. Now came trying to access that information
  • The password that had been previously set on the wallet no longer worked for the larger amount received as change on 1/7.

1/9/2021 -
  • We opened the wallet back up and were able to access the original small amount from 1/1 that had been received back as change. We were able to use the password that had been created on 1/1/2021
  • We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. My husband does not recall changing the password. If he had, he would have written it down, taken a picture or something. We have done the Python method, but since the password isn't working we can't access the private keys.

Any further advice on what might have happened? Is it possible that the older version of our wallet being used in Bitcoin Core QT created its own encryption when the change was received to the new address?

An additional issue we are having is that when we try to send the smaller amount to an Exodus wallet so that we can get it out of Bitcoin Core QT we get the following errors:

"Can't generate a change address key. No keys in the internal keypool and can't generate any keys."
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
January 11, 2021, 07:57:56 PM
#5
~snip~
.....

It should work if the password from the image is right. Check the image carefully, you might be typing a wrong or extra letter/character, for example instead of a small l you put a big I or 1, or instead of zero 0 you put O.

If not and you already tried all possible passwords then try to dump it using your password and pywallet.py. If you get the same issue when dumping your wallet there is a big possibility that your password on the image is not the right password.


Follow the guide from this link below on how to install the python dependencies and download the copy of pywallet.py from this link below.
- https://github.com/jackjack-jj/pywallet

Then use this command:
Try it first without the password.
Code:
python pywallet.py --dumpwallet --datadir=. > wallet.txt

With password
Code:
python pywallet.py --dumpwallet  --datadir=DATADIR --wallet=WALLETFILE --passphrase=PASSPHRASE

You can find the wallet.dat file under this directory path

Code:
C:\Users\YourUserName\Appdata\Roaming\Bitcoin
or
Press this WinKey+R then type this %APPDATA%\Bitcoin
You should find the wallet.dat in that folder. Don't forget to make a copy of your wallet.dat before you dump it with pywallet.py

If successful you can import those private keys to other wallets like Electrum, which doesn't need to download the whole blockchain.
legendary
Activity: 1148
Merit: 3117
January 11, 2021, 05:45:24 PM
#4
Quote
Okay, thank you so much for the help. We were able to locate the key on the computer!

Now comes the second part of the issue. The password is not working. The password was used on Friday to send a test transaction to himself.
I have a picture of the wallet password sent via WhatsApp (from him to me) and it is written down.

But he can't send any bitcoin at all from it even though the correct amount is now showing.

As of note:  When he entered the password he put as an example

horse123
hosre123

and sent that as a picture.  However, he must have re-typed it so it would go thru, or bitcoin-qt didn't flag it.  He did send a transaction
after that password so now we are lost.  Is it possible the password got corrupted or something?

 
What might be happening is that he wrote the password wrong before sending to you via WA. I would triple check the password and try again. From what I know, passwords don't get corrupted, else we would be in a bad spot... Give it a couple of hours and try again with a fresh head. This seems to be a steamroller of emotions in the past hours (days?), so chances are you're typing the wrong password somewhere (perhaps mistyping an I for an l, or something like that) ...
newbie
Activity: 10
Merit: 18
January 11, 2021, 05:34:51 PM
#3
Okay, thank you so much for the help. We were able to locate the key on the computer!

Now comes the second part of the issue. The password is not working. The password was used on Friday to send a test transaction to himself.
I have a picture of the wallet password sent via WhatsApp (from him to me) and it is written down.

But he can't send any bitcoin at all from it even though the correct amount is now showing.

As of note:  When he entered the password he put as an example

horse123
hosre123

and sent that as a picture.  However, he must have re-typed it so it would go thru, or bitcoin-qt didn't flag it.  He did send a transaction
after that password so now we are lost.  Is it possible the password got corrupted or something?

 
staff
Activity: 3458
Merit: 6793
Just writing some code
January 10, 2021, 09:57:49 PM
#2
If the wallet is as old as you say, the keys for the Bitcoin are very likely in the wallet on his office computer.

What you are likely looking at is something referred to as a change output. Bitcoin operates with objects known as UTXOs, there isn't such a thing as "a Bitcoin". Each UTXO has some value, and when it is spent, it is spent in full. When you are sending Bitcoin to someone else, you are most likely sending an amount that does not exactly match the amount of the UTXO being sent, so the wallet will create another output in that transaction that sends the remaining Bitcoin back to yourself. The wallet will use a newly generated private key for this, and of course, it stores that private key as well.

This change is much like change with physical bills. If you are paying for a $15 item with a $20 bill, the cashier will return to you a $5 bill. The same applies in Bitcoin.

With modern software, the wallet will pre-generate thousands of keys. As it needs new private keys, it will first use one it has pre-generated. This is known as having a keypool.

However, very very old software does not have a keypool. It doesn't have any pre-generated keys and instead generates new ones as needed. If the wallet is indeed from as long ago as you say, it is very likely that the wallet file does not have a keypool. So when the change output was generated by sending Bitcoin to the friend, the change output went to a newly generated key that was added to the wallet file by the modern software. The modern software will have also added a keypool. However, when you use the original wallet file, it will not have a keypool so it is unable to see the change output. Thus we get the situation you are in.

When you are able, you should check the wallet on the office computer. It should show the correct amount of Bitcoin and the correct transactions. If it does, make a backup of that wallet and use that version of the wallet file from now on.
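The situation described in this post, worked through as a small model. This is an added example, not code from the post or from Bitcoin Core; the key labels (K1, K2, K3, F1), transaction ids and amounts are constructed, and "wallet" here just means the set of keys a wallet file contains.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UTXO:
    txid: str
    index: int
    key: str     # label of the key that can spend this output
    value: int   # satoshis


def spend(utxos, inputs, payments, change_key, fee, txid):
    """Spend whole UTXOs and return the resulting UTXO set.

    inputs   -- set of (txid, index) pairs being consumed in full
    payments -- list of (key, value) outputs to other parties
    Whatever is left after payments and fee goes back to change_key.
    """
    spent = [u for u in utxos if (u.txid, u.index) in inputs]
    change = sum(u.value for u in spent) - sum(v for _, v in payments) - fee
    if change < 0:
        raise ValueError("inputs do not cover payments and fee")
    outputs = [UTXO(txid, i, k, v) for i, (k, v) in enumerate(payments)]
    if change:
        outputs.append(UTXO(txid, len(outputs), change_key, change))
    return [u for u in utxos if u not in spent] + outputs


def balance(wallet_keys, utxos):
    """A wallet only counts outputs paid to keys it holds."""
    return sum(u.value for u in utxos if u.key in wallet_keys)


def scenario():
    # Old backup: made before the transaction, no keypool, so no K3.
    backup_keys = {"K1", "K2"}
    # Office wallet: the modern software generated K3 and stored it.
    office_keys = {"K1", "K2", "K3"}

    chain = [
        UTXO("tx0", 0, "K1", 50_000),        # small amount
        UTXO("tx1", 0, "K2", 300_000_000),   # large amount
    ]
    before = balance(backup_keys, chain)

    # Small payment to a friend (key F1), funded by the large UTXO.
    chain = spend(chain, {("tx1", 0)}, [("F1", 10_000)],
                  change_key="K3", fee=1_000, txid="tx2")

    return {
        "backup_before": before,
        "backup_after": balance(backup_keys, chain),
        "office_after": balance(office_keys, chain),
    }


if __name__ == "__main__":
    for name, sats in scenario().items():
        print(f"{name}: {sats} sat")
```

The backup wallet sees the whole large amount leave, while the office wallet, which holds the change key, shows only the small payment and fee deducted.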
newbie
Activity: 10
Merit: 18
January 10, 2021, 08:20:32 PM
#1
My husband did some BTC mining a few years back and had a wallet on a computer that went bad.   He took the hard drive out to save it and later thought maybe he could find some.

We recently moved and found the hard drive of this computer that had the wallet on it.  When we accessed the wallet we found a few bitcoin and decided we needed to secure it asap with all that is going on with bitcoin these days. We made multiple copies and ordered a nanoledger...which is yet to arrive.

In the meantime, my husband sends a couple bucks worth of BTC to a friend to ensure the wallet is accurate.   It worked. Friday he buys a tiny bit of bitcoin and receives it to his wallet on the desktop at office.  At this time the amount on the wallet is still the same. (His office computer ledger is up to date).

He then gives me the backup of the wallet and has me download bitcoin core-qt to my computer so that we can monitor it at home vs in his self-employed office.  I start downloading the blockchain last week.  Super slow of course.  I load up the wallet in the meantime. It shows the same amount as my husband's computer had shown. Friday night my computer finishes syncing the core program up and it shows a *2 transactions* from the day before with all of our BTC being transferred out. Neither of us did this and no one else had access to the computer. We have done malware scans with no results. Teamviewer was on my computer and on his, but not open. When we follow the trail to see where the BTC went it is just sitting in a wallet with no other crypto but our amount. I would think if it were hackers they would have split it off by now and moved it elsewhere.

Also, there was no password, I guess, on the wallet at my house...didn't think about that.  My husband's work computer had a password.  Written down.  It doesn't show the change, but he can't access it now because the password doesn't work.

Antivirus:
- windows defender
- malwarebytes on office computer and home laptop ran and showed nothing
- mcafee

Is there a chance it is a corrupted wallet vs a hack? Is there any way for us to get it? Help please. (A sleep deprived mom and wife trying to help out).:-)