Topic: Had 165k ETH stolen last night. (Read 605 times)

Thank you for the advice about signing a message to verify my ownership. However, as khaled0111 pointed out, the intent of my post was not to ask for donations or mislead anyone, but to understand what happened and seek help. That said, in an effort to address any lingering doubts, I have followed the advice and signed a message which you can find here: https://etherscan.io/verifySig/22663.

I'm well aware of the various scams circulating and want to reassure everyone that I'm approaching this with a high degree of caution.

I sincerely appreciate the support and guidance from this community during this incredibly stressful and challenging time

damn I know a similar case like this it happen to my brother wallet, so the story was one of my brother's friend sent him around ~0.3 Eth but after receiving it took a couple of hours for that money transferred from my brother wallet to scammer wallet.

and then I ask him about the current private key but he told me never shared the private key and never approved any smart contract but the money is long gone

Honestly, I don't see any reason why he needs to do that. There is no reason to doubt his story, so far. It's not like he came up with this story to ask for donations or anything like that. He just want help to figure out what happened.

OP, I see that you reported the address to etherscan.io and posted a comment there. Be careful of those who replied to you pretending they can help you recover your lost money. They are scammers, do not trust them!

It's good to know that you are moving forward, You will need a lawyer who knows about cybersecurity to help you with your case, I'm sure the funds from that wallet will move so can get ready to have communication with exchanges if ever hacker moves it to these exchanges.
Checking the address it is now marked as phishing.

You've said you've lost 88 ETH $165k from the address you own 0xbed5681AB526863c4CCee75e394db537A75DA761. Etherscan's added Fake_Phishing185501 warnings about the receiving address. If you're holding private keys you should sign a message Signing a Message on Ethereum or else we can't know if you're telling the truth.

I don't know how to prove that I own that wallet or that I lost the funds. However I did receive a voicemail from law enforcement today, I am certain I will be speaking with them tomorrow. So not sure how much more I should share. However I'd be glad to prove it's my wallet.

The little research I did on that Rewind.io app says that it can remember and view everything you have seen, written, or said on your device. This information can cause massive problems in the wrong hands. Another source I found says that the backups aren't "fully" encrypted, and there exists a possibility of stealing someone's data. I have no idea what they consider as "fully encrypted". It either is or isn't. The encryption could be weak or strong, not sure what fully or semi encrypted is supposed to mean. Some data is encrypted while the rest isn't? Who knows.

---

So Rewind.io was installed on your Mac after your Metamask wallet. The wallet is older. Did you make any outgoing transactions from your wallet during the time that Rewind.io was installed? More precisely, did you make any outgoing transactions prior to the 26 ETH one that you moved to Kraken?

If the OP doesn't know how it happened he's at risk of it happening twice. It's process by elimination so a malware program's needed. OP didn't prove it's his cryptocurrencies so it isn't easy accepting what he's saying but I'm feeling sad if he's lost $165k.

Question #1:
OP, you say your wallet is older than when you started using Rewind.ai. After you started using that tool, did you ever display your private keys or your mnemonic recovery words of your wallet on screen so that such sensitive details could've been recorded by Rewind.ai?
Think hard and try to remember any possibility for such to happen.

You say Rewind.ai stores recordings only on your local device. Question #2: how are such recordings secured? Any encryption or password necessary to replay such recordings? (I don't know this tool.)

Question #3: have you ever granted someone remote access to your device? Do you have remote access tools installed, like TeamViewer, Anydesk, ...?

Question #4: I assume your MacBook wasn't ever in any repair shop or Apple repair while there's still your data on it and since you have your wallet active? (Just to exclude the most obvious things.)

My brainstorming is about how could your wallet's sensitive data leaked. You didn't say or answer anything about browser extensions. Is this Bitcasino only a website or did you install some software from them on your device?

Pmalek's idea that the stealing transaction could be somehow related to your transfer to Kraken is a path worth to explore but frankly I don't have an idea how this could lead to a leak of data allowing a malicious party to transfer your funds.

Problem is also that is not going to be easy to determine if your device is clean or infected with something malicious.

It's more money than I'll see in my life I'm sorry you've lost $165k ETH it's got to hurt. I'd be broken if it happened to me. I don't want to be unsympathetic but are you able to prove you've lost it? It's hard to believe every thing we're told so can you prove it?

Including private keys? (pls don't say yes)
I'm not gonna accuse him just for ruining your relationship. But in this case (about a large sum of money), if this were to happen to me, I'd be more realistic and not limit any suspicions. For me that's natural, because "money can blind a person".

But it's up to you, what I quoted actually... never mind

I began using Rewind quite early on but my wallet is much older, and it's been a real lifesaver on numerous occasions, helping me recall things I'd forgotten or needed to retrace my steps on. While the article you've linked to does cover both the pros and cons of Rewind AI, the fact that all the data is stored locally mitigates my concerns.

As for my partner, we maintain a high level of transparency and are both keenly aware of crypto-related issues. We share everything, so there's no conceivable motive for him to engage in such behavior.

My intuition leads me to this conclusion as it appears to be the most logical, but from a technical standpoint, it feels like a stretch.


He does not use my computer, and we have our own rooms, he also is good about crypto security.

All right, let's slow down.
Everything I'm going to ask and say next is just assumptions and possibilities, I don't mean to accuse anyone. Up to this point, I'm with Pmalek that your privatekey was leaked.

Since when was your rewind application installed? did it also record the screen when you generated the privatekey?
Then about your old partner, is there any chance that s/he can also watch the saved recording?


Anyway, reviews about Rewind.ai that might be worth reading: https://www.lifewire.com/rewind-ai-records-everything-on-your-mac-privacy-nightmare-or-amazing-memory-tool-6826733

Maybe your keys leaked with the 26 ETH transaction that you made from Metamask to your Kraken account. After that, someone got the secrets that they needed to steal the remaining coins. I don't know how, though.

What about your partner that you said lives with you. Does she use your computer? It doesn't have to be that she stole from you, maybe she used some fake app. Does she play games or use some dubious apps and permissions over social media?

Sorry  for your loss OP,this is a hard lesson for you. I am not blaming you but it has always been an advice here by experts that don't keep big amount of bitcoin in an online wallet because you will be vulnerable to hackers but instead use a hard wallet to keep your coins but this information was irrelevant to you not until you have become a victim. A link with malware was sent to you and that was how your wallet was compromised. I don't think that such an hacker will transfer the funds to an exchange only if he is dumb. If crypto is not illegal in your country and the funds was sent to an exchange, then it is possible to freeze the account with the help of the police.

For someone who is unable to regulate their emotions, the notion of this enormous loss can be intolerable. This is a tragic tale that OP will carry on with.

If there was a way to get your stolen $165k Eth back, we would have all taught you the way, but in this situation, there is no way to discover the person who stole your crypto assets.

Have courage, and consider it a lesson well learned. You should not use your Eth wallet once again because it has been compromised. Instead, use a hard wallet to create a more secure wallet that won't be vulnerable to hackers.

As OP uses MetaMask which is a browser based wallet: which browser extensions do you have installed? If you don't pay attention to what extensive rights some extensions demand and if you install shady ones, you're quick in trouble.

Do you have some sort of extension from Bitcasino installed??

I consider a browser based wallet like MetaMask already as a very bad idea. Browsers are very complex software beasts that constantly interact with the www, that is mostly external data thrown at your try-to-be-everything-software-renderer which has gazillions of bugs, constantly.

Any exploit in your browser puts your browser wallet at risk. What could possibly go wrong here? Nevermind...

That is indeed quite uncommon behavior of a malicious actor who has enough control to send coins from OP's wallet.

Certainly, the scenario you described is indeed puzzling. I agree that if a malicious actor had gained control of my private key or seed phrase, we would expect them to act more opportunistically. The presence of 12 Ethereum (~$35K as of my case) sat in my wallet untouched for almost 18 hours, I was withdrawing from that amount so it is highly unusual if a hacker had control over my wallet that they wouldn't touch those funds.

The sequence of events is indeed perplexing. The malicious activity started almost synchronously with the deposit of the larger sum of 111 Ethereum that I won from Bitcasino. Within minutes of this deposit, I successfully managed to transfer 26 Ethereum to my Kraken account. Only after this transaction, the unauthorized transfer of the remaining funds began.

The hacker's hesitation and the delayed reaction seem counterintuitive if we're dealing with a classic case of private key compromise. It doesn't make sense why they left a significant amount untouched in the wallet for so long, and why they waited until after a large deposit and a subsequent withdrawal by me before they moved the funds.

One potential explanation is a triggered event or condition - possibly a smart contract interaction or some other automated mechanism that was set to activate upon the receipt of a large deposit. I mentioned in my previous responses about a smart contract transaction that occurred immediately after the 111 Ethereum deposit. While the connection is uncertain, it's a point of interest that could potentially explain the odd timing.

Of course, these are all speculations based on the peculiar circumstances surrounding this incident. The reality may be different, and a thorough investigation is underway to get to the bottom of it.

It's indeed a perplexing situation, and I appreciate your interest in understanding this unusual case. I'll continue to update as I make progress with my investigations and hopefully provide some clarity in due time.

It's literally driving me crazy.

I am truly sorry for your loss but this whole thing is very strange to me.
You said that there was about $7k at that address earlier, but that the "hacker" (or whatever is behind it) did not touch that money, but was waiting for a larger amount. When that larger amount has arrived, he hesitates and allows you to transfer a solid part of that money (about 1/3) and only after that, he transfers the rest of the ETH.
This really doesn't look like a serious hacker to me, To me, this really doesn't look like a serious hacker, it's just that he would leave the possibility of saving $50-$60k.