Topic: HELP, Bitcoin wallet has been emptied from 26btc to 0.1btc Was my wallet hacked? (Read 1249 times)

I'm not sure how much I can tell you about what is or is not available in either of the two wallet.dat files that you have just from a list of addresses seen in "Receive Coins".  Unfortunately most of your bitcoins will likely be associated with change addresses that are not displayed to you in the user interface, so just looking at the user interface won't tell you which change addresses are missing from either wallet.  I'm certainly willing to try looking and seeing what I can tell you.  You are welcome to PM me, or you can email me if you prefer. You'll need to let me know if you email me, or I might mistake your email for spam/junk.

There is probably a way to recover the damaged wallet.dat.  I think you can try starting up Bitcoin-Qt from a command line adding -salvagewallet as described here:

https://bitcointalksearch.org/topic/m.1307828

If that doesn't work, you might try looking into a Python program called pywallet.pl.  Apparently it provides tools for manipulating wallet.dat files.  I'm really not an expert on recovering damaged wallet.dat files.  Perhaps someone with more expertise in that area than me will stop by and help out.

If I was experiencing the issue, what I would probably do is:

Create a list of private keys from the damaged wallet.dat in Bitcoin-Qt
Shut down Bitcoin-Qt
Create a temporary wallet at https://blockchain.info/wallet
Use blockchain.info's "import private key" functionality to import the private keys of all the addresses listed above.
Move the wallet.dat out of the bitcoin data directory and restart Bitcoin-Qt so it creates a brand new undamaged wallet.dat
Send all the bitcoins from the blockchain.info wallet to my new Bitcoin-Qt wallet.

To get a list of private keys:
Click on the "Help" menu in Bitcoin-Qt
Select (click on) "Debug window"
In the debug window, click "Console"
If your wallet is encrypted, enter the following into the Console:


Replacing YOUR_PASSWORD_HERE with your actual password.  This will unlock your wallet for 10 minutes (600 seconds).

To get your private keys, you'll need to enter the following into the console:


Run it multiple times, once for each bitcoin address in the list I provided above replacing BITCOIN_ADDRESS with one of the bitcoin addresses each time.

This will respond with your private key (it will start with either a 5, K, or L).  Do not give this private key to anyone.  With it they can take or spend your bitcoins.  This is the private key that you'll need to import into your temporary blockchain.info wallet.

If any of the addresses report Private key for address 1bitcoin_address_here is not known (code -4) then either that part of the wallet is damaged beyond the ability for Bitcoin-Qt to access the private key, or I've somehow accidentally provided you with an incorrect bitcoin address.  Either way, those bitcoins won't be recoverable via this method (perhaps pywallet would fare better in those situations).

If this solution is satisfactory and you plan on using it, then let me know and I'll try to get you a list of addresses that are associated with the bitcoins that were initially received at 1BX3a8LG8c4MhmDf7S8srfEpvyywUkqjJQ and that still have a balance associated.

Ok.  It looks like your bitcoins have NOT been stolen, so that's the good news.

Scanning the blockchain, I've manged to find just about 70 unspent BTC that are all associated with addresses that at one point in time were in your wallet.

I wouldn't be too concerned about your wallet being "hacked".

This leaves us with the question of why you can't see the appropriate balance.

I don't have enough information yet, but it sounds like perhaps your wallet.dat file is corrupted/damaged, and that the client is having difficulty accessing the private keys and/or addresses stored there.  Hopefully you save backups of your wallet on a regular basis so we'll have a slightly older undamaged copy of the wallet that we can work with to regain your access to your coins.  If not, we'll have to see how much we can salvage from the wallet.dat that you have.

It seems like you may be trying to coordinate running multiple wallets at once?  Is this true?  Depending on the methods you use to do so, this can sometimes lead to confusion that can result in a person accidentally damaging, erasing, overwriting, or losing track of a wallet.dat file.

Following is a list of addresses that should be in your wallet (many may be change addresses so they won't show up in the user interface) and the current bitcoin balance associated with each.  If we can find the appropriate wallet.dat file that has the private keys for any of these addresses, we can recover those bitcoins for you:

13foqPMnvmarekBM8ednUZrQZiZ3DCKjJQ * (0.000965 BTC)
14nuyzirsJF8nErEdehdJomKRLWqAAGueX * (0.10095333 BTC)
14PRu1uQMH9dupcMvxdymNnMs2NZkvkv3L * (0.00000001 BTC)
154Pfi3NKJQqr9H7w7gZx1cWi6Y2ddbckh * (1.76756914 BTC)
19ne3LaHymE4VyXt5eCcWUVXof3LnBHCWq * (0.23122043 BTC)
1AjhniMUq2MvggNy8ap8WFe1ujw8TTLTjD * (0.0009216 BTC)
1BGCy7kz6MyQ1AsEM1RGqeBezhndRjdLz4 * (12.85355644 BTC)
1bJ2ZwKzJHHAmaQD4Eh7eJeaeDojKa26p  * (0.00000001 BTC)
1C5WuxJm2PbXk11dv2nbpp9X5WhCuahQ5H * (0.01009845 BTC)
1Cx2v7GUW45bMj3GaiiUC4X9puWD7txzMt * (0.1025 BTC)
1DMo8hyinfUCCUadqBqcg2g3TZzNSuTsMP * (0.00350617 BTC)
1DyX8xypVuzRwaHZXAErz4Lnqco7WdyyYR * (23.43793931 BTC)
1E8U6AEbQp1itK4eBUcAB58TTPif8HezxA * (0.00602041 BTC)
1EbFdgAvESQWdVRha7Vfz9pUg9CzLcGo2h * (0.00006172 BTC)
1EdgurmCihEWrDRZkkTGGrobMr8YjwMvUD * (0.00000001 BTC)
1EUr4TVTMBX6WZSfgs4wVqxby8mBSBvRXA * (0.00000001 BTC)
1EZy8MCmUqyRz9qxynHMdTur85NvCW4Syp * (0.00004229 BTC)
1F3g4S4x27miUcTF5mn9GmTxU64NBgdFmU * (0.37605181 BTC)
1F5kBUzgMSJdypKuymtbKBGqjgTg9y6b9z * (0.00054567 BTC)
1FUXJEfwoCMXzqkY5obRndbuVWoxEcip6c * (4.34643184 BTC)
1Fxx7PD5P7o2eq8vVDGCmQhCyxAWg51g9x * (0.00046924 BTC)
1H2iSotWSCar66JBqRFAGHMw5syQbVvvUY * (0.78689033 BTC)
1J3q3UxWug5tksK4LYPsgjy5SeG1afDBkW * (0.00204701 BTC)
1KyEbMo9GoAREKKTLrFTt7C7mTPHP2j9en * (6.43890673 BTC)
1LSAtJa8TVEDNV6v1e6MJrpL4EzDu3odpf * (0.56748684 BTC)
1MXwy2vgdFSdAw4PVfUE2dgHNYGXe1NLdZ * (4.78141783 BTC)
1No4DHvKfx95Z7HwCucZaA8LVr4rdWKGVr * (14.03322594 BTC)
1UHpqU64qYGEwREAsaRP7HgdU2apCUc6d  * (0.55267123 BTC)

I believe that nearly all of these balances are either change from a bet sent to SatoshiDice, or winnings received back from a bet sent to SatoshiDice.  This list was compiled from bets that were placed with bitcoins that were initially received at 1Cx2v7GUW45bMj3GaiiUC4X9puWD7txzMt.

There may be additional bitcoins that I have not traced down yet that were initially received at 1BX3a8LG8c4MhmDf7S8srfEpvyywUkqjJQ, but I figured we'd see what we can do with the list above before I move on to scanning the blockchain for transactions associated with 1BX3a8LG8c4MhmDf7S8srfEpvyywUkqjJQ.

Ok, here's what I can tell you so far about address 1Aru9gzJmhAw5CW12ggrubGvCcgmMQbhfk:

This address was first used at 17:39:05 UTC on 2013-02-03 to receive 0.49728461 BTC in change from a transaction where 1EZy8MCmUqyRz9qxynHMdTur85NvCW4Syp was spending a previously received 0.6067434 BTC output to send 0.10845879 BTC to "SatoshiDice 50%" (1dice97ECuByXAvqXpaYzSaQuPVvrtmz6).

At 18:06:21 UTC on 2013-02-03, that 0.49728461 BTC was spent to send "SatoshiDice 50%" 0.1202328 BTC along with a 0.001 transaction fee.  The remaining change of 0.37605181 BTC was sent to 1F3g4S4x27miUcTF5mn9GmTxU64NBgdFmU where it has not yet been spent.

At 18:07:49 UTC on 2013-02-03, "SatoshiDice 50%" paid out 0.23479558 BTC in winnings to 1Aru9gzJmhAw5CW12ggrubGvCcgmMQbhfk.

At 05:09:49 UTC on 2013-02-04 that 0.23479558 BTC was spent sending 0.1 BTC to 1Cx2v7GUW45bMj3GaiiUC4X9puWD7txzMt and 0.13379558 BTC to 1ENZbDcoJvKvQpyXaJiXXGeb68g9rfJeKj, along with a 0.001 BTC transaction fee.  Neither of these have been spent since then.

So, it would seem that the following should be in your wallet:
1EZy8MCmUqyRz9qxynHMdTur85NvCW4Syp with a balance of 0.00004229 BTC
1F3g4S4x27miUcTF5mn9GmTxU64NBgdFmU with a balance of 0.37605181 BTC

And probably at least one of the following:
1ENZbDcoJvKvQpyXaJiXXGeb68g9rfJeKj with a balance of 0.13379558 BTC
1Cx2v7GUW45bMj3GaiiUC4X9puWD7txzMt with a balance of 0.1025 BTC

Some of these may be "change" addresses, so if you are using the Bitcoin-Qt reference client, you might not see these addresses (although you should see the amount included in the balance) in the user interface.  Do you know how to use the console to dump out a list of addresses in the wallet?

Click the links to see the transactions and address balances described.

I can certainly understand your concern, especially after an event that you don't understand that has resulted in your wallet no longer showing you the bitcoin you expect it to.

Be aware that while giving out a bitcoin address does destroy your anonymity a bit (since that address and any other addresses associated with it can now be determined to be yours). In no way can anyone spend/steal any of your bitcoins if all they have is some of your bitcoin addresses.   Don't ever let anyone convince you to share any of your private keys in a public forum.  That would give the entire public access to spend any and all bitcoins that are ever associated with that address in the future.

If you trust me or some other knowledgeable person in this forum, you can communicate over PM to reduce your exposure.  There are definitely some benefits to communicating publicly though:

• If I (or someone else) gives bad/dangerous advice or ask for something that could violate your security, others will see that and warn you.
• Something one of us says could spark a thought in someone else's mind about what is causing the issue, they can then provide feedback that otherwise would be missed.
• If someone else has the same problem in the future, the could find this discussion while searching, and have their issue figured out much faster.

I'll start by looking at the one you've provided, if i need more information to figure out what happened or where your bitcoins are, I'll let you know.


I hadn't thought to ask yet, but it is probably going to be important.  Are you using version 0.7.2 of the reference wallet (Bitcoin-Qt), or something else (Electrum, Armory, MultiBit, older version of Bitcoin-Qt, etc.)?

Possibly, but not necessarily.  Have you been backing up your wallet.  Do you have older or multiple copies of your wallet.dat file?  Confusion about which is the most recent or current live wallet.dat file could certainly lead to you loading the wrong copy into blockchain.info/wallet which would result in blockchain.info not knowing about all of your transactions and displaying the wrong balance.

I'll take a look in the blockchain at the address you've provided and see what I can find out.  I'll be back with more questions and/or information later.

http://blockchain.info/address/1KyEbMo9GoAREKKTLrFTt7C7mTPHP2j9en

Is this one of those 15 addresses?

EDIT:
http://blockchain.info/address/1FUXJEfwoCMXzqkY5obRndbuVWoxEcip6c
http://blockchain.info/address/1MXwy2vgdFSdAw4PVfUE2dgHNYGXe1NLdZ
http://blockchain.info/address/1No4DHvKfx95Z7HwCucZaA8LVr4rdWKGVr

EDIT:
http://blockchain.info/address/1H2iSotWSCar66JBqRFAGHMw5syQbVvvUY
http://blockchain.info/address/19ne3LaHymE4VyXt5eCcWUVXof3LnBHCWq

Can't he just run bitcoin with the -rescan command so his wallet re-syncs with his balance according to the blockchain?

Yes, what Danny said above. I'm guessing that the transactions for sd failed to confirm.

To do that we'd need to know your bitcoin addresses.

OK, I have a problem here i hope somebody can advise me on,...  My knowledge on all this is limited, i did try to search to find somebody with a similar problem but couldn't find anything.  I haven't slept for over 30 hours now and this is really stressing me out, so forgive me if this doesn't make the best of sense....

Right, so I had a bitcoin wallet with 53 bitcoins in it... I then discovered satoshi dice and was hooked, playing it on and off for several hours yesterday.

After playing for several hours I made a bet/payment of 14btc, then followed by another of around 30btc, leaving my balance at 26btc (after winning of previous games were confirmed)

but this is were it gets very weird....  All of a sudden, for all my new transactions stop receiving any confirmations, so the 14btc and 30btc transfer just stayed at 0 confirmations for over 24 hours along with 5 smaller transactions, but the coins left my wallet leaving me with 26 coins.   satoshidice's site acknowledges the payment but didn't process any game, it is the strangest thing...  I have a transaction id but when i search it on their site it shows that they didn't play a game like all the other payments.  it is as if somebody had spent the money out of my wallet before i sent the payment, making my wallet a dud basically, does that make sense?

So although i had 7 transactions at the top of my wallet with 0 confirmations when i made a new payment the following day it received confirmations without any problems.

I was left with a wallet with apparently 26btc, but i knew somethign strange had happened.

thinking i had just lost 44btc somehow, but it got worse...

I decided to export my wallet and upload it onto blockchain.info, this would be a good way of getting an accurate situation of whats in my wallet.  When i uploaded the wallet.dat file and logged in I ONLY HAD 0.1002 BITCOINS.

I know transaction history can be followed, so i wonder if anybody can help me by checking if any funds left my wallet to any address other than  1dice97ECuByXAvqXpaYzSaQuPVvrtmz6

ps sorry for the long winded, messy post,i hope somebody can take the time to read it, thanks.