Topic: How can someone move my btc that is a local wallet? (Read 419 times)

If it was a targeted attack, the attacker must have known about cwwang's crypto holdings, otherwise it wouldn't have been a targeted attack.
This being said, there's plenty of malware that's included into many real and fake programs, usually tools that have something to do with crypto, meanth to infect as many people as possible in the hope of finding a wallet, or copy/pasting keys, or copying the thief's address whenever a btc address is placed in the clipboard.

Don't know about the classification, but sure, if your wallet is compromised, it's usually all keys that get stolen at once.


Hardware wallets.
There is no other procedure that can give you > 99% protection while spending from an ONLINE pc. There are plenty of really good procedures for airgapped wallets and paper wallets that are at least as safe as hardware wallets tough.

I'm not a windows admin, i don't really like windows OS, but to the best of my knowledge, not all malware can be seen from the taskmanager... Rootkits, taskmanager vulnerability's, replacing the name of system components,...

Wow, that's pretty large sum of money that you lost here. I read all the replies from here so in case I know also what to do with my wallet. Sometimes, we don't know if our computer is compromised or not. I hope you will recover that losses soon. Just remember, money can always be replaced. Life moves on.

Sorry for your loss. Its brave that you are going to the bottom of this and doing everything to figure out what went wrong. Such incidents are an eye-opener to everyone. I have heard about phishing programs and keyloggers and that even virus scanners ending up installing such malware. I have a few questions to ask regarding this:

1. This is a targeted hack. Does that mean that the attacker probably had a way of knowing that cwwang had those kind of funds stored? I have heard of malware that randomly just scans computers to pick up presence of wallet.dat files?
2. How to classify such attacks? What are the ways in which it is possible to lose all your keys from a network connected PC?
3. Is there any Standard Operating Procedure where you can run a wallet like electrum on a network connected PC (for small, normal transactions) that would ensure that malware/ keyloggers don't get access to your computer?
4. Suppose a keylogger is active on my PC. Shouldn't it be possible to see it in background activity as some undefined/ random process (Talking about Windows).

These are just some of the questions that come to mind on seeing such attacks. It'll be great if those who know this stuff can answer. @cwwang, Can you please share that how did you figure out the modus operandi that you have described above.

Good for you, some people would suffer a psychological breakdown if they lost $56 000+, but there are obviously people who can afford it. I think you still have a lot to learn when it comes to protection of cryptocurrency, it is not easy to be your own bank.


I think the FBI can only help you if it's a hacker from the USA, because if it is Russia or some other exotic country... In any case, good luck with the investigation.

Just like everybody else, they made mistakes sometimes. Keeping a logs like this is not a bad idea, just in case they'll use the same address, or mistakenly connect different address and sent it to a known exchange address. There's nothing to lose here, might as well do it.

 I'm an optimist.  I learn from my mistakes and move on.  I don't feel bad about this.

It is confirmed he first enter through myqnapcloud.com.  Then access my NAS.  Yes.  One password was compromised and I should of done a better job securing that.  Regardless its mitigated.

I also filed a complaint with the FBI and have some security guys helping me to do some investigating.  I do have some general idea where the attack came from; but I'll keep it like this for now.  I want the fed to get involved and hopefully they'll.

Status: 152 confirmations
Date: 4/15/20 02:39
To: 3KkktVYUaCR52oZUdZzpuXFMvqpLmYFaqA
Debit: -8.08116106 BTC
Transaction fee: -0.00004310 BTC
Net amount: -8.08120416 BTC
Transaction ID: 668c2e5d00e25f15c23a8f843dfc4502a595343b78ede0e99eb935710f9be726
Transaction total size: 557 bytes
Transaction virtual size: 315 bytes
Output index: 0

Another in a series of sad stories, but also warning that such amount of coins should not be stored in desktop wallet, on the computer we use for everyday needs. It seems to me at first that this was not an accidental attack, but that you were the intended target. All those who knew you had so much BTC are suspicious, no matter how much you trust them. I would personally go in that direction, though it is something that would require a thorough investigation and resources that you probably do not have.

Part of your BTC is now on this address https://www.blockchain.com/btc/address/38sDP6DuzMkp8NBxX2XhgF8eLWRoWTHHUo , and you can try to report them, but it is possible that the hacker has already sold them, and they have a new legitimate owner.

Is this just a guess or do you have any evidence ?

Compromising a NAS does not necessarily mean your computer gets compromised. You either had to actively execute malware stored on the NAS or there were further vulnerabilities (maybe due to an unpatched system?)

What kind of NAS do have (vendor / model) ?


You definitely have to completely wipe your computer and NAS. Backup important files and format any disk.

And if he has access to your private keys (wallet file + your entered password), he also has access to any other password you have entered on this computer since you got compromised.
Make sure to change all affected passwords.

I was wondering same, there is option to report bitcoinwhos & bitcoinabuse. It would helpful if someone check address on same website (IMO). Reporting address wouldn't prevent hackers to hack bitcoin. On the other hand if hacker transfer their hacked fund eventually without mixing then reporting on exchanges would help lock amount (if exchange want to recognize with fraud funds). But hackers are more smarter than us, likely they will not leave any clue to fund them.

Anyway, sorry for your loss @OP. Hope you have learned already. Just clean you device by formatting everything & reset your all password on ther device or cleaned device immediately.

There are some websites that list things like this. Such as https://www.bitcoinabuse.com/ or https://bitcoinwhoswho.com/. I don't know how effective they are but if reporting is what you want to do, it's probably worth posting there.

Some of the exchanges have flagged things before, but generally only in the instance of a massive hack and theft from either themselves or other exchanges. You can't really blacklist bitcoin addresses... and the thieves are likely to simply move the coins through mixers or other addresses to obfuscate their history.

You only real option at this point is to make sure you learn from this and take the necessary steps to prevent it occurring in the future.

Sorry for your loss.

no there is nothing you can do about it. bitcoin transactions are irreversible so they sent coins not be unsent. and there is no centralization to want to judge the correctness of the accusations and "flag" the address as belonging to a thief.

After spending a few hours last night. I think I know what happened. ...  It was a hack.  Through my NAS I believe.  Anyway... Its done deal.

I am wondering if there is a way to flag that address as fraud?  Or some thing I can do about this event?  Any ideas is appreciated.

No idear... Maybe some malware/virus/keylogger. Maybe phishing. Maybe physical access. Maybe an accidental backup in the cloud. Maybe a physical vulnerability on the OS level.
But the fact remains that if you were cleaned out, somebody must have had the opportunity to get to your private keys... This makes your complete setup compromised. You can never be 100% sure you are safe unless you start over with a clean install, clean wallets, ...

So someone accessed my computer and cracked the passphrase?  How could that happen? 

I personally have 4: a ledger HW.1 (discontinued ages ago), a ledger nano S, a trezor one and a trezor model T... I must say that i personally prefer ledger hardware, but that's just my personal taste. Both ledger and trezor make quality products. There are other vendors out there, most of them are legit, but those two brands are the most popular... And a large usebase is a good thing when it comes to discovering vulnerability's and longtime support.

But if you need a sollution right now, you can either find an old laptop/desktop and completely disable all networking hardware (or plain remove the networking cards) then setup bitcoin core or electrum as an airgapped wallet.

walktroughs:
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet
https://electrum.readthedocs.io/en/latest/coldstorage.html

An other possibility is making a paper wallet in a secure way... Basically, use a community vetted, trusted wallet generator to create a bip38 encrypted paper wallet on an OFFLINE pc (at least reboot it after the paper wallet has been generated), print on a locally connected printer (reboot the printer afterwards). Make several copys, laminate...

BEFORE actually using your new (secure) setup, i'd recommand a testnet setup first... Basically, run the airgapped setup in testnet mode, or create a testnet paper wallet... Fund the airgapped wallet/paper wallet with some tBTC and test if you are able to spend the funds afterwards. Only when you are confident you have a working procedure to access your funds later on, move on to the mainnet...

Which hardware wallet do you recommend?

So, after reading your log, and looking up that address on a block explorer, i can pretty much say you were indeed robbed.
He used all unspent outputs completely, no change address was used. He overspent on the fee aswell, so he'd be sure the transaction would get confirmed quickly.

Since your wallet wasn't online at the time of the robbery, you can be certain the robber has indeed all private keys belonging to this wallet... Consider the wallet to be compromised, consider your computer to be compromised. If you hold any more funds on any other wallet, DO NOT open that wallet on that compromised PC... Buy a hardware wallet, create a paper wallet,.... Do whatever you need to do, but you should move any funds on any wallet that was on the compromised computer to a wallet that never touched the compromised machine as soon as you can without acting so hastely you make other mistakes.

But i cannot stress this enough: any funds on any wallet that was on your compromised machine is at risk. Just moving the wallet files to a clean PC is not sufficient, you need to create brand new wallets on a clean pc and move all funds from the old wallets (on the compromised pc) to the brand new wallets (that never touch the compromised machine)

I hate to be the barer of bad news, but those 8+ BTC are gone i'm afraid... +150 confirmations... I feel sorry for you.

I know it doesn't mean anything to you, but i gave your post a merit. You seem like the kind of person i'd like hanging around on bitcointalk. I hope this robbery didn't scare you away from crypto currencies (altough i would completely understand if it did). It's all hindsight now, but a hardware wallet or an airgapped setup would probably have been the way to go when holding >8 BTC...

Below is the transaction of someone sent my 8.08 coins to an unknown address

4/15/20 02:39 Confirmed (151 confirmations). Sent to (no label) 3KkktVYUaCR52oZUdZzpuXFMvqpLmYFaqA -8.08120416


Below is my debug log. Last shutdown was 4/9.  Then I started on 4/16.  There was no activity on 4/15.


2020-04-09T22:31:01Z UpdateTip: new best=0000000000000000000a7986fbeb212d76c5410f6d1806730e9e5b584cf835f9 height=625191 version=0x208e2000 log2_work=91.84263 tx=519485685 date='2020-04-09T22:30:59Z' progress=1.000000 cache=311.1MiB(3237493txo) warning='67 of last 100 blocks have unexpected version'
2020-04-09T22:43:06Z Pre-allocating up to position 0x5000000 in blk02029.dat
2020-04-09T22:43:06Z UpdateTip: new best=0000000000000000000324a4a9cd4dc2ea23298000d6f2119a51fa99ad36b983 height=625192 version=0x20400000 log2_work=91.842651 tx=519488067 date='2020-04-09T22:42:58Z' progress=1.000000 cache=311.3MiB(3239975txo) warning='68 of last 100 blocks have unexpected version'
2020-04-09T22:49:57Z UpdateTip: new best=0000000000000000000084796852af145b8ddbf758317a509ea514b76800b787 height=625193 version=0x20c00000 log2_work=91.842671 tx=519489269 date='2020-04-09T22:49:40Z' progress=1.000000 cache=311.5MiB(3241244txo) warning='69 of last 100 blocks have unexpected version'
2020-04-09T22:51:31Z UpdateTip: new best=0000000000000000000fed96ca174999768440df83e892325d011cc6bac5bd28 height=625194 version=0x3fffe000 log2_work=91.842692 tx=519489630 date='2020-04-09T22:51:19Z' progress=1.000000 cache=311.5MiB(3241463txo) warning='70 of last 100 blocks have unexpected version'
2020-04-09T23:08:01Z tor: Thread interrupt
2020-04-09T23:08:01Z Shutdown: In progress...
2020-04-09T23:08:01Z addcon thread exit
2020-04-09T23:08:01Z torcontrol thread exit
2020-04-09T23:08:01Z opencon thread exit
2020-04-09T23:08:01Z net thread exit
2020-04-09T23:08:01Z msghand thread exit
2020-04-09T23:08:01Z scheduler thread interrupt
2020-04-09T23:08:01Z Dumped mempool: 0.009077s to copy, 0.090141s to dump
2020-04-09T23:08:02Z [default wallet] Releasing wallet
2020-04-09T23:08:02Z Shutdown: done
2020-04-16T06:48:01Z




2020-04-16T06:48:01Z Bitcoin Core version v0.18.1 (release build)
2020-04-16T06:48:01Z Assuming ancestors of block 0000000000000000000f1c54590ee18d15ec70e68c8cd4cfbadb1b4f11697eee have valid signatures.
2020-04-16T06:48:01Z Setting nMinimumChainWork=0000000000000000000000000000000000000000051dc8b82f450202ecb3d471
2020-04-16T06:48:01Z Using the 'standard,sse41(4way),avx2(8way)' SHA256 implementation
2020-04-16T06:48:01Z Using RdSeed as additional entropy source
2020-04-16T06:48:01Z Using RdRand as an additional entropy source
2020-04-16T06:48:01Z Default data directory /home/cwwang/.bitcoin
2020-04-16T06:48:01Z Using data directory /beast/bitcoin-data
2020-04-16T06:48:01Z Config file: /beast/bitcoin-data/bitcoin.conf
2020-04-16T06:48:01Z Using at most 125 automatic connections (1024 file descriptors available)
2020-04-16T06:48:01Z Using 16 MiB out of 32/2 requested for signature cache, able to store 524288 elements
2020-04-16T06:48:01Z Using 16 MiB out of 32/2 requested for script execution cache, able to store 524288 elements
2020-04-16T06:48:01Z Using 4 threads for script verification
2020-04-16T06:48:01Z scheduler thread start
2020-04-16T06:48:01Z Using wallet directory /beast/bitcoin-data/wallets
2020-04-16T06:48:01Z init message: Verifying wallet(s)...
2020-04-16T06:48:01Z Using BerkeleyDB version Berkeley DB 4.8.30: (April  9, 2010)
2020-04-16T06:48:01Z Using wallet /beast/bitcoin-data/wallets
2020-04-16T06:48:01Z BerkeleyEnvironment::Open: LogDir=/beast/bitcoin-data/wallets/database ErrorFile=/beast/bitcoin-data/wallets/db.log
2020-04-16T06:48:01Z init message: Loading banlist...
2020-04-16T06:48:01Z Cache configuration:
2020-04-16T06:48:01Z * Using 2.0 MiB for block index database
2020-04-16T06:48:01Z * Using 8.0 MiB for chain state database
2020-04-16T06:48:01Z * Using 440.0 MiB for in-memory UTXO set (plus up to 286.1 MiB of unused mempool space)
2020-04-16T06:48:01Z init message: Loading block index...
2020-04-16T06:48:01Z Opening LevelDB in /beast/bitcoin-data/blocks/index
2020-04-16T06:48:02Z Opened LevelDB successfully
2020-04-16T06:48:02Z Using obfuscation key for /beast/bitcoin-data/blocks/index: 0000000000000000
2020-04-16T06:48:07Z LoadBlockIndexDB: last block file = 2029
2020-04-16T06:48:07Z LoadBlockIndexDB: last block file info: CBlockFileInfo(blocks=57, size=69345739, heights=625138...625194, time=2020-04-09...2020-04-09)
2020-04-16T06:48:07Z Checking all blk files are present...
2020-04-16T06:48:08Z Opening LevelDB in /beast/bitcoin-data/chainstate
2020-04-16T06:48:09Z Opened LevelDB successfully
2020-04-16T06:48:09Z Using obfuscation key for /beast/bitcoin-data/chainstate: 6721ed49b14769d0
2020-04-16T06:48:09Z Loaded best chain: hashBestChain=0000000000000000000fed96ca174999768440df83e892325d011cc6bac5bd28 height=625194 date=2020-04-09T22:51:19Z progress=0.996134
2020-04-16T06:48:09Z init message: Rewinding blocks...
2020-04-16T06:48:10Z init message: Verifying blocks...
2020-04-16T06:48:10Z Verifying last 6 blocks at level 3
2020-04-16T06:48:10Z [0%]...[16%]...[33%]...[50%]...[66%]...[83%]...[99%]...[DONE].
2020-04-16T06:49:21Z No coin database inconsistencies in last 6 blocks (8082 transactions)
2020-04-16T06:49:21Z  block index           80075ms
2020-04-16T06:49:22Z init message: Loading wallet...
2020-04-16T06:49:22Z BerkeleyEnvironment::Open: LogDir=/beast/bitcoin-data/wallets/database ErrorFile=/beast/bitcoin-data/wallets/db.log
2020-04-16T06:49:22Z [default wallet] nFileVersion = 180100
2020-04-16T06:49:22Z [default wallet] Keys: 0 plaintext, 4004 encrypted, 4004 w/ metadata, 4004 total. Unknown wallet records: 0
2020-04-16T06:49:22Z [default wallet] Wallet completed loading in             166ms
2020-04-16T06:49:22Z [default wallet] setKeyPool.size() = 1997
2020-04-16T06:49:22Z [default wallet] mapWallet.size() = 4
2020-04-16T06:49:22Z [default wallet] mapAddressBook.size() = 4
2020-04-16T06:49:22Z mapBlockIndex.size() = 625195
2020-04-16T06:49:22Z nBestHeight = 625194
2020-04-16T06:49:22Z AddLocal([2600:8802:1102:5f00:15ff:b85c:29b4:d2fd]:8333,1)
2020-04-16T06:49:22Z Discover: IPv6 wlp3s0: 2600:8802:1102:5f00:15ff:b85c:29b4:d2fd
2020-04-16T06:49:22Z AddLocal([2600:8802:1102:5f00:139e:86c9:7b79:b787]:8333,1)
2020-04-16T06:49:22Z Discover: IPv6 wlp3s0: 2600:8802:1102:5f00:139e:86c9:7b79:b787
2020-04-16T06:49:22Z Bound to [::]:8333
2020-04-16T06:49:22Z Bound to 0.0.0.0:8333
2020-04-16T06:49:22Z init message: Loading P2P addresses...
2020-04-16T06:49:22Z torcontrol thread start
2020-04-16T06:49:22Z Loaded 64616 addresses from peers.dat  662ms
2020-04-16T06:49:22Z init message: Starting network threads...
2020-04-16T06:49:22Z net thread start
2020-04-16T06:49:22Z opencon thread start
2020-04-16T06:49:22Z init message: Done loading
2020-04-16T06:49:22Z dnsseed thread start
2020-04-16T06:49:22Z msghand thread start
2020-04-16T06:49:22Z addcon thread start
2020-04-16T06:49:22Z GUI: Platform customization: "other"
2020-04-16T06:49:22Z GUI: PaymentServer::LoadRootCAs: Loaded  126  root certificates
2020-04-16T06:49:29Z New outbound peer connected: version: 70015, blocks=626227, peer=0
2020-04-16T06:49:33Z Loading addresses from DNS seeds (could take a while)
2020-04-16T06:49:35Z 282 addresses found from DNS seeds
2020-04-16T06:49:35Z dnsseed thread exit
2020-04-16T06:49:43Z UpdateTip: new best=0000000000000000000acdba38bcbd8e80f03b321ec453f9f4e3fcce5ed4cc48 height=625195 version=0x20000000 log2_work=91.842712 tx=519492624 date='2020-04-09T23:22:21Z' progress=0.996147 cache=1.2MiB(12886txo)
2020-04-16T06:50:25Z UpdateTip: new best=000000000000000000045ca57680cf9225d23b616cf008a28de8b1b302bc3e1e height=625196 version=0x20400000 log2_work=91.842733 tx=519494722 date='2020-04-09T23:22:53Z' progress=0.996147 cache=2.0MiB(20931txo)
2020-04-16T06:51:10Z