Topic: I GOT HACKED AND LOST 1 MILLION - page 5. (Read 25034 times)
Just checking back, this story genuinely saddens me, like genuinely. OP again, I am so sorry for your loss.
Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
It leaves another company to contact for information. See https://github.com/contact/report-abuse
Github may be more willing to give more information regarding the wallet repo & the account it's under.
The hacker(s) probably provided fake info to Github when signed up, but perhaps IP addresses might be helpful.
Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges.
I checked the wallet with several AV's and scans before trying anything and I also monitored the network activity while running it, I didn't found anything suspicious.
The next day I was trading on Kraken, went for the dinner (I left it open, coz I believed it was a fast one...!), they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank, I have been very lucky or I would have lost a much bigger amount, they still managed to get the equivalent of 1.7BTC before I returned.
- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing to the email to confirm the address and the withdrawn;
- They promptly deleted the above emails (or I would have figured it on my mobile), I found them later in my trash folder;
Then I started to investigate the vector. Whenever I was confident that it was the wallet.. I was almost sure after have read this thread, that I found by searching the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even by knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure why the virus/trojan wasn't caught in the first instance) failed. For the AV's (AVG, Avira, etc.) everything was fine, Antimalware found nothing.
Even by looking at the compromised app (notepad) everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, neither I know which kind or RD app they used (however this isn't much relevant).
Again, I was very lucky to have moved the money away from it, they must have noticed me moving the funds away and "risked" their move being worried that I would have emptied the whole thing, after all 1.7BTC is better than nothing for a robber!
I checked the wallet with several AV's and scans before trying anything and I also monitored the network activity while running it, I didn't found anything suspicious.
The next day I was trading on Kraken, went for the dinner (I left it open, coz I believed it was a fast one...!), they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank, I have been very lucky or I would have lost a much bigger amount, they still managed to get the equivalent of 1.7BTC before I returned.
- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing to the email to confirm the address and the withdrawn;
- They promptly deleted the above emails (or I would have figured it on my mobile), I found them later in my trash folder;
Then I started to investigate the vector. Whenever I was confident that it was the wallet.. I was almost sure after have read this thread, that I found by searching the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even by knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure why the virus/trojan wasn't caught in the first instance) failed. For the AV's (AVG, Avira, etc.) everything was fine, Antimalware found nothing.
Even by looking at the compromised app (notepad) everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, neither I know which kind or RD app they used (however this isn't much relevant).
Again, I was very lucky to have moved the money away from it, they must have noticed me moving the funds away and "risked" their move being worried that I would have emptied the whole thing, after all 1.7BTC is better than nothing for a robber!
Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
It leaves another company to contact for information. See https://github.com/contact/report-abuse
Github may be more willing to give more information regarding the wallet repo & the account it's under.
OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.
The coins were held in these locations (order corresponding to the list in my first posting):
Currency Place
DASH Qt-Wallet on Laptop
BCH ElectronCash on Laptop
BTC Binance.com
BTC Kraken.com
NEM Simplewallet on Laptop
BURST Desktop wallet on Laptop
BTC Exodus wallet on Laptop
OmiseGo Exodus wallet on Laptop
LTC Exodus wallet on Laptop
BCH Exodus wallet on Laptop
DASH Exodus wallet on Laptop
Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum version for their blockchains.
I used the same long password for different things - especially my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - the one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)
this is so bad news, but where you had this altcoins? on exchange? or which wallet? Check the table above. Kraken, Binance are exchanges, DASHQt is a local full wallet, Exodus is a SPV wallet, ...
Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection
https://i.imgur.com/w4z1Dz2.png
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
they must have obfuscated the code.. only after the hack their signature was added to virus total db and such.. the probablity that other people got hacked from this same wallet is high!
Hope you don't leave crypto after this.. as other member said, you are healthy and still can make money!
OMG! That's enormous!, sorry for your loss, it would be of great help if you could elaborate where coins where held, is it a multi wallet(If Yes, which wallet ?) how it happen or what you could think have happened ? A malware installation, phishing site and or anything that is more specific.
The coins were held in these locations (order corresponding to the list in my first posting):
Currency Place
DASH Qt-Wallet on Laptop
BCH ElectronCash on Laptop
BTC Binance.com
BTC Kraken.com
NEM Simplewallet on Laptop
BURST Desktop wallet on Laptop
BTC Exodus wallet on Laptop
OmiseGo Exodus wallet on Laptop
LTC Exodus wallet on Laptop
BCH Exodus wallet on Laptop
DASH Exodus wallet on Laptop
Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD. Both with the Electrum version for their blockchains.
I used the same long password for different things - especially my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT - that was it - the one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
(there is no need to discuss the stupidity of using Win10, same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system)
this is so bad news, but where you had this altcoins? on exchange? or which wallet? Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.
OP I feel for you, my heart goes out to you.
Please try & stay calm as possible, you have lost money but you’re still alive & healthy. You can make money again in other ways in the future. Don’t do anything stupid.
I’ve seen similar things happen to a few others, it’ll be from trying to claim those shitcoin’s. Guys, let this be a lesson to all of you, please do not risk your bitcoin’s chasing forks. If you have to then send all your bitcoin’s to another computer or a hardware wallet.
NEVER download weird wallets on the same system you keep your bitcoin’s on.
Please try & stay calm as possible, you have lost money but you’re still alive & healthy. You can make money again in other ways in the future. Don’t do anything stupid.
I’ve seen similar things happen to a few others, it’ll be from trying to claim those shitcoin’s. Guys, let this be a lesson to all of you, please do not risk your bitcoin’s chasing forks. If you have to then send all your bitcoin’s to another computer or a hardware wallet.
NEVER download weird wallets on the same system you keep your bitcoin’s on.
Sorry about what happened to you. This really hurts so much even for me to see someone loose their hard earned money.
I tried to do some small digging as to what may have led to you loosing all you coins and the fact is that BTC D wallet you download was the malware:
According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe). You definitely downloaded a Fake Electrum BCD wallet.
Genuine BCD wallet App - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe
Fake/Hacker's BCD Wallet App - Electrum-BCD-3.1.2-portable.exe
It's now clear that you downloaded the app from the hacker's website; https://www.electrumdiamond.org/ instead of downloading from the official website of Bitcoin Diamond; https://www.bitcoindiamond.org/ [http://btcd.io]
Fake Bitcoin diamond's Certificate has even expired since 12/6/2018
I also noted that the Github user ElectrumBTCD from whom you downloaded the wallet file joined Github only 22 days ago and has only one repository. This is a complete redflag
Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection
My conclusion is this is the malware that got you funds stolen, whoever is behind it has your funds. Am not so technical in tracing people using ip addresses so i will just leave these here in hope that the info might help someone who is able to track back to the evil hacker or hackers.
I tried to do some small digging as to what may have led to you loosing all you coins and the fact is that BTC D wallet you download was the malware:
According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe). You definitely downloaded a Fake Electrum BCD wallet.
Genuine BCD wallet App - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe
Fake/Hacker's BCD Wallet App - Electrum-BCD-3.1.2-portable.exe
It's now clear that you downloaded the app from the hacker's website; https://www.electrumdiamond.org/ instead of downloading from the official website of Bitcoin Diamond; https://www.bitcoindiamond.org/ [http://btcd.io]
Fake Bitcoin diamond's Certificate has even expired since 12/6/2018
I also noted that the Github user ElectrumBTCD from whom you downloaded the wallet file joined Github only 22 days ago and has only one repository. This is a complete redflag
Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection
My conclusion is this is the malware that got you funds stolen, whoever is behind it has your funds. Am not so technical in tracing people using ip addresses so i will just leave these here in hope that the info might help someone who is able to track back to the evil hacker or hackers.
I'm sorry to hear this OP. Did you by chance download your BTCD wallet from electrumdiamond dot com?
In May of this year (2018), I too was hacked by this malware wallet. :-(
DM, if you would like to discuss.
In May of this year (2018), I too was hacked by this malware wallet. :-(
DM, if you would like to discuss.
...
I think that police international investigation is the best chance for you, and no matter how well-hidden hacker traces are - if there is a will and determination the hackers can be found. At the present time even most careful hacker leave some digital footprint, so I'm therefore confident that something will be discovered.
Did you maybe try to get out to the public (except forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or you case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.
I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.
I think that police international investigation is the best chance for you, and no matter how well-hidden hacker traces are - if there is a will and determination the hackers can be found. At the present time even most careful hacker leave some digital footprint, so I'm therefore confident that something will be discovered.
Did you maybe try to get out to the public (except forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or you case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.
I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.
there was another case in 2011: https://bitcointalksearch.org/topic/i-just-got-hacked-any-help-is-welcome-25000-btc-stolen-16457
back then they were not able to identify the hacker. This time there are some more traces and at least one responsible company who hosted the computer which was used for the hack.
...
So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action.
Lithuania is also member country of Interpol, maybe they can do something to help you track hackers.
So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action.
Lithuania is also member country of Interpol, maybe they can do something to help you track hackers.
yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.
I'm interested did you trying to track stolen coins on block expolorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.
I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.
I think that police international investigation is the best chance for you, and no matter how well-hidden hacker traces are - if there is a will and determination the hackers can be found. At the present time even most careful hacker leave some digital footprint, so I'm therefore confident that something will be discovered.
Did you maybe try to get out to the public (except forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or you case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.
I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.
...
So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action.
Lithuania is also member country of Interpol, maybe they can do something to help you track hackers.
So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action.
Lithuania is also member country of Interpol, maybe they can do something to help you track hackers.
yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.
I'm interested did you trying to track stolen coins on block expolorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.
I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.
Based on the amount of outputs, I wouldn't be surprised if they mixed them to be completely honest.
That's a hard road to follow, I'd say your best piece of information at this point would be the attempted Gmail access by far (ie: the ip address you have)
The IP was released by Ripe, have you tried emailing their Abuse email address: [email protected]
ok thanks - I will
...
So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action.
Lithuania is also member country of Interpol, maybe they can do something to help you track hackers.
So it's your best chance to do something to report you case directly to Lithuania police, in a way to get some good lawyer maybe. Lithuania is also member of EU, so if you are also from EU there may be some legal mechanisms through which you could also take legal action.
Lithuania is also member country of Interpol, maybe they can do something to help you track hackers.
yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.
I'm interested did you trying to track stolen coins on block expolorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.
I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.
The IP was released by Ripe, have you tried emailing their Abuse email address: [email protected]
I'm sorry for your loss.
The of dash was sent in a lot of addresses but the last tx in chain of 8,147.263 Dash are in this address
https://chainz.cryptoid.info/dash/address.dws?Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC.htm
I will search for all coins later. Maybe someone can contact exchange to ask if this address belongs to an exchange
The of dash was sent in a lot of addresses but the last tx in chain of 8,147.263 Dash are in this address
Code:
Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC
I will search for all coins later. Maybe someone can contact exchange to ask if this address belongs to an exchange
Please ask www.vpn.ac provider as they might own the range as its known that 46.166.161.227 is their VPN server in Siauliai. (and the hackers IP is 46.166.160.158)
I was thinking that surely someone couldn't be dumb enough to use their own IP for a hacking attempt. I know people are dumb but that'd be a new level...
It's likely it's owned by a vpn or someone providing a hidden service such as tor or open vpn also (less lists will be kept of these too).
Sorry to hear that but putting all crypto in one platform is not recommended.
Personally I have several wallet where I store the fund so I'm not experience too much loss if got hacked/loss
Personally I have several wallet where I store the fund so I'm not experience too much loss if got hacked/loss
Jump to: