Topic: I GOT HACKED AND LOST 1 MILLION - page 5. (Read 25057 times)

The hacker(s) probably provided fake info to Github when signed up, but perhaps IP addresses might be helpful.

Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges.
I checked the wallet with several AV's and scans before trying anything and I also monitored the network activity while running it, I didn't found anything suspicious.
The next day I was trading on Kraken, went for the dinner (I left it open, coz I believed it was a fast one...!), they noticed my absence and used the session.
The same day I monetized most of the crypto in that account and transferred everything to the bank, I have been very lucky or I would have lost a much bigger amount, they still managed to get the equivalent of 1.7BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing to the email to confirm the address and the withdrawn;
- They promptly deleted the above emails (or I would have figured it on my mobile), I found them later in my trash folder;

Then I started to investigate the vector. Whenever I was confident that it was the wallet.. I was almost sure after have read this thread, that I found by searching the IP address used for the hack.
I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158
The odd part is: even by knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure why the virus/trojan wasn't caught in the first instance) failed. For the AV's (AVG, Avira, etc.) everything was fine, Antimalware found nothing.
Even by looking at the compromised app (notepad) everything appeared legit (and signed by Microsoft).
It's still unknown to me what kind of exploit or obfuscation they used, neither I know which kind or RD app they used (however this isn't much relevant).

Again, I was very lucky to have moved the money away from it, they must have noticed me moving the funds away and "risked" their move being worried that I would have emptied the whole thing, after all 1.7BTC is better than nothing for a robber!

It leaves another company to contact for information. See https://github.com/contact/report-abuse

Github may be more willing to give more information regarding the wallet repo & the account it's under.

Check the table above. Kraken, Binance are exchanges, DASHQt is a local full wallet, Exodus is a SPV wallet, ...

they must have obfuscated the code.. only after the hack their signature was added to virus total db and such.. the probablity that other people got hacked from this same wallet is high!

Hope you don't leave crypto after this.. as other member said, you are healthy and still can make money!

this is so bad news, but where you had this altcoins? on exchange? or which wallet?

this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

OP I feel for you, my heart goes out to you.

Please try & stay calm as possible, you have lost money but you’re still alive & healthy. You can make money again in other ways in the future. Don’t do anything stupid.






I’ve seen similar things happen to a few others, it’ll be from trying to claim those shitcoin’s. Guys, let this be a lesson to all of you, please do not risk your bitcoin’s chasing forks. If you have to then send all your bitcoin’s to another computer or a hardware wallet.

NEVER download weird wallets on the same system you keep your bitcoin’s on.

Sorry about what happened to you. This really hurts so much even for me to see someone loose their hard earned money.
I tried to do some small digging as to what may have led to you loosing all you coins and the fact is that BTC D wallet you download was the malware:

According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe). You definitely downloaded a Fake Electrum BCD wallet.

Genuine BCD wallet App - Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe
Fake/Hacker's BCD Wallet App - Electrum-BCD-3.1.2-portable.exe

It's now clear that you downloaded the app from the hacker's website; https://www.electrumdiamond.org/ instead of downloading from the official website of Bitcoin Diamond; https://www.bitcoindiamond.org/ [http://btcd.io]
Fake Bitcoin diamond's Certificate has even expired since 12/6/2018

I also noted that the Github user ElectrumBTCD from whom you downloaded the wallet file joined Github only 22 days ago and has only one repository. This is a complete redflag



Finally i decided to scan the said wallet on virus total;
https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection



My conclusion is this is the malware that got you funds stolen, whoever is behind it has your funds. Am not so technical in tracing people using ip addresses so i will just leave these here in hope that the info might help someone who is able to track back to the evil hacker or hackers.

I'm sorry to hear this OP.  Did you by chance download your BTCD wallet from electrumdiamond dot com?

In May of this year (2018), I too was hacked by this malware wallet.  :-(

DM, if you would like to discuss.

there was another case in 2011:      https://bitcointalksearch.org/topic/i-just-got-hacked-any-help-is-welcome-25000-btc-stolen-16457

back then they were not able to identify the hacker. This time there are some more traces and at least one responsible company who hosted the computer which was used for the hack.

I think that police international investigation is the best chance for you, and no matter how well-hidden hacker traces are - if there is a will and determination the hackers can be found. At the present time even most careful hacker leave some digital footprint, so I'm therefore confident that something will be discovered.

Did you maybe try to get out to the public (except forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or you case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.

I understand regarding monitoring stolen coins, it is good that you give them in public - maybe someone find some trace.

Based on the amount of outputs, I wouldn't be surprised if they mixed them to be completely honest.

That's a hard road to follow, I'd say your best piece of information at this point would be the attempted Gmail access by far (ie: the ip address you have)

ok thanks - I will

yes right - the case is now in the hands of the police. I trust in them that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.


I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.

The IP was released by Ripe, have you tried emailing their Abuse email address: [email protected]

I'm sorry for your loss.

The of dash was sent in a lot of addresses but the last tx in chain of 8,147.263 Dash  are in this address
https://chainz.cryptoid.info/dash/address.dws?Xus9DmMmcL5K6N2vQwuB7fHZms2XhAVvEC.htm

I will search for all coins later.  Maybe someone can contact exchange to ask if this address belongs to an exchange

I was thinking that surely someone couldn't be dumb enough to use their own IP for a hacking attempt. I know people are dumb but that'd be a new level...

It's likely it's owned by a vpn or someone providing a hidden service such as tor or open vpn also (less lists will be kept of these too).

Sorry to hear that but putting all crypto in one platform is not recommended.
Personally I have several wallet where I store the fund so I'm not experience too much loss if got hacked/loss

Please ask www.vpn.ac provider as they might own the range as its known that 46.166.161.227 is their VPN server in Siauliai. (and the hackers IP is 46.166.160.158)