Topic: I GOT HACKED AND LOST 1 MILLION - page 7. (Read 25034 times)

I'm sorry for your loss, this was an expensive paid price of your negligence + extremely poor attitude to safety. As you have noticed, for part of the stolen coins are very likely responsible BCD and BTCP fake wallets - when you put your seed there, all BTC and BCH (if they shared same seed) are very easily stolen.

If you think you've been targeted attacked, ask yourself who all know you had that kind of coins in your possession ? Family, friends, acquaintances, girlfriend...

In any case you should all report to the police, this is big money and you do not have to reconcile that it's all over and money lost. Too bad that you did not use HW before, when it is obvious that you have it in possession.

hm yes - if that is the case then my system is still open like anything - at least meanwhile I installed  https://www.spyshelter.com  to see if anything dubious is going on - but probably I will have to change to a newly setup system - at least remaining cryptos are on a ledger now and 2FA backup codes are on paper only

Oh damn. I'm not saying that it's the reason why you got hacked, but that app looks not-so-trustworthy in my opinion. How did you end up with that password manager? There are a few decent ones that should've ranked higher on Google Play Store.

They may have connected before the hack and just been sitting waiting though if there is entry for the 4th I would assume that indeed was the attackers connecting unless you use RDP yourself.
I think the RDP logs only show the initial connection from the peer to host.


edit :  after thought possibly they connected with RDP first them infected you with some other type or RAT or malware from the RDP connection.  Is also highly possible.

Meanwhile I checked the RDP logs on my system in   
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The setting of RDP is turned off

I think they started their job right in the moment when I started the BCD client. That must have been around midnight. Google closed my account at 03:16 due to unusual activity. That time they already hacked my kraken account for which Email + 2FA is necessary. Later obviously they just removed their traces which Google recognized.

done

Very valueable remarks - thank you

I also strongly believe the hackers were a organized group. From starting the likely infected BCD wallet to the point where they literally knew everything over my system and infrastructure was just minutes. And they need to find the password safe files and a matching program to read it - which is now only available under Android. Finally they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH which I did meanwhile. So they came very quick, executed their damaging work and left a desaster for me

With all the forks going on I am surprised we don't see more horror stories like this one every time I see a coin now that says 1:1 claim I become very wary.
Looking at the time stamps it seems they possibly recon this before they did the move so they might have had a good bit of time in your system to be able to strike over all those platforms in a short space of time.

I would agree this is not likely to be a loan wolf hacker or script kiddie if they went to the trouble of running via a vps then onto your system,

First hand I would be changing the RDP port on your machine.

The port setting for Remote Desktop Services is found in the Windows Registry. In order to change this setting we will need to change the Port Number value in the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Changing the port will stop them re-connecting to your machine in the short term.
I would also check your settings in windows control panel then go to remote desktop and turn it off (on by default)

You could also run netstat with some additional flags to see if there are any processes running on the machine that have established connections.
Or run TCPView and see if there is anything showing here that might give you a clue to how they penetrated your system.

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

I was not away - they did it very quickly and I could literally see how they drained my wallets. 

the links were these:
BTCP  from   https://github.com/BTCPrivate/electrum-btcp/releases
BCD    I do not remember the source but from my download history the version is    Electrum-BCD-3.1.2-portable.exe

most likely the BCD wallet was the culprit

It was Safe+ :  https://tinyurl.com/ycmetl2n
I was just in the  process of changing to Keypass because the developer of Safe+ seems to have abondanded his work. But it did a good job so far and I think this is very likely not the hacker.

My ears burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts quickly while you were away.

As you said, no use to harp on your poor security behaviours. But let me tell you this, you have to all but give up on recovering any of the funds lost out of your wallets and exchanges. If those spends have all been confirmed, the best you can do now is try and track the receiving addresses and see if they belong to exchanges - that's where I'd liquidate stolen funds asap. Probably all gone either, but if you somehow identify the exchanges and they can act quick enough, funds can be frozen there and returned later, but be prepared to be able to prove ownership of originating wallets.

There's been precedent, and Shapeshift themselves have also been known to assist, but of course for figures far higher. $1m is a lot though.

I am sorry to hear about your loss.

But.. storing all of your money on your every-day-machine and on online services basically asks for being robbed.

You should have AT LEAST had a dedicated machine only for storing cryptos.
A proper offline-wallet / watch-only wallet setup or a hardware wallet would have been favorable.

Take it as a lesson and first work on your mindset regarding security before storing any cryptos again.
In the end.. owning cryptos means knowing a secret. Keeping this secret safe is the only way to keep your coins safe.

Are you sure that the Electrum versions were official ones? Could you link to the ones you used.
Sometimes they aren't made by the devs of the coins.

Hey. Really unfortunate on what happened to you. Hopefully this would be a lesson for you(an expensive lesson, that is). Please get a hardware wallet immediately if you're planning on re-buying cryptocurrencies.

Take note that while this is definitely a huge loss, remember that it's really not over for you. Money can be made back. Best of luck.

Can you please give us more information on this? What do you mean by "password safe"? Was it a mere .txt file? Or were you using a password manager? If so, what password manager specifically?

You have to send an email detailing the whole issue to their abuse contact gotten from the domaintools search and maybe if they're reliable, they will try and help you out.

I did a look up. That IP originates from Lithuania; the ISP is UAB Cherry Servers with Azure configured as the name server and Cherry Servers are providers of Cloud Hosting Services so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because from Cherry Servers pricing page, their services are quite expensive and I am not sure someone other than a well connected group could afford it.

I also tried pinging but no response but reports open ports 3389: ms-wbt-server and 7070: ssl/realserver which confirms that the attacker is running a Windows OS and uses RDP for his trade.

I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online but without login creds, i can't do much. Maybe someone with advanced pentesting skills could take it up from here let's put an end to all these criminality.

Can you edit your op and not include url shorterners? It's not a great idea to use them especially if you've just said your computer has been compromised.

I think you should probably try to reevaluate what you have been using that computer for recently. Clearly something has got on it somehow and one million us dollars is quite a sum to lose. I'd suggest you consider getting an airgapped wallet $2000 on two computers isn't a very big amount to keep your security high by making one airgapped and encrypting it as much as possible.

Binance and Kraken was easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid.

Google was the only company which detected abnormal behaviour patterns and disabled the account very quickly - I was able to unlock it with a trusted telephone device. Kraken setup a new withdraw address (the one I listed above) on command from the hacker - but disabled the account after I sent them my report on the hacking after I changed pw and 2FA already. Binance basically did not even reply on my report so far. I changed passwords and 2FA codes for all accounts and need to set new passwords for a list of 100 or so services.