Topic: I think I am hacked but can't figure out what happened (solved, TIL change) (Read 1047 times)

legendary
Activity: 1639
Merit: 1006
On blockchain.info there is a setting that controls how your change gets handled.  Please be careful as your change may also go to an address that is only on the blockchain.info wallet (and not your local wallet) depending on your settings.  I must say the process you are using seems quite complex and I'd be worried of accidental mistakes using this process.  I'd also stick with keeping my private keys on my pc, if at all possible (and not pasting them on a website).




Well to be clear, here is how I have managed my bitcoin for about 9 months:

1. I printed a paper wallet
2. I made that public key a watch key on Blockchain.info. I typed in my private key into a password protection service that I pay a yearly fee to use. I put my printed wallet somewhere safe.
3. Whenever I wanted to spend that bitcoin I would copy the private key from password service into blockchain.info and then would replace my computer's clipboard with something else. Doing this has never changed my watch address to an address that blockchain.info owns the private key, and it has never created a problem with change until I used my bitcoin-qt wallet the other day for a payment.

I only recently imported that private key into my bitcoin client and I cannot remember why I did that, but it has made me very uncomfortable frankly.

What I described above has always made me feel very safe regarding my coins. What about the process is complicated?

Why do you print a paper wallet if you are going to store the private key online anyway?

Are you using the sweep option in bc.i or the import option? If you are using the sweep option then it sends all the bitcoins in your paper wallet to another address in your bc.i wallet.

Every wallet deals with change. Some send it back to one of the input addresses. Some to a dedicated change address. And some to another address in your wallet. We use wallets instead of raw addresses because wallets handle change for us. But if you then start to look up raw addresses you will be confused and start to panic.

Yes, I was confused and panicked.

I print the wallet because it is kept away from my house and is in a sense a disaster recovery option. I will never trust my laptop completely for anything as I have had too many failures of every type imaginable. I do not trust bitcoin services frankly. I use a simple password protection app because it is the most trusted digital protection I know about.

legendary
Activity: 3682
Merit: 1580
On blockchain.info there is a setting that controls how your change gets handled.  Please be careful as your change may also go to an address that is only on the blockchain.info wallet (and not your local wallet) depending on your settings.  I must say the process you are using seems quite complex and I'd be worried of accidental mistakes using this process.  I'd also stick with keeping my private keys on my pc, if at all possible (and not pasting them on a website).




Well to be clear, here is how I have managed my bitcoin for about 9 months:

1. I printed a paper wallet
2. I made that public key a watch key on Blockchain.info. I typed in my private key into a password protection service that I pay a yearly fee to use. I put my printed wallet somewhere safe.
3. Whenever I wanted to spend that bitcoin I would copy the private key from password service into blockchain.info and then would replace my computer's clipboard with something else. Doing this has never changed my watch address to an address that blockchain.info owns the private key, and it has never created a problem with change until I used my bitcoin-qt wallet the other day for a payment.

I only recently imported that private key into my bitcoin client and I cannot remember why I did that, but it has made me very uncomfortable frankly.

What I described above has always made me feel very safe regarding my coins. What about the process is complicated?

Why do you print a paper wallet if you are going to store the private key online anyway?

Are you using the sweep option in bc.i or the import option? If you are using the sweep option then it sends all the bitcoins in your paper wallet to another address in your bc.i wallet.

Every wallet deals with change. Some send it back to one of the input addresses. Some to a dedicated change address. And some to another address in your wallet. We use wallets instead of raw addresses because wallets handle change for us. But if you then start to look up raw addresses you will be confused and start to panic.
legendary
Activity: 1639
Merit: 1006
On blockchain.info there is a setting that controls how your change gets handled.  Please be careful as your change may also go to an address that is only on the blockchain.info wallet (and not your local wallet) depending on your settings.  I must say the process you are using seems quite complex and I'd be worried of accidental mistakes using this process.  I'd also stick with keeping my private keys on my pc, if at all possible (and not pasting them on a website).




Well to be clear, here is how I have managed my bitcoin for about 9 months:

1. I printed a paper wallet
2. I made that public key a watch key on Blockchain.info. I typed in my private key into a password protection service that I pay a yearly fee to use. I put my printed wallet somewhere safe.
3. Whenever I wanted to spend that bitcoin I would copy the private key from password service into blockchain.info and then would replace my computer's clipboard with something else. Doing this has never changed my watch address to an address that blockchain.info owns the private key, and it has never created a problem with change until I used my bitcoin-qt wallet the other day for a payment.

I only recently imported that private key into my bitcoin client and I cannot remember why I did that, but it has made me very uncomfortable frankly.

What I described above has always made me feel very safe regarding my coins. What about the process is complicated?
sr. member
Activity: 362
Merit: 262
On blockchain.info there is a setting that controls how your change gets handled.  Please be careful as your change may also go to an address that is only on the blockchain.info wallet (and not your local wallet) depending on your settings.  I must say the process you are using seems quite complex and I'd be worried of accidental mistakes using this process.  I'd also stick with keeping my private keys on my pc, if at all possible (and not pasting them on a website).


legendary
Activity: 3472
Merit: 4801
Wow you guys are great, the Bitcoin client finished updating and everything seems to be exactly as you both described. 

It was very unsettling that my main address balance was smaller than expected. So many things I don't know about this protocol.

Can you explain this to me: I actually keep my main address as a watch-only address on Blockchain.info. I have made MANY payments using blockchain.info where I simply paste in my private key when I want to use Bitcoin from that address. I typically do not use my laptop Bitcoin-QT client for payments.  In this type of case, when I use Blockchain.info where does my Change go?? I have never before observed my main address balance shrink more than my payment....

The protocol allows the wallet designer to decide how they want their wallet to handle change.

The Bitcoin Core wallet uses a brand new address for change every time you send a transaction.

I'm not certain which, but Blockchain.info either sends the change back to your primary "receiving" address, or to one of the addresses that previously received the particular outputs you are spending.

Regardless of how the wallet handles change, it must be handled.  If a transaction does not send the excess value back into the wallet somehow, then the entire excess value from the sum of the outputs being spent becomes transaction fees for the miner that confirms the transaction.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
-snip-
Wow you guys are great, the Bitcoin client finished updating and everything seems to be exactly as you both described. 

It was very unsettling that my main address balance was smaller than expected. So many things I don't know about this protocol.

Can you explain this to me: I actually keep my main address as a watch-only address on Blockchain.info. I have made MANY payments using blockchain.info where I simply paste in my private key when I want to use Bitcoin from that address. I typically do not use my laptop Bitcoin-QT client for payments.  In this type of case, when I use Blockchain.info where does my Change go??

AFAIK blockchain.info sends it back to the same address it came from.
E.g. this one [1] was most likely done via blockchain.info. As you can see you send 7.7397 back to the address the coins came from.

Btw: since you imported your private key to bc.i it's no longer a watch only address, only they have a way to wipe the key after you use it.


[1] https://blockchain.info/tx/1f12787fe34da6cbd3913abb6e716432c980aab55888ebce34453ad4644dea74
legendary
Activity: 1639
Merit: 1006
I own 1Ahmrza4Zg1BAQGKeDCrLsSiWxNGHuysku

I sent 2 BTC to the address 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM, which is an exchange.

I have no idea what the other 5+ BTC is or how it got in this txn....

Sorry, I thought you were saying you received 2 BTC.  Didn't realize that you were sending 2 BTC.

As shorena has pointed out, Bitcoin Core has MANY addresses that it keeps hidden from you.  The addresses that you see are just your "receiving" addresses.  In other words, they are the addresses that you requested so that you can give them out to other people to send bitcoins to you.

Since any received output must be spent in its entirety, the wallet needs to send the change back into the wallet whenever you are sending an amount that only partially uses a previously received output.  The wallet keeps these change addresses hidden from you and stores them in your wallet.dat file so they are backed up when you back up your wallet.

Since the wallet knows about these hidden addresses, it is still able to display the correct "balance" for the entire wallet.

If you're curious, you can see a list of all unspent outputs that you have received and the address where the wallet received the output if you enter

Code:
listunspent

in the "Console" of the "Debug Window" under the "Help" menu.

You can learn more about how bitcoin handles change here:
https://en.bitcoin.it/wiki/Change


Wow you guys are great, the Bitcoin client finished updating and everything seems to be exactly as you both described. 

It was very unsettling that my main address balance was smaller than expected. So many things I don't know about this protocol.

Can you explain this to me: I actually keep my main address as a watch-only address on Blockchain.info. I have made MANY payments using blockchain.info where I simply paste in my private key when I want to use Bitcoin from that address. I typically do not use my laptop Bitcoin-QT client for payments.  In this type of case, when I use Blockchain.info where does my Change go?? I have never before observed my main address balance shrink more than my payment....

legendary
Activity: 3472
Merit: 4801
I own 1Ahmrza4Zg1BAQGKeDCrLsSiWxNGHuysku

I sent 2 BTC to the address 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM, which is an exchange.

I have no idea what the other 5+ BTC is or how it got in this txn....

Sorry, I thought you were saying you received 2 BTC.  Didn't realize that you were sending 2 BTC.

As shorena has pointed out, Bitcoin Core has MANY addresses that it keeps hidden from you.  The addresses that you see are just your "receiving" addresses.  In other words, they are the addresses that you requested so that you can give them out to other people to send bitcoins to you.

Since any received output must be spent in its entirety, the wallet needs to send the change back into the wallet whenever you are sending an amount that only partially uses a previously received output.  The wallet keeps these change addresses hidden from you and stores them in your wallet.dat file so they are backed up when you back up your wallet.

Since the wallet knows about these hidden addresses, it is still able to display the correct "balance" for the entire wallet.

If you're curious, you can see a list of all unspent outputs that you have received and the address where the wallet received the output if you enter

Code:
listunspent

in the "Console" of the "Debug Window" under the "Help" menu.

You can learn more about how bitcoin handles change here:
https://en.bitcoin.it/wiki/Change
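
The reconciliation the replies in this thread walk through, as an added example that is not part of any post: every output of a spend is classified as payment, change to an address the wallet owns, or unexplained, and whatever is left over is the miner fee. The helper names `sats`, `owned_addresses` and `reconcile` are hypothetical, and the `listunspent` sample is constructed and trimmed to three fields.

```python
import json
from decimal import Decimal

def sats(btc):
    """BTC amount -> integer satoshis, avoiding float rounding."""
    return int(Decimal(str(btc)) * 100_000_000)

def owned_addresses(listunspent_json):
    """Addresses the wallet holds unspent outputs on, hidden change included."""
    return {u["address"] for u in json.loads(listunspent_json, parse_float=Decimal)}

def reconcile(tx, owned, payee):
    """Classify each output of a spend as payment, change or unexplained."""
    total_in = sum(sats(i["amount"]) for i in tx["inputs"])
    total_out = sum(sats(o["amount"]) for o in tx["outputs"])
    if total_out > total_in:
        raise ValueError("outputs exceed inputs")
    # Value not assigned to any output is collected by the miner as fee.
    report = {"payment": 0, "change": 0, "unexplained": [],
              "fee": total_in - total_out}
    for o in tx["outputs"]:
        if o["address"] == payee:
            report["payment"] += sats(o["amount"])
        elif o["address"] in owned:
            report["change"] += sats(o["amount"])
        else:
            report["unexplained"].append(o["address"])
    return report

PAYEE = "1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM"
# The spend as described in the thread (amounts in BTC).
TX = {
    "inputs": [{"address": "1Ahmrza4Zg1BAQGKeDCrLsSiWxNGHuysku", "amount": "7.7397"}],
    "outputs": [
        {"address": PAYEE, "amount": "2"},
        {"address": "1KBYU5bdt8ngYCNV4FXuNqESv8V3is5ms3", "amount": "5.739699"},
    ],
}
# Constructed `listunspent` output, trimmed to the fields used here.
LISTUNSPENT = """[{
  "txid": "91025e08289b5ed1cab337ac5c469c1836694967b29e99e81e0850ea5669a1c3",
  "address": "1KBYU5bdt8ngYCNV4FXuNqESv8V3is5ms3",
  "amount": 5.739699
}]"""

if __name__ == "__main__":
    # Wallet view: the second output is recognised as change.
    print(reconcile(TX, owned_addresses(LISTUNSPENT), PAYEE))
    # Single-address view: the same output looks unexplained.
    print(reconcile(TX, set(), PAYEE))
```

An address that lands in `unexplained` only when the owned set is incomplete is the situation the original poster hit: looking up one address on a block explorer hides the wallet's change addresses.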
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
I own 1Ahmrza4Zg1BAQGKeDCrLsSiWxNGHuysku

I sent 2 BTC to the address 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM, which is an exchange.

I have no idea what the other 5+ BTC is or how it got in this txn....

Are you sure that you do not also "own" 1KBYU5bdt8ngYCNV4FXuNqESv8V3is5ms3 as that would make it one of your change addresses. It's not possible (under normal circumstances) to change transactions that have already been broadcast. So if you indeed broadcast that you want to spend 2 BTC to 1JEX from 1Ahmr it makes sense that 1KBYU is your change address.

Does the "balance" on your bitcoin qt still make sense? If it was only reduced by 2 BTC turn "Coin Control" on to see possible inputs under "send". You should find the 5.7... BTC there.

Edit:

-snip-
what does this mean:

"They paid a 0.000001 BTC transaction fee, and the remaining 5.739699 BTC was sent as change back into their own wallet at address 1KBYU5bdt8ngYCNV4FXuNqESv8V3is5ms3"

That address is not mine and I do not know anything about it.

Bitcoin core/qt handles change addresses internally. You usually do not have to worry about it. The background is that you have to spend an input entirely. If you have an input of 7 BTC and want to send 2 BTC you will get 5 BTC on a "new" address. It's not actually new, the client manages more addresses than it is showing you.
legendary
Activity: 1639
Merit: 1006
Your address is 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM, correct? If so, then . . .

Where did you get the 2 BTC from?

Whoever sent you the 2 BTC, they have a wallet with the address 1Ahmrza4Zg1BAQGKeDCrLsSiWxNGHuysku

Their wallet had received a 7.7397 BTC output on 2014-05-30 at 13:57:03 UTC with transaction 1f12787fe34da6cbd3913abb6e716432c980aab55888ebce34453ad4644dea74

They then spent this 7.7397 BTC output to send you your 2 BTC with transaction 91025e08289b5ed1cab337ac5c469c1836694967b29e99e81e0850ea5669a1c3

They paid a 0.000001 BTC transaction fee, and the remaining 5.739699 BTC was sent as change back into their own wallet at address 1KBYU5bdt8ngYCNV4FXuNqESv8V3is5ms3

If 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM is your address, then it appears that you (or a hacker) created a transaction on 2014-06-28 at 23:45:07 UTC paying a 0.0001 BTC transaction fee and either:

  • sending 0.37718429 BTC to 14ExDTsh7boFwKTBc4Cg2Tr8AJeBLyW7Mb
  • or sending 1.62271571 BTC to 16X9FAYu4vpRR3DKzzKgYmahRETdzwL7z3

If 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM is not your address, then where did you get the 91025e08289b5ed1cab337ac5c469c1836694967b29e99e81e0850ea5669a1c3 transaction ID?

What does this mean:

"They paid a 0.000001 BTC transaction fee, and the remaining 5.739699 BTC was sent as change back into their own wallet at address 1KBYU5bdt8ngYCNV4FXuNqESv8V3is5ms3"

That address is not mine and I do not know anything about it.

legendary
Activity: 1639
Merit: 1006
I own 1Ahmrza4Zg1BAQGKeDCrLsSiWxNGHuysku

I sent 2 BTC to the address 1JEXBpcFMBGDXRVvZedTJnC1DzJA7VrCqM, which is an exchange.

I have no idea what the other 5+ BTC is or how it got in this txn....
legendary
Activity: 1639
Merit: 1006
Maybe someone can tell me how I would even create a single transaction with two large outputs like the one I listed....
legendary
Activity: 1639
Merit: 1006
My local Bitcoin-QT (at the time 9.1 beta) has a single address transaction of 2 Bitcoin. This transaction at the time and for at least a week showed only a 2 Bitcoin transfer.

However, NOW, the block chain says I sent another 5+ bitcoin to another address.... with that Transaction....

My Bitcoin client stopped updating to the network I thought because it was an older version.

Here is the transaction ID 91025e08289b5ed1cab337ac5c469c1836694967b29e99e81e0850ea5669a1c3

How am I exposed here?  What the hell is going on? How is it possible my client wouldn't show the other 5 BTC in my transaction.. It is still updating...

BTW, I am encrypted on my laptop and am using a passphrase in my wallet.