Topic: Is this stolen? (Read 392 times)

HCP
legendary
Activity: 2086
Merit: 4361
August 07, 2020, 05:36:31 PM
#22
Investigating Wasabi because they have dark market funds transferring through them is like investigating Fedex or USPS because they deliver packages sent from dark market.

Hell, using their logic, Europol should probably investigate the electricity companies for providing electricity to dark market computers/servers... and the ISPs for providing them internet access while they're at it.
legendary
Activity: 1624
Merit: 2481
August 07, 2020, 06:09:12 AM
#21
Wasabi is excellent. However, they're under investigation by Europol. Chainalysis did a 3-week investigation for them and according to their findings, 30% of the funds washed come from the dark market. Remember, this is similar to what happened to bestmixer.io before they got shut down.

The thing is, they might be able to shut down wasabi's coordinator server which is managing the CoinJoin, but after all that is a decentralized protocol where no one learns anything about the other participants and no one can link other inputs/outputs together beside the one owning them.
When (if) wasabi finally decides to allow others to run a coordinator server, the whole process is distributed and decentralized. Shutting that down won't be possible since there is no single instance.
newbie
Activity: 6
Merit: 0
August 06, 2020, 02:57:36 PM
#20
They don't market themselves as a mixer, but effectively that's what they offer. Their purpose is to obfuscate funds.

What "they" offer is a privacy-orientated wallet. We have way too few of such wallets implementing new features and improvements.
CoinJoin is a decentralized way to regain some level of anonymity by mixing funds with other participants.

You are free to use your SPV wallet which communicates with a 3rd party server telling them all of your addresses, the amount of BTC you own, all your transactions, your IP address and therefore a relatively precise geo location.
But not everyone has to use such a privacy-invading wallet. And IMO wasabi actually is the best privacy preserving SPV desktop wallet available.


Yes, I agree. The mixer reference is not a negative connotation.

Wasabi is excellent. However, they're under investigation by Europol. Chainalysis did a 3-week investigation for them and according to their findings, 30% of the funds washed come from the dark market. Remember, this is similar to what happened to bestmixer.io before they got shut down.

https://coinjournal.net/news/wasabi-the-bitcoin-mixer-wallet-is-on-europols-radar-for-a-significant-amount-of-dark-web-transactions/ 
legendary
Activity: 1624
Merit: 2481
August 06, 2020, 12:19:53 PM
#19
They don't market themselves as a mixer, but effectively that's what they offer. Their purpose is to obfuscate funds.

What "they" offer is a privacy-orientated wallet. We have way too few of such wallets implementing new features and improvements.
CoinJoin is a decentralized way to regain some level of anonymity by mixing funds with other participants.

You are free to use your SPV wallet which communicates with a 3rd party server telling them all of your addresses, the amount of BTC you own, all your transactions, your IP address and therefore a relatively precise geo location.
But not everyone has to use such a privacy-invading wallet. And IMO wasabi actually is the best privacy preserving SPV desktop wallet available.
newbie
Activity: 6
Merit: 0
August 06, 2020, 12:05:07 PM
#18
Hi all,
just logged into my ledger to see a zero balance. I am not great at reading the blockchain transactions, could someone help?

I have 3 transactions I don't recognise.

First this one with 0.249 btc being transferred to me - https://blockstream.info/tx/a79f7ad72da35ea61731852efe39d3ace74dc7e92323a861581f31f01ddf1578
Second with me transferring 0.01 btc to another address - https://blockstream.info/tx/19af75549cecada158a77614c813361371adbb13e731a9c3ab3dc6ea0ee42fab
Third with me transferring 0.4499 btc to another address - https://blockstream.info/tx/a7cab7007fbee0e06d28e9635d442629ed4f0ec08af00453d56b305d8956387c

does this look like it's been stolen? the third one seems to get split into many different addresses? I'm not sure if I'm reading it right. it's either this or I did the transaction and forgot where I sent it (unlikely). It confuses me why if this were being stolen, they would transfer 0.249 btc to me before stealing the balance

thanks for any help

I'm sorry this happened! I hope you've resolved the issue that led to the theft so it never happens again.

Your funds were sent to the mixer Wasabi wallet bc1qh6h8fxnldvm78gtpm00jjun5suwx2mn2jt7qm2 and commingled with 65 UTXOs--likely other victims. The funds were split into even transaction amounts--0.10791 BTC, with the exception of 1 output of 10.45923 BTC which was sent through the mixer again. There are hundreds of victims from what I can see. The funds are split from there; commingled; and sent to other private wallets and exchanges.

I'm not sure which hardware wallet you are using, but there is a clear exploit happening. You stated you made a mistake, saving the info--but I'd still contact the company and let them know what happened. They can't do anything, but you can raise their awareness and perhaps they can write a blog on how to protect private keys when using their wallet.

They don't market themselves as a mixer, but effectively that's what they offer. Their purpose is to obfuscate funds. And true, not ALL of the addresses are vics.

Ok--not an exploit--using this term liberally. Meaning, malware on OPs mobile exploited a flaw in OPs security.

I found this on Ledger's site: https://support.ledger.com/hc/en-us/articles/360005514233-Secure-your-recovery-phrase-PIN-code They do say never to take a photo of the 24-word recovery phrase. They have an "In the News" section where they highlight relevant information. A blog on security pinned to their front page might be a nice addition--Not everyone hops on forums, not every customer understands security. It's a kindness. Getting information out there is useful to the entire crypto community--we want this to succeed, I assume, and the community to grow. So do these companies. The more visibility/education on scams, fraud, security best practices--the better for all.

I hope this info is useful to you, OP. Again, very sorry this happened. Wishing you the best.
legendary
Activity: 1624
Merit: 2481
August 06, 2020, 11:16:55 AM
#17
Your funds were sent to the mixer Wasabi wallet bc1qh6h8fxnldvm78gtpm00jjun5suwx2mn2jt7qm2 and commingled with 65 UTXOs--likely other victims. The funds were split into even transaction amounts--0.10791 BTC, with the exception of 1 output of 10.45923 BTC which was sent through the mixer again. There are hundreds of victims from what I can see.

Wasabi wallet is not a mixer. It is a wallet implementing Chaumian CoinJoin.
Those other UTXO's you see, don't have to be other victims. This can be anyone queuing for a CoinJoin. There are always ~50+ people queuing for a CoinJoin.



I'm not sure which hardware wallet you are using, but there is a clear exploit happening. You stated you made a mistake, saving the info--but I'd still contact the company and let them know what happened. They can't do anything, but you can raise their awareness and perhaps they can write a blog on how to protect private keys when using their wallet.

It was not an exploit.
As OP has mentioned, the most likely thing that happened was that his mobile got compromised. And since he had a digital backup of his mnemonic code stored there, his funds got too.

Contacting ledger won't help at all. They also don't really need to write a blog on how to protect private keys (rather: the mnemonic code since you don't actively get access to backup the private keys).
There is a lot of information available here on the forum (and on the web) on how to properly store sensitive data like private keys and mnemonic codes.
newbie
Activity: 6
Merit: 0
August 06, 2020, 11:02:28 AM
#16
Hi all,
just logged into my ledger to see a zero balance. I am not great at reading the blockchain transactions, could someone help?

I have 3 transactions I don't recognise.

First this one with 0.249 btc being transferred to me - https://blockstream.info/tx/a79f7ad72da35ea61731852efe39d3ace74dc7e92323a861581f31f01ddf1578
Second with me transferring 0.01 btc to another address - https://blockstream.info/tx/19af75549cecada158a77614c813361371adbb13e731a9c3ab3dc6ea0ee42fab
Third with me transferring 0.4499 btc to another address - https://blockstream.info/tx/a7cab7007fbee0e06d28e9635d442629ed4f0ec08af00453d56b305d8956387c

does this look like it's been stolen? the third one seems to get split into many different addresses? I'm not sure if I'm reading it right. it's either this or I did the transaction and forgot where I sent it (unlikely). It confuses me why if this were being stolen, they would transfer 0.249 btc to me before stealing the balance

thanks for any help

I'm sorry this happened! I hope you've resolved the issue that led to the theft so it never happens again.

Your funds were sent to the mixer Wasabi wallet bc1qh6h8fxnldvm78gtpm00jjun5suwx2mn2jt7qm2 and commingled with 65 UTXOs--likely other victims. The funds were split into even transaction amounts--0.10791 BTC, with the exception of 1 output of 10.45923 BTC which was sent through the mixer again. There are hundreds of victims from what I can see. The funds are split from there; commingled; and sent to other private wallets and exchanges.

I'm not sure which hardware wallet you are using, but there is a clear exploit happening. You stated you made a mistake, saving the info--but I'd still contact the company and let them know what happened. They can't do anything, but you can raise their awareness and perhaps they can write a blog on how to protect private keys when using their wallet.
legendary
Activity: 1624
Merit: 2481
August 06, 2020, 08:25:06 AM
#15
When I first got this ledger, I have now remembered that I saved a photo of the seeds to my secure folder(mistake #1).

That's an important - and unfortunately a costly - lesson to learn. This seems the most plausible explanation.


This is the only way I can see that they have accessed it. I've run anti virus etc on there but it's found nothing.

An AV is not guaranteed to find malware. Most of them are using signatures to find old and already known malware and some behavior analysis which - depending on the AV - can be circumvented by the malware relatively easily or with quite some work only.



ok, thank you for that explanation. I always believed that when you chose your passcode, this effectively became the 25th seed word that is used to generate the private keys....so you need the card of 24 seed words + the secret passcode.

As o_e_l_e_o already mentioned, that exists.
Unfortunately a lot of people are using a lot of different terms for that. It is (and should be called) a passphrase. This passphrase is used as a salt in the key derivation function, resulting in exactly what you have mentioned.




Don't listen to this legendary person, he is TOTALLY WRONG.

You sir, have no clue at all.


Azorult and hydra take screenshots, so whenever you wrote those words down, they might have been snap shot and sent to hackers.

Ye.. you just missed one important thing.. the mnemonic code never ever appears on the PC, neither does it need to be entered there.
So, the next time you want to "correct" someone, take a look here and make use of it.
legendary
Activity: 2268
Merit: 18748
August 06, 2020, 06:29:48 AM
#14
There is such a thing as a passphrase, which essentially becomes a "25th word" as you put it, but it is not the same as the PIN you use to unlock the hardware wallet.

To set up a passphrase on a Ledger, you can either attach it to a secondary PIN so the Ledger device saves it and automatically uses it when you enter your secondary PIN, or you can just use the one PIN and manually enter your passphrase each time you want to use the wallets protected by that passphrase. You can use multiple different passphrases to unlock multiple different wallets, but you can only have one attached to a secondary PIN. The longer and more random the passphrase then the more secure it is, but you should also back it up separately from your 24 word seed phrase, as if you forget your passphrase then your coins will be lost.

See here for more information: https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security
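Added example (not part of any post in this thread): the BIP39 seed derivation that the passphrase discussion above refers to, showing that the passphrase enters the key derivation as part of the salt while the device PIN is not an input at all. It uses the public BIP39 test-vector mnemonic; the helper name `wallet_tag` is made up for this illustration.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector mnemonic. Known to everyone: never fund it.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def _nfkd(text):
    """BIP39 requires NFKD-normalised UTF-8 for mnemonic and passphrase."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The salt is the literal string "mnemonic" followed by the passphrase.
    There is no PIN parameter: the PIN only unlocks the physical device.
    """
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic),
                               b"mnemonic" + _nfkd(passphrase), 2048, 64)


def bip32_master(seed):
    """BIP32 master private key and chain code derived from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_tag(mnemonic, passphrase=""):
    """Short label to compare wallets without printing key material.

    Illustrative helper only (a truncated hash of the master key); it is
    not the BIP32 fingerprint.
    """
    master_key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(master_key).hexdigest()[:16]


if __name__ == "__main__":
    # Same 12 words, three different passphrases: three unrelated wallets.
    for phrase in ("", "TREZOR", "trezor"):
        print(repr(phrase).ljust(10), wallet_tag(TEST_MNEMONIC, phrase))
    # The words alone (empty passphrase) already yield a complete wallet,
    # so anyone holding a photo of them can rebuild every key under it.
```

A wrong passphrase does not produce an error, it simply opens a different, empty wallet, which is why the passphrase has to be backed up separately from the words.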
legendary
Activity: 3668
Merit: 6382
August 06, 2020, 04:46:24 AM
#13
I always believed that when you chose your passcode, this effectively became the 25th seed word

No, the PIN is only for the physical access to the hardware wallet. Else they would have asked you to also back that up on the card.
The backup card is there so that if anything happens, from the Ledger getting destroyed and the Ledger company going bankrupt to you losing all your memories, you or somebody from your family can access the money.
newbie
Activity: 4
Merit: 3
August 06, 2020, 04:39:57 AM
#12
ok, thank you for that explanation. I always believed that when you chose your passcode, this effectively became the 25th seed word that is used to generate the private keys....so you need the card of 24 seed words + the secret passcode. In that case, I probably wasn't as security minded as I should've been with the seed because I thought I had the extra protection of the passcode. doh
legendary
Activity: 3668
Merit: 6382
August 06, 2020, 04:26:48 AM
#11
I think I have solved it, but it still confuses me a lot.
When I first got this ledger, I have now remembered that I saved a photo of the seeds to my secure folder(mistake #1). I think there must be some malware on the phone, because I have never entered my seeds onto my computer or anywhere else and I don't ever remember opening the image. They must have gotten the 4 digit passcode from monitoring my phone when I used it with other apps, for example some apps are unlocked with the same 4 digit code I use to unlock my ledger(mistake #2). This is the only way I can see that they have accessed it. I've run anti virus etc on there but it's found nothing. I also checked all the installed apps and there is nothing strange here. In fact this phone is rarely used and only really for whatsapp and google authenticator. For this to be true, it would mean someone has had access to my phone for over a month which is very worrying

Physically, the seeds are hidden in my house. I live alone and no one else has access, certainly no one I know knows my passcode or understands bitcoin, or even knows I own a ledger.

$5000 is a nice expensive lesson in security I guess. Thanks all for any replies and help. I'm off to buy a new phone

Ouch! Quite expensive indeed.
Your logic has some mistakes. As soon as anyone had access to your seed, they don't need your pin or anything: with the seed they can re-create the wallet on any other computer or smartphone, or ledger or ... (other options may exist).
The wallet doesn't contain the coins, it only handles the private keys (simplified explanation) and the private keys are based on your seed.
The private keys are the most important thing: they are the only thing that allows spending the coins.

So whoever got your seed, it was all he needed to steal your money. (meaning that mistake #1 was more than enough)
newbie
Activity: 4
Merit: 3
August 06, 2020, 04:21:08 AM
#10
I think I have solved it, but it still confuses me a lot.
When I first got this ledger, I have now remembered that I saved a photo of the seeds to my secure folder(mistake #1). I think there must be some malware on the phone, because I have never entered my seeds onto my computer or anywhere else and I don't ever remember opening the image. They must have gotten the 4 digit passcode from monitoring my phone when I used it with other apps, for example some apps are unlocked with the same 4 digit code I use to unlock my ledger(mistake #2). This is the only way I can see that they have accessed it. I've run anti virus etc on there but it's found nothing. I also checked all the installed apps and there is nothing strange here. In fact this phone is rarely used and only really for whatsapp and google authenticator. For this to be true, it would mean someone has had access to my phone for over a month which is very worrying

Physically, the seeds are hidden in my house. I live alone and no one else has access, certainly no one I know knows my passcode or understands bitcoin, or even knows I own a ledger.

$5000 is a nice expensive lesson in security I guess. Thanks all for any replies and help. I'm off to buy a new phone
legendary
Activity: 2268
Merit: 18748
August 04, 2020, 02:04:49 PM
#9
Azorult and hydra take screenshots, so whenever you wrote those words down, they might have been snap shot and sent to hackers.
Hardware wallets generate the seed phrase on the hardware wallet itself and display the words on the screen of the hardware wallet. Taking screenshots of your computer display is irrelevant when you use a hardware wallet as the seed phrase never appears on the computer display.

bob123 is correct. The only way screen grabbers could have stolen his seed phrase is if he manually entered it in to his computer, in which case there are 100 ways his seed phrase could have been compromised.
member
Activity: 95
Merit: 10
August 04, 2020, 12:57:02 PM
#8

You might also check your system for keyloggers like azorult or hydra (usually embedded with pirated games in torrents)

Not relevant if he is using a hardware wallet and never entered the mnemonic on his PC.
And if he did, it doesn't necessarily have to be a keylogger, but basically any other kind of malware.

Don't listen to this legendary person, he is TOTALLY WRONG.

Azorult and hydra take screenshots, so whenever you wrote those words down, they might have been snap shot and sent to hackers.
legendary
Activity: 1624
Merit: 2481
August 04, 2020, 11:24:35 AM
#7
If the only place you stored your mnemonic code is indeed the card, then someone must have had access to it.

Just to confirm... you generated the seed / mnemonic code yourself on the ledger, right? And since then you never entered it anywhere?

If the answer to both questions is "yes", someone had access to the written mnemonic code.



Where do you keep your seed?

He answered that question already. Read the 2nd post from OP in this topic.


You might also check your system for keyloggers like azorult or hydra (usually embedded with pirated games in torrents)

Not relevant if he is using a hardware wallet and never entered the mnemonic on his PC.
And if he did, it doesn't necessarily have to be a keylogger, but basically any other kind of malware.
member
Activity: 378
Merit: 53
August 04, 2020, 02:59:47 AM
#6
Hi all,
just logged into my ledger to see a zero balance. I am not great at reading the blockchain transactions, could someone help?

I have 3 transactions I don't recognise.

First this one with 0.249 btc being transferred to me - https://blockstream.info/tx/a79f7ad72da35ea61731852efe39d3ace74dc7e92323a861581f31f01ddf1578
Second with me transferring 0.01 btc to another address - https://blockstream.info/tx/19af75549cecada158a77614c813361371adbb13e731a9c3ab3dc6ea0ee42fab
Third with me transferring 0.4499 btc to another address - https://blockstream.info/tx/a7cab7007fbee0e06d28e9635d442629ed4f0ec08af00453d56b305d8956387c

does this look like it's been stolen? the third one seems to get split into many different addresses? I'm not sure if I'm reading it right. it's either this or I did the transaction and forgot where I sent it (unlikely). It confuses me why if this were being stolen, they would transfer 0.249 btc to me before stealing the balance

thanks for any help

Where do you keep your seed?

Have cases where family members (brother/kids) move their family funds.

You might also check your system for keyloggers like azorult or hydra (usually embedded with pirated games in torrents)
 
HCP
legendary
Activity: 2086
Merit: 4361
August 03, 2020, 05:31:09 PM
#5
just logged into my ledger to see a zero balance. I am not great at reading the blockchain transactions, could someone help?
...
Third with me transferring 0.4499 btc to another address - https://blockstream.info/tx/a7cab7007fbee0e06d28e9635d442629ed4f0ec08af00453d56b305d8956387c
...
does this look like its been stolen? the third one seems to get split into many different addresses? I'm not sure if I'm reading it right.
No, it's not being split into many different addresses... three UTXOs are being combined and sent to one address: bc1q9slt8tfwfp33sn8gul0jmcpemq85pxh2csje6j


Quote
It confuses me why if this were being stolen, they would transfer 0.249 btc to me before stealing the balance
Indeed... also... why would any thief only take 0.01 and leave all the rest... only to send another transaction later that takes everything? It certainly doesn't look like the 'normal' sequence of someone's wallet being emptied by a thief!

These transactions occurred just over a month ago... are you 110% sure that you didn't make them?
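Added example (not part of any post in this thread): a structural check that separates the two transaction shapes discussed here, several inputs combined into a single output as in the post above, versus many equal-valued outputs as described for the Wasabi CoinJoin. The sample transactions are constructed, laid out like Esplora-style JSON (`vin[].prevout.value`, `vout[].value` in satoshis); the thresholds and the name `tx_shape` are assumptions of this sketch.

```python
from collections import Counter


def tx_shape(tx, min_equal=5):
    """Classify a transaction from its input/output structure alone.

    Heuristic only: the shape says nothing about who owns the inputs.
    """
    n_in = len(tx["vin"])
    values = [out["value"] for out in tx["vout"]]
    result = {
        "inputs": n_in,
        "outputs": len(values),
        "fee": sum(i["prevout"]["value"] for i in tx["vin"]) - sum(values),
        "equal_value": None,
        "equal_count": 0,
    }
    if values:
        value, count = Counter(values).most_common(1)[0]
        # Many identical output amounts funded by at least as many inputs.
        if count >= min_equal and n_in >= count:
            result.update(shape="equal-output",
                          equal_value=value, equal_count=count)
            return result
    if n_in >= 2 and len(values) == 1:
        result["shape"] = "consolidation"   # several UTXOs swept to one address
    elif n_in == 1 and len(values) >= 3:
        result["shape"] = "fan-out"         # one UTXO split across addresses
    else:
        result["shape"] = "ordinary"
    return result


# Constructed sample: three inputs combined into the single address named
# in the post above. Input amounts are invented for the example.
CONSOLIDATION = {
    "vin": [{"prevout": {"value": v}}
            for v in (24_900_000, 19_000_000, 1_100_000)],
    "vout": [{"scriptpubkey_address":
              "bc1q9slt8tfwfp33sn8gul0jmcpemq85pxh2csje6j",
              "value": 44_990_000}],
}

# Constructed sample modelled on the description in this thread: 65 inputs,
# equal outputs of 0.10791 BTC plus one large and one change output.
COINJOIN_LIKE = {
    "vin": [{"prevout": {"value": 11_000_000}} for _ in range(64)]
           + [{"prevout": {"value": 1_046_000_000}}],
    "vout": [{"value": 10_791_000} for _ in range(60)]
            + [{"value": 1_045_923_000}, {"value": 56_000_000}],
}

if __name__ == "__main__":
    for name, tx in (("consolidation", CONSOLIDATION),
                     ("coinjoin-like", COINJOIN_LIKE)):
        print(name, tx_shape(tx))
```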
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
August 03, 2020, 06:54:43 AM
#4
-snip- I was thinking that I may have made the transactions and forgot, but it looks like the bitcoin has been split into multiple accounts which definitely was not me, so I guess that is stolen somehow
That "split" seems normal, the last transaction just spent the "change" of your previous transactions, plus one that's probably from your older transactions.

If it's really not you, then the issue must be there's someone else who has used your seed and passphrase combination to make a wallet (which is highly unlikely)
because why would a hacker send coins to his victim's wallet?
I bet this is just caused by a cloudy memory.
newbie
Activity: 4
Merit: 3
August 03, 2020, 06:28:47 AM
#3
Have you ever written your Ledger seed somewhere you shouldn't? (email, dropbox, text file, etc...)

Do you see, in your transaction history, a +0.249 BTC incoming transaction to your wallet from the first transaction? Could you share a screenshot of your transaction history tab?

If your balance is zero and you didn't make any of those transactions, I don't see what else that could be.

the screenshot is here: https://ibb.co/QnnCBsP

I've never written the seed anywhere electronic, only on the card when I bought the ledger 2/3 years ago (checked, it is a legit ledger), and definitely never written down my passcode which is why I am so confused. I did use the ledger around 1 week before these transactions appeared, and the first transaction of +0.249 makes little sense to me. I've checked all my accounts and the bitcoin isn't there. I was thinking that I may have made the transactions and forgot, but it looks like the bitcoin has been split into multiple accounts which definitely was not me, so I guess that is stolen somehow
legendary
Activity: 2758
Merit: 6830
August 03, 2020, 06:15:08 AM
#2
Have you ever written your Ledger seed somewhere you shouldn't? (email, dropbox, text file, etc...)

Do you see, in your transaction history, a +0.249 BTC incoming transaction to your wallet from the first transaction? Could you share a screenshot of your transaction history tab?

If your balance is zero and you didn't make any of those transactions, I don't see what else that could be.
newbie
Activity: 4
Merit: 3
August 03, 2020, 06:07:39 AM
#1
Hi all,
just logged into my ledger to see a zero balance. I am not great at reading the blockchain transactions, could someone help?

I have 3 transactions I don't recognise.

First this one with 0.249 btc being transferred to me - https://blockstream.info/tx/a79f7ad72da35ea61731852efe39d3ace74dc7e92323a861581f31f01ddf1578
Second with me transferring 0.01 btc to another address - https://blockstream.info/tx/19af75549cecada158a77614c813361371adbb13e731a9c3ab3dc6ea0ee42fab
Third with me transferring 0.4499 btc to another address - https://blockstream.info/tx/a7cab7007fbee0e06d28e9635d442629ed4f0ec08af00453d56b305d8956387c

does this look like it's been stolen? the third one seems to get split into many different addresses? I'm not sure if I'm reading it right. it's either this or I did the transaction and forgot where I sent it (unlikely). It confuses me why if this were being stolen, they would transfer 0.249 btc to me before stealing the balance

thanks for any help