Topic: Urgent Beware - My Blockchain.info account was drained! (Read 7044 times)

Check for malware on your computer, do a full scan + rootkit check.

 
I think that maybe a very good point. I have now used every sort of scan I can find and none of them picked up any trojans, worms keyloggers or remote access attempts. Also, maybe this isn't important but this happened on my Blockchain.info wallet after I had changed the settings to send an email to my gmail account for every transaction. I'm at a loss to explain it but I'm not using Blockchain.info until I know eveything is ok again. I ran spybot and it found nothing either. I checked for extra phoney system file mimics, like csrss.exe. I've never had a problem before with any online service on this laptop

One thing extra thing I've done now is to lock the wallet to a fixed IP, (it's in the Blockchain settings) so it can't be accessed from any other IP, all well and good as long as my IP doesn't change. Otherwise, it will be a huge hassle.

You all are assuming it was a brute force attack. AFAIK it could be keys strolen from your hard drive. Blockchain stores keys on your computer, they are not responsible for keeping the keys safe.

If you type in the latitude/longitude coordinates from the IP address in google maps it appears the IP is in the middle a highway. Wtf?

Never put a large amount of money on an online account, let this be a warning to any newbies who are thinking of doing the same, it may seem convenient but I assure you it can and will get stolen.

XKCD is always a good read, but BEWARE brain wallets. They are not a panacea, you have to know how to create strong passphrase. Take a look at this thread https://bitcointalksearch.org/topic/if-you-used-brainwalletorg-must-read-security-breach-251037

Keep password security in mind:

I beg to disagree with this. Choose a strong password, do write it down and store it in your safe/bury it in your garden/wherever. You are far more at risk of forgetting a strong password than someone guessing it (and if its a weak password, changing it every Tuesday is not going to help at all). But yes, backup your wallet, everywhere. If the password is strong enough then its safe even if some cracker gets his hands on it. And if you're paranoid use cold storage (paper wallets), and keep multiple copies of them too.

No feedback to report

all I can tell you is be very careful. There are many people trying to break in to your wallets and you will get no help. Be very very careful, change your password regularly, never write it down and keep wallet backups.

From the user log file in Blockchain.info wallet account settings. I posted it above.

I'm curious, where did you get the IP address?

Yes, the timing is very significant and suggests remote desktop access. The password I used has never been written down anywhere, its not in any user text file or doc. So keylogging or remote access seem to be the most plausible.

Also, I checked my Remote Assistance settings in system properties. They were mysteriously set to true. I know I had set them to false again when I upgraded to win8 several months ago (for some reason, annoyingly, the update had set them to true)

Update: I contacted the Australian server company for the suspect IP Address. So far, they have been very helpful and are looking to identify the user from their logs and time stamp etc...

I will post more when I know more.

Thanks again for your help. 

Clearly.


Not necessarily a trojan, just pointing out that a trojan won't necessarily show up in a virus scan, so the fact that "two deep scans from to up to date virus checkers" come up clean doesn't mean that there isn't a trojan installed.


It's never right to blame the victim.  I wouldn't say "it must be your fault somehow", but it is good to understand what the possible attack vectors are so effort isn't wasted on things that aren't a threat and so that yourself and others can better protect themselves in the future.


I am aware of that, and the timing is certainly suspect.  It is possible that the trojan waited for you to log in and type your password to capture it.  It is also possible that someone hacked their way into a remote desktop connection.  I suppose it's also possible that the timing was a coincidence.  Without more information about how the thief got your password, it is difficult to say why it happened while you were logged in.


Agreed.  I'm very curious about how the thief got your password.  If you ever figure it out, please come back and let us know.  Such information will make it easier to inform others about how to protect themselves.


Upset me?  You've got to try a whole lot harder than that to upset me.  Even those who are putting all their effort into upsetting me rarely succeed.

Yes you are correct. In my defense, for me it was around 2 am in the morning at the time I wrote that post and I was nearly brain dead anyway. It was a bad day.

You put it all down to a trojan and my password being abused, Of course, it was my laptop and in the end it must be my fault somehow, I agree. 

You also don't seem to take the point that the only fraudulent transaction took place under my nose while I was logged in.. ie at the same time. from an IP address on the other side of the world. logged and recorded. There have not been any other attacks, just one, at exactly the same time as I was logged in. I'm sorry I didn't lose more than 0.21 I got my numbers wrong because I was very tired.

Now, despite two deep scans from two up to date virus checkers I can find no trojans or worms or other keyloggers, the only password I used when it happened was the one for that wallet. So yes, it is most likely my fault somehow, but How? Exactly? Until I can find some help on that, I can't trust using my blockchain wallet from that laptop. As escrow.mi said, my best option is using a paper wallet until this issue is resolved. If it is so easy to strip an account, my personal trust in the system is shot and I would hate to have 10 or 100 bitcoins or even only 0.21 in any online wallet until I know I can trust it again. It's a significant security problem. sorry to have upset you. Thanks for your help. 


 

You really need to pay attention to what you are doing and what you are typing.  You can't even seem to keep straight how much you lost.

You didn't know how much bitcoin you had, you didn't know how much was taken, you wrote 1.4 when you meant to write 1.03, and then you wrote 0.221776556 when you meant to write 0.21776556.

It won't surprise me if you used your password somewhere insecure, or installed some trojan software that you acquired for free somewhere (well written trojan software won't show up in a virus scan no matter what scanning software you are using).

It really isn't possible for anyone to steal your bitcoins unless they have your password.  Therefore, the question is "How did the hacker get your password?"

no every thing else seems to be ok, I lost 0.221776556, not 1.4 (that was wrong too it was 1.03 total deposits), that's a relief, but still gone while I watched. I also had a deposit from bitvisitor. It's been a bad day, sorry...

Checking now.

When I logged back in everything was set to 0, so I assumed it was 1.4 or close to it.

escrow.ms explained that was because I removed Blockchain from the network listing.

0.21776556 BTC according to http://blockchain.info/address/1Cqfi7gKrbGgQuWNpGrziDzmaNoY2cGGjV

The other spend transactions were way back in July (scroll down looking for the red tags). Did you lose anything from any of your other addresses?

oh shit, that was the wrong one, it was 0.2277 something that went, my mistake

I looked at the total amount deposited, not the actual transaction

I can only see a 0.2 BTC transactiion from your wallet to this one.


http://blockchain.info/tx/a7676c33ef493e08fc87346569718015fc6063d064f19a977c7aa70de1462dc0