
Topic: wrong bitcoin address (Read 375 times)

HCP
legendary
Activity: 2086
Merit: 4363
November 21, 2019, 02:10:19 PM
#27
I'd check with both "MalwareBytes" and "Spybot Search and Destroy"... to see if they find anything. Not that that really guarantees anything one way or the other due to false positives and that they generally only detect "known" malware.

Personally, when it comes to malware removal... I would be inclined to simply format the machine and reinstall the OS from scratch. It can be a bit of a hassle backing up data and reconfiguring apps etc... but it is generally far more effective in removing malware completely.
member
Activity: 532
Merit: 13
November 21, 2019, 11:06:32 AM
#26
Hello. Thanks for reply.
1) I do not use bookmarks on any financial site.
2) I am using Opera as browser. I only have Opera ad blocker as extension.
3) I have neither installed. Do not even know what they are.
4) Other exchanges are fine.
Is it safe to download Spyhunter to remove clipboard malware if I am infected?
Again, thanks for all your help and suggestions.
HCP
legendary
Activity: 2086
Merit: 4363
November 20, 2019, 02:57:21 PM
#25
It only happens on Kucoin and only with bitcoin.
Then the possibilities I can think of are:

1. Phishing/Fake website... you're not actually logging into Kucoin, but a scam clone version that is hardcoded to use the hacker's address. Check the URL very carefully... perhaps try to type it out manually instead of relying on a bookmark.

2. Bad browser extension... what browser are you using? and have you looked at the settings to see what extensions/addons are running? Maybe try a different browser to see if the same thing happens.

3. Do you have tampermonkey or greasemonkey installed? If so, check to see what scripts are running... Again, try a different browser to see if the same thing happens.

4. Kucoin specific clipboard hijacker. Can't say I've heard of a clipboard malware that was specific to one site... but it might do it on other exchanges as well. Have you tried other exchanges? or just Kucoin?
member
Activity: 532
Merit: 13
November 20, 2019, 02:19:54 PM
#24
Hello HCP.
thanks for your reply. It only happens on Kucoin and only with bitcoin.
HCP
legendary
Activity: 2086
Merit: 4363
November 19, 2019, 02:56:22 AM
#23
Ok... so you'd need to correctly identify what the root cause was before you can judge whether or not you've fixed anything and the likelihood of it reoccurring in the future. So, back to the original problem of addresses being automatically changed to 13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z.

If you copy/paste the following addresses one at a time:
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
17VZNX1SN5NtKa8UQFxwQbFeFc3iqRYhem
1CC3X2gu58d6wXUWMffpuzN9JAfTUWu4Kj

Do those addresses paste correctly or are they changed to something else?

Does it only do it on a particular website (ie. ONLY on Kucoin)? or does it do it when you paste an address everywhere (text editor, browser, Word document etc)?

If it ONLY happens in the browser and only on one (or a couple of) particular site(s), it might be a Tampermonkey type extension designed to mess with particular websites only... if it does it EVERYWHERE, then it's most likely a generic clipboard hijacker.
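The paste test described in the post above, as an added example that is not part of the original thread: record where each test address was pasted and what came out, then separate a deliberate swap (the pasted value is a different but valid address) from a truncated or mistyped paste. The function names and the sample observations are constructed for illustration, and only legacy Base58Check addresses are parsed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes with a valid double-SHA256 checksum
    (legacy 1.../3... addresses; bech32 bc1... addresses are not parsed here)."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))      # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def classify_paste(copied: str, pasted: str) -> str:
    copied, pasted = copied.strip(), pasted.strip()
    if pasted == copied:
        return "unchanged"
    # A different string that is itself a valid address points to deliberate
    # replacement rather than a truncated or mistyped paste.
    return "substituted" if base58check_ok(pasted) else "altered"

def verdict(trials) -> str:
    """trials: (place, copied, pasted) tuples recorded during the paste test."""
    places = {place for place, _, _ in trials}
    hit = {place for place, c, p in trials if classify_paste(c, p) == "substituted"}
    if not hit:
        return "no substitution observed"
    if hit == places:
        return "substituted everywhere: generic clipboard hijacker likely"
    return "substituted only in " + ", ".join(sorted(hit)) + ": check extensions, userscripts and the URL"

if __name__ == "__main__":
    # Constructed observations, not results reported in the thread.
    swapped = "13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z"
    tests = ["1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "17VZNX1SN5NtKa8UQFxwQbFeFc3iqRYhem"]
    trials = [("text editor", a, a) for a in tests] + [("browser: Kucoin", a, swapped) for a in tests]
    for place, c, p in trials:
        print(f"{place:16} {c[:8]}... -> {classify_paste(c, p)}")
    print(verdict(trials))
```

Run it on a machine other than the one under suspicion, typing in what the suspect machine actually pasted.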
member
Activity: 532
Merit: 13
November 18, 2019, 11:27:32 AM
#22
Getting off topic here. There is no porn on my device. I have not downloaded any software or installed any apps or extensions.
sr. member
Activity: 882
Merit: 268
November 18, 2019, 10:28:53 AM
#21
Maybe your computer has been infected with a keylogger, and you happen to allow the option to save passwords in your browser. Try checking first because this includes the hijacking mode; if it still doesn't change it's better to reinstall, or reset all data from a different computer because the malware has infected sensitive parts of the system including your antivirus.
legendary
Activity: 2730
Merit: 7065
November 18, 2019, 05:08:39 AM
#20
Porn and illegal software, especially cracked Operating Systems and AV solutions should have no place on a device that stores sensitive information and is used in connection with our financials in either way. It's a ticking time bomb. Either watch XXX on TV or get another device just for your nasty habits and don't store any of your financial data on it.   
legendary
Activity: 2422
Merit: 2228
Signature space for rent
November 18, 2019, 02:52:03 AM
#19
After reading all of your replies it's clear that your account has been hacked individually. The exchange hasn't been hacked since there is no update about it. So your device is no longer a safe zone. First you need to withdraw your funds from some other device if needed. But please check the address carefully again.

I will not say you are safe even if you found malware on your device and removed it. I would suggest you format your device, erase everything and install the original operating system from the beginning. Then I might say you are in the safe zone. You should do it because you are using this device for fund management like bitcoin. You should not install any unknown software on your device. Be careful especially when you are watching porn. Most malware attacks come from porn sites.
legendary
Activity: 2730
Merit: 7065
November 17, 2019, 03:10:28 AM
#18
It means installing a fresh copy of your OS, getting rid of every trace of the previous install. You didn't mention which OS you use. These are instructions for Windows 10.
Check out this source on how to do it if you are not comfortable trying it out yourself:
https://www.laptopmag.com/articles/reset-windows-10-pc

Some videos
https://www.youtube.com/watch?v=TikFTiXTuNI
https://www.youtube.com/watch?v=8LgHNRjiekQ
member
Activity: 532
Merit: 13
November 16, 2019, 09:32:56 AM
#17
The attack happened between the evening of Wednesday 6th November and the morning of Thursday 6th November.
I had not downloaded any new programs or opened any email attachments.
I have opened new accounts with new passwords.

Does reformatting mean doing a factory reset? Any easy instructions available?
legendary
Activity: 2744
Merit: 4065
November 16, 2019, 07:23:23 AM
#16
Here is trojan   Win32:Trojan-gen  C:\ProgramData\zxits\WerFault.exe
werfault.exe is used for Windows Error Reporting.
This file is not a risk in itself and may be affected by a virus.
Since when did this problem happen with you? Have you downloaded any program from untrusted sources or was the program untrusted?

I opened a new perfect money account and a new exchange account. Will the hacker have access to these accounts?
How would they hack my kucoin account?
Kucoin has 2FA. The email address I use is only for kucoin. The password I use is only for kucoin.
They accessed my perfectmoney account and my exodus wallet. All different email addresses and passwords.
What permissions are granted to that program? In general, you need to reinstall the operating system, change all passwords, and resend your currencies to new wallets.
legendary
Activity: 2170
Merit: 1789
November 16, 2019, 05:53:30 AM
#15
I have run malwarebytes and the result is negative, no virus, trojans or malware.
I have run AVG and found 1 trojan. I have quarantined it. Does this mean it is no longer active?
Here is trojan   Win32:Trojan-gen  C:\ProgramData\zxits\WerFault.exe

That could mean Malwarebytes' database is not recognizing the malware yet. If I were you, I'd do what most people said above, which is reformatting and reinstalling your system. The attacker might have planted some backdoor and your antivirus/malware didn't realize it.

I realize it might take some time but it's better than risking your computer to be monitored by somebody else.
member
Activity: 532
Merit: 13
November 16, 2019, 05:21:36 AM
#14
Hello.
Thanks for all the replies, help and suggestions.
I have run malwarebytes and the result is negative, no virus, trojans or malware.
I have run AVG and found 1 trojan. I have quarantined it. Does this mean it is no longer active?
Here is trojan   Win32:Trojan-gen  C:\ProgramData\zxits\WerFault.exe
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
November 16, 2019, 03:03:07 AM
#13
To avoid future compromise on your bitcoin, I think you can apply the steps guide by @LoyceV.
How to lose your Bitcoins with CTRL-C CTRL-V
Copying part of your bitcoin address, and manually type the rest.
Doing double or triple checks after you finish copy & paste & type the whole address. Doing this carefully before clicking on the send button and / or confirm button/link from your email will help keep you safe.
More details can be found in the given thread.

It is a little off-topic but I think the lesson of sending bitcoin to a bitcoin-A/B/C address and losing bitcoin is a painful lesson and if you are interested, please see the story: Sent BTC to BCH address. And the answer.
You have to be careful when choosing the ticker of the crypto currency on exchanges; make sure you choose BTC, not BCH or whatever B- or BT- coins.

To recap, please carefully check:
- Bitcoin address
- Ticker of cryptocurrency you want to withdraw or send.
legendary
Activity: 2170
Merit: 1789
November 16, 2019, 01:50:52 AM
#12
I opened a new perfect money account and a new exchange account. Will the hacker have access to these accounts?
How would they hack my kucoin account?

Based on what you posted above, maybe he's using a clipboard malware, or a keylogger to monitor your PC (which is even worse).

It might be difficult to remove it completely even if you use anti-malware, so the best thing you can do imo is: update all your supposedly affected accounts from another device (a secure one), backup your data from the infected pc and secure format your storage, run a fresh install of your OS.
member
Activity: 532
Merit: 13
November 16, 2019, 01:31:41 AM
#11
I opened a new perfect money account and a new exchange account. Will the hacker have access to these accounts?
How would they hack my kucoin account?
Kucoin has 2FA. The email address I use is only for kucoin. The password I use is only for kucoin.
They accessed my perfectmoney account and my exodus wallet. All different email addresses and passwords.
legendary
Activity: 3472
Merit: 3217
Happy New year 🤗
November 15, 2019, 05:27:17 PM
#10
KuCoin exchange is legit and I think you have a big problem with your PC and maybe someone is monitoring your PC.

Do you have any important files on your PC like a wallet? Make sure to back them up first because the only solution to remove all malware and viruses from your PC is to format the PC and install a fresh OS just like suggested above.

I believe that you're not using any protection on your PC, so make sure to install one. I recommend you try Kaspersky Total Security; they support crypto and it is a high level of security protection for your PC, and they have a 30-day trial. It can block the auto-install script when visiting suspicious websites. If you don't have AV protection for both PC and browser, the auto-install script will install silently and you will not notice whether you are infected or not. That is why I recommend you use AV.

Even if you *think* you have quarantined the malware, your computer will still not be safe to use. Your computer may display one thing but will actually transmit other data to any website you are interacting with.
Yeah, I agree with you. I just want him to quarantine the PC first to test if it's because of some infected files so that we will know what is the cause of the bitcoin address changing every time he pastes his address.
legendary
Activity: 2758
Merit: 3105
Top Crypto Casino
November 15, 2019, 05:04:16 PM
#9
Or if you really need to do the transaction, try to do it on your other trusted machine, maybe from one of your family, friends, etc.
If I may add, in case you don't have access to another machine or don't want to, you can exclude the first two or three characters and copy the rest of the address then after pasting it you may add the missing characters manually. Don't forget to check the final address more than once before sending the transaction.
copper member
Activity: 2996
Merit: 2374
November 15, 2019, 04:53:58 PM
#8
It seems your device or PC is infected with clipboard malware.
Let me ask what exchange you are talking about?

Try to scan your PC first with Malwarebytes and antivirus like Kaspersky and scan the whole PC; you might be infected with clipboard malware.
If they detect suspicious files try to quarantine them and try to paste the address again to any website.
Even if you *think* you have quarantined the malware, your computer will still not be safe to use. Your computer may display one thing but will actually transmit other data to any website you are interacting with.
member
Activity: 504
Merit: 23
Epsilon Omega
November 15, 2019, 04:53:54 PM
#7
When I see this, I'm very thankful that I actually take a 2nd or even 3rd glance at the start and end of my public address whenever I send funds to exchanges or another wallet.

We should be very careful about everything we see on the internet. Every simple click will end your assets at zero.
legendary
Activity: 3122
Merit: 1398
For support ➡️ help.bc.game
November 15, 2019, 04:37:48 PM
#6
Hello. Recently I had my account on an exchange hacked. Since then whenever I try to change my remaining btc, on other sites, the address I am given to input is replaced by the address the hacker used.
Hacker used this address to withdraw funds to; 13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z
Whenever I input new address into my sites the address given is replaced by the above address. Anyone any idea how to overcome this problem?

Don't know how it ended up on your machine but it looks like the malware came from one of your downloads and you installed it. That file might come from random sites you have visited or from clicking random links e.g. via email. It might also be included in a download package where you are not aware that it's included and just hit the check and accept button.

The malware will not be executed unless someone executes it.

For now, refrain from doing any transaction until your machine is clean. Or if you really need to do the transaction, try to do it on your other trusted machine, maybe from one of your family, friends, etc.

Your options are:

1) Reformat the whole system (OS) to have a clean and fresh look.

2) If you don't want to end up reformatting the whole system as it's really a hassle to come back again from scratch and re-install your programs again, try MalwareBytes (not a promotion but this is the only anti-malware program that I have used since then and no doubt, the most powerful one in my own view).

My suggestion is doing number 1 since we don't know if that malware includes other types of malware that have another purpose.
legendary
Activity: 2366
Merit: 1272
Heisenberg
November 15, 2019, 04:07:39 PM
#5
Exchange was kucoin
Like BitMaxz said... your computer is likely to be infected with malware. If I was you I would even just format and reinstall a fresh OS.

Looking into the address transaction history: https://blockchair.com/bitcoin/address/13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z
It seems to have been in use for more than 2 years... which implies whichever malware is using it is most likely to have been in existence for a while now and has scammed lots of people and is still scamming.

member
Activity: 532
Merit: 13
November 15, 2019, 03:14:42 PM
#4
Exchange was kucoin
legendary
Activity: 3472
Merit: 3217
Happy New year 🤗
November 15, 2019, 02:59:47 PM
#3
It seems your device or PC is infected with clipboard malware.
Let me ask what exchange you are talking about?

Try to scan your PC first with Malwarebytes and antivirus like Kaspersky and scan the whole PC; you might be infected with clipboard malware.
If they detect suspicious files try to quarantine them and try to paste the address again to any website.
legendary
Activity: 2464
Merit: 3878
Hire Bitcointalk Camp. Manager @ r7promotions.com
November 15, 2019, 02:35:01 PM
#2
Not sure which hack you are talking about and the site. If you are seeing this wrong address then do not initiate a withdrawal. Possibly the hacker wants you to send your withdrawal to the address that is always showing on your side.

Stay in touch with their updates and when you will see it's safe and not changing then initiate the withdrawal.
member
Activity: 532
Merit: 13
November 15, 2019, 02:32:49 PM
#1
Hello. Recently I had my account on an exchange hacked. Since then whenever I try to change my remaining btc, on other sites, the address I am given to input is replaced by the address the hacker used.
Hacker used this address to withdraw funds to; 13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z
Whenever I input new address into my sites the address given is replaced by the above address. Anyone any idea how to overcome this problem?