Help! My bitcoin wallet got hacked

15 replies 169 views
darkgasMember
Posts: 8 · Reputation: 171
#1Nov 27, 2018, 08:19 PM
Hey guys, I’m pretty new to all this, so I really need some assistance. I had a decent amount of bitcoin stored on my Bitcoin Core wallet, and it was on a computer I barely used. It was offline most of the time, only connecting every six months just to update. Last time I checked it was late February this year, and everything was good, all my coins were there. I shut it down and didn’t think about it until recently. When I powered it back up, an update took like a week and a half. But when it finished, I saw my balance was zero. I noticed there was a transaction back in March when my computer was off and not connected to the internet. There’s a wallet ID and a transaction I can see. Turns out, my bitcoins were sent to two different wallets, and then split into two more wallets each, so now there are a total of four wallets holding my coins. HOW DO I GET THEM BACK? I really need help with this! Sorry if I’m not using the right terms or anything.
4 Reply Quote Share
fox_byteHero Member
Posts: 478 · Reputation: 2370
#2Nov 27, 2018, 10:36 PM
If these addresses are not part of your wallet or you did not make that transaction, then there is no way to recover them except by accessing the private key of those addresses. If this does not affect your privacy, post the addresses here, maybe we can track them down and find something that may be useful to you. What you did does not enhance the security of your coins, so to ensure that you set up cold storage correctly, please follow this guide ---->  https://electrum.readthedocs.io/en/latest/coldstorage.html or https://bitcointalk.org/index.php?topic=5228801.0
2 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#3Nov 28, 2018, 12:25 AM
Google tells me it's a "pool ball"? Online "once in a while" makes it a hot wallet, not cold storage. Bitcoin wouldn't exist if you could return transactions. Whoever controls the private keys is the only one who can do this, and if your coins got stolen, the thief isn't going to return them.
7 Reply Quote Share
darkgasMember
Posts: 8 · Reputation: 171
#4Nov 28, 2018, 12:58 AM
bc1qkn6gnfn6pgnmu9jam8ms4xt4zhdwd9rx7a4tr9-wallet number for which the transaction was made 0031f3e0e57fcd27fec28f714e244a6d0e1dafc584f4eb7f163328295e92912e-transaction
3 Reply Quote Share
diamond365Full Member
Posts: 136 · Reputation: 744
#5Nov 28, 2018, 02:49 AM
Verify Electrum wallet if possible too, it reduces risk of losing bitcoin to a fake Electrum wallet. [Guide] Verify and download Electrum wallet The paranoid user's security guide for using Electrum safely. A guide to create a cold storage wallet with Electrum. A cold wallet must be set up offline and use offline for a whole time.
4 Reply Quote Share
the_matrixSenior Member
Posts: 313 · Reputation: 1887
#6Nov 28, 2018, 07:53 AM
The transaction was made a long time ago, in March 24, 2024. I must say you lost a lot of money there, ~1.3 BTC. The current balance in that address is $0.00 and they have only used that address to receive your funds, which they moved on to two separate addresses. I didn't follow on from there, because i don't think there's any use, as you cannot recover stolen funds. Is there a way you think this could have happened? If your wallet is connected to the internet, even once, it no longer is an airgapped wallet. Did you expose your seed phrase?
4 Reply Quote Share
darkgasMember
Posts: 8 · Reputation: 171
#7Nov 30, 2018, 04:48 AM
Unfortunately, I don’t know how they did it, nothing was revealed
2 Reply Quote Share
paul_maxiSenior Member
Posts: 156 · Reputation: 896
#8Dec 1, 2018, 11:36 PM
It doesn't really matter if computer is turned off if private keys or seed words get leaked/hacked/stolen and imported in different device and wallet. I am not saying this happened in your case, but there is always a possibility. You can't return anything if you didn't send the transaction to your other wallet. Transaction is confirmed and balance on that receiving address is now zero.
2 Reply Quote Share
yield_forkFull Member
Posts: 162 · Reputation: 728
#9Dec 2, 2018, 04:20 AM
You said you used Bitcoin Core, right? The Bitcoin Core wallet backup is done by making a copy of the wallet file (wallet.dat). It doesn't provide a BIP39 mnemonic phrase, since Bitcoin Core calculates the private keys from a BIP32 root key. So there is no way for malware to have copied any mnemonic phrase, since it doesn't exist in a native Bitcoin Core wallet. What may have happened is that you created this wallet on a computer already compromised by malware, downloaded a "baptized" version of the software, etc. Unfortunately, we will never know why. The most rational thing to do is NEVER use this computer to perform any Bitcoin operations again. Get a new computer (or buy a hardware wallet and follow all the instructions on the manufacturer's website and other reliable sources), use it only for operations dedicated to BTC and nothing else. As you can see, the wallet was compromised before or during some point when your "cold storage wallet" was turned on to perform updates, certainly the thief was monitoring your wallet for quite some time waiting for the right moment to make the withdrawal, waiting for you to make more deposits to get the most out of your BTC. Another important factor I forgot to mention: was this wallet protected by a passphrase of bitcoin core?
2 Reply Quote Share
im_lynxHero Member
Posts: 515 · Reputation: 2161
#10Dec 2, 2018, 08:41 AM
What kind of an update lasted for 1.5 weeks? Bitcoin Core updating your wallet and syncing the blockchain or something else? You did not do any transaction in the past months with your wallet? If you didn't then we can assume someone else emptied your wallet. Who has access to your computer? Only you? Or did you e.g. invite some friends or had visitors in the period where the theft happened? The security of a Bitcoin Core wallet file is its wallet encryption passphrase. Did you setup a strong wallet encryption password/passphrase? What operating system runs on your computer?
0 Reply Quote Share
coin_sigmaLegendary
Posts: 1275 · Reputation: 5553
#11Dec 2, 2018, 01:49 PM
If your wallet is always connected to the internet online there are lots of possibilities that you don't know there's nothing that we can do since Bitcoin transaction is reversible. I suggest you stop using your wallet anymore and learn to create an Electrum offline/cold storage wallet on tails where you can save all of your BTC for long-term storage it is way safer than using Electrum on a Windows PC or Mobile phone that always connected online. You can also use it as an airgap where you can create offline transactions from your phone with your watch-only wallet and your offline wallet is your signer.
0 Reply Quote Share
pixel2014Hero Member
Posts: 857 · Reputation: 4132
#12Dec 3, 2018, 11:20 AM
Some people will still continue the tracing to know if the hacker sent the coins to exchanges or custodial wallet. If the money is huge, it is possible that the victim can report the person through legal means. But if the coins was not sent to anything custodial, likely the money is gone. Yes. But also offline attack is also possible. He should be careful with his device and how he backup his seed phrase. I do not think I have a wallet that does not have passphrase which I use to extend the seed phrase. This gives me feeling that my backup is more secure and better than not using passphrase.
4 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#13Dec 4, 2018, 05:07 PM
I think - and this is just a theory - that your computer was infected with malware that stole the wallet.dat from your computer and uploaded it to the hacker's server. Then when you shut down your computer, some time during that time-frame, the hacker guessed the password (?) or maybe already knew it and swept all the funds from it. It doesn't require your computer being turned on to do.
2 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#14Dec 4, 2018, 11:00 PM
Or, someone may have accessed the computer physically, so someone OP knows in real life. That's probably the only scenario in which OP can find back his coins.
1 Reply Quote Share
alt21Senior Member
Posts: 398 · Reputation: 1732
#15Dec 5, 2018, 01:38 AM
Sorry for the loss. It seems to me that Loyce's idea is the most possible. Someone must have gained physical access to your computer and stole the coins. The malware that NotATether suggests is a possibility but, most of the time, when people get hacked because of malware, they end up seeing irrational transactions with their coins. That's because most of the time the malware is pre-programmed to send the coins to specific addresses, to split them in parts and to perform wallet-hopping to hide the traces. In OPs scenario, the coins were transfered on ‎2024-03-24 13:26:44. Then they were moved again ‎2024-03-24 20:49:18. So, approximately 7hrs elapsed between the 2 transfers. I highly believe someone gained access to OPs computer and sent the coins to another address. Then, they moved to the computer where the other address' keys are hosted and performed another transaction. OP, if I were you, the only I would try to do (since you can't do much), would be to try and remember if someone visited me, or accessed my computer on March 24, 2024. The 7hrs in-between could mean: 1. someone visited you for lunch, some drinks etc and at some point they accessed your PC. Then they returned to their home and executed another transaction. 2. do you have your computer at the office? Do you share your working environment with anyone? If so, is there any chance that someone accessed your computer during you were working?
4 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#16Dec 5, 2018, 05:19 AM
That'll be easy to investigate since the PC should be turned-off during that time, if there are logs, the PC was turned-on. With the idea above: Check if it's accessed physically during the time when it's supposed to be off, Is the computer Windows/Linux? For the former, check your "Event Viewer->Windows Logs->System" (wait for a few minutes to load) to check if it has a log with timestamp on March.For the latter, use journalctl --since "2024-02-20 00:00:00" to do the same as the above. (you can set the date closer to the incident) If positive, then you can deduce that it's booted-up by someone who has access to the PC's hiding spot. If not, the keys/wallet was leaked before that incident, e.g. wallet.dat file's passphrase was cracked in March but got hacked months before that.
4 Reply Quote Share

Related topics