Valerian77 (Sr. Member)
I GOT HACKED AND LOST 1 MILLION
December 05, 2018, 10:32:11 PM. Merited by DdmrDdmr (2), Lucius (1), bones261 (1), o_solo_miner (1). #1



Yesterday, in the very early hours of the morning of Dec 4th, I was hacked and completely robbed. A total of 1 Mio USD in different coins has been stolen from my system. I am still pissed off at my own shitty security. But things happened and I cannot go back in time.

Here is the list of coins and transactions of the robbery:

Date/Time      | Currency | Amount   | Reference to blockchain explorer | Destination address
04.12.18 00:31 | DASH     | 9000     | https://tinyurl.com/y8fpvxln     | Xom6WhRTiAZhtiMzMQXCS4Aew1PB3v62Tb
04.12.18 00:36 | BCH      | 613,291  | https://tinyurl.com/yd2y3wdr     | Qpx5pyy9catx7sluuyzqr03fw3c93ahwms2qfhnznx
04.12.18 01:12 | BTC      | 2        | https://tinyurl.com/ybnrmvfq     | 1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP
04.12.18 01:20 | BTC      | 1,7      | https://tinyurl.com/y8s4c7kc     | 1MBPQ445uL9kbUqq5abvcv2wdBgvjJ51KP
04.12.18 01:30 | NEM      | 264992   | https://tinyurl.com/ycr35va3     | NBLI5G-ONLML2-5RY666-BQL2QS-IIMCJT-EUT5PJ-R7MF
04.12.18 02:14 | BURST    | 7643993  | https://tinyurl.com/yat7pjna     | BURST-2WVC-EJXY-TMMW-2SQRW
04.12.18 12:42 | BTC      | 1,840    | https://tinyurl.com/ycknktjx     | bc1qy8ypdjjqkh663j83k4zlv8cxw8nte08m042nxf
04.12.18 12:44 | OmiseGo  | 2329,436 | https://tinyurl.com/y9tuss5q     | 0xd26114cd6ee289accf82350c8d8487fedb8a0c07
04.12.18 12:45 | LTC      | 117,602  | https://tinyurl.com/y895dtvs     | LhpfUpX32CTyd8MekNJkdXAX9BZYUzHNtW
04.12.18 12:48 | BCH      | 5,899    | https://tinyurl.com/ydctqokv     | Qzhpt232rhktu2zzll55cf4vthyya8mtw5nsg9auu9
04.12.18 12:48 | DASH     | 4,929    | https://tinyurl.com/ya23s6y9     | XerirSmDu9YjbdG641uNsg5tmnb2twvrgE

I wish I had never had this experience in my life, but I cannot turn the clock back. If anybody has a good idea how to track down the thief, the reward will be 10% of the recovered sum or a minimum of 10,000 USD in case of success.

There is one more piece of information: the thief also tried to corrupt my Gmail account, and Google gave me this information:

Time: Yesterday, 03:10
Location: Lithuania
IP address: 46.166.160.158

It can be checked here: https://tinyurl.com/y782ufvu

I am looking desperately for any kind of help or ideas on how to go on with this case.

Thank you for any help.

Valerian77 (Sr. Member)
Re: I GOT HACKED AND LOST 1 MILLION
December 05, 2018, 11:11:17 PM. #3

Quote from: Harkorede on December 05, 2018, 10:49:53 PM
> OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate on where the coins were held: is it a multi-wallet (if yes, which wallet?), how did it happen, or what do you think could have happened? A malware installation, a phishing site, or anything that is more specific.

The coins were held in these locations (order corresponding to the list in my first posting):

Currency | Place
DASH     | Qt-Wallet on Laptop
BCH      | ElectronCash on Laptop
BTC      | Binance.com
BTC      | Kraken.com
NEM      | Simplewallet on Laptop
BURST    | Desktop wallet on Laptop
BTC      | Exodus wallet on Laptop
OmiseGo  | Exodus wallet on Laptop
LTC      | Exodus wallet on Laptop
BCH      | Exodus wallet on Laptop
DASH     | Exodus wallet on Laptop

Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD, both with the Electrum version for their blockchains. I used the same long password for different things; in particular, my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT, and that was it: one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.

(There is no need to discuss the stupidity of using Win10, using the same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system.)

MagicByt3 (Sr. Member)
Re: I GOT HACKED AND LOST 1 MILLION
December 05, 2018, 11:14:19 PM. #4

Very sorry to read.

Do you know how the funds were compromised? Do you have malware on your system?

NPM has recently been compromised and coin-stealing malware was found in packages from NPM. Do you use NPM?

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

edit* No need, didn't see you were using Windows.

I am not sure there is much that can be done; you could contact exchanges and make them aware of the stolen coins, to see if they show up on any exchange. I would also keep the system offline: if the attackers have access they could attempt to wipe their tracks if the machine is connected again.

You could also run Wireshark to see if there are any strange packets or connections that might help, though it may not be advisable to download anything onto the machine if you are reporting it to the authorities. They may ask you to preserve it as evidence.

Edit* If you think it was a keylogger there may be some traces of where it set the logs to.

hubballi (Sr. Member)
Re: I GOT HACKED AND LOST 1 MILLION
December 05, 2018, 11:19:10 PM. #5

Quote from: Valerian77 on December 05, 2018, 11:11:17 PM
> Quote from: Harkorede on December 05, 2018, 10:49:53 PM
> > OMG! That's enormous! Sorry for your loss. It would be of great help if you could elaborate on where the coins were held: is it a multi-wallet (if yes, which wallet?), how did it happen, or what do you think could have happened? A malware installation, a phishing site, or anything that is more specific.
>
> The coins were held in these locations (order corresponding to the list in my first posting):
>
> Currency | Place
> DASH     | Qt-Wallet on Laptop
> BCH      | ElectronCash on Laptop
> BTC      | Binance.com
> BTC      | Kraken.com
> NEM      | Simplewallet on Laptop
> BURST    | Desktop wallet on Laptop
> BTC      | Exodus wallet on Laptop
> OmiseGo  | Exodus wallet on Laptop
> LTC      | Exodus wallet on Laptop
> BCH      | Exodus wallet on Laptop
> DASH     | Exodus wallet on Laptop
>
> Basically it was a stupid combination of failures. I use Windows 10 and tried to claim BTCP and BCD, both with the Electrum version for their blockchains. I used the same long password for different things; in particular, my password safe had the same pw as the DASH QT wallet. So after I started the Electrum clients (which I tested before with Defender, SuperAntiSpyware and www.virustotal.com) I had to do a little thing in DASHQT, and that was it: one of the wallets, most likely BCD, spied my password through a keylogger and the hacker had access to everything.
>
> (There is no need to discuss the stupidity of using Win10, using the same passwords many times, storing 2FA codes in password safes or testing new software on a vulnerable system.)

In your comment itself you have told how you got robbed. This mainly happens when claiming hard-fork coins; a lot of users got hacked this way before, too. Your first fault was that you were using the same computer for surfing and for storing all your important wallets and documents. Your second fault was using the same password everywhere, which made it an easy job for the hacker to hack all your wallets and other online accounts.

But you are telling us that your Binance and Kraken exchange accounts also got hacked; on both of these exchanges you should have enabled 2FA security, so how did he hack them?

If you had not enabled 2FA then it is really very bad that you were so careless with your security features, which caused you this big a loss. This is a really very costly lesson for you for being careless with your security features.

Valerian77 (Sr. Member)
Re: I GOT HACKED AND LOST 1 MILLION
December 05, 2018, 11:46:44 PM. #6

Quote from: hubballi on December 05, 2018, 11:19:10 PM
> But you are telling us that your Binance and Kraken exchange accounts also got hacked; on both of these exchanges you should have enabled 2FA security, so how did he hack them?
>
> If you had not enabled 2FA then it is really very bad that you were so careless with your security features, which caused you this big a loss. This is a really very costly lesson for you for being careless with your security features.

Binance and Kraken were easy for them. They got my password safe and took the 2FA backup codes from there. Then they made a happy backroll and continued their raid.

Google was the only company which detected abnormal behaviour patterns and disabled the account very quickly; I was able to unlock it with a trusted telephone device. Kraken set up a new withdrawal address (the one I listed above) on command from the hacker, but disabled the account after I sent them my report on the hacking, after I had already changed pw and 2FA. Binance basically has not even replied to my report so far. I changed passwords and 2FA codes for all accounts and need to set new passwords for a list of 100 or so services.

bitarmor (Newbie)
Re: I GOT HACKED AND LOST 1 MILLION
December 06, 2018, 02:08:29 AM. Merited by suchmoon (4), DarkStar_ (4), ETFbitcoin (1), Bitcoin_Arena (1). #8

I did a lookup. That IP originates from Lithuania; the ISP is UAB Cherry Servers, with Azure configured as the name server, and Cherry Servers are providers of cloud hosting services, so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because, from Cherry Servers' pricing page, their services are quite expensive and I am not sure someone other than a well connected group could afford it.

I also tried pinging, but got no response, but

Code:
nmap -sV -Pn 46.166.160.158

reports open ports 3389: ms-wbt-server and 7070: ssl/realserver, which confirms that the attacker is running a Windows OS and uses RDP for his trade.

I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online, but without login creds I can't do much. Maybe someone with advanced pentesting skills could take it up from here; let's put an end to all this criminality.

MagicByt3 (Sr. Member)
Re: I GOT HACKED AND LOST 1 MILLION
December 06, 2018, 10:42:42 AM. Merited by vapourminer (1). #17

Quote from: Valerian77 on December 06, 2018, 10:24:43 AM
> Quote from: buwaytress on December 06, 2018, 07:05:47 AM
> > My ears are burning even though this wasn't mine. They must have planned this properly, to have emptied out all of those wallets and accounts quickly while you were away.
>
> I was not away; they did it very quickly and I could literally see how they drained my wallets.

With all the forks going on I am surprised we don't see more horror stories like this one. Every time I see a coin now that says 1:1 claim I become very wary.

Looking at the time stamps it seems they possibly reconned this before they made the move, so they might have had a good bit of time in your system to be able to strike across all those platforms in a short space of time.

I would agree this is not likely to be a lone wolf hacker or script kiddie if they went to the trouble of running via a VPS and then onto your system.

First hand I would be changing the RDP port on your machine.

The port setting for Remote Desktop Services is found in the Windows Registry. In order to change this setting we will need to change the PortNumber value in the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Changing the port will stop them re-connecting to your machine in the short term. I would also check your settings in Windows Control Panel, then go to Remote Desktop and turn it off (on by default).

You could also run netstat with some additional flags to see if there are any processes running on the machine that have established connections. Or run TCPView and see if there is anything showing there that might give you a clue to how they penetrated your system.

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
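The RDP and connection checks listed in the post above, collected into a read-only triage script (an added example, not code from the thread or from any poster): it reads the Remote Desktop enable flag and the listener PortNumber from the registry key named above, lists established TCP connections with their owning process (what netstat -ano or TCPView would show), and pulls successful RDP logons from the Security log. It uses only built-in cmdlets, so nothing has to be downloaded onto a machine that may be kept as evidence; it assumes an elevated PowerShell prompt on the affected Windows host.

```powershell
# Added example, not from the thread: read-only RDP / connection triage for a
# Windows host. It only reports; it changes no setting. Run elevated.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"   # the key named in the post above

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means inbound RDP is allowed.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { 'Remote Desktop: ENABLED (fDenyTSConnections = 0)' }
else             { 'Remote Desktop: disabled' }

# 2. Which port does the RDP listener use? The default is 3389.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($port -eq 3389) { "RDP listener port: $port (default)" }
else                { "RDP listener port: $port (non-default)" }

# 3. Is anyone connected to the RDP listener right now?
Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

# 4. The netstat -ano / TCPView view: every established connection with its process.
Get-NetTCPConnection -State Established |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path = if ($proc) { $proc.Path } else { '' }
        [pscustomobject]@{
            Process = $name
            PID     = $_.OwningProcess
            Path    = $path
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } |
    Sort-Object Process |
    Format-Table -AutoSize

# 5. Successful RDP logons: Security event 4624 with LogonType 10 (RemoteInteractive).
#    4624 property indexes: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
                  @{ n = 'User';   e = { $_.Properties[5].Value } },
                  @{ n = 'Source'; e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

A remote address in step 3 or 4, or a logon source in step 5, that is not yours is the lead worth handing to whoever investigates; taking the host offline first, as suggested earlier in the thread, does not prevent steps 1, 2 and 5 from working.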

Valerian77 (Sr. Member)
Re: I GOT HACKED AND LOST 1 MILLION
December 06, 2018, 10:54:32 AM. #18

Quote from: bitarmor on December 06, 2018, 02:08:29 AM
> I did a lookup. That IP originates from Lithuania; the ISP is UAB Cherry Servers, with Azure configured as the name server, and Cherry Servers are providers of cloud hosting services, so the hacker(s) definitely used a VPS to conduct this attack. I do not think this attack could be one guy but a well organized group. Why I think so is because, from Cherry Servers' pricing page, their services are quite expensive and I am not sure someone other than a well connected group could afford it.
>
> I also tried pinging, but got no response, but
>
> Code:
> nmap -sV -Pn 46.166.160.158
>
> reports open ports 3389: ms-wbt-server and 7070: ssl/realserver, which confirms that the attacker is running a Windows OS and uses RDP for his trade.
>
> I tried connecting to the IP over my Windows RDP software and there's a response showing that the system is still online, but without login creds I can't do much. Maybe someone with advanced pentesting skills could take it up from here; let's put an end to all this criminality.

Very valuable remarks, thank you.

I also strongly believe the hackers were an organized group. From starting the likely infected BCD wallet to the point where they literally knew everything about my system and infrastructure was just minutes. And they needed to find the password safe files and a matching program to read them, which is now only available under Android. Finally, they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH, which I did meanwhile. So they came very quickly, executed their damaging work and left a disaster for me.


I also strongly believe the hackers were a organized group. From starting the likely infected BCD wallet to the point where they literally knew everything over my system and infrastructure was just minutes. And they need to find the password safe files and a matching program to read it - which is now only available under Android. Finally they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH which I did meanwhile. So they came very quick, executed their damaging work and left a desaster for me Very valueable remarks - thank youI also strongly believe the hackers were a organized group. From starting the likely infected BCD wallet to the point where they literally knew everything over my system and infrastructure was just minutes. And they need to find the password safe files and a matching program to read it - which is now only available under Android. Finally they did not waste time with problems. They left BTG in the Exodus wallet because Exodus does not accept all address formats. And they did not claim the BSV from the stolen BCH which I did meanwhile. So they came very quick, executed their damaging work and left a desaster for me