Lost all my Assets

Good evening, please help me someone to understand this, if possible.

I got hacked somehow. Everything I own was in the Cardano Ecosystem. I had two hot wallets and one cold wallet. Let’s call them Hot 1, Hot 2, Cold 1.
When I wasn’t even on the PC transactions were made from the two hot wallets:

1.) All assets were swapped to ADA
2.) The ADA were withdrawn

Hot 1
12000 ADA
stake1uyl98n9q486wexngchw8dzsl38709eeemal4tgafqxlasvqjve6z2

Hot 2
1500 ADA
stake1u9ckjvxqhrfleuv74alexdr329a0ux9ktg7uq7qs47mkqpqneaenk

After these were lost, I panicked and wanted to set up a new seed phrase on my ledger nano S (Cold 1). To stay safe I felt like I had no other option than to make a third new hot wallet (Hot 3) to swap everything there from the cold wallet (Cold 1) while I reset the ledger and write down the 24 seed phrases. After I was done maybe 20 minutes went by and the Hot 3 got drained with almost everything I own. My plan was to send it back to the new Cold 2. I know that it was a fault since the Cold 1 wasn’t touched by the adversary.

Cold 1
stake1uykfl80zfe5vy9c0rp6x76tedstf0n7xatusw2nr8zrhetqmlgyxp

Hot 3
stake1u82s6x5wwuav688fpt8ztqyl3nhwsm9e77emezqfsvcspkgy2m8zz

124000 ADA
in total drained from Hot 3 in three steps.

here are the tx ids:

5e5069b39801ace53ba7e978796acdf32492f37f450b9df8075361b0d2b96835

7c95d28acb5a489a086e731e7929e6caf8752ae921caa1af3c71a45939c287da

9a4818d8181ab9c441540dddca11f78021c132cd230db07e9540559e054e3254

That is the hacker’s address: addr1qx2v8mwzuqvpptmwhe7rwt0zx8xxhhgrxrwrww7quma8f6rj43lvvx2usrgfks5pzuajmxp0znt9z8pmj2ykzh2q2xdqm6ckm3

It happened just like in the Hot 1 and Hot 2 drains. First the largest FT-Bags were swapped through DexHunter in Taptools and then withdrawn as ADA.
I managed to save a little bit (few NFTs and small bags of FTs), but it’s peanuts compared to the $IAG bag I had. I know I shouldn’t have sent it away from my cold wallet, but I was afraid to lose it, too. Fuck my life, I still can not comprehend this. Please help me if possible

Thank you in Advance, Cardano Fam

I would have advised to try if the people at Xerberus can help you analyse it. But I see you have already contacted them.

I’d personally keep expectations rather low. They can help analysing movements on the blockchain and maybe can identify which CEX was used for cashing out. But then it’s still very far from getting anything back. The CEX has to be willing to help and even if they are willing, it is entirely possible that the attackers already cashed out, cannot reliably be identified or are somewhere where it’s hard to impossible to get to them.

To at least find out what happened: Did you use all three hot wallets in the same wallet app? Were those different wallets with different seed phrases or accounts inside the same wallet with the same seed phrase?

If those were all different seed phrases maybe even in different wallet apps, it looks like your computer was compromised (as opposed to just having given the seed phrase away). And severely compromised if it is actually monitoring you creating a new wallet and emptying it minutes later.

Another curious thing here is that the attacker’s account is not the usual freshly created account used just for accumulating some prey and then cashing out. This account has been used for more than three years, has more than 15000 used addresses, is staked, and still has more than 1 million ADA in it: https://adastat.net/accounts/72ac7ec6195c80d09b4281173b2d982f14d6511c3b9289615d40519a That’s kind of odd.

That’s indeed very curious, somebody doesn’t even try to cover their tracks…

In the meantime, we got a little further in researching this in other communication channels:

That is not the attacker’s account. It is https://tradeogre.com/ which is a kind of crypto to crypto CEX that does not require any KYC, just an e-mail address (that is not even verified to be real).

So, in this case, the attacker did not use any Cardano wallet they control themselves, but just went directly to cashing out.

Worth remembering if any address associated with stake1u9e2clkxr9wgp5ymg2q3wwednqh3f4j3rsae9ztpt4q9rxsyjanpd comes up.

(TradeOgre was kind of helpful in telling where the prey went further. Not sure if that will help in the end.)


Good there anyway… it does make sense that it’s some CEX address…

As for ufuk42, has any light been shone upon how this happened?

The TradeOgre Twitter account is also where one is directed to for support.
I wrote him and he gave me a BTC address with roughly 25k USD worth on it and only one (receiving) transaction. He also said that he “blocked” the hacker’s account.

The prices on his exchange are bad, but not that bad. What was stolen from me is roughly 3 times the worth of that address. After looking into the Cardano address of the exchange I saw 70k ADA were sent there a day before I wrote him. That had to be the address he gave me.

I then sent him a screenshot of the transactions with my money (week before). I asked him to unblock the first account, but he said it was the same account!
Seems like he is still successfully draining wallets.

For the transactions from my wallets he answered me with 7 BTC addresses receiving the BTC between 6:10:59 and 6:32:47 PM UTC on 19th October 2024.

A: (0,20319758 BTC, ~14700 $)
bc1qmhku9sncj3hrja4vd6g03wy9jzscusuuwy4a8s

B: (0,07648851 BTC, ~5500$)
bc1qle3ux5ftnx7e39jrgq8m564ukt506z0y2vdksx

C: (0,12381476 BTC, ~8900 $)
bc1q9ldqahe2grmngaq4dkww8c4c7zf5da6y4cwv68

D: (0,11800527 BTC, ~8500 $)
bc1qpemw2y6eghgktuv5pm8qap20zhpax4w4duuuku

E: (0,10853207 BTC, ~7800 $)
bc1qvm3yelqswrkmdchc4ke4qtkc4kl2s4spj0jhyk

F: (0,04559793 BTC, ~3300 $)
bc1qt5lgfa4swvwdy7tz67nq4w4hzzk877ncf9we6x

I tracked them yesterday and found that all were new addresses; only C has been moved to G1 and G2.
G1:
bc1qlx3lky4gftc3p2et5zuk9v7jgjkxwmtnypkq9h

G2:
1DNedn8o4v4xd6A2BQ4uEVPcRBHrdz6pbk

G1 is also a new address, but G2 is where things get interesting. It’s a Legacy Address and has nearly 1200 transactions.

Shortly after arriving at G2 another transaction happened with the exact same amount. The output of that transaction was split into 8 addresses.

H1:
18bYvustaVxkxA5wbh9D9adM4vGDCsB3Hd

H2:
bc1q2thnmvcwqh9rxfc4t3kvcq8cn4jr0na3n5jkqc

H3:
bc1q2thnmvcwqh9rxfc4t3kvcq8cn4jr0na3n5jkqc

H4:
bc1q9whknfhfwf5fdckl4qnk7wyku3cxx77n7ndzxp

H5:
bc1qrwssqyz7fjluddsvyqx89c5534hrythsjkrvec

H6:
bc1q38nv77w7danh9jgy8csq85p9dk5a4shnej7cvq

H7:
3GvQJuR7ST3FFRmsSc1SNPH2hJWgLA6YXk

H8:
1AQLXAB6aXSVbRMjbhSBudLf1kcsbWSEjg

Here it becomes chaotic and hard to track. Half of them have millions in overall transaction volume.
Especially H1 has 3.8 billion $ total volume.
I also saw the tag “Binance” in a bitcoin explorer in a recent transaction of the H1 address.
In H2 I saw a tag “Fixed Float”, seemingly a Bitcoin Lightning exchange.

If you can recommend anyone who is good at tracking BTC funds…