Missing 10,000 ADA, have I been hacked?

I’ve been keeping around 10,000 ADA in the first version Daedalus wallet. I only attempted to open my wallet once a month ago and closed it long before the blockchain was synched cause I didn’t have the time. Last week I updated to the latest Daedalus, synched the blockchain, and when I logged in I saw a transaction from a month ago sending my ADA away.

All 10,000 is gone, I’m left with like 0.7 ADA.

Here is the transaction:
From addresses

DdzFFzCqrhsny6ppF2huTa61Ev91PQAvkY8piUjYvU2eYjPomvEYzabjaUDepJhbGfRYbF5ZEzkFfAAWc3Cqv29BxgsLQrsTsgd7gne4
To addresses

DdzFFzCqrhsx21kCQiSQ3SnhouL7U81HKagHKMKJrBjRN3Yo9gT3ikVuAFshWMqoub5fUg1qzdYZu9pTeEydU9Yb3fwawBDNrKaxw7hb
DdzFFzCqrht8oALCKJbR7eJCGzAUBwi6JTzcD1m5A7kDDWqz541FXudNEuaF6vTpPcQTfYmfxnnxLVR2BaLbXEqotrmxH5t6oVDhvevb
Transaction assurance level

High. 177215 confirmations.
Transaction ID

36ec8336abf51e17b8332782a55d96310bfaacc36093d2deffc54359b8871603

How could something like this happen? Has my computer been hacked? Was there a vulnerability in the first Daedalus build?

I’d love some answers as to what happened, I can provide log files and such if that’s helpful.

Hi @headsaflame,
did you set up a passwort for daedalus?
Does anyone have physical access to your computer?

1 Like

Where or how did you keep your recovery phrase? It is likely that either your laptop is hacked or the place you keep your recovery phrase is unsafe.

I never set up a password for Daedalus (my first mistake) but as far as I know I’m the only one who has physically accessed my computer. I had my recovery phrase saved as a screenshot on my PC (my second mistake). Still I don’t see how someone could have sent my ADA without even opening the wallet.

Another interesting thing is the date this transaction occurred was the day after I started at my new job on a new network. Could something be infecting the network that could remotely trigger the Daedalus wallet?

I think it might be a good idea to make password creation mandatory for Daedalus wallets. What steps can I take now to secure my system? I’m running Sierra on a macbook pro. I ran Malwarebytes and it only found one thing that didn’t seem to be related.

Is it possible that you have sharing enabled on your MacBook Pro? If so, someone could have copied your screenshot and restored your wallet onto another machine and transferred the ADA after restoring.

The address your ADA was sent to only has 4 transactions, all within a 4 day period.

https://adatracker.com/address/DdzFFzCqrht8oALCKJbR7eJCGzAUBwi6JTzcD1m5A7kDDWqz541FXudNEuaF6vTpPcQTfYmfxnnxLVR2BaLbXEqotrmxH5t6oVDhvevb

Someone able to copy/read that screenshot is able to use it on a different computer to restore that wallet and then “savely” transfer it to another address.

The optional (and recommended) spending password helps preventing this. (EDIT: wrong assumption. when recovering with the seed the spending password is not required. The spending password is an extra protection in case someone who shouldn’t get access to the users desktop)

I just checked and apparently my macbook pro’s built in firewall was turned off, it was accepting all incoming connections. This probably had something to do about it. My keys were screenshots saved in a folder on my desktop, like 5 levels deep. I’ve since deleted all those and am now using a zip drive to store them.

Yes, and it has an interesting history. Each transaction is made from an address with only two transactions (one input and one full output) and each transaction moves only whole ADAs, so all the change goes back to the owner wallet. And all the 5 addresses these 4 transactions came from got their coins directly from an exchange address (distinctive massive input with a small amount going to a user and a massive “change” going back to an exchange).

And all the “exchange” transactions to original 4 wallets (5 addresses) were in December and January.

UPD: also, for the latest of 4 transactions two inputs gave the total of 4839.154 ADA, and 4839 ADA could not be moved, since remaining change would not be enough for a fee, so output is 4838 whole ADA

@headsaflame, at least you you can sign-up to “watch” this address on the adatracker, to see any future movements. And if it goes to an exchange - it might be possible to talk with them.

Also, @headsaflame, if you don’t have any remaining funds in this wallet, and it is anyways compromised - would you be willing to post the keys here, so we could check out some address relationships later?

3 Likes

I had gotten my ADA straight from the exchange and left it in Daedalus. I still have some change left in my wallet but not even a whole ADA. If I posted my keys here what else could you learn about the transaction?

Thanks for looking into this more, it all seems so fishy. I was hoping to get some clarity about how this happened. Maybe we can learn something to prevent other people from having the same experience.

2 Likes

@vantuz-subhuman Any theories about why this hack would insist on round numbers? They could just be OCD or anal as I can relate. :wink: Just wondering if there might be a technological edge or similar aspect to this. I noticed they only have those two periods of activity as well. Silence on that account since March.

@headsaflame I’m sorry this happened to you. It really sucks. I appreciate you being philosophical about it and at the very least this should prevent something like this from happening to someone else. Thanks for bringing it to the forum.

I would take @vantuz-subhuman’s advice and track this account on adatracker. When something moves at that address it will automatically email you. I’m wondering if there is a way to identify what exchanges the thief has used analyzing the existing traffic so you can contact the exchanges ahead of any moves of funds to thier platform in the future. @vantuz-subhuman… Any ideas there?

1 Like

How would you identify an exchanges wallet address? Telling whether it is an exchane is one thing, but knowing which one it is? It’s longshot but might be all we have to go on. I’ll track the address and see where it leads.

Never ever have keys in screenshots, on pc or phones, keys should be in physical form only or heavily encrypted, but I would stick to physical - same goes for anyone else reading this, if you care about your ADA - in the future with “AI” viruses these will be scraped easily - and there will come a day where a virus sweeps the internet and a huge chunk of people who have done this, will get rekt in a short period of time… then a solution might come, but its already to late for everyone who made the mistake.

Even if someone has just once had a screenshot, you are at risk, since files cant just be deleted from a harddisk, the normal delete function, does not actually delete things. Your hardisk doesnt know how to delete things, it just creates space for new files to be written on top on… So its only a flowing probability of being deleted over time…

Sorry to hear about your loss though, annoying.

A zip drive lol :smiley: ? is that a floppy disk?

and was there really no password on the first Daedalus wallet version? that sounds weird since that almost sounds like the key would have been held un-encrypted, I highly doubt that. Or did you create the wallet without having to create a password for it when you havent had use it? is that an option Daedalus allows?

2 Likes

Exchanges are not going to be judges in these matters, obviously. You have to think about it from the point of misuse. In large cases they could potentially get involved due to court enforcement, but 10.000 ada is a drop in the bucket in the scheme of things.

It might be a script identifying feature. For example, script just looks at the balance and then round it down for the nearest integer, hoping that the change will be enough for a fee. If transfer fails - subtract 1 ADA and try again. It’s a possibility, but no more than a guess, tho. Mostly I just pointed it out, so in the future we would recognise the same pattern if it ever happens again.

A script hypothesis implies that it most probably got access thru API, tho, and the Daedalus must be running for this to work. But if it’s true - then a malware might be a possible cause.

@headsaflame, Unfortunately, I think, asking for some official help from IOHK would be the only option here. And of course the chance of getting it is minimal, since the stealing is unprovable. But you can send them link to this thread, and they might offer you to send them any exchange address, coins end-up on, and they might be able to identify it, since they keep contact with the majority if not all exchanges.

But you also should be ready to possibility that it will be quite hard to track coins: https://www.schneier.com/blog/archives/2018/03/tracing_stolen_.html

The main point is that we will be able to additionally “sanity-check” the credibility of you words (addresses not related, etc). It might sound harsh, but trust is trust and evidence is evidence. Any issue creates a lot of possibilities that has to be “assumed away” and if some of them might be eliminated by an experimental hard-evidence data - it should. Just a question of narrowing down possibilities.

One of the points is that you would want to make this post as credible as possible, especially in the light of my previous point, that you might send a link to this post to IOHK support.

4 Likes

Agreed. I’m thinking more from the point of view that you’re giving them a heads up that they have a malicious actor on their system that they might want to watch.

Hi @headsaflame

I had my recovery phrase saved as a screenshot on my PC

  • Was your seed stored on another PC or on your Mac? Might be worth a shot to check your host files to see if your computer is owned
  • Do you remember the name of the MalwareBytes infection?
  • Were you connected through WiFi or Ethernet at the time?

You might ask for help on Reddit in r/netsec or r/computerforensics (hint they will be more inclined to help if there is a small fee). Even if your coins is not recovered at least you will have some idea who to shake your fist at

Reminder to never write your 24-word seed on anything with an internet connection.

If you guys want to do more investigating, here is the wallet’s 12 word key phrase:

1 Like
  1. My seed was stored in a folder on my mac as a screenshot.
  2. Malwarebytes found this file: com.genieoinnovation.Installer
  3. I was on wifi at the time

I do not think that genieoinnovatiohm has anything to do w/ the hack. First check whther your Mac was Powered on and that your Daedalus was running when those transaction occured. I would recommend a clean install of ur mac as the backdoor is probably still open. Sirry for the typos but typing from an ipad.

1 Like

My computer was powered on but Daedalus never was running. Are there any logs I can access that will tell me when it was running last? All I see is the transaction and I think it was from a day I tried opening the wallet but wasn’t successful.