Suspect my system is compromised, but new

I am trying to learn more about using Cardano and started a GCP server hosting an Ubuntu image from a YouTube video on creating a Cardano POS box (https://www.youtube.com/watch?v=FSs1OcgT498&t=1022s). I previously created a wallet on my Windows machine, and used that key to restore my wallet on the Linux box. I had some ADA on an exchange, and wanted to get it to a private wallet, so I clicked Receive and copied the address. Sent the withdrawal request and have verified the address was correct. Meanwhile, I am working on some armor for my daughter. I watch the transaction on Binance complete, and in the blockchain explorer. I saw my ADA transaction, and thought all was good. I see the amount in my balance and go about my business. Came back a bit later, and my balance is 0.XX again. Now I checked the address I used to withdraw from Binance, and verified (many times) that the address was correct. The transaction seems to show the amount I was sending. I search the wallet-generated address on the Cardano blockchain and come up with the following: https://cardanoexplorer.com/address/DdzFFzCqrhsszCDh5vAXgvCZPdLxV7H3MUnaCFFPy8pyEjBC2uCBxBG365GnGWzTNuwcmwMen9VLusifLM2LqkkMoozDqTSBkVVyReDe

If I am understanding this right, the transaction @05/13/2018 16:08:31 was the send to my wallet from Binance, but the transaction @05/13/2018 16:26:31 seems to be a transaction withdrawing (sending) FROM my wallet. This is curious; I didn't initiate a withdrawal from my wallet. The Daedalus version is 0.8.3. The transactions tab just shows a spinning circle. I am feeling more confident my funds are gone; however, I thought I would reach out in the event I am not understanding something right.
When I loaded Daedalus (v0.8.3 Release Candidate) I then clicked Restore Wallet and entered the phrase and password I saved from when I created the wallet on Windows. Restore completes. I click on Receive, copy the address from Receive in Daedalus, and paste it into the withdraw request on Binance. Wait for the transaction to complete; funds should be in the wallet. I have the Cardano-SL layer running in the background, so it should update. Did I make a misstep?
Weird thing also: when I searched my wallet address (which is also listed in both Linux AND Windows) there were 2 prior transactions I did not make either (as shown in the blockchain explorer).
I don't see any transactions on my Windows wallet. The balance on my Windows wallet is the same as the Linux wallet. The Windows wallet shows 0 transactions at the time of restore (and currently). Maybe it takes a while for the transactions to load on my VM using 0.8.3, so I am letting the transactions tab go for a while and getting some distance. Things I don't understand: the generated address in the RECEIVE tab of the Linux machine should be unique, correct? The RECEIVE address on my Windows wallet contains the address I sent to. If this address is unique to my wallet, regardless of OS, then that would seem to indicate system compromise. Would it be fair to say that the most likely result is compromise?

It’s possible your Windows box was compromised a while ago. Did you ever save your 12-word seed online somewhere as a text file or screenshot (dropbox, google docs, etc)?

I haven't saved my seed on any storage, local or otherwise. I screen-capped it, printed it straight away, and closed Paint without saving. I typed up a version in Notepad and printed it straight away also. Closed Notepad without saving.

If he restored from seed then shouldn’t it be the exact same wallet, just on 2 different OSes? I would think that a generated address and all transactions would appear on both wallets.
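
Added example, not from this thread and not Daedalus or Cardano code: the point of the reply above is that a wallet restored from the same seed phrase is the same wallet on any machine, because every key and receive address is derived deterministically from the seed. The Python below shows that with the standard BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus passphrase), using the first public BIP39 test vector as input, followed by a simplified HMAC-SHA512 key chain. The HMAC key string "Illustrative HD wallet", the child-key construction and the `addr_` encoding are assumptions made up for the illustration and are not Cardano's scheme, so the output looks nothing like the DdzFF... addresses in the thread; what it does show is that two independent "restores" agree address for address, and that a different passphrase is a different wallet with no overlap.

```python
import hashlib
import hmac
import unicodedata
from typing import List, Tuple

# Constructed input: the first public BIP39 test vector (passphrase "TREZOR").
# It is NOT the poster's seed phrase.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes out.
    Salt is the literal 'mnemonic' followed by the passphrase; both inputs
    are NFKD-normalised as the spec requires."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    s = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", m, s, 2048, dklen=64)


def master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """Split HMAC-SHA512(seed) into (private key, chain code).
    The HMAC key string is an assumption for this example; BIP32 uses
    'Bitcoin seed' and Cardano uses its own construction."""
    digest = hmac.new(b"Illustrative HD wallet", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def child_key(parent: bytes, chain_code: bytes, index: int) -> Tuple[bytes, bytes]:
    """Simplified hardened-style child derivation (assumption): HMAC the parent
    key and index under the chain code. Real HD wallets add elliptic-curve
    arithmetic here; the deterministic structure is what matters for this demo."""
    data = parent + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def toy_address(key: bytes) -> str:
    """Hypothetical address encoding: a tagged truncated hash of the key.
    Real wallets hash a *public* key; 'addr_' is invented for readability."""
    return "addr_" + hashlib.sha256(key).hexdigest()[:40]


def derive_addresses(mnemonic: str, passphrase: str, count: int) -> List[str]:
    """What a restore actually needs: the phrase (and passphrase) alone
    reproduce the same receive addresses, in the same order, anywhere."""
    key, chain = master_key(mnemonic_to_seed(mnemonic, passphrase))
    return [toy_address(child_key(key, chain, i)[0]) for i in range(count)]


def restore_matches(mnemonic: str, passphrase: str, count: int = 5) -> bool:
    """Simulate the Windows box and the Linux box restoring independently.
    If the address lists differ, the two clients are not showing one wallet."""
    windows_box = derive_addresses(mnemonic, passphrase, count)
    linux_box = derive_addresses(mnemonic, passphrase, count)
    return windows_box == linux_box


if __name__ == "__main__":
    print("seed:", mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex())
    for a in derive_addresses(TEST_MNEMONIC, TEST_PASSPHRASE, 3):
        print(a)
    print("same wallet on both boxes:",
          restore_matches(TEST_MNEMONIC, TEST_PASSPHRASE))
    # A different passphrase is a different wallet entirely: no shared addresses.
    print("addresses shared with empty passphrase:",
          set(derive_addresses(TEST_MNEMONIC, TEST_PASSPHRASE, 3))
          & set(derive_addresses(TEST_MNEMONIC, "", 3)))
```

The practical check this encodes: if a restore on a second machine shows different receive addresses than the original, the phrase or passphrase entered was not the same one, rather than the second machine having "made up" addresses; conversely, matching addresses on both machines say nothing about whether either machine has leaked the seed.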

OK, so this being my first experience I am uncertain what my expectations should be. I created an additional wallet on my Windows box, and noticed that the RECEIVE tab had fewer generated addresses. In fact just the one. Whereas the first wallet I set up had many, before I even sent anything to it. I thought it was a bunch of pre-generated addresses to choose from, but now I have doubts. As a test I have sent additional ADA to my other Windows wallet. IF my Windows system is compromised, they should vanish also, I would imagine. I verified the generated address had no prior transactions. When completed, I will try to restore this wallet and see what happens. Notably, I now see when the transaction completes, it shows up on the wallet SUMMARY tab. My prior transaction does not show up on my test wallet. I can see the address listed in the RECEIVE of my test wallet, yet zero transaction history posts. I can search the history of the address and SEE transactions.
How is that possible? How can there be ANY balance and no transactions listed in the wallet?

So to recap:
Windows has 2 wallets (test and other)
Sending additional ADA to the other Windows wallet
https://cardanoexplorer.com/address/DdzFFzCqrht3q3y7QonFxDP5NmCChcBTijeDhAuxfXp2s2qdvfSKxjah645cHuyRGzCxeBsyGeXg19DLaN1oYAT9Juyvk24CSkESGEDW
Will restore ‘other’ wallet and see what those results are.
Will the transaction history follow?
I would suspect that IF my box was compromised, I will not have this ADA long.

Well, good news: ADA is still there as of this morning. On my way to work, but I plan on performing the next couple of steps:

  1. Restore OTHER wallet to a different Windows box. Apples to apples.
  2. Restore OTHER wallet to Linux box.
  3. Contrast results.

OK, round 2:
ADA still available (so compromise is beginning to falter).
Restored wallet to a different Windows box, and the transaction history from the old box is present in the different box.
This seems a reasonable result.
So things I have left to do:

  1. Restore OTHER wallet on Linux VM
  2. Monitor for ADA presence
  3. Create transactions between Linux and Windows
  4. Contrast results from Linux vs Windows

So, having come this far, my outstanding question has not really been addressed:

How can I have a balance on a wallet and 0 transactions?

Inconsistent wallet cache, probably caused by interrupted wallet restoration.

Can this be corrected? My balance on that wallet has actually changed a couple of times, but it still shows 0 transactions. Also, I am not making these transactions. Should I delete it and restore it?
EDIT: this is the original wallet I set up, and it hasn't had a restore initiated before.

Well, ADA is still on the OTHER wallet, so either it's not worth it for them, or system compromise is unlikely.
This weekend I will fire up the Linux VM and send some ADA to a CONTROL wallet. If the transaction shows up there, and does not vanish, I can begin to trust the VM. Additional conclusions will need further evidence at that point.

OK, restored the wallet on the Linux system.
The transaction history appeared on the Linux system, in contrast with the previous wallet restoration.
Only one receive address was populated, again different from the first wallet.
It's parked there, so I will wait and see if the ADA remains, or if the system is in fact compromised.

Can you create a new wallet and move it real quick, just in case?

Also, the new release is out now. Maybe that will help as well.

Well, I have updated the Windows client to the new version. I don't see an update for the Linux version.
ADA is still present, so I don't think the Linux box is compromised.
All the wallets came back: the two I know I control, and the one I don't.
It seems (albeit a very uninformed observation) that when the first wallet was created, it got mixed up with someone else's wallet and the generated RECEIVE addresses. Somehow, the original wallet is present in my Daedalus, but I cannot send any ADA. It has a balance on it of 0.002359, but the SEND tab shows I have 0.00000. I have seen this balance change at least 3 times without me initiating any transactions.
At this time, my Daedalus wallet seems to show someone else's wallet; I can't transact with it, and my original ADA was sent to a generated address (shown in my Daedalus) but seemingly not in my control. This was then sent away by someone else.
While I could delete the wallet and be done with it, it seems an improbable outcome to creating my first wallet.
So, recap:
Took the seed from the new wallet I created on my Windows box and restored it to my Linux box.
It's been a couple of days, and I still have a balance, so I don't think my box is hacked.
The transaction history (the only record is the receipt from Binance) was displayed in the restored wallet on the Linux box.
The WEIRD wallet still shows voluminous generated addresses, but the transaction history is a spinning circle, and I can't send anything from it.
The only generated address on both the OTHER and CONTROL wallets is the first generated address, and no more.