Been robbed
-
said in Been robbed:
BURST-GAJL-VWKN-2XPB-H39R9
What is strange is the 15 zero transactions before the theft means it was a bot to phish your passphrase. If I'm right then you must have just used your passphrase at the time of those 15 zero transactions. Let me know if I was right.
-
@Burstde I saw those zero transactions too! Fishy fishy
Edit: zero transactions were asset transfers, noted. Thanks @Energy
-
Who is this guy? He doesn't look like a miner. He made one transaction before this theft? Can anyone vouch for them?
BURST-RL8F-QNEW-28UN-7W6FF
-
-
@luxe The only online wallet I've used is the burst-team one and the local wallet, and the burst-team one was always https.
I have an antilogger installed so I doubt that I was keylogged.
@Burstde Even if we did roll back the blockchain the guy still has access to my account and can transfer them. This would also require all nodes to roll back, or a new release.
-
@luxe said in Been robbed:
@Lexicon Your account seems to be not the only one robbed, the target account BURST-9HTR-WSSF-XY9H-7HUNW got money from several accounts.
If brute force is impossible (222 chars) passwords must have been grabbed somewhere else ... ask yourself ... did you ever use your pass on online wallets without https, solo mine through a pool url, download burst software from somewhere else than the org. source or expose your password in another way through the internet? Guess your pc was not infiltrated due to the other affected accounts ...
@luxe From what I understand, the passphrase never gets sent over the internet, it gets encrypted client side.
@lexicon Please run a rootkit detector on any PCs you have logged in from.
-
@Focus To the best of my knowledge you're correct and the passphrase itself is not sent, but if the communication can be captured, a replay attack may be possible, using a different transaction body with same hashed passphrase. That's why I'll never do anything on straight http wallets.
-
@haitch said in Been robbed:
@Focus To the best of my knowledge you're correct and the passphrase itself is not sent, but if the communication can be captured, a replay attack may be possible, using a different transaction body with same hashed passphrase. That's why I'll never do anything on straight http wallets.
So would this wallet be vulnerable to attack and anyone who has used it, be screwed?
-
@Focus said in Been robbed:
@luxe from what I understand, the passphrase never gets sent over the internet, it gets encrypted client side.
Also the client can be manipulated ... you have to trust the ones that host the wallet, and whether they got the wallet from a trusted source (I'm kinda paranoid sometimes ...)
@Lexicon So, do you have any idea what could have happened? I just try to figure out, to warn others ...
-
@socalguy said in Been robbed:
@haitch said in Been robbed:
@Focus To the best of my knowledge you're correct and the passphrase itself is not sent, but if the communication can be captured, a replay attack may be possible, using a different transaction body with same hashed passphrase. That's why I'll never do anything on straight http wallets.
So would this wallet be vulnerable to attack and anyone who has used it, be screwed?
What haitch is saying is he could have been a victim of a man-in-the-middle attack, meaning someone has to be either on the same network or close to Lexicon's network to capture packets.
-
@Focus ok
-
Here is what we have so far guys, I am asking for help on this.
The suspect: BURST-9HTR-WSSF-XY9H-7HUNW
The accounts that got hacked:
BURST-RMJ7-9MSC-5FMB-32G5D
50'618 Burst
BURST-PDGU-57FE-6AJ4-4V8VP
90'489 Burst - No assets
Last Transaction - 12/16/2014 03:07:21
BURST-GAJL-VWKN-2XPB-H39R9
3'241'029 Burst
BURST-WMMV-BF7N-KZZC-AYDE6
80'736 Burst - No Assets
BURST-EYZ9-2NHP-VN4T-72RU4
37'683 Burst
So, looking at the above we attacked these angles:
1. Password sniffed or compromised from online wallet?
This cannot hold true because the 3rd account has not been used since December 2014.
2. Exploit on the asset exchange?
No, because 2 out of the 5 accounts had no assets.
3. Pool software?
Possible but highly doubtful. Lexicon was on his pool.
The others are as follows:
BURST-7Z2V-J9CF-NCW9-HWFRY - .eu
BURST-6WVW-2WVD-YXE5-EZBHU - .biz
BURST-8NZ9-X6AX-72BK-2KFM2 - v2pool x 2 accounts
So different software.
4. Brute force attempt?
Most probable, would have to confirm with the passphrases the other 4 accounts were using.
5. Surfbar?
Lexicon had used it but not sure if it was around in Dec. 2014.
What else: this person is definitely a coder, because all transactions were done seconds between each other, so that says botted (automated).
-
-
@Lexicon one of my mods told me about what happened to you, really sorry and I hope you will be able to find who did this!
-
All of the 5 accounts were emptied and all assets put up for sale on the asset exchange within 30 minutes.
The assets that were worthless were left behind. So it's someone who knows nxt or burst.
-
this is some f'ed up shit man... got me shook!
just curious tho, @Lexicon why do you mention nxt?
-
Ok guys, we found the source of the breach. The surfbar installed a rootkit, something they said they had removed a while ago.
PLEASE DO NOT USE THE SURFBAR ANY LONGER
Those who have the surfbar please check the following location for this file:
\AppData\Roaming\dclogs
It has been logging all your browser actions.
-
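As an added example (not posted by anyone in this thread), this script sweeps every user profile for the \AppData\Roaming\dclogs path Focus pointed at and reports its size and last-modified time, so the date can be compared with the early-December infection window. The profiles root, the non-Windows fallback and treating a directory as well as a file as a hit are assumptions.

```python
"""Sweep user profiles for the dclogs artifact named in the thread."""
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

# Relative path quoted in the thread. The poster calls it a file, so a
# directory of the same name is reported as well (assumption).
ARTIFACT = Path("AppData") / "Roaming" / "dclogs"


def profiles_root() -> Path:
    """Parent folder of all user profiles (C:\\Users on Windows)."""
    if os.name == "nt":
        return Path(os.environ.get("SystemDrive", "C:")) / "Users"
    return Path("/home")  # assumed fallback for non-Windows hosts


def find_dclogs(root: Path) -> list[dict]:
    """One record per profile under `root` that contains the artifact.

    Path.iterdir()/exists() see hidden entries, so the 'Show hidden
    files' setting mentioned in the thread is not needed here.
    """
    hits = []
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        target = profile / ARTIFACT
        try:
            if not target.exists():
                continue
            st = target.stat()
            size = (sum(f.stat().st_size for f in target.rglob("*") if f.is_file())
                    if target.is_dir() else st.st_size)
        except OSError as exc:  # e.g. another user's profile is not readable
            hits.append({"profile": profile.name, "path": str(target), "error": str(exc)})
            continue
        hits.append({"profile": profile.name, "path": str(target),
                     "is_dir": target.is_dir(), "bytes": size,
                     "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)})
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else profiles_root()
    found = find_dclogs(root)
    for h in found:
        if "error" in h:
            print(f"unreadable {h['path']}: {h['error']}")
        else:
            print(f"{'dir ' if h['is_dir'] else 'file'} {h['path']}  {h['bytes']} bytes"
                  f"  last modified {h['modified']:%Y-%m-%d %H:%M UTC}")
    sys.exit(1 if found else 0)
```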
We will deactivate the surfbar in the next hours. I want to mention that the infection occurred in the beginning of December. Please check your AppData folder like Focus said. Activate "Show hidden files" to find it.
-
... and if we have no such file in the roaming folder? I've been using a "side browser" for the surfbar.
-
I'd say don't use the surfbar, I've honestly never liked the thing from the day it was released.
-
@k.coins No files means the keylogger we are talking about has not infected you. As I said, only people who used the surfbar in the beginning of December 16 are maybe in danger. It depends on many variables: which browser, which anti-virus and so on...
VM and Linux users are fine.