I use Litecoin Core 0.14.2 on a MacBook Pro. The wallet was created many years ago. The wallet is encrypted and I also took a back-up when I first created it.
When I logged in back in October I had 33.4 LTC in the wallet. I then loaded up the wallet on 29th November and the wallet sync’d recent transactions as I expected. However, the transaction window shows all my Litecoin, 33.4 LTC, were transferred to another address on 18th November 2017.
Nobody else has access to this password-protected encrypted machine, and the wallet back-up is safely stored on an encrypted USB stick that nobody has accessed.
How can my wallet have been emptied without someone having access to my wallet? I have lost all my LTC.
I’m going to list here a series of other addresses for transactions that happened at the same time as my wallet was emptied. I hope that at some time in the future, the owners of these wallets will come forward and search for their LTC and come across these addresses and this post about wallet insecurity and theft:
Amounts that appear to have all gone to the same address that day were 0.08LTC, 0.4LTC, 100LTC, 44.1LTC, 39.9LTC, 37.5LTC, 33.4LTC, 32.7LTC, 19.8LTC.
So the transactions that took place all went to individual addresses. Those individual addresses were then sent to this address: LS2m85SnR4iPrkmSn6Ur8p8hmVxwWN8j1x
This address totalled 305LTC (worth over £18’000 on the day of the transfer). Sadly that was then transferred somewhere else, etc. Very difficult to track down.
Also note, I went searching for alternative wallets (though I personally don’t believe it’s the wallet that is the issue. This was done 100% without access to my files or computer), and discovered that ElectrumLTC for Mac was hacked in 2017, and users had downloaded an exploited version of that wallet. The “important notice” at the top of the page here: https://electrum-ltc.org Who knows how many other wallets have been exploited in this fashion.
Somewhere, my 33.4LTC are sitting in someone else’s wallet. And I want them back.
Any help would genuinely be appreciated.
I find it hard to believe brute force was the issue.
What kind of use does that laptop get? What networks have you been on lately?
Did you upgrade to High Sierra before 18 November when the LTC was withdrawn?
Sounds like post hoc ergo propter hoc. How do we know if the Litecoin system was fooled and not just your system? (Not trying to be confrontational here, I just have a lot more faith in public-key cryptography and asymmetric key algorithms than I have in Apple, especially after the High Sierra issue.)
No confrontations at all. Difficult to tell from just text alone. I appreciate you giving a reply. Any help or ideas from anyone is appreciated, no matter how small or how silly the question might be.
I do not believe I had upgraded to High Sierra at that point.
The laptop is used for email and photoshop. That’s about it. I have used a bunch of networks, and did connect wirelessly to a new network at a studio I’ve started working at. However…
The main thing to point out here, to rule out anyone physically gaining access to my laptop is that I had it with me. I was at work, the laptop was in my bag on that day. Unused, not booted up or connected to anything. When the transaction took place, I was rehearsing with a crew in a studio.
This did not happen using my computer at the time. I 100% guarantee that.
So in order for this to have been done elsewhere with a different wallet, someone would have needed both my public and private keys, imported them into a new wallet somewhere and made the transfer. My wallet.dat file is encrypted. Even if they managed to get a copy of it, they would have to break that. My passphrase is complicated. But regardless they would have needed both. This is what I’m referring to when I’m saying it is insecure.
My wallet, as far as I was concerned, was at maximum security with regards to the settings within the software itself. The addition of my laptop being encrypted and password protected is another step, but I appreciate if it is turned on and left accessible that leaves it open to someone knowing exactly what to look for, but still needing the additional information to import to another wallet.
I’m curious to know if there are log files within the software I can look at (Litecoin Core 0.14.2). The debug.log shows everything from 29th Nov only, and not from before. I guess it overwrites at a certain point.
You didn’t torrent Photoshop, did you? Any torrenting at all? Run any application from an unidentified developer? Do you use that password for other services? Did you save a backup of your wallet somewhere?
There is system.log that goes back a month or a week (depending on your configuration) but that might register something strange. Should be able to search for “litecoin” and maybe also check logs from the day of the incident. You can view it using Console.app, /var/log/system.log on Mac.
Probably wise to run malware detection on your laptop. You could be a victim of a new form of malware that targets crypto wallets since there’s big money in exploiting them now. I don’t think it’s too unreasonable to think someone logged your keystrokes and got a hold of all *.dat files on your computer.
These are good suggestions too. Photoshop is official. I’ve run BitDefender, MalwareBytes and Avast. Nothing pops up as unusual, though I appreciate key loggers may not.
The passphrase for my Litecoin wallet is (was, because I’m now no longer using it) unique for that wallet only. The wallet is backed up on an encrypted USB stick that is securely locked in a safe. The USB stick is encrypted itself.
There are two options I see; a key logger (at which point my email, bank account, ebay, PayPal and anything else) could be affected. Nothing else appears to have been affected so far, but I have used another device to change all passwords anyway, just in case.
I’ve seen on other forums people using software (HashCat) for cracking encrypted keys, etc. I don’t think it unreasonable that it was somehow reverse engineered.
Seems a lot of effort by an individual. Going from the investigation I’m still going through myself, it seems another 9 wallets were hit, with their LTC transferred into a master account alongside mine. It looks to have been something automated.
Update: It amazes me how much hacking and malware is out there.
On 1st August, the Electrum wallet folks put a note on their website saying infected binaries were replaced on their website without their knowledge. It’s on a note at the top of their page here: https://electrum-ltc.org
Handbrake, a video conversion tool for Mac, was also targeted not long ago.
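The log check suggested earlier in the thread (search system.log for "litecoin" on the day of the incident) can be scripted so that rotated copies are covered as well. This is an added example, not part of the original posts; the function names and sample lines are constructed, and it assumes rotated logs sit beside system.log with a .gz suffix.

```shell
#!/bin/sh
# Added example: find syslog lines for one calendar day that mention a keyword,
# across the live log and gzip-rotated copies (assumed naming: system.log.N.gz).

# scan_logs DIR MONTH DAY KEYWORD -> matching lines, prefixed with the file name
scan_logs() {
    dir=$1; mon=$2; day=$3; kw=$4
    # syslog pads single-digit days with a space ("Nov  8"), so build the
    # prefix with %2d instead of matching "Nov 8" literally.
    stamp=$(printf '%s %2d ' "$mon" "$day")
    for f in "$dir"/system.log*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac | grep "^$stamp" | grep -i -- "$kw" | sed "s|^|$(basename "$f"): |"
    done
    return 0
}

# Constructed sample data (not real logs) so the example runs offline.
make_sample_logs() {
    d=$1
    cat > "$d/system.log" <<'EOF'
Nov 29 09:14:02 mbp Litecoin-Qt[612]: constructed sample line, later session
Nov 18 13:02:11 mbp kernel[0]: constructed sample line, unrelated
EOF
    printf '%s\n' \
        'Nov 18 13:05:40 mbp Litecoin-Qt[401]: constructed sample line, day of interest' \
        'Nov  8 10:00:00 mbp litecoind[77]: constructed sample line, other day' \
        | gzip -c > "$d/system.log.0.gz"
}

tmp=$(mktemp -d)
make_sample_logs "$tmp"
scan_logs "$tmp" Nov 18 litecoin   # on a real Mac: scan_logs /var/log Nov 18 litecoin
rm -rf "$tmp"
```

An empty result only means nothing was logged under that keyword on that day; system.log entries carry no year, so confirm the file dates cover the period in question.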