Please stop using brain wallet! and Refund to you

To everyone who uses NanoWallet
Please stop using brain wallet.

Brain wallet is very dangerous.
With no access to your Wallet or private key, hackers take all of your funds.
If you are currently using Brain Wallet, please be sure to shift to Simple Wallet.

As for the migration method, create a new simple wallet and transfer all funds from brain wallet. After that, please do not make money to Brain Wallet and do not use it. You can purge from NanoWallet so that it will not be used by mistake.

The hacking report has increased very much. Please be sure to respond as much as possible.

I explain the fundamental difference between Simple Wallet and Brain Wallet.
And, it also introduces the password meaning of simple wallet.

Although it is a quotation elsewhere, please refer to it.

Also, if you set a very simple password, we will deposit funds here before black hat hacking.
A simple password does not mean a short password. I actually found a password of more than 40 characters.

The deposit address is as follows.

NAZXEM-KDB3IQ-K4NU2C-X6RHIQ-D342W2-AOKRYA-AJV3

At that time, we will send you a message so please follow the instructions.
If you wish to make a refund please fill out this topic.

Many white hat hackers have cooperated and the protected funds are collected at the same address. I only know the secret key of that address.
I have been asked to return the funds and I am doing the procedure here.

Thank you for your consideration.

The response time for this topic is 1:00 to 11:00 GMT, Monday through Friday. (My TimeZone 10:00 to 20:00 at JST)
There are times and days when I can not respond, such as when I am out.
In addition, I am unable to respond when the day or time is designated as a holiday in Japan.

Donation destination address: NCH4UST5ITXTMLWSHKYFAAZXJNCSP7OFW3B3654L

15 Likes

tuto on simple wallet. https://www.youtube.com/watch?v=go-q3iEIVH0&t=2s

1 Like
Technical Details (hidden per mod request)

This thing needs a disclaimer as it makes it seem way worse than it is.

  1. Brainwallets are not inherently dangerous. They are if you use a weak password. Not enforcing a stronger password was indeed a huge oversight in earlier version of nano but it is enforcing 40char limit now and brainwallets are fine to use if you use a (pseudo)randomly created >=40 char password.

  2. This is not a problem with nem nor is this matter unique to nem. You could have a brainwallet in any crypto and in fact many support it. The problem with weak passwords is the same everywhere. You use a weak password your funds are bound to be stolen simply because of the nature of brainwallets not because of weak implementations or bugs in any particular software.

  3. Technically there was never any hacking going on. The fact of the matter is that any 2 people using the same password will end-up with the same account since the private-key is derived from the password directly. So then there are people out there who start bruteforcing wallets i.e. trying weak passwords until they find an account that has funds in them. I’d be hesitant to call this hacking as it’s really an attribute of brainwallets. Same password, same account. Simple as that.

I share the concern but let’s make things very clear and not turn to fear mongering. If nano had enforced strong passwords from day 1 there would have been exactly 0 reports of stolen funds. That is the problem, not brainwallets themselves.
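The "same password, same account" property described in this post, next to the simple wallet model, as an added example that is not part of the thread and not NanoWallet's code. The hash, round count, KDF settings, XOR wrap and `check` field are assumptions chosen so the sketch runs on the Python standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ROUNDS = 6000  # assumed round count, for illustration only


def brain_wallet_key(passphrase: str) -> bytes:
    """Brain wallet model: the passphrase alone determines the private key."""
    digest = passphrase.encode("utf-8")
    for _ in range(ROUNDS):
        digest = hashlib.sha3_256(digest).digest()
    return digest


def _pad(password: str, salt: bytes) -> bytes:
    # Slow KDF so every guess against a stolen wallet file costs real work.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               200_000, dklen=32)


def new_simple_wallet(password: str) -> tuple[bytes, dict]:
    """Simple wallet model: random 256-bit key; the password only wraps the file copy."""
    key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    wallet_file = {
        "salt": salt,
        # XOR with a one-use KDF pad: stdlib stand-in for a real wallet cipher.
        "wrapped": bytes(a ^ b for a, b in zip(key, _pad(password, salt))),
        # Stand-in for the public address; lets unlock() reject a wrong password.
        "check": hashlib.sha3_256(key).digest(),
    }
    return key, wallet_file


def unlock(wallet_file: dict, password: str) -> bytes | None:
    """Recovering the key needs the wallet file and the password together."""
    pad = _pad(password, wallet_file["salt"])
    key = bytes(a ^ b for a, b in zip(wallet_file["wrapped"], pad))
    ok = hmac.compare_digest(hashlib.sha3_256(key).digest(), wallet_file["check"])
    return key if ok else None
```

Two users who type the same passphrase into `brain_wallet_key` get the same key, while two simple wallets created with the same password hold unrelated keys that are useless to anyone without the wallet file.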

Hello, my wallet hacked…pls help me…

NCPJJHY2GXGVWYBT7UBH3NK2CBZF53NIVHEA3H4U He has my xem…(

Dear @Osaking ,
Please be relieved, your funds are protected.

First of all, please read topic number 1 firmly.

This is the screen of mobile wallet.
However, you are supposed to be using Brain wallet.
Have you imported your account from NanoWallet and used it?
Please do either one.
· Create a new wallet with Mobile Wallet
· Create simple wallet with NanoWallet

When the above work is completed, please tell me the newly created address.
I will remit the same amount and fees from here.

Thank you.

3 Likes

I create new wallet
How much symbol in password ?

Is this a new address?

In the case of simple wallet, the password becomes a password to remove the encryption of the “encrypted secret key” stored in the wallet.

In other words, if the “encrypted private key” is stolen by a virus or the like, the time until it is solved becomes the strength of the password.

Complex and long things are good, but since it will be entered every time, please find a compromise point that seems just fine.

It is also possible to put password management software in the smartphone.

Finally, I would like to do personal identification.
We will send private messages separately, so please handle it.

Thank you.

Yes, this is my new address

1 Like

Thank you for your reply.
We sent the contents of personal authentication by private message.
Please confirm.

Thank you.

Dear @Osaking ,
I really appreciate your cooperation.

Since individual confirmation was obtained, we will refund the funds.

Take fund
http://chain.nem.ninja/#/transfer/5cee696960341b9053164d242a3b12c46febe375f9dab2678f655740ea8ce8df

Refund
http://chain.nem.ninja/#/transfer/27439e5e8a39d39ba25d2c66b1240dfb70fb9a578ed355d1d2e2734b02f61b77

Back up your wallet and private key securely.

Thank you very much!!! Amazing 🙏🙏🙏

1 Like

Your funds were protected from Black Hat Hacker.
Congratulations.

1 Like

Since the question has arrived at PM, I will post it.

There are two ways to change simple wallet password, transfer to new address and private key import.
Private key import has the advantage that the address does not change.
Since the original is a simple wallet, there is no problem with importing.

However, if you change the password, Remote Account address and Secondary Address will change. This is because the password is related to the child account generation method of the BIP32 account.


With Simple Wallet it is virtually impossible to analyze the secret key using the current computer. This is because the computer creates a secret key from a sufficiently long random number. However, this is a condition that the virus or hacker has not been illegally invaded.

Brainwallet will take out the funds without entering the other’s computer.
The brain wallet’s secret key is generated from the password.
Even with over 40 letters, human characters can predict to some extent.
Safety can be secured if there are 40 random characters, but nothing is kept in keeping with any precaution.
That is why I do not use it.
And it is Simple Wallet that you do not need to worry about this at all.

Simple wallet passwords are effective when a virus or hacker is infiltrated into the PC.
The secret key is encrypted with the password and it is in the PC.
If we think on the premise that it is hacked, we also need to strengthen simple wallet passwords.
This is the area where convenience and safety are balanced. It has to be decided by individual judgment.

However, there is currently software that saves passwords safely.
It is also possible to save NEM’s Wallet password in that.
In this case, even if setting a very strong password, input effort will not change.

The latest NanoWallet has a function to measure the strength of the password.
You can calculate a measure of strength using this.

Enter the password to be set for Passphrase.
Since graph and analysis time will come out below, we will check this strength with reliance on this.
First is the red part of the graph Score.

Please be sure to make it 4/4 here. There is a fear that it can be broken by dictionary attack.
Even with random values, 11 characters are required at minimum to be 4/4.

Next, pay attention to the value of “Estimated Guess Times”.
Here, the analysis time of the password is shown from the number of calculations performed per second.

· 10/second
· 10,000/second
· 1,000,000,000/second

My MacBook Pro 2013 Late (Intel core i7 2.6 GHz) is about 33/second.

From here it will be my imagination.

If you optimize the code using GPU, it seems to be about 1000 times faster. Assume a little more 100,000/second.
Parallelization is very effective for this code, so if you are rich in individuals, you may be able to go up to 10 times this level. 100,000,000/second
1,000,000,000/second will definitely need a big data center.

The following example is a random character string using all alphabetic capital letters/lowercase letters/numbers/symbols.
In case of manual input Please read after recognizing that the risk to be analyzed increases.

Example 1
Xp;f[8rFt>{sJ8&
It takes more than a century at random 15 characters 10K / sec. It seems that this is the realistic lowest line.

Xp;f[8rFt>{sJ8&zMY
random 18 characters has become considerably safe.

Xp;f[8rFt>{sJ8&zMYQ3
random 20 characters very safe now.

Example 2:
Let’s also assume a word password. However, for such passwords NanoWallet did not give very accurate calculation results.
Below, we will explain with the value calculated based on entropy.

imbecile clop nose ordinary cortical balboa (6 words) It varies depending on the word list to be used, but it is as strong as 15 random characters of example 1 in 6 ~ 7 words.

homolog polis serving vagrom unduly divagate stripy heath parody doorman (10 words) This is safer than the random 20 characters in Example 1.

By the way, word passwords used in hardware wallet are used in 12, 18, 24 words. (default value is 24 words.)

Both Example 1 and Example 2 are calculated on condition that there is perfect randomness.
If human hands are added here, the strength of the password will definitely drop.
In addition, this information is for reference only. Depending on the evolution of the computer, it will become a weak password immediately.

Please make a good password.

Thank you.

1 Like
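The entropy arithmetic behind Example 1 and Example 2 in the post above, together with a generator that takes every character from the OS random source, as an added example that is not part of the thread. The 94-symbol alphabet and the two word-list sizes (7,776 for a Diceware-style list, 65,536 for a large dictionary) are assumptions; the guess rates are the three listed in the post.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
RATES = (10, 10_000, 1_000_000_000)  # guesses per second, as listed in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password(length: int) -> str:
    """Draw every character from the OS CSPRNG, never from a human."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def char_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` uniformly random characters."""
    return length * math.log2(alphabet_size)


def word_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` uniformly random picks from a word list."""
    return words * math.log2(wordlist_size)


def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def words_to_match(chars: int, wordlist_size: int) -> int:
    """Fewest random words at least as strong as `chars` random characters."""
    return math.ceil(char_bits(chars) / math.log2(wordlist_size))


def report() -> list:
    """(length, bits, [years at each rate]) for the 15/18/20-character cases."""
    rows = []
    for n in (15, 18, 20):
        bits = char_bits(n)
        rows.append((n, round(bits, 1), [years_to_search_half(bits, r) for r in RATES]))
    return rows


if __name__ == "__main__":
    for n, bits, years in report():
        print(n, "chars", bits, "bits", ["%.1e y" % y for y in years])
    for size in (7776, 65536):  # assumed word-list sizes
        print(size, "word list:", words_to_match(15, size), "words ~ 15 random chars")
```

The word counts move with the list size: under these assumptions 15 random characters correspond to 7 words from the 65,536-word list but 8 from the 7,776-word list, and none of the figures hold once a human picks the characters or words.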

Hello, my friend's mobile wallet was recently hacked and all of the funds were withdrawn. Can you tell me whether there is any way to help him get his coins back, or is it too late? Thank you, I await your reply.

This hacked account is an account I know well.
We do a lot of hacking, and funds are robbed by many people.

I am sending a mosaic called “dangerous.this_user_is_a_hacker” to the account I certified as a hacker.
You can refer to it from the following information.

http://chain.nem.ninja/#/account/NBT3QYGLML4FVYN23MMP3NYOMFKY5X74DBA5VATX/0

This hacker does not show how to dispatch so much money.
Because it is very difficult to identify.

If you want to collect the funds, you will always need to monitor this account and hold down where you brought it to the exchange.
Currently it has not reached it yet and it is the current situation that there are not enough people to monitor at all times.

Before hacking in the future, I am doing activities to help as many people as possible. However, it is very difficult to respond after hacking.

I am sorry that I can not be a help.



Two “well known” hackers addresses are:
http://chain.nem.ninja/#/account/NBT3QYGLML4FVYN23MMP3NYOMFKY5X74DBA5VATX
and
http://chain.nem.ninja/#/account/NCWPLQCVARBYXXPCC3KDAZUQ4MNL2LNS7YIRM2XU
(both are working systematically, both are still active, it seems the latter even robbed NDOPCL-UMPKYC-VAZ6C4-PXHEYU-LNKUUB-ZMOWVE-2O44 yesterday, - 29k XEM)

1 Like

Hacker tokens have been sent to these two addresses.

1 Like

Okay, so are we sure everyone who posted a mobile screenshot created those wallets as brainwallets? Because I doubt that. If not, then there is a separate issue that needs addressing, and now.

1 Like

Up to now we are offering a screen of mobile wallet to two people.
One person has confirmed brain wallet.
Another person knows that hackers are attacking against Brain Wallet usually, so I can almost assume that he is using Brain Wallet.
Therefore, the case of mobile wallet reported here is thought to have created brain wallet with NanoWallet and imported it into mobile wallet.

Thanks