Xem got stolen from private key wallet

Hi Nem Community,
I want to report a transaction that stole all my Xem from MY account:
NDEBOG-2OE2D5-O6VMCO-HSV7IW-YTKEBY-REFS7R-FB5N
tx:
8f962c0a72839e2371ccfa37ceef3e1b13cbd8f3f3556bfa99539a47b934579f

I couldn’t believe it when I saw it, because I have been extra careful to the point of being paranoid in keeping the wallet safe.

Now I am asking myself where the thieves’ attack vector was…
What I did to create my wallet:

  1. Boot into live-Session of Linux Mint 18.2 beta. (the iso’s sha256 hash matched the official signature)
  2. Connected to my internet connection through Wifi.
  3. Downloaded the latest Universal Nano Wallet client with pre-installed Firefox and checked the Apostille.
  4. Disconnected from the Wifi.
  5. Created a simple wallet and copied the resulting wallet address and the private key into the default text editor. I connected my USB printer and printed out the file. I did not save the file and closed the text editor.
    Note: I did not keep the .wlt-file intentionally, since I wanted to create a paper wallet only.
  6. I purged the wallet from the Nano Wallet and closed the browser and rebooted my laptop, again into the Live-Session.
    Now I tested the private key by repeating the steps above but creating a private key wallet. Again, I did not keep the .wlt-file since I only want to have a paper wallet.

So far so good. Then I loaded up the wallet with Xem from an exchange (Litebit.eu). Everything seemed to be fine. I checked my balance with nembex and did not enter the private key anywhere.

Then I got interested in the DIM Ico and I decided to give it a shot. I repeated the steps above again to temporarily create a private key account to send 1500 Xem to the DIM Ico wallet. Everything worked and I continued to load my account with the help of the exchange.
Then, I checked my balance on Saturday and my 5687 Xem were gone. :frowning:
Someone sent them to the wallet address:
ncwplq-cvarby-xxpcc3-kdazuq-4mnl2l-ns7yir-m2xu

Note: please disregard the following two transactions, since it was a pending transaction from the exchange which I was able to save to a newly created wallet in time.

Now, I have checked this wallet address through nembex and I found many transactions like mine, e.g. transferring all the Xem from other accounts to this one. The only noteworthy transaction out from the thieves’ wallet address is, coincidentally(?), 15000 Xem to the DIM Ico. Maybe the attacker tried to launder the Xem through that.

Please try to find out what happened to me and potentially others here. What did I do wrong?
Did the attacker compute my private key by chance?

I am willing to give a reward for helpful answers.
Thank you for reading.

I found your transaction, are you sure you didn’t leave the “amount” field blank, making a wallet send all xem to address, also check if it’s the same address you were supposed to transfer 1500 xem to? Perhaps dimcoin has nem acc as bridge to their “main”? (I know dimcoin is a mosaic)

Thank you for replying.
It is not the address I sent the 1500 Xem to (DIM). The thieves’ address is a completely unknown address to me.
I am sure that I didn’t do another transaction because I never used my private key again after sending 1500 Xem to the DIM Ico.

Kindly explore my hacked wallet address here:
http://chain.nem.ninja/#/account/NDEBOG2OE2D5O6VMCOHSV7IWYTKEBYREFS7RFB5N/0

Nah, calculating your key or simply guessing won’t work.
If your story is true, then the thief must have a different method for obtaining your key.
Maybe a “friend” had access or you got a key logger on your computer?


No one had access to the printout of the key. That I am sure of.
For the keylogger… I used a live session of the Linux Mint OS with verified sha256 signature. So that is highly unlikely.

My best bet is a compromised wallet key-gen algorithm in Nano-Wallet or somehow I got a download that has been tampered with…

That was my intuition as well, but if one keeps generating wallet addresses with private keys, eventually he will find a wallet that is known to the NEM blockchain.

Dear @nempathic
Sad to hear this story. I hope we can find out what the cause was.
Do you have your “Linux Mint live session” installation inside a Virtual Machine on your PC? If so - a keylogger/remote access tool can still capture the contents of that VM.
Cybersecurity Suite (Antivirus/Firewall/etc.) running on that system?

Thank you. I also just want to know how it could happen. I don’t want to make the same mistake twice.

The live session was not in a virtual machine. I ran it straight from the ISO file, same as if I burnt it to a DVD.

Do you think someone could have tampered with the download from dropbox?

Sadly I just found out they stole the DIM token and the Dim coins as well. Transactions:

22da4902074b0bd18e3ca251087e267d2c8729a71957f9eef7f9529965d1b818

0f1dd486051f03e7ef24c632bf02eab1329cf5bd0d054561fd36bce53847cd2c

For that reason they sent some Xem there to initiate the transaction. I didn’t expect the payout of DIM today, so while I was at work they stole it. I was not fast enough this time.

It’s so frustrating. :worried:
The world is full of bad people exploiting others…

I hope karma gets them!

I just discovered that the thieves’ wallet address sent out another big amount of Xem to another Ico. This time the Breeze Ico with the wallet address of: NCHFO7-E5JLBY-RQOGLT-YJUTV5-AYEQGH-PDLXDC-3MG3
@brucepro
I googled “breeze and Nem” and I found your project. I am sure the thieves try to launder the Xem into tokens, while not risking their own money. First 15000 into Dim, now 8000 into Breeze.

Please help to find a way to recover my Xem… I will provide you with every info possible. You are the only person who can help to recover my lost Xem.

Wow! I am sorry to hear this. What is the address that had the XEM? Tokens are sent out as payments are received, so I am not sure how to refund or if there is even a way to verify the xem is stolen. Is there a way to prove that you are not the account owner that sent the xem to the breeze address?

I just sent you a private message.
I am ready to give all details to prove that this is not my account and that I was indeed victim of a thief.

I’m devastated. I lost already over 1000 € to that insert-terrible-word-here.

Edit:
NDEBOG-2OE2D5-O6VMCO-HSV7IW-YTKEBY-REFS7R-FB5N
This was my address that I loaded up with Xem from the Litebit.eu exchange and that got stolen 5687 Xem on Saturday. But I can’t use it anymore cause the attacker has the private key as well. It’s now a race to whoever sends the Xems or Tokens away first.

Did you have a strong password? 30-50 characters or more?

I used this as a private key wallet only… so just a temporary .wlt file.
paper wallet.

Not sure if it is possible to create a passwordless .wlt file from a private key. If so, I can imagine that it could have been stolen from localStorage or so.

Looks like that address has had quite a few transactions. Did you visit any blockchain related sites while the wallet was open? Did you share your nem info with a friend?

In the Nem NanoWallet I chose “create private key wallet”, entered my private key and got a .wlt file which I intentionally didn’t save, cause I just wanted a paper wallet. Nevertheless I used that temporary .wlt file to log in to the NanoWallet to do a transaction.

Just the nem.io website to download the NanoWallet.

I shared that with no one else. The private key was printed out and never saved electronically.

That’s an idea worth… I just don’t know how. I right away purged it when I was done with my transaction.

So you actually imported exchange address to nanowallet?

A probability could be a malicious browser extension. Do you have any suspicious browser extension installed?