Litecoin wallet emptied, transactions happened outside the software wallet

Hi,

I use Litecoin Core 0.14.2 on a MacBook Pro. The wallet was created many years ago. The wallet is encrypted and I also took a back-up when I first created it.

When I logged in back in October I had 33.4 LTC in the wallet. I then loaded up the wallet on 29th November and the wallet sync’d recent transactions as I expected. However, the transaction window shows all my Litecoin, 33.4 LTC, were transferred to another address on 18th November 2017.

Nobody else has access to this password-protected encrypted machine, and the wallet back-up is safely stored on an encrypted USB stick that nobody has accessed.

How can my wallet have been emptied without someone having access to my wallet? I have lost all my LTC.

can you post the transaction details?

Absolutely I can…

First amount, then the fee:

11/18/17 05:14
Confirmed
Sent to LPe6aNxPLRNrziBiwmKRz9vJWMvrgfCMPC
Total: -33.41673448

11/18/17 05:14
Confirmed
Sent to LMzVXSPNxGaYcDYV8a2rvoQBjaqRyhXPE8
Total: -0.04515381

Sorry, I have no idea here, your coins move to an address with 397,470.26105946 LTC in and out.

no clue!

hope somebody jumps in and give us more info, this is so weird.

sorry bro.

Agreed. There is absolutely no way anyone had access to my wallet.

It was hacked externally, or my public and private keys were spoofed somehow. Brute-forced?

The system can be fooled, therefore it is not secure. It seems if a wallet exists, it doesn’t matter it anyone has direct access to it. Online or offline.

I’m going to list here a series of other addresses for transactions that happened at the same time as my wallet was emptied. I hope that at some time in the future, the owners of these wallets will come forward and search for their LTC and come across these addresses and this post about wallet insecurity and theft:

LURNQkk7C4G2UvEGrQKH8Eo2ViGGfGjTZe
Lg5iSvqtXASnaRzhxNw6eUUBh5HvumpEPX
LXiSaRLmtSki6D4P4EuDuEbVTSMiEDATqL
LeFvH5jzCkbriVe6SpKzTLt2Z1HfgotXD1
LLZBw13JGL9pATuhLhxjWkwSEd4Di4dRrv
LL3F4AxMkE3CgVc4SeHhiDDEmVVaRpnez7
LLBgiNpXCwZpBuWh7dD1tVkpidVe6AVc8s
LX98x7rF1uSdTNSJr585hPJsaznbmaDdba
LiKvftPTtz1p9EjMyoQdUVVHkUXJg2v1Wu
LUnvaJKhV21xwWaDC82SKSKpiYiihBUnDp
LRC9UK7CvaEQjgW84hBWw9E7yZghh22WPw
LWCr1JJCZo2TfM5YN692S5jm2HqSvgga5R
LiJTWpDYYXPy6RKyDq2NVjZ6t7x52dtZ9b

Amounts that appear to have all gone to the same address that day were 0.08LTC, 0.4LTC, 100LTC, 44.1LTC, 39.9LTC, 37.5LTC, 33.4LTC, 32.7LTC, 19.8LTC.

So the transactions that took place all went to individual addresses. Those individual addresses were then sent to this address: LS2m85SnR4iPrkmSn6Ur8p8hmVxwWN8j1x

This address totalled 305LTC (worth over £18’000 on the day of the transfer). Sadly that was then transferred somewhere else, etc. Very difficult to track down.

Also note, I went searching for alternative wallets (though I personally don’t believe it’s the wallet that is the issue. This was done 100% without access to my files or computer), and discovered that ElectrumLTC for Mac was hacked in 2017, and users had downloaded an exploited version of that wallet. The “important notice” at the top of the page here: https://electrum-ltc.org Who knows how many other wallets have been exploited in this fashion.

Somewhere, my 33.4LTC are sitting in someone else wallet. And I want them back.
Any help would genuinely be appreciated.

I find it hard to believe brute force was the issue.

What kind of use does that laptop get? What networks have you been on lately?

Did you upgrade to High Sierra before 18 November when the LTC was withdrawn?

Sounds like post hoc ergo propter hoc. How do we know if the Litecoin system was fooled and not just your system? (Not trying to be confrontational here, I just have a lot more faith in public-key cryptography and asymmetric key algorithms than I have in Apple, especially after the High Sierra issue.)

No confrontations at all. Difficult to tell from just text alone. I appreciate you giving a reply. Any help or ideas from anyone is appreciated, no matter how small or how silly the question might be.

I do not believe I had upgraded to High Sierra at that point.

The laptop is used for email and photoshop. That’s about it. I have used a bunch of networks, and did connect wirelessly to a new network at a studio I’ve started working at. However…

The main thing to point out here, to rule out anyone physically gaining access to my laptop is that I had it with me. I was at work, the laptop was in my bag on that day. Unused, not booted up or connected to anything. When the transaction took place, I was rehearsing with a crew in a studio.

This did not happen using my computer at the time. I 100% guarantee that.

So in order for this to have been done elsewhere with a different wallet, someone would have needed both my public and private keys, imported them into a new wallet somewhere and made the transfer. My wallet.dat file is encrypted. Even if they managed to get a copy of it, they would have to break that. My passphrase is complicated. But regardless they would have needed both. This is what I’m referring to when I’m saying it is insecure.

M wallet, as far as I was concerned, was at maximum security with regards to the settings within the software itself. The addition of my laptop being encrypted and password protected is another step, but I appreciate if it is turned on and left accessible that leaves it open to someone knowing exactly what to look for, but still needing the additional information to import to another wallet.

I’m curious to know if there are log files within the software I can look at (Litecoin Core 0.14.2). The debug.log shows everything from 29th Nov only, and not from before. I guess it overwrites at a certain point.

You didn’t torrent Photoshop, did you? Any torrenting at all? Run any application from an unidentified developer? Do you use that password for other services? Did you save a backup of your wallet somewhere?

There is system.log that goes back a month or a week (depending on your configuration) but that might register something strange. Should be able to search for “litecoin” and maybe also check logs from the day of the incident. You can view it using Console.app, /var/log/system.log on Mac.

Probably wise to run malware detection on your laptop. You could be a victim of a new form of malware that targets crypto wallets since there’s big money in exploiting them now. I don’t think it’s too unreasonable to think someone logged your keystrokes and got a hold of all *.dat files on your computer.

These are good suggestions too. Photoshop is official. I’ve run BitDefender, MalwareBytes and Avast. Nothing pops up as unusual, thought I appreciate key loggers may not.

The passphrase for my Litecoin wallet is (was, because I’m now no longer using it) unique for that wallet only. The wallet is backed up on an encrypted USB stick that is securely locked in a safe. The USB stick is encrypted itself.

There are two options I see; a key logger (at which point my email, bank account, ebay, PayPal and anything else) could be affected. Nothing else appears to have been affected so far, but I have used another device to change all passwords anyway, just in case.

I’ve seen on other forums people using software (HashCat) for cracking encrypted keys, etc. I don’t think it unreasonable that it was somehow reverse engineered.

Seems a lot of effort by an individual. Going from the investigation I’m still going through myself, it seems another 9 wallets were hit, with their LTC transferred into a master account alongside mine. It looks to have been something automated.

1 Like

Yes, that a possibility. Sounds like you did everything you should have done on your end to be safe, probably more than most do. Sorry to hear about your loss.

Let me know if you were able to review system.log for that day. I know Mac doesn’t always store that far back.

Update: It amazes me how much hacking and malware is out there.

On 1st August, the Electrum wallet folks put a note on their website saying infected binaries were replaced on their website without their knowledge. It’s on a note at the top of their page here: https://electrum-ltc.org

Handbrake, a video conversion tool for Mac, was also targeted not long ago.

Eltima have a blog post that their torrent download software, Folx, was also hacked and binaries replaced on their site, and they discovered this on 19th Nov 2017 (coincidence?). You can read about that here: Folx & Elmedia Player malware threat Neutralized

MacWorld have stated that the Eltima binaries would have uploaded “keychain data, browser history, browser cookies, SSH private data, 1Password data, cryptocurrency wallets, and more stolen and uploaded to an attacker-controlled C&C”. Details here: Sophisticated Mac OS Malware Uses Trust and Developer Certificates | Macworld

So a dodgy Folx torrent downloader could very well have been the cause here (but not confirmed). I’m now off to completely reinstall my operating system…

1 Like

No unfortunately none of the logs go back that far. I will dig out the last back-up I took, but I don’t think it’ll cover it.

Unfortunately, cyber crime pays.

Were you using Folx?

Rule #39

здравствуйте! подскажите качественный и надежный litecoin wallet? спасибо!