Attention, coins disappear from wallets

Attention, coins disappear from wallets
everyone who used forks and applications, transfer your coins to a new wallet
More than 4700 chia coins were stolen

1 Like

Hey. My wallet has been wiped to 0 from this address chia - xch16euvttx9ynd68xzl0qefc6k2jahycuwzr7umlqya4z4hq57r2dkq6tdugu
Where to look for help and what to do now?

I am experiencing the same problem, all my coin transfer to this address too (xch16euvttx9ynd68xzl0qefc6k2jahycuwzr7umlqya4z4hq57r2dkq6tdugu) and wondering what might be the root cause.

Is this related to this topic on reddit?

What should I do? Would refreshing my address help prevent future transfers?

Did you use the forks?
are coins earned by farming or and those that have been bought
There are a dozen victims on our pool. One was stolen 30 xch

All coins are farming. Today at 8 pm the transfer came and as you can see the coins have still not been added to the account…
Chia Version : 1.7.0-rc9

20.30 exactly and the payment is still not in the account. As you can see below, the payment has arrived correctly, but it is not in the wallet


No, i’m only faming at space-pool, no fork.

What pool?

Character limits are annoying

To see the purse transaction delete the purse base and re -synchronize it. This helped my friends see the transactions related to fraud

You have used some third -party farming software or statistics or something auxiliary. Maybe at the beginning of Hpool used

Looking at the history of the address they have sent on a huge amount of chia.

Something is really starting to stink here! My payment is still not in my wallet! (from 1.5 h) despite different synchronizations

Just to be sure: we don’t offer any custom software for our pool, despite the mobile apps (which are open source).

@Kris, I’d like to help you out, by investigating what happened to your pool payout. I can scan our logs for possible suspicious activity regarding your farm.

Can you share your launcher id with me, either in this topic or in pm?

This post was flagged by the community and is temporarily hidden.

Your payout from today got moved out of your wallet pretty quickly:

(Transactions tab)

That means the hacker has your 24 word mnemonic or malicious software is still active on your computer.

My advice would be to change your pool payout address immediately. Best is to use a cold wallet. Perhaps also scan your computer for suspicious processes. You could send small amounts of XCH to your wallet and see if it stops sending your coins away when shutting down certain processes or the entire computer.

1 Like

It is currently re-scanning the PC with various anti-virus programs and malwarebytes premium version. So far no viruses have been detected. After the scan is complete, I will contact you and send you the launcher ID in a private message. Thanks for your help

If XCH moved from your wallet, either your PC, your keys or both have been compromised.

Wipe the entire computer clean, and do fresh install of OS
Create a new set of keys, keep them safe (offline) and stop using the keys you were using before.
(that means re-plotting as well unfortunately)

Pretty drastic, but that’s the only way to be sure.

Sending everything to a cold wallet also helps to at least keep those coins safe, but that still doesn’t remove the underlying breach.

Sorry for all the people who got stolen from.


I own about 3500 plots. See how much time you waste…
Virus scanners do not detect any viruses.
Scans made with various antivirus programs.

My 24 words are safely stored on a piece of paper at home… Look when this address was set this morning - see how many coins it captures

Running a scanner is not the same as detecting the offending program / script. There are no 100% proof scanners out there. So, as @Voodoo said, formatting your OS drive is more or less the only option. Potentially formatting your HDs with plots as well (as we don’t know whether that stuff can linger).

It really doesn’t matter where your mnemonics are stored. If the program / script is on your box, two lines of RPC code can lift your mnemonics. Some mouse / kbd macros can do it as well. Therefore, a cold wallet (one that was never connected to the network) is really the only option.

See how many transactions have been made just today! Today the wallet has been active

Transactions 13607

13k transactions is about 10% of nodes. So, it has to be something really popular, and potentially there are not that many so popular tools. As it started hitting today or so, whatever it is had to sit dormant for some time, or it is being delivered via either some compromised browser, or phone app / browser. Although, if the source is the phone, it would rather not have the access to the node, thus no RPC, no macros, so rather difficult to capture that many mnemonics. At least that would be my guess.

The question is whether that 13k is all that is infected, or it is still working through the infected boxes.

Maybe someone should put a goodle spreadsheet, so folks could list what things they have (chia version, OS, tools used, pool, …).