Check your wallets and move funds to a cold wallet ASAP

So it looks like over the last few days several people have reported their chia has been drained to this wallet xch1sq68hqkthcpjrz0eddeesum9pg2chkpxhgygh7g45mdplkz6c66s8sx4ma.

There are reddit threads where they are trying to find the common denominator to understand how people have been hacked; the obvious suspects are Hpool, a fork, plotter or monitoring software.

So if you don’t store your chia anywhere safe like a cold wallet then it’s about time you move your funds asap.

2 Likes

So, using your compromised phone or pool app is OK? Also, checking some chia “useful” web pages (like you provided) is OK as well? Aren’t those potentially the main vectors of delivering malware?

I am not saying that what you listed are not threats, but that list is basically everything chia related, at least for now.

Actually, looking at your list, seeing plotters there should make anyone consider a dedicated box just for plotting, with nothing else installed on that box (so, if it gets infected, it will not be able to lift anything). Not seeing anything related to OSes, maybe running a plotter on Linux makes more sense now.

1 Like

I didn’t say the only suspects, I said the obvious ones. A bit ridiculous to list all possible ways don’t you think?

I really appreciate the fact that you posted about it. However, narrowing the scope, even if not intended (as you stated), may give some people a false sense of security, and they just continue what they do as normal.

I do think that if someone really wants to deliver some malware, potentially the easiest way is to compromise a website (whether that is a pool or some other chia related site). Those attacks are usually hard to detect, and potentially harder to nail down. Also, I would consider those phones really a weaker option to a desktop.

Still, maybe the best option is to isolate all chia activity (farming, plotting) to boxes that are not used for anything else, and limit access to places that may require more info.

I am not saying that I know what to do, or where to look for (am monitoring one website daily, but will stop doing that for now). I am also scared shitless, and thankful to you for the early warning.

That is the exact reason to, instead of listing something, say that everything is on the table.

I didn’t narrow the scope, but if you felt that people could assume that then all you had to do was to post something along the lines of “Hey guys, also remember that there are several other possible vectors such as…”

Now I have seen you around in this forum and I know you’re a guy that tries to be helpful, but I also know that you piss a lot of people off, and it’s because you constantly try to sound smart by being condescending. Just go back and read your first paragraph; that answer just does not make any sense compared to what I posted.

Sorry for that. Also, looking at that first paragraph, I didn’t mean you personally, but rather in general, as in your, my or someone else’s phone. The second paragraph was like a clarification that it would be better to just say that this threat may come from everywhere, at least for now. It was not really meant to go after you, at least I didn’t mean to have it sound like that.

Again, sorry, and thank you for warning the rest of those that are not on reddit (me included).

So the Chia code is, itself, safe, and devoid of any known security issues?

The computers, that I use for Chia, I use for nothing else. I never open the web browser. The only internet activity that takes place is Chia functionality related, and Windows Update related.

Can I assume that my wallet is safe?

I am asking because I have no idea how to create a cold wallet, and do not want to deal with it if my situation is considered safe.

:slight_smile: Nope. I mean, if your system will be compromised, then IMO 99% of farms will be compromised (knowing how you use your system). So, you don’t need to panic (yet).

It is just how hard you make your setup, and yours is potentially hard enough for now. You may watch this video, to eventually follow what that guy did to create a semi-cold wallet.

As far as any software, it is safe and devoid of any security issues until proven not to be, not the other way around.

The reason I mentioned phones / phone apps is that some / most of those apps include “useful” libraries (ads, stats, …), and those are virtually never scrutinized. Also, websites are compromised day in and day out; however, mostly those that may provide some benefits (extortion, bot installation). Unfortunately, it is really hard to keep a clean website (I also run a few, but just pray that those are useless for hackers, and I try to do my best to keep those sites updated).

Two vectors that you have to keep in mind are that your box shares an IP connection with the rest of your boxes (thus the entire world), and it has port 8444 open. I would say that for now, those two vectors are maybe not so much impossible, but rather hard enough to crack, to gain too little.

So, the hope is that the culprit will be identified soon, and it is not something really devious.

UPDATE
As I mentioned in the previous post, every time I hear such a thing, I am really scared shitless. I posted before my thoughts about cold wallets, and unless someone has a spare box that is never connected, and turns it off after creating a new wallet, there are risks around that. Some people advocate for using VMs, I suggested Live DVDs, and those are also robust ways, but not as secure as such a spare box. Still, the way presented in that video is not that far away, at least for now and with setups like yours (clean box, only running chia software).

1 Like

My recommendations:

Only a cold wallet is really safe.

  • A wallet address generated on a non-networked machine, the address not copied digitally to any other machine and always stored completely offline.

For what it’s worth, I recommend everyone switch to OG farming. More XCH in the long run, without these security issues.

2 Likes

Hello Voodoo. I have one question though:
All security in honors. But:

non-networked machine, the address not copied digitally to any other machine and always stored completely offline

How will you ever be able to work with your funds?

I’ll take a crack at this one:
You would temporarily activate your cold wallet (making it a hot wallet), and transfer XCH to/from your standard live/hot wallet. Then, return that temporarily hot wallet back to being a cold wallet.

So there will be a few minutes of exposure for your cold wallet, while you are making use of it. All the while, your standard hot/live wallet will never contain more than, perhaps, a single XCH win. Each win will get transferred to your cold wallet, leaving your hot/live wallet nearly always empty and worthless to attackers.

I wrote the above so that someone that better understands the process can confirm whether or not my understanding is correct.

1 Like
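The two checks discussed in this thread (the opening post's "check your wallets" against the reported drain address, and the hot/cold policy above where the hot wallet never holds more than a single win) as an added example, not code from the thread or from Chia. The record layout and field names are an assumption loosely modelled on what a wallet transaction export looks like; the sample history is constructed, and the cold-wallet address is a placeholder.

```python
# Added example (not from the thread): a defender-side audit of a hot wallet's
# transaction history. Records are CONSTRUCTED to resemble a wallet transaction
# export (destination address, amount in mojo, direction, confirmed flag); the
# field names are an assumption, adjust them to your own export format.
from dataclasses import dataclass

MOJO_PER_XCH = 10**12  # 1 XCH = 1e12 mojo
# Drain address reported in the first post of the thread.
DRAIN_ADDRESS = "xch1sq68hqkthcpjrz0eddeesum9pg2chkpxhgygh7g45mdplkz6c66s8sx4ma"
# Placeholder for the farmer's own cold-storage address (assumption).
COLD_ADDRESS = "xch1_COLD_WALLET_ADDRESS_PLACEHOLDER"
WIN_MOJO = 1_750_000_000_000  # constructed reward size (1.75 XCH)


@dataclass
class Tx:
    to_address: str
    amount_mojo: int
    outgoing: bool
    confirmed: bool


def audit(txs, allowed_destinations, watchlist, max_hot_balance_xch=2.0):
    """Return policy findings as strings; an empty list means nothing to flag."""
    findings = []
    balance = 0
    for t in txs:
        if not t.confirmed:
            continue  # unconfirmed records do not move funds yet
        balance += -t.amount_mojo if t.outgoing else t.amount_mojo
        xch = t.amount_mojo / MOJO_PER_XCH
        if t.outgoing and t.to_address in watchlist:
            findings.append(f"outgoing {xch:.3f} XCH to watchlisted {t.to_address}")
        elif t.outgoing and t.to_address not in allowed_destinations:
            findings.append(f"outgoing {xch:.3f} XCH to unexpected {t.to_address}")
    # Hot wallet should hold at most about one win; anything above is exposure.
    if balance > max_hot_balance_xch * MOJO_PER_XCH:
        findings.append(f"hot wallet holds {balance / MOJO_PER_XCH:.3f} XCH, "
                        f"above policy of {max_hot_balance_xch} XCH")
    return findings


def sample_history():
    """Constructed history: one win moved to cold storage, one win drained."""
    return [Tx("hot-self", WIN_MOJO, False, True),
            Tx(COLD_ADDRESS, WIN_MOJO, True, True),
            Tx("hot-self", WIN_MOJO, False, True),
            Tx(DRAIN_ADDRESS, WIN_MOJO, True, True)]


def unmoved_wins(n):
    """Constructed history: n wins left sitting in the hot wallet."""
    return [Tx("hot-self", WIN_MOJO, False, True) for _ in range(n)]
```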

Basically yes,

However, once your cold wallet has been hot you can’t “make” it truly cold again. Because making it hot, means you have entered the keys somewhere into a machine that is connected to the internet. The keys could now be compromised. So when you use it, consider it burnt and create a new one to store your funds in.

@KryptoMine makes a fair point though. Cold wallets basically can’t be used, except to transfer funds to. Hence the name cold wallet, short for cold storage wallet. You put your funds in cold storage where it’s safe but you also cannot use it for anything else.

1 Like

After you use your cold wallet (after temporarily making it hot), you can delete the keys associated with that wallet, via:
chia keys delete -f [fingerprint of wallet]

And when you want to, again, use the cold wallet, you resuscitate it via:
chia keys add -f [filename containing mnemonic]
(and, of course, keep the file containing the mnemonic on an encrypted flash drive)

…or
keep your mnemonic 100% off of any storage device, and have a print-out of it, and enter it manually in the GUI when you want to use your cold wallet. However, now you have it printed out, which is a security risk.

For that to happen, that machine would have to have been compromised. Correct?
If the machine you are using for this wallet dance is clean, then I imagine that your cold wallet should be safe?

In my case, my Chia machines are used for nothing, whatsoever, other than Chia. No web browsing, no downloads, no e-mail, no anything else. In such a case, the above described wallet steps should be safe (or as safe as can be).

Please correct anything I wrote, and let me know if there is a way to make the cold wallet usable in any safer way?

As mentioned, sometimes it is easier to look at the other side of the problem. Instead of focusing on the security of what you have outlined, look at the existing breaches.

So far, most likely targets were people that downloaded some non-vetted compromised software (e.g., from github - so much for the open source safe space). Potentially, there were issues with some OG based pools, and the software used to handle those farms (not sure about it, but this is where Hpool thinking points to - the original post in this thread). Although, a decent number of reported problems ended up being user errors, not really attacks.

Of course, one has to question any software that asks for your mnemonics (e.g., farmr). It is not so that I think that farmr may be an issue (I don’t), but rather that Chia doesn’t make it easy for software like farmr to work without those keys. So, in addition to being cautious about farmr type of software, my take is that a bit of pressure on Chia would help such developers provide a bit more secure solutions. Although, this is where a real cold wallet (as outlined by @Voodoo) makes it easier to some extent (potentially, when you need to warm up your wallet, you may be screwed (potentially having a latent malware) - you would need to have a clean machine, …).

We are at the very early chia stage, so are most likely not targeted by those that work on bitcoin, ethereum attacks, as those are much bigger markets for them. So far we were attacked potentially by those that are not on the level to compete with those that hack those other big coins (my take on what was reported so far), and they prey on those potentially most gullible ones.

Therefore, at least for now, your setup is ahead of the pack. The one thing that I would suggest for you is to really forget about your setup “stability” and how long it can run without reboots, but rather patch your Windows every month, as all those patches are done to improve security (stability as well). Also, one benefit of those patches is that you can do your db backups during those reboots.

2 Likes

I have never used github.
What is to stop someone from uploading malicious software, aimed at attacking Chia users, followed by some gullible Chia user seeing some new software with all kinds of descriptive bells and whistles (bait), downloading it, and getting screwed?

How many people have to review the code before it becomes available for downloading on github?

Does malicious software get found on github? Is the uploader identified and banned?

Agreed. It is why I want to use this time to lock down my XCH as much as possible.
I do not want to wait until Chia becomes a bigger target.

That machine is used strictly for plotting. The Chia services never run. It has no keys. It has no internet access. I see no reason to interrupt it, unless it acts up. If a reboot becomes necessary, then that is when I connect it to the internet and I allow Windows Update to run.

I have an XP machine that I run MAME on, that has not been patched in nearly 20 years. It also has no network connection.

As before, the code could be scrutinized, and considered all good, but a new vulnerability could be found with it, or a new version may have a malicious part. So, just stay safe, and if you are not familiar with things, just ignore those (as you are doing right now).

Yes, those people get banned, but what stops them from opening a new account, getting a new email. It is not really a github thing, as any “legit” software downloaded from any sort of app store may include libraries that were clean yesterday, but somehow got affected today, or a couple of guys in black suits asked them politely to include their library with a new release. You mentioned those two packages in the other thread. It is not so much that those are vetted, but rather they earned their reputation through providing quality software for a long time.

A lot of people claim that Linux is the most robust and secure system and potentially the most scrutinized. However, just a month ago or so a backdoor was discovered that was inserted about 10 years ago. Does it mean that Linux is neither robust nor secure - I don’t think so, it just shows that these days whatever you use either has or may have issues. So, going back to what I have tried to outline in the previous post, that backdoor was not created by a highschooler in his mom’s basement, but rather by a government agency, and I doubt either you or I are targets for them, and no single scammer has broad enough knowledge to pull off such a thing.

Recently, I have read about a malware that infects your BIOS. It looks like the only solution to clean such a machine is to replace the motherboard. It really sucks.

Well sure you can do those things with your wallet in order to improve security. But that still doesn’t make it a cold wallet. Sorry to be pedantic about this, but a cold wallet is a very specific thing.

A cold wallet is a wallet that has never been exposed to a network. That is the only thing you can call a cold-wallet. Anything else is just a regular wallet with added security measures.

I’m not sure this completely removes the key from the system, or just from the Chia list, I have no way to verify this myself.

Encrypting your keys seems logical, but plenty of people have lost fortunes this way when they forgot the password after 7 years, so make sure you write that down somewhere :sweat_smile:

Should be, maybe, maybe not. That’s the point, to eliminate any coulds, shoulds and maybes. And yes, you should use a clean machine for it in any case.

In any case security in crypto is an absolute pain in the ass.

This comment is just silly. There is no difference between pool farming (using the chia pooling protocol) and “OG Farming” (or self-pool farming).

Yes, if you are referring to the hacked pools, like Hpool or CorePool (to name a few), then yes, big issues. But just switching back to non-pool farming does not make the threat go away. That person already had the software loaded. They already compromised their system. There is a lot that would have to be done to regain trust in the setup.

If you said “Don’t join a pool that doesn’t use the chia pool protocol because the software you would have to download cannot be trusted.”, well, that would make sense. But simply un-joining one of them does not magically make the threat go away.