Chia heist 250 XCH stolen from "cold" wallet

Someone on r/chia reporting that they had 250 XCH stolen from a “cold” wallet which they connected to the Internet to check the balance. It instantly became a hot wallet on clearly a compromised machine.

Keep your cold wallets cold. Create them on a clean machine, put them on paper or something equally unconnected and use blockchain explorer to keep tabs by entering the payout address. Have farming or pool rewards sent to them.

This sucks and I feel for the guy, lets not let this happen again.

I guess the challenge is how to actually use, spend or convert your XCH when you need to.

The best way I can think of, and the method I will use, is to create a windows virtual machine. Which is a fresh load of windows that has never had any activity on it. You could even get fancy with the virtual switch to isolate it from your local network (in case you are worried about an infected network system somehow attacking the new system). Load Chia and input your phrase. Let it sync. Then do with your XCH as you wish. Just don’t leave it running or go browsing the internet on that system. Kill and delete the VM when you are done with what you were wanting to do.

And make a new cold wallet and move all your funds.

1 Like

Quote from his post:

"I’m really frustrated because someone stole all my Chia (250 XCH) - yes 250 Chia. I don’t know how they managed to do it. So keep your wallets as secure as possible. I tried to be cautious and used an Ubuntu VM that was barely connected to the internet but somehow I wanted to be sure and so I let the machine sync to see the balance in the wallet after the transaction I made. I switched it off and then 2 months later the Chia was gone. See for yourself… Chia (XCH) Transaction 0xf261a6f2124ebd1b009b296738e20ef05e73d3343c1b8e9ccc6cf47cb0024add | XCHscan

This all so hard because I followed this project for so long, started even in alpha stage. So if you’re the thief - come on, have mercy and give it back.

I don’t know what to say…"

There are also suggestions that the poster had been using hpool software.

Sounds terrible to me, and makes me rethink using my warm wallet.

We know having a totally cold wallet is secure, but it is unreasonably inconvenient in a long run unless you hodl; XCH is supposed to be used not stored. A better way to use the coin securely is desperately needed.

4 Likes

Things I would consider:

  1. Dedicate a clean machine exclusively use for creating cold wallet and checking balance of your cold wallet and delete cold wallet key after use.
  2. Create multiple cold wallets, each holding up to a limited XCH. E.g. 5 XCH or 10 XCH or any amount you feel it won’t devastate if someone hack it.
  3. Create an exclusive hot wallet for fiat exchange that hold XCH temporary.
1 Like

If you create a windows VM you can always ask it to do a reset and it will reinstall itself, so you destroy all links to any crypto wallet after you have finished what you were doing.

This would be fairly trivial on a fast machine.

Waiting for a full sync might be quite tedious. Anyone see any risk to copying the DB files from a hot machine (with Chia/whatever-fork temporarily offline) and using it to sync faster on the cold (warm) machine?

If block chains are trying to reach mass acceptance, all these methods of wallet storage IMO are going to prevent it. Correct me if I’m wrong, but isn’t half the point supposed to be security? A 1000 word nemonic is no more secure than a 2 word nemonic when your computer is hacked, which is probably the simplest of all tasks in the heist when your network can easliy be scanned for port 8444 advertising you have chia. Sure we can do the cold wallet and keep completly secure, but I don’t think thats a mass acceptable practice when you say the blockchain is secure and nemoics cannot be cracked.

You don’t need to sync the cold wallet. You can transfer the xch from hot to cold wallet, and check the balance on chiaexplorer.

6 Likes

He must try to identify how this information has been exposed. I always say that forks and no oficial chia client installation are like play the russian roulette in your local area lan world.

Good luck in recovering.

3 Likes

wow, what a bad assfu**ry…

i was planning to let my cold wallet synchronise one last time and then send all XCH immediately to nucle.io wallet… wouldnt this be safe even if my machine in worst case would have been compromised too?

What is the link to chia explorer?

https://www.chiaexplorer.com/blockchain/search

Put your wallet receive address in here, never your private key.

2 Likes

nucle.io is not necessarily more secure than a synchronized wallet;
Your OS could have key logger or clipboard sniffing malware on it already; I guess it would be as safe as your sync-ed wallet in this case.

Before we have hardware wallet, a true cold wallet is probably the only safe thing (a device that is disconnected from the internet when the key was being generated and never see the web afterwards)

1 Like

Basically it wont be secure until 2FA is implemented on transactions.

4 Likes

Not just suggestions… Further down in the thread he admits to it directly

1 Like

It would be good if the chia program was also secured so that logs, config, keys cannot just be read by anyone able to send a machine “chia keys show”.

3 Likes

Securing that information can’t be done by the Chia app easily because they are things that a user needs access to from outside the app itself (especially if they are a CLI user). Instead the onus is on the user to secure their system. It’s not unreasonable for Chia, ETH, and thousands of other applications the world over to expect a user to exercise good security practices themselves.

I’m going to set up a cold wallet now, been putting it of for a while now. I’m making a fresh install of Ubuntu on a spare PC. Is it enough to click create a new private key in the GUI and save the Mnemonics pass phrase + receive address and then wipe the machine? Do i need to let is sync o or can i just generate and instantly wipe it? :grimacing:

Just create it, save everything you find under the eye icon next to the key (phrase and keys). Then open it and get the receive address. That’s it, kill it, delete everything.