Earned 2 chia, but don't see them in my wallet

Hello, need help.
Today I got lucky and got 2 chias
Coin 0x56528556faab8bacc0292ffe32ae2c383891da97158d5abbeb1f549228a5c808
Coin 0x878bbd6f807339af119daba9180aad8f4c95627f18976cc5365c72457d80bce5
When I got home and went to check the farm, I got a surprise: my wallet was empty.
I didn’t send anything anywhere… so I suspect I got “liberated” somehow…
Is there somewhere I can file a complaint?

2 Likes

Is your wallet at home synced? Not just the blockchain but the wallet.

1 Like

Yes, everything is synced…

It does look like those coins have been moved. If I am reading the blockchain correctly, those coins have moved twice and ended up in this wallet:

https://www.chiaexplorer.com/blockchain/address/xch1dz9jdt43555fckfafnpmkvvslshjyky6d6xv667z0cr2tsardsyq0egyzj

Are you running anything Chia related but non-official on the farmer (or on any other machine that has access to your private key), like a custom plotter/farmer, software provided by any pool, any kind of plot manager or ‘helper’ or have you ever run anything like that?

If you didn’t move these yourself, it is unlikely that you’ll be able to get them back.

1 Like

Did you farm in HPOOL, at present or in the past?

1 Like

I'm using only one computer to farm, but used Swar and now the Windows variant of madmax, but I'm creating the plots on a different computer.

When hpool appeared I started to install the software, but the antivirus popped up and cancelled the installation, and that was my experience with hpool.

Does the PC you plot on have your private keys stored? If so, I only could imagine Swar/Stotiks reading out the keys based on the info you passed along, but given the reputation Swar has that is very unlikely. Stotiks on the other end uses a newly created GitHub account, which is very sus.
Is it possible that you have run other 3rd party apps or potentially farming greenchain?

Yes it has, it was where I used the GUI for the first time.

I thought so. So someone got access to your Private Key and transferred your XCH to their wallet. The question for me now is how they did that and especially if a widely-used 3rd party Tool (eg. Swar or Stotik) was involved.

Have you ever run any of those below?

  • CorePool Client (another unofficial pool)
  • A PowerShell Script that adds some Introducers to your farm
  • MrPig91 PS Module
  • Ploto
  • Greenchain Client
  • Or any other Chia specific tool?

Your XCH is gone, sorry to say that… but that’s how crypto works… there is no way to reverse the transaction other than a hard fork or chain rollback and this simply won’t happen unless a huge percentage of all farmed XCH gets stolen or Chia’s pre-mine.

Sounds harsh, but let this be a lesson in crypto… many of us already learned this the hard way.

  • Do not install any 3rd party software on the PC with your privateKey.
  • Farm into a cold wallet

Your XCH are valuable, people will try to steal them.

You can help the community by reporting all the 3rd party software you have (or attempted to) install(ed), so that we as a community can figure out what happened… It’s likely software geared towards Chia users was to blame, but it could have been any malware really.

3 Likes
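
The "farm into a cold wallet" advice above comes down to the two `xch_target_address` entries (under `farmer` and `pool`) in Chia's `config.yaml`. As an added example, not code from this thread or from the Chia project, this Python check confirms that both entries point at the address you expect; the sample config and both addresses are constructed placeholders.

```python
# Added example: audit where a Chia farmer sends its block rewards.
import re

# Constructed sample of the relevant parts of config.yaml;
# the addresses are placeholders, not real wallets.
SAMPLE_CONFIG = """\
farmer:
  port: 8447
  xch_target_address: xch1coldwalletplaceholder
harvester:
  num_threads: 30
pool:
  logging:
    log_level: WARNING
  xch_target_address: xch1someotherplaceholder
"""

def reward_targets(config_text):
    """Return {section: address} for each top-level section that sets
    xch_target_address. Indentation-based scan, not a full YAML parser."""
    targets, section = {}, None
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = re.match(r"(\w+):", line)  # unindented key starts a new section
        if top:
            section = top.group(1)
            continue
        m = re.match(r"\s+xch_target_address:\s*['\"]?(\w+)['\"]?\s*(#.*)?$", line)
        if m and section:
            targets[section] = m.group(1)
    return targets

def audit(config_text, cold_address):
    """List problems: a reward section with no target address, or a
    target that is not the expected cold-wallet address."""
    found = reward_targets(config_text)
    problems = []
    for section in ("farmer", "pool"):
        addr = found.get(section)
        if addr is None:
            problems.append(f"{section}: no xch_target_address set")
        elif addr != cold_address:
            problems.append(f"{section}: pays {addr}, expected {cold_address}")
    return problems

if __name__ == "__main__":
    for p in audit(SAMPLE_CONFIG, "xch1coldwalletplaceholder"):
        print("WARNING", p)
```

Running it again after installing or running any third-party tool shows whether either reward address was changed.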

A version of the Chia installer was compromised at one point, if you downloaded one with a .rar extension that installer was compromised. Paste below from Reddit.

The RAR file contains two win32 executables, ChiaSetup-1.1.4.exe and mkvtool.exe along with several DLLs, TXT files, a font folder with fonts and a folder with object handlers for various file formats. The attackers appear to have deployed using the mkvtool to unpack an image and begin the installation of backdoors. Contents appear to include a network scanner and media rendering binaries (likely packaged with mkvtool). When the binaries execute, several Windows services are stopped (event logs, wmi, wer) and then installation to the user profile occurs (\AppData\Local\Temp). This directory contains a payload of C2 files:

I used some PowerShell code to add the introducers, then only Swar and the new plotter from Stotiks.
Just decided to replot with a new account. On the PC where I create the plots there is no software from Chia… The GUI will be on another PC that I will reformat.

Do you still have the powershell code you ran?

However it happened, assume your current key is compromised, delete it, you will have to replot too.

If you can confirm that it was just a powershell script sending the keys to some HTTP endpoint, then that’s as far as you need to go, but if you suspect it might be some other software that you’ve run, it might be wise to assume the OS is compromised, and depending on how your network is configured and what services on other PCs are reachable might have to assume that other PCs on the LAN are compromised too - is pretty brutal but you have to be pretty brutal once you’re compromised.

That’s most likely what did it: the PowerShell script for the introducers. Found this below with a quick search.

For instance there was/is a PowerShell Script that should add some Introducers to your farm. It does that yes. But it also empties your wallet and sends your private keys home.

1 Like

That’s like certain that your keys got compromised through that script.
See here: If you were using "chia-powershell-tools" your Wallet has been compromised

1 Like

Created a new account on another computer and removed all remains of the older key on the plotting PC, and removed all the PowerShell code. I know that this wallet is ruined…

Thanks all for the support and explanations.
Is there someplace where I can report the destination wallet?

1 Like

That destination wallet has 2 more coins in it from when I last looked, so obviously ongoing, and is unlikely that this is the only wallet being used to steal coins in this way - honestly am surprised it’s not single-use.

There isn’t really anything that can be done about it besides forking the blockchain to reverse these transactions, and unless it was so widespread it threatened the acceptance of the network you won’t be able to get consensus to do that.

I’m not saying there’s nowhere it can be reported, you’ve technically been stolen from, which is criminal, but the blockchain can’t/shouldn’t be able to reverse that. Your local law enforcement will take a statement, but it would be hard/impossible to get them to take it very far.

Personally, I’m not in favour of blockchain reversals whatever the reason, to my knowledge they’ve only ever been done when huge amounts of the right people’s money are involved (like after the ETH DAO hack), and I didn’t agree with that - it’s inherently unfair to selectively reverse transactions at the blockchain level, however much of whoever’s money is involved.

1 Like

That’s an indication it may not be the powershell exploit from 20 days ago.

Why’s that? If it sent the private keys home, the thief will just scan the blockchain waiting for XCH wins to those wallets and then withdraw them to a wallet or wallets that he/she owns, could be many people yet to realise they’re affected.

However, without seeing the powershell code that Alex ran, we can’t be sure either way - but still seems most likely to me.

1 Like