How someone made my XCH disappear in their wallet

I’ve seen similar post with the same problem as mine and no solution to it, but still I decided to explain my situation so maybe someone finds a problem and prevent this from happening again.

Long story short almost of all of my chia from my wallet are gone …
Until today I was running 1.2.11 full node on my RPi and honestly haven’t checked my balance for few week and yesterday I finally went to take a look if everything is OK and was quite surprised whit what I saw … almost all of my XCH gone from my wallet and the funniest thing is 1.2.11 is synced and not showing any outgoing transaction(s) …
I’ve checked both and Chia XCH | ALL THE BLOCKS - Chia & forks | blockchain explorer and it all of the sudden I’ve seen my coins going from unspent to spent …
Only after I’ve installed 1.3.3 I’ve been able to see outgoing transaction from a week ago which for sure wasn’t done by me …
At first I was comforting myself thinking some change happened with new DB in 1.3 and new wallet address was created for under my main wallet but I knew this wan’t the case …

I really don’t know how someone could have got access to my passphrase protected wallet (yeah 64 chars long …) but obviously it happened … and most importantly how 1.2.11 node hasn’t shown any outgoing transaction …

So now back to square one … reinstalling node from scratch, creating cold wallet and hope for the best …

Potentially (most likely) you have some malware on your box. So reinstalling chia may not help that much. Another possibility is that you are using some flakey pool (for OG plots?).

1 Like

1 2.11 doesn’t show all transactions , as its not compatible with the new light wallet.

However your coins got sent before you upgraded the client so its not a client issue.

Somehow your pvt key or comp are compromised.
You can try setting up a new cold wallet and direct funds to go there via your payout addresses.

Sorry for your loss.


By the way, if you keys got compromised, you need to create new keys, and thus replot everything you have. Passphrase is only relevant to the box it is used on (doesn’t protect mnemonics), so having keys / mnemonics means a full access.

1 Like

Was the Pi running any other services exposed to the web? Was it firewalled, using NAT, or exposed to the internet?

If someone did compromise it (which seems likely) there may be some traces of their actions. Somehow, they were able to instruct your wallet to send transactions, so the most likely way was through a shell (or SSH) rather than some wildly complex exploit. Anything is possible here though.

The passphrase protects your local wallet, but if they got the seed some other way, the compromise may not have happened locally. Otherwise, this may indicate they were in the Pi and had access to the unlocked wallet.

1 Like

The transactions weren’t visible on their node, so nothing was done on that pc.
The light wallet was used to send coin , and now upgraded client can see those transactions.

Most likely compromised keys / mnemonic and light wallet installed on a different box to send coin.


Re-plotting hundreds of TBs or more could take an eternity. So is it possible to keep your plots, and as @Bones wrote “You can try setting up a new cold wallet and direct funds to go there via your payout addresses.”?

So when an XCH win arrives, it goes to the cold wallet?

I am not sure about the intricacies of a cold wallet, which is why I am asking.
Doesn’t the cold wallet have its own, unique mnemonics? If “yes”, then wouldn’t that allow you to continue to use your existing plots, because your XCH wins will not go into the your compromised wallet?

Aren’t the mnemonics more about access to the corresponding wallet, and less about the plots associated with those mnemonics?

1 Like

There was before a discussion about it, but the outcome was not that clear (potentially for me). So, let’s say that what you are saying is the case (one can create a new cold wallet, …).

As @Bones indicated, one (most likely, or maybe the only) possibility is that the mnemonics were lifted. As @chiameh indicated an audit is needed to find out how (shitty pool, or such pool’s utility, some chia specific malware (some useful crap from github), or just a wide open box (kind oof similar to malware)). In such a case, there is a high chance that a key logger is already on that box or potentially in that location (also on other boxes). What would you do?

By the way, until that wallet is not looked at, to check where that XCH went to, and that destination wallet looked at what activities are on that wallet, there is one more possibility that this is just a user error.

1 Like

Wow, thank you all for your replies … I really wasn’t expecting this much feedback.

Pool is not the problem it’s flexpool …

More or less it was my fault by not taking enough care of cold walleting my XCHs’.
The bigger problem is replotting so I thing I’m just gonna keep using existing wallet and keep a close eye on incoming transactions and instantly move them to cold wallet as soon as they arrive.
Unless there is a better solution I’m not aware of.

I don’t think other devices are compromised as RPi was/is on separate VLAN blocking all connections to other LAN networks …

Everything you wrote is correct. But I am trying to figure out whether or not re-plotting is necessary.

If re-plotting could be avoided, then @LITTLEbig could keep his plots, wipe his OS / partition, reinstall his OS, install Chia, enter his possibly compromised mnemonics, and he could continue plotting and farming from where he left off.

But the above is useful only if a cold wallet with its own unique mnemonics would be accepting the wins.

It is not clear to me, either. Maybe someone else can chime in with the answer?

I gave you a better solution.
On a new box that has never been online install chia and create a new mnemonic, copy your receive address. ( cold wallet ).

Add that address to the 2 fields where you can specify future funds to go on your compromised wallet.

All funds will then go to the cold wallet and be safe.
However if someone has your mnemonic they can change your pooling of your nft’s to mess with you, but with no reward for them this becomes unlikely if you stay on top of it.

That new machine will need to be put online to send funds, or you can figure out how to sign a transaction offline and push it to the network, this is supposedly possible but I’ve yet to hear of anyone doing it with success and posting instructions.
Just treat is respectfully and with care.

@Bones Thank you …

Add that address to the 2 fields where you can specify future funds to go on your compromised wallet.
I guess you’re referring to:

  1. pool payout address in Chia GUI - so just one field to modify under Pool → Edit payout instructions …
  2. Pool payout address @ pools’ settings …

No logs left to see with grep “Failed password” /var/log/auth.log so I guess someone has removed them.

I guess, my question was what would you do.

I was referring to the 2 addresses you specify in the gui under farm tab, one to receive .25 rewards, the other where your 1.75 goes when your solo and claimed from the nft.

Indeed, set your pool payout address if your pool has a separate specified address.

Kinda depends how your farming / pooling, but change those 3 to the cold wallet address, or whichever apply to your situation.

I would nail down the answer, in order to know what to do. Alas, I still do not know that answer.
But if it turns out that if wins can go to a wallet with its own mnemonics, then that would be what I would do.

Criminals are after access to your wallet; not access to your plots. So if wins go to a wallet that is inaccessible to criminals, then no need to re-plot.

There was never an official statement from Chia what to do in that case. People were trying to test what happens if …, but in my opinion, all that was rather inconclusive.

Also, as @Bones stated, those criminals can have a parallel setup and can start messing with yours. I am not interested in knowing what happens after a reboot or chia update.

I would really not want to have that extra burden on my shoulder. I did replot my OG plots.

I think the big unanswered question is still how the baddies got access to the Pi, assuming you didn’t enter your mnemonics anywhere.

There’s no reason why a reasonably secured Pi should end up compromised, was there internet-facing VNC access? SSH? There has to be something there.

It’s also possible that the Pi wasn’t compromised at all, but rather your mnemonics leaked somehow - did you enter them on any website? Are you storing them anywhere? (password manager, .txt file, etc)

As for what I’d do: Nuke everything, install fresh, new mnemonics, replot. You do need to be reasonably confident that you understand how this happened though, else you just risk it happening again.


Another option is “friends and family.” Although, I would also scrutinize the wallet that received those XCHs (i.e…, user error).

I also believe that it was not done on RPi (still I would follow what you wrote, or rather follow what @Bones wrote and go with a parallel setup and slowly replot and dump all references to old one when done).

By the way, creating a “cold” wallet, while not knowing whether that was a keylogger is also not what I would want to do.

I agree to bring this topic to an end.

But before I do it from my side just one more thing I’ve forgot to mention (but as far as I can comprehend) isn’t changing anything for me but could provide some additional info to other people who stumble upon this thread is - this device was used just for hosting full node, not farming. I’ve completely separated farming from full node (except of payout addresses of course).

Once again thank you all for your participation so to sum up less secure approach would be:

  1. Create a completely mint “cold” wallet (on completely different device with clean OS/Chia install) with a new set of mnemonics and copy new receive address
  2. Put copied address from step 1. into both existing (compromised) wallet pool options (receive address) and pool settings page
  3. Keep existing plots.
  4. Block SSH access to full node device from external IP addresses.

Or more secure approach:

Clean install of full node with re-plotting and setting up cold wallet as described in less secure approach.

I can agree the most important part is discovering how leak happened in the first place. I haven’t typed my mnemonics anywhere and my family isn’t interested at chia at all and I doubt they’re aware of (digital) chia existence.

1 Like

Sorry for your loss again, I wish you luck getting up and running again whichever route you choose.

By running a node you put a potential target on your device and network because somewhere out there is an insecure node with private keys that are holding chia. Scanning Chia peers for vulnerabilities is probably happening so take good care to secure your device. Here are some basic security practices to take for your public node.

Disallow password auth for SSH and require SSH keys, block ALL external SSH access, and have a firewall block everything except for permitted traffic.

Keep your OS current and install updates when available, don’t install unnecessary software and try to have just what is needed to run what you need to.

Not to mention all the best practices for keeping your keys and wallet secure.

Sorry for whatever happened. I hope you didn’t lose too much and that it was the first and last time you have to deal with compromise.

1 Like