Important Security Warning: Chia Farm Hacked - Lessons Learned

Hello everyone,

I felt it was crucial to share my recent experience and lessons learned after a security incident that resulted in the theft of my Chia coins. My hope is that others can benefit from my experience and avoid making the same mistakes I did.

Upon investigating the incident, I am now almost certain that the hack occurred due to an open port via UPnP. I cannot emphasize this enough – never leave your ports open without a good reason.

But why did I open the port in the first place? A few weeks ago, I faced a situation where my Chia full node was not synchronized and wouldn’t connect to the network. I searched for a solution, and the only thing that seemed to work was opening the port. I initially did it manually, but eventually, I decided to use UPnP for convenience.

However, I suspect that the attacker may have somehow caused my node to disconnect from the network intentionally, preventing it from reconnecting. This could have been a ploy to make me open the port, giving them access to my private key. I believe this may be related to my previous issue, which I discussed here: Security issue problem with antivirus

Despite this unfortunate incident, I am determined to continue farming. I’ve reinstalled the operating system, set up a brand-new node, and I’m in the process of plotting. From now on, rewards will go directly into cold storage. This incident has been a valuable lesson for me.

I share this story not as a victim but as a survivor who is committed to securing my Chia farm and helping others avoid the same pitfalls. Please learn from my mistakes and be vigilant about your network security.

Thank you for reading, and I hope this information proves useful to others in our Chia community.

Best regards,
Benny

9 Likes

The other unspoken lesson: farm to a cold wallet.

11 Likes

Could you share more info on how you investigated it and what exactly led to that conclusion?

From what I understand, previous UPnP vulnerabilities were mostly due to the router having UPnP enabled, and thus any internal binary being able to open UPnP ports at will. What this also implies is that UPnP is rather a secondary mechanism used by threats that have already landed on the box. Based on what you stated, such a threat was blocking syncing, and enabling port forwarding was the missing key. (In my opinion, if such a threat was already there, it already had your keys and could access the outside world without any problems, so I am not sure why enabled UPnP would be needed.)

On the other hand, if your router has UPnP disabled and you manually forward just port 8444 to your farmer, there is potentially a not yet known UPnP attack on Chia’s protocol. (Again, not yet known.)

Maybe you could share a bit more info about your investigation.

I cannot say that I am a security expert, rather far from it. However, with the information you provided, I don’t really see a connection with UPnP (yet).

1 Like
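One concrete check a farmer can run on the node itself, added here as an example that is not part of any post in this thread and not Chia's own tooling: it reads the relevant keys from a config.yaml fragment and flags `full_node.enable_upnp`, then shows the hardened form. The key names `full_node`, `port` and `enable_upnp` are the ones Chia's config.yaml uses; the sample config text and the audit functions are constructed for this example.

```python
"""Audit a Chia config.yaml fragment for the UPnP exposure discussed above."""
import re

# Constructed sample: a full_node section with UPnP left on (the shipped default).
SAMPLE_CONFIG = """\
full_node:
  port: 8444
  enable_upnp: True
  rpc_port: 8555
farmer:
  port: 8447
"""


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset of YAML that these keys use.
    Deliberately minimal so the check runs without a YAML library."""
    tree, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":
            section = key
            tree[section] = {}
        elif section is not None:
            tree[section][key] = value.strip().strip("'\"")
    return tree


def audit_upnp(config_text):
    """Return a list of findings; an empty list means the UPnP check passes.
    Assumption: a missing enable_upnp key is treated as on, matching the default."""
    node = parse_simple_yaml(config_text).get("full_node", {})
    findings = []
    if node.get("enable_upnp", "True").lower() == "true":
        peer_port = node.get("port", "8444")
        findings.append(
            f"full_node.enable_upnp is on: the node will ask the router to "
            f"forward port {peer_port} by itself; set it to False and, only if "
            f"inbound peers are really needed, forward that one port manually"
        )
    return findings


def harden(config_text):
    """Return the same config with full_node.enable_upnp forced off."""
    return re.sub(r"(?m)^(\s*enable_upnp:\s*)\S+", r"\1False", config_text)
```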

I highly doubt this is the case. You should assume your device (and your keys) are compromised somehow and proceed accordingly.

3 Likes

Are you having a stroke?

2 Likes

Nah, that’s just vodka. Been there

2 Likes

I have never seen Russians drinking beer or whiskey :smiley: And I was born in a Russian colony.

If you just RTFM the Chia documentation, it is clearly written there: “DO NOT LEAVE ANY COINS ON FARM” :wink:

Pick the amount that you are willing to lose, and happily farm… once the threshold is reached, send it to a secure wallet.

I highly doubt it is so easy just to get your keys… unless the problem already started between keyboard/ground/chair :wink: Of course, if you are one of the WinLovers… do not wonder, MS Win has had Emmental security since the beginning; it is basically a virus/security problem itself :wink:

That doesn’t bother me at all… before they reach central Europe, Russians/Turks/Bayos sort them out ROFL

enjoy your rofling :woman_farmer:

This forum has a rapid increase in Rtdr/m^3 every time I come to visit :smiley: So many surprised kids that still wait for XCH to return to 1600 USD ROFL Mental diarrhoea just follows.
