Your XCH is gone, sorry to say that… but that’s how crypto works… there is no way to reverse the transaction other than a hard fork or chain rollback, and this simply won’t happen unless a huge percentage of all farmed XCH, or Chia’s pre-mine, gets stolen.
Sounds harsh, but let this be a lesson in crypto… many of us already learned this the hard way.
Do not install any 3rd party software on the PC with your private key.
Farm into a cold wallet
Your XCH are valuable, people will try to steal them.
You can help the community by reporting all the 3rd party software you have installed (or attempted to install), so that we as a community can figure out what happened… It’s likely software geared towards Chia users was to blame, but it could have been any malware really.
A version of the Chia installer was compromised at one point; if you downloaded one with a .rar extension, that installer was compromised. Pasted below from Reddit.
The RAR file contains two win32 executables, ChiaSetup-1.1.4.exe and mkvtool.exe, along with several DLLs, TXT files, a font folder with fonts and a folder with object handlers for various file formats. The attackers appear to have deployed using the mkvtool to unpack an image and begin the installation of backdoors. Contents appear to include a network scanner and media rendering binaries (likely packaged with mkvtool). When the binaries execute, several Windows services are stopped (event logs, wmi, wer) and then installation to the user profile occurs (\AppData\Local\Temp). This directory contains a payload of C2 files:
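The paste above describes two observable steps: logging-related services (event log, WMI, WER) get stopped, then executables land under \AppData\Local\Temp. Below is an added example (not from the thread, Reddit, or Chia) of a small Python checker that looks for exactly that sequence in a log export. It assumes a simplified constructed line format (timestamp|provider|event id|message) rather than a real .evtx, that the service stops show up as Service Control Manager event 7036 "entered the stopped state" messages with the usual Windows display names, that file writes are visible as Sysmon event 11 lines with a TargetFilename= field, and a 10-minute correlation window; all of those are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Display names of the services the paste says get stopped (event logs, WMI, WER).
# Assumption: the stops appear as SCM event 7036 messages naming these services.
WATCHED_SERVICES = (
    "Windows Event Log",
    "Windows Management Instrumentation",
    "Windows Error Reporting Service",
)
# Install location named in the paste.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|dll|ps1)$", re.IGNORECASE)
TARGET_RE = re.compile(r"TargetFilename=(.+?)\s*$")
WINDOW = timedelta(minutes=10)  # assumed: max gap between service stop and file drop

# Constructed sample lines (not a real log): timestamp|provider|event id|message
SAMPLE_LOG = r"""
2021-05-10T12:00:00|Sysmon|11|File created: Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\Users\alex\AppData\Local\Temp\installer_helper.dll
2021-05-10T14:02:11|Service Control Manager|7036|The Windows Update service entered the running state.
2021-05-10T14:05:40|Service Control Manager|7036|The Windows Event Log service entered the stopped state.
2021-05-10T14:05:41|Service Control Manager|7036|The Windows Management Instrumentation service entered the stopped state.
2021-05-10T14:05:42|Service Control Manager|7036|The Windows Error Reporting Service service entered the stopped state.
2021-05-10T14:06:03|Sysmon|11|File created: Image=C:\Users\alex\Downloads\mkvtool.exe TargetFilename=C:\Users\alex\AppData\Local\Temp\update.exe
2021-05-10T14:06:05|Sysmon|11|File created: Image=C:\Users\alex\Downloads\mkvtool.exe TargetFilename=C:\Users\alex\AppData\Local\Temp\readme.txt
2021-05-10T16:30:00|Sysmon|11|File created: Image=C:\Program Files\Chia\chia.exe TargetFilename=C:\Users\alex\AppData\Local\Temp\plot-k32.tmp
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, provider, event_id, message = line.split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "provider": provider,
        "event_id": int(event_id),
        "message": message,
    }


def stopped_service(event):
    """Return the watched service name if this is an SCM 7036 'stopped' event, else None."""
    if event["provider"] != "Service Control Manager" or event["event_id"] != 7036:
        return None
    if "entered the stopped state" not in event["message"]:
        return None
    for name in WATCHED_SERVICES:
        if f"The {name} service" in event["message"]:
            return name
    return None


def dropped_executable(event):
    """Return the path if this is a Sysmon FileCreate of an executable under AppData\\Local\\Temp."""
    if event["provider"] != "Sysmon" or event["event_id"] != 11:
        return None
    match = TARGET_RE.search(event["message"])
    if not match:
        return None
    path = match.group(1)
    if TEMP_DIR_RE.search(path) and EXECUTABLE_RE.search(path):
        return path
    return None


def find_suspicious(log_text, window=WINDOW):
    """Flag executables dropped in the temp dir shortly AFTER a watched service was stopped."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    stops = []
    for e in events:
        name = stopped_service(e)
        if name:
            stops.append((e["ts"], name))
    findings = []
    for e in events:
        path = dropped_executable(e)
        if path is None:
            continue
        # Only service stops that happened before the drop, within the window, count.
        recent = sorted({name for ts, name in stops if timedelta(0) <= e["ts"] - ts <= window})
        if recent:
            findings.append({"when": e["ts"].isoformat(), "dropped": path, "services_stopped_before": recent})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Run on the sample, it flags only the update.exe write that follows the three service stops; the DLL written two hours earlier by msiexec and the readme/plot temp files are ignored, which is the point of correlating the two steps rather than alerting on either alone. On a real machine you would feed it lines exported from the System and Sysmon logs in the same field order (the malware stopping the event log is itself the reason to forward logs off the host rather than read them there afterwards).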
I used some PowerShell code to add the introducers, then only swar and the new plotter from Stotiks.
Just decided to replot with a new account. On the PC where I create the plots there is no software from Chia… The GUI will be on another PC that I will reformat.
However it happened, assume your current key is compromised and delete it; you will have to replot too.
If you can confirm that it was just a PowerShell script sending the keys to some HTTP endpoint, then that’s as far as you need to go, but if you suspect it might be some other software that you’ve run, it might be wise to assume the OS is compromised, and depending on how your network is configured and what services on other PCs are reachable, you might have to assume that other PCs on the LAN are compromised too - it’s pretty brutal, but you have to be pretty brutal once you’re compromised.
That’s most likely what did it: the PowerShell script for introducers. Found this below with a quick search.
For instance there was/is a PowerShell Script that should add some Introducers to your farm. It does that yes. But it also empties your wallet and sends your private keys home.
Created a new account on another computer and removed every remnant of the older key on the plotting PC, and removed all the PowerShell code. I know that this wallet is ruined…
Thanks all for the support and explanations.
Is there someplace where I can report the destination wallet?
That destination wallet has 2 more coins in it from when I last looked, so obviously ongoing, and it is unlikely that this is the only wallet being used to steal coins in this way - honestly I am surprised it’s not single-use.
There isn’t really anything that can be done about it besides forking the blockchain to reverse these transactions, and unless it was so widespread it threatened the acceptance of the network, you won’t be able to get consensus to do that.
I’m not saying there’s nowhere it can be reported, you’ve technically been stolen from, which is criminal, but the blockchain can’t/shouldn’t be able to reverse that. Your local law enforcement will take a statement, but it would be hard/impossible to get them to take it very far.
Personally, I’m not in favour of blockchain reversals whatever the reason, to my knowledge they’ve only ever been done when huge amounts of the right people’s money are involved (like after the ETH DAO hack), and I didn’t agree with that - it’s inherently unfair to selectively reverse transactions at the blockchain level, however much of whoever’s money is involved.
Why’s that? If it sent the private keys home, the thief will just scan the blockchain waiting for XCH wins to those wallets and then withdraw them to a wallet or wallets that he/she owns; there could be many people yet to realise they’re affected.
However, without seeing the powershell code that Alex ran, we can’t be sure either way - but still seems most likely to me.
I got the first 2 coins about a month ago and then had no problems, but after I had a power outage and lost the sync (it was only 4 hours, but I spent over a day restoring the sync), I used the PowerShell for accessing the introducers; this was about 15 days ago…
Here law enforcement wouldn’t be able to do anything…
It was a lesson that had to be learned…
Last effort to save: replot till you have no spare space; of course it’s a gamble.
If you were to change your payout address in the wallet, perhaps that would transfer coins faster than someone scanning the chain and trying to move the coins.
Risky certainly, but with a big farm maybe worth the gamble while you finish filling available space and replot.
Sorry for your loss.
I thought of that, change it in the config file… Replotting 750 plots will take some time, but after formatting the PCs I will think about whether I will take the risk. As for replotting, I will have to be on the lookout for prizes and very quick to remove the coins before they
Yesterday when they disappeared I was very angry, but then I realized I need to learn more and I have to face this as a lesson and a mistake not to repeat…
For future readers: I’d like to add that there is no claim, and that I don’t want to imply, that the 3rd party tools mentioned above may harm your system/wallet (besides the bad PowerShell repo that was taken down). I listed my own 3rd party repo as well.
The idea was to narrow down possible sources of the attack.