iotaledger / legacy-wallet-use-trinity-wallet-instead

IOTA Wallet
GNU General Public License v3.0

Official Lite Wallet (2.5.4) Hacked? #513

Closed shday closed 6 years ago

shday commented 6 years ago

I know there are a few cases like this one, but this is a little different.

I am new to IOTA and installed the 2.5.4 client a few days ago on a fresh Ubuntu machine. I securely generated a seed (using /dev/urandom) and made a deposit from Binance. A few hours later, my funds got moved out.

I think the client was displaying a hacker's address somehow, as I can no longer generate the address with my seed. It was the first time using the wallet except for putting the address on the Tangle the day before. To make it worse, I made another deposit before noticing the issue and lost those funds as well.

https://thetangle.org/address/GRBPHDAASU9QALTVR9GQJBLDAGGFHNGA9OVSTJBAAMHETVDPGCTJSCZIMRZQKYCIQUJKPPFXMBLMOLBAY

ScotchWiskey commented 6 years ago

I am also new and downloaded the 2.5.4 wallet recently. I cancelled my first withdrawal transaction to the wallet when I noticed the wallet address changed from the original one it was showing. Upon doing a little digging online I found out that the wallet creates a new address every time you send or receive. Apparently this is supposed to make it harder for hackers to crack your wallet and is a safety feature. I don't know if that helps you but thought I would let you know that anyway. Not sure about your missing funds though. I'm still waiting to receive my first withdrawal also.

shday commented 6 years ago

The thing is, my wallet doesn't show any transactions now. I suppose it is possible that I entered another seed by mistake, but then how did a hacker get the funds out? If it was some trivial seed, like all 9's, I would have expected other transactions showing when I first started the client and/or against the address I used.

ScotchWiskey commented 6 years ago

Well I am new at this too, but I believe if you did not enter your seed exactly correct and it logs in, that's not your wallet details you are looking at. Either a wallet not in use or one that belongs to someone else if you enter your seed incorrectly.

ScotchWiskey commented 6 years ago

Hopefully an expert can comment. Any out there?

shday commented 6 years ago

I downloaded the wallet from Github and checked the hash. I still have the file and the hash is still fine.

I was able to create that address initially, as the wallet showed it to me along with the transactions, as they happened. It was only after restarting that I didn't see the address (cannot create it) or any transactions.

I never did any transactions using IOTA before putting that address on the Tangle and doing a deposit of 40Mi from Binance. I never sent any funds or had any reason to put an exchange address on my clipboard.

I should mention that I had attempted to withdraw funds from Bitfinex earlier, but cancelled the withdrawal as it was taking forever.

g3n0cyb3r commented 6 years ago

I have had the same issue. I updated my light wallet and I transferred my Iota from Bitfinex. It took 3 days to show up but right after it was sent to another address. I have been depositing and not withdrawing. However, since I didn't see it show up during those 3 days, I kept hitting the rebroadcast and reattach button. Now, I don't know where that deposit is, as it was sent to a different address.

max1mn commented 6 years ago

The same thing happened to me, also on 2.5.4. IOTAs were gone after 4 hours.

my address https://iotasear.ch/address/KOJNBXHES9WHB9AJGDGWUQVPZNEMQMVRWNUEIBUFBGENRN9VMJPBGORPWSFFEONAFZCEDQRTNDMMT9BTYGPUUDJLTZ

BDenBleyker commented 6 years ago

I made a deposit from Binance to my paper wallet, which I had sent iotas to before to test it (denoted by the 5 Mi), and then there were 3 transactions each with the total balance of my wallet outwards to some other address. 1 was confirmed and the other two are still pending because I now have a balance of 0i (2nd image). I have another wallet, which came with the lite wallet download, that I have iota in, so could that be hacked as well?

[screenshot 1]

[screenshot 2]

I am also opening another issue, but I am posting this here in case it is related.

imolev commented 6 years ago

same with my lite wallet, funds from Bitfinex - #564

Fogi10 commented 6 years ago

Hello guys... trying to move funds out of Bitfinex but seeing all the issues and missing funds I think it may be convenient to leave them there until the devs solve this... Any developers care to comment on all these issues? Would be greatly appreciated! IOTA rocks!

AlexanderPoschenrieder commented 6 years ago

#521 happens to me. In my case the wallet gave me (and is still giving me) already used addresses. Minutes after sending I saw my funds getting stolen. If you lost your funds the same way (address re-use), we could stop all the smart asses who keep telling us the problem is our weak seed or the social engineering.

ThomasPepperz commented 6 years ago

Stick to the technical issues and review the community rules once more please. Any user in violation of the terms including profanity can be dismissed. You want technical assistance or to foment discord?

(Sent by e-mail on Sat, Dec 2, 2017 at 5:12 PM in reply to AlexanderPoschenrieder's comment above.)

ThomasPepperz commented 6 years ago

The 2.5.4 wallet is safe to deposit addresses. I successfully sent all of my IOTA from BFX to the wallet. People with balance issues are having them because of address reuse or because of the transition, which will not affect you since the transition has already happened and Bitfinex automated the task for you and you just didn't realize it happened. A largely-revised GUI is due out anytime now.

shday commented 6 years ago

Does putting an address on the Tangle count as using an address? That is the only time I used the address before receiving IOTA. A few hours later the funds were transferred to another address.

mathiasrw commented 6 years ago

I have a feeling it does - as I understand it, it's a transfer of 0 i.

If so, I suggest that the address is automatically renewed as soon as it has been put on the Tangle.

ThomasPepperz commented 6 years ago

Attaching to the Tangle is necessary prior to that address receiving funds. It is not a transaction.

(Sent by e-mail on Sat, Dec 2, 2017 at 6:11 PM in reply to mathiasrw's comment above.)

onemoreitguy commented 6 years ago

I notice a similar pattern on the biggest wallet of the tangle $1,319,459,129.86. Was this some sort of injection or spam on the 13th-14th? https://iotasear.ch/address/FFUIAREGAAAHNTPJRGRFCNCNOTKTKPWJEGUDWQHZVVO9MTAXZIDMXBMWJXTLUBHNFNKYCCTQUXOUYFKX99MUZJEPYD

reference: https://www.reddit.com/r/Iota/comments/7cihsn/9999stolen9iotas999fuck9you/ " these transactions are invalid the tangle explorer has to be updated because it shows invalid bundles if you use the iota.lib.js and you run these bundles in valid.isBundle you will get false he is just fooling around with the signatures, and attaching it with the address to this account lol"

patchthecode commented 6 years ago

What is the status on this?

shday commented 6 years ago

No change, except that all the unconfirmed transactions I mentioned are no longer showing in the explorer.

mathiasrw commented 6 years ago

@rajivshah3 it's all good that you close the issue - but it would be awesome with a few words on why. Are you cleaning up old issues? Is this not relevant to the repo?

patchthecode commented 6 years ago

@mathiasrw I do not think these guys (or at least that guy) have any open-source developer sense. Just look at the way he responded to this EXTREMELY IMPORTANT issue I opened this morning -> https://github.com/iotaledger/wallet/issues/938

That says a lot.

A normal developer in their right mind (given the severity of this issue) should have said something like:

"We are working hard to fix this. We will immediately load a patch which displays a warning message to all users that the wallet itself can potentially generate an a duplicate address which can cause funds to be stolen. Please double check the generated address. A new wallet is being developed which resolves this"

But what does he do instead?

  1. Says the issue can't be fixed.
  2. Schools me on how to properly fill out a GitHub issue.
  3. Then closes it.

like really?

rajivshah3 commented 6 years ago

@mathiasrw I closed it because I assumed it was solved. Even if it wasn't solved, this is not a wallet issue. The wallet is not hacked; according to https://thetangle.org/address/GRBPHDAASU9QALTVR9GQJBLDAGGFHNGA9OVSTJBAAMHETVDPGCTJSCZIMRZQKYCIQUJKPPFXMBLMOLBAY the address was reused, which poses a security risk. This isn't really an issue that needs to be reported, as it is the nature of a Winternitz one-time signature, and any subsequent signature poses a security risk.

rajivshah3 commented 6 years ago

@patchthecode please read the reply I posted to your slack message. I'm not sure how else to respond, this is not a bug.

ThomasPepperz commented 6 years ago

Thank god some order has been imposed on this repo. Close this issue like it’s the last Blockbuster standing.

(Sent by e-mail on Tue, Jan 2, 2018 at 3:38 PM in reply to rajivshah3's comment above.)

shday commented 6 years ago

This issue was not solved. I lost what is now over 2k worth of IOTA. I never reused the address.

shday commented 6 years ago

There was a security breach that I don't feel responsible for in any way. I call that a bug or at least something worth reporting.

AlexanderPoschenrieder commented 6 years ago

In my experience I can tell that the problems could be two. 1- Reuse of an address because: a- The wallet can keep track of the already used address after a snapshot and requires you to remember and reattach all of the used addresses. b- The wallet can't keep track of already used addresses when you install it on a new device. In both cases the wallet may give you used addresses (happens to me for some of those reasons).

2- The wallet doesn't generate a random seed and you created it with the Windows console random function. I know that this method was recommended by the community before they realized it was not secure.

I feel that the responsibility is with the IOTA Foundation and the developers for delivering software that is supposed to manage value and has these issues.

In any case, I understand them when they say the wallet was not hacked and maybe this is not the right channel or the right way to bring our concerns, but they look like they don't care at all about people losing a lot of money because of, what I consider, negligence.

patchthecode commented 6 years ago

@AlexanderPoschenrieder

I spoke to @rajivshah3 this morning via slack.

It turns out that the Official Wallet has that issue of possibly generating an already used wallet (after snapshot occurs). They are currently working on a new wallet to fix this. But as to the reason why the current official wallet devs have not warned users that their wallet can literally cause funds to be stolen (because of generating an already used address) is beyond me. Many people have lost thousands.

@rajivshah3 noted that this issue was raised in some posts here (plus others)

https://iotatangle.slack.com/archives/C1TH3NXJP/p1514867833000048 https://iotatangle.slack.com/archives/C1TH3NXJP/p1514758801000044 https://iotatangle.slack.com/archives/C1TH3NXJP/p1514749959000033

But this is not enough. A warning needs to be placed within the wallet app warning people that they should double check the generated address to ensure that the wallet didn't make a mistake. Because the damage is already happening. This guy suffered the latest loss -> https://www.reddit.com/r/Iota/comments/7njjyy/here_is_what_i_learnt_after_losing_53_gi_to_a_hack/

AlexanderPoschenrieder commented 6 years ago

Thanks. I thought the same and I already created an issue here a month ago for that warning message. Here it is: #542. It's still open and although I know there is a new wallet coming, it is extremely needed to fix this.

sidharthramesh commented 6 years ago

This needs to be fixed. At least a warning sign. It will save people a lot of trouble and money and it probably will take like 5 mins to implement. Please do implement this.

sidharthramesh commented 6 years ago

I have lost my funds because of not knowing that the wallet reuses addresses after snapshots. I mean this IS a bug in the wallet. It's not the tangle, not the node, but the wallet. Please get it fixed.

shufps commented 6 years ago

This makes me so angry ... People over and over losing their IOTAs because the same mistakes happen over and over again.

PLEASE make the IOTA wallet DAU-proof ... This bug-tracker sheds a very dark light on IOTA and preventing such "user-mistakes" is easy!

Just consider the monkey-re-attaching of all the hundreds of addresses after a snapshot because the wallet stops searching for IOTAs after one address doesn't have transactions.

It is EASY to simply search further ... To search a couple of 1000 addresses for IOTAs would be no issue at all. But no - people, who simply mentally resigned about the BAD support, are explaining the things over and over again and sooooo many people land in this trap.

It's ridiculous ... really it is!
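The two wallet behaviours this thread keeps returning to, discovery that stops at the first address with no transactions (so balances after a snapshot gap are missed) and handing out an address whose one-time key has already signed a spend, are shown below as an added Python example. It is not the wallet's code and was not posted in the thread. The address derivation is a SHA-256 stand-in for the real seed+index scheme (an assumption, so the example runs offline), and the seed, ledger entries and local spent-record are constructed. Zero-value attachments are modelled as non-spends, matching the thread's point that attaching an address does not consume its key, while a negative-value input is what burns a Winternitz key.

```python
import hashlib
from collections import defaultdict


def address_for(seed: str, index: int) -> str:
    """Stand-in (assumption) for seed+index address derivation: the real wallet
    derives a Winternitz key pair; all this example needs is determinism."""
    return hashlib.sha256(f"{seed}:{index}".encode()).hexdigest()[:16].upper()


# Constructed sample seed and the wallet's own persisted record of addresses it
# has already spent from (the record a snapshot cannot erase).
SEED = "CONSTRUCTEDSEED999"
KNOWN_SPENT = frozenset({address_for(SEED, 1)})

# Constructed ledger view as (address, value) pairs.
#   value < 0 : the address was an input, so its one-time key has signed once
#   value == 0: attachment / zero-value transfer, no signature involved
#   value > 0 : deposit
LEDGER = [
    (address_for(SEED, 0), 40), (address_for(SEED, 0), -40),  # deposited, then spent
    # index 1: spent before a snapshot; its history is gone from the ledger and
    #          only KNOWN_SPENT remembers it
    (address_for(SEED, 2), 0), (address_for(SEED, 2), 5),     # attached, then funded
    # index 3: never used
    (address_for(SEED, 4), 7),                                # funded, past the gap
]


def ledger_index(ledger):
    by_addr = defaultdict(list)
    for addr, value in ledger:
        by_addr[addr].append(value)
    return by_addr


def is_spent(addr, by_addr, known_spent):
    """True if either the ledger or the local record shows a signed spend."""
    return addr in known_spent or any(v < 0 for v in by_addr.get(addr, []))


def balance(addr, by_addr):
    return sum(by_addr.get(addr, []))


def discover_naive(seed, ledger):
    """The complained-about behaviour: stop at the first address with no history."""
    by_addr = ledger_index(ledger)
    found, index = {}, 0
    while True:
        addr = address_for(seed, index)
        if addr not in by_addr:
            return found
        found[index] = balance(addr, by_addr)
        index += 1


def discover_with_gap(seed, ledger, gap_limit=20):
    """Keep scanning until gap_limit consecutive addresses have no history."""
    by_addr = ledger_index(ledger)
    found, index, gap = {}, 0, 0
    while gap < gap_limit:
        addr = address_for(seed, index)
        if addr in by_addr:
            found[index] = balance(addr, by_addr)
            gap = 0
        else:
            gap += 1
        index += 1
    return found


def next_receive_address(seed, ledger, known_spent=frozenset()):
    """First (index, address) whose key has never signed, by ledger or local record."""
    by_addr = ledger_index(ledger)
    index = 0
    while True:
        addr = address_for(seed, index)
        if not is_spent(addr, by_addr, known_spent):
            return index, addr
        index += 1


if __name__ == "__main__":
    print("naive discovery:   ", discover_naive(SEED, LEDGER))
    print("gap-limit discovery:", discover_with_gap(SEED, LEDGER))
    print("receive, with local spent-record:   ", next_receive_address(SEED, LEDGER, KNOWN_SPENT))
    print("receive, without local spent-record:", next_receive_address(SEED, LEDGER))
```

Without the local spent-record the wallet offers index 1, an address whose key already signed before the snapshot; this is the reuse case the thread describes, and the reason a warning is the minimum and a persisted spent-record plus a gap-limit scan is the actual fix.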

jasonkyc commented 6 years ago

Same issue, all my funds have been moved 14 hours ago... what happened?? https://iotasear.ch/address/DWGRNCZASEYBP9JMTMJIADWITURXE9IDA9IASTVNVBUTPRIMWXPUGTVZKMRIXCL9ZPGQYBSIFM9USGVSXH9WABYPVX

patchthecode commented 6 years ago

@jasonkyc did you create your seed online?

jasonkyc commented 6 years ago

https://iotaseed.io, I created my seed here... and I rarely open it, and my seed is placed offline.

shufps commented 6 years ago

iotaseed.io is scam ... lots and lots of people reporting to be scammed by iotaseed ... your iotas are lost unfortunately

onemoreitguy commented 6 years ago

@jasonkyc. Generating passwords or any wallet seed or private key online is a good idea. Although I cannot see malicious code on the site and the announced source code, it can be obfuscated or hacked to save on a background database or send to some email address. I created these instructions that you can use to create future wallet seed offline and using just your PC: https://forum.helloiota.com/9162/How-to-create-your-own-seed-safely-withouth-any-online-seed-generator

If you are serious about cryptocurrency I encourage you to learn how to create seeds/private keys. It's your money, learn how to protect it.
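Offline seed creation, as an added Python example (not code from the thread or from the linked helloiota guide): the only property assumed is that an IOTA seed is 81 trytes over the 27-symbol alphabet A-Z plus 9. The second generator shows the by-hand version on /dev/urandom bytes, including the rejection step that a naive "byte mod 27" skips, and naive_modulo_counts() quantifies the bias that step avoids.

```python
import math
import os
import secrets
from collections import Counter

TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 27 symbols
SEED_LENGTH = 81
ACCEPT_LIMIT = 243                              # 9 * 27: largest multiple of 27 <= 256


def generate_seed() -> str:
    """Each tryte drawn with secrets.choice, which reads the OS CSPRNG and
    picks uniformly over the alphabet; no network, no browser, no website."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def generate_seed_from_urandom() -> str:
    """Same result built by hand from os.urandom (/dev/urandom on Linux).
    A byte is 0..255 and 256 is not a multiple of 27, so bytes >= 243 are
    discarded rather than reduced mod 27; reducing them would skew the seed."""
    out = []
    while len(out) < SEED_LENGTH:
        for b in os.urandom(64):
            if b < ACCEPT_LIMIT and len(out) < SEED_LENGTH:
                out.append(TRYTE_ALPHABET[b % 27])
    return "".join(out)


def is_valid_seed(seed: str) -> bool:
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits() -> float:
    """81 uniform symbols from 27 give 81 * log2(27) bits, about 385."""
    return SEED_LENGTH * math.log2(len(TRYTE_ALPHABET))


def naive_modulo_counts():
    """(min, max) hits per residue when a byte is reduced mod 27 with no
    rejection: residues 0..12 come up 10 times in 256, 13..26 only 9 times."""
    counts = Counter(b % 27 for b in range(256))
    return min(counts.values()), max(counts.values())


if __name__ == "__main__":
    seed = generate_seed()
    print(seed, is_valid_seed(seed))
    print(f"entropy: {seed_entropy_bits():.1f} bits")
    print("naive mod-27 hit counts (min, max):", naive_modulo_counts())
```

Run it on a machine that is offline, write the seed down, and clear the terminal scrollback afterwards; none of this needs anything beyond the Python standard library, which is the point the comment above makes.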

jasonkyc commented 6 years ago

@shufps iotaseed.io not an official IOTA cold wallet generator?? @@

shufps commented 6 years ago

Wow, I wished the idea of iotaseed was my own idea ... I would be rich by now ...

jasonkyc commented 6 years ago

@onemoreitguy please advise, see what I missed. I lost all my coins for the 1st time and it happened in IOTA. My other coins have no issue till now.... I'm using TREZOR to store all ETH, BTC, and other coins...

onemoreitguy commented 6 years ago

IOTA has a 'seed' just like ETH, BTC have a 'private key'. If someone has access to them, it doesn't matter if it's stored on a hardware or paper wallet. I don't have a Trezor, but I assume that you generate the wallet private key with the app, which doesn't use any Internet resource and is therefore safe.

I forgot to post the URL link, but this is one way to make a seed by yourself without any internet access: https://forum.helloiota.com/9162/How-to-create-your-own-seed-safely-withouth-any-online-seed-generator.

Can you share your wallet address that got the funds 'ripped off'?

ghost commented 6 years ago

Same happened to me:

Any tips? Or are my IOTAs gone forever? I read this article and it seems in October there was a huge reclaim action going on for people who got hacked: https://blog.iota.org/claims-and-reclaims-finalization-e692844c505a

My reused address (last two transactions are from the hackers): https://iotasear.ch/address/EBZUEHHAXHE9TEHACXJIAELCNSP9YJAKTHIPFSNHH9SOILEA9VOOZMZFRENDSRMQDWCUXXGFFFAXKJ9X9MIAFZCNAW https://thetangle.org/address/EBZUEHHAXHE9TEHACXJIAELCNSP9YJAKTHIPFSNHH9SOILEA9VOOZMZFRENDSRMQDWCUXXGFFFAXKJ9X9

Hacker wallet (he has collected a nice sum of approx. 30k USD. I'm not the only target it seems!): https://iotasear.ch/address/KRDTGTERZCIXCCAE9ERSLFD9UWIYSKKXALVUTDVAOGZLNOOTKVHRWWTNRPFPTWSQMRCYR9HGMCSATQUPY https://thetangle.org/address/KRDTGTERZCIXCCAE9ERSLFD9UWIYSKKXALVUTDVAOGZLNOOTKVHRWWTNRPFPTWSQMRCYR9HGMCSATQUPY

VinnyxJones commented 6 years ago

Glad to find this thread - just came back from holiday and noticed my funds were transferred yesterday ... Not sure the reclaim tool does much... can you guys suggest a way to flag this as well? As for how I generated my seed: I honestly can't remember - my funds hadn't moved in 3 months and now they're gone.

Thanks for your tips, as I'm unsure what next steps I should take.

ghost commented 6 years ago

My friend's wallet also got hacked yesterday at around the same time. However in his case he didn't reuse his private key as I did, and in the target address wallet there was about 10 Gi worth of incoming transactions. So it smells like some big hack is going on. Someone has a script running over the network and is siphoning people dry! This is my friend's address that got drained:

https://thetangle.org/address/GVRWDMGXPBIOVQTZFNAIWHXTTZPODLKWHNKTCJTPSRI9YKTOMLMACE9PSHHCSCNCFVSNSNAGIKCISHZVYW9RCGFPLY

patchthecode commented 6 years ago

@tzminversion Did you use online seed generator?

There is a huge post here. Many are hacked, and the number is climbing -> https://medium.com/@ralf/what-happened-last-night-on-iota-b6157ade1e03

onemoreitguy commented 6 years ago

I've tracked several scammed wallets published by people on the 19th. The biggest gathering I've found was 2 wallets: one with 5 million USD and another with 1.5.

jasonkyc commented 6 years ago

IOTA devs should look into their security issue... and it looks like IOTA didn't take their security measures seriously... Sad :( and they should warn and direct users to the recommended URL to get our wallet.... seems there are lots of victims here... what should we do? Wait??

yippykaiyay012 commented 6 years ago

There is nothing wrong with the security measures of the iota wallet and the iota protocol. Generating an unsafe seed is nothing to do with iota. This is the same for any crypto currency. Wallet upgrades will come making it more retard proof. If I gave you a seed would you trust it? Why trust it from a random website?

AlexanderPoschenrieder commented 6 years ago

Wallet should generate the seed. Where did you see a wallet that can't do that. But anyway, in my case wallet starts to give me already used address. That looks a security issue to me

patchthecode commented 6 years ago

Ok, lets not confuse things.

  1. Online seed generators are stupid but are partly the fault of the IOTA team. When you provide a wallet that does not create its own seed, then you are inviting users to do stupid things. Adding a generator to the LiteWallet is stupidly simple. Millions of IOTA have been stolen showing this is a huge pitfall. At this point it is BOTH the fault of users' ignorance, and the IOTA devs' apathy for not fixing/upgrading the wallet to do something this simple.

  2. The fact that the wallet generates duplicate addresses is totally IOTA devs fault. This needs to be fixed immediately. It is a security issue.