
Ask HN: $10k in cryptos stolen off my desktop from an encrypted folder, how? - kbenzle
I kept 500 Ether, 1,000 Litecoin and 500 PPC (and a little BTC) in cold wallets in a password-protected .rar file on my desktop; when I happened to check my watch address yesterday, all the balances had been emptied two days ago.
I made two mistakes: (1) I download a lot from torrent sites, (2) I kept ALL my "cold" storage paper wallets in one encrypted WinRAR file with a 12-character password. I thought this security was enough and am still at a loss as to what happened.
The other day I noticed a program running in the Task Manager called "Wool Department". There were no Google results for it, so I closed it, but it kept coming back up (on Windows). Next I got an e-mail from Microsoft about verification, then from a few other sites I have not used for a long time. My email was hacked years ago, so I changed my password and did not connect the two events at all.
My Ether address: 0xea13bae3f4d94b43d2224bb8a1abb0f4e7e0e24d
My Litecoin address: LhfSd3ZzJMrWawrFimQcTnCx8rYQ3XYiVG
My PPC address: PPM4tkGmx9f4LMchhCqQAn6j843KDU3ELk
I assume I will never see any of it again, but would like to offer 1/2 of any recovered funds as a reward to anyone that can help to find the criminal(s) responsible/return the funds.
======
Obi_Juan_Kenobi
How are they cold storage paper wallets?

They certainly aren't paper. They also aren't cold, being on a networked
computer.

I don't like victim-blaming, especially because this is really a usability
issue for crypto, but I have never heard anyone say that a pw protected .rar
file is appropriate security. If you're going to make a significant investment
into crypto, I just don't understand how you can ignore all the security
advice.

~~~
brianwawok
Which is one reason I could never see my parents using a cryptocurrency. So
many things can go wrong.

~~~
bbcbasic
It's the reason I don't (seriously) use it. I have 3 bitcoins or so floating
about somewhere.

------
cloudjacker
a) That's not how cold wallets work; they weren't supposed to be on a networked
computer at all.

b) check Teamviewer and remote desktop viewers. Especially the ports those
programs would typically use. It is a common attack vector to come in through
those and view your machine, install key loggers as you, etc. Which leads to
the next part:

c) How was the 12-character password stored? Only in your head? In a password
manager? In Gmail? Used in other areas?
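
The checks in (b) and the "keeps coming back" process from the post, as an added defender's script that is not part of this thread or any commenter's code. It assumes the usual default ports for RDP (3389), VNC (5900) and TeamViewer (5938) and a Windows 10 or later host; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: inventory listening ports that remote-access
# tools commonly use, then list the autorun mechanisms that can relaunch a process
# after it is killed in Task Manager.

# Assumed default ports (the tool names are only hints; verify the process path).
$remoteAccessPorts = @{ 3389 = 'RDP'; 5900 = 'VNC'; 5938 = 'TeamViewer' }

# 1. Listening TCP sockets with the owning process and its on-disk path.
#    An executable living under a user-writable folder (Temp, AppData, Downloads)
#    deserves a closer look.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Process   = $proc.ProcessName
            Path      = $proc.Path
            Hint      = $remoteAccessPorts[[int]$_.LocalPort]   # cast: hashtable keys are Int32
        }
    } | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Run-key and Startup-folder entries, the simplest way a program comes back at logon.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User | Format-Table -AutoSize

# 3. Scheduled tasks outside the Microsoft tree, another common relaunch mechanism.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 4. Non-Microsoft services set to start automatically.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike '*\Windows\*' } |
    Select-Object Name, State, PathName | Format-Table -AutoSize
```

The output is an inventory to review, not a verdict; once a host is suspected of being compromised, the recommendation elsewhere in this thread (wipe and reinstall from clean sources) still stands regardless of what these lists show.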

------
jbmorgado
This story illustrates perfectly one of the big reasons why Bitcoin and
company aren't and will probably never be used by the general population for
anything really.

If even someone that is technically savvy (I don't know much about the OP, but
someone that uses RAR, knows how to make crypto wallets and knows how to check
the processes running on his computer is much ahead of the average person in
terms of IT knowledge) can't be safe with their crypto coins, you really can't
expect that the average person ever trusts Bitcoin and company for anything.

I'm sorry for your loss, but there is nothing you can do really. Try and
contact Poloniex for the Ether, but unless you have some proof those coins
actually belong to you, it will be next to impossible to have them do
anything.

~~~
bobbygoodlatte
Coinbase 2-factor auth plus their long-term Vault storage is plenty secure for
the general population.

~~~
bbcbasic
Or even better a checking account.

~~~
ThisIs_MyName
Yeah, if you're OK with a third party like Coinbase holding your money, just
use a bank. That's what banks are meant for!

------
beaker52
My best guesses:

a) Your machine was already compromised when you made the RAR.

b) The attacker logged your password, either when you entered it for the archive or
into another service which shares the same password.

c) Perhaps WinRAR encrypted archives have a cryptographic flaw making them
easily broken by software.

d) Perhaps the attacker has been brute-forcing for a while.

------
irl_zebra
"Wool Department"? Sounds like you got fleeced.

------
howtofixthis
Well I'd start by sweeping out whatever is left. Your ether address still has
5 ether left in it...

Just following the transactions I can see that 125 ether were sent to Poloniex
so I'd contact them to see if they can help you.

------
orf
Yeah... The moment you see a windows process called "Wool department" that
restarts itself you unplug your computer and rebuild it from scratch.

------
gesman
A keylogger was likely installed on your computer and everything you were doing
was being monitored.

Culprit: >> (1) I download a lot from Torrent sites

Solution:

1. Wipe the computer / reinstall everything from clean sources.

2. Don't download crap!

------
kristianp
Was your password based on a phrase that's in a book, TV show or movie? It
could have been guessed by a dictionary attack. Even a phrase from Urban
Dictionary could be guessed, for example.

------
curiousgal
I could relate to you doing all of what you mentioned (torrents, "cold"
wallets, hacked email) up until you mentioned Windows.

------
philip142au
What if you had an anti-virus? Do you think that would have helped?

------
tenismyanswer
This is shocking. Let's all donate to the above addresses to try and get this
fella back on track.

~~~
stephenr
Are you serious?