Wallet Cleaned out!?!?

  • Hey, so does anyone know why my savings wallet was cleaned out? The key was only kept local, so I kinda doubt it was hacked, but my entire balance was transferred to another account and I lost everything... It was transferred to BURST-5BGX-C7EA-A6ET-BAQCD on transaction number 61736480142754900. Does anyone know anything about this?

  • @fenix12585 said in Wallet Cleaned out!?!?:


    That is the infamous "H" bot that hacks accounts. A few others here have been bitten by him.

  • @rds

    Is there anything that can be done? He got over 200k burst... I didnt have a weak passcode either... random generated... at this junction, what the point of BURST if this is so easily done?

  • as far as anyone can tell that is the only account that seems to be able to do this to people and has been doing it for a wile , even cleaned out @haitch asset wallet . but i have not heard if anyone has figured out how he is doing it

  • well, that is horrifying! I have no idea how I can even start recuperating from this... thanks for the info and responses

  • @fenix12585 the community set up and ran test on pass phrase security with bountys being what was in the test wallets if they could be cracked .... last i heard wallets with 4 words or less pass phrases got cracked but no wallet with over 5 words was ever cracked and the 12 word random generated pass phrases are secure. i seriously doubt they are being brute force hacked its far more likely he is hacking computers and finding text doc's with stored passphrases or running some type of phishing program no one has detected. with a select few people acidently making pass phrases publicly known . however the people that have come forward that have been hit by that account a very large chunk of them acctuly had very very weak short pass phrases.

  • @fenix12585 ,

    Sorry about the hack, but this happened 6 months ago?? He was very active back then.

    Horse after the barn door advice:

    break up your stash into reasonable amounts in multiple wallets (eggs in one basket issue). I never leave any real coin in a mining wallet, sweep it to another account that doesn't send passphrases to the network and pools. Some will say the password cannot be deciphered, but I don't know that so it is better for me to push minging earnings to another wallet,

    If you look at "H" activity, once he gets into an account, he continuously scrapes the account for any new coin that shows up. These accounts are miners that are asleep at the wheel not watching their accounts.

    Can you give us an idea of what your passphrase looked like? Was it a 12 words phrase or something like "Passw0rd!"?

    I think that this creature is brute forcing weak passphrases and every so often hits a big one like yours was.

    Again, sorry for your bad luck.

  • @rds That is sound advice, and kinda what happened. I was asleep at the wheel with these in a savings account waiting for the ddosing drama to die down a bit, and burst to hopefully come back stronger than ever, which it appears to have done... I think Ill do the several accounts thing if I ever manage to get enough burst to do it again, but without a serious drop in value again, I don't think ill ever be at that level again... As for my password, it was a 29 character random generated string. Not words or anything, just straight 29 random characters.

  • @fenix12585 Sorry to hear that your wallet has been hacked by the Serial Wallet hacker H. A significant number of wallets that he hacked used weak / short / obvious / quotation based passphrases, there are very few cases of the standard 12 Word passphrase being compromised. Can I ask if you used the standard 12 Word Passphrase when you opened the account or something of your own?

    EDIT. Just seen your password description above. If your 29 Characters were truly random, then it will not have been hacked.


  • @richbc This account was created before that was advised or implemented... it was 29 random characters... In have seen the 12 word generator setup now and will of course use that in the future

  • @fenix12585 ,

    This "H" is bold and brass.
    I sent 1 BCC asset I had laying in an account to your hacked account last night.
    Looks like "H" put 5 Burst into the hacked account from a non "H" account.
    Then a sell order was created to sell that 1 BCC for 5 Burst.
    Six minutes later, 8 Burst was transferred to the "H" account. This has to be a bot, who is going to manually do this for 3 Burst net gain?

  • Did you ever use an online wallet, or did you only use your local wallet? Just curious if maybe it has to do with an online wallet getting compromised.

  • did you ever use the SurfBar that was going around last year ?

  • @rds said in Wallet Cleaned out!?!?:

    Six minutes later, 8 Burst was transferred to the "H" account. This has to be a bot, who is going to manually do this for 3 Burst net gain?

    Agreed it's small beer, but have seen this from H many times. It is a lot of work for a small amount but it would be one sophisticated Bot to carry out that sequence of events, so I reckon it's manual?


  • @richbc its rather simple automation. As its probably sitting 24/7 on and i am pretty sure scanning blocks as they coming in to see any changes on all tracked accounts (read hacked).

  • @lithstud You may well be right, it's just that for some Weeks I Monitored H and the raids seemed to take place in batches as if it had a human behind it....

    Either way it's not the main issue and it continues to be a pain in the ass. I urge anyone with the time or skills to do some further analysis of what's and how he does it to take a look.

    It has changed over time, in the early Days the accounts were all easy to crack for a variety of reasons which I won't go into. Now there are some that do not look like they should have been possible.

    The possible approach that worries me the most is when a while ago we were shown that with a small hack to an online Wallet that passphrases could just be logged.

    Finally I have not seen this mentioned but in his recent hits there is this sequence.

    12201425830678183656	 5,170 Burst	E925-FACX-C2X8-49772	2017-12-03 19:30:49
    1008693753108881926	 3,922 Burst	E925-FACX-C2X8-49772	2017-12-03 17:32:12
    17469318369740058545	 10,357 Burst	E925-FACX-C2X8-49772	2017-12-03 03:42:46
    5750588520185042574	 2,582 Burst	E925-FACX-C2X8-49772	2017-12-02 21:33:34
    11436595209164785365	 3,861 Burst	E925-FACX-C2X8-49772	2017-12-02 19:33:55
    10892710347538568685	 2,580 Burst	E925-FACX-C2X8-49772	2017-12-02 18:00:58
    13755455755917716828	 553.72 Burst	E925-FACX-C2X8-49772	2017-12-02 17:01:04
    2556441643706570330	 12,499.4 Burst	E925-FACX-C2X8-49772	2017-12-02 14:29:31

    Where the address is for pool.poolofd32th.club

    Would have thought this would have had a mention somewhere?


  • @richbc said in Wallet Cleaned out!?!?:


    are you saying that he might be mining there ?

  • @ariasentheyn No, not with this account. I only used it on my local wallet, and the password was stored on a thumb drive i keep in a lock box...

  • admin

    Just to resolve - the H account raider is not me ...............


  • @haitch I hope no one thinks that you!