Silk Road forums

Discussion => Security => Topic started by: foxen624 on July 13, 2013, 04:39 am

Title: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 04:39 am
I'm not sure what to do.  Yesterday, I bought BTC through BitInstant and gave them the address of a personal wallet (like I usually do then transfer from there to SR).  Well, BitInstant held up their end, but when I went to get the BTC from the wallet to move them to SR, first thing I saw was that my BTC balance was ZERO.    Alarmed, I checked the transactions, and this is what I found:


2013-07-13 05:26:31    -4.08108663    Payment sent to address: 1NRMGqPYXwPoAGHiPAMzBgkqCcmgms3hjH
TXID: ca9fb20db76fe62965e9eba5d9c12dc276eade3397db39ef06f3534c95bbbb59

2013-07-11 23:45:58    4.08208663    Payment received.
TXID: 98e9d29043efb4ff11abb7ef018e62cfa7dc3a6fbae159fe662eef5becb06198


The second one is where the BTC was deposited into my wallet, the first/top shows that someone, somehow transferred my BTC to the wallet address shown.

Can someone PLEASE advise me what I should do?

Thanks.....


Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: astor on July 13, 2013, 05:03 am
What kind of personal wallet was it? An ewallet? Someone could have hacked / accessed your account and transferred the coins.

Unfortunately, there's nothing you can do to get the coins back.
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 05:17 am
What kind of personal wallet was it? An ewallet? Someone could have hacked / accessed your account and transferred the coins.

Unfortunately, there's nothing you can do to get the coins back.

That was the answer that I was so hoping NOT to get, but at the same time feared that it is true.

This one was an EasyCoin wallet at: easycoinsay7p51.onion  Accessed through TOR and as every time I buy BTC, being that I had been under the impression that it would be safer to have them deposited into a wallet unrelated to SR, then wait a day and deposit to SR wallet from where they were initially deposited.

Each time I do this, I use a new wallet I've never used before.  I used a strong password never used on any other wallet and never wrote it down anywhere.. it was ONLY in my head.

I guess my hope was that because the transaction log showed the wallet where the BTC was transferred to, that someone who understands the whole process better than I do might know how to track the coin through the wallet it was transferred to from my own wallet...    possible?  That was $375.00 I paid for those....   if it's gone, nothing can be done obviously...  I'm afraid I'm grasping at straws... but I'm grasping.... 

Thanks....
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: cirrus on July 13, 2013, 05:19 am
At first glance, I was going to suggest that what you were seeing was the Silk Road coin tumbler in action, but then I read your post and see that you weren't talking about your SR wallet.  What this means is exactly what astor suggested - it's possible that someone accessed your bitcoin wallet or hacked it, and transferred the coins out. 

This may be a good time to make sure that your computer isn't compromised - check it for malware / viruses, etc. - and also make sure you are using strong passwords.

Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: cirrus on July 13, 2013, 05:21 am
What kind of personal wallet was it? An ewallet? Someone could have hacked / accessed your account and transferred the coins.

Unfortunately, there's nothing you can do to get the coins back.

That was the answer that I was so hoping NOT to get, but at the same time feared that it is true.

This one was an EasyCoin wallet at: easycoinsay7p51.onion  Accessed through TOR and as every time I buy BTC, being that I had been under the impression that it would be safer to have them deposited into a wallet unrelated to SR, then wait a day and deposit to SR wallet from where they were initially deposited.

Each time I do this, I use a new wallet I've never used before.  I used a strong password never used on any other wallet and never wrote it down anywhere.. it was ONLY in my head.

I guess my hope was that because the transaction log showed the wallet where the BTC was transferred to, that someone who understands the whole process better than I do might know how to track the coin through the wallet it was transferred to from my own wallet...    possible?  That was $375.00 I paid for those....   if it's gone, nothing can be done obviously...  I'm afraid I'm grasping at straws... but I'm grasping.... 

Thanks....

Isn't easycoin's url:  https://easycoin.net/   ???

The address you mention seems sketchy because I was under the impression that EasyCoin was a clearnet site ...
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 05:37 am
@cirrus Thanks much for your wanting to help me with this and I want you to know it's much appreciated.  As far as checking my computer for malware/viruses/security holes, etc...  just the day before I bought the BTC, I saw a post regarding that the PGP keys should be made as strong as possible.  Mine was about medium and OK as far as current SR standards, but I decided to make it as strong as possible, so I upgraded it.  But before doing so, this is what I did to try to make sure my computer was clean.  I have AVG antivirus running all the time in R/T anyway, but I ran a full computer scan as well as I ran a rootkit scan using AVG.  They both came up clean.  I also ran anti-malwarebytes - full scan and it also came up clean.  I have another program I've used for several years that seems to catch anything missed by other programs, Advanced SystemCare Pro (ASC), which I ran all areas of the program and it came up clean as well.  I use CCleaner every day, and it always finds various things that it cleans off... those are the programs I have that I use regularly and so just less than a day before the BTC was deposited into my wallet, my computer was clean to the best of my knowledge.

If you have any recommendations for more superior anti-malware/anti-virus programs, I'd be most appreciative of any information like that which I will immediately try.

As far as your second comment regarding the address of EasyCoin, yes, both:   https://easycoin.net/   ...  and  ...   easycoinsay7p51.onion take you to the exact same page - it has both addresses on it.  I had just thought it would be safer to access it through TOR, but apparently something or things that I had believed to have been safety precautions were just the opposite...  :( 
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 08:55 am
Regarding the BTC address of EasyCoin, I just went to one of my other computers that I use only for the clearnet to see if anything was different if I logged into https://EasyCoin.net on the clearnet, rather than having used their TOR address of:  easycoinsay7p51.onion.  I was able to log in using the same details as I had used to log in using the .onion url....  and found the same thing.  ZERO balance as well as the same two entries in the transaction log that I posted in my OP here.  It also showed the message that I had sent to EasyCoin support via their 'contact us' page (which has yet to be answered, though it's been less than an hour).

One thing I noticed which I don't know if it's significant or not, but the pages I get when logging into EasyCoin either via their clearnet address, and by logging in via the .onion address from TOR are [almost] identical...  not [exactly] identical as I'd said a post or two down.   The one difference being that the one accessed through the clearnet at https://easycoin.net does not have the TOR Onion symbol with the url:  easycoinsay7p51.onion on the front page, whereas when I access that address through TOR, it does show the onion and the .onion address....

Is it possible that the one with the .onion address is a phishing site?  Does anyone know?  What about the wallet the BTC was transferred to?  No way to trace it at all?  (I suspect there is not...   but I ask anyway)...

Also, does anyone know if it is generally safer to send just-bought BTC to another wallet than to send therk
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: cirrus on July 13, 2013, 09:03 am
My best guess is that the .onion site was a phishing site.  It doesn't mention that address anywhere on easycoin, as far as I can see.  :(

You may want to use a different wallet like the wallet at blockchain.info, as it seems like easycoin has some issues.
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: BlackIris on July 13, 2013, 10:09 am
My best guess is that the .onion site was a phishing site.  It doesn't mention that address anywhere on easycoin, as far as I can see.  :(

From easycoin.net clearnet site:
"We respect our users privacy and dont store any information, if you are worried about someone knowing about you using Bitcoin, you can use out Tor hidden service: http://easycoinsayj7p5l.onion/"

I suspect the OP got a keylogger on his machine. Even with strong AV, many times they don't get found, especially if they are new and/or created ad hoc by some hacker (heuristic scanning should prevent this but it doesn't always work).

OP, I suggest you completely remove your OS by wiping your HDD thoroughly before setting it up again. Start anew. I'm sorry for your loss of BTC, but it's obvious that someone got into your wallet and transferred the coins. So either you entered some other phishing site (this is also probable) or you got a keylogger/rootkit in your OS, and since it's always better to be paranoid than sorry, clean everything and start anew.

EDIT: Looking now at the address mentioned by the OP, it looks like where he entered is  easycoinsay7p51.onion and NOT  easycoinsayj7p5l.onion , so either the OP made a typo here or he entered a phishing site. I tried opening the URL given by the OP in Tor but there's no access there. So it's probably a typo, but it can also be that it existed before and it was a phishing site.
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: mrmdma on July 13, 2013, 10:12 am
I use an electrum wallet with at least a 20-digit password. I usually send the coin from my wallet straight to my SR wallet since I am able to receive my orders in a way that can never be linked to me.
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: BlackIris on July 13, 2013, 10:20 am
If you have any recommendations for more superiour anti-malware/anti-virus programs, I'd be most appreciative of any information like that which I will immediately try.

You can try ZoneAlarm. It's one of the best for heuristic scans and it's also one of the best at cleaning.
Still, as I say, it is NOT guaranteed that a keylogger/rootkit will be found (and even less cleaned) no matter the AV you have. For security, clean everything and start anew.
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: BlackIris on July 13, 2013, 10:31 am
Is it possible that the one with the .onion address is a phishing site?  Does anyone know?  What about the wallet the BTC was transfered to?  No way to trace it at all?  (I suspect there is not...   but I ask anyway)...

Yes, it is possible (actually phishing sites - if done well - are done exactly that way: they try to copy the whole legit page down to the smallest detail, but many times some very little thing escapes them) and sometimes they even redirect you to the legit site when you click on links. I tried to enter the site you gave and it was not available, so you either made a typo here or it was a phishing site.

As for tracing the wallet, alas that's the point of BTC wallets. They are impossible to trace back, especially with a tumbler (that any person worth his/her salt uses).
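The posts above ask whether the .onion address the OP typed was a phishing site or just a typo. One check a reader can do without touching the network is structural: a hidden-service address of the generation in use at the time of this thread is exactly 16 characters from the base32 alphabet (a-z and 2-7) before ".onion", so the digit "1" in "easycoinsay7p51" can never appear in a real address, and the label is one character short. The script below is an added example, not code from this thread or from EasyCoin: it validates an onion address, reports why it is malformed, and compares a typed address against the one published on the legitimate site so that a well-formed near miss (the pattern a lookalike phishing address would take) is flagged separately from a plain typo. The lookalike "easycoinsayj7p5k.onion" used in the demo is constructed for illustration and is not an address the thread mentions.

```python
import re
from dataclasses import dataclass

# Onion address formats (the label before ".onion"): the generation current
# when this thread was written (v2) is 16 base32 characters; the later v3
# format is 56 base32 characters. Base32 here is a-z plus 2-7, so the
# digits 0, 1, 8 and 9 never occur in a real address.
BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")
VALID_LABEL_LENGTHS = (16, 56)


@dataclass
class OnionCheck:
    address: str
    valid: bool
    problems: list


def check_onion(address: str) -> OnionCheck:
    """Structural check: can this string name a hidden service at all?"""
    addr = address.strip().lower()
    problems = []
    if addr.endswith(".onion"):
        label = addr[: -len(".onion")]
    else:
        label = addr
        problems.append("does not end in .onion")
    bad = sorted({c for c in label if c not in BASE32_ALPHABET})
    if bad:
        problems.append("characters outside base32 alphabet a-z2-7: " + "".join(bad))
    if len(label) not in VALID_LABEL_LENGTHS:
        problems.append(f"label length {len(label)}, expected 16 (v2) or 56 (v3)")
    return OnionCheck(addr, not problems, problems)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: small values mean a typo or a deliberate lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def compare_to_expected(typed: str, expected: str, near_miss: int = 3) -> dict:
    """Classify a typed onion against the address published by the legitimate site.

    The expected address must come from an out-of-band source (the clearnet site,
    a signed message, a bookmark you made earlier), not from the page you are
    currently looking at.
    """
    t, e = typed.strip().lower(), expected.strip().lower()
    dist = edit_distance(t, e)
    check = check_onion(t)
    if t == e:
        verdict = "exact match"
    elif not check.valid:
        verdict = "malformed (cannot resolve; most likely a typo): " + "; ".join(check.problems)
    elif dist <= near_miss:
        verdict = "well-formed near miss: possible lookalike, verify before logging in"
    else:
        verdict = "different service"
    return {"typed": t, "expected": e, "distance": dist, "valid": check.valid, "verdict": verdict}


if __name__ == "__main__":
    published = "easycoinsayj7p5l.onion"      # address quoted from easycoin.net in the thread
    for typed in ("easycoinsay7p51.onion",     # what the OP typed
                  "easycoinsayj7p5k.onion",    # constructed lookalike for illustration
                  published):
        r = compare_to_expected(typed, published)
        print(f"{r['typed']:<24} distance={r['distance']}  {r['verdict']}")
```

The malformed verdict is the strong one: an address with a "1" in it cannot be a hidden service, which agrees with BlackIris's and the OP's observation that it simply does not connect. The near-miss verdict is only a warning; a lookalike that is structurally valid can be a working phishing site, and the only defence is comparing against an address you obtained some other way.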
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 02:12 pm
Many, many thanks to all of you who tried to help me out and put your time, knowledge and experience into it.....  cirrus, BlackIris, mrmdma & astor.   And, actually, after having gone thoroughly through each and every reply, I've gotten bits and pieces from all your replies, checked some things out that I could, and in fact, you guys did help me out.  I didn't get the answer I was hoping for (though I had a sickening feeling that it would not come), but I did get what I needed to know to prevent this happening again. 

Let me first say that I did find it somewhat interesting...  the observation that BlackIris made in regard to the discrepancy in the .onion address I had included in my OP and the .onion address listed on the EasyCoin.net site.  I had indeed typed  easycoinsay7p51.onion and NOT  easycoinsayj7p5l.onion  as is the address mentioned on the EasyCoin.net site.  I definitely thought that worth looking into, which I did, but found that it was nothing more than a typo on my part.. and any subsequent places in other posts in this thread by me were the same as the original typo because rather than keep looking it up, I simply copy/pasted it from the OP.   When I typed the .onion address that includes a "j" (which is the letter I accidentally left out), it took me to the correct site.  I then tried it with the address I had in my OP (w/o the "j") and I doubt it was any kind of phishing site, it just went nowhere... wouldn't connect at all...    I had found the observation by BlackIris to be potentially an important one, which is part of the reason I tested out all angles in case it was an intentional discrepancy and was indeed a phishing site.  Had that been the case, it would not have gotten my money back, but getting out knowledge like that could have potentially helped others to avoid falling into the same trap. 

However intriguing though, turns out it was just a stupid typo on my part...  perpetuated by my use of copy/paste in subsequent posts.

As far as alternative wallet suggestions made by several of you, the only one I've not used is electrum wallet suggested by mrmdma, though I think I will check into that one.  Currently, I have several wallets - each with different usernames and passwords from both EasyCoin and from blockchain.info.  I do believe that blockchain.info is more secure than EasyCoin... much more secure depending on how many..  extra layers of protection you choose to put on the wallet.  I put several on each of mine, and for that reason, due to uncalled for laziness, I often opt not to use them because I don't feel like going through all the extra steps.  A MISTAKE.. that it seems I learned the hard way to never make again. 

Even though I have come to believe that the wallet I used was not in and of itself the problem as far as that I think that EasyCoin had anything directly to do with someone having transferred my BTC out of it and into another wallet,  (although I did consider this as a possibility as being the cause at first due to having read a few cases of others having had problems with EasyCoin),  but after having read what all of you had written in your replies, I think that the only way I could blame the wallet I used would be to blame myself for not having used one of the ones with a lot more security (such as the wallets offered by blockchain.info)...   as I now am fairly convinced that no matter how diligent I THOUGHT I had been in keeping my computer.. especially this one free of any compromises, I wasn't diligent enough...  and/or as was suggested by BlackIris, there is probably a keylogger and/or very well hidden rootkit somewhere on this machine. 

I'd just like to mention also, I may be wrong in having come to this conclusion, but I did quite some time ago.. that even though I use tumblers as well as SR does and all of the wallets that I do currently use claim to...  I still have felt that it would be safer - maybe not along the lines of preventing what happened to me, but along the lines of staying untraceable to LE, to have the BTC sent initially to a personal wallet - btw, I've never used the same wallet more than once as far as having BTC initially sent to, and I always generate a new btc address on SR to deposit coins.  And I'm still interested in the thoughts of anyone else as to whether this is indeed a good practice (assuming that I am not using a compromised computer in which to do it, of course)

After having given all your thoughts serious thought and done some checking into of...   I now do believe that somehow this computer did become compromised and I will not feel comfortable enough even with wiping the HDD and reinstalling the OS as was suggested, and probably is in fact safe enough, but I'm of the nature where I will get a brand new computer (I'm talking laptop/notebook still in the box - not a real fancy, expensive new system) and start over that way rather than trusting that I've wiped the HDD clean enough.  And mad as it makes me to HAVE to do [that or wipe & reinstall] because of some thief...  that is exactly what I'm going to do.  Today.

I don't remember if I mentioned it in this thread, but I in fact have 4 computers (counting this one), that I use each for separate  purposes.  Sound paranoid?  Probably, but I do... this is the only one that I have used for nothing but TOR, I use another for things like banking, bill paying, legal purchases from Amazon, etc...   and the other two for communicating with various people, some that I don't necessarily wish to have knowledge of some of the others...   Until this unauthorized transfer of my newly purchased BTC to an unknown wallet, I was fairly certain that none of my computers were compromised... now, that has changed as I'm pretty certain that this one is... the others I don't know about, but part of the reason I took a while to get to this reply, is that I went onto one of the other computers that I've never used to access the TOR network, and have used it to change ALL my passwords...  to all TOR sites, wallets, etc...  in an effort to prevent any further instances like this one between now and when I'm set up on a brand new machine straight from the box.

If anyone thinks I'm missing something still...  or know of a better and safer way to prevent any further happenings like this one... or any related info that may be helpful, I'm more than happy to know of it.. though you have all been so helpful already I don't expect anyone to go to any inconvenient lengths to look into this as it is my problem and you have already helped me considerably... at least as far as understanding what is the most likely problem so that while I won't be able to recover the missing BTC, I think that with the passing on to me of your knowledge, I will have a better chance at preventing a recurrence. 

One last thing.. I realize this reply is pretty long, but anyone still reading, I'm just wanting to confirm what I suspect already would be the case when starting all over on a new machine...   that if this one is compromised, and I don't know for how long, I'm figuring that I will  need to get a new PGP key as I have typed my passphrase into this computer numerous times...  I've not had any TorMail problems, other than the ones everyone experiences from time to time of it being down, and have just changed the passwords to my TorMail accounts from a different computer when I changed my wallet and SR passwords and access codes...  so, am assuming my existing TorMail accts and SR account...   ???

Thanks again guys/gals.....
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 02:39 pm
Oh, I almost forgot, I wanted to also acknowledge BlackIris's mention of Zone Alarm.  I have installed and then uninstalled that countless times over the years..  installed because of all the positive feedback I've read on it, but always wound up uninstalling because at the time, I really didn't need all the security that it offered and found it too inconvenient.  But I just this morning went and took another look at their site and it seems they offer more options as far as how often you want to be notified of every little thing. I am seriously considering trying it once again after I've gotten a perfectly clean computer/HDD.  Thanks for reminding me of ZoneAlarm.

And one general comment that prior to the unauthorized transfer of my whole BTC purchase, I'd had no plan to ever even mention this.. and I probably really shouldn't even now... except for the fact that it just makes me double mad that whoever did this did... because while I really doubt that they care at all...   it just so happens that they didn't just fuck me over, but they also fucked over people they had no idea they were because I was going to purchase around $100.00 worth of BTC for my own needs, but the night before, I'd noticed in the 'spare coins thread' that there were a couple of people who had mentioned problems with BitInstant.. and I'd also read in other threads of people having problems with BitInstant, whereas I had not and currently have not personally experienced any problems with them...  and btw, would like to re-iterate that it was NOT BitInstant that had anything to do with this theft, as the logs I posted show that they had held up their end and had deposited the correct amount of BTC into the wallet I'd given them to deposit into.  It happened AFTER BitInstant had already held up their end and deposited the coins.

But that was a side note to what I started to say about my having noticed that others had had problems with them.  The reason I purchased more BTC than I had originally planned was because while I had no intention on attempting to make any sort of profit, since I'd seen a couple of posts in the spare coins thread of people with BitInstant problems wanting to trade their moneypak for BTC, I had figured that since I have personally not had any problems with them, and planned on using them anyway...   I purchased the additional ones for the purpose of being able to help a few of those who did have problems with BitInstant and do a straight trade with anyone who still was requesting that kind of help.  Only for the reason that I've been helped in many areas in life by others and I just looked at it as a small way I may have been able to help another person or possibly two..   Unfortunately, now I won't be able to help anyone... at least not in the near future, or make the purchase that I had planned to make. >:(

*sigh*

I only recently reached enough posts to be able to give Karma and am not sure if there is a limit on how much can be given at a time, but after I post this, I'm going to attempt to give a +1 to each of you who has contributed to helping me with the problem I started this thread about...  hope I'm able to give a +1 to BlackIris, cirrus, mrmdma and astor...  in that order.  If I can, I will...  if not, it won't be for lack of trying...

Best to all of you.....  :)
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: BlackIris on July 13, 2013, 02:44 pm
If anyone thinks I'm missing something still...  or know of a better and safer way to prevent any further happenings like this one... or any related info that may be helpful, I'm more than happy to know of it.. though you have all been so helpful already I don't expect anyone to go to any inconvenient lengths to look into this as it is my problem and you have already helped me considerably... at least as far as understanding what is the most likely problem so that while I won't be able to recover the missing BTC, I think that with the passing on to me of your knowledge, I will have a better chance at preventing a recurrence. 

A Tails OS with a persistent volume or a Whonix VM (for both you can find instructions on how to set up in the security subforum, by astor) is the way to go. A Whonix VM gives you the benefit of using the OS you want as a guest, but it can be (just for this) a little less secure than Tails (you trade a little security for ease of use, but anyway the Whonix Gateway should prevent something like a rootkit from working, for example).

I suggest you incorporate one of those two methods depending on which of the two you prefer. At the very least a VM inside the OS (naturally encrypted) so that in any case, if this last gets infected, you can simply scrap it and not get your whole OS infected too.

Best of luck.
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: BlackIris on July 13, 2013, 02:55 pm
Here are the links for the two threads:

http://dkn255hz262ypmii.onion/index.php?topic=114141.0 (Tails)

As for the Whonix tutorial it has been removed and I don't know why (I don't know why the thread has been removed - or maybe moved? - maybe someone can shed some more light on it. Astor?)

Anyway this is the original text of that thread (that I copied myself), if you are interested.

----------------------------------------------------------------------------------

Whonix is an anonymity solution that uses two virtual machines to enhance security. The Workstation is the main VM, with a full desktop environment based on Debian and KDE. The Gateway runs Tor. All network connections from the Workstation run through the Gateway and over the Tor network. Even if the Workstation is rooted, the attacker can't disable or bypass Tor and the firewall settings. It is safer than Tails, but requires more RAM and CPU because of the overhead of running two VMs.

For more information, here's the Whonix web site:  http://sourceforge.net/p/whonix/wiki/Home/

The interesting thing is that you can use any VM with any OS as the Workstation, as long as you configure the network settings properly.

In this tutorial, I will show you how to torify any operating system running in a virtual machine, using examples from Windows XP, Lubuntu and Linux Mint.

IMPORTANT: Applications that you run in the workstation can leak information about you. In general, it's safer to use Whonix-Workstation or Tails than a random OS, especially Windows. If your Windows install is registered to your name and autoupdates over Tor (providing the license/key to Microsoft), that will link your identity to the exit node that you are using at a specific time. You should disable automatic updating of your operating system. You should preferably use a pirated, unregistered copy of Windows that isn't linked to you in any way. You should also carefully review the potential anonymity leaks of any applications that you run in the Workstation.

With those caveats out of the way, here are some advantages of this configuration. You may have a need to torify applications that run on specific operating systems. For example, you may want to access a web portal that only works in Internet Explorer, or you may prefer to use mIRC as your IRC client, but can't get the SOCKS5 proxy settings to work. Or you may not like Tails and the Whonix Workstation, and want to use your favorite Linux distro with all the benefits of a virtual anon middle box. This is a solution for those use cases.

To get started, download the Whonix-Gateway VM from the web site: http://sourceforge.net/projects/whonix/files/whonix-0.5.6/

Import it into VirtualBox by going to File -> Import Appliance, selecting the .ova file, and accepting the default configuration. You can click Start in the toolbar to start the VM. It will do some auto-updating while we setup the Workstation.

We'll start by installing Windows XP.

Create a new VM for Windows XP by clicking the New button in the toolbar and answering the questions. 384 MB RAM and 10 GB for the virtual hard disk are fine. Everything else you can pretty much click "ok" through.

IMPORTANT: Before starting the VM, click on Network.

Change Adapter 1 to be Attached to Internal Network, and select the name Whonix (it should exist after you import the Gateway). You can leave the advanced options alone.

The dialog box should look like this:  http://32yehzkk7jflf6r2.onion/whonix/vbox1.png

Then click Start in the toolbar and it will prompt you to select the WinXP installation image. (Of course, it can be any installation image).

Follow the instructions in the WinXP installer. Format the virtual hard disk as NTFS, choose a generic username like "user", enter WORKGROUP for the domain, etc. The more common or generic the answers, the better. When it asks you to register, obviously don't do that.

The important part here is the networking. At a certain point the installer will try to auto-configure the networking through DHCP and fail. You must manually configure it by selecting the LAN option and entering this info:


IP address 192.168.0.50
Subnet mask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.10

Here are what those two screens look like:

http://32yehzkk7jflf6r2.onion/whonix/winxp1.png

http://32yehzkk7jflf6r2.onion/whonix/winxp2.png


Increment the IP address for each new Workstation VM that you add to your collection. So my WinXP VM is 192.168.0.50, the Lubuntu VM is 192.168.0.51, and the Mint VM is 192.168.0.52. This also means I can run them simultaneously.

That's it for the networking!

WinXP will bug you to turn on automatic updates and all that shit. You can disable the warnings by going to the Security Center and selecting Change the way Security Center alerts me. Uncheck the alerts for Firewall, Automatic Updates, and Virus Protection.

If you did everything correctly, you can check at check.torproject.org. Here's a screen shot of torified Internet Explorer :)

http://32yehzkk7jflf6r2.onion/whonix/winxp3.png


This works for clearnet sites. Unfortunately, it won't resolve onion addresses out of the box. We'll use Tor's mapaddress feature to fix that. On the Gateway, which is entirely command based, you can add a series of mapaddress lines to Tor's configuration file, which is /etc/tor/torrc.  Here are some examples:


mapaddress 10.10.10.10 silkroadvb5piz3r.onion
mapaddress 10.10.10.20 dkn255hz262ypmii.onion
mapaddress 10.10.10.30 silcroadg3c3mtu6.onion


What it does is, when you enter 10.10.10.10 as the address in your browser, Tor will translate it into silkroadvb5piz3r.onion and access the hidden service. You can add these lines for as many hidden services as you want, up to the logical number contained in the 10.0.0.0/8 private IP space, which is more than enough.

To edit Tor's config file, type "sudo nano /etc/tor/torrc", add those lines at the bottom, and hit ctrl+X to exit. You will be prompted to save your changes. Here's what the end of my torrc looks like:

http://32yehzkk7jflf6r2.onion/whonix/gateway1.png


The default password for this administrative "sudo" command is "changeme", which you can change by entering "passwd" at the prompt.

Then you reload Tor to make it use the new options:  sudo /etc/init.d/tor reload

So, after entering http://10.10.10.10 in IE, I was able to access SR. Here's a screenshot:   

http://32yehzkk7jflf6r2.onion/whonix/winxp4.png


As you can see, it doesn't render correctly. I guess they never had a reason to test it with IE, LOL. You'll also notice the IP address was rewritten to silkroad*.onion, because of a redirect on the site.

Here's IE accessing the forum:

http://32yehzkk7jflf6r2.onion/whonix/winxp5.png


The URL is still the IP address in that case, because of no redirect.

Lastly, I used mIRC to access the silcroad IRC server, which is a hidden service:

http://32yehzkk7jflf6r2.onion/whonix/winxp6.png


I didn't change any proxy settings in mIRC. It connected after I simply entered that IP address for the server.

Once you're satisfied that the Workstation works properly, you can back it up by shutting it down, then selecting File -> Export Appliance, and following the instructions. It will be saved as a .ova file. Then whenever you want to start over with a fresh VM, you delete the old one and import the clean backup. That way you don't have to go through the installation process again.

For some other examples, to configure Lubuntu, start the Live CD (select the "try Lubuntu before installing" option at boot), then right-click on the networking icon at the right end of the panel (it will be spinning), select edit, select Wired 1 connection and edit again, and in the IPv4 tab, change Method to Manual and fill out the info. A pop-up should say "Connected".

Here's a screenshot of the networking dialog:  http://32yehzkk7jflf6r2.onion/whonix/lubuntu1.png

And here's a screenshot of Chromium on check.torproject.org: http://32yehzkk7jflf6r2.onion/whonix/lubuntu2.png

Lastly for Linux Mint, the networking configuration is similar. Click the spinning network icon, edit connections, Wired connection 1, edit, IPv4 settings.

Screenshot of networking dialog: http://32yehzkk7jflf6r2.onion/whonix/mint1.png


Lastly, to shut down the Gateway, enter "sudo poweroff" at the command prompt.


Here's a list of all the screenshots in this tutorial: http://32yehzkk7jflf6r2.onion/whonix/
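Before reloading Tor with "sudo /etc/init.d/tor reload", it is worth checking that the mapaddress lines you added to /etc/tor/torrc are consistent, since a typo in an onion name or the same IP mapped twice fails quietly. The Python script below is an added example, not part of the tutorial quoted above or of the Whonix project. It takes torrc text as a string (a constructed sample here, with placeholder onion names that are not real services) and reports mapped addresses outside 10.0.0.0/8, malformed .onion targets, duplicate IPs with conflicting targets, and incomplete lines. It goes slightly beyond the post in accepting both the 16-character onion names of that era and the 56-character names used by current hidden services.

```python
"""Sanity-check the MapAddress lines in a Whonix-Gateway torrc.

Added example, not from the original post. Assumes the torrc contents are
passed in as text; the sample below is constructed and its onion names are
placeholders.
"""
import ipaddress
import re

# The tutorial maps hidden services onto addresses from the 10/8 private space.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")

# 16 base32 chars (older onion names) or 56 base32 chars (current ones).
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Constructed sample torrc tail; lines 5-8 each contain a deliberate problem.
SAMPLE_TORRC = """\
# constructed sample - the .onion names below are placeholders, not real services
MapAddress 10.10.10.10 aaaaaaaaaaaaaaaa.onion
mapaddress 10.10.10.20 bbbbbbbbbbbbbbbb.onion
MapAddress 10.10.10.30 cccccccccccccccc.onion
MapAddress 192.168.1.5 dddddddddddddddd.onion
MapAddress 10.10.10.10 eeeeeeeeeeeeeeee.onion
MapAddress 10.10.10.40 not-an-onion.example.com
MapAddress 10.10.10.50
"""


def _mapaddress_lines(torrc_text):
    """Yield (line_no, fields) for every line whose keyword is MapAddress.

    Tor config keywords are case-insensitive, and '#' starts a comment.
    """
    for n, raw in enumerate(torrc_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0].lower() == "mapaddress":
            yield n, fields


def check_mapaddress(torrc_text):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    seen = {}  # ip string -> first target mapped to it
    for n, fields in _mapaddress_lines(torrc_text):
        if len(fields) != 3:
            problems.append(f"line {n}: expected 'MapAddress <ip> <name.onion>'")
            continue
        ip_str, target = fields[1], fields[2].lower()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            problems.append(f"line {n}: '{ip_str}' is not an IP address")
            continue
        if ip not in PRIVATE_NET:
            problems.append(f"line {n}: {ip} is outside 10.0.0.0/8")
        if not ONION_RE.match(target):
            problems.append(f"line {n}: '{target}' is not a well-formed .onion name")
        if ip_str in seen and seen[ip_str] != target:
            # Reported rather than resolved: which mapping Tor honours is not
            # something this checker decides.
            problems.append(f"line {n}: {ip_str} already mapped to {seen[ip_str]}")
        seen.setdefault(ip_str, target)
    return problems


def mapped_targets(torrc_text):
    """Return {ip: onion} for the first syntactically complete mapping of each IP."""
    result = {}
    for _, fields in _mapaddress_lines(torrc_text):
        if len(fields) == 3:
            result.setdefault(fields[1], fields[2].lower())
    return result


if __name__ == "__main__":
    import sys
    # Usage: python check_torrc.py /etc/tor/torrc   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TORRC
    for problem in check_mapaddress(text) or ["no problems found"]:
        print(problem)
```

On the Gateway you would run it against the real file ("python3 check_torrc.py /etc/tor/torrc") after editing with nano and before the reload; an empty report means every mapping is inside 10/8, every target looks like an onion name, and no IP is claimed twice.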
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 03:18 pm
If anyone thinks I'm missing something still...  or know of a better and safer way to prevent any further happenings like this one... or any related info that may be helpful, I'm more than happy to know of it.. though you have all been so helpful already I don't expect anyone to go to any inconvenient lengths to look into this as it is my problem and you have already helped me considerably... at least as far as understanding what is the most likely problem so that while I won't be able to recover the missing BTC, I think that with the passing on to me of your knowledge, I will have a better chance at preventing a recurrence.

A Tails OS with a persistent volume or a Whonix VM (you can find instructions on how to set up both on the security subforum, by astor) is the way to go. A Whonix VM gives you the benefit of using the OS you want as a guest, but it can be (just for this) a little less secure than Tails (you trade a little security for ease of use, but anyway the Whonix Host should prevent something like a rootkit from working, for example).

I suggest you incorporate one of those two methods depending on which of the two you prefer. At the very least a VM inside the OS (naturally encrypted) so that in any case, if this last gets infected, you can simply scrap it and not get your whole OS infected too.

Best of luck.

Thank you Iris for the additional info.  As a matter of fact..  I do have a Darknet Bootable USB which I ordered a while back from a SR vendor that is a professionally configured bootable drive with Linux OS and Ubuntu Desktop, i2P & i2P Bote, Truecrypt, GnuPG and Tor Browser Bundle all preinstalled.

When I received it and verified that it booted up, being that it's been a long time since I've used Linux at all and never did really get comfortable with it, and the fact that at the time and is still the case, I have too many unrelated projects I'm trying to work on simultaneously as well as I currently have some urgent family related circumstances that have been occupying much of my time and energy, I put the USB aside with the sincere intention to read up on the various aspects of it and familiarize myself with it.  Unfortunately, that kept getting pushed aside as there seemed always something else I had to take care of first.

But in light of what's happened, and the reminder that I have it due to your suggestion of the VM or tails...  obviously (except for my truly urgent family related circumstances), I need to make it the very next priority to anything other than my family circumstances to learn and use that USB which has many security features and put it off not one second longer than necessary... All other projects, etc...  can wait!

Thanks again....  and btw... still not sure if there is a limit on giving Karma, but if so, it must be higher than 4, as I was able to give a +1 to the four people I mentioned who are all who took time to reply and offer advice in this thread.

:D

P.S.  I was about to post this as it was, and am not changing anything.. only adding to it as I got a "warning" as I went to post it that there was another comment posted while I was writing this one.

Thank you Iris!  I will carefully look over your instructions as well and look into your link.  You are soooooooooooooo kind and thoughtful!  And, as I've been painfully made aware by the recent theft of my BTC, I don't believe that there is such a thing as too much security.  I will probably wind up over-doing it, but how I feel right now, I doubt I'd regret a bit of inconvenience with the knowledge I have so many more safety features.  I still plan however to start with a brand new clean HDD......

Don't know how to truly thank you enough for all the time you put into this and the invaluable advice you gave.....
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 13, 2013, 03:24 pm

IMPORTANT: Applications that you run in the workstation can leak information about you. In general, it's safer to use Whonix-Workstation or Tails than a random OS, especially Windows. If your Windows install is registered to your name and autoupdates over Tor (providing the license/key to Microsoft), that will link your identity to the exit node that you are using at a specific time. You should disable automatic updating of your operating system. You should preferably use a pirated, unregistered copy of Windows that isn't linked to you in any way. You should also carefully review the potential anonymity leaks of any applications that you run in the Workstation.

While all appears to be valuable knowledge in your post...   this bit I just noticed, INVALUABLE!!!
Title: Re: Bought BTC & they were sent to my personal wallet, went to xfer to SR & all gone
Post by: foxen624 on July 15, 2013, 12:24 pm
Hi....

I'm currently writing from an extremely cheap, but new laptop (which I kind of plan to return within the 30-day period allowed if possible), but need a machine that at least I know doesn't have some hidden keylogger or something similar hidden on it while I figure out just what to do with my probably infected one....   I've not done much with the other computer as I've not had time, as well as that I had remembered something I should have thought to have mentioned in my OP or at least in subsequent replies here...  but I didn't think of it then, so while I'm remembering now....  just wanted to run it by those who were so kind in their efforts to help me the other day as well as anyone who happens to read this....

Somewhere around 2 - 3 months ago, I'd noticed that computer starting to more and more often get "hung up" and take forever at times to get from one page to another.  It was getting annoying and I'd done a bunch of basic optimization stuff, defragged the HDD, etc.. nothing I did really changed anything as it was fine some days, but other days I would frequently get the same error message after it had been hung up for a long time trying to go to another page.  I don't remember the exact wording, but it was to the effect:

"There is a script running on your computer that is taking a long time to finish.  Would you like to stop the script now?"  and there would be 2 boxes below - one for 'no' the other for 'yes'.

I would always click the box indicating  'Yes stop the script', then the page would finally come up if it hadn't already timed out.

As I recall, it seems as if I was getting that more and more frequently, and as I think I did mention somewhere in here that I have several computers, each for different uses and the one with the 'long script' error message was the same one that I had designated for TOR use ONLY...  the same one that I used EasyCoin's .onion address to access the wallet from which my $375.00 worth of bitcoin was transferred out of.

And, since I ALWAYS have my Scripts settings as high as possible...  each page always shows at the bottom "Scripts Currently Forbidden", it seems like any script at all that has been doing who knows what on that TOR ONLY computer must be malicious, as it shouldn't have been allowed to run at all...

Does anyone know anything more particular about what I just wrote of here about the scripts?   And if so, could that be the cause of my password, etc.. info getting into the hands of an evil person?  If this is the case, what about the possibility of there being a remedy to stop further scripts or block wherever they are getting in... rather than having to replace or wipe the HDD and start all over?

I really don't know if any of this is even relevant or not, but in case it is...  looking for any thoughts on the subject from those who are far wiser than I on this subject....

Thanks!

P.S.  This is NOT in any way to say that I'm not very interested in following up on BlackIris's excellent tutorial as well as familiarizing myself with my bootable USB that I mentioned earlier in this thread that's already configured for TOR, truecrypt, i2p, GnuPG and all kinds of stuff like that....