Hello, my NXT & IGNIS accounts have been emptied; help finding the hacker?

Hello, I've created a dedicated Ardor wallet to move funds from 2 exchanges, and I've found out while doing a global assessment of my accounts that they have been completely emptied, to addresses that feel like they are "very used" (like a hacker/exchanges who moves a lot of money).

These already weren't worth much, but I wonder how secure the Ardor client wallet is, after that has been stolen (the only coin I've ever lost...).
Can you help, point me in the right direction for a small investigation? Right on this ticket, or via private messages/mails?
Thank you for your help.

12-word passphrases are secure.

By default, to create your passphrase, the wallet uses the JavaScript secure random number generator to produce the necessary entropy, and selects each word from a wordlist of 1626 different words. This gives us 1626^12 possible combinations and an entropy level of log(1626^12)/log(2) = 128 bits of entropy.

So to brute-force it, even at one trillion guesses a second, it would take until beyond the heat death of the universe to compute the entire keyspace and find your passphrase.

So if someone learned your passphrase, there must be an easier explanation, such as

  • having manually chosen an easy-to-hack passphrase, such as "123 hello ardor account"
  • having shared your passphrase somewhere or with someone
  • having entered your passphrase in fake online wallets
  • having stored your passphrase in a plain text file in your computer, and someone got access to it
  • ...

PS - Double check you are looking at the right Ardor address (check it's not the exchange's destination address for example), and that you have the passphrase for that address.
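The entropy and brute-force arithmetic from the answer above, carried through in code, plus a generator that picks words with the OS CSPRNG the way the answer describes. This is an added example, not code from the Nxt/Ardor wallet; the wordlist size 1626 and 12 words come from the answer, while the short wordlist in the block is a constructed placeholder used only so the generator runs offline (the real wallet ships its own 1626-word list).

```python
import math
import secrets

# Parameters quoted in the answer above.
WORDLIST_SIZE = 1626
WORDS_IN_PASSPHRASE = 12

# Constructed placeholder list; stands in for the wallet's real 1626-word list.
DEMO_WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "forest", "glacier",
    "harbor", "island", "jungle", "kernel", "lantern", "meadow", "nebula",
    "orchid", "prairie",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from
    `alphabet_size` choices: log2(alphabet_size ** length) = length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years needed to try every key in a `bits`-bit keyspace."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_schemes(guesses_per_second: float = 1e12) -> dict:
    """Entropy and exhaustive-search time for the passphrase styles discussed
    in the thread: the wallet's generated 12 words versus short human-chosen
    passwords such as a 4- or 5-digit PIN or 8 lowercase letters."""
    schemes = {
        "12 words from 1626-word list": (WORDLIST_SIZE, WORDS_IN_PASSPHRASE),
        "4 digits": (10, 4),
        "5 digits": (10, 5),
        "8 lowercase letters": (26, 8),
    }
    result = {}
    for name, (alphabet, length) in schemes.items():
        bits = entropy_bits(alphabet, length)
        result[name] = (bits, years_to_exhaust(bits, guesses_per_second))
    return result


def generate_passphrase(wordlist=DEMO_WORDLIST, n_words: int = WORDS_IN_PASSPHRASE) -> str:
    """Pick each word independently with secrets.choice (OS CSPRNG), never
    with random.choice, whose Mersenne Twister state is predictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  {years:.3g} years at 1e12 guesses/s")
    print("demo passphrase:", generate_passphrase())
```

With the placeholder 16-word list the generated phrase carries only 48 bits; the point of the comparison is that the real 1626-word list gives 128 bits, and the 4- or 5-digit passwords mentioned later in the thread are exhausted in well under a second.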

Hello @josenxt , thank you for your answer.
I only generate passwords with a generator, I don't know them myself.
Never had a password "stolen" before, except for online leaks.

Here's the transaction nxtportal | Nxt Blockchain Explorer
Doesn't it seem like the destination is a hacker, who empties N accounts and drops it afterwards?
Can you tell me if there's a way to know where this came from? Or is it super anonymised and I've just funded some terrorist or a hacker in a small country?
Anyway, NXT has disappeared into ARDOR, which doesn't cost anything anymore, same for IGNIS, so I think these lost funds are like 99% down from their purchase date. But that's really a "shitty" network if it's the only one of 100+ coins I've ever had stolen, or do you just prefer to tell me my password must be 1234, or 80085?

If you let the wallet generate the 12 random words as your password, it's impossible for a hacker to brute-force your passphrase. Period. There are just too many possible combinations to be tested by any bot trying to find weak passwords.

But if, instead of using the default series of 12 words as passphrase, you use a personalized but weaker password with just a few characters, it may be possible for it to be brute-forced.
That's why long passwords are strongly recommended anywhere, not just to create an account in your wallet. The longer the password, the safer. And that's why the wallet comes with the passphrase generator tool built in, to create strong passwords.

Check what your password was, if you can, because if it really was brute-forced by a hacker (and not involuntarily leaked somehow) it must have been a really weak and short password.

Just looking at the transaction and time (year 2020) I can't tell if it really was a hacker who devoted his time to discovering weak passwords. That destination account only had 16 transactions during all of 2020, most of them with small amounts. And it seems the total was later sent to an account with >45,000,000 NXT (an exchange, I guess).

All the transactions are public in the blockchain, and can be tracked using a block explorer. You can even use the wallet as an explorer. But knowing the sender and recipient accounts doesn't mean you know who owns these accounts. That's the tricky part.

I left a very strong password, as I said, I always use password generators.
No way this was brute-forced, so I really don't know what I did wrong, except betting on that shitcoin.
At least that's not a winner among all my other coins, which I still have access to.

As explained in my answers above, either your password was brute-forced because it was weak, or your passphrase was somehow leaked, as explained in my first answer to this thread (shared your passphrase with someone, entered it on fake online wallets, or even fake clone wallets, stored your passphrase in a plain-text file, etc.).

And there's no other way around. No other possibilities.

Now, in sight that you have just joined this forum a day ago and since you are constantly talking about "shitty network", "shitcoin", etc. while you claim you did everything right and made none of the above mistakes, I'll leave you to it.


Where did you download the Nxt wallet?

Hello Lior,

Here: Nxt Downloads | Jelurida
I had some NXT & IGNIS, both have been stolen, they had the same address (except for the prefix)

If I had the details of the target exchange, at least I could expose the thief, who has found a way to steal those. I use hardware wallets and generated passwords (Keepass, Lastpass), very long & complex; no way this alone has been stolen. There has to be a backdoor or big vulnerability in the software wallet I used (but taken from the official site at the date I did the transfers, this is still visible on my addresses), or in the network itself (not probable, seeing as this chain is like all the others).

Assuming that your passphrase is indeed hard to brute-force (can you share it with us?), then the only other explanation is that your account wasn't protected by a public key (see Ardor Frequently Asked Questions (jelurida.com)) and someone was able to brute-force another passphrase which maps to your 8-byte account id.

Actually I take back my request to know your passphrase, no need for that.

What we do need you to do is to sign a token with your passphrase and share it with us. We can then compare the token's public key with the account public key to determine if your passphrase was brute-forced or your account id was brute-forced.
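The two scenarios in the answer above, as an added example that is not part of the original post or of the Nxt/Ardor software: a Nxt/Ardor numeric account id is the first 8 bytes of SHA-256 over the 32-byte public key read little-endian (this matches the `fullHashToId` conversion in the Nxt codebase; treat it as an assumption here), so an account that never announced its public key is identified by only 64 bits and a different key with the same 64-bit id would be accepted. The block derives the id, classifies a signed token's public key against the account's announced key the way the answer describes, and, at a reduced id width so it finishes in well under a second, searches for a second public key mapping to the same truncated id to show why the check distinguishes the two cases. The 32-byte "public keys" are constructed random byte strings standing in for real Curve25519 keys; the real attack derives each candidate key from a candidate passphrase instead.

```python
import hashlib
import secrets

ACCOUNT_ID_BYTES = 8  # Nxt/Ardor numeric account ids are 64-bit


def account_id(public_key: bytes, width: int = ACCOUNT_ID_BYTES) -> int:
    """Numeric account id: the first `width` bytes of SHA-256(public key),
    read little-endian. width=8 is the assumed Nxt/Ardor rule; smaller widths
    are used below only to make collisions cheap to demonstrate."""
    digest = hashlib.sha256(public_key).digest()
    return int.from_bytes(digest[:width], "little")


def classify_token(account_public_key: bytes, token_public_key: bytes,
                   width: int = ACCOUNT_ID_BYTES) -> str:
    """What a support engineer learns from a token the user signed.
    'same_key'     : the token was made with the key behind the announced
                     public key, so the passphrase itself was obtained.
    'id_collision' : a different key that maps to the same numeric id, so the
                     thief found another passphrase for an account that had
                     no announced public key (the id was brute-forced).
    'unrelated'    : the token does not belong to this account at all."""
    if token_public_key == account_public_key:
        return "same_key"
    if account_id(token_public_key, width) == account_id(account_public_key, width):
        return "id_collision"
    return "unrelated"


def find_id_collision(target_public_key: bytes, width: int) -> bytes:
    """Second-preimage search on a truncated id: deterministic candidate keys
    are tried until one maps to the target's id. Expected cost is 2**(8*width)
    hashes, i.e. 2**64 at the real width (an attacker targeting many funded
    accounts at once pays less, since any hit is a win). width=2 here runs
    in a fraction of a second; width=3 already takes ~16 million hashes."""
    target = account_id(target_public_key, width)
    counter = 0
    while True:
        # Constructed stand-in for "public key derived from candidate passphrase".
        candidate = hashlib.sha256(b"candidate-key:" + counter.to_bytes(8, "big")).digest()
        if candidate != target_public_key and account_id(candidate, width) == target:
            return candidate
        counter += 1


if __name__ == "__main__":
    victim_key = secrets.token_bytes(32)          # constructed, not a real key
    print("numeric id:", account_id(victim_key))
    print(classify_token(victim_key, victim_key))  # same_key
    colliding = find_id_collision(victim_key, width=2)
    print(classify_token(victim_key, colliding, width=2))  # id_collision
```

Announcing the public key (any outgoing transaction does it) closes the second case, because from then on the network checks the full 256-bit key rather than the 64-bit id; that is the protection the FAQ linked above refers to.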

Hi @lior.yaffe, how can I do that please?
Do you mean to use the "Issue an Asset" feature, or any other feature in the wallet?
I have 0 NXT & 0 IGNIS due to the theft, I'm not about to buy some more to check that.
At that point I'm confident no one (even a target exchange) can help recover this, even if that's a known thief, am I right? So anyway I'm fucked, but that's just 1/50 of the total value, I had already lost the rest due to these coins' fast devaluations.

For me the first cause is persisting in pointing the blame at others at all costs.
The second cause is having used Keepass and Lastpass instead of the internal system of the Ardor/Nxt software; if there is a reason, there will be one. Never use online password generators that everyone can listen to; it is good not to trust even password generator software, which could communicate in secret.
Third cause: it is more likely that you used a third-party wallet, but it seems you are saying otherwise. I am not accusing you, but I have seen it happen many times that people try to get cryptocurrencies back and then get unmasked.
Fourth cause: if you had really acquired information on the cryptocurrency/blockchain world, you would know that these are not traditional banks. In this world you are the sole owner of and responsible for your finances; if you lose your keys or give them to someone, nobody can do anything for you. Teams and software don't hold the keys.
I forgot: even if many work honestly, the "exchanges" are almost all centralized, and for me that is equivalent to something to keep away from. There should only be "decentralized" exchanges.