[TronLabsRO SR Partner] Somebody stole our crypto and transferred it elsewhere

Reddit Thread: https://www.reddit.com/r/Tronix/comments/x7ib06/tronlabsro_sr_partner_somebody_stole_our_crypto/

Original story

I was just checking the price on the phone in a watch-only account via Tronlink.
SR Account: https://tronscan.org/#/address/TYTYuSyiEpxNsjakQSRmjiZAymvxoBbziH (TronLabs Romania).

-> And saw bogus numbers. We were at place 96/97 in the partners list yesterday.

Frozen funds and tokens were all transferred to this account: https://tronscan.org/#/address/TVJN4SjNZrRtHz2GA46ioRDm71grC8i7Ck

Some of our backers have been cleaned out as well:
– TVXkHyMWitcBseK6UCwPH3pfHX1sgBjCLh
– TCEB1pg14dTmP3CG4NroHmrPg7PG2tSt5j
– TronLabsRomania-DAPPS-Fund TXgbWCjqoM7QKSntXW9t1d9eoA3j9JUhCG

IDs of the transactions:
https://tronscan.org/#/transaction/14700b66527c505d46c19cff014f7f3a819883c7bbfcfbda4296accfeaf5fe0c
https://tronscan.org/#/transaction/eafe57712ee95cc264cae6a13cc6191b863a649fe5a2a1d73574d396dec9c7ea
https://tronscan.org/#/transaction/2332218ea71e74622f35421a42b2ce9f406b1863d92b01d245bfea16f5f6c8d8

Sending it here for awareness as this was a serious breach. I am sure that my system was not compromised, but others were also hacked and all were transferred at the same time.

To Do
I will audit my PC anyhow and if anything is found I’ll post updates here. So far, sadly, Tronlabs ROMANIA is done as SR with no funds and no votes. 🙁

If anyone can advise about possible next steps, I would be grateful.


Update at 22:20 / 06.09.2022
The website was inaccessible as the password was not accepted. After recovery, Sucuri shows a successful login from 41.141.15.174 and a username change.

Successful Logins (all)
Username IP Address Hostname Date/Time
Dorian (dexter) 41.141.15.174 41.141.15.174 4 days ago
Dorian (dexter) 41.141.15.174 41.141.15.174 4 days ago
WHOIS Lookup ( 41.141.15.174 )
% This is the AfriNIC Whois server.
% The AFRINIC whois database is subject to  the following terms of Use. See https://afrinic.net/whois/terms

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '41.141.0.0 - 41.141.127.255'

% No abuse contact registered for 41.141.0.0 - 41.141.127.255

inetnum:        41.141.0.0 - 41.141.127.255
netname:        ADSL_Maroc_telecom
descr:          ADSL_Maroc_telecom
country:        MA
admin-c:        DMT1-AFRINIC

First conclusions:
1. A full system scan shows no infections or compromise.
2. Site and private keys were unrelated; there are no active links, scripts or apps that sync between the two.

A full site dump incl. logs was secured.
---
Update 2 / 07.09.2022

Update thread
  • Subsequent scans with different AV returned no infections.
  • System is fully patched and up to date.
  • The auth (keys) were present in the Tronlink Google Chrome extension, which was password protected.
  • Private keys were also present on disk, as I had a backup. They were generated right at the beginning via Tronscan when TRON was launched. This was maybe the problem, as they should have been elsewhere. I blame it on myself, unless there is a way to get the private keys via brute force; then again, they went for mine and some of my voters’, not others who were bigger (had more money).
  • The website was also compromised; it was up to date on the latest WP version, but this is more or less a separate thread, as there are no keys, scripts or any data imports between the two. As it runs on WordPress, some exploit was used to upload a plugin that was used to change something. Apparently you cannot change the username, but the logs show that exactly this happened. The site was used to post news and technical information about how to set up nodes, and to provide knowledge. The only links it has with the hack are an older post where I was posting a list with our backers (copy from Tronscan at that time) and the DAPPS funding report where I wrote from time to time, for transparency, how many tokens we’ve stacked. The first 3 from that list were hit, maybe more, but no one has reached out yet. This is still not fully analyzed; maybe this was an entry point.
As I see it, it was performed like this:
  1. They got hold of the keys somehow, and I still need to figure out how they did.
  2. Everyone who voted had their funds frozen, so they went and unfroze them first and then transferred everything in the same hour.

Open questions:
  1. How did it happen?
    a) Site runs on a server with Imunify.
    There was a shell script present and some cPanel exploit that changes the users. It was removed by Imunify after a few hours, but this is how they breached the site.
    b) How did they get the private keys? This is still open and relevant. In the absence of a plausible explanation, I do accept full responsibility and blame myself for my keys.
  2. How were several hit at once? I have no idea where others are browsing, as I have no control over them. Maybe they had a backup of their keys, locally, like I had. This is relevant if I can find out how they got to mine. This is either through an exploit of my PC or via a compromised website or browser extension.
  3. How should I go forward? I mean, if the private keys are compromised, there is no point in continuing to use them, but again this means creating a brand new SR account from scratch.
    Later edit: I looked and saw that owner permissions can be set to another account, so after all this might not require a new SR account.

The story will be updated as it develops. In the meantime, I’ll go on and rebuild from scratch.

Word of advice: Please scan your systems and stay safe!
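As an added example (not part of the original post and not TronLabs code), a small Python monitor for the pattern described in Update 2: an attacker holding leaked keys unfreezes the staked balance and transfers everything out, hitting several stakers into one destination within the same hour. The event schema and the addresses are constructed placeholders; a real feed from a block explorer API would first be mapped onto these keys.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of on-chain events for illustration only. The addresses are
# placeholders and the field names are an assumption, not any explorer's schema.
EVENTS = [
    {"ts": "2022-09-06T10:02:00", "acct": "TVICTIM_AAAA", "type": "UnfreezeBalanceContract", "to": None},
    {"ts": "2022-09-06T10:05:00", "acct": "TVICTIM_AAAA", "type": "TransferContract", "to": "TATTACKER_DEST"},
    {"ts": "2022-09-06T10:09:00", "acct": "TVICTIM_BBBB", "type": "UnfreezeBalanceContract", "to": None},
    {"ts": "2022-09-06T10:11:00", "acct": "TVICTIM_BBBB", "type": "TransferContract", "to": "TATTACKER_DEST"},
    # Benign: an unfreeze one day and an unrelated transfer a day later.
    {"ts": "2022-09-05T08:00:00", "acct": "TNORMAL_CCCC", "type": "UnfreezeBalanceContract", "to": None},
    {"ts": "2022-09-06T09:00:00", "acct": "TNORMAL_CCCC", "type": "TransferContract", "to": "TEXCHANGE_DDDD"},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def unfreeze_then_transfer(events, window=timedelta(hours=1)):
    """Return (account, destination, transfer_time) for every transfer that
    follows an unfreeze of the same account's stake within `window`."""
    by_acct = defaultdict(list)
    for ev in sorted(events, key=_t):
        by_acct[ev["acct"]].append(ev)
    hits = []
    for acct, evs in by_acct.items():
        last_unfreeze = None
        for ev in evs:
            if ev["type"] == "UnfreezeBalanceContract":
                last_unfreeze = _t(ev)
            elif ev["type"] == "TransferContract" and last_unfreeze is not None:
                if _t(ev) - last_unfreeze <= window:
                    hits.append((acct, ev["to"], _t(ev)))
    return hits

def coordinated_drains(events, window=timedelta(hours=1), min_victims=2):
    """Group unfreeze-then-transfer hits by destination and flag a destination
    that receives them from `min_victims` or more accounts inside `window`,
    i.e. several stakers drained to one wallet in the same hour."""
    by_dest = defaultdict(list)
    for acct, dest, when in unfreeze_then_transfer(events, window):
        by_dest[dest].append((when, acct))
    alerts = {}
    for dest, items in by_dest.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            victims = {a for w, a in items[i:] if w - start <= window}
            if len(victims) >= min_victims:
                alerts[dest] = sorted(victims)
                break
    return alerts

if __name__ == "__main__":
    print(coordinated_drains(EVENTS))
```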