[TronLabsRO SR Partner] Somebody stole our crypto and transferred it elsewhere

Reddit Thread: https://www.reddit.com/r/Tronix/comments/x7ib06/tronlabsro_sr_partner_somebody_stole_our_crypto/

Original story

I was just checking the price on the phone in a watch only account via Tronlink
SR Account: https://tronscan.org/#/address/TYTYuSyiEpxNsjakQSRmjiZAymvxoBbziH (TronLabs Romania).

-> And saw bogus numbers. We were at place 96/97 in the partners list yesterday.

Frozen Funds and Tokens were all transferred to this account https://tronscan.org/#/address/TVJN4SjNZrRtHz2GA46ioRDm71grC8i7Ck

Some of our backers have been cleaned up as well:
– TVXkHyMWitcBseK6UCwPH3pfHX1sgBjCLh
– TCEB1pg14dTmP3CG4NroHmrPg7PG2tSt5j
– TronLabsRomania-DAPPS-Fund TXgbWCjqoM7QKSntXW9t1d9eoA3j9JUhCG

IDs of the transactions:
https://tronscan.org/#/transaction/14700b66527c505d46c19cff014f7f3a819883c7bbfcfbda4296accfeaf5fe0c
https://tronscan.org/#/transaction/eafe57712ee95cc264cae6a13cc6191b863a649fe5a2a1d73574d396dec9c7ea
https://tronscan.org/#/transaction/2332218ea71e74622f35421a42b2ce9f406b1863d92b01d245bfea16f5f6c8d8

Sending it here for awareness as this was a serious breach. I am sure that my system was not compromised, but others were also hacked and all were transferred at the same time.

To Do
I will audit my PC anyhow and if anything is found I’ll post updates here. So far, sadly, Tronlabs ROMANIA is done as SR with no funds and no votes. 🙁

If anyone can advise about possible next steps, I would be grateful.


Update at 22:20 / 06.09.2022
Website was inaccessible as password was not accepted. After recovery, Sucuri shows successful login from 41.141.15.174 and a username change.

Successful Logins (all)
Username          IP Address      Hostname        Date/Time
Dorian (dexter)   41.141.15.174   41.141.15.174   4 days ago
Dorian (dexter)   41.141.15.174   41.141.15.174   4 days ago
WHOIS Lookup ( 41.141.15.174 )
% This is the AfriNIC Whois server.
% The AFRINIC whois database is subject to  the following terms of Use. See https://afrinic.net/whois/terms

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '41.141.0.0 - 41.141.127.255'

% No abuse contact registered for 41.141.0.0 - 41.141.127.255

inetnum:        41.141.0.0 - 41.141.127.255
netname:        ADSL_Maroc_telecom
descr:          ADSL_Maroc_telecom
country:        MA
admin-c:        DMT1-AFRINIC

First conclusions:
1. Full system scan shows no infections nor compromise.
2. Site and private keys were unrelated, there are no active links, scripts or app that sync between the two.

Full site dump incl logs was secured.
—-
Update 2 / 07.09.2022

Update thread
  • Subsequent scans with different AV returned no infections.
  • System is fully patched and up to date.
  • The Auth (Keys) were present in Tronlink Google Chrome extension that was password protected.
  • Private Keys were also present on disk, as I had a backup. They were generated right at the beginning via Tronscan when TRON was launched. This was maybe the problem, as they should have been elsewhere. I blame it on me, unless there is a way to get the private keys via brute force and then again, they went for mine and some of my voters, not others who were bigger (had more money).
  • Web site was also compromised, it was also up to date on the latest WP version, but this is more or less a separate thread as there are no keys, scripts or any data imports between the two. As it runs on WordPress there was some exploit used to upload a plugin that was used to change something. Apparently you cannot change the username, but the logs show that exactly this happened. The site was used to post news and technical information about how to set up nodes, and provide knowledge. The only links it has with the hack are an older post where I was posting a list with our backers (copy from tron scan at that time) and the DAPPS funding report where I wrote from time to time for transparency how many tokens we’ve stacked. The first 3 from that list were hit, maybe more, but no one reached out yet. This is still not fully analyzed, maybe this was an entry point.
As I see it is performed like this:
  1. They got hold of the keys somehow and I still need to figure out how they did it.
  2. Everyone who voted had the funds frozen, so they went and unfroze them first and then transferred everything in the same hour.

Open questions:
  1. How did it happen?
    a) Site runs on a server with Imunify.
    There was a shell script present and some cPanel exploit that does change the users. It was removed by Imunify after a few hours, but this is how they breached the site.
    b) How did they get the private keys? This is still open and relevant. In the absence of a plausible explanation, I do accept full responsibility and blame myself for my keys.
  2. How were several hit at once? I have no idea where others are browsing, as I have no control over them. Maybe they had a backup of their keys, locally, like I had. This is relevant if I can find out how they got to mine. This is either through an exploit of my PC or via a compromised website or browser extension.
  3. How should I go forward? I mean, if the private keys are compromised, there is no point in continuing to use them, but again this means creating a brand new SR account from scratch.
    Later edit: I looked and saw that owner permissions can be set to other accounts, so after all this might not require a new SR account.

The story will be updated as it develops. In the meantime, I’ll go on and rebuild from scratch.

Word of advice: Please scan your systems and stay safe!
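
The pattern described in the post above (stake unfrozen, then everything transferred within the hour, with several accounts draining to one address) is something a watcher can alert on. The following is an added example, not part of the original post: the records are constructed, the account labels are placeholders, and the one-hour window and two-account threshold are assumptions. The contract type names are TRON's UnfreezeBalanceContract and TransferContract.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real chain data. Account labels are
# placeholders; each tuple is (timestamp, owner, contract type, destination).
TXS = [
    ("2022-01-01T10:00:00", "ACCT_A", "UnfreezeBalanceContract", None),
    ("2022-01-01T10:03:00", "ACCT_A", "TransferContract", "DEST_X"),
    ("2022-01-01T10:10:00", "ACCT_B", "UnfreezeBalanceContract", None),
    ("2022-01-01T10:12:00", "ACCT_B", "TransferContract", "DEST_X"),
    ("2022-01-01T10:40:00", "ACCT_C", "UnfreezeBalanceContract", None),
    ("2022-01-01T10:41:00", "ACCT_C", "TransferContract", "DEST_X"),
    # Benign: unfreeze, then a transfer three days later.
    ("2022-01-01T09:00:00", "ACCT_D", "UnfreezeBalanceContract", None),
    ("2022-01-04T09:00:00", "ACCT_D", "TransferContract", "DEST_Y"),
    # Benign: ordinary transfer with no preceding unfreeze.
    ("2022-01-01T10:20:00", "ACCT_E", "TransferContract", "DEST_X"),
    # One account exiting quickly on its own: reported, but not a cluster.
    ("2022-01-02T08:00:00", "ACCT_F", "UnfreezeBalanceContract", None),
    ("2022-01-02T08:05:00", "ACCT_F", "TransferContract", "DEST_Z"),
]


def quick_exits(txs, window=timedelta(hours=1)):
    """List (owner, destination, minutes) for every transfer made within
    `window` of the same account unfreezing its stake."""
    last_unfreeze, found = {}, []
    for ts, owner, kind, dest in sorted(txs, key=lambda t: t[0]):
        when = datetime.fromisoformat(ts)
        if kind == "UnfreezeBalanceContract":
            last_unfreeze[owner] = when
        elif kind == "TransferContract" and owner in last_unfreeze:
            delay = when - last_unfreeze[owner]
            if delay <= window:
                found.append((owner, dest, int(delay.total_seconds() // 60)))
    return found


def sweep_clusters(txs, window=timedelta(hours=1), min_accounts=2):
    """Group quick exits by destination and keep destinations that drained
    at least `min_accounts` different accounts."""
    by_dest = defaultdict(set)
    for owner, dest, _ in quick_exits(txs, window):
        by_dest[dest].add(owner)
    return {d: sorted(o) for d, o in by_dest.items() if len(o) >= min_accounts}


if __name__ == "__main__":
    for dest, owners in sweep_clusters(TXS).items():
        print(f"ALERT {dest}: drained {len(owners)} accounts: {', '.join(owners)}")
```
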

[Release] Java Tron GreatVoyage-v4.5.2 (Aurelius)

Official link: https://github.com/tronprotocol/java-tron/releases/tag/GreatVoyage-v4.5.2

Important note: This is a Non-mandatory upgrade
New Features
Core
API
Changes
  • Improve node link stability #4542 #4540

  • Improve fault-tolerance capabilities of API parameters #4556 #4560

  • Optimize the eth_estimateGas and eth_call JSON-RPC API #4570

The universe is change; our life is what our thoughts make it.

—Aurelius

[Release] Java Tron GreatVoyage-v4.4.6 (David)

Official Github Link: https://github.com/tronprotocol/java-tron/releases/tag/GreatVoyage-v4.4.6

Note: This is a Non-mandatory upgrade

Changes

  • Upgrade fastjson version

Beauty in things exists in the mind which contemplates them.

— David Hume

[Release] Java Tron GreatVoyage-v4.4.3(Pythagoras)

Official Link: https://github.com/tronprotocol/java-tron/releases/tag/GreatVoyage-v4.4.3

This is a Non-mandatory upgrade

New Features

Changes

  • As an additional precaution, in addition to upgrading to logback version 1.2.9, we also recommend that users set their logback.xml configuration file to read-only

logback official news

http://logback.qos.ch/news.html

Silence is better than unmeaning words.
—Pythagoras

[Release] Java Tron GreatVoyage-v4.4.1(Protagoras)

The Java Tron GreatVoyage-v4.4.1(Protagoras) has been released today.

Note: This is a non-mandatory update.

GitHub link: https://github.com/tronprotocol/java-tron/releases/tag/GreatVoyage-v4.4.1

Changes

  • issues-4122 Solved the problem caused by database optimization. #4124
    Notes: Two solutions are proposed in this release, you can choose any one of them.

    • Restart the node with the latest configuration file. config file
    • Change the limits of the system file descriptor via ulimit -n -1 before the node startup.

There are two sides to every question.

— Protagoras

[Release] Java Tron GreatVoyage-v4.4.0 (Rousseau)

Java Tron GreatVoyage-v4.4.0 (Rousseau) has been released today.

Note: This is a forced update!

Link: https://github.com/tronprotocol/java-tron/releases/tag/GreatVoyage-v4.4.0

New Features

Core

  • TIP-289 Block broadcast logic optimization. #3986
  • TIP-290 Dynamic database query optimization. #3993
  • Transaction broadcast interface optimization. #4000
  • Database parameter optimization. #3992 #4018

TVM

  • TIP-272 Add a proposal to provide compatibility with Ethereum Virtual Machine. #4032
  • TIP-318 Add a proposal to adapt to Ethereum London Release. #4032
  • The energy limit supports customization and the default value is increased in constant mode. #4032

API

  • Support ETH compatible JSON-RPC APIs excluding filter APIs. #4046
  • Support to disable specific APIs via the configuration file. #4045
  • Optimize the TriggerConstantContract API. #4032

Changes

  • Upgrade event plugin to support BTTC data. #4067
  • Increase the upper limit of the MaxFeeLimit network parameter. #4032
  • Optimize the quick deployment script start.sh see detail

 

The world of reality has its limits; the world of imagination is boundless.

— Rousseau

[Release] Java Tron GreatVoyage-v4.2.2 (Lucretius)

Today Java Tron GreatVoyage-v4.2.2 (Lucretius) was released by the Tron foundation.
Official Link: https://github.com/tronprotocol/java-tron/releases/tag/GreatVoyage-v4.2.2

Note: This is a forced upgrade!

New Features
Core
Changes
  • Optimize the initialization of the pre-compile contract BatchValidateSign #3836

TronLabs Romania DAPPS Fund Report

TronLabsRomania-DAPPS-Fund
TXgbWCjqoM7QKSntXW9t1d9eoA3j9JUhCG

Update 25.05.2020
Today all the voting rewards that were accumulated by the SR Candidate since we started and until now (5636 TRX) were claimed and sent to the Tron DAPP Development fund. The initial 2000 TRX generated 65 TRX from voting rewards in the same time frame of 18 months. The DAPP Fund needs more, as the projects need to be worked on, and I will have to pump in every cent.

Update 06.07.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 25.05.2020 – 07.07.2020 (160 TRX) were claimed and sent to the Tron DAPP Development fund. An additional 9 TRX were claimed as voting rewards and added on top. The fund balance has been increased by 169 TRX.

Update 18.07.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 07.07.2020 – 18.07.2020 (160 TRX) were claimed and sent to the Tron DAPP Development fund. An additional 37 TRX were added on top for a total of 197 TRX. In addition to this, the Dapp Fund account also claimed 9 TRX, its rewards for voting.
The total fund balance has been increased by 206 TRX.

Update 27.07.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 18.07.2020 – 27.07.2020 (160 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 8 TRX, its rewards for voting.
The total fund balance has been increased by 168 TRX.

Update 06.08.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 27.07.2020 – 06.08.2020 (163 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 8 TRX, its rewards for voting.
The total fund balance has been increased by 172 TRX.

Update 18.08.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 06.08.2020 – 18.08.2020 (207 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 10 TRX, its rewards for voting.
The total fund balance has been increased by 217 TRX.

Update 11.09.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 18.08.2020 – 11.09.2020 (454 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 29 TRX, its rewards for voting.
The total fund balance has been increased by 483 TRX.

Update 10.10.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 11.09.2020 – 10.10.2020 (740 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 49 TRX, its rewards for voting.
The total fund balance has been increased by 790 TRX.

Update 19.11.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 10.10.2020 – 19.11.2020 (601 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 51 TRX, its rewards for voting.
The total fund balance has been increased by 652 TRX.

Update 17.12.2020
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 19.11.2020 – 17.12.2020 (327 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 31 TRX, its rewards for voting.
The total fund balance has been increased by 359 TRX.

Update 29.05.2021
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 17.12.2020 – 29.05.2021 (1595 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 169 TRX, its rewards for voting.
The total fund balance has been increased by 1764 TRX.

Update 07.10.2021
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 29.05.2021 – 07.10.2021 (1372 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 163 TRX, its rewards for voting.
The total fund balance has been increased by 1535 TRX.

Update 02.11.2021
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 07.10.2021-02.11.2021 (306 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 39 TRX, its rewards for voting.
The total fund balance has been increased by 345 TRX.

Update 15.11.2021
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 02.11.2021-15.11.2021 (142 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 18 TRX, its rewards for voting.
The total fund balance has been increased by 160 TRX.

Update 17.01.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 15.11.2021-17.01.2022 (753 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 98 TRX, its rewards for voting.
The total fund balance has been increased by 851 TRX.

Update 05.02.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 17.01.2022-05.02.2022 (280 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 38 TRX, its rewards for voting.
The total fund balance has been increased by 318 TRX.

Update 15.03.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 05.02.2022-15.03.2022 (541 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 76 TRX, its rewards for voting.
The total fund balance has been increased by 617 TRX.

Update 16.04.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 15.03.2022-16.04.2022 (353 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 51 TRX, its rewards for voting.
The total fund balance has been increased by 404 TRX.

Update 02.05.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 16.04.2022-02.05.2022 (170 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 25 TRX, its rewards for voting.
The total fund balance has been increased by 195 TRX.

Update 30.07.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 02.05.2022-30.07.2022 (766 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 113 TRX, its rewards for voting.
The total fund balance has been increased by 880 TRX.

Update 22.08.2022
Today all the voting rewards that were accumulated by the SR Candidate in the timeframe from 30.07.2022-22.08.2022 (178 TRX) were claimed and sent to the Tron DAPP Development fund. In addition to this, the Dapp Fund account also claimed 27 TRX, its rewards for voting.
The total fund balance has been increased by 205 TRX.

Again on the Tronscan Map..

And.. we are again back on the map! (14.09.2019 – 9 AM GMT+2)

How come we’ve disappeared?
Sadly.. in Romania, it seems that we are the only server (tron nodes) operators. There were some folks who ran the nodes but now ours are the only ones. Once we dropped back to 10.. puf, the country was removed from the map.

Screenshot (before)

10 nodes before 14.09.2019 that were run by our SR Candidate

In order to address the issue I’ve deployed the 11th node. Now, all 11 that are shown on the maps belong to this SR Candidate (TronLabs Romania)

This is how it looks now

11 nodes Tronlabs Romania candidate

11 nodes after 14.09.2019 at 9 AM that belong to our SR candidate