EOSCommunity.org Forums

Wallet Hacked; Looking For Hope

I recently found out my wallet was hacked through a phishing airdrop link that popped up on my wallet. Long story short, they changed my keys and took a good chunk of my airdrops but left my EOS in the wallet. I have no idea why they haven’t drained the entire wallet (maybe they don’t have permission to transfer EOS tokens). Even though I’ve been told it’s a lost cause, I just wanted to know if it is possible to reset the active keys that the hackers created back to my original public and private keys so that I can have permission to move my EOS to a new and safe wallet?

It depends on which keys they changed - and if you still have keys that are valid for the account.

Mind sharing the account name? I can check on a block explorer the status of the account, what they changed, and let you know if there are any options.

Not a problem. Here is my account: guzdcmjsgmge

Pretty odd that they left the EOS tokens…

It does look like they changed both the active and owner keys to the account. If you don’t have the key matching:

EOS86VGWyV9YTotP8tuuUCz9PF6vtzbPyyR9WRQWdhCf15t5tvcke

I’m afraid there’s not much anyone can do. That key is completely in control of the account right now.

What was the airdrop name and how did they present things so no one else does this?

Typically it’ll be in your transaction history, as either a very small EOS token transfer or some other kind of transaction. Anyone can send a transaction involving your account and make these types of transactions show up with links and fake messages, just like anyone could email you.

It’s safe to assume that if something shows up as a transaction with a link claiming to be “free anything” or “action required”, it’s a scammer. Neither EOS nor anyone reputable sends messages like this.


There are 80 identities with that address (EOS86VGWyV9YTotP8tuuUCz9PF6vtzbPyyR9WRQWdhCf15t5tvcke); common to them all is the following transaction:

account:    x........
permission: active
parent:     owner
auth: 
  waits: 
    (empty array)
  accounts: 
    (empty array)
  keys: 
    - 
      weight: 1
      key:    EOS86VGWyV9YTotP8tuuUCz9PF6vtzbPyyR9WRQWdhCf15t5tvcke
  threshold: 1

Soon after you get this:

[Tx:82b3a3]

Mar-03-2021, 11:03:18

voicecpufree (contract) processed the following data

signup: Free resources from Block.one!
user:   ..............

It is from an invite like this:
Receive Transfer

[Tx:e80a5c]

Apr-13-2021, 18:59:19

invite.chain → [onkelknarf12] 5.5500 INVITE

MEMO: :crown:Regìster in the Voìce and Claìm your Voìce tokens(1:0.9 ratio,1 Voìce≈0.1202 EOS) . Just visìt the short invitation link

Follow the link and it encourages you to put in your private key to get Voice tokens. It is possible that many of the people behind the identities don’t realize they have been hit, because you can still look it up on an explorer, but many of the transactions after lead to exchanges and DeFi swap/staking apps.

Yeah this is a pretty common attack vector.

Send a transaction with a memo claiming something with a link. Then on the web page ask for seed/private keys. If the user enters them, steal either funds or the account.
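
The memo lure described in this thread, as an added detection example (not code from any poster or from an EOS project): it folds accented look-alike letters before keyword matching, because the quoted memo writes "Claìm" and "Regìster" so that a plain string filter misses them. The keyword list, the scoring and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Assumed lure vocabulary, taken from the memos and warnings quoted in this thread.
LURE_WORDS = ("claim", "register", "free", "airdrop", "invitation", "action required")
LINK_RE = re.compile(r"https?://\S+|www\.\S+|\b(?:link|visit)\b", re.I)

# Constructed sample: the INVITE memo quoted above, accented letters included.
SAMPLE_MEMO = (":crown:Regìster in the Voìce and Claìm your Voìce tokens"
               "(1:0.9 ratio,1 Voìce≈0.1202 EOS) . Just visìt the short invitation link")


def fold(text):
    """Strip accents so look-alike letters (e.g. 'ì') compare as plain ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def disguised_words(memo):
    """Words mixing ASCII letters with accented look-alikes that fold to pure ASCII."""
    words = re.findall(r"[^\W\d_]+", unicodedata.normalize("NFC", memo))
    return [w for w in words
            if not w.isascii() and fold(w).isascii() and any(c.isascii() for c in w)]


def score_memo(memo):
    """Return (score, reasons); each independent phishing signal adds one point."""
    folded = fold(memo)
    reasons = []
    lures = [w for w in LURE_WORDS if w in folded]
    if lures:
        reasons.append("lure words: " + ", ".join(lures))
    # A lure word that only matches after folding was written to evade filters.
    evasive = [w for w in disguised_words(memo)
               if any(lure in fold(w) for lure in LURE_WORDS)]
    if evasive:
        reasons.append("disguised lure words: " + ", ".join(evasive))
    if LINK_RE.search(folded):
        reasons.append("asks the reader to follow a link")
    return len(reasons), reasons


if __name__ == "__main__":
    score, reasons = score_memo(SAMPLE_MEMO)
    print(score, reasons)
```

A wallet or explorer front end could use a score like this to collapse or label suspicious memos; legitimate accented words such as "Café" are not flagged because only words that fold to a lure term count as disguised.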