[Ethereum] ETH stolen from two MEW wallets & moved to an unknown address & then to ShapeShift

Tags: ether, myetherwallet, paper-wallets, security

I recently found out that my ETH funds were stolen from two MEW wallets and moved to an unknown address.

Below are addresses of my two MEW wallets.

1) 0x16bf750Ee569F0A173BCCfD7b3F92F9Bb46c6AfC (19.99 ETH stolen)
https://etherscan.io/address/0x16bf750Ee569F0A173BCCfD7b3F92F9Bb46c6AfC

2) 0xe781A741342e35d21C12352a8e3465bED03e8109 (24.99 ETH stolen)
https://etherscan.io/address/0xe781A741342e35d21C12352a8e3465bED03e8109

The above funds were stolen and moved to an unknown address below, and last moved to ShapeShift:
0xD8d594f8dAba1091c5cbECD99Bc84DC15359E2a2
https://etherscan.io/address/0xd8d594f8daba1091c5cbecd99bc84dc15359e2a2

The above 2 wallets were created in Sep 2017 about 148 and 145 days ago. The funds were stolen in Nov 2017 about 62 days later as seen from https://etherscan.io/.

When I created the above wallets, I had my keystore file (JSON) stored offline (on a USB drive), and also my printed paper wallet stored offline in a safe place.
I did not visit any phishing sites before. When checking the balance in the wallets, I only used etherscan.io, and did not use the private keys to open the wallets. I followed every security procedure suggested by the MyEtherWallet site on how to protect my funds.

I just could not think of a reason why the funds got stolen. It is almost impossible for this to happen, given the fact that the funds were stolen 2 months later.
With the JSON file containing the password (second layer of security) for access, I would rule out that this was used to steal the funds.

However, with the printed paper wallet containing the private key, I have a strong opinion that somebody managed to brute force the private keys. I have a question below.

Question on Creating Paper Wallets from MEW

I would like to ask whether it is possible to assign a password/PIN when creating a paper wallet from the MyEtherWallet site. What I mean is that if I would like to access funds on my paper wallet, I would first need to enter the private key printed on the paper and then enter the password created as an additional security step. Is it possible to assign a password/PIN when creating paper wallets from the MyEtherWallet site as a second layer of security?

I also have thought of using Trezor or Ledger hardware wallets for storing ETH.
They are more secure than generating your own MEW paper wallets for storing ETH.

I am wondering if anyone could offer any advice on the above question and any useful security measures that I can take in future.

Thank you

Best Answer

Did you create the address while online? It is almost impossible to brute force a private key in a lifetime with current computer power, much less several of them in a very short amount of time. The recipient address has a total of 10 transactions in less than 15 minutes; you were not the only victim.

One possibility is that you inadvertently used a scam site, or your computer was compromised with malware, or your connection was not secure, and the generated private key was copied by hackers. To avoid any suspicion, they didn't use the private keys immediately.

Hardware wallets should be secure; their advantage is that the private key is securely stored in the device's internal memory and never reaches your computer.

My advice is to verify that the MEW site is the correct one. Generate keys offline on a computer that was never connected to the internet. Do not use public computers or unsafe connections to make transactions.
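
The answer's point that the receiving address collected 10 transactions in under 15 minutes is a pattern that can be checked over exported transfer records. The sketch below is an added example, not part of the original answer: it flags any recipient funded by several distinct senders inside one time window. The transfer rows, placeholder addresses, timestamps and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample transfers (not real chain data):
# (ISO timestamp, sender, recipient, value in ETH). Addresses are placeholders.
SAMPLE_TRANSFERS = [
    ("2020-01-01T10:00:00", "0xVICTIM_A", "0xCOLLECTOR", 19.99),
    ("2020-01-01T10:03:00", "0xVICTIM_B", "0xCOLLECTOR", 24.99),
    ("2020-01-01T10:09:00", "0xVICTIM_C", "0xCOLLECTOR", 5.0),
    ("2020-01-01T10:14:00", "0xVICTIM_D", "0xCOLLECTOR", 1.5),
    ("2020-01-01T09:00:00", "0xUSER_X", "0xSHOP", 0.2),
    ("2020-01-01T13:00:00", "0xUSER_Y", "0xSHOP", 0.3),
    ("2020-01-01T18:00:00", "0xUSER_Z", "0xSHOP", 0.1),
    ("2020-01-01T18:05:00", "0xUSER_Z", "0xSHOP", 0.1),  # repeat sender, counted once
]


def find_sweep_clusters(transfers, window_minutes=15, min_senders=3):
    """Return {recipient: summary} for recipients that received funds from at
    least `min_senders` distinct senders within any `window_minutes` span."""
    window = timedelta(minutes=window_minutes)
    by_recipient = {}
    for ts, src, dst, value in transfers:
        by_recipient.setdefault(dst, []).append((datetime.fromisoformat(ts), src, value))

    flagged = {}
    for dst, rows in by_recipient.items():
        rows.sort()  # chronological order
        start, best = 0, None
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= window_minutes.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            senders = {src for _, src, _ in span}
            if len(senders) >= min_senders and (best is None or len(senders) > best["senders"]):
                best = {
                    "senders": len(senders),
                    "total_eth": round(sum(v for _, _, v in span), 8),
                    "first": span[0][0],
                    "last": span[-1][0],
                }
        if best:
            flagged[dst] = best
    return flagged


if __name__ == "__main__":
    for addr, info in find_sweep_clusters(SAMPLE_TRANSFERS).items():
        print(addr, info)
```

A recipient flagged this way points to a shared cause across several wallets, such as a compromised key-generation step, rather than independent key guessing.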
