Seed Phrases in Evernote Theft jbtravel84

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Evernote Login Attempt

Reddit user jbtravel84 stored all of their seed phrases online in their Evernote account and posted in January 2023 to brag about being a MOON whale. Their funds were safe for two months before they were all taken. They are working with different authorities to investigate what happened.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About

Various

"This is my first post and my most sad one to date. Three of my wallets got hacked totaling over 300k.

I'm a complete moron for storing passwords and seed phrases for these accounts in Evernote here.

Metamask - 0x023D8a816A8b6394f3144fD74aA3820689fEcaA0

Rocketpool Node - 0xa24757BC32579541F33B1bCD2E36355D39B1686a [withdrawal address was changed]

Daedalus - addr1q9h9ul8puyl3pa7yuwur72jj4rtk675zrqajgk5ppw209r567tjydwsrrnwhxlktacnusp0af8w6l645u0fyps6swg9skrqlgl

I'm a big fan of MOONs and had over 80k. I can see the hacker swapped all my Metamask assets into ETH where they are currently stored at this address - 0xe147a73e7d783166f791f10342a0122db80814c4

I'm absolutely devastated and not sure what to do.

Should I contact the FBI?

It appears the hacker could be from Germany based on the Evernote access logs. I could be wrong and both logins could be from a VPN. [UPDATE - These login attempts came from a TOR Exit Node as mentioned in the comments. The below, however, was the first attempt to connect to my Evernote. It was not a successful login.]

https://preview.redd.it/85vyv47upkoa1.png?width=998&format=png&auto=webp&s=f829d32552cb2c833180a5a0738770ff9b25185c

My biggest loss is the Rocketpool Node. I may have the first compromised node? He changed the withdrawal address to - 0x8294b95d303949699167f7579c9da49f6359d4ff. I can do nothing while he collects rewards. I believe I have some time here since nothing can be physically withdrawn until the Shanghai Upgrade.

Lastly, the Daedalus account had maybe 8k in ADA, where it currently sits in the hacker's address here - addr1q8lee9tt64w6uwj9xwne2hnca8x8e2vg87prhl43uqdhdgk232uaxahskg735wxx28xwrhjj97fhphnyz3ppn3fjpygsywcdlv

Thanks again and I deserve all the shame headed my way!

UPDATE 1 - Thanks for the love and support. My biggest concern is the Rocketpool Node, which has about 250k staked. I can't change the withdrawal address but am looking at other options since the hacker can't withdraw until the Shanghai upgrade.

UPDATE 2 - We've found a number of wallets the hacker has used to move funds around. All of these were created on or after March 15th.

0xe147a73e7d783166f791f10342a0122db80814c4
0x8294b95d303949699167f7579c9da49f6359d4ff
0x85690F09b37b5B5c27DA2f2996D0C19a83eb7164
0x63ffb856c7b0078e92385b88127d252122f70b63
0x08ae8dc7a2dfdc3e70841986b882778fe8f1b890
0x9E9f8a913D23fBd78b2b47b61af0DA35D1c7cd60

UPDATE 3 - Funds are withdrawn from rocketpool node. New wallets created to move:

0x6ce770476203fd13ce77e98299767ff51b2713cb 0xb58088bf3df7309ad22c62ba27310f7f28df0ff8 0xB129845c082b3BD6Ce163e8B0369aCc6E929B7bC [KuCoin Deposit Address]"
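The post above attributes the Evernote logins to a Tor exit node and the first outbound transaction to March 15th, 2023 at 3:29:45 PM MDT. As an added defender-side illustration (not part of the original post or of this repository), the check an investigator would run over account access logs: flag logins whose source IP is on a Tor exit list, and logins that succeeded in the window before the funds moved. The log format, the log lines, the IP addresses and the exit-node set are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed access-log lines in an assumed "<ISO timestamp> <ip> <result>"
# format; this is not real Evernote log output.
SAMPLE_LOG = """\
2023-03-14T21:02:10-06:00 203.0.113.7 failed
2023-03-15T13:55:31-06:00 203.0.113.7 success
2023-03-15T14:10:02-06:00 198.51.100.23 success
2023-03-10T09:12:44-06:00 192.0.2.44 success
"""

# Constructed stand-in for a Tor exit-node list (the Tor Project publishes
# the real list; it would be loaded here instead of this literal set).
TOR_EXITS = {"203.0.113.7"}

# From the page timeline: first transaction draining the wallet,
# March 15th, 2023 3:29:45 PM MDT (UTC-6).
FIRST_DRAIN = datetime(2023, 3, 15, 15, 29, 45,
                       tzinfo=timezone(timedelta(hours=-6)))


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, result))
    return events


def suspicious_logins(events, tor_exits, drain_time, window=timedelta(hours=24)):
    """Return (timestamp, ip, result, reasons) for every login worth a closer look.

    A login is flagged when its source IP is a known Tor exit, or when it
    succeeded inside `window` before the first outbound transaction.
    """
    flagged = []
    for ts, ip, result in events:
        reasons = []
        if ip in tor_exits:
            reasons.append("tor-exit")
        if result == "success" and drain_time - window <= ts <= drain_time:
            reasons.append("pre-drain-window")
        if reasons:
            flagged.append((ts.isoformat(), ip, result, reasons))
    return flagged
```

In a real investigation the exit list would be fetched from the Tor Project and the log exported from the account's security settings; the logic stays the same.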

"I came across your 83580.59 Moons transaction on ccmoons website today and thought looks like some whales are moving their Moons around."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Seed Phrases in Evernote Theft jbtravel84

Date | Event | Description
January 24th, 2023 4:06:55 PM MST | Moon Whale Post | jbtravel84 posts on Reddit to state they are a moon whale.
March 15th, 2023 3:29:45 PM MDT | First Transaction | The first transaction taking the 83,580.587999058412634247 MOON from their wallet.
March 15th, 2023 3:37:47 PM MDT | Ethereum Taken | Another transaction takes the 0.997523152341412699 ETH from their Ethereum wallet.
March 15th, 2023 11:05:40 PM MDT | Post On Reddit | Post is made on Reddit.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $300,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References