MyDashWallet.org Compromised

HeyMichael

New Member
Dash Core Team
Jul 19, 2018
Mydashwallet.org is an online wallet developed and maintained by DeltaEngine, an independent developer. It has no relation with the official wallets maintained by the Dash Core Group development team, which are unaffected by the compromise described below.

Today it was discovered that mydashwallet.org was compromised. The hacker was able to obtain private keys used between May 13th and July 12th. Out of an abundance of caution, anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet.

Based on our understanding, people who used mydashwallet.org in conjunction with a hardware wallet or with associated tipbots are not affected. We also don’t believe that the vulnerability affects other third-party wallets.

Dash Core Group is assisting the developer to resolve this issue and collecting relevant information to provide to law enforcement. For any users affected please use this forum post to share and provide any helpful information you want to share and visit mydashwallet.org for updates.
 

tungfa

Administrator
Dash Core Team
Moderator
Foundation Member
Masternode Owner/Operator
Apr 9, 2014
1) In April 2018, MyDashWallet was modified to load an external script from the script hosting website GreasyFork. While not abnormal, this is not considered a secure practice, particularly since the reference loaded the latest version of the script, rather than a specific version. On May 13 2019, a hacker compromised the GreasyFork account of the original author of the script, Jixun Moe, and added code to send users' private keys to an external server. This change was detected on July 12 2019 when the hacker used the private keys to move user funds. MyDashWallet is not maintained by Dash Core Group, and at no time was the Dash network itself compromised.
2) The hack itself was only active for two months before being detected. The insecure coding practice implemented by MyDashWallet went undetected for over a year due to insufficient review of code by third parties. In the future, all code handling private keys should be reviewed thoroughly before being trusted with user funds. In particular, the use of local keystore files should be discouraged in favour of hardware wallets, similar to best practices implemented by MyEtherWallet.
3) Dash is an open protocol built on open source software. As such, anyone is free to implement wallets or other software interacting with the Dash network. All software released by Dash Core Group is both open source and subjected to stringent quality testing prior to release. Third party software should be reviewed carefully before use, with preference given to open source software where the code is available.

tx @strophy
 
  • Like
Reactions: GrandMasterDash
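
Added example, not part of the thread and not MyDashWallet code: the post above describes a page that loaded the latest version of a third-party script rather than a specific one. The Node.js sketch below uses Subresource Integrity as one way to pin a reviewed copy, and audits page markup for cross-origin scripts that lack it; the hosts, file names and script bodies are constructed.

```javascript
// Added example; sample scripts, hosts and page markup are constructed.
const crypto = require('crypto');

// Value for <script integrity="...">: algorithm name plus base64 digest.
function sriHash(body, alg = 'sha384') {
  return `${alg}-` + crypto.createHash(alg).update(body, 'utf8').digest('base64');
}

// Model of the browser's check: among the valid tokens, the strongest
// algorithm wins and the served bytes must match one of its digests.
function integrityAllows(integrityAttr, servedBody) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(t))
    .filter(Boolean);
  if (tokens.length === 0) return true; // nothing valid to enforce: script runs
  const strongest = tokens.map((m) => m[1]).sort().pop();
  return tokens.some((m) => m[1] === strongest &&
    sriHash(servedBody, strongest) === `${strongest}-${m[2]}`);
}

// Rough audit: cross-origin <script src> tags that carry no integrity value.
function unpinnedScripts(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src[1], pageUrl);
    if (url.origin === new URL(pageUrl).origin) continue; // first-party
    if (!/\sintegrity\s*=\s*["'][^"']+["']/i.test(tag)) findings.push(url.href);
  }
  return findings;
}

// Constructed sample: the copy that was reviewed, and a later changed copy.
const REVIEWED = 'function formatAmount(x) { return x.toFixed(8); }\n';
const CHANGED = REVIEWED + '/* line added upstream after review */\n';
const PAGE = `
<script src="/js/wallet.js"></script>
<script src="https://scripts.example/helper/latest.js"></script>
<script src="https://cdn.example/helper-1.2.3.js"
        integrity="${sriHash(REVIEWED)}" crossorigin="anonymous"></script>`;

console.log(unpinnedScripts(PAGE, 'https://wallet.example/'));
console.log(integrityAllows(sriHash(REVIEWED), REVIEWED));
console.log(integrityAllows(sriHash(REVIEWED), CHANGED));
```

An integrity value only helps when the URL it guards serves fixed content, so it goes together with a versioned or self-hosted copy of the script.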

FabioEcoe

New Member
Jul 14, 2019
EEYYY!!! My account was hacked ... have I lost my funds? I think there is not much to do, they must return the chain to before the hack... it's incredible that I may have an error like that there ... please recover the funds
 

FabioEcoe

New Member
Jul 14, 2019
Have I lost my funds? I think that there is not much to do, they must return the chain before the hacking ... it is incredible that there could be an error like that there ... please help to recover the funds
 

FabioEcoe

New Member
Jul 14, 2019
The total robbery was 143.84 DASH in mydashwallet ... the funds have just been moved to two accounts today at the "mined Jul 14, 2019 9:28:15 AM" ... please help ... the accounts CAN BE tracked !!!
 

camosoul

Grizzled Member
Sep 19, 2014
It blows my mind that people still stick their money in the cloud and then act surprised when it disappears... DUMB! This has been going on since 2009 and you STILL haven't learned your lesson?
 

FabioEcoe

New Member
Jul 14, 2019
I am not an expert programmer ... BUT it is very easy to know that NO external libraries are requested ... and accounts can be traced ... I ASK DASH to replace at least part of what was stolen from a portfolio his name and is authorized on his official page.

what happens if DASH does NOT have an accessible and safe wallet ... in South America, it is very necessary ...
also, if DASH does not know who he works with...
 

AgnewPickens

Moderator
Moderator
Mar 11, 2017
Dash knows who the 3rd party contractor was; that is not the issue. We have many options in S. America; he was one of many contractors. I suggest you look up some local providers, @FabioEcoe, like George Donnely.
 

FabioEcoe

New Member
Jul 14, 2019
DO NOT. the facts say otherwise ... my hacked account: XhnL2H26iBGGRAjnpjApbnMhc9os6F5PyD ... you can follow it
 

Hello Kitty

New Member
Jul 17, 2019
The MDW is fishy now! So many persons lost the DASH in MDW during 2 months, and MDW found nothing before. It's so weird!
 

Antti Kaikkonen

Active Member
Jun 20, 2017
dashradar.com
Dash Address
XnZdwT1w2kGeH6RujwoyJ7BBNrukdyTBRB
@FabioEcoe I tried to see if I can follow the money from the address that you provided, but I can only see that it had 0.83 Dash. Is that a wrong address since you said you lost 143 dash? What is the transaction id of the transaction(s) that you didn't authorize?
 

Hello Kitty

New Member
Jul 17, 2019
@HeyMichael What about the issue now? Is the DASH core or the DAO doing something about the MDW compromise? And why does Deltaengine keep silent all the time?