How is it not a security vulnerability?!

I am mining with 5-6 rigs locally. I am not using a public IP:port and port forwarding or SSL tunneling, but mining on a local network. Yet still the attacker is able to steal my coins.
Only way he cannot steal them (I think he can't) is when mining on LOCALHOST, and wallets that are not used for mining, at least for now, are protected.
You are talking about releasing v1.0 of a wallet which is 100% hack-able ... wtf... let alone creating a pool.

Check your ports. What software are you using? If you are not using the official miner binaries, there may be malware. But more likely, the attacker has somehow gotten past your firewall some other way and is able to query your network. We've only had reports of miners getting their coins stolen. Most up until this point have later confessed that they were serving the API over the public internet with their wallet unlocked. (Wallet does need to be unlocked to mine - this is something we can address, but it will take time).
The first reports of theft were only a few weeks ago. It's a new set of attacks, but largely the problem seems to be miners doing insecure practices.
I want to work with you to figure out how the attacker is getting access to your wallet. You need to know though, that after the attacker has stolen coins once, he will be able to steal them again as many times as he wants without access to your API, because the attacker will have the wallet seed. Once the attacks start, the only protection is to get a completely new wallet and hope you can transfer your coins to it before the attacker takes them.
Can you tell me more about the attack though? How many coins are getting stolen? Are you using the v0.5.2 GUI, because that has some bugs in the way it talks to the wallet, and sometimes reports transactions as 'negative' erroneously. The best way to know your balance and know the status of the miner is to use `siac`.
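
One way to act on the "check your ports" advice above, as an added example that is not part of the thread or the project's own code: it parses `ss -ltn` output and reports every listener on the wallet API port that is reachable from anywhere other than localhost. The port number 9980, the function names and the sample output are assumptions made for this example.

```python
import ipaddress

API_PORT = 9980  # assumption: the port your wallet API listens on; adjust to your setup

# Constructed sample of `ss -ltn` output (not taken from the thread).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:9980       0.0.0.0:*
LISTEN  0       128     0.0.0.0:9980         0.0.0.0:*
LISTEN  0       128     192.168.1.20:9980    0.0.0.0:*
LISTEN  0       128     [::1]:9980           [::]:*
LISTEN  0       128     [::]:9980            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

def split_host_port(local):
    """Split 'host:port', including bracketed IPv6 such as '[::1]:9980'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port

def classify(host):
    """Return who can reach a socket bound to this address."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"          # wildcard bind: every NIC on the machine
    ip = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.is_private else "public"

def exposed_listeners(ss_output, port=API_PORT):
    """List (local_address, scope) for API listeners not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                     # header or non-listening socket
        host, p = split_host_port(fields[3])
        if p != str(port):
            continue                     # some other service
        scope = classify(host)
        if scope != "loopback":
            findings.append((fields[3], scope))
    return findings

if __name__ == "__main__":
    for addr, scope in exposed_listeners(SAMPLE_SS):
        print(f"API listener {addr} is reachable beyond localhost ({scope})")
```

On a real machine, pass the text printed by `ss -ltn` to `exposed_listeners` in place of `SAMPLE_SS`; any finding means other hosts can reach the API while the wallet is unlocked.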