Bitcoin Forum

Economy => Services => Topic started by: mralbi on November 17, 2012, 06:08:48 PM



Title: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 17, 2012, 06:08:48 PM
Dear all,

stupid as i am i allowed some hacker to somehow install a trojan horse on my pc where i stored some of my bitcoins. (around 2600), With keylogger he got all my passwords and, of course stole my local wallet file (encryption did not help)

The hacker sent the bitcoins to the address: 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS

http://blockchain.info/address/1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS


Of course i will have the police investigate, but they do not even know what bitcoin is.....
Maybe some of you are expert enough to track the bitcoins so the hacker can lose anonymity by selling them on some platform or similar.


At the same time of course he also stole 200 from my mt gox account, for that the hacker used the email address avolokova@bk.ru and the transaction data was Transaction reference:
f5e5acd4-50a6-4de5-9061-1c0e3964eafe
Date: 2012-11-16 03:30:13 GMT
IP: 178.177.115.229

If you have a hint that discovers the identity of this person so i can get the bitcoins back, i offer a reward of 600 BTC or bitcoin equivalent.

Thanks


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Liberty Payout on November 17, 2012, 06:14:09 PM
You will never get the coins back. Bitcoin is irreversible. This was most likely a one-time bang operation that took place all the way in Russia; I highly doubt the IP you have is even useful. Sorry man.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: ingrownpocket on November 17, 2012, 06:23:59 PM
Good luck   :-\


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: casascius on November 17, 2012, 06:50:45 PM
Everyone who has a stash of bitcoins this big:

You can avoid this problem in ONE EASY STEP by sending your bitcoins to paper wallets.  If you have bitcoins in a "hotwallet" (any wallet that is online), you should move them to a cold paper wallet today.

1. Go to BitAddress.org
2. Print yourself a dozen paper wallets
3. Send your bitcoins to the PRINTED addresses (not the ones on your screen).  Best if you divide them into 10-12 equal parts so you never have to put them all back online at once unless you intend to spend them all at once.
4. Put the paper somewhere safe.

REDEMPTION is easy.  Just create a temporary wallet at BlockChain.info.  Import the paper wallets via their private keys.  You can spend your coins immediately without having to wait for confirmation.

Skeptical?  Try it out with 0.01 BTC.



Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: cunicula on November 17, 2012, 06:55:45 PM
Another one bites the dust. This is why we need protocol modifications enhancing user security such as those I describe here:

https://bitcointalk.org/index.php?topic=115608.msg1319612#msg1319612

How many $10,000s plus casualties will it take before people see reason?

Your paper wallets are all well and good, but highly inconvenient. Security does not need to be inconvenient.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: sebicas on November 17, 2012, 06:56:46 PM
IP: 178.177.115.229

Here you have the contact information for the IP Address
https://apps.db.ripe.net/search/query.html?searchtext=178.177.115.229#resultsAnchor

But as they mentioned before, it may be a Tor exit node or another victim.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: DannyHamilton on November 17, 2012, 07:07:45 PM

If the thief isn't careful there might be some possibility that he will create a transaction that will move some of those coins he now owns (or give a receiving address associated with the stolen coins) to someone who can identify him, and with a huge amount of luck that person could end up being an honest person who is aware of the theft from this discussion.  This is highly unlikely, but from a blockchain standpoint there really aren't any better options.

Looking at the blockchain today, I can confirm at this point in time the thief seems to own the following addresses:
1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS
1PJHvJWKLH9qwaRKeyVS2rC5gfZMr344LB, 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12, 1EPwBwuxyfyQF9kwkwDLoqYw2vcxFCDSYa, 1MGpi8ChSTbDRTA7h3gHh89UGirvsXMCZ1, 1CoTHatdK7hEsZJvymuCNf7eQoApMCuJxo, 126ZVBxjad3BtATBXeeq3uZPcKn24zr4gf, 1MmzRFGAg8HdDHnDJTKo1cKNsgxxiMYUtP, 15QUs9EGw283oisjzSF8XP28Kg4FVugveE, 14PnHT4YonpSzccX9GBpmkh4ohs8dDYDaN, 1BmSgffyC6WAJBBSJbXXodcvcw4cQsthW5

In addition the thief has received from or sent to the following addresses (many of which the thief may also own, but I am not able to confirm this yet).  If anyone happens to own any of these addresses (or know who does), then there is a good chance that they know who the thief is (or they also were stolen from):

That being said, if a forensic team gains access to your hard drive there is probably a better chance of them finding useful information to track down the thief than the chance that the thief will engage in a transaction using one of these addresses with an honest person who happens to see this discussion.  (Both possibilities are so unlikely that you probably need to consider the coins gone).  I hope you get lucky though.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: MysteryMiner on November 17, 2012, 07:14:41 PM
Remember what software you ran before being hacked. Also, I have read in some forum member's signature "Don't deal with Anna Volkova she will scam you" or something similar. I just cannot find the forum member's profile, but he probably knows much more, including some contact details.

Meanwhile take a read about solution for lost coins here https://encyclopediadramatica.se/An_hero because you will not see them again. Trollolol


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: piuk on November 18, 2012, 12:12:59 PM
Here is where a new feature might just come in handy.. On the taint analysis the address of bitcointalk user nyana is tagged.

https://i.imgur.com/ICA4t.png

http://blockchain.info/address/18V845FZ8UnQNCDiSH1fE1xu6T4HHbJCUu

You could try PMing that user and seeing if they know anything about the address in question. It's a long shot but you never know.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: MysteryMiner on November 18, 2012, 12:18:08 PM
Don't follow the blockchain as it becomes useless if the mixing service is used. The luser should need someone who takes a look at the infected computer and server from what infection happened. Think different!


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: augustocroppo on November 18, 2012, 06:17:59 PM
Dear all,

stupid as i am i allowed some hacker to somehow install a trojan horse on my pc where i stored some of my bitcoins. (around 2600), With keylogger he got all my passwords and, of course stole my local wallet file (encryption did not help)

The hacker sent the bitcoins to the address: 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS

http://blockchain.info/tx/8d6602b0e8e4479d79e5dab0c35bdb4f7545513cb426411348ec1502413a8f80

Could you prove that you control at least one of the original addresses?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 18, 2012, 06:43:38 PM
Yes i could prove this, i have a backup copy of the wallet.dat and everything is connected to me (my identity) via mtgox


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: augustocroppo on November 18, 2012, 10:53:43 PM
Yes i could prove this, i have a backup copy of the wallet.dat and everything is connected to me (my identity) via mtgox

Please, prove it.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 19, 2012, 11:27:33 AM
is this proof enough?
http://imageshack.us/photo/my-images/29/adressbook.jpg/

Otherwise you can come and see if i really possess the wallet.dat ;-)

I know the chances are very little to see the money again...



It turns out that the infection came via teamviewer application for remote control, either 0day exploit or brute force and then the intruder could execute the trojan


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: prezbo on November 19, 2012, 01:26:49 PM
is this proof enough?
http://imageshack.us/photo/my-images/29/adressbook.jpg/

Otherwise you can come and see if i really possess the wallet.dat ;-)

I know the chances are very little to see the money again...



It turns out that the infection came via teamviewer application for remote control, either 0day exploit or brute force and then the intruder could execute the trojan

In case you're not aware of it, you can prove ownership of any address by signing a message with the corresponding private key. You can use brainwallet.org (http://brainwallet.org/#sign) to do this. You can also use the bitcoind's signmessage command (https://en.bitcoin.it/wiki/Original_Bitcoin_client/API_calls_list).


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: reyals on November 19, 2012, 03:30:05 PM
It turns out that the infection came via teamviewer application for remote control, either 0day exploit or brute force and then the intruder could execute the trojan
Link?  I see quite a few apparently legitimate links (I say legitimate because one normally doesn't charge for trojans). Where did the bad copy come from?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: DadoSovr on November 19, 2012, 03:35:12 PM
I do not think you will be able to find it, however, I wish you good luck!


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: augustocroppo on November 19, 2012, 04:12:18 PM
is this proof enough?
http://imageshack.us/photo/my-images/29/adressbook.jpg/

No.

That is a screenshot of your address list. You can add or remove the addresses at any time. I recommend you to follow prezbo's suggestion:

In case you're not aware of it, you can prove ownership of any address by signing a message with the corresponding private key. You can use brainwallet.org (http://brainwallet.org/#sign) to do this. You can also use the bitcoind's signmessage command (https://en.bitcoin.it/wiki/Original_Bitcoin_client/API_calls_list).


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: MysteryMiner on November 19, 2012, 10:24:38 PM
Quote
It turns out that the infection came via teamviewer application for remote control, either 0day exploit or brute force and then the intruder could execute the trojan
Why did You have that teamviewer installed? Did someone know the password for the connection or was given access to it at any point in past?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: jl2035 on November 19, 2012, 11:04:14 PM
There is probably some exploit for Team Viewer so he didn't have to know the password. If you have that kind of money on your wallet you are definitely a hot target.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mufa23 on November 19, 2012, 11:57:37 PM
What version of Team Viewer? Where did you download it?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 20, 2012, 10:07:42 AM
just the standard version from teamviewer.com
i don't recall which exact version, but it was running 24/7 with permanent IP


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 20, 2012, 11:09:01 AM
this is the result of signing the message

"This is a test message"

on the public key 1MTscp1WQz2QRBgpWPy2ctmiQ7zvXZPy5g


Result:
G7SvfRszZfLipOXVvy8pGEgiRKcugumXb7Oo+8uvAX0RCqqAuhOuOcPk5JQHA7l4ulmsijgwmMAYEGHrrKPXPmg=


This should hopefully prove ownership of my (now empty) wallet.dat :-(



i had to run the teamviewer to access my data / computer network from outside, since i have several IT projects running (not only bitcoin mining) besides my full time job. Obviously this was a mistake. I now will pay a professional network security specialist to redo my whole IT setup. This costs a lot but will be cheaper than losing more bitcoins in the future ;)


Still, for any hints to catch the guy, no matter how small the chances are, I will pay 600 BTC reward.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: prezbo on November 20, 2012, 11:21:46 AM
this is the result of signing the message

"This is a test message"

on the public key 1MTscp1WQz2QRBgpWPy2ctmiQ7zvXZPy5g


Result:
G7SvfRszZfLipOXVvy8pGEgiRKcugumXb7Oo+8uvAX0RCqqAuhOuOcPk5JQHA7l4ulmsijgwmMAYEGHrrKPXPmg=

You always want to at least include your nickname in such a message. You could find something like this online and claim it was you that signed it. Or better yet, have someone else in this thread tell you what to sign.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Jaw3bmasters on November 20, 2012, 11:40:54 AM
....I now will pay a professional network security specialist to redo my whole IT setup....

Get some common sense while you're at it.

Machines hack machines. Hackers hack you.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: OpenYourEyes on November 20, 2012, 11:44:22 AM
Do you have a copy of the trojan you installed?
If so it may be possible to 'decompile' it to find the IP/Email of where the key log results were being sent.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 20, 2012, 02:45:56 PM
well, the hard drive was erased, so i could not identify the program. But i am sure you will find more information when you can log into the guy's email:
 
avolokova@bk.ru


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: augustocroppo on November 20, 2012, 04:10:48 PM
There is something wrong about your allegations. You said the wallet.dat file was stolen from your computer by a Trojan horse. That means the thieves would have to extract the private keys from your wallet.dat file and then redeem the electronic coins.

The redemption occurred on 16 November 2012, 03:28:22:

http://blockchain.info/tx/8d6602b0e8e4479d79e5dab0c35bdb4f7545513cb426411348ec1502413a8f80

Quote
Received Time 2012-11-16 03:28:22

You alleged that Bitcoins in your Mt.Gox were also stolen on the same date:

At the same time of course he also stole 200 from my mt gox account, for that the hacker used the email address avolokova@bk.ru and the transaction data was Transaction reference:
f5e5acd4-50a6-4de5-9061-1c0e3964eafe
Date: 2012-11-16 03:30:13 GMT
IP: 178.177.115.229

At that time, you would not have had access to your computer files because the hard drive was completely erased:

well, the hard drive was erased, so i could not identify the program. But i am sure you will find more information when you can log into the guy's email:

When required to prove you are controlling the address listed in the alleged transaction, you provided a screenshot showing your address list. Moreover, you also indicated that you became aware that the Trojan horse was inserted in your computer by the software Teamviewer:

is this proof enough?
http://imageshack.us/photo/my-images/29/adressbook.jpg/

It turns out that the infection came via teamviewer application for remote control, either 0day exploit or brute force and then the intruder could execute the trojan

This is completely inconsistent. If your hard drive was really erased, then you would:

1. Not have access to your Bitcoin client to take a screenshot of your address list.
2. Not have access to your operating system to determine how the Trojan horse was inserted.
3. Not have access to your wallet.dat file to determine how the electronic coins were redeemed.

How do you explain this?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: prezbo on November 20, 2012, 04:16:54 PM
When required to prove you are controlling the address listed in the alleged transaction, you provided a screenshot showing your address list.
To be fair, he did also provide a signature for address 1MTscp1WQz2QRBgpWPy2ctmiQ7zvXZPy5g (http://blockchain.info/address/1MTscp1WQz2QRBgpWPy2ctmiQ7zvXZPy5g), from which ~2600 coins were transferred.

Quote
This is completely inconsistent. If your hard drive was really erased, then you would:

1. Not have access to your Bitcoin client to take a screenshot of your address list.
2. Not have access to your operating system to determine how the Trojan horse was inserted.
3. Not have access to your wallet.dat file to determine how the electronic coins were redeemed.

How do you explain this?

EDIT:

The IP 178.177.115.229 from the Mt.Gox log did not relay any transaction:

http://blockchain.info/ip-address/178.177.115.229

He could have his wallet.dat backed up somewhere, and import it on a different computer. That would explain 1. and 3., at least.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Jaw3bmasters on November 20, 2012, 04:59:43 PM
This is completely inconsistent. If your hard drive was really erased, then you would:

1. Not have access to your Bitcoin client to take a screenshot of your address list.
2. Not have access to your operating system to determine how the Trojan horse was inserted.
3. Not have access to your wallet.dat file to determine how the electronic coins were redeemed.

How do you explain this?

Poor guy. Lost his coins now this....


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 20, 2012, 06:17:31 PM
Oh come on!


I have a home network of several (14) more or less high-end computers, which i need for various tasks, not only for bitcoin. The wallet was stored at three places, on my bitcoin mining server plus on my laptop (which was the access point for the hacker) and i also have a backup copy of my wallet.dat on a USB stick totally offline from all IT infrastructure i have. Via TeamViewer all PCs were connected, so the hacker managed to delete the wallet.dat on my mining server AND on my laptop.

Even though my hard drive was erased, i still had a copy of the wallet.dat on my offline storage and i could make a screenshot after reloading this wallet in my newly setup computer. Even though 2600 were stolen from my local wallet, this was luckily "only" the minor part, since I stored the rest at other "offline" places or for example simply on my MtGox account.


Still, losing 2600 BTC + the 200 from MtGox is also for me quite a lot of money, but why the hell should this be inconsistent. I know these coins will be lost forever, nevertheless i was hoping that some more skilled person than me might be able to help me for what i am offering a reward of 600 BTC.



Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mufa23 on November 21, 2012, 02:29:19 AM
What if you are an attention whore, and you stole your own Bitcoins?

For a guy that just lost 30 grand, you don't seem to care.
just the standard version from teamviewer.com
i don't recall which exact version, but it was running 24/7 with permanent IP
If I lost that much, I'd be doing my best to figure out what was in charge of my 30k. Also wondering how someone knew I had Bitcoins, and that I was running Team Viewer. How did they know where to look? Your story doesn't sound very convincing


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: reyals on November 21, 2012, 04:54:08 AM
I'm still a bit unclear... so it wasn't really a trojan but he was able to just walk in the front door using your remote admin software?
what makes you think this?

i had to run the teamviewer to access my data / computer network from outside, since i have several IT projects running (not only bitcoin mining) besides my full time job. Obviously this was a mistake. I now will pay a professional network security specialist to redo my whole IT setup. This costs a lot but will be cheaper than losing more bitcoins in the future ;)
How much you paying? ;)


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: augustocroppo on November 21, 2012, 01:20:10 PM
I have a home network of several (14) more or less high-end computers, which i need for various tasks, not only for bitcoin. The wallet was stored at three places, on my bitcoin mining server plus on my laptop (which was the access point for the hacker) and i also have a backup copy of my wallet.dat on a USB stick totally offline from all IT infrastructure i have. Via TeamViewer all PCs were connected, so the hacker managed to delete the wallet.dat on my mining server AND on my laptop.

The wallet.dat file was used at the same time by the server's Bitcoin client and the laptop's Bitcoin client?

Even though my hard drive was erased, i still had a copy of the wallet.dat on my offline storage and i could make a screenshot after reloading this wallet in my newly setup computer. Even though 2600 were stolen from my local wallet, this was luckily "only" the minor part, since I stored the rest at other "offline" places or for example simply on my MtGox account.

You did not explain how you managed to discover the deposit address used by the thieves. When did you discover the erased hard drive? Please, provide an accurate date and time. From that point, how did you manage to recover the wallet.dat file?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: legitnick on November 21, 2012, 10:44:48 PM
Running windows and bitcoin is not a good idea..


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on November 21, 2012, 11:39:01 PM
well...no further comment, as already stated earlier, i had a backup copy of my wallet "offline" (and i still have). And regarding the timing....(for whatever reason this is so interesting) It took me 30 min to reinstall windows, 5 min to download the bitcoin client, 2 min to reinsert the wallet from my backup copy and about 6 hours or so for the blockchain to be downloaded again and tadaaa, i could see the address where my bitcoins went to. The time of the stealing can easily be seen in the blockchain, it was Thursday to Friday early in the morning, but i still don't understand why this is such a problem to understand, to say "i invented the whole shit because i want to get some attention" is just laughable.

I could get some useful tips here and thanks to all constructive comments

Actually i invested quite a lot of time and resources into this bitcoin project, not because i think it is a "get rich quick" scheme. (At the moment it is more a getting poor quick scheme), but because it is one of the greatest inventions ever and i still believe in the concept. And yes, it was my fault to run windows machines and yes, now i know that wallet encryption does not help against keyloggers.

I will simply resetup my IT stuff together with some expert, (I agreed to give him 300 euro for his services) and life has to go on...  Still, for any tips that could identify the guy, the reward is still valid


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: nomnomnom on November 22, 2012, 12:18:06 AM
i had to run the teamviewer to access my data / computer network from outside

It could also be that the computer you used to access your teamviewer connection got compromised
and the thief got in that way, I would take a close look at the computer you used for remote access.

Maybe it's time that we set up some honeypots for bitcoin malware... ???


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: CharlieContent on November 22, 2012, 11:14:11 AM
mralbi, don't worry about AugustoCroppo. He's the resident oddball.

He is very, very jealous of those who have (or in your case, had) more Bitcoins than he does.

I once mentioned how many coins I control. Months later, AugustoCroppo went through my post history, found the post and demanded that I prove I genuinely have control of the coins.

The guy is a psycho and best ignored. Sorry about your coins.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: jl2035 on November 22, 2012, 12:06:05 PM
Running windows and bitcoin is not a good idea..

Running windows is not a good idea at all.. :)


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Jaw3bmasters on November 22, 2012, 12:25:32 PM
Running windows is not a good idea at all.. :)

Blasphemy!



Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: elux on November 22, 2012, 01:00:33 PM
There is something wrong about your allegations. You said the wallet.dat file was stolen from your computer by a Trojan horse. That means the thieves would have to extract the private keys from your wallet.dat file and then redeem the electronic coins.

Err... Do you happen to think that BTCurious is lying as well?

I am reporting a hack as well, by the same email. Most exchange accounts were protected by google authenticator, these seem okay. I've lost 100 Bitcoins on one account that didn't offer GA, and one got compromised but didn't suffer losses.

Still investigating method of attack.

Edit: My harddrive has not been erased.

What about Cdecker: (More than 8000 BTC stolen.)

Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:

Quote
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker

Same happened a few minutes later on my machine at home (my bash history must have told him where to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised).

I'll write everything down and file a report, we'll see how open to technology the Swiss police are :D

I'm scared.
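
The sshd excerpt quoted in the post above shows an `Accepted publickey` line right after a reverse-mapping warning, followed by an sftp request. As an added example (not from the thread), this is one way to triage an auth log for that pattern: it lists accepted logins from outside the networks the account normally uses and notes whether the reverse-mapping check failed and whether an sftp session followed. The log lines are constructed in the same format with documentation-range addresses; `TRUSTED_NETS`, `LOG_YEAR` and the function name are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RDNS_FAIL = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[^\]]+)\] failed")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SFTP = re.compile(r"subsystem request for sftp by user (?P<user>\S+)")

# Assumptions (hypothetical values): where this user normally logs in from,
# and the year, which classic syslog timestamps omit.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOG_YEAR = 2012

# Constructed sample lines, not taken from any real host.
SAMPLE_LOG = """\
Sep 28 09:12:01 host1 sshd[4100]: Accepted publickey for alice from 192.0.2.15 port 50122 ssh2
Sep 28 20:45:36 host1 sshd[4207]: reverse mapping checking getaddrinfo for dyn-203-0-113-77.example.net [203.0.113.77] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 host1 sshd[4207]: Accepted publickey for alice from 203.0.113.77 port 28384 ssh2
Sep 28 20:45:37 host1 sshd[4210]: subsystem request for sftp by user alice
Sep 28 21:02:10 host1 sshd[4300]: reverse mapping checking getaddrinfo for scanner.example.org [198.51.100.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 21:02:12 host1 sshd[4300]: Failed password for root from 198.51.100.9 port 41000 ssh2
"""


def is_trusted(ip_text, trusted):
    """True if the source address parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in trusted)


def triage(log_text, trusted=TRUSTED_NETS, sftp_window=timedelta(seconds=30)):
    """Return accepted logins from outside `trusted`, annotated with context."""
    rdns_failed = {}  # sshd pid -> source IP that failed the reverse-mapping check
    logins = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if (hit := RDNS_FAIL.search(msg)):
            rdns_failed[m["pid"]] = hit["ip"]
        elif (hit := ACCEPTED.search(msg)):
            # A successful key login means the key itself was usable by the
            # client; the reverse-mapping warning only concerns the source DNS.
            logins.append({
                "time": ts, "user": hit["user"], "ip": hit["ip"],
                "method": hit["method"],
                "outside_trusted": not is_trusted(hit["ip"], trusted),
                "rdns_failed": rdns_failed.get(m["pid"]) == hit["ip"],
                "sftp_followed": False,
            })
        elif (hit := SFTP.search(msg)):
            # The sftp request is logged under a different pid, so pair it
            # with the most recent login of the same user inside the window.
            for login in reversed(logins):
                if login["user"] == hit["user"] and ts - login["time"] <= sftp_window:
                    login["sftp_followed"] = True
                    break
    return [entry for entry in logins if entry["outside_trusted"]]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
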


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: augustocroppo on November 26, 2012, 05:20:29 AM
well...no further comment, as already stated earlier, i had a backup copy of my wallet "offline" (and i still have). And regarding the timing....(for whatever reason this is so interesting) It took me 30 min to reinstall windows, 5 min to download the bitcoin client, 2 min to reinsert the wallet from my backup copy and about 6 hours or so for the blockchain to be downloaded again and tadaaa, i could see the address where my bitcoins went to. The time of the stealing can easily be seen in the blockchain, it was Thursday to Friday early in the morning, but i still don't understand why this is such a problem to understand, to say "i invented the whole shit because i want to get some attention" is just laughable.

It is not a problem to understand. You just did not explain how exactly it happened in the first post. Therefore I asked relevant questions. I do not think you invented this event to obtain attention. I am sorry if I sounded suspicious. I am very skeptical regarding the theft of Bitcoins.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: FlipPro on November 26, 2012, 05:23:35 AM
Sad story... MTGOX /w Yubikey would have been safer to use in this case.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on January 22, 2013, 10:17:29 PM
dear all,
i have received NEW important information in this issue


the hacker also owns the key 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT and his "real" email address is sam.rankin@me.com
he used IP address 97.106.160.84
on 2012-10-05 at 20:51:51

he used to mine on deepbit, but they do not hand out any info about their users and do not answer to my mails.


Maybe one of you guys is smart enough to get any useful information about this case


the 600 BTC reward are still available


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: 21after2 on January 22, 2013, 11:58:32 PM
Did a reverse email search for him and found this information:
http://www.peoplefinders.com/search/preview.aspx?searchtype=people-email&email=sam.rankin@me.com

Samuel Rankin of Scottsdale, Arizona.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: DannyHamilton on January 23, 2013, 12:00:20 AM
dear all,
i have received NEW important information in this issue . . .

I can see here that the thief who controls 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS also controls 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12
http://blockchain.info/tx/7e1455f12fdbb7119fe350edb1410f2e1cdff723c15b7e2d9acb8568124e1bb5

And I can see here that the thief who controls 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12 received bitcoins from someone who controls 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT
http://blockchain.info/tx/83d2fd573e5ce47fca38bc3895356b8ed4a6b98a4c2b49c030dd0444a2ac506f

But I'm not sure how you determined that the person who controls 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT is also the person who controls 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS

It certainly is possible that Mr. Rankin is the thief and sent bitcoins to himself, but isn't it also possible that the thief is someone else and received bitcoins from Mr. Rankin (or stole bitcoins from Mr. Rankin)?

???


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Herodes on January 23, 2013, 05:00:55 AM
You may want to set up a wiki so people can collaborate in finding information in this case. With many eyes looking, there may be a higher chance of finding the thief.

Best wishes.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Red Emerald on January 23, 2013, 05:23:08 AM
dear all,
i have received NEW important information in this issue

...

the 600 BTC reward is still available
How did you get this information? You can't just drop an email address and not say why you believe this is the guy.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Nolo on January 23, 2013, 05:37:11 AM
Extrapolating from the information OP has made public:  

Samuel Patrick Rankin (about age 41) previously lived in the Scottsdale Arizona area.  He works in the field of semiconductors.  He has patented a "current to voltage converter" (whatever that means).  This same Samuel P. Rankin also attended the University of Nebraska at Lincoln where he studied Physics.  

The IP address that has been posted appears to originate out of Tampa, FL.  This guy works (or worked) for Linear Technology Corporation and Medtronic, Inc.  Those are the two companies to which the patents he invented are assigned.

This guy's father is Samuel H Rankin (age 70) and lives in Chadron, NE.  

Scott Vernon was his co-inventor on one of the patents.  Here is his LinkedIn page with a picture.  http://www.linkedin.com/pub/scott-vernon/54/901/b?trk=pub-pbmap

Here is Rankin's LinkedIn page but no picture:  http://www.linkedin.com/profile/view?id=5046482&authType=name&authToken=gERZ&goback
It says he still works at Linear Technology.  He is a Senior Design Engineer.  Corporate Headquarters: 720 Sycamore Dr.  Milpitas, CA 95035-7417  Phone:  408-432-1900
He also studied Physics at Arizona State University.  

Brendan Rankin has extensive experience with FPGAs and ASICs. (Something that might have led him into the bitcoin scene.)

His father is dead, and Brendan and Samuel are brothers.  Here is his father's obituary:
Quote
RANKIN, Dr. Samuel H. age 70 of Huber Heights, passed away September 30, 2012. He was born September 25, 1942 in Dayton to the late Samuel H. and Jane E. Rankin. In addition to his parents, Sam was preceded in death by an infant brother, Tom; and grandsons: Remington and Camden Rankin. Sam is survived by his wife of 44 years, Sharon (Altendorf) Rankin, whom he married at Holy Angels Church in Dayton in 1968; children: Brendan (Pilar) Rankin, Sam (Vicky) Rankin, David (Tracy) Rankin and Mary (Aaron) Tucker; grandchildren: Robert, Laura, Allen, Grace, Claire, Lyndsie and Ashton; sisters: Peggy (Tom) Weckesser, Mary Ellen (Robert) Davis, Rita (Kurt) Rinehart and Sally (Don) Carter; many nieces, nephews and dear friends. Sam attended St. Agnes elementary school, Brunnerdale High School Seminary, St. Josephs College in Indiana, University of Wyoming, where he received his Master's Degree in History. He taught high school for one year in Delano, California and one year at Walnut Hills High School in Cincinnati. He completed his PhD in History at Kent State University. At Valley City State College in North Dakota, he served as a Professor of History and then Vice President for Academic Affairs. He served as Vice President for Academic Affairs at Eastern Montana University in Billings, MT. Sam was very proud to lead Chadron State College in Chadron, Nebraska as President for 12 years. During his tenure he was praised and respected for his many accomplishments. He was fortunate to return to his passion of teaching for 9 years before his retirement. Post retirement, he said often that he failed at retirement. He continued to teach online courses in History for Chadron State College and served as consultant for the Higher Learning Commission. He was on the Board of Directors for National American University. Sam was a loving husband, father, grandfather and brother. He was generous beyond his means and was known for his quick wit and dry sense of humor. 
Mass of Christian Burial will be held at 11:00 am on Thursday, October 4, 2012 at St. Peter Catholic Church, 6161 Chambersburg Road, Huber Heights, where the family will receive friends for one hour prior to the service, from 10:00 am to 11:00 am. Father Robert Hadden Celebrant. Contributions may be made in Sam's memory to the Pancreatic Cancer Action Network, 1500 Rosecrans Avenue, Suite 200, Manhattan Beach, California 90266 or pancan.org. To send a special message to the family, please visit www.NewcomerDayton.com

The obituary points out that Sam now lives in Phoenix with his wife Vicky.  

Here is his wife's Facebook page:  https://www.facebook.com/vicky.k.rankin
She graduated from Hanover College in 1993.  She donates to the school.  

Here is their address and property tax information:
http://mcassessor.maricopa.gov/Assessor/ParcelApplication/Detail.aspx?ID=214-50-116

Looks like their home currently appraises for about $120,000.  They purchased it in 1998 for $146,000.  Bad investment it looks like.  Although that is just the property tax assessment, so the real market value might be much higher.  In fact it looks like Zillow puts a value of about $177k on it, and realtor.com puts a value of about $207k on it.  http://www.realtor.com/realestateandhomes-detail/1826-E-Sheena-Dr_Phoenix_AZ_85022_M14205-84656?source=web

Here's the deed to his house:  http://156.42.40.50/UnOfficialDocs/pdf/19980647620.pdf


I want to put out the disclaimer:  All of this information is freely available on the internet.  I have no knowledge of any wrongdoing by this individual, and I am certainly not accusing this individual of any wrongdoing.  mralbi asked for information on someone associated with the email address sam.rankin@me.com.  All I have done is provide information on who I believe is associated with this email address.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Nolo on January 23, 2013, 06:48:01 AM
With respect to my post above, I believe I have met the requirements of OP's first post:
Quote
If you have a hint that discovers the identity of this person so I can get the bitcoins back, I offer a reward of 600 BTC or bitcoin equivalent.

I relied on the information provided in OP's subsequent post as a starting off point:
Quote
the hacker also owns the key 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT and his "real" email address is sam.rankin@me.com
he used IP address 97.106.160.84
on 2012-10-05 at 20:51:51

he used to mine on deepbit, but they do not hand out any info about their users and do not answer my mails.


Maybe one of you guys is smart enough to get any useful information about this case


the 600 BTC reward is still available

Everything else was just tracking one lead after another.  

My analysis being correct, of course depends on OP's statement of his real email address being correct.  

Here is my bitcoin address: 19GpqFsNGP8jS941YYZZjmCSrHwvX3QjiC  I'm very happy to have been able to have helped you :) 


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on January 23, 2013, 07:26:15 AM
ok thank you so far, I will check the traces.


The connection between the keys came from bitmarket.eu data which should be sufficiently acceptable as proof before court.

But how accurate is this information? I mean is it SURE that the personal information posted above is PROVABLY connected to the email address? Or was it just a name search? (I mean I could also easily create an email address sam.ranking@gmail.com or whatever)


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Nolo on January 23, 2013, 03:41:38 PM
ok thank you so far, I will check the traces.


The connection between the keys came from bitmarket.eu data which should be sufficiently acceptable as proof before court.

But how accurate is this information? I mean is it SURE that the personal information posted above is PROVABLY connected to the email address? Or was it just a name search? (I mean I could also easily create an email address sam.ranking@gmail.com or whatever)

Samuel Rankin used that email address you provided to register with Pandora and Vimeo when he was living in Scottsdale AZ. 

I guess my question is, where did you get that email address from? 


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: DannyHamilton on January 23, 2013, 03:48:10 PM
You may want to set up a wiki so people can collaborate . . .
+1

I've got a list of over 901 addresses (I suspect that many of them are change addresses that were only used once and don't even show up in the user's wallet user interface if they are using Bitcoin-Qt) that almost certainly belong to the same person as 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT.  It's going to be a mess to read as a forum post, but if there were a wiki, I'd add the list there.

In the meantime, if anyone wants the list, get me your email address and I'll send it to you.

If more of these addresses can be tied to the same person it would seem to increase the certainty of identity.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Grouver (BtcBalance) on January 23, 2013, 04:16:54 PM
If bitcoins become even more used, the Bitcoin developers should seriously take a look into the keylogger problem.
Yes now the wallet is encrypted with a password... but that doesn't mean shit if you're infected with a keylogger.
A virtual keyboard sucks IMHO.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Herodes on January 23, 2013, 07:15:40 PM
If bitcoins become even more used, the Bitcoin developers should seriously take a look into the keylogger problem.
Yes now the wallet is encrypted with a password... but that doesn't mean shit if you're infected with a keylogger.
A virtual keyboard sucks IMHO.

Isn't two-factor something that's already been implemented, or already worked on? I.e. you want to send coins, and then you have to use two devices to do it?


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: elux on January 23, 2013, 07:32:35 PM
If bitcoins become even more used, the Bitcoin developers should seriously take a look into the keylogger problem.
Yes now the wallet is encrypted with a password... but that doesn't mean shit if you're infected with a keylogger.
A virtual keyboard sucks IMHO.

Isn't two-factor something that's already been implemented, or already worked on? I.e. you want to send coins, and then you have to use two devices to do it?

Feature request: Can we have 2-factor authentication for Bitcoin-Qt plz.



Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on January 23, 2013, 11:31:59 PM
The email address (and the IP) I also got from the bitmarket.eu database of users. Of course the first idea I had was to write an email to this address and ask directly, but of course he did not get an answer.

Ok thanks a lot, i will check this guy asap


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: 21after2 on January 23, 2013, 11:36:13 PM
The email address (and the IP) I also got from the bitmarket.eu database of users. Of course the first idea I had was to write an email to this address and ask directly, but of course he did not get an answer.

Ok thanks a lot, i will check this guy asap

Good luck!


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Gavin Andresen on January 24, 2013, 02:51:39 AM
Isn't two-factor something that's already been implemented, or already worked on? I.e. you want to send coins, and then you have to use two devices to do it?

It is very high on the priority list, yes. Miners already support it, but there are still a couple of steps to go before you can create a wallet split between Bitcoin-Qt running on your desktop computer and an app running on your iPhone.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: foo on January 24, 2013, 04:14:21 AM
The connection between the keys came from bitmarket.eu data which should be sufficiently acceptable as proof before court.
Interesting... So the thief funneled some of the money stolen from mralbi through bitmarket.eu, but didn't count on mralbi buying BitMarket and getting access to the database. ;D


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on January 24, 2013, 10:43:04 AM
yes, the bitcoin world is small.... and despite all the mess I am in with my losses on bitmarket and with the hack, this is still from some point of view funny....


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: DannyHamilton on January 24, 2013, 10:39:17 PM
mralbi,

I've finished my program that scans the blockchain and uses the inputs from transactions to link addresses to a single entity that controls the list of addresses.  A person can keep addresses from being tied together by being careful to keep their bitcoins in separate wallets or using raw transactions for coin-control to avoid connecting addresses together in inputs, so the program will not be able to report those addresses that are carefully segregated.

Running the program, I find 901 addresses that can all be said to have been used in inputs by someone who has the private key to 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT.

I've emailed the list to you.
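
The input-linking approach described in the post above, together with the earlier caveat in this thread that receiving coins from an address does not show common ownership, as an added example (not DannyHamilton's program; the address labels and transactions are constructed, and `relation` is a hypothetical helper):

```python
from collections import defaultdict

# Constructed sample data: labels such as "A1" are placeholders, not real
# Bitcoin addresses. "inputs" are the addresses whose keys signed the
# transaction; "outputs" are the addresses that were paid.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1", "A3"]},
    {"txid": "tx2", "inputs": ["A2", "A4"], "outputs": ["C1"]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": ["B2"]},
    {"txid": "tx4", "inputs": ["B1", "B2"], "outputs": ["D1"]},
    {"txid": "tx5", "inputs": ["C1"], "outputs": ["A1"]},
]


class UnionFind:
    """Disjoint-set structure keyed by address label."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_inputs(txs):
    """Merge addresses that appear together as inputs of one transaction.

    Only co-spent inputs are merged: spending them together required every
    corresponding private key. Outputs are registered but never merged.
    Assumption: each transaction was signed by one party; a transaction built
    jointly by several parties would make this over-link.
    """
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return uf, clusters


def cluster_of(txs, address):
    """All addresses linked to `address` through co-spent inputs."""
    uf, clusters = cluster_by_inputs(txs)
    return clusters[uf.find(address)]


def relation(txs, a, b):
    """Classify the evidence connecting two addresses."""
    uf, _ = cluster_by_inputs(txs)
    ra, rb = uf.find(a), uf.find(b)
    if ra == rb:
        return "same-entity"
    for tx in txs:
        spender = uf.find(tx["inputs"][0])
        receivers = {uf.find(out) for out in tx["outputs"]}
        if (spender == ra and rb in receivers) or (spender == rb and ra in receivers):
            # One cluster paid the other: a counterparty, a victim, or the
            # same person's unlinked change address. The chain cannot tell.
            return "payment-only"
    return "unrelated"


if __name__ == "__main__":
    print(sorted(cluster_of(SAMPLE_TXS, "A4")))
    print(relation(SAMPLE_TXS, "A4", "B2"))
```

In the sample, `A3` is probably change from `tx1`, yet it stays outside the `A` cluster until it is spent alongside another `A` address, which is why cluster sizes grow as more transactions are scanned.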


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: DannyHamilton on January 25, 2013, 10:40:10 PM
Just discovered this website:
http://blockviewer.com/#1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT

Looks like my program missed a few addresses (the website reports 954 addresses controlled by the controller of 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT).

It also shows a list of who they've sent transactions to and who they've received transactions from.  If you can positively identify any of the people who have engaged in transactions, they might be able to assist you in identifying.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Herodes on January 26, 2013, 02:04:00 AM
Just discovered this website:
http://blockviewer.com/#1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT

Looks like my program missed a few addresses (the website reports 954 addresses controlled by the controller of 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT).

It also shows a list of who they've sent transactions to and who they've received transactions from.  If you can positively identify any of the people who have engaged in transactions, they might be able to assist you in identifying.

Would love for the first btc thief to be caught. It's a longshot, but not impossible, if the thief fucked up somewhere, there may be some leads back to him.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: hackjealousy on January 26, 2013, 02:10:56 AM
The IP address corresponding to the owner of a Bitcoin address can be determined if the owner has bitcoind or bitcoin-qt listening on a publicly-available Internet address.

https://bitcointalk.org/index.php?topic=135856.msg1447232


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Anon136 on January 26, 2013, 02:11:09 AM
if you do track him down, please break an extra knee/elbow just for me.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: starsoccer9 on January 27, 2013, 04:00:43 PM
I would just like to clarify the following things for a few people, the 600 btc reward isn't a 1 person reward it is a multi person reward given to the most helpful hints. The 600 BTC are also not given to anyone until the scammer is taken to court and loses. Whether he pays or not does not affect the reward. As far as the most helpful hints go, currently as per my talk with mralbi, danny and maceij(yes the bitmarket owner who stole/lost users bitcoins). Also as far as escrow goes it is not an option. I would recommend it as after speaking with mralbi his story changed multiple times but this seems to be the final view of how everything will go.

This isn't meant to rip mralbi just clarify what he conveniently seems to leave out as after I contacted him willing to provide him with info and link the people and he basically quickly changed how the reward went multiple times.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on January 27, 2013, 06:02:32 PM
thanks starsoccer for offering your help;-)

and also thanks for your clarification. Indeed the 600 btc is meant as total reward in case several hints in combination would lead to catch the guy.  It does NOT mean that when I receive 4 "small" hints that I pay 4 times 600 BTC = 2400 btc. Also, I do not pay the reward bitcoins beforehand and especially not before I can see the information, like you proposed. Also not to an escrow service. It has to prove as useful first to catch the guy. But it is independent from the question if he later can actually pay back the stolen coins or not.

I have received really valuable hints so far from the admin from bitmarket.eu, from danny for the detailed block chain analysis with his tool(s) and also for personal info for the email address in this forum and i really hope these hints will help me further in this issue. But unless it is some totally new trace that gives me the hackers identity from A to Z the mentioned persons would get a good share of the reward.

An exception regarding pre-payment is of course when expenses are concerned. I am glad to pay for any expenses that search for information would cause (like data base access fees or whatever)


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: hardcore-fs on February 16, 2013, 02:30:47 AM
Just discovered this website:
http://blockviewer.com/#1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT

it is flawed, I have at least one address with multiple transactions that do not even show up.....


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: MysteryMiner on March 09, 2013, 05:13:22 PM
What if thief turns himself in, will he receive additional 600 BTC?

And two factor authentication will bring more disasters and total coin loss than trojan horses on computer. Mobile phones are very susceptible to total data loss due to misplacing and water damage, accidental resets, hardware failures. Mobile phones are inherently anti-privacy devices, with remote data wiping features on some models.

If you cannot keep the computer secure like 90% of derps out there, then the only way to go is using offline wallets with Armory. Run Armory on a computer that has no network connection and create a watching-only copy on your primary computer. Sign large transactions on the offline computer.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: Bitcoinpro on March 10, 2013, 01:38:37 AM
considering 1 us could very easily jump to 1 satoshi with global acceptance

i reckon op doesn't quite realize the size of the target they really are maybe this will help

http://www.all-wallpapers.net/wp-content/uploads/2012/12/Army-Military-Navy-Navy-Seals.jpg





Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: ironcross360 on March 10, 2013, 03:16:28 PM
Where did you download your bitcoin client from? It might have been a binded file

dear all,
i have received NEW important information in this issue


the hacker also owns the key 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT and his "real" email address is sam.rankin@me.com
he used IP address 97.106.160.84
on 2012-10-05 at 20:51:51

he used to mine on deepbit, but they do not hand out any info about their users and do not answer my mails.


Maybe one of you guys is smart enough to get any useful information about this case


the 600 BTC reward is still available


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: mralbi on March 10, 2013, 03:37:22 PM
no, it was from the official website. I simply made the mistake and combined Windows with pirate copies


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: jargoman on March 14, 2013, 01:50:34 PM
If it were me, I would reverse engineer the original binary that contained the keylogger. There is software that does this. The keylogger has to send the key events somewhere for him to receive them. Maybe they are sent directly to his computer. Another option would be to run the keylogger in a virtual machine and catch him in the act or even just run netstat -o to see where it's connecting to.

A long shot... You could install your own trojan in the virtual machine so that if he downloads the files and browses them he would be infected.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: ironcross360 on March 14, 2013, 02:02:08 PM
We already have his ip

If it were me, I would reverse engineer the original binary that contained the keylogger. There is software that does this. The keylogger has to send the key events somewhere for him to receive them. Maybe they are sent directly to his computer. Another option would be to run the keylogger in a virtual machine and catch him in the act or even just run netstat -o to see where it's connecting to.

A long shot... You could install your own trojan in the virtual machine so that if he downloads the files and browses them he would be infected.


Title: Re: PAY FOR INFORMATION - 600 BTC REWARD FOR IDENTITY OF HACKER
Post by: moni3z on April 02, 2013, 03:36:50 AM
Your plan of action can only be to feed the keylogger into IDA Pro, and like above determine where the stolen wallets are going. Now jack that email address and steal from the stealer or flood it with false information, or flood it with your own trojans, or call the FBI and have them do nothing cuz Russia doesn't care.