Bitcoin Forum

Important update: user who claimed to have lost bitcoins is now saying his account was hacked and someone else made those remarks:  https://bitcointalk.org/index.php?topic=202068.msg2110230#msg2110230

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Reports are spreading that the YACoin windows binary may be stealing Bitcoins. I am setting this topic up as a non-FUD only discussion. Post facts that you have.

Reports that have come in so far:

https://bitcointalk.org/index.php?topic=202087.0 -bennybong has lost his bitcoins
https://bitcointalk.org/index.php?topic=202070.0 - Aahzman seeing unusual activity in this Wireshack logs (network monitoring program)
https://bitcointalk.org/index.php?topic=202062.0- Brewins has lost his bitcoins
https://bitcointalk.org/index.php?topic=202089.msg2110113#msg2110113 - User poly posted in this topic to say he had lost bitcoins
https://bitcointalk.org/index.php?topic=196196.msg2110188#msg2110188 - user Destroyer has had 256 bitcoins stolen
https://bitcointalk.org/index.php?topic=202122.msg2110421#msg2110421 - Skytape has lost bitcoins

How you can help:

1. Please add reports. It seems this is occuring to individuals who ran the windows binary downloaded from mega.
2. If affected, PLEASE state what programs you downloaded. if you downloaded the windows binary, was it definitely from the first page of the Launch topic or was it a repost to Mega you downloaded? Important!

Everyone:

1. If your Bitcoin wallet isn't encrypted, encrypt it immediately.

Possible source of Trojan is NOT in the client:

The possible cause of these claims maybe this miner which has suspicious activity in it: https://bitcointalk.org/index.php?topic=202089.msg2110724#msg2110724 This is NOT the client and is NOT officially connected to YAC.

I belive this people work togetter to make 100posts to reduce the YAC price. Where is the proof?

So far the reports are contained to 4 people creating all these topics (some of them making multiple topics): bennybong, Aahzman, Brewins and hdclover. Now poly has stepped forward.

It is looking increasingly likely something bad is happening here.

I have lost coins too.

Also, in the newbie section:

https://bitcointalk.org/index.php?topic=202081.0

https://bitcointalk.org/index.php?topic=202058.0

https://bitcointalk.org/index.php?topic=202079.0

Oh my god this is some well orchestrated FUD.

Mods will be busy today.

FACTS:

- No proof has been posted as of yet
- Initial claims by non-reputable persons on the forum
- At least one claim probably debunked (bennybong's claim https://bitcointalk.org/index.php?topic=202087.0) <-- He also seems to say his account is hacked? Possibly his account was hacked by FUD spreader.
- User Poly has not been online since april 18, and suddenly comes in here right now to spread this <-- hacked or FUD.

 Those people who "lost" coins don't really fury about it and it makes that suspicious...

Post the name of this people. Fast!

www.yacoinstealmybtc.com

need someone to register that domain :)

Hi, i am the Admin at Yacointalk.com i posted this now

http://yacointalk.com/index.php/topic,26.0.html

Add me to the list.. Not much stolen (just stuff I got from CV), but my wallet has indeed being stolen.

Donations are welcome

Gotta agree, after monitoring the situation for almost an hour something very fishy is going on and it smells a lot like like FUD. There is a good chance if it is real then it is not the executable linked in the YAC OP launch topic but some other .exe or even miner software downloaded afterwards.

All of my spelling errors. You sure you're not a badly educated chinese hacker?

Post a stupid claim about me and get deleted. This is for reports of people who are claiming lost Bitcoins.

Wow, you actually deleted his post.

beenybong now says his account has been hacked and no BTC were stolen:
https://bitcointalk.org/index.php?topic=202068.msg2110230#msg2110230

Already added to the original post.

See also, https://bitcointalk.org/index.php?topic=202101.msg2110256#msg2110256 - along with comedy response from hdclover, who seems to be posting fairly indiscriminately :)

--Tom

Add me to the list .. I am quitting bitcoin

Fuck you bitcoin24 Fuck you blockbet.net Fuck you yacoin

I AM NEVER USING BITCOIN AGAIN. $200 IS A LOT OF MONEY TO ME, AND YOU STEAL IT

But what about source code? If I will compile it for windows, can wallet steal my bitcoins?

I am deleting all messages in ALL CAPS bright red font. Nothing personal. Looking at you hdclover.

Just Jr. Members lost ther BTC and they registed in this Forum just to post, that they lost some BTC. A bad  joke

Looks like there's another report here: https://bitcointalk.org/index.php?topic=202122.msg2110421#msg2110421

I haven't being able to reproduce this (but my wallet is encrypted, hmm)

Says the JR member? I'm not saying it's true or false, but I will say that its amazing so many people are willing to download a random 'wallet' and run whatever commands some random member tells them to with NO idea what it is they are doing.

Ehh, not really amazing.  The herd mentality is really popular nowadays; why think, when you can be led?

I think all posts with ALL RED or special fonts are very suspicious and seem to be either FUD or hacked accounts.

Hopefully administrators can clean this up, delete all those posts, suspend any accounts that look hacked, and get any substantive posts into an official thread

I think it's more the profit motivator at play. Throw in the opportunity to make money, and much reason/caution goes out the window for most folks. It's all about getting there before the other guy. Not saying I don't suffer from this too, but I realize it. Can only mitigate it when you realize it.

Thank you!

For what it is worth, I had no coins stolen. I used the original executable from the OP announcement, plus compile from source on linux. If (if!) this is true, I suspect it is one of the later binaries that came out.

FACT: YAC fear mongering is a testament to YAC's success.  They want it.

I installed the client and miner for YACoin on a windowscomputer to test it yesterday, the computer has several altcoin clients on it, there was still an old bitcoinwallet on that computer (unencrypted!) that had a very small amount of btc's in it. Not really enough to get worried about so I actually didn't bother much and didn't transfer them. Also a wallet with an even smaller amount of Litecoins in it is on that computer (also unencrypted), just checked and everything is still there and no suspicious activity is going on. I downloaded them from the mega link.

I know i keep posting this but, can we get ONE screenshot of peoples bitcoin wallet with transactions going out?

One of the minerd.exe programs is infected, see here:

http://i39.tinypic.com/dtzl4.jpg


That's probably how some people's coin got stolen. This was the minerd.exe that was downloaded from the "virusscanner friendly" Minerd topic.

Nice find Mushoz. Updating the OP.

The only way to find out is to reverse the exe, forget about virus scans etc, these are 100% proof, also the fact that some people claim to be affected is also not much proof, its possible its either made up, or caused by another exe or attack too, plus if its caused by this exe, it may not be attacking everyone for various reasons.
Luckily the exe does not seem to be protected with a strong packer. Running a packet sniffer alone also may not show much. So if anyone has had a look through the source to start off with that can be helpful but we need someone experienced with reversing exes to check em out to be sure.

Yea its seemed suspect to use themida in order to stop the original minerd.exe from showing up in virus scanners as themedia causes even more propblems for virus scanners and can be very hard to reverse too.

(the win32 binary downloaded soon after release)

tested under a VM for ~30minutes.
no read operation toward bitcoin wallet yet.
and no dns request to the suffix yet.

although the motivation to release yacoin is still highly suspicious.

Even the normal minerd (for scrypt and sha256) gives an anti virus warning, have to whitelist the dir to start it...
So the windows compiled "new minerd for scrypt-jane" posted later could indeed have a trojan and most wouldn't notice as the program is already known to cause false positives.

Cannot show the whole list, as it won't fit my screen, but I've checked all entries, and the ONLY wallet.dat Yacoin accesses, is the one it's supposed to access (Yacoin's wallet.dat). I have NOT seen it access Bitcoin's wallet.dat

http://i39.tinypic.com/4j9f7q.png

+1

although so all altcoin clients should first go to a vm

So not one person has come up and posted a screenshot of there bitcoin wallet :-( that is sad

At this point, I think we can safely say this was a coordinated FUD campaign rather than a genuine vulnerability with the *original* windows client.

The fact that bitcointalk.org accounts were compromised and used to post FUD is a smoking gun

Agreed; show your support for 2FA security here. (https://bitcointalk.org/index.php?topic=200279.0)

Did nobody find it strange that the "virus-free" minerd binary size was so large?  my tinfoil hat is pointing at the "virus free" minerd.

Agreed.

My dumb bitcoin wallet is not stolen, and it has no encryption

(who will steal 0.0001 BTC?)

I only use the miner within yacoin and GPU miner...

connected to http://pool01-cnc.coinloot.com:8400/static/...

lol... i know my system is crap, but I am just playing with it (Q6600+9500GT)

 ;D


https://docs.google.com/file/d/0B9JEkkyp5LfIbjZPS3ZIcUswM0U/edit

Could someone run all of the minerd binaries in a VM and check process monitor?

If these isn't just a FUD campaign, an infected minerd binary makes a lot of sense.

The only people downloading them would be people running YAcoin. It would be pretty easy to assume it is YAcoin.

Basically, I guess its only the minerd.exe with jane in them :D

Lol...

Normal minerd and cudaminer, etc don't have the virus in them

So, don't trust miner softwares other than the ones that are verified to be real, because I have tried 'jane' edition and always got a fail message  8)

 :D

Slander!!! looks like a smear campaign YAC community better get this under control. you are loosing your network!!!

DO NOT like being involved with this!

I've been running minerd_scrypt_jane_x64_avx.exe all day and have the yac wallet installed.
So far my btc wallet is intact but it is encypted !

If there is a keylogger of some sort my bitstamp and blockchain wallets will be empty very soon... I will post again if this ever happens !

Edit :

That is for the exe I have, there could be a corrupted one somewhere...

SHA256:    f2d76e2df4c42254b2f62fd42bc748c538818c786bb86ae92b316b94eae79034
File name:    minerd_scrypt_jane_x64_avx.exe
Detection ratio:    0 / 47

https://www.virustotal.com/en/file/f2d76e2df4c42254b2f62fd42bc748c538818c786bb86ae92b316b94eae79034/analysis/