Bitcoin Forum

Hi guys, as you may know I run the Netcoin Forum. We had a guy PM some of the members regarding "netcoin messenger" which allows you to chat to each other via your wallet addy or some non-sense.

Anyway, 1 of my friends downloaded the thing and then warned me that it was malicious. It messed up his entire PC and they had to re-install to fix it.

Anyway today he loads up his wallet and the coins vanish soon as it syncs. Not just his Netcoins but ALL his coins.

This is the IP I have from the forum 176.10.115.120 He used the name all4coins.

We have this...

[17:39:43] Tristan Weir: 1  alan5 (193.62.127.129)  2.912 ms  0.897 ms  0.819 ms
 2  gw-fw (193.63.74.131)  0.320 ms  0.268 ms  0.254 ms
 3  c-pop (193.63.74.226)  30.257 ms  18.952 ms  16.952 ms
 4  193.62.116.18 (193.62.116.18)  1.167 ms  1.095 ms  1.099 ms
 5  ae6.manckh-sbr1.ja.net (146.97.41.61)  1.249 ms  1.231 ms  1.252 ms
 6  ae29.erdiss-sbr1.ja.net (146.97.33.41)  3.124 ms  11.640 ms  3.116 ms
 7  ae31.londpg-sbr1.ja.net (146.97.33.21)  6.970 ms  6.958 ms  6.969 ms
 8  ae30.londtw-sbr1.ja.net (146.97.33.6)  7.530 ms  8.338 ms  7.499 ms
 9  ae29.londtn-sbr1.ja.net (146.97.33.10)  7.549 ms  7.510 ms  7.535 ms
10  ae0.lond-gw-ixp4.ja.net (146.97.35.182)  7.550 ms  7.496 ms  7.473 ms
11  linx-1.solnet.ch (195.66.224.169)  7.667 ms  7.659 ms  9.574 ms
12  dexfra-bbr01.solnet.ch (212.101.0.122)  18.743 ms  18.785 ms  18.690 ms
13  iwbbas-bbr01.solnet.ch (212.101.0.117)  34.010 ms  24.271 ms  23.409 ms
14  eq1zrh-bbr01.solnet.ch (212.101.0.74)  34.268 ms  24.251 ms  24.375 ms
15  eq2zrh-bbr01.solnet.ch (212.101.0.61)  29.418 ms  24.333 ms  24.268 ms
16  datasource-gw-as51395.customer.solnet.ch (82.220.32.126)  24.827 ms  24.891 ms  24.805 ms
17  176.10.115.120 (176.10.115.120)  25.190 ms  25.106 ms  25.094 ms

I don't know if this will be of any use or if we can do anything at all but if someone knows how to help and if they have any experience with this then please get in touch... Also if you see this kind of message never download. I guess the lesson here is to never download anything at all.

Feel so bad about this and don't really know if we can do anything. Is there? Can we do anything?

:(

EDIT More data

Abuse contact for '176.10.96.0 - 176.10.127.255' is 'noc@datasource.ch'

inetnum:        176.10.96.0 - 176.10.127.255
netname:        CH-DATASOURCE-20110518
descr:          Datasource AG
country:        ch
org:            ORG-DA327-RIPE
admin-c:        RT488-RIPE
admin-c:        RT4480-RIPE
tech-c:         RT488-RIPE
tech-c:         RT4480-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      ch-mgw
mnt-lower:      MNT-DA327
mnt-routes:     ch-mgw
mnt-routes:     MNT-DA327
mnt-domains:    MNT-DA327
source:         RIPE # Filtered

organisation:   ORG-DA327-RIPE
org-name:       Datasource AG
org-type:       LIR
address:        Datasource AG
address:        Christian Mitros
address:        Boesch 69
address:        6331
address:        Huenenberg
address:        SWITZERLAND
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        CH-MGW
mnt-ref:        MNT-DA327
mnt-by:         RIPE-NCC-HM-MNT
tech-c:         RT4480-RIPE
tech-c:         RT4480-RIPE
admin-c:        RT4480-RIPE
admin-c:        MITR2-RIPE
abuse-mailbox:  noc@datasource.ch
abuse-c:        DA5093-RIPE
source:         RIPE # Filtered
phone:          +41417633088
fax-no:         +41417633090

person:         Rolf Tschumi
address:        Datasource AG
address:        Boesch  69
address:        CH-6331 Huenenberg
phone:          +41417633088
fax-no:         +41417633090
nic-hdl:        RT4480-RIPE
mnt-by:         MNT-DA327
abuse-mailbox:  noc@datasource.ch
source:         RIPE # Filtered

person:         Rolf Tschumi
address:        mgw online service
address:        Roetihalde 12
address:        CH-8820 Waedenswil
mnt-by:         CH-MGW
phone:          +41 79 242 25 04
abuse-mailbox:  abuse@mgw.ch
nic-hdl:        RT488-RIPE
source:         RIPE # Filtered

% Information related to '176.10.96.0/19AS51395'

route:          176.10.96.0/19
descr:          Routing via Datasource-Schweiz
origin:         AS51395
mnt-by:         MNT-DA327
remarks:        Info RT4480-RIPE
source:         RIPE # Filtered

What was his loss amount in the BTC equivalent?

sorry to hear, it seems a Switzerland IP address - track him here: http://ip2location.com/

Did he not have them encrypted? This is why I don't bother with most alts, and if I did I would have all the wallets on a separate computer.

I dunno $10,000, I know that.

Yes he had them all encrypted. And yeah you should I guess, I mean BTC has had it's problems regarding this in it's life. It isn't immune, is it?

Unless his password was really simple I don't know how it could've got his coins that quick. Did he use one password for them all?

=[

I was hoping i could cover some or all of his loss, but that's insane.



MUST scan ALL items before opening!!!!! I know it's already happened, if there's a lesson to be learned, it's that right there.

Just warn your friends and spread the word so this does not happen to anyone here.

Yeah I don't know how either mate, obviously I don't know the passwords, but no he said he had a different one for all of them.

Ahhh well that is nice of you mate. But yeah it is an insane amount. I feel so bad for him cos he is a great guy as well. I have put a warning on my forum right at the top and I think I will copy paste the OP form this thread there too.

What an end to the year :(

It is a scary thought that someone can get to these coins so easily. :(

But yeah must scan everything.

Oh man.... I dunno what else I can do for him. :(

Is there any precaution to avoid this malware?

Malwarebytes is a program you can use, it is a bit of an inconvenience as it deems a lot of things a threat including things like skype but after this I think it is a good idea.

As another poster said scan everything before you download.

Also paper wallets? Or some other kind of offline storage?

Running any third party software that involves your wallet is STUPID, no other word for it.

If you are ignorant enough to use 3rd party software involving your wallet, you DESERVE to be ripped off.



~BCX~

Yep.

Scan whatever you download if it has not been verified clean by other members of the forum here.
Edit2: Here's a link for individual file online virus scanning: https://www.virustotal.com/ for that purpose.

No exclusions, no exceptions.



Edit: BCX, have some mercy.  Not everyone starts out as a jaded, paranoid watchdog.   In fact, when you get ripped off next and you look for commiseration, i hope you get people giving you your response back at you.

As much as I agree that people need to be a lot more careful, and to be so wreckless with what is essentially money invites scam artists, nobody deserves to be ripped off.

is his nick all4coins?
http://quark.freeforums.net/thread/1259/release-quark-messenger  ???

Yes that is his nickname! Delete and block as soon as you can, seems he's going around everywhere then!

Man....

Never made a mistake then I take it? Man... yeah the guy did a silly but it could so easliy be any one of us. We all make rash decisions sometimes.

Have a little heart :(

He also pm for his crap messenger asking me to use it  >:(

So if he is in Switzerland someone should report him to the Swiss authorities. Is there anyone here who can speak Swedish and report this turd? We have his IP and the fact he stole 10,000.00. In Canada and USA that amount gets you jail time.

  nice that guy got only one post.

Yep that'll be him mate! I hope you didn't download it, please warn everyone on your forum! At least we can stop others getting rinsed like that.

Swedish? Switzerland? Lelwut?

This isn't anything new as I have seen this pulled off by several others over the past 3-4 years.

FYI, I highly suspect that "all4coins" is actually another scammer by the name of Hydroponica.

The IP is easily manipulated and is child's play for someone that can code a messenger.




~BCX~

I think this could be the way forward... We can't let this scumbag run around dropping his trojan off all over our scene and get away with it! I bet you there are others that have been effected but just don't know it yet.

Man I just hope there are not many :(

https://doges.org/index.php?action=profile;u=6122
https://www.gldtalk.org/index.php?action=profile;u=1261
http://www.peercointalk.org/index.php?action=profile;u=30110
http://infinitecointalk.org/index.php?action=profile;u=3739
http://forum.feathercoin.com/index.php?topic=6503.0

active guy  >:(

Yeah I thought this too. :(

I doubt he would go to the trouble to code the trojan but then not cover his tracks... BUT with that said there must be a way to find this asshole surely?

Or ehat we just let him make another character in a few months and do the same again?

I know it hasd happened before too... But you have to remember that there are always new people coming into the scene everyday. They can read everything and take in all knowledge in seconds can they?

But yeah more precautions are needed for sure.

Right yeah, what an arse... Jeez... Well I guess we had best let all these other forums know. That is all we can do right now. Stop the rot and then I think we should do all we can to track the guy down!

If it is possible for the victim to post in here and verify himself, perhaps the community could donate a bit to him to lessen his impact.

Hell no  :D :D :D i dont have time for peoples shady applications

*edit
Hes tried it here also https://nextcoin.org/index.php/topic,1759.msg16397.html#msg16397

i very much doubt that is his actual home ip address, people coding this stuff probably know about proxies etc.. could be anywhere. People have lost 100's thousands of dollars worth of crypto before like this, i never hear about any of them getting any back.

All these noob posters publishing new coins daily, at lot of people are going to get raped hard sometime soon. Sometimes these coders/hackers get one step ahead of the antivirus malware companies, when that happens next a lot of coins will vanish from wallets.

Sad to hear for sure, i hope he does get some back but i very much doubt it :( those coins are long gone.

Thanks for the warning, the Same guy is at the Litecoin forums trying to steal wallets. I've warned the Litecoin community.

I'd like to add that with VPN you can't really tell where he is exactly.

I think wallet security is the biggest fundamental flaw with Bitcoin.

Everyone compares Bitcoin with cash with good reason.  After all, storing Bitcoin in an online wallet is akin to stuffing your cash in a stranger’s mattress.  No one would do that, yet people still use online wallets and, in the case of inputs.io, lose a lot of money by doing so.

The wallet stealing viruses can easily be prevented, but it is not something that most people really think of when downloading programs.  It’s not really the same as being pickpocketed because you never even have to come in contact with the criminal.  It’s more similar to someone leaving a business card on your windshield and you placing that in your wallet and then when you get home you notice that the business card just ate all of your cash.  

Cold storage is the best way to prevent this, but even with Armory’s efforts to make it as easy as possible; this is a very complicated process for some people and a deterrent for them to actually spend their Bitcoins.  

Online storage is easy to spend but it is not safe.  
Cold storage is very safe but is not easy to spend.

Is there a happy medium (safe and easy to spend) that I am missing?

So let me get this straight, the wallets, ALL of them had their coins emptied. The passwords were all different.

So how did he do this? This must mean that Satoshi's client is broken and needs more security! This is insane.

here is the Quark messenger run in sandbox
https://malwr.com/analysis/NDAwOGQwZjliMDRiNDg4ZmE1OTc2NDlhMWM2ZTVlZDg

Okay he is here, https://bitcointalk.org/index.php?topic=393618.new#new

He's a bit upset and I must say that he told me after that the $10,000 came out wrong and it was 10,000 gold that went missing as well as 250,000 NET and a bunch of other coins. He can obvioulsy tell you more than I anyway.

Thanks guys.

Yeah I think you're dead right it is a tough one... I wonder too if there is a happy medium, I reckon it is probably not possible because really anything connected to the internet is a risk. It looks like if you are storing coins cold storage is the best bet and then maybe have some in your normal wallet to play around with.

I think I will get to work on making a cold storage thread on my forum. Do you know if armory id available for other coins or is it just BTC?

Maybe the passwords were weak and all similar? So easy to crack? I really don't know. I guess he can tell you more about it.

I think the above is highly likely :(

Good work, thanks for helping to spread the message, about all we can do. :(

I never understood why people blame the victim. Grow some empathy for fuck sake.

some think because it doesnt get flagged by anti virus its safe  ???

I don't think Armory is available for any altcoins, just Bitcoin.

Thread with a little discussion on it from the developer of Armory:
https://bitcointalk.org/index.php?topic=187835.0

Until it happens to them, then they cry bloody murder.

So there you have it folks. Use a brainwallet next time. Or, a trusted exchange with 2FA.

how to use virustotal.com to scan a wallet before you download?  do you have to download it first and then scan?

I DL the object in a win7 VM and scan it there. No need to open it, just scan the entire thing. 

That way, if it indeed is a virus it only blows up the VM.  I just restore the VM to the clean image.

You should write to police if they have department which research sybercrimes. Usually they should have. They can find this man, but process is comlicated here.

Sorry to hear about the loss.  :(   I'm sure with the advent of crypto currency, we'll probably have some form of a global Crypto police out there in a matter of years. 

Oh boy, why would he do such a thing. He was just fishing for newbs :/ Sorry about your luck.

I highly suspect this guy is using a keylogger.

So once you do anything with your wallet and type in your password he has it. Then he downloads your wallet and has the encryption password - end of story.

site:bshades.eu "All4coins"  ???
http://lmgtfy.com/?q=site%3Abshades.eu+%22All4coins%22

winning negative money is fun. doge doge!

Except it won't happen to them, because they have common sense.

It wasn't a mistake on the users part, it's not a clever con by the scammer; it's people just being ignorant.

Your digital wallet is the same as the physical wallet in your pocket. Your wallet address is the same as your bank account number.

Why and how on earth could anyone even begin to think that it would be safe to run a 3rd party program from someone you don't know on your computer that requires that sensitive information? I mean, really, if someone released a chat client that required you to enter your bank account #, would you do it? If you would, you're dumb as a sack of rocks. This is exactly the same thing. Unknown unofficial 3rd party software + wallet address = SCAM. No ifs, ands, buts or exceptions about it.

The only thing you run on your computer regarding your wallet IS your wallet. That is it, nothing else. Except maybe an auto-trade script, and that is ONLY if you write the script yourself.

Its seriously pretty darn sad that this needs to be explained to people at all. Makes me wonder what else needs to be explained to some people. Don't wash your eyes with bleach. Don't take a nap in the middle of an intersection. Don't lick an electrical outlet. Don't buy a Rollexx for $50 from that guy out of his trunk. Your welcome!  ::)  ::)  ::)

I don't even understand what the interest in this was anyways. Like there aren't enough legitimate chat clients out there that everyone can use safely for free that don't require such information.


Exactly. When someone chooses to fore go common sense and do something that is very dumb, anything that happens ultimately becomes their responsibility.

wait





that wasn't the Wallet Inspector!

https://i.imgur.com/9FUHdl.png