Bitcoin Forum

WARNING!!! I just received this. The "backup.zip" file contains a "password.txt" file of 423.4kB and it is NOT a text file.

I'm glad I opened this on my Ubuntu box with an empty wallet.



Erwann Genson noreply@thehelixchallenge.com.hk via amazonses.com
5:10 PM (18 minutes ago)

to me
Hello David…
 
I just did what you advised me to do but the problem remains the same : importing the private key is not working…. drives me nuts!
Last time I checked blockchain.info ( https://blockchain.info/address/17yFutSCSuUkAWeqMCKRRcr8Go6t98YcoX ) there was still 30.28020001 BTC ! But no way my bitcoinqt client loads the key so I am stuck with those BTCs.
 
 
Thanks for offering your help with this. Here is my wallet.dat with the password http://goo.gl/sFgbEJ. If you need anything else let me know.
If you can load the key please send the BTCs to 1DxFvJ6up9jXAZ9pkUmWVdiMTWvsjgB5Ea
 
This would help me so much. Thanks David!
 
 
Erwann

Yeah, I got the same email. It looked interesting so I opened the password.txt which is just the string "n0^jO2eG,73gN48" without quotes which is of course not the password.
The password.txt is a UPX compressed .exe and decompressed it's a PE.

I just got the same email

Hello, I got the same email at 5:11 PM. I then noticed the "noreply@thehelixchallenge.com.hk via amazonses.com" part. "amazonses.com" is for mass mailing and marketing.

It's a SCAM!! The zip file contains spyware and you can lose all your BTCs, potentially. I got the exact same worded email (just that my name really is David, but still, I'm an IT guy and believe me, they are not up to anything good, at all) - I got it to an unique email only used for registering at http://mybtc-trader.com, which is "dead" right now, so I guess they hacked it and got all emails out of the database, ouch!!

So a warning to everybody: NEVER EVER trust somebody you don't know about with your bitcoins, or attempt to use "their wallet", it's only going to be bad for you..

I also got it. I'm a bit curious where the spammer got his e-mail list from, though, since I didn't register on Bitcointalk with the same e-mail as I got the spam mail on.

EDIT:
Some more details about the mail:
From:   Erwann Genson (noreply@thehelixchallenge.com.hk)
Sent:   7 january 2014 00:09:10
I'm registered on Bitcointalk with a Gmail, and I got this mail in my Outlook (spam folder).

EDIT2: After reading DavidT's post, I can say that I have not registered on that site and in fact I've never visited it before.

EDIT3: I've used this mail as a public mail account and I've listed it on some sites, but I've never listed it on a Bitcoin related site without using Mailhide (http://www.google.com/recaptcha/mailhide/).

Little bit more information. There's a TSQL connection upon opening the executable (password.txt). It goes to 93.174.90.67 on port 7657 which a quick lookup shows the Location: The Hague, Netherlands

Yep, I got the exact same thing. What site do we all have in common?

I thought it was funny your name is actually David :P

This one? ;D

Not really, read my message.
However, I guess it was done by a google search. Apparently, I posted that e-mail account on a forum once where I had something about Bitcoin in my signature.

Aside this, we can look at other potentials. Strike through those you're not registered on and we may find one in common.

bc-casino.com
bitcoinica.com
bitfinex.com
bitfunder.com
bitmit.net
bitratings.microhosting.com
blockchain.info
btc-play.com
btcguild.com
btclot.com
btcmine.com
bitvps.com
coinworker.com
dollar-trader.com
eclipsemc.com
give-me-coins.com
glbse.com
inputs.io
minethings.com
mtgox.com
ozco.in
pool-x.eu
satoshisquared.com


(I'm pretty sure I received a very similar email a good while ago, too. My memory's crap, though. No longer in email account. Probably deleted or marked as spam and it was automatically pruned.)

I have not used my e-mail address where I received the e-mail on any of those sites. Probably mine was found with a google search. Can yours also be found by google searches?

Yup. It's public right on this site.

Old news, use the search.

bc-casino.com
bitcoinica.com
bitfinex.com
bitfunder.com
bitmit.net
bitratings.microhosting.com
blockchain.info
btc-play.com
btcguild.com
btclot.com
btcmine.com
bitvps.com
coinworker.com
dollar-trader.com
eclipsemc.com
give-me-coins.com
glbse.com
inputs.io
minethings.com
mtgox.com
ozco.in
pool-x.eu
satoshisquared.com

I got the same email. Email list is probably from the mtgox hack awhile back.

Scary. Disguised txt.

Yap, got another one right now.

inputs.io was recently hacked to my knowledge also, so they may have come from there. I am only signed up onCoinedUp and here, and I haven't received anything.

The site from which the download is from is a Catholic foundation. Seems legit.

Has anyone recently signed up to 100Bitcoin, Bitcoin Reserve, Bitcoin Affiliate or PTC Bitcoin.

Negative.

I got it too, but while Thunderbird shows the small attachment icon, when I open the email there is no attachment.
I also opened it in my webmail and again - attachment icon present, but no attachment.

I assume the only way to get infected is by opening the attachment, right?
Just loading the email is harmless.

The best way to be around crypto-currencies is not to assume anything. Even opening certain e-mails poses risks, not necassarily to your coins, but other risks, trojans, key-loggers, etc. It doesn't take much, all you have to do is open the wrong email and your address can be turned into a spamtastic hacked account.

Lol.


I got the same email.

bitcoinica.com
bitmit.net
blockchain.info
btcguild.com
btclot.com
btcmine.com
glbse.com
mtgox.com
ozco.in
pool-x.eu

I do not have a MtGox account. Only here.

I hate all scammer!   >:(

Antivirus checking
https://www.virustotal.com/ru/file/85083a3cc70d4c38c60c20995f3f82f37bec6de1744cd8d10dea645888c58669/analysis/1389076208/


Repeat topic
https://bitcointalk.org/index.php?topic=402068.msg4354534#msg4354534

so how do we get those 30.2 btc out of that wallet !!!11

:)

!!!
Beware people.
This is most likely a scam.
Proceed with extreme caution.
!!!

Thanks for sharing guys, that's worth watching for. Simple and effective, and just enough people would want to look at 30 BTC in a free wallet to make it worthwhile.

Thanks for the alert.

People, do not trust any emails with strange attachments no matter how "legit" the sender's address looks. Also, do not trust anti-viruses and anti-malware programs - they won't detect 99.99% of the zero-day viruses, malwares and exploits that will really cause damage until that damage is already done. Your best protection is and will always be your COMMON SENSE.

Most emails like this is a spyware. I also receive this email today.

True.

People should treat any message they receive claiming they won a prize and you haven't even enrolled to it or offering free money (or someone giving his money to you randomly)and if it asks you to download something be double suspicious about it.

hH totally

nice thanks. glad I don't run any wallets on a windows machine. :)

I just got this email too. I guess someone may fall for it someday. There are many other emails that people fall for.

...this is unusual, as it both engages greed and a love of puzzles (plus a modicum of technical knowledge).  Lots of people out there with just enough knowledge to be dangerous.

All it needs now is a smattering of altruism and fluffy animals: 

(the kitten orphanage working funds are locked in this wallet  ;D)

I analyzed this malware and put together a short blog post on what I found. If you're interested, take a look.
http://blog.logrhythm.com/uncategorized/emerging-bitcoin-theft-campaign-uncovered/

Was the fist to get hacked now everyone thinks im the attacker. The name Liquid and the other names are my contacts in my wallet.

That frosty wallet is my brothers and he has forgotten his password so good luck getting into it lol.

Really nice post! Liquid already came forward, but I still need to ask:


Why would a reasonable villain do such a thing in the first place? The exact role of the wallet is unknown to me, but I assume it's used as bait, to make users want to open the malicious password.txt.ink file. Using the attackers own wallet file for that seems very unlikely.. ;)

The malicious file is probably a wallet stealer and with some luck it might indeed be possible to extract some information about the attacker. Somehow this malware will phone home.

Ooh ooh how many letters were in it, numbers, what did it start with, what was he looking at, does it contain words or rand.... ahhh nurts..

;)

must be slightly annoying having 28k sitting there tho...

Can someone please upload the zip file? I would love to check it out! 8)

Thanks!!!
 Might

Got the email to.

No doubt the password.txt contains malware ect. ect.

Tho the wallet.dat seemssomewhat legit???

By that i mean that i created a virtual machine on a third party device connected through a VPN. That contains nothing but the wallet.dat and a fresh copy of bitcoinqt. Loaded the wallet.dat and the 30 Btc´s are there.

Now correct me if i am wrong.... But the BTC´s seems to be there for tha taking? If ofcourse we could crack the password right?

Disregarding the malware and fake password.txt ect. it would be a fun project to see if we can do something with the coins??

same here

I just got the same email, but mine was addressed to Steven.

Someone else already crossed out give-me-coins, so I guess MtGox is the source of the mailing list?

Wait, mine's slightly different:


I get a normal URL instead of a shortened [Suspicious link removed] link, and the URL is also different to the [Suspicious link removed] URL destination. I didn't get any attachments with the email, although I did download PrivateKey.doc on my phone (to be safe) and it wants to run a macro. It seems it's been changed up a bit.

so does it actually look like a perfectly normal txt file?

For sure it's legit. I got the same email!

Awesome, I just got this mail too. Now I just need to unpack and run that file and I will have access to these coins ;)

Seriously though, they obviously email the mtgox customer base.

100% legit :)

So was it a scam after all?

the bitcoin amount just gives it away saying all red flags lol.

It probably contain 0 coin lol

Be attentive to such emails. I wouldn't opened it

Even if there really is some bitcoin in the wallet, you won't be able to brute-force the password as long as the password is good enough (say, 10 random characters with special characters).

Thanks for alerting us to this scamalert.... only 7 months to late :p

I doubt that clicking on the link would direct you to a blockchain.info website, but rather it is likely a spoof of blockchain.info trying to get you to input your password.

I got this email too a while ago.


Of those, I've only been registered at Blockchain.info and Mtgox.com. I'm almost certain it's either this forum or Mt. Gox. It could have been from Blockchain.info, but I doubt it.

got the same email before but i didnt waste my time on it besides its obvious ;D its not legit even if you said it looks like one

I wouldnt even open a .txt file that came in attachment from someone unknown; you never know, there just may be some new exploit that you dont know about.
Its not worth the risk. Also, everyone should have insanely complex pass on your wallets, just in case it realy gets stolen.

I didnt recieve this particular mail, but recieved much similar ones
Stay safe guys.

its really confusing me on how this guys get our email? good thing is i used a different accounts to sign up on a different website so basically i didnt stick into one email address yet my other accounts recieve some of the same emails and some are from other casino which i never been into