Bitcoin Forum

Dear all,

stupid as i am i allowed some hacker to somehow install a trojan horse on my pc where i stored some of my bitcoins. (around 2600), With keylogger he got all my passwords and, of course stole my local wallet file (encryption did not help)

The hacker sent the bitcoins to the address: 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS

http://blockchain.info/address/1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS


Of course i will have the police investigate, but they do not even know what bitcoin is.....
Maybe some of you are expert enough to track the bitcoins so the hacker can loose anonymity by selling them on some platform or similar.


At the same time of course he also stole 200 from my mt gox account, for that the hacker used the email address avolokova@bk.ru and the transaction data was Transaction reference:
f5e5acd4-50a6-4de5-9061-1c0e3964eafe
Date: 2012-11-16 03:30:13 GMT
IP: 178.177.115.229

If you have a hint that discovers the identity of this person so i can get the bitcions back, i offer a reward of 600 BTC or bitcoin equivalent.

Thanks

Good luck

Are you just trying to figure out who the person is? That alone could be a daunting task. If you are actually trying to get your coins back you might be living in a dream world.

I haven't found anything with the most basic avenues, those were all things you could have tried yourself though and probably did. I think if you really want answers you are going to have to find people who do this for money. Make sure you get out of the Newbies section and put up some pay for information posts in the correct forums. You might find some hits that way.

It's a bit strange that someone who successfully stole your wallet would use an already existing address to send the money to, instead of using a brand new one.

From the information on the blockchain, I would create a list of addresses which have sent to that one address in question, or recevied from it.

Then offer a bounty for anybody who owns one of these addresses; they should be able to tell you who they sent their coins to, or from who they received them.

Those previous transactions are most probably from other victims of the trojan.

When exactly did you get the trojan? While installing what application or visiting what site? What is the trojan name? This would be very useful information to investigate upon.

I always told that wallet encryption is not good at protecting the coins, here is proof now!

You did not allow him to install, You installed the trojan yourself!

How You supposed to pay these 600 coins? From returned coins? Because I cannot imagine how to return the coins in this case. I have few ideas how to try to unmask the thief but it is private talk.

The police should not need to know what the bitcoins are. All they need to know that computer have trojan installed and they need to do their job and try to find who compromised the system. It may or may not be possible depending how the hacker realized the operational security.

2600 coins are 30 kilodollars!

With the exception of OP's coins and a 15btc tx all others are multiples of 50btc though.
I also looks like each of those 50btc transactions goes through 1CLVnMWEwzuGVcQ6L2WBoUJQFj3B9XeVmx or 1HeyN2fuKPurGPQsSSpt3S2Ruy7zc5rye9 if you just go back long enough.
Maybe it's a mixing pool?

Probably a long shot however do you still have the binary of the trojan used to steal your wallet file. Majority of the wallet stealers originate from the same source which uploads the wallet.dat to an FTP server. With a little RE using some debug tools you may be able to find a little more info about the person by finding the ftp host name user and password.

If that does not help running the binary within a virtual machine and checking to see the outbound connection would possibly allow you to see the ip of the command and control server used for his trojan horse in which case you could use do a whois on it. However there could be a possibility that they may have used false credentials for their c&c.

Again a longshot, will post if anything more springs to mind.

thanks for the tipps so far,


well, to be honest, i do not know how long the trojan was active before that. I only realized of course when the bitcoins were gone. Unfortunately he also erased my whole harddrive, so i could not even figure out which trojan it was.

Luckily i did not store all my coins there, i still have most of it at other places, also offline, but still this is a very bad thing...


Also, i do not think i would have a chance to get these coins back, but at least it would be good to get the identity of this guy. Mazbe he makes some mistake and there is a chance to catch him with the info from the blockchain.

I was hoping here is some expert that could connect hash information with IP data or personal data somehow.

Sorry to hear of your loss.

This never happens when you store your bitcoins on paper wallets.  Print yourself some paper wallets today from BitAddress.org

EASIEST WAY to redeem a paper wallet is at BlockChain.info - create a digital wallet, and use "Import Private Key" function.  You don't have to be a regular BlockChain.info user - just create a throwaway wallet if you wish.

PROTIP: Divide your stash into 10 equal parts, and put each part on its own paper wallet.  This way you never have to put more than 10% of your stash online at any given time unless you are spending more than that.

Dude, turn off your computer, go to police and tech-savvy private investigators.

Using Armory front-end on two separate computers, one without network connection is the safest approach in my opinion.

Erased harddrive? The thief got his lulz in addition of 2600 BTC proft!

I am reporting a hack as well, by the same email. Most exchange accounts were protected by google authenticator, these seem okay. I've lost 100 Bitcoins on one account that didn't offer GA, and one got compromised but didn't suffer losses.

Still investigating method of attack.

Edit: My harddrive has not been erased.

Unfortunately for you in this instance (and fortunately for bitcoin as a currency system) there isn't any connection between hash information and the IP or personal identity of the person who creates a transaction.

If the thief isn't careful there might be some possibility that he will create a transaction that will move some of those coins he now owns (or give a receiving address associated with the stolen coins) to someone who can identify him , and with a huge amount of luck that person could end up being an honest person who is aware of the theft from this discussion.  This is highly unlikely, but from a blockchain standpoint there really aren't any better options.

Looking at the blockchain today, I can confirm at this point in time the thief seems to own the following addresses:
1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS
1PJHvJWKLH9qwaRKeyVS2rC5gfZMr344LB, 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12, 1EPwBwuxyfyQF9kwkwDLoqYw2vcxFCDSYa, 1MGpi8ChSTbDRTA7h3gHh89UGirvsXMCZ1, 1CoTHatdK7hEsZJvymuCNf7eQoApMCuJxo, 126ZVBxjad3BtATBXeeq3uZPcKn24zr4gf, 1MmzRFGAg8HdDHnDJTKo1cKNsgxxiMYUtP, 15QUs9EGw283oisjzSF8XP28Kg4FVugveE, 14PnHT4YonpSzccX9GBpmkh4ohs8dDYDaN, 1BmSgffyC6WAJBBSJbXXodcvcw4cQsthW5

In addition the thief has received from or sent to the following addresses (many of which the thief may also own, but I am not able to confirm this yet).  If anyone happens to own any of these addresses (or know who does), then there is a good chance that they know who the thief is (or they also were stolen from):
1129ApiFKympPgHnzNnW8VNaDAYwgTEtMG, 126RfCopCdAS4qoZjTQPaufnvkDCmtsiwp, 12J8nM48ZNZMBaxFRBcyMbHhNkiPKCzQaY, 12Lt8DgTSwbDfQ5EKDkdoiX5czsJfSQcrK, 12r5PLeSPCcTFE78o1SbgaqUXoiY9LfWMV, 1322uvUdCME77yt8tQfkUAGpRtmRXf4EQp, 139TaFcXGJVuTDbR3TfpiGfiegt4jAFpiY, 13ja4sRDMG1uyAwxeAtV52dU4mtk8cHW73, 13XgASZP7N6pTMeyS5Sq8JeuCAkNzefnT7, 142qkA5L4sy1suDJRWfm6njmg3NPneqXmk, 14FSCmXntye2Hm9FGXnbBXiGiziKD41Zzb, 14KThQGAxVcqFLWF5QvESWPWoRqQ5L6i5z, 14oByZkGE9TxPMTeYZYzeNakJuSk7xWXa2, 1513U6VjSwhr3ZAAN3MnDnFHmcXY1HPWdF, 15bGw4QDZNqPPqFqV2kq3oAZB5r5dvUaER, 15GyGHvCUoG1KTPtycoVcqATGu4Ex4DVXo, 15kBvBLejU14VroJgdr863i1FqT6QkWB7U, 15UjaZJxjWdgB8jC6KivuuhbhbxoLuWwDm, 15yk8fiyuAXDTqGL8ekPCsNN7vX6dV6ALf, 163ZekxCzX7RKU49DUc4mda5knqNc3NF3z, 168NqBEoGjWbUwxhKXeCiALiGU8suxW1Ue, 16DnRquyKbsrGAPbp1Z8GxNctLia9t12Ee, 16mMWkKrERWVzAGWbnCxMFoAF9ghTB67MM, 17CLN16PvCdgTYzWKyuc3FjSu1nhGFtFEf, 17KJ3M8vBMNp7vBwwsGp33QN81jNXPa5u, 17m9n5uFTwK1Nfg9Py9STfGg3BNDvVwGyk, 17Vk6E3mNzfyTmZKpRWquKZGR51T7HEXiu, 18drKV9xUJNgKwWPQdpKYUspkKiHsob8xK, 18r9qqqMMtrx1i1xaH624uSFoRkQGqPK7x, 18vWaDD9djRFuZF672PfSzgN19Duvcivsj, 198hk8Qk8v7y2tRaxpE1iJU9fVkX6Tb7ph, 199Y5zwijtZbB6hE77MQxgG7vmDuD4Jv7Y, 19SQ9iFCGyKWeoxDktrVNczWkH6cQ3kmpV, 1A7SukLsFZDNezR2BX4LhJo73HJdBkH6Ua, 1AbY3D7VFRemePM2NgUTquQmAjXLKPg7XH, 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT, 1Ah5hZVevKbDcFLJiwxUTJs2BaySe9S1sV, 1ApkrEjJ5ByihAQZrJxqeau5P19HF8wPSw, 1BDWwDLNAUwAiaqJHvNmMKUNo1U4gbiRHA, 1Bn7XjuwZqScjgT7eytm8mpU8PEpCxXdMN, 1Byx2Wt8phzcuHf5XDZwoFqQq5nErxqrt, 1Cig4FxUY59xVJYeUaF8YtEyfbxDsfVkYm, 1CLVnMWEwzuGVcQ6L2WBoUJQFj3B9XeVmx, 1CMpywEPKTBBsWxccWkTk5tzizteyRG1WZ, 1Dm9XuD28BGYDxi5Rxt38S66ehRSZ2ajtV, 1EcFFZ7eykZQjw6LnDKiXg8NfjSUvqHKZE, 1EedaVtSyVrmkbbAx7iJQpUfFr5beeNHbY, 1Ff3XukPtmVtk9JFr8JVyRZ7rWKoKEY5TV, 1EgQM7unQm59oPm4F87ZRD6JwX4a9WGdTz, 1FbaMihMDCANJ6Xgxc7BgNroKXF1yrEho9, 1FbASjLhfbmF5eKJKzK3Cb55rCN1REuXSY, 1FRb654gcqj38rx9UadziGjLEs1fMSeFjD, 1FuzUfqkWrNaac3j6c8CiWmjCjRMiWjjFZ, 1FyVmocPa9wWwY5WjKtzHwrU8r1NkFE8h9, 1FzVCGK5n9tmj6hPFFffWnC8mjnWZL7bCn, 1FZVJD95CaDAheHCP6R9PiA2Jb4ojVhBSx, 1GjrbSXP1mYCoZbUnGjp5JGvPH4cNK8epK, 1H9QXBc3a4qkRgsLdD1BVoaVKm9UP5PWfa, 1HJ2U8ckG24UADWF1M6DEfnuUmMgcsURot, 1HV2sYHjAZEueYe5fF14CBEwQJ9Fawnaqo, 1Jo3M8W6F9ACiLRaAiZs3LMSZfnniCStPz, 1JoTxrqZAhWXTDFPoChKFk7hqDfmkC6tUG, 1JuTf9JFpV4wDYLSCKQZHF4hBX6edxr4R6, 1KGxAeHHALMnJPzGbSb6A6BxRLyrmhmgkQ, 1KNpeXAxx4qLctNv2XKVVCPoMPt2BmbH6o, 1KPy4EJFV8ZRgMDoZQ9usZKRrdq1eKGgeK, 1KXNoekZ8VjZrkrchr6UUVPbBfyGsXcQcr, 1LEJa3uDvwpZJTH7ygbV6Fjskfc3AZ7ns9, 1Lgq3bdysYJYBAJrvjKCXWgiP3kC7tgusE, 1LNqumVxZLpMmk2YAZv94dcoZgyG5FnN3J, 1LUAZUR3zFBaf3kxmpmD18gXCU68tQnTnK, 1MmzRFGAg8HdDHnDJTKo1cKNsgxxiMYUtP, 1MUDnDKYbkMqZjDapcb69dct83xxwXkNp1, 1MZWEMTQAb1PPnNi2rFYLMakxHuGAkVK73, 1N2BPjxdD46AxYiWSLSvx1THG9xhzHNC2c, 1NePkjQCHgJ4u94qgS2WjQMqivTYrk2ZGA, 1NomJEEBXuUU2ioaqNdkYYY7PKqdwd3sUx, 1NTAA7itEJ9R8zgqCobi4JqJ4eC4ZtAr7c, 1P8edr8cDnnRxtU745V9w9am9DQbf287Cw, 1P9ZJaeAG6vY6XH29P1orTRk1JKm7TEaqf, 1Pkio2icGqKkghPHYREinMFFcuDN14s8A8, 1Pu6uF7A2DfuAsaxM637j3H1wtFKAGB2BV, 1q543G6muPvXJ6bXETJL3S7tuAthMtDkM, 1QAgtMUhna8dgM4HuhAuvtwSxXFMLMjgxq, 1y2PkvvtkkkV4uVZuePVuXmMUYHBWr4Zn

That being said, if a forensic team gains access to your hard drive their is probably a better chance of them finding useful information to track down the thief than the chance that the thief will engage in a transaction using one of these addresses with an honest person who happens to see this discussion.  (Both possibilities are so unlikely that you probably need to consider the coins gone).  I hope you get lucky though.

The attacker used IP address 178.176.96.4 for one of the exchanges he logged into.

He withdrew coins to this address: 15TDgQpCaNjxyBpi7Jp6EmZW1bHAEaxTxY (http://blockchain.info/address/15TDgQpCaNjxyBpi7Jp6EmZW1bHAEaxTxY)
Unused, and the coins have not yet been moved.

[Deleted Information I provided]

Op I'm going to compile a list on everything I can find out this thief. Just give me time to filter all the relevant information.

Op still haven't told how he got infected.

Now I'm all paranoid.

Damn inconvenience of additional security.

I suppose it was a windows operating system?

it was windows 7 operating system, i still dont know 100% how i got infected, but it was for sure some trojan horse with keylogger.

Thanks for the info. maybe I really have a chance to catch as soon as he tries to convert to FIAT currency

Have you ever thought,  maybe the Bitcoins were crying out for freedom, yearning to flow among exotic wallets, being one with the community.

I guess they got tired of being hoarded. The attacker will be seen as a liberator.

Stockholm Syndrome will take effect soon. At this point, it's hopeless dude.

Most likely it was a trojan binded to some executable file that OP run. Also it can be a 0-day exploit on system or some misconfiguration of computer such as reused passwords or something.Likely Windows, because to infect Windows you need to double click file. To infect Linux you need to use SU. It is a sanity check and dumbness filter.

Message to the thief if he is reading this: I will launder the coins for a small fee. Additional guarantees available. Price and other terms negotiable. Also I can give instructions for do-it-yourself laundering.

OP is not going to pay me for my great knowledge!

For me it's also on Windows 7, and it is indeed probably some trojan*, but it's one that can read password fields, not just keylogging. One of my accounts he got into has a password that I don't physically type.

*I don't remember clicking any, but who knows.

Most trojans are like remote desktop or Radmin that can give full control over computer. This is nothing special.

Interesting, most popular way to spread a virus is warez & exploit kits.

http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=49933867
http://www.utrace.de/whois/178.176.96.4
http://www.utrace.de/ip-adresse/178.177.115.29

I would contact this ISP
However, russian hosting are not very responsive unless the is a court ruling, maybe offer them the bounty xD.

EDIT:
There are professional private detectives located in russia of course, maybe thats an option, no idea how much they charge and how high the success probability is.

Nothing to worry about too much, download Comodo firewall its a good program for monitoring and blocking any malicious connections. Most malware is spread the traditional way such as via torrents, Youtube, drive by's etc. So staying protected just means staying wise and being cautious of sites you visit and files you download.

If you're worried just send bitcoins to a paper wallet, and you'll be fine.

Isn't it possible to port scan then buffer overflow whatever listening service?

Yeah all it is, is either a RAT or IRC/HTTP bot which has downloaded and executed a open source wallet stealer which uploads the wallet to an FTP. If its a rat then the attacker would of just used remote file manager.

Either way nothing special, having the binary used however would allow us to find the point of origin. Especially if a RAT was used because they make connection to the attacker themselves and not a centralized command and control server.


I think OP you being infected and having your wallet stolen would of been in the time frame of 24 hours max. So thinking back to when your had you wallet stolen anything within a day of downloading some form of exe would help.

Not only would you wallet of been stolen but you would of probably fell victim to the attacker actually mining on your computer. This is something else that saddens me because people who do this do very little to hide the login and password to the Pool they are mining for :(.
 

I would try a simple dictionary attack on the mail.ru for the email however I do not posses and Russian based pass lists. Either way ill keep trying and see what I can find.

Why does this happen to other people and not me, I WANT to be infected by such malware :(.

Cold-storage? Agreed. That's why I'm annoyed with the inconvenience of that security.

I hope multisig transactions will soon be implemented in a way that they are easy to use, that will make things a lot safer.

3-rd party software firewalls are shit. Windows7 built-in firewall is great if configured properly, but firewall is like last line of defense if malicious code already is executed on computer. Advanced malware can disable all software firewalls. And they are useless if lamer does not know how to use them properly.Most malware is spread by social engineering retards into downloading and running the malware on computer. So You are correct.Not anymore. You need to have service with working exploit accessible from outside. Router/NAT between your computer and internet prevent this. The address space layout randomization and data execution prevention makes these types of attacks very hard.The FTP wallet stealer was more proof of concept code than real malware but I know it was used successfully on many times :) For grabbing the password you need RAT.The best rats now use Tor and Tor hidden services for C&C. But the RAT or the haxor might not be so advanced and it really might contain some leads.You are too smart to infect your own computer :)Second computer for cold wallet without network connection and Armory on both of them is workable solution. Offline computer might be any computer capable of running WindowsXP such as Pentium3 or 4. They are really cheap. You don't need to keep 2000 coins online.They will not be completely safe and will create additional problems. Armory and offline wallets are the way to go.

Nothing will ever protect against the competency of the operator.

Obviously nothing will ever be as safe as cold storage. Unfortunately, armory is far from being user friendly (it requires shitload of memory, for starters).
Multisig txs seem to be like a decent solution when needing good security and easy access to bitcoins. Obviously cold storage will still be the way to go for any large amount of coins.

Because I cannot post to the thread in Bitcoin/Legal I'm posting this here.


In case you're not aware of it, you can prove ownership of any address by signing a message with the corresponding private key. You can use brainwallet.org (http://brainwallet.org/#sign) to do this.

600 BTC (~$7000 at current rates) is a lot of money, I hope the thief made (or will make) some mistake along the way, I wish I could help but my knowledge of how the bitcoin/blockchain works is poor.

yep, for this bucks you can eventually get things moving even in russia^^.

There are a lot of people who demand that bitcoin is not user friendy and should be plug-and-playable.
When I see thefts like this, I'd rather demand the opposite. Maybe that'll force people to understand which precautions are necessary to avoid digital theft.

Not to burst the little mutual agreements you guys seem to be having, but I don't regard myself as a retard who was social engineered to click yes to every dialog box. I use a separate password for every site, have encrypted backups of my wallet and gpg identity, use 2-factor authentication whenever possible, and don't just execute random stuff.

Apparently, that isn't enough. Granted, some of those habits prevented much larger losses: I only lost 101 Bitcoins because the attacker couldn't access my accounts with 2-factor authentication, and I had no Bitcoins in my wallet. However, my wallet encryption means nothing if my computer is compromised, and technically I should consider my gpg identity compromised as well, which sucks major ass.

The thing is, it doesn't take a retard to have an unsecure computer. It only takes one slip-up, or sometimes not even that (0-days).


So what would be the best way to make something secure, but still usable? (ie, not cold storage, I need to trade my coins on exchanges) My current plan is to buy a lightweight netbook, carry it with me all the time, put ubuntu and full-disk encryption on it, and only do bitcoin stuff from there.

Oh, and I'll try to find out what infected me, but it might take a while.

I was referring to the OP with my statement, who comes off as the type that would be vulnerable to this kind of thing.

Ever tried NOD32? Never had a problem in the 3 years I've been running it, and it catches a lot of potential bullshit.

A smartphone app that could scan paper wallets and initiate transactions would make paper wallets just as mobile as your netbook.  I don't know if that smartphone app is part of the present or part of the future, but I gather your netbook won't be powered on 24/7 so it's just as cold as paper when it's off.

The hardest part of using paper wallets is having to type the codes if you can't scan them.  Eliminate the typing, and they are very convenient.  They weigh far less than the netbook and can be given away IRL if you end up needing to give someone bitcoins.

That's exactly why I'm working on bitcoin hardware wallet: https://bitcointalk.org/index.php?topic=122438.0 . Such theft with hacked machine and sniffed password would be impossible...

Thing is, I need the security for more than just my wallet. As a trader, most of my bitcoins are on various exchanges, so I need a secure computer in any case. Plus two-factor auth, which has proven its worth nicely for me in this case.

On the topic of virusscanners: Many of them report false positives on things like cracks. Having a few false positives makes your virusscanner completely useless, since you won't know if a report is a false positive or an actual risk. Someone whom I told about my problem suggested microsoft security essentials, which sounds really counter-intuitive, but apparently it comes out on top in comparisons. Of course, when I get my netbook, I won't need a windows virusscanner...


Anyway, in the meantime, I need to have some virusscanner scan my infected harddisk to find the source. Preferrably I'll scan from ubuntu, since I don't want to risk any autoruns or whatever. I am not too familiar with ubuntu. I'll google myself, but maybe someone has a suggestion?

Virusscanners are useless, sorry to be that harsh but i can crypt any virus undetectable for at least a week. Its not hard to modify a crypter source or buy a crypter for a few bucks.

Getting to know how viruses are spread is a great step in prevention as you know what to look for.

A firewall is only useful before an attack occurs, a trojan/bot dont cares if you run a firewall as long there is internet access, you always have something open, even if its port 80.
One way to extend the firewall is a VPN, this indeed can make a hardtime for trojan/bot.
Most viruses get detected after one week but it very much depends if it submitted and how much vics it has.
And yeah, things like cracks are perfect for spreading, because them noobs turn off the scanners.

Bottom line, a virus can only be detected if its in a anti virus database or fits in heuristic.
Scan every file where you i doubt on virustotal or jotty, both submit the sample to a ton of av vendors, they probably dont detect it from the start but at least after 1 week the same file is detected.

The below text is just copied from a skiddy forum, they sell these crypters for example....
On a PC with important/confidential data just dont surf nasty porn, dont load warez and dont visit useless flash gaming sites, dont download docx or PDF (there are exploits) from warez (for example ebooks).
+1 If you use linux
+1 If you use a virtualbox

Dont get me wrong, its not like the whole net is infected but there are standard ways how viruses are spread and you should know them.

Its a big Loss.
But....i think u ll not recover them bro.

Is that assuming your scanning device is secure? I have a paper wallet set up, but know nothing of what happens to the private key I scan in, memory/app-wise...

Wow, wish there were anyway I could help - ATm I am looking for a way to retrieve a password I set on one of my BTC wallets a few weeks back but my loss of 60 BTC can't even compare.

I hope your situation turns out for the best.

As long as you know you can spend it faster than anybody else, you're safe.  Paper wallets are worthless once the balance has been moved to another address.

It's really easy to test: simply try a transaction with some small sacrificial amount.  If it works, then you're probably safe.  If it gets stolen, at least your losses are very limited.  If you divide your holdings across multiple paper wallets and you're careful, then your risk should be limited to the balance of one paper wallet.  If you ever need to send more than one paper wallet's worth of funds somewhere, then do them back-to-back, verifying safe arrival of funds between each one: import - send - verify - import - send - verify - etc. rather than importing them all and risking they all get stolen at once.

This explains a lot.

Hello slush I just happen to read an article just a while ago about your USB Wallet Project on bitcoinmagazine.net (http://bitcoinmagazine.net) and it looks promising btw :D

Best advice I've read on here!

I think the OP could try contacting the ISP or whoever administers that range of IP addresses (600 BTC is ca. 10x avg wage in Russia)
https://bitcointalk.org/index.php?topic=125641.msg1342936#msg1342936

Even if you knew who it was and had conclusive evidence that they were guilty, what exactly would you be able to do about it if they're in another country?

Pirateat40 lives in somebody's back yard, we know who he is, and nobody has collected a satoshi from him.  So what could be expected to come if someone were able to dig up some identity of somebody in Russia without any proof of guilt (knowing that even with proof of guilt, collection is unlikely)?

Paper wallets!  This is how you protect your bitcoins.  Just for fun, send 0.01 BTC to a paper wallet right now and then import it back.  Seeing it work is a valuable learning experience.

Paper wallet work until you need to load coins back to hacked machine.

Ahh, Pirate :)
US is different from Russia where a scammer such as Pirate would be properly (or maybe a bit too severely but better than not at all) punished if the identity was known.
600 BTC might be enough for OP fly and bribe his way through to find the scammer (maybe with the help of the police after they have had received a generous tip).

At least you'll only lose 1/10 of your coins, assuming you split them across 10 paper wallets, and that's assuming the hacker can redeem them faster than you.  If you are being actively keylogged while you redeem a paper wallet, and you click OK or hit enter before he has a chance to initiate the theft transaction, he still won't be able to steal.  The normal password trojan that logs keystrokes and sends logs periodically to the hacker is good for stealing passwords and credit card numbers but won't be of any use if the entered key becomes worthless moments after entry - he either has to be watching you in real time, or use more sophisticated malware adapted to detecting you entered a key and then preventing you from completing your transaction once you enter the key.

I've tried scanning with 2 different virusscanners, and neither seems to find a likely culprit.
Both of course mark all bitcoin miners as a potential threat, but clearly marked as "mining" or something like that.

At this point I'm giving up the search. Sorry about not being able to provide the details, but maybe being paranoid will be good for your security.

Also, my new netbook is spiffy ^_^

Twitter, Facebook, google, Anonymous - The hacker group.

Offer them the reward.

Its gonna take a good hacker to find that person.  Anon loves bitcoin - they will for almost for sure help you.  You MAY get lucky and they will do it for a reduced fee because they like it so much.

Good luck to you.

Witches and magic.

What did you scanned?
The public bitcoin miners are detected because the same miners are used in botnets, i doubt any official miner has a trojan attached.
As i wrote above, if you scan files scan on virustotal or jotti.


A hacker wont probably find anymore than already presented here unless he can get direct acces to the ips mentioned, however, as there are dynamic ips nothing fancy nowadays id expect th ip of the attacker has changed by now.
A professional local investigator should be a step right after trying to contact the ISP.

So called hackers, i guess you mean professional pentesters and security auditors are seldom have a lot of spare time to chill on facebook, lol. The success rate should be higher when hireing a real proffesional from an agency/firm, of course you culd be lucky to find an bored unemployed genius.

You obviously have no idea how anon works, I'll leave it at that.  Rather then throwing in your worthless two cents - why dont you actually provide some ideas besides your loose and general crap that is right in front of you.

Yeah all it is, is either a RAT or IRC/HTTP bot which has downloaded and executed a open source wallet stealer which uploads the wallet to an FTP. If its a rat then the attacker would of just used remote file manager.

Either way nothing special, having the binary used however would allow us to find the point of origin. Especially if a RAT was used because they make connection to the attacker themselves and not a centralized command and control server.


I think OP you being infected and having your wallet stolen would of been in the time frame of 24 hours max. So thinking back to when your had you wallet stolen anything within a day of downloading some form of exe would help.

Not only would you wallet of been stolen but you would of probably fell victim to the attacker actually mining on your computer. This is something else that saddens me because people who do this do very little to hide the login and password to the Pool they are mining for .
 

I would try a simple dictionary attack on the mail.ru for the email however I do not posses and Russian based pass lists. Either way ill keep trying and see what I can find.

Why does this happen to other people and not me, I WANT to be infected by such malware .

So what happens if you do find out who it was?  Even if he gets prosecuted, those Bitcoins are locked away with a key that the thief only knows.  As for him paying any restitution, good luck when he'll never have a real job.

Sorry but I think your bitcoins are good as gone.

Shouldn't any virus running be visible as a process? (I use http://systemexplorer.net (http://systemexplorer.net) to check them, beyond AVG free)

dear all,
i have received NEW important information in this issue


the hacker also owns the key 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT and his "real" email address is sam.rankin@me.com
he used IP address 97.106.160.84
on 2012-10-05 at 20:51:51

he used to mine on deepbit, but they do not hand out any info about their users and do not answer to my mails.


Maybe one of your guys are smart enough to get any useful information about this case


the 600 BTC reward are still available

how are we going to help you get it back..?

yes, some data from bitmarket.eu also show that the addresses are used at least by the same computer

If that's true, then there is probably a MUCH larger list of addresses controlled by the thief and addresses that engaged in a transaction with the thief.

I'll try to put together the list for you later this week.  If you PM your email address, I'll email you the list when I've got it complete.

mralbi,

I've finished my program that scans the blockchain and uses the inputs from transactions to link addresses to a single entity that controls the list of addresses.  A person can keep addresses from being tied together by being careful to keep their bitcoins in separate wallets or using raw transactions for coin-control to avoid connecting addresses together in inputs, so the program will not be able to report those addresses that are carefully segregated.

Running the program, I find 901 addresses that can all be said to have been used in inputs by someone who has the private key to 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT.

I've emailed the list to you.

So paper wallet once used, it should be emptied and no longer consider cold wallet, right?

the bitcoins are still remaing on the theefs wallet - maybe the 600 btc reward are now more interesting

that hacker is doing good indeed. +$2.5MM with a lousy trojan horse.

Is this still on?  ;D

Quite sure both sides forgot about it :)

Sorry to tell you this. Well most likely you won't see those btc agan. How could he trick you into installing it. Try contacting mail.ru and tell them the situation, maybe they can help you. IP is proxy or VPN so it is a dead end.

well i actually have new evidence in this case.

The hacker had provably an account at http://www.tf2whx.com/ and used various addresses to launder other coins. the admin of the website however refuses to hand out the IP/email address of the hacker, so i am now pursuing the official way which might take another 3 years.....


The only information i received from the website admins was:

These are the withdrawals that go to 1Bu..."
 Also I am only able to do this because this person was not in fact a customer of ours at all, it seems they just laundered their coins here. Which is illegal. If they would have purchased even 1 credit I would only be able to give this to law enforcement, so GG whoever this guy is. Good luck.
 




5:29 AM
ok, give him this:
 
transaction ids



5:29 AM
83d2fd573e5ce47fca38bc3895356b8ed4a6b98a4c2b49c030dd0444a2ac506f
 6b341d138d598e0164bf47176a613364a7dc979df88bde43579cdece323bd42a
 76f312c30b4109136859b7e5b30c67b0aebcf0a05411183d0eecb7a751f76c7c
 9e05e5f6c61ee2e900fba73599dc8d01f4430f08d57f101bdc2d8cd7008f7bc2
 d90536ed805519c1563a5af9c44121a289f86e8bc9edbf896f149e7511e0217b
 a3c17c0bc7b4ea1572a750b83a1711710c716be3f51d81e5af9a5988605b30df
 bbb6a33fc4beda28887c413fc52f4bc2107d909113fb0ea46538ed2d2fc0cda1 0643e458b597f43712c5cbed82b93db54cb1ed029d3d9c7bc546002ba855baf3 1e5b1a537a99c86db2d903373d7606ecaaa8bb5b60139a848e27c9946c918883 51f8013ae8a9f4bd0c9182747c5731ee6cde36e6c5e7380f62f52244d7c784a8 fdf76f34d4fcb497acb96a46d33c5b2d234e92e897f86214c05cbeb6bc2257e3
 This is a list of all the bitcoin transactions that the user who controls the 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12 address has made through our system
 That should be all he needs in order to track down the comings and goings of the bitcoins.
 

5:35 AM
His deposit address in our system was: 1EcFFZ7eykZQjw6LnDKiXg8NfjSUvqHKZE



If this would help anyone to identify the hacker, the 600 btc are still open reward

hey let it go. everything happens for a reason.  :)

You have to be really stupid to store that much btc on the most unsafe operating system out there. Before you store btc on windows you should store them in online wallets, it's way safer.

at that time is was not so much ;-) And yes it was stupid