Some days ago someone posted a Mac download for a vanity generator. I've had the thread deleted by the mods, but the poster was a brand new user and the only user who commented was also a new user. The software presents itself as a GUI to vanitygen, but in reality seems to harvest the generated addresses and keys, and upon receiving a certain amount of BTC the credit is transferred to a different address. I'm exposing this although it makes me look like a turd since it stole 14 BTC from me this morning.
The software can still be downloaded from https://github.com/trevory/bitvanity. I've downloaded the source and will look for some clues, but of course the precompiled binary can be something completely different.
In a moment of absolute stupidity and after having read about and being excited about vanity address generation, I generated a couple of addresses with this app and transferred some hard earned BTC into the address. Almost immediately all the bitcoins disappeared.
I've tried again with a much smaller amount and so far nothing has happened. It clearly triggers above a certain amount (the only other transaction to the receiving address is 2.09 BTC) in order to stay undetected. They may be using different addresses to receive and the limits might be variable or the thefts random.
The transaction ID is: ad46e931ff3ac203ed522c9fcba8a6b156ac4b0d73f3079b2b8e158d5e1be861
In the end 14 BTC lost, but a valuable lesson learned. Hopefully we can shut this scam down from the very beginning. If someone else wants to verify my findings, be my guest.
Obviously I also now have to wipe the machine where I ran the software.
--chanba
1Hs6emZobgr5NqW1LGa2vRP5NvGwrYf84w (No vanity nor BTC left...)
Edit: The source code version is clean and has nothing scary. I was hoping to find something in the compiled binary and found this, so it's very clearly malware:
/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m

Hmmmm this has me thinking of a new way to do cold storage.
Download a vanity gen to a PC.
Disconnect PC from the internet.
Generate a new address and private key.
Keep a hard copy of the address and private key, or perhaps on a USB stick that you only use on offline computers.
You could then send coins to that address even though it wouldn't be linked to a wallet anywhere.
Then when you finally want to take the coins out, add the private key to a wallet at that time and away you go.
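The offline procedure sketched in the post above, as an added example that is not part of the thread and not code from vanitygen or BitVanity: it generates a secp256k1 key on the air-gapped machine, prints the WIF private key and P2PKH address for the hard copy, and, before any coins are sent, re-derives the address from the written-down key so a tool that shows you an address its key does not control is caught. Everything is standard-library Python 3.8+ (uses `pow(x, -1, p)`); the only external dependency is that the local OpenSSL still exposes RIPEMD-160 through `hashlib.new("ripemd160")`, which some builds omit. Function names such as `generate_offline` and `backup_matches` are this example's own.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses; public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _scalar_mult(k, point=G):
    """Double-and-add k*point (clarity over constant-time; fine for an offline box)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def base58check(payload: bytes) -> str:
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))   # leading zero bytes -> leading '1's
    return (b"1" * pad + bytes(reversed(out))).decode()


def base58check_decode(s: str) -> bytes:
    n = 0
    for ch in s.encode():
        n = n * 58 + ALPHABET.index(ch)          # ValueError on a non-alphabet char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw
    payload, checksum = data[:-4], data[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad base58check checksum (typo in the hard copy?)")
    return payload


def pubkey_bytes(priv: int, compressed: bool = True) -> bytes:
    x, y = _scalar_mult(priv)
    if compressed:
        return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def hash160(data: bytes) -> bytes:
    # RIPEMD-160(SHA-256(data)); raises ValueError if OpenSSL lacks ripemd160
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def p2pkh_address(priv: int, compressed: bool = True) -> str:
    return base58check(b"\x00" + hash160(pubkey_bytes(priv, compressed)))


def to_wif(priv: int, compressed: bool = True) -> str:
    payload = b"\x80" + priv.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return base58check(payload)


def from_wif(wif: str):
    """Return (priv, compressed) from a mainnet WIF string; ValueError if malformed."""
    payload = base58check_decode(wif)
    if payload[0] != 0x80:
        raise ValueError("not a mainnet WIF key")
    if len(payload) == 34 and payload[-1] == 0x01:
        return int.from_bytes(payload[1:33], "big"), True
    if len(payload) == 33:
        return int.from_bytes(payload[1:], "big"), False
    raise ValueError("unexpected WIF length")


def generate_offline(compressed: bool = True):
    """Step 3 of the post: fresh key from the OS CSPRNG; returns (wif, address)."""
    priv = secrets.randbelow(N - 1) + 1          # uniform in [1, N-1]
    return to_wif(priv, compressed), p2pkh_address(priv, compressed)


def backup_matches(wif: str, address: str) -> bool:
    """Re-derive the address from the written-down key before funding it."""
    try:
        priv, compressed = from_wif(wif)
    except ValueError:
        return False
    return p2pkh_address(priv, compressed) == address


if __name__ == "__main__":
    wif, addr = generate_offline()
    print("private key (WIF):", wif)
    print("address:          ", addr)
    print("hard copy verifies:", backup_matches(wif, addr))
```

Run it only on the disconnected machine; the WIF line is what goes on paper or the offline-only USB stick, and `backup_matches` is the check worth repeating from the hard copy itself (re-typed, not copy-pasted) so a transcription error or a mismatched key/address pair is found while the address still holds nothing.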