Bitcoin Forum
November 06, 2024, 09:13:11 AM *
  Show Posts
561  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 03:35:57 PM
I have just read the last 50 pages of this topic and wow this is crazy.

First of all yes the client was posted by me and I added some code that would send the secrets to my server.
A week ago there were all the ddos issues and billions created which led to a lot of client updates.
During these updates I noticed a lot of those clients had different hashes which made me wonder how easy it would be to modify the client and get it circulated.
So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less than an hour.
The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.

Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked.
The accounts that I got access to never had more than 1000 nxt in them and I never had the intention of taking it.
To the people who got hacked before 0.4.8 I can say that it was definitely not me who could have stolen your coins.

Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead of only focussing on their pass strength.
That point has been made very clear now in an unfortunate way.

To be honest if I had found an account containing a 50 million next I would have probably taken it and disappeared but that was not the case. I am human after all.

I know there are other modified clients around whether they use the same type of attack I don't know.
Digitalocean has also contacted me that people here have sent complaints and that different IPs have logged in on my account.
Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know. 

People are angry and of course I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.


Nice to meet you.  I haven't received a response from Digital Ocean yet.  The clock is ticking.  I don't back down.  Ask my wife.
562  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 03:25:35 PM
If anyone else wants to contribute anything to helping reimburse those who were affected my account is: 7692313866255280204

I just received 35K NXT from neer.g. Once we get some confirmations on that I will begin sending it out.




I think this is a great effort but I urge you to hold off for a day or two and see if we can get EpicThomas to rethink the wisdom of keeping his ill-gotten gains and put the money back that he stole.

Worth a shot.  And I am 99.99% sure I will have the law on his tail if he doesn't.  I am a persistent fellow once I take up a cause.
563  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 03:00:31 PM

The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex.   That ain't gonna happen.

This is a major crime in the tens of thousands of dollars range and we know who did it.  People go to prison for years for this kind of crap.
  
(Are you reading this, EpicThomas?  I know you are.)  

You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city.

Do you feel lucky, punk?

A MESSAGE TO EPIC THOMAS:


Dude, I'm coming for you.  You had better put back the NXT where it belongs before I find out who you are and go to the police.  I will stop if you repay the NXT you have taken from others.  Once I find out a name and address and turn it over to law enforcement, things are out of my hands.  Until that time you can save yourself.  Do it.

My email to customer service at Digital Ocean:

Can you identify the real name, email address, mailing address, and telephone number of the user renting a cloud server from you at 162.243.246.233 for the past several days?  This person is involved in illegal activities and has stolen over $23,000 that we know of so far through  unauthorized transfers of assets.  When you have obtained this information, please let me know the name and location of the representative who may be contacted by local law enforcement.  

This is not a prank or joke.   My name is X.  I am a resident of X and you can contact me at my cell number of X if needed.  Thank you, and I look forward to your prompt response.
564  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 02:27:59 PM

You guys need to rethink this.  The evidence shows pretty conclusively that Sparta_cuss was actually robbed and reported it before either PaulyC or newcn.  Plus Framewood beat them all to it by a couple of days.

So - we gonna create a loss fund to cover 300K NXT and counting?

I'm relatively NXT poor, but I'll contribute 1k to a theft fund if it's set up.



The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex.   That ain't gonna happen.

This is a major crime in the tens of thousands of dollars range and we know who did it.  People go to prison for years for this kind of crap.
  
(Are you reading this, EpicThomas?  I know you are.)  

You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city.

Do you feel lucky, punk?
565  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 02:15:15 PM

Going forward from this moment:

How can we be 100% sure someone's coins are actually stolen? The victim could himself open an account and send the funds there....then after a period of time he then transfers the stolen funds to some new account and carries on happily ever after.

MOTIVATION: Those who have their funds stolen may get some sort of funding to compensate for their loss.  A greedy individual may take advantage of this.

 

Because of this reason, I think only PaulyC and newcn are eligible for some type of reimbursement/ bounties for uncovering the bogus client.

You guys need to rethink this.  The evidence shows pretty conclusively that Sparta_cuss was actually robbed and reported it before either PaulyC or newcn.  Plus Framewood beat them all to it by a couple of days.

So - we gonna create a loss fund to cover 300K NXT and counting?
566  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 01:55:30 PM
OK, a summary of what we know so far:

The smoking gun points to EpicThomas, and kudos to LiQio for finding the smoking gun.  

Go to the Google cache page LiQio found below, then hover your mouse over the link where EpicThomas says "NRS 0.4.8 is ready and can be downloaded from: http://info.nxtcrypto.org/nxt-client-0.4.8.zip".  The mouseover link that appears goes to http://162.243.246.233/nxt-client-0.4.8.zip even tho the blue text of the link says http://info.nxtcrypto.org/nxt-client-0.4.8.zip.

http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de

EpicThomas made his original post which contained the bad link at 31.12.2013 13:23:22 and then later edited his post and CHANGED IT BACK to the correct client.

The 0.4.8 losses were first reported by Sparta_cuss (147K NXT), then PaulyC (8K), then newcn (18K), then plasticAiredale (19K).  The 0.4.8 losses we do know of came in an 8 minute window:

Time                  Victim            Vic Account            Thief Account          NXT
01.01.2014 12:56:54   plasticAiredale   8439060069775407509    15182566201738727933   18665
01.01.2014 12:58:03   PaulyC            16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn             16886318053889080545   9793828175536096502    18197
01.01.2014 13:05:06   sparta_cuss       11794318797680953099   12152013998194592943   147690

There may well be more 0.4.8 losses that haven't been discovered or reported yet.  

There may have been losses from earlier clients before 0.4.8, as first reported by Framewood on December 27, 2013, 06:26:16 PM. See: https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532 . If so, here is the first reported loss:

Time                  Victim      Vic Account          Thief Account          NXT
26.12.2013 17:09:30   Framewood   697109629372813510   13643712185318669838   100088

Total reported losses so far are 292,448 NXT worth around 28 BTC or over $23,000.

There's got to be more.  Keep digging.
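
The mismatch described in this post (link text naming one host while the href points at another) can be checked mechanically. This is an added example, not part of the original posts: the sample HTML is constructed from the two URLs quoted above, and all function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none or is malformed."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""


def mismatched_links(html):
    """Return links whose visible text is itself a URL for a different host."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        shown = text.split()[0] if text else ""
        if not shown.lower().startswith(("http://", "https://", "www.")):
            continue                   # ordinary anchor text, nothing to compare
        if host_of(shown) != host_of(href):
            findings.append({"shown_host": host_of(shown),
                             "actual_host": host_of(href),
                             "href": href})
    return findings


# Constructed sample reproducing the link described in the post above.
SAMPLE_POST = """
<p>NRS 0.4.8 is ready and can be downloaded from:
<a href="http://162.243.246.233/nxt-client-0.4.8.zip">http://info.nxtcrypto.org/nxt-client-0.4.8.zip</a></p>
<p>News: <a href="http://info.nxtcrypto.org/">http://info.nxtcrypto.org/</a></p>
<p><a href="https://bitcointalk.org/index.php?topic=345619.0">main thread</a></p>
"""

if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE_POST):
        print("link text shows", finding["shown_host"],
              "but points to", finding["actual_host"])
```
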






567  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 01:25:31 PM
Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Quote from CfB:

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.

There's a clear pattern if you look at all the data:

Time                  Victim            Vic Account            Thief Account          NXT
01.01.2014 12:56:54   plasticAiredale   8439060069775407509    15182566201738727933   18665
01.01.2014 12:58:03   PaulyC            16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn             16886318053889080545   9793828175536096502    18197
01.01.2014 13:05:06   sparta_cuss       11794318797680953099   12152013998194592943   147690

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged.  We should check the blocks / transactions/ accounts before and after this time period.

Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532

This bears repeating:

Please notice the date and how little the community paid attention. 
568  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 01:18:45 PM
The hacker might have tried it for a while, but he hit multiple targets with 0.4.8 versions.

This means the forensic investigation has got to go deeper and not limit itself to 0.4.8.

Have we figured out yet just who the hell did this?
569  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 01:15:16 PM
Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Quote from CfB:

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.

There's a clear pattern if you look at all the data:

Time                  Victim            Vic Account            Thief Account          NXT
01.01.2014 12:56:54   plasticAiredale   8439060069775407509    15182566201738727933   18665
01.01.2014 12:58:03   PaulyC            16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn             16886318053889080545   9793828175536096502    18197
01.01.2014 13:05:06   sparta_cuss       11794318797680953099   12152013998194592943   147690

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged.  We should check the blocks / transactions/ accounts before and after this time period.

Don't forget Framewood, too.

https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532

The scary thing about Framewood:

I was using 0.4.4 client.
I'm now on 0.4.7e

HE SAYS HE WAS NOT USING THE 0.4.8 CLIENT
570  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 01:09:45 PM

Going forward from this moment:

How can we be 100% sure someone's coins are actually stolen? The victim could himself open an account and send the funds there....then after a period of time he then transfers the stolen funds to some new account and carries on happily ever after.

MOTIVATION: Those who have their funds stolen may get some sort of funding to compensate for their loss.  A greedy individual may take advantage of this.

 

Because of this reason, I think only PaulyC and newcn are eligible for some type of reimbursement/ bounties for uncovering the bogus client.

Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Quote from CfB:

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.

There's a clear pattern if you look at all the data:

Time                  Victim            Vic Account            Thief Account          NXT
01.01.2014 12:56:54   plasticAiredale   8439060069775407509    15182566201738727933   18665
01.01.2014 12:58:03   PaulyC            16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn             16886318053889080545   9793828175536096502    18197
01.01.2014 13:05:06   sparta_cuss       11794318797680953099   12152013998194592943   147690

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged.  We should check the blocks / transactions/ accounts before and after this time period.
571  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 11:10:05 AM
Good morning everybody.  I just got up from bed and found a PM to me from somebody who says they've been hit and lost around $7000.  This poster says he wrote me because he felt I would not ridicule or judge him.  He is apparently embarrassed to post his experience here because he used a very weak password that was patterned after one he uses routinely at many locations.  Of particular interest is his statement, "So I checked my zip file and got a different checksum than I think I'm supposed to, in fact, one that isn't posted anywhere on the forum."  I've asked for a copy of his infected file and will check the SHA-256 on it if I get it.  I also gave him step-by-step instructions on how to check it himself.

I applaud the ongoing efforts to flush out how the bad file got posted.  We need to start a similar movement to flush out just who has been hit, and if there is going to be any kind of reimbursement plan.  PaulyC is getting made whole, which is a good thing.  But we need to start thinking about if everybody will be, and that is a chicken-and-egg question until we know the scope of the heist.  In this vein, how hard is it to come up with a list of accounts involved in transactions since the bad client came out?

In a security breach situation, I think it is very important to not castigate people involved for any poor security habits they exhibited such as weak passwords, so they will feel more comfortable in coming forth with badly needed facts.
572  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 03:11:43 AM
By the way, I just checked and Drexme was last online here two hours ago.
There is a good chance he will try to cash in tonight if he read this thread now that we are on to him...

And just how many accounts is he gonna plunder, I wonder?

This is gonna get really, really bad...

I will be the first to ask the question "Do we wanna stop the blockchain and roll it back?"
573  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 02:31:44 AM
So, are most people with the new client boned?

If not, what should you check?

if the sha256 of your nxt-client-0.4.8.zip is:

ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2

you are fine, if it's:

948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06

you should download legit client and transfer your NXT immediately to another account if it's still there

how to get sha256 hash of your file is explained in this thread (nice windows tool here: http://sourceforge.net/projects/quickhash/)

OK, so I've verified I lucked out and got the "good" download completely by chance.  What's this about malware listening at digital ocean?  Can it only get data from the bad clients or all clients?
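
The checksum check described in this post, as an added example that is not part of the original posts: it streams the zip through SHA-256 and accepts only a digest on the known-good list, so a digest that matches neither published value is treated as untrusted rather than assumed fine. The two digests are the ones quoted above; the function names are hypothetical.

```python
import hashlib
import sys

# Digests quoted in the post above for nxt-client-0.4.8.zip.
KNOWN_GOOD = {"ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2"}
KNOWN_BAD = {"948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize_digest(text):
    """Accept digests pasted with spaces, newlines or upper-case hex."""
    cleaned = "".join(text.split()).lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return cleaned


def classify_digest(text):
    """Return 'ok', 'compromised' or 'unknown' for a SHA-256 hex digest.

    Only an exact match on the known-good list is 'ok'. The known-bad list
    exists for incident reporting; a modified file with any other digest
    falls through to 'unknown', which callers must treat as untrusted.
    """
    digest = normalize_digest(text)
    if digest in KNOWN_BAD:
        return "compromised"
    if digest in KNOWN_GOOD:
        return "ok"
    return "unknown"


def verify_download(path):
    """Hash the file at path and return (digest, verdict)."""
    digest = sha256_file(path)
    return digest, classify_digest(digest)


if __name__ == "__main__" and len(sys.argv) == 2:
    file_digest, verdict = verify_download(sys.argv[1])
    print(file_digest, verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

The reference digest has to come from a channel separate from the download link, since a post that swaps the URL can swap a checksum printed next to it just as easily.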
574  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 02:11:43 AM
rickyjames,

I wasn't saying we should cover it up, I was saying that the feature to broadcast messages to all NXT clients is not there yet.

James

Ah, sorry.  I'm a little agitated at the moment and my paranoia needle has broken off the peg over in the red zone.  My apologies.

We still see  eye to eye on security, dude.
575  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 02:05:11 AM
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast message yet...

P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?

I made a pact with Intel to publish news at http://info.nxtcrypto.org/, and this is news.  I will be typing something up for submission ASAP.  If you want to keep a lid on it, good luck with that.

Absolutely PaulyC should be made whole via bounty fund.
576  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 02, 2014, 02:01:37 AM
Ok here are the two zip files in one file.
The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. the smaller one I believe was the one posted on the front page?

DO NOT USE THIS FILE FOR NXT:
https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

Got it. The bogus client is in the link. Can someone check where is the modification ?

You have got to be absolutely fricking kidding me.  I have downloaded from mega.co.nz on Tues and walked it over to my nice sterile laptop....  

Excuse me while I go do an emergency client download from a trusted source and move my NXT to a new account with a zillion character new passcode....

And when this all settles down I'm going to bring up again a few more dozen times the idea of implementing a withdrawal freeze code....
577  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 01, 2014, 11:22:18 PM
We just topped 3000 members at nextcoin.org .  Not bad for a forum that only opened 30 days ago.
578  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 01, 2014, 10:52:14 PM
With the current method of account protection in place, where a brute force password attack is a simultaneous attack against all NXT accounts, I would argue that a good motto for NXT is the Spartan's cry of "Molon labe".

http://en.wikipedia.org/wiki/Molon_labe
579  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 01, 2014, 10:48:17 PM
EDIT: If transparent mining reveals the node's ability to forge, there's also the incentive to bring down large holders to improve your own forging income.
how about this?

This reminded me...

From https://en.wikipedia.org/wiki/Laconic_phrase:

Quote
After invading Greece and receiving the submission of other key city-states, Philip II of Macedon sent a message to Sparta: "If I win this war, you will be slaves forever." In another version, he warned: "You are advised to submit without further delay, for if I bring my army into your land, I will destroy your farms, slay your people, and raze your city." According to both accounts, the Spartan ephors replied with one word: "If" (αἴκα).

PS: There is no way to find IP of a forging node if it wants to hide the address.

Even better: they cut off the other parts of the message and just sent back the word "if" :)

Spartans apparently recycled ;)

http://en.wikipedia.org/wiki/Molon_labe
580  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Nxt :: descendant of Bitcoin - Updated Information on: January 01, 2014, 08:56:41 PM
I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check?

What worries me most is the possibility of a bug in the client, which would allow the attacker to instruct it to send money directly.
And since the client is already exposed to the outside world through firewall and its IP is known, it can be a really nasty threat.

If a hacker has ALREADY gotten your main account password once to get in the account in the first place, having to type it AGAIN is no additional security at all.  This only prevents somebody physically in front of your keyboard from ripping you off.

This is absolutely a concern and why a withdrawal verification/unfreeze password shouldn't enable the LOCAL CLIENT/SERVER do something, it should be COMBINED WITH SOMETHING PREVIOUSLY PUT ON BLOCKCHAIN that is processed by THE REMOTE SERVER PROCESSING THE BLOCK to enable the withdrawal.  The latter is MUCH MORE SECURE.

The first time a local client is hacked in NXT (and you should assume this WILL happen) then NXT has a HUGE PR problem....