Bitcoin Forum
1  Bitcoin / Project Development / Re: Kristov Atlas' Bitmessage security audit on: November 29, 2014, 09:49:31 AM
Hi Mike!

Thanks for getting in touch.

We got in touch with two of the three services you mentioned, and spoke with their representatives. Neither would agree to participate in a crowdfunding campaign.

For a crowdfunding campaign to work, the organization (or individual) that agrees to perform or otherwise organize (e.g. a bug bounty service) an audit must agree to become the beneficiary of funds raised. In the case of Kristov's audit, funds raised from the Kickstarter campaign will go directly to Kristov -- at no point will we hold or collect money.

There are legal barriers to us here at CryptOpinion.com soliciting funds for what would ostensibly be a Bitmessage fundraiser. We would have to start a full-blown non-profit or an Unincorporated Nonprofit Association. That approach is a complex issue, and could be a discussion for another time, though.

Kristov has a proven track record of delivering well-researched, thoughtful results. We are excited and appreciative that he has agreed to participate in a crowdfunding campaign. It reflects positively upon his character that he would be willing to put himself out there, and reflects negatively upon the bug bounty services that would not.

As an aside, you will notice that bug bounty programs on CrowdCurity, etc. are mostly (not all) set up by for-profit entities that have the resources necessary to fund bounties fully with their own money. Bitmessage, though, is an open-source protocol. This throws a wrench into things, to put it simply.

Also, for full disclosure, you said on reddit that if we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program, it should be taken with a grain of salt when you say we are "giving people a false sense of security."

We are extremely pleased to have Kristov as Bitmessage's code auditor. In fact, we would prefer him over a bug bounty program.


Yum.

I can understand the reasoning behind the bug bounty programs not accepting your crowdfunded audit, mainly because, you aren't the main developers or owners of the project - some would even say you should instead put forth an initiative that would instead use tip4commit as a means for security researchers to audit BitMessage, and get paid for commit fixes to bugs instead.

"Also, for full disclosure, you said on reddit that if we we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program, it should be taken with a grain of salt when you say we are "giving people a false sense of security.""

We did indeed say we would be interested, for full disclosure, if you were to figure out or set up a bug bounty program for the security audit. And since you failed so, we clearly didn't take you up on the idea of accepting a large number of BTC for an audit that would rely entirely on my team's findings. It goes back to my point: if you intend to properly audit the project it will require a large number of eyes with security knowledge to fully inspect the code over time. Not a one-off audit.

It is very nice of Kristov to accept the potential job of auditing BitMessage for the sum of >$6k USD but the problem will be that after his audit is complete, regardless of how extensive or thorough it is, a month later someone else will potentially find exploitable holes and will look for the same sort of payment for his findings. The point is there is little to no security in the real world past an audit.

You should however:

- Do the crowdfunding effort to raise the funds.
- Put together your own bug bounty program (and we will gladly help you set this up, free of charge to the community)
- And pay researchers depending on level of exploitation

And for full disclosure: we have helped dozens of exchanges, dozens more merchants, and hundreds of sites in the last year (since December 2013) with their security (mostly Bitcoin related, but also Microsoft, Yahoo, and Paypal). Free. Of. Charge.

Thanks!
Mike
2  Bitcoin / Project Development / Re: Kristov Atlas' Bitmessage security audit on: November 29, 2014, 07:21:49 AM
Hey,

We talked on reddit a bit back and although I agree an audit of BitMessage is essential the problem is simply paying someone over $6k in BTC for an audit is a waste.

He is one man, with his own specific set of skills. You need an entire community of security researchers to audit BitMessage as they all will be able to provide their different skillsets to the table.

I suggested before to use a bug bounty program like:

- hackerone.com
- bugcrowd.com
- crowdcurity.com

HackerOne or BugCrowd will more than likely yield you real results. You don't pay for one audit. You pay per bug disclosure. When you submit BitMessage to a bug bounty program like the above not only does my security team (BITCOMSEC), and Atlas audit the code, but also another 20,000 security researchers from around the world with different skills and experience will provide you REAL results.

I really do hope that you listen to what I'm telling you and look at the alternative. Relying on one security audit is dangerous for the project. You give people a sense of false security.

Cheers!
Mike
3  Alternate cryptocurrencies / Announcements (Altcoins) / Re: LIVE|MidasCoin|Backed|New Scrypt PoM|ATM card|Referral|NO IPO|UNIQUE on: November 26, 2014, 01:47:24 PM

I did.

Wonderful! If you need the raw logs to forward authorities (although, I posted them unredacted in our investigative report) message me anytime.

Hopefully others will do the same and get enough attention to go after these people.
4  Alternate cryptocurrencies / Announcements (Altcoins) / Re: LIVE|MidasCoin|Backed|New Scrypt PoM|ATM card|Referral|NO IPO|UNIQUE on: November 26, 2014, 04:31:56 AM

All this has no meaning if not contacted the authorities.

All of our logs, and evidence have been forwarded to authorities in PH.

You have a good point. How many of you MidasCoin holders made complaints to the authorities?

Cheers!
5  Alternate cryptocurrencies / Announcements (Altcoins) / Re: LIVE|MidasCoin|Backed|New Scrypt PoM|ATM card|Referral|NO IPO|UNIQUE on: November 25, 2014, 03:11:45 AM
This isn't an argument. I'm providing you reality - whether you want to accept it or not depends entirely on you.

I provided you JBA's personal IP addresses from globetel.com.ph, and smart.com.ph two ISPs he uses at home. Why do I have them? Because he was careless.

I also provided you MidasCoin owner's IP addresses and range which point to an Italian netspace. Why do I have them? Because prior to JBA's compromise of the MidasCoin servers, MidasCoin owner logged into his servers with disregard for 'masking' his IPs.

I'm not talking about two separate IP addresses. I'm talking about two separate IP ranges that point to the reality that both persons were using dynamic IPs through their ISPs via DHCP.

I put a lot of effort and research into this, and I think I put all of the evidence as plainly as possible as well as readable.

Now whether or not you want to accept reality, or remain fixated on your conspiracy theory that the 'hack' was an inside job is entirely on you.

What holds in the reports:

1) JBA hacked CR and MidasCoin servers
2) MidasCoin, post our compromise report, fled with the coins.

But to say that JBA, a random thief from .PH == Italian MidasCoin owner is dangerous. Because then you distort fact with fiction.

6  Alternate cryptocurrencies / Announcements (Altcoins) / Re: LIVE|MidasCoin|Backed|New Scrypt PoM|ATM card|Referral|NO IPO|UNIQUE on: November 24, 2014, 03:42:41 PM
Again, a pile of C... . The "hack" was planned as a fail-safe to mitigate an eventual justice problem... (made by the owners and his team as a convenient cover-up story) , there is no fraudsters tale..., they deserve what's coming to them.


"Again" I'd suggest you read the actual reports first and second part.

I understand scrutiny but ignoring the facts is plain ignorance. I provided proof both CR and MidasCoin were hacked by the same attacker. With logs nonetheless.

MidasCoin decided that was probably a great time to bolt with the rest of the coins and rob the community. If you pay close attention, perhaps with reading comprehension, you'll note the original attacker stole 3000MID which at the time was less than 2BTC.

The MidasCoin owner took the remaining ~20BTC that was left. The report doesn't say that the 'hacker' stole all of the coins. It clearly says that MidasCoin stole the rest of the coins. What is the point of building up this conspiracy theory about it being an inside job when in reality I state and explicitly separate both scenarios.

Unless you mean to say that Jimmy Bluey Amatong, the attacker who stole CR's wallets, is MidasCoin? And it was a ruse from the start. Then that is a worthy question and potential argument. But let me disable that theory for you:

- JBA's methodologies, although careless, were much more sophisticated than simply setting up an entire coin project and running away with all the coins
- The IP addresses used by both perpetrators were from different continents.
- Both perps were identified and seem to be completely different people.
- Whether or not they knew each other is also a bit irrelevant because why would they go through all the work, of again setting this entire operation up, only for both of them to leave logs behind showing they both stole coins?

If indeed MidasCoin==JBA, or they knew each other, why wouldn't MidasCoin simply tell JBA to steal all the coins and make it look like a really bad hack?

I responded to your other post, but I guess you ignored it. So I'm glad I was able to respond to you here more thoroughly.
7  Alternate cryptocurrencies / Altcoin Discussion / Re: [BITCOMSEC] Tracking a Bitcoin Thief pt. II: Disclosure of MidasCoin collapse on: November 20, 2014, 05:51:58 PM
LoL Hack. I call this a inside job.

If you read my report you would see that:

- Its servers were compromised
- Owner ends up fleeing with remaining coins

So in this case it was both. The hacker walked away with a tiny fraction of MIDs. And the owner basically ran off with the rest. Dealing with disclosing compromise to the community was probably too much for him.

Cheers
8  Alternate cryptocurrencies / Altcoin Discussion / Re: [BITCOMSEC] Tracking a Bitcoin Thief pt. II: Disclosure of MidasCoin collapse on: November 20, 2014, 05:20:06 PM
djm34,

We are working with victims of other scams as well. Unfortunately we are a small team of researchers so it requires time and evidence to put these kinds of reports together.

Thanks for the read!
9  Alternate cryptocurrencies / Altcoin Discussion / Re: [BITCOMSEC] Tracking a Bitcoin Thief pt. II: Disclosure of MidasCoin collapse on: November 20, 2014, 08:20:32 AM
Thank you for the kind comment! We appreciate it. It's a small team, and we're really passionate about Bitcoin, crypto currencies and Security. So why not combine them all and at the same time? Also, we feel the community is too lax when it comes to these incidents and it is mostly because people have lost so many Bitcoins, or have been hacked so many times - and very little has been done about it until now. We hope to change that. And at the same time bring security awareness to the community we hope can grow and change the world.

Thanks again!
Mike
10  Alternate cryptocurrencies / Altcoin Discussion / Re: [BITCOMSEC] Tracking a Bitcoin Thief pt. II: Disclosure of MidasCoin collapse on: November 20, 2014, 08:00:33 AM
Great work, Mike.

I have a few questions, if you don't mind.

1: In your report, you stated the following:

Quote
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we can not track down exactly whose password was compromised but it points to one of the owners of MidasCoin who probably shared sensitive login details via Skype or email.

From our point of view the attacker simply logged into the servers using user accounts he had access to. No exploits. No vulnerabilities or backdoors in third party software. He simply logged in. Another reason we assume access was gained through the misuse of universal passwords is because the attacker did indeed fail to log into the servers multiple times:

     1.1: Why did you assume the password/s was/were compromised via Skype/email? Was there evidence pointing to that fact? Couldn't the 'hack' be a smokescreen, and the owners were involved all along, especially in light of the subsequent dump at Bittrex?
     1.2: You used the phrase "one of the owners". Aside from Alessandro Soldati, was anyone else identified?

2: The owner of Coin Source, the organization which conducted the 'Proof of Developer', claimed to have been contacted by "authority agencies". Have you been in contact or contacted with/by said agencies and/or Coin Source? If no contact has been made, are you planning on approaching Coin Source to initiate contact with the "authority agencies" in question?

3. The owner of Coin Source identified the developer as 'Guiseppe'. Is that an alter ego of Soldati or someone else entirely?


Hey!

1.1: If you read our previous report on the CryptoRush hack (https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/) you would come away from the thoroughly investigated report with the sense that the original attacker (Identified as Jimmy Bluey Amatong of Philippines) had an apparent modus operandi which started towards the end of 2013/January 2014 which consisted of:

a) (initially started with) setting up pools to utilize mining power towards personal gain and logging their usernames/emails/passwords
b) traverse email accounts for further login information
c) traverse exchanges for email/password or username/password combinations until he was able to log into accounts and exfiltrate coins
d) log into skype/dropbox/emails/other third party services looking for sensitive information he can use to further his attacks

By following this MO he was able to infiltrate CryptoRush.in servers via universal passwords. Locating administrative communications on the victim's Skype account. Locating login information in emails from ISPs and Skype conversations and eventually finding access onto a backup server for CryptoRush.in.

In the case of JBA's attack on multipool.us he utilized a combination of Cookie brute forcing and CSRF attacks (this was the only attack that did not fit his MO from the evidence and logs we have seen - it is also evidence that it was a failed attack on the pool).

Now finally to MidasCoin - the logs we were able to recover from the Elance customer server showcased JBA's activity regarding all of these attacks ending with the MidasCoin project - at this point we were able to communicate with the Elance customer, and remove his stash and access.

If you read our MidasCoin server audit (the PDF link above) you will see the entry points of the attacker which used the same IP addresses (the 66.*.*.* chunkhost server) to infiltrate CR months back.

In comparing our logs and evidence from JBA's hack of MidasCoin, and the complete theft of the coins by MidasCoin founder - you see extreme differences. Using deduction and logic we determined that JBA more than likely obtained access to these servers the very same way he had access to CR - by having access to a leaked password list belonging to miners/traders/users and logging into all of their accounts looking for treasures.

1.2: The second person who was part of the staff was accessible to me over IRC and I was not able to identify him. From what I can see / tell he, and the coin developer were robbed of what was owed to them for working on the projects. Shortly after the founder stole the rest of the coins - everyone pretty much left and I no longer received responses from anyone.

2: I have had no contact with anyone involved in investigating this case, or Coin Source. I will try to reach out to them. As for LEAs I can provide my research to anyone who requests it - although I've published everything I have in the links above.

3: The information regarding the persons name we discovered during the process of our research by looking at who has been using those email addresses publicly, and the information we were able to see from the user accounts in the database. We do not know if the name is a pseudonym, or actual. We threw it out there in case the community can make sense of it.

Thanks for the questions!
11  Alternate cryptocurrencies / Altcoin Discussion / [BITCOMSEC] Tracking a Bitcoin Thief pt. II: Disclosure of MidasCoin collapse on: November 20, 2014, 06:39:20 AM
Hi all,

As some of you may know we have been releasing reports discussing security incidents within the Bitcoin/Altcoin/Crypto Currency communities for some time now and we unveil to the community our latest report:

https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-part-ii/

It discloses what happened to MidasCoin, who was involved in the original hack of its servers, and ultimately who stole the rest of the MIDs to collapse the market (its founder).

You can also read our post-hack audit report of their servers at:

https://pdf.yt/d/frMzLRBnwbna725z

The story in a gist:

- The guy responsible for the CryptoRush hack was also involved in attacking MultiPool.us accounts back in early January (CSRF attacks)
- He hacked CryptoRush.in and stole most of users BTC and altcoins
- We tracked down his stash server where he stored most of his stolen goods (wallets, login databases of miners/traders/users)
- We discovered he was actively attacking MidasCoin.io/Pool and was able to stop him
- We were hired by MidasCoin to do an audit of the compromise
- Owner of MidasCoin spooks and instead of dealing with consequences of disclosure to community simply runs off with 200k+ MIDs and crashes market

Unfortunately he stole from the community, its miners and traders and simply vanished. We put together a good report with logs and evidence to back it all up.

If you'd like to show us support for our work you can:

Donate to: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9
twitter.com/bitcomsec and RT: https://twitter.com/bitcomsec/status/535308255158083584
reddit: http://www.reddit.com/r/Bitcoin/comments/2murh2/tracking_a_bitcoin_thief_pt_ii_disclosure_as_to/ Discuss and upvote!

Thanks,
Mike @ BITCOMSEC
12  Alternate cryptocurrencies / Announcements (Altcoins) / Re: LIVE|MidasCoin|Backed|New Scrypt PoM|ATM card|Referral|NO IPO|UNIQUE on: November 20, 2014, 05:51:04 AM
We have released our report into the MidasCoin collapse which you can read at:

https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-part-ii/

It went live a few moments ago. Any reddits/retweets that help spread the truth of what happened would be helpful to the community.

Regards!
Mike
13  Economy / Digital goods / Re: Looking for a keybase.io invite code on: November 06, 2014, 08:17:11 AM
Yeah, I'm giving them away for free too. Anyone want a free one just PM me. I love keybase.io.

https://keybase.io/bitcomsec
14  Economy / Digital goods / Re: Looking for a keybase.io invite code on: November 05, 2014, 08:55:29 PM
I have several as well, if you need one just send me a quick PM with your email (As the invite is sent to an email) and I'll send it your way.

Cheers!

P.S. Keybase.io is awesome
15  Bitcoin / Project Development / Re: Bitcoin Bouny Hunter: Bitalo DDOS attacker discussion on: November 05, 2014, 03:29:50 PM
Martin,

Great information. Thanks!

Mike @ BITCOMSEC
16  Bitcoin / Project Development / Re: Bitcoin Bouny Hunter: Bitalo DDOS attacker discussion on: November 05, 2014, 03:07:54 PM
Hi Roger,

My name is Mike and I'm with the BITCOMSEC (Bitcoin Community Security) Project. Our aim is to provide the community security services free of charge, and we're donation based. In the last year we've extensively audited exchanges, pools and merchants for security issues and provided the research to each of them respectively. Recently we've focused more on investigative research into these thieves:

Tracking down the CryptoRush.in hacker:
https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/

Exposing and shutting down an elaborate Coinbase.com/Blockchain.info phishing network:
https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/

With that being said we are in the business of tracking down and exposing Bitcoin thieves to the community.

- Is there an archived copy of the extortion email + headers?

Thanks. Looking into this immediately.

Mike
17  Economy / Service Discussion / Re: Coinbase.com and Blockchain.info Bitcoin Wallet Phishing Scam Exposed on: November 04, 2014, 02:23:08 AM
Good on 'ya for immediately bringing this to the attention of those services. When it comes to this kind of issue, time is of the essence. Everyone did a great job of handling this!

Thank you so much for the kind words. We hope by doing these reports, and shutting down these operations people will break out of the apathy in regards to Bitcoin thefts and begin pursuing it more often than not.

A big shout out to BitcoinVPS and Apexy.com for shutting down the phishers' networks. Also a shout out to Blockchain.info staff for working with us and quickly handling the information we were able to provide them as we followed the phishers from server to server.

reg.ru/2domains.ru however is blatantly accepting of this behavior and has ignored my emails regarding the attackers' use of their domain registrar and VPS servers for the scams.
18  Economy / Service Discussion / Coinbase.com and Blockchain.info Bitcoin Wallet Phishing Scam Exposed on: November 04, 2014, 02:01:35 AM
Hi all,

My name is Mike and I am with the BITCOMSEC (Bitcoin Community Security) Project and we are a team of dedicated security researchers and developers who take our spare time in doing security research, audits and investigative reports that aim to bring security awareness to the Bitcoin and OSS communities.

Last time we did a report on the CryptoRush.in hack which I think was a major blow to the entire altcoin scene: https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/

This week we have done an in depth investigative report into an elaborate and effective Coinbase.com and Blockchain.info based Phishing scam that many of you may have seen throughout the blockchain. It basically involved the use of sending bits of dust to a large number of addresses associated with Coinbase.com/Blockchain.info/BTC-e and other misc wallets.

We studied the phishers' methodology, monitored their activity, and discovered their logs of compromised accounts (all the while reporting the compromised accounts/passwords/GUIDs/IPs to Blockchain.info and Coinbase.com). Finally, after exhaustive research we communicated with all of the VPS companies that the phishers used and effectively shut the entire operation down.

You can read all the details, with logs, evidence and screenshots of how we managed to infiltrate the phishing network:

https://bitcomsec.true.io/bitcomsec/coinbase_com-and-blockchain_info-bitcoin-wallet-phishing-scam-exposed/

Thanks all.

And if you'd like to support us check out https://bitcomsec.true.io for our donation address or upvote the following to help spread awareness:

http://www.reddit.com/r/Bitcoin/comments/2l7tk1/coinbasecom_and_blockchaininfo_bitcoin_wallet/
https://news.ycombinator.com/item?id=8554708

Regards,
Mike

EDIT: Typos
19  Alternate cryptocurrencies / Announcements (Altcoins) / Re: LIVE|MidasCoin|Backed|New Scrypt PoM|ATM card|Referral|NO IPO|UNIQUE on: November 02, 2014, 07:05:48 PM
Hi all,

I'm with the BITCOMSEC (Bitcoin Community Security) Project and I've actually been writing a report on this situation to be released as soon as possible. We were hired by the MidasCoin staff to do a post-hack forensic report once I approached them with evidence that MidasCoin may have been compromised by the same attacker involved with the CryptoRush.in hack. Evident by FTP logs from the attacker's stash FTP server:

Thu Sep 18 23:18:21 2014 0 222.127.174.73 409 /home3/[redacted]/public_html/upload.php a _ o r [redacted] ftp 1 * c
Thu Sep 18 23:20:19 2014 0 222.127.174.73 1769 /home3/[redacted]/public_html/wall/redis.py b _ o r [redacted] ftp 1 * c
Thu Sep 18 23:23:55 2014 16 222.127.174.73 8069055 /home3/[redacted]/public_html/wall/ubuntu.tar.gz b _ o r [redacted] ftp 1 * c
Fri Sep 19 00:18:17 2014 111 222.127.174.73 55368374 /home3/[redacted]/public_html/wall/php-mpos.tar.gz b _ o r [redacted] ftp 1 * c
Fri Sep 19 01:03:34 2014 12 222.127.174.73 917504 /home3/[redacted]/public_html/wall/mpos.sql b _ o r [redacted] ftp 1 * c
Fri Sep 19 01:49:25 2014 9 222.127.174.73 2842624 /home3/[redacted]/public_html/wall/midaswallet.dat b _ o r [redacted] ftp 1 * c
Fri Sep 19 01:49:27 2014 0 222.127.174.73 22769 /home3/[redacted]/public_html/wall/history.txt a _ o r [redacted] ftp 1 * c
Sun Sep 21 18:48:47 2014 0 120.28.228.59 74 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 18:51:16 2014 0 120.28.228.59 225 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 18:51:59 2014 0 120.28.228.59 254 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 18:56:31 2014 0 120.28.228.59 254 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 18:56:49 2014 0 120.28.228.59 254 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 18:57:01 2014 0 120.28.228.59 255 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:02:14 2014 0 120.28.228.59 729 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:03:52 2014 0 120.28.228.59 874 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:06:32 2014 0 120.28.228.59 903 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:06:46 2014 0 120.28.228.59 903 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:07:43 2014 0 120.28.228.59 910 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:07:47 2014 0 120.28.228.59 910 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:08:08 2014 0 120.28.228.59 923 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:08:25 2014 1 120.28.228.59 929 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 19:08:57 2014 0 120.28.228.59 888 /home3/[redacted]/public_html/wall/sqltest.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 21:36:46 2014 0 120.28.228.59 922 /home3/[redacted]/public_html/wall/log.php a _ o r [redacted] ftp 1 * c
Sun Sep 21 21:37:48 2014 0 120.28.228.59 911 /home3/[redacted]/public_html/wall/log.php a _ i r [redacted] ftp 1 * c
Sun Sep 21 21:38:05 2014 0 120.28.228.59 919 /home3/[redacted]/public_html/wall/log.php a _ i r [redacted] ftp 1 * c
Tue Sep 23 17:58:58 2014 18 121.54.58.246 14647192 /home3/[redacted]/public_html/wall/web.gzip b _ o r [redacted] ftp 1 * c
Tue Sep 23 17:59:04 2014 4 121.54.58.246 2397961 /home3/[redacted]/public_html/wall/stratum-m.gzip b _ o r [redacted] ftp 1 * c
Tue Sep 23 17:59:06 2014 1 121.54.58.246 272205 /home3/[redacted]/public_html/wall/stratum.gzip b _ o r [redacted] ftp 1 * c
Tue Sep 23 17:59:17 2014 10 121.54.58.246 7132833 /home3/[redacted]/public_html/wall/midascoin.gzip b _ o r [redacted] ftp 1 * c
Wed Sep 24 01:54:38 2014 0 121.54.58.246 1 /home3/[redacted]/public_html/wall/ss.txt a _ i r [redacted] ftp 1 * c
Wed Sep 24 01:54:45 2014 0 121.54.58.246 108 /home3/[redacted]/public_html/wall/klss.php a _ i r [redacted] ftp 1 * c
Wed Sep 24 02:05:19 2014 0 121.54.58.246 114 /home3/[redacted]/public_html/wall/klss.php a _ o r [redacted] ftp 1 * c
Wed Sep 24 02:05:38 2014 0 121.54.58.246 137 /home3/[redacted]/public_html/wall/klss.php a _ i r [redacted] ftp 1 * c
Wed Sep 24 02:05:50 2014 0 121.54.58.246 3 /home3/[redacted]/public_html/wall/ss.txt a _ o r [redacted] ftp 1 * c
Wed Sep 24 02:06:19 2014 0 121.54.58.246 22 /home3/[redacted]/public_html/wall/ss.txt a _ o r [redacted] ftp 1 * c
Wed Sep 24 02:08:19 2014 0 121.54.58.246 108 /home3/[redacted]/public_html/wall/klss.php a _ i r [redacted] ftp 1 * c
Wed Sep 24 02:41:49 2014 0 121.54.58.246 450 /home3/[redacted]/public_html/wall/midas/ipsearch.php a _ i r [redacted] ftp 1 * c
Wed Sep 24 02:48:15 2014 0 121.54.58.246 138 /home3/[redacted]/public_html/wall/midas/error_log b _ o r [redacted] ftp 1 * c
Wed Sep 24 02:48:48 2014 0 121.54.58.246 138 /home3/[redacted]/public_html/wall/midas/error_log b _ o r [redacted] ftp 1 * c
 
You can read my CR hack report at: https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/

Currently I'm finalizing my report on this entire hacking scandal with a conclusion, complete with logs and evidence, as to why MidasCoin shut down and who was involved in it shutting down.

But to give you a quick breakdown before my report goes live:

- CR hacker infiltrates MidasCoin
- CR hacker steals a chunk of MidasCoins and dumps on Bittrex
- I was brought in to do the live forensic research
- MidasCoin owner flees without paying me for my research, steals the remaining MidasCoin and dumps it all on Bittrex and has yet to return.

There's another member of the staff who got scammed in the process, as well as the coindev. All victims and two perpetrators (hacker, and owner). As far as I know the community, and staff got scammed by the Italian gentlemen listed elsewhere in this thread.

Hope this clears up some unanswered questions!

Cheers,
Mike
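
A triage sketch for FTP transfer logs like the excerpt in the post above, added here as an example; it is not BITCOMSEC's tooling and not part of the original post. It assumes the lines follow the standard xferlog(5) field order; the sample lines are constructed with documentation-range addresses, and the filename pattern is an illustrative assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field order per xferlog(5): time, transfer-secs, remote-host, size, path,
# type (a/b), action flag, direction (o/i/d), access mode, user, service,
# auth method, auth user, completion status (c/i).
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>.+) "
    r"(?P<type>[ab]) (?P<flag>\S+) (?P<dir>[oid]) (?P<access>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)
# o = sent by the server (download), i = received by the server (upload).
DIRECTION = {"o": "out", "i": "in", "d": "deleted"}
# Assumption: filename endings an investigator would want surfaced first.
SENSITIVE_RE = re.compile(r"(wallet\.dat|\.sql|\.tar\.gz|\.gzip)$", re.I)

# Constructed sample input (not taken from any real server).
SAMPLE = """\
Mon Mar 03 10:00:01 2025 0 192.0.2.10 512 /srv/ftp/drop/probe.php a _ i r stash ftp 0 * c
Mon Mar 03 10:02:40 2025 14 192.0.2.10 7340032 /srv/ftp/drop/backup.tar.gz b _ i r stash ftp 0 * c
Mon Mar 03 10:05:12 2025 3 192.0.2.10 2842624 /srv/ftp/drop/wallet.dat b _ i r stash ftp 0 * i
Tue Mar 04 22:15:09 2025 9 198.51.100.7 2842624 /srv/ftp/drop/wallet.dat b _ o r stash ftp 0 * c
this line is not an xferlog record
"""


def parse_line(line):
    """Return one xferlog record as a dict, or None if the line does not match."""
    m = XFERLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["secs"], rec["size"] = int(rec["secs"]), int(rec["size"])
    rec["dir"] = DIRECTION[rec["dir"]]
    rec["complete"] = rec["status"] == "c"
    return rec


def summarize(lines):
    """Group transfers by remote host; return (per-host stats, unparsed line count)."""
    hosts = defaultdict(lambda: {
        "first": None, "last": None,
        "in_bytes": 0, "out_bytes": 0,
        "incomplete": 0, "sensitive": [],
    })
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep count so gaps in the evidence are visible
            continue
        h = hosts[rec["host"]]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        if rec["dir"] in ("in", "out"):
            h[rec["dir"] + "_bytes"] += rec["size"]
        if not rec["complete"]:
            h["incomplete"] += 1
        if SENSITIVE_RE.search(rec["path"]):
            h["sensitive"].append((rec["ts"], rec["dir"], rec["path"]))
    return dict(hosts), skipped


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE.splitlines())
    for host, s in sorted(summary.items()):
        print(f"{host}: {s['first']} .. {s['last']} "
              f"in={s['in_bytes']}B out={s['out_bytes']}B incomplete={s['incomplete']}")
        for ts, direction, path in s["sensitive"]:
            print(f"    {ts} {direction:>3} {path}")
    print(f"unparsed lines: {skipped}")
```
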




20  Bitcoin / Project Development / Re: Oppinions? on: November 02, 2014, 04:39:07 AM
+1 on signing.
