Bitcoin Forum
May 11, 2024, 11:55:19 PM *
Author Topic: HELP, BITCOINS STOLEN - REWARD 600 Bitcoins or equivalent in Euro  (Read 10306 times)
sippsnapp
November 21, 2012, 12:26:53 PM
 #61

I've tried scanning with 2 different virusscanners, and neither seems to find a likely culprit.
Both of course mark all bitcoin miners as a potential threat, but clearly marked as "mining" or something like that.

At this point I'm giving up the search. Sorry about not being able to provide the details, but maybe being paranoid will be good for your security.

Also, my new netbook is spiffy ^_^

What did you scan?
The public bitcoin miners are detected because the same miners are used in botnets; I doubt any official miner has a trojan attached.
As I wrote above, if you scan files, scan on VirusTotal or Jotti.

Twitter, Facebook, google, Anonymous - The hacker group.

Offer them the reward.

It's gonna take a good hacker to find that person.  Anon loves bitcoin - they will almost for sure help you.  You MAY get lucky and they will do it for a reduced fee because they like it so much.

Good luck to you.

A hacker probably won't find any more than already presented here unless he can get direct access to the IPs mentioned; however, as dynamic IPs are nothing fancy nowadays, I'd expect the IP of the attacker has changed by now.
A professional local investigator should be a step right after trying to contact the ISP.

So-called hackers (I guess you mean professional pentesters and security auditors) seldom have a lot of spare time to chill on Facebook, lol. The success rate should be higher when hiring a real professional from an agency/firm; of course you could be lucky and find a bored unemployed genius.

Πάντα ῥεῖ
Bitcoin + Altcoin node pool setup - pm
MKEGuy
November 23, 2012, 03:28:42 AM
 #62

You obviously have no idea how anon works, I'll leave it at that.  Rather than throwing in your worthless two cents - why don't you actually provide some ideas besides your loose and general crap that is right in front of you.

If you have >100 posts play the Circle of Trust Game  If I have helped you in any way, or you are just feeling generous... please feel free to donate! Smiley LNarfMNLyymkS9WYQFLcmr46AeMYNP8Qj2
constitution
January 22, 2013, 06:57:42 PM
 #63

Yeah, all it is, is either a RAT or an IRC/HTTP bot which has downloaded and executed an open source wallet stealer which uploads the wallet to an FTP. If it's a RAT then the attacker would have just used a remote file manager.

Either way nothing special; having the binary used, however, would allow us to find the point of origin. Especially if a RAT was used, because they make a connection to the attacker themselves and not a centralized command and control server.

I think, OP, you being infected and having your wallet stolen would have been in the time frame of 24 hours max. So thinking back to when you had your wallet stolen, anything within a day of downloading some form of exe would help.

Not only would your wallet have been stolen, but you would have probably fallen victim to the attacker actually mining on your computer. This is something else that saddens me, because people who do this do very little to hide the login and password to the pool they are mining for.

I would try a simple dictionary attack on the mail.ru for the email, however I do not possess any Russian based pass lists. Either way I'll keep trying and see what I can find.

Why does this happen to other people and not me, I WANT to be infected by such malware.
Kryptox
January 22, 2013, 07:20:02 PM
 #64

So what happens if you do find out who it was?  Even if he gets prosecuted, those Bitcoins are locked away with a key that the thief only knows.  As for him paying any restitution, good luck when he'll never have a real job.
constitution
January 22, 2013, 08:49:03 PM
 #65

Sorry but I think your bitcoins are good as gone.
conspirosphere.tk
January 22, 2013, 09:46:39 PM
 #66

Shouldn't any virus running be visible as a process? (I use http://systemexplorer.net to check them, beyond AVG free)

mralbi (OP)
January 22, 2013, 10:19:19 PM
 #67

Dear all,
I have received NEW important information on this issue.


the hacker also owns the key 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT and his "real" email address is sam.rankin@me.com
he used IP address 97.106.160.84
on 2012-10-05 at 20:51:51

He used to mine on deepbit, but they do not hand out any info about their users and do not answer my mails.

Maybe one of you guys is smart enough to get any useful information about this case.

The 600 BTC reward is still available.

DannyHamilton
January 23, 2013, 12:05:08 AM
 #68

dear all,
i have received NEW important information in this issue . . .

I can see here that the thief who controls 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS also controls 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12
http://blockchain.info/tx/7e1455f12fdbb7119fe350edb1410f2e1cdff723c15b7e2d9acb8568124e1bb5

And I can see here that the thief who controls 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12 received bitcoins from someone who controls 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT
http://blockchain.info/tx/83d2fd573e5ce47fca38bc3895356b8ed4a6b98a4c2b49c030dd0444a2ac506f

But I'm not sure how you determined that the person who controls 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT is also the person who controls 1Q3KFL7Z1BTpUboDaU6Qj3t9xCXWpzNntS

It certainly is possible that Mr. Rankin is the thief and sent bitcoins to himself, but isn't it also possible that the thief is someone else and received bitcoins from Mr. Rankin (or stole bitcoins from Mr. Rankin)?

Huh
constitution
January 23, 2013, 12:34:00 AM
 #69

how are we going to help you get it back..?
mralbi (OP)
January 23, 2013, 07:27:57 AM
 #70

yes, some data from bitmarket.eu also show that the addresses are used at least by the same computer

DannyHamilton
January 23, 2013, 12:31:44 PM
 #71

yes, some data from bitmarket.eu also show that the addresses are used at least by the same computer
If that's true, then there is probably a MUCH larger list of addresses controlled by the thief and addresses that engaged in a transaction with the thief.

I'll try to put together the list for you later this week.  If you PM your email address, I'll email you the list when I've got it complete.
DannyHamilton
January 24, 2013, 10:39:28 PM
 #72

mralbi,

I've finished my program that scans the blockchain and uses the inputs from transactions to link addresses to a single entity that controls the list of addresses.  A person can keep addresses from being tied together by being careful to keep their bitcoins in separate wallets or using raw transactions for coin-control to avoid connecting addresses together in inputs, so the program will not be able to report those addresses that are carefully segregated.

Running the program, I find 901 addresses that can all be said to have been used in inputs by someone who has the private key to 1AFs9GrQyPQpN5W73RzizcEap1CQ7whPZT.

I've emailed the list to you.
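
An added illustration of the input-based linking described in post #72 and of the sender/receiver distinction raised in post #68; it is not DannyHamilton's program or code from this thread, and the transactions and single-letter address labels are constructed. Addresses spent together as inputs of one transaction are merged into one cluster, while output addresses are left unlinked.

```python
class AddressClusters:
    """Union-find over addresses; addresses co-spent as inputs share a root."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            # Path halving keeps lookups fast on long chains.
            self.parent[addr] = self.parent[self.parent[addr]]
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def add_transaction(self, tx):
        inputs = tx["inputs"]
        for addr in inputs:
            self.find(addr)  # register single-input spenders too
        for other in inputs[1:]:
            self.union(inputs[0], other)
        # Outputs are deliberately NOT merged: paying an address does not
        # show that the payer holds its private key.

    def cluster_of(self, addr):
        root = self.find(addr)
        return sorted(a for a in self.parent if self.find(a) == root)


# Constructed sample data: labels are placeholders, not real addresses.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A", "B"], "outputs": ["C"]},
    {"txid": "tx2", "inputs": ["B", "D"], "outputs": ["E"]},
    {"txid": "tx3", "inputs": ["F"], "outputs": ["A"]},  # F pays A: no link
    {"txid": "tx4", "inputs": ["G", "H"], "outputs": ["D"]},
]


def build_clusters(txs):
    clusters = AddressClusters()
    for tx in txs:
        clusters.add_transaction(tx)
    return clusters


if __name__ == "__main__":
    c = build_clusters(SAMPLE_TXS)
    print("cluster of A:", c.cluster_of("A"))
    print("cluster of F:", c.cluster_of("F"))
```
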
twolifeinexile
January 25, 2013, 03:26:33 AM
 #73

Paper wallets!  This is how you protect your bitcoins.  Just for fun, send 0.01 BTC to a paper wallet right now and then import it back.  Seeing it work is a valuable learning experience.

Paper wallets work until you need to load coins back to a hacked machine.

At least you'll only lose 1/10 of your coins, assuming you split them across 10 paper wallets, and that's assuming the hacker can redeem them faster than you.  If you are being actively keylogged while you redeem a paper wallet, and you click OK or hit enter before he has a chance to initiate the theft transaction, he still won't be able to steal.  The normal password trojan that logs keystrokes and sends logs periodically to the hacker is good for stealing passwords and credit card numbers but won't be of any use if the entered key becomes worthless moments after entry - he either has to be watching you in real time, or use more sophisticated malware adapted to detecting you entered a key and then preventing you from completing your transaction once you enter the key.

So a paper wallet, once used, should be emptied and no longer considered a cold wallet, right?
pelim
December 05, 2013, 02:52:44 PM
 #74

The bitcoins are still remaining in the thief's wallet - maybe the 600 BTC reward is now more interesting.
Rampion
December 05, 2013, 03:53:08 PM
 #75

that hacker is doing good indeed. +$2.5MM with a lousy trojan horse.

JayB
December 05, 2013, 05:25:49 PM
 #76

Is this still on?  Grin
Kane49
December 05, 2013, 05:38:58 PM
 #77

Is this still on?  Grin

Quite sure both sides forgot about it Smiley
Sheldor333
December 05, 2013, 06:04:43 PM
 #78

Sorry to tell you this. Well, most likely you won't see those BTC again. How could he trick you into installing it? Try contacting mail.ru and tell them the situation, maybe they can help you. IP is proxy or VPN so it is a dead end.

mralbi (OP)
January 21, 2014, 09:13:33 AM
 #79

Well, I actually have new evidence in this case.

The hacker provably had an account at http://www.tf2whx.com/ and used various addresses to launder other coins. The admin of the website, however, refuses to hand out the IP/email address of the hacker, so I am now pursuing the official way, which might take another 3 years.....

The only information I received from the website admins was:

"These are the withdrawals that go to 1Bu..."
Also I am only able to do this because this person was not in fact a customer of ours at all, it seems they just laundered their coins here. Which is illegal. If they would have purchased even 1 credit I would only be able to give this to law enforcement, so GG whoever this guy is. Good luck.
 




5:29 AM
ok, give him this:
 
transaction ids



5:29 AM
 This is a list of all the bitcoin transactions that the user who controls the 1BuXv589E9pqYrLfcMiUPnurgBZZS6sL12 address has made through our system
 That should be all he needs in order to track down the comings and goings of the bitcoins.
 

5:35 AM
His deposit address in our system was: 1EcFFZ7eykZQjw6LnDKiXg8NfjSUvqHKZE



If this would help anyone to identify the hacker, the 600 BTC reward is still open.

jongameson
January 21, 2014, 12:20:25 PM
 #80

hey let it go. everything happens for a reason.  Smiley