Bitcoin Forum
Topic: Cryptsy was hacked - lost 13,000 BTC & 300,000 LTC
#1 ethought (OP), January 15, 2016, 04:08:54 AM

http://blog.cryptsy.com/

#2 Bobsurplus, January 15, 2016, 04:11:36 AM

And he covered it up for over a year.
Vern is fucked. Royally.

#3 Robertt, January 15, 2016, 04:13:03 AM

Let's be honest, we all saw this coming.
Anyway here is the tx for those interested in hunting for the 1,000 Bitcoin bounty. Not sure if it's even legit or not.
https://blockchain.info/tx/c7b46a79fd8887038bd3a8e884b04820038415a60e0b9d2c2f5bcff68a2687bf
Have fun and good luck hunting. Sucks to see over 4.5 million was stolen and that's just from the BTC, the LTC is worth some money as well.

#4 Bobsurplus, January 15, 2016, 04:13:45 AM

Quote from: Robertt (#3)
Let's be honest, we all saw this coming.
Anyway here is the tx for those interested in hunting for the 1,000 Bitcoin bounty. Not sure if it's even legit or not.
https://blockchain.info/tx/c7b46a79fd8887038bd3a8e884b04820038415a60e0b9d2c2f5bcff68a2687bf
Have fun and good luck hunting. Sucks to see over 4.5 million was stolen and that's just from the BTC, the LTC is worth some money as well.

Hell nah, it ain't legit. It's an inside job and the only one who knows where those coins are is Vern.

#5 Robertt, January 15, 2016, 04:15:23 AM

Quote from: Bobsurplus (#4)
Hell nah, it ain't legit. It's an inside job and the only one who knows where those coins are is Vern.


Do you have any information on "Vern"? Even his personal email or full name would be sufficient. I'd like to see what I can find on this guy and hopefully do something in the case that it actually was an inside job. (Most likely it was: if you have over 5 million in a wallet, you would obviously pay quite a bit for your site to be fully secured and safe from hacks.)
If you do have any information on the guy, could you please PM me with it? I'd like to attempt to dox this guy.

#6 ethought (OP), January 15, 2016, 04:17:22 AM

I just can't believe they did not disclose it as soon as they were aware of the losses.

#7 ethought (OP), January 15, 2016, 04:22:45 AM

How the hell did a Trojan steal from their cold wallets??

Quote
About a year and a half ago, we were alerted in the early AM of a reduction in our safe/cold wallet balances of Bitcoin and Litecoin, as well as a couple other smaller cryptocurrencies.

#8 Chris Sokolowski, January 15, 2016, 05:44:37 AM

Looks like as I predicted on November 14, Deathpixie was real.  http://forums.prohashing.com/viewtopic.php?f=11&t=655

Quote from: ethought (#7)
How the hell did a Trojan steal from their cold wallets??

Quote
About a year and a half ago, we were alerted in the early AM of a reduction in our safe/cold wallet balances of Bitcoin and Litecoin, as well as a couple other smaller cryptocurrencies.
That was the same thought I had.  This screams incompetence.  They ignored three basic security protocols in setting up a secure daemon server:

  • Sandbox each coin daemon to prevent it from accessing any other files
  • Encrypt wallets so that even if the server is compromised, the wallet.dat is useless
  • Store the cold wallets on a different machine

I already knew they couldn't maintain a daemon server, since they always had about 20 coins in "maintenance" and never fixed any of them, but now this proves that they had no clue even how to secure it. At the Prohashing mining pool, we run over 150 coin daemons, each as a separate user, and restrict each one so that it cannot access any files other than its own. Even if we ever accidentally installed such a trojan, it could not gain access to the wallets of any other coins. Even if a bug in Debian allowed users to access others' files, the wallets are locked with the keys stored on a separate server. And they never could access our cold wallet, because that is on a flash drive that is never connected to any PC.

We got out in November when we saw the cracks forming.  I wish the best of luck for others to retrieve their funds.  I wish the employees the best in finding new jobs, but at the same time I am glad that I do not have to deal with their customer support any longer.


#9 cryptomann420, January 15, 2016, 06:02:13 AM

Maybe this will explain something, or nothing: https://github.com/alerj78/lucky7coin/issues/1
You be the JUDGE!!


#10 foxbitcoin, January 15, 2016, 07:27:46 AM

(Quotes Chris Sokolowski's post #8 in full.)

As a normal user, we wouldn't know that. Until now, I know nearly all of the exchanges got hacked to different extents. Some can't survive and collapse. We shouldn't trust these exchanges with our money.

#11 Chris Sokolowski, January 15, 2016, 09:01:42 AM

Quote from: foxbitcoin (#10)
Until now, I know nearly all of the exchanges got hacked to different extents. Some can't survive and collapse. We shouldn't trust these exchanges with our money.
The avenue of attack was not especially sophisticated or unique, and it could have been easily prevented with security precautions commonly employed by all server admins.  While I will never store large amounts of money in an exchange, I find it hard to believe that most exchanges are that vulnerable.  While no server is ever completely immune to hacking, it doesn't take much knowledge to secure a server.


#12 mxnsch, January 15, 2016, 09:48:15 AM

Quote from: Chris Sokolowski (#11)
While no server is ever completely immune to hacking, it doesn't take much knowledge to secure a server.
Wrong, or exaggeratedly simplified. It does take years of experience and dedication not to take any shortcuts.

Also, we are talking (or should be talking) about dozens of systems and services that need to be firewalled, segregated, sandboxed, pentested, updated and monitored. This is a job for experts and should be done internally and externally at regular intervals.



#13 bobyhodob, January 15, 2016, 10:57:23 AM

Oh my god, 13,000 and 300,000 LTC.
Sorry Cryptsy, I heard it. I only have 0.1 on there.


#14 Melech, January 15, 2016, 06:48:43 PM

I think I found the stolen LTC tx: (247,501 LTC)
http://explorer.litecoin.net/tx/61e61a63f35c951a16870df9e0a34df462ee473fde819d134da9485d2e7d8f44

Literally 3 minutes after the BTC tx Vern posted...

I also believe this to be Dash/DRK stolen 4 hours later: (456,501 Dash)
https://chainz.cryptoid.info/dash/block.dws?110242.htm

Both addresses were storing coins in 10k, 25k, 50k units, and both were started with a single 1 unit coin:
2014-05-20 05:44:45   + 1.0 LTC
2014-05-25 20:55:13   + 1.0 DASH


#15 galbros, January 15, 2016, 07:40:51 PM

Quote from: Bobsurplus (#2)
And he covered it up for over a year.
Vern is fucked. Royally.

The hack was bad and the cover up just makes it worse.  I'm not even sure this is really all there is to it.

I'm starting to worry that alt coin exchanges are only one step away from cloud mining services - they may be legitimate, but no way to tell for sure that they are.

Condolences to everyone who lost coins on this one.

#16 Bobsurplus, January 15, 2016, 07:45:57 PM

(Quotes galbros's post #15 in full.)

And that's another reason why bitcoin is failing.
Just sell now and cut your losses, dude.

#17 Epinnoia, January 15, 2016, 09:39:46 PM (last edit: January 15, 2016, 10:28:06 PM)

Looks like someone took the gox script and made very tiny edits to the facts. We have someone in a privileged position coming in through a hidden back door. We have coins sitting without being accessed.

Do we also have creditors that needed to be paid first? Employees that needed to be paid? Credit lines that were extended when there was no competition, which never should have been extended?

How is this NOT a cryptocoin shakedown?  Give us ~$4million, or Cryptsy dies...

We deserve to see Cryptsy's books... Perhaps in a court of law.  Were they operating profitably these past years?  Or were they enriching themselves off of funds that were meant to be deposits?

Put more simply: How do we know that isn't a little after-prison nest egg put there by someone inside Cryptsy? I'm not seeing the PROOF of Lucky7coin's involvement. For all I know, they concocted that proof because they know the creator of Lucky7coin died in a car crash recently. I'm not saying he did die in a car crash, but only that they may have another reason for choosing him to be the fall guy. But they'd be in a better position to know his identity than most anyone else. And just WHY have they not released his name? Do they REALLY think he'll be more likely to return the coins if they don't reveal his identity? Or are they just SAYING that?

Has Cryptsy fired anyone over this?  Or was there conveniently no point?  SMH  Not even the idiot who would have had to put the cold storage coins onto the same machine as an IRC server for this to have happened?

Maybe Cryptsy felt they weren't getting enough from those they are laundering for?  And this is a way to put the squeeze to them...

A blog without any incriminating time-stamps....  I wonder if they let archive.org hit that blog? (re: http://blog.cryptsy.com/ )

What were they intending to do for this period of time that has passed since they discovered the loss of coins?  I think they said a year and a half.

Were they planning for a year and a half on eating the loss from their future profits?

And now they realize suddenly that they CAN'T?!!!?!!!?


They were letting people pay bitcoin to temp ban others in chat! The more you paid, the longer the ban!

That screams they're hemorrhaging money!!

"I'd love for them to point to the timestamped github repo for the coin and say lines XXX-YYY is the malicious code, and here's what makes it malicious."

Not my words, so I will put them in quotes.  If he wants to claim them, he's welcome to.  But I agree.  I want to see this little bot that goes in and drains wallets like they said.  I want to see how they hooked this irc bot into the lucky7coin client, as they claim.  Because what I do find in that blog is remarkably free of what I would consider proof positive.  It's an accusation and a wallet address with a LOT of coins in it.

I have some history of compiling IRC servers and playing around with IRC bots in the early 90s.  And this sounds rather far-fetched to me.  And more importantly, he has to know he has not given us PROOF -- proof that it happened AS HE CLAIMS.  And what one calls a malicious bot, another calls a hole in the irc server.  He seems with that blog post to be insisting that his irc server just couldn't have been to blame...  pffftt...  What version of the IRC server were they running at the time, and how obsolete was it at the time?  If it looks like a smokescreen, it may well be...


#18 tittiecoiner, January 15, 2016, 11:29:25 PM




#19 Epinnoia, January 16, 2016, 12:10:28 AM (last edit: January 16, 2016, 03:08:20 AM)

https://bitcointalk.org/index.php?topic=935898.msg10259625#msg10259625


Without more familiarity with the code, my reading of this code is that it would, at most, have allowed the hacker to push the contents of some file (ONLY if said file/directory is set readable by the username executing the irc server and/or infected client program!) back to the person (and others) who put it in place. In short, it would explain how an attacker could pull a wallet.dat file off of an infected machine (which, assuming the wallet was password protected/hashed, would make the brute-force much MUCH easier). But it doesn't explain why the IRC server or wallet client program was running on a server which also had the filled wallet.dat files!!!! And it sure as hell wouldn't explain the stupidity of running an irc server or infected client as root, or however else we're expected to believe this happened.

Furthermore, it wouldn't grant more access to the user running the irc server or infected client than he had been given by root. And if the wallets were not owned and not readable at the OS level by the user account running the irc server or infected client, then this little exploit would NOT be able to read the wallet.dat file!!  The OS itself would have blocked it!!  Each and every coin's client, as well as the irc server itself, should have been running under its own separate username account that ONLY had, at most, access to an empty wallet file owned (so far as the OS is concerned) by that same username account.  User Bitcoin (or something appropriate) should have been running the bitcoin client, with another user like user Litecoin running the Litecoin client, etc., etc.  This would have limited the reach of any infected clients.  A separate or virtual machine for each coin would have been even better!

Are we really expected to believe that Cryptsy had a wallet.dat file with pub/priv keys that controlled $4mil or so on the same physical machine as one running an infected Lucky7coin client?  Sorry.  That's gross negligence if true.  And I for one do not believe it for a second.

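An added audit script, not code from any poster in this thread, for the isolation that Chris Sokolowski (#8) and Epinnoia (#19) describe: each coin daemon under its own account, with its data directory readable by no other account, so a trojaned client running as one user cannot reach another coin's wallet.dat. The one-directory-per-daemon layout and the sample built by `build_demo_layout` are constructed for illustration.

```python
import os
import stat
import tempfile

# Bits that would let a different account read, write or traverse a daemon's
# files; per-user isolation requires all of them to be clear.
_SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO


def _check_one(path, expected_uid):
    """Findings for a single file or directory (empty list = passes)."""
    findings = []
    st = os.lstat(path)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & _SHARED_BITS:
        findings.append(f"{path}: mode {oct(st.st_mode & 0o777)} is open to group/other")
    return findings


def audit_daemon_dir(path, expected_uid):
    """Walk one daemon's data directory (where its wallet.dat lives)."""
    if not os.path.isdir(path):
        return [f"{path}: data directory missing"]
    findings = _check_one(path, expected_uid)
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            findings.extend(_check_one(os.path.join(root, name), expected_uid))
    return findings


def audit_daemons(daemons):
    """daemons maps name -> (data_dir, expected_uid).  Besides per-daemon
    findings, the 'isolation' entry flags daemons sharing a uid: file modes
    cannot protect one daemon's wallet from another running as the same user."""
    report = {n: audit_daemon_dir(d, uid) for n, (d, uid) in daemons.items()}
    by_uid = {}
    for name, (_, uid) in daemons.items():
        by_uid.setdefault(uid, []).append(name)
    report["isolation"] = [f"daemons {sorted(ns)} share uid {uid}"
                           for uid, ns in by_uid.items() if len(ns) > 1]
    return report


def is_clean(report):
    """True only when no daemon and no isolation check produced a finding."""
    return not any(report.values())


def build_demo_layout():
    """Constructed sample (a temp dir, not a real server): one daemon locked
    down correctly, one leaving its wallet world-readable, both running as
    the current uid so the shared-uid check fires too."""
    base = tempfile.mkdtemp(prefix="walletaudit-")
    layout = {}
    for name, dmode, fmode in (("litecoind", 0o700, 0o600),
                               ("lucky7coind", 0o755, 0o644)):
        d = os.path.join(base, name)
        os.mkdir(d)
        wallet = os.path.join(d, "wallet.dat")
        with open(wallet, "wb") as f:
            f.write(b"constructed placeholder, not a real wallet")
        os.chmod(wallet, fmode)
        os.chmod(d, dmode)
        layout[name] = (d, os.getuid())
    return layout
```

On a real host the mapping would list each daemon's data directory with the uid of its dedicated account, and the isolation entry is the check that those accounts are actually distinct.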

#20 mxnsch, January 16, 2016, 07:20:23 PM

Quote from: Epinnoia (#19)
https://bitcointalk.org/index.php?topic=935898.msg10259625#msg10259625


Without more familiarity with the code, my reading of this code is that it would, at most, have allowed the hacker to push the contents of some file (ONLY if said file/directory is set readable by the username executing the irc server and/or infected client program!) back to the person (and others) who put it in place.
This code is generic enough to allow everything from uploading a webshell to running a local kernel exploit to elevate privs.

Think about it like this: In Unix/Linux ANYTHING is a file.
