PaulieGolding Sorry, not the guy

[kbenzle]

PaulieGolding Sorry, not the guy

[cryptoheadd]

Is this the ID you're talking about?

https://bitcointalk.org/index.php?action=profile;u=838056

[amacar2]

Is this the ID you're talking about?

https://bitcointalk.org/index.php?action=profile;u=838056

He seem to be not active since may 8 and as he is newbie nobody gonna trust him if he try to sell those coins.

Which country are u from? That is important and also the country of hacker in lots of asian and african country cyber crime get unnoticed by government.

[AGD]

There is a PaulieGolding account at OpenBazaar. Possible to contact him over there.

[alyssa85]

Remember that it is easy for these users to set up alternative accounts on bitcointalk under a different name and sell the coins. You need to alert all the exchanges with the addresses you think the coins have been sent to - if the thief sells them over-the-counter, and the buyer then tries to sell on an exchange, the exchange should be able to freeze them just by tracking the movement in the blockchain.

Good luck with retrieving them.

[Jasad]

I recently wrote about having ~$10,000 in cryptos stolen from a password protected file on my desktop, user munteanualex_ro over at Reddit (https://www.reddit.com/r/btc/comments/4jkdhy/i_found_some_information_about_the_guy_who_stole/) has helped tracked this to a bitcoin talk user: PaulieGolding

He seems to be a regular scammer and might be trying to sell the coin through this site, he made this account right after the theft.

I have added this info to my police report about the theft, if there is anything anyone else can offer I am still offering a 1 btc reward for info that leads to the arrest/return of the funds or 1/2 of any returned funds. Thank you All!

Original Bitcoin Talk post:

https://bitcointalk.org/index.php?topic=1451715.0;all

i'm feel sorry about your story,its hurt and sad story. but its good for us to know people around us can scamming without any corious. but so far we dont find any reliable solution to chase this scammer,the only one to make this not happen is prevent from scammer by set our wallet security with high level security.

[Kprawn]

I recently wrote about having ~$10,000 in cryptos stolen from a password protected file on my desktop, user munteanualex_ro over at Reddit (https://www.reddit.com/r/btc/comments/4jkdhy/i_found_some_information_about_the_guy_who_stole/) has helped tracked this to a bitcoin talk user: PaulieGolding

He seems to be a regular scammer and might be trying to sell the coin through this site, he made this account right after the theft.

I have added this info to my police report about the theft, if there is anything anyone else can offer I am still offering a 1 btc reward for info that leads to the arrest/return of the funds or 1/2 of any returned funds. Thank you All!

Original Bitcoin Talk post:

https://bitcointalk.org/index.php?topic=1451715.0;all

i'm feel sorry about your story,its hurt and sad story. but its good for us to know people around us can scamming without any corious. but so far we dont find any reliable solution to chase this scammer,the only one to make this not happen is prevent from scammer by set our wallet security with high level security.

Dude, this place and almost all other Bitcoin related sites share the same users on different platforms... You cannot just single out Bitcointalk users, because these users just use other profiles on

other platforms, but they are still the same scammers. The good thing is, that you warned other people about this person and I would also place something under this thread to make it easier for

people to discuss this : https://bitcointalk.org/index.php?board=83.0 {Just follow the bread crumbs and it will lead you back to the source} Even if you have to pay someone to do it for you. 

[killerjoegreece]

wow man thats a lot of money :/ i hope u get it back.

[Bitcoinpro]

How did u link him too it

[instacalm]

How did u link him too it

I was about to ask the same but found the answer here: https://www.reddit.com/r/btc/comments/4jkdhy/i_found_some_information_about_the_guy_who_stole/

@OP: I really hope you get your money back!

[Bitcoinpro]

How did u link him too it

I was about to ask the same but found the answer here: https://www.reddit.com/r/btc/comments/4jkdhy/i_found_some_information_about_the_guy_who_stole/

@OP: I really hope you get your money back!

you could have just explained it in one line

[Joel_Jantsen]

Found something interesting from his Bitcointalk profile :


I'm working on getting his images and other contact info.To my short search I suspect maybe he is from United Kingdom.

[Laniakea]

I'm working on getting his images and other contact info.To my short search I suspect maybe he is from United Kingdom.

I've found another profile that claims she/he lives in Spain. That's what she/he put there at least

https://bazaarbay.org/b26788279ce73de5b53de7a32c4b74114c932e81

edit:
and here she/he is asking for "Help Remove DDOS protection from BritainFirst.org":  http://pastebin.com/ZUxmAes8

edit2: ok so Paulie Golding is a fake handle in reference to "Paul Golding"
http://www.ibtimes.co.uk/britain-first-leader-paul-golding-run-london-mayor-wants-hang-opponents-1521415


Her/him behind this will hopefully in jail shortly. Bitcointalk community will help enforce this.


@OP: Give this info to the police - - - the FBI will retrieve the real information behind the domainsbyproxy whois protection. I've seen this happening before. The guy will be caught. If you are reading this, scammer, enjoy the heartbeat.

Domain Name: paulie.rocks
Domain ID: ab31b713a9bf4ea5a44da5a905eb55f5-RSIDE
WHOIS Server: www.godaddy.com
Referral URL: http://www.godaddy.com
Updated Date: 2016-04-28T05:32:09Z
Creation Date: 2016-04-23T05:31:26Z
Registry Expiry Date: 2017-04-23T05:31:26Z
Sponsoring Registrar: GoDaddy.com, LLC
Sponsoring Registrar IANA ID: 146
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant ID: cr238400268
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com 14747 N Northsight Blvd Suite 111, PMB 309
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: paulie.rocks@domainsbyproxy.com
Admin ID: cr238400270
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com 14747 N Northsight Blvd Suite 111, PMB 309
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: US
Admin Phone: +1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:
Admin Email: paulie.rocks@domainsbyproxy.com
Tech ID: cr238400269
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com 14747 N Northsight Blvd Suite 111, PMB 309
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: paulie.rocks@domainsbyproxy.com
Name Server: ns-1544.awsdns-01.co.uk
Name Server: ns-227.awsdns-28.com
Name Server: ns-867.awsdns-44.net
Name Server: ns-1037.awsdns-01.org
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-05-16T17:59:42Z <<<

[Wendigo]

The thief will probably want to sell the coins off the exchanges and to a private buyer. And what if a mixer is used? Can the police still track the original funds if the money is run through a mixer? I mean the guy will want to stay low under the radar. Please keep us updated while the story is unfolding and I wish you luck in recovering your money.

To OP:
Are you by any chance from Romania because on the screenshot rdsnet.ro must be your Internet Service Provider? If bnaf12.no-ip.biz is the attacker's destination whose is the Romanian one?

[chennan]

Is this the ID you're talking about?

https://bitcointalk.org/index.php?action=profile;u=838056

He seem to be not active since may 8 and as he is newbie nobody gonna trust him if he try to sell those coins.

Which country are u from? That is important and also the country of hacker in lots of asian and african country cyber crime get unnoticed by government.

I don't understand why the guy wouldn't just sell the coins over at localbitcoins, that's what I would personally do if I were this hacker since they are probably pretty tainted now... so you might want to check over there?

Plus, do you really think the police (especially in the US) is going to do anything to get you back those bitcoins?  I'd be surprised if your local police even know what Bitcoins are, rather than them actually know how to go about a process of identifying and retrieving the Bitcoins for you.

[cryptosecurity]

Plus, do you really think the police (especially in the US) is going to do anything to get you back those bitcoins?  I'd be surprised if your local police even know what Bitcoins are, rather than them actually know how to go about a process of identifying and retrieving the Bitcoins for you.

I'm surprised they didn't throw OP in "protective custody" or "observation" to chill him out a bit.

Hi Cloptrix,  are you the scammer?

[Laniakea]

Thank you, I will add it to the report!

No problem. I hope you get your property back!

[KenR]

So what happens now ? From the previous posts, I can make out you have more than enough information to base your accusation in the court with relevant details [except for the theft].

[Racey]

paulie.rocks@domainsbyproxy.com

So I searched here.

http://w3bin.com/domain/paulie.rocks

Edit to add:

IP: 52.49.13.68

Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/67 2016-05-14 18:36:58 http://paulie.rocks/

https://www.virustotal.com/en/ip-address/52.49.13.68/information/

[PaulieGolding]

So I have spent half my day now trying to catch up all these posts I've resorted to just copy pasting a response. i have my deepest sympathy for this guy and I'm trying to help out the best i can. my response is as follows:

So this was an interesting morning checking my mails to find all of this. I'd read just about as much as I could find on the matter and would like everyone to take a second to read this.

I'm not the guy, this is a case of a little misunderstood information leading everyone in the wrong direction.

The user has been infected with a Remote Admin Tool, a legal bit of software that has been used for malicious purposes so the attacker has been able to access the crypto funds.

The person who analysed the malware has seen a call to one of my domains, this is correct I was hosting some files for the developer of the remote admin tool (see more below). This has been incorrectly described as the "attack server" Today I have removed those files in order to slow down the attacker, though all he needs to to is upload a copy somewhere else. The files themselves are pertain to password recovery and are again totally legal.

The person who analysed the malware has seen a call to bnaf12[dot]no-ip[dot]biz This is the control server of the attacker. He is using a dynamic DNS service so he can change the location of his control server quickly. The last update to that domain points to an IP in Palestine.
OP mentions is places he has seen me "bragging" about the hack. This is not true and again misunderstood information. I have a keen interest in network security and a part of my job is ensuring servers a secure. Following the rule of keep your enemies closer I crafted a few identities that hang around the blackhat world in order to keep my finger on the pulse. The "bragging" in question is all smoke used to gain trust in these communities, I'll also mention that none of my identities concern themselves with financial fraud and there is no "bragging" anywhere close that subject matter. Simply a few posts claiming my user has "got a load of installs"

Some of you may wonder why I was hosting the files in the first place, this is simple. The developer was looking for a place to host them and asked if I would do it. I saw this as a great way to get an insight in how popular the tool was and collect some usage data. No information from an infected machine would be sent to me this all goes to the control server configured by the admin using the tool (or the attacker when used for malicious purposes)

The OP has contacted me via email and as of now I am awaiting his reply. I've offered to help him in any way I can to get his funds recovered.