Almost ~$10,000 in stolen funds, hacker located on Bitcoin Talk Forms!

[kbenzle]

With a ton of help from the community I have been tracking almost $10,000 is stolen crypto funds, and we have a good lead! It seems an "Ethical Hacker" (https://bazaarbay.org/b26788279ce73de5b53de7a32c4b74114c932e81/listing/5fd045457e0ff9596d43203c5ff831d1cc5421b0) named Paul Golding (https://bitcointalk.org/index.php?action=profile;u=838056) has my funds! I have filed a local and British police report and have written to the dozen or so e-mail address he has all over the internet, (no response yet).

What is the best way to go about this? Even if the UK authorities do get involved I would never likely see the funds, I don't want to scare him either, he might just disappear (seems like it already). I have all his front company info (https://ghostbin.com/paste/xqz9k) but is goes nowhere.

I am offering a reward of 1/2 of recovered funds or 1 btc for info that leads to any of their return. In my e-mail I have offered to him that I will drop the reports if he return the funds, any other ideas?

Thanks all!



Background (re-post)

   I kept 500 Ether, 1,000 Litecoin and 500 PPC in a cold wallet in a password protected .rar file on my desktop, when I happened to check my watch address yesterday all the balances were emptied two days ago.

   I made two mistakes (1) I download a lot from Torrent sites, (2) I kept ALL my "cold" storage paper wallets in one encrypted WinRar file with a 12 character password. I thought this security was enough and am still at a loss as to what happened.

   The other day I noticed a program running in the Task Manager called, "Wool Department", there was no google results for it, so I closed it but it kept coming back up (on Windows). Next I got an e-mail from Microsoft about verification, then a few other sites I have not used for a long time. My email was hacked years ago, so I changed my password and did not connect the two events at all.


My Ether address:    0xea13bae3f4d94b43d2224bb8a1abb0f4e7e0e24d
My Litecoin address: LhfSd3ZzJMrWawrFimQcTnCx8rYQ3XYiVG
My PPC address:      PPM4tkGmx9f4LMchhCqQAn6j843KDU3ELk

   I assume I will never see any of it again, but would like to offer 1/2 of any recovered funds as a reward to anyone that can help to find the criminal(s) responsible/return the funds.

[1715581506]

1715581506

[1715581506]

1715581506

[1715581506]

1715581506

[1715581506]

1715581506

[1715581506]

1715581506

[BARR_Official]

It's not a cold wallet if it's connected to the internet

Every time you type your password, there's a chance someone can see what you're typing with a keylogger or full remote access to your machine

[PaulieGolding]

So I have spent half my day now trying to catch up all these posts I've resorted to just copy pasting a response. i have my deepest sympathy for this guy and I'm trying to help out the best i can. my response is as follows:

So this was an interesting morning checking my mails to find all of this. I'd read just about as much as I could find on the matter and would like everyone to take a second to read this.

I'm not the guy, this is a case of a little misunderstood information leading everyone in the wrong direction.

The user has been infected with a Remote Admin Tool, a legal bit of software that has been used for malicious purposes so the attacker has been able to access the crypto funds.

The person who analysed the malware has seen a call to one of my domains, this is correct I was hosting some files for the developer of the remote admin tool (see more below). This has been incorrectly described as the "attack server" Today I have removed those files in order to slow down the attacker, though all he needs to to is upload a copy somewhere else. The files themselves are pertain to password recovery and are again totally legal.

The person who analysed the malware has seen a call to bnaf12[dot]no-ip[dot]biz This is the control server of the attacker. He is using a dynamic DNS service so he can change the location of his control server quickly. The last update to that domain points to an IP in Palestine.
OP mentions is places he has seen me "bragging" about the hack. This is not true and again misunderstood information. I have a keen interest in network security and a part of my job is ensuring servers a secure. Following the rule of keep your enemies closer I crafted a few identities that hang around the blackhat world in order to keep my finger on the pulse. The "bragging" in question is all smoke used to gain trust in these communities, I'll also mention that none of my identities concern themselves with financial fraud and there is no "bragging" anywhere close that subject matter. Simply a few posts claiming my user has "got a load of installs"

Some of you may wonder why I was hosting the files in the first place, this is simple. The developer was looking for a place to host them and asked if I would do it. I saw this as a great way to get an insight in how popular the tool was and collect some usage data. No information from an infected machine would be sent to me this all goes to the control server configured by the admin using the tool (or the attacker when used for malicious purposes)

The OP has contacted me via email and as of now I am awaiting his reply. I've offered to help him in any way I can to get his funds recovered.

[mrhelpful]

A harsh lesson to pay for, is if a trojan or any form of malware is on the computer.

Regardless of what type of wallet it is, its pretty much compromised if thats what they are targeting since it pretty much has access.

This is why the coldwallet "hardware" are really preferred so it has no form of internet connection.