BillyBurns (OP)
October 18, 2016, 07:19:27 AM Last edit: October 18, 2016, 07:35:05 AM by BillyBurns
Player is up 66k XMR in 2 days; these are the rolls that just happened. I didn't see the others, but this just doesn't seem right to me.
Bet ID   Bet (XMR)  Profit (XMR)  Target  Roll   Time   Player
7908821  3000.0     +3000.0       <49.50  46.38  07:23  PolakPotrafi
7908820  3000.0     +3000.0       >50.50  57.52  07:22  PolakPotrafi
7908819  1400.0     +5600.0       >80.20  81.28  07:22  PolakPotrafi
7908818  789.6      +7106.4       <9.90   2.06   07:21  PolakPotrafi
7908817  1535.2     +6140.8       <19.80  13.15  07:21  PolakPotrafi
7908816  935.2      +8416.8       >90.10  94.58  07:20  PolakPotrafi
7908815  1.0        -1.0          >80.20  45.19  07:20  PolakPotrafi
7908814  1.0        -1.0          >80.20  51.31  07:20  PolakPotrafi
7908813  1.0        -1.0          >80.20  24.50  07:19  PolakPotrafi
7908812  1.0        -1.0          >80.20  42.30  07:19  PolakPotrafi
7908811  1.0        -1.0          >80.20  60.60  07:19  PolakPotrafi
7908810  1.0        +4.0          >80.20  84.71  07:19  PolakPotrafi
7908809  1.0        +4.0          >80.20  87.64  07:19  PolakPotrafi
7908808  1.0        -1.0          >80.20  28.28  07:19  PolakPotrafi
7908807  1.0        -1.0          >80.20  32.78  07:19  PolakPotrafi
7908806  1.0        +4.0          >80.20  87.45  07:19  PolakPotrafi
7908805  100.0      +400.0        <19.80  17.08  07:19  PolakPotrafi
7908804  100.0      +200.0        <33.00  28.76  07:19  PolakPotrafi
7908803  100.0      +100.0        <49.50  44.78  07:18  PolakPotrafi
7908802  100.0      +100.0        >50.50  51.85  07:18  PolakPotrafi
7908801  100.0      +100.0        <49.50  18.59  07:18  PolakPotrafi
7908800  100.0      +100.0        <49.50  37.56  07:18  PolakPotrafi
7908799  100.0      +100.0        >50.50  72.20  07:18  PolakPotrafi
7908798  100.0      +100.0        >50.50  57.99  07:18  PolakPotrafi
7908797  100.0      +100.0        >50.50  62.63  07:18  PolakPotrafi
7908796  938.8      -938.8        <9.90   90.87  07:17  PolakPotrafi
7908795  1.0        +1.0          >50.50  88.01  07:15  PolakPotrafi
7908794  1.0        +1.0          >50.50  99.63  07:13  PolakPotrafi
oxygen88
October 18, 2016, 08:08:52 AM
Which dice site are these bets from? That is a ton of crazy wins, the guy is rich now.
BillyBurns (OP)
October 18, 2016, 08:12:46 AM
Which dice site are these bets from? That is a ton of crazy wins, the guy is rich now.

MoneroDice. According to Fluffy they do cashouts manually, but what I want to know is how they can prevent this from happening with someone who does it at a level that is much less noticeable.
Jungian
Legendary
Offline
Activity: 930
Merit: 1010
October 18, 2016, 08:29:14 AM
They do look unusual. Like he knew exactly what percentage to change to in order to win.
Edit: Looks like he did and FluffyPony is on to it (according to the monerodice chat)
Maybe the seed has been compromised for a long time. The site has not been running at EV (although there is nothing particularly strange about that).
oxygen88
October 18, 2016, 08:35:00 AM
Yes, especially these few big bets:

Bet ID   Bet (XMR)  Profit (XMR)  Target  Roll   Time   Player        Note
7908821  3000.0     +3000.0       <49.50  46.38  07:23  PolakPotrafi
7908820  3000.0     +3000.0       >50.50  57.52  07:22  PolakPotrafi
7908819  1400.0     +5600.0       >80.20  81.28  07:22  PolakPotrafi
7908818  789.6      +7106.4       <9.90   2.06   07:21  PolakPotrafi  looks most unusual
7908817  1535.2     +6140.8       <19.80  13.15  07:21  PolakPotrafi  looks most unusual
7908816  935.2      +8416.8       >90.10  94.58  07:20  PolakPotrafi  looks most unusual

As if he already knew the result, and then he makes big bets; look at bet IDs 8816, 8817, 8818.
This shows he knew the result beforehand: 3 consecutive rolls with those win percentages, and the chance of hitting all 3 wins in real life is 0.000000001%.
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
October 18, 2016, 09:11:47 AM
Looks like they managed to grab the server seed through a leak in the API. We're busy patching it, and will roll back the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!
itod
Legendary
Offline
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
October 18, 2016, 09:19:18 AM
5 biggest wins in the last 24h:
22000.0 PolakPotrafi
12000.0 PolakPotrafi
10000.0 PolakPotrafi
9352.0 PolakPotrafi
8000.0 PolakPotrafi

and the 5 biggest wins all time:
22000.0 PolakPotrafi
12000.0 PolakPotrafi
10000.0 PolakPotrafi
10000.0 othe
10000.0 othe

If only he had been less greedy he could have done much bigger damage. Luckily he had an idiotic betting strategy, as in painfully obvious.
NeuroticFish
Legendary
Offline
Activity: 3822
Merit: 6547
Looking for campaign manager? Contact icopress!
October 18, 2016, 09:23:41 AM
Looks like they managed to grab the server seed through a leak in the API - we're busy patching it, and will rollback the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are all locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!
It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too. Of course patching your own is top priority.
smoothie
Legendary
Offline
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
October 18, 2016, 09:24:25 AM
#HackThatGotTrumpedByAPony
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
October 18, 2016, 09:33:22 AM
It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too. Of course patching your own is top priority.
Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.
Jungian
Legendary
Offline
Activity: 930
Merit: 1010
October 18, 2016, 09:42:57 AM
It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too. Of course patching your own is top priority.
Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
October 18, 2016, 09:49:09 AM
Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.
Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

It's entirely possible, but one of the Monero Research Lab wrote a paper (for fun) a year ago establishing a way to analyse whether someone is cheating by determining whether they are massively changing the deviation of the site. We run this analysis in the back all the time, so if someone was consistently cheating, even if they were using multiple accounts and small amounts, we'd see it show up because the site would (statistically speaking) be far out of the expected variance. You can read the paper here: https://lab.getmonero.org/pubs/MRL_Monte_Carlo_Edition.pdf
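The variance check described in the post above, worked through on the bets from the first post of this thread. This is an added example and not MoneroDice's code nor the method in the linked MRL paper: it treats every bet as an independent event, derives each bet's expected profit and variance from the win chance implied by the target, and reports how many standard deviations the player's actual profit sits from the house's expectation. The 1% house edge (payout = 0.99 / win chance) is inferred from the profit column on the page, and treating "<49.50" and ">50.50" both as a 49.5% chance is an assumption about the site's rounding.

```python
import math
from dataclasses import dataclass

# Bets from the thread's first post: id stake profit target roll time player.
BETS_FROM_THREAD = """
7908821 3000 +3000 <49.50 46.38 07:23 PolakPotrafi
7908820 3000 +3000 >50.50 57.52 07:22 PolakPotrafi
7908819 1400 +5600 >80.20 81.28 07:22 PolakPotrafi
7908818 789.6 +7106.4 <9.90 2.06 07:21 PolakPotrafi
7908817 1535.2 +6140.8 <19.80 13.15 07:21 PolakPotrafi
7908816 935.2 +8416.8 >90.10 94.58 07:20 PolakPotrafi
7908815 1 -1 >80.20 45.19 07:20 PolakPotrafi
7908814 1 -1 >80.20 51.31 07:20 PolakPotrafi
7908813 1 -1 >80.20 24.50 07:19 PolakPotrafi
7908812 1 -1 >80.20 42.30 07:19 PolakPotrafi
7908811 1 -1 >80.20 60.60 07:19 PolakPotrafi
7908810 1 +4 >80.20 84.71 07:19 PolakPotrafi
7908809 1 +4 >80.20 87.64 07:19 PolakPotrafi
7908808 1 -1 >80.20 28.28 07:19 PolakPotrafi
7908807 1 -1 >80.20 32.78 07:19 PolakPotrafi
7908806 1 +4 >80.20 87.45 07:19 PolakPotrafi
7908805 100 +400 <19.80 17.08 07:19 PolakPotrafi
7908804 100 +200 <33.00 28.76 07:19 PolakPotrafi
7908803 100 +100 <49.50 44.78 07:18 PolakPotrafi
7908802 100 +100 >50.50 51.85 07:18 PolakPotrafi
7908801 100 +100 <49.50 18.59 07:18 PolakPotrafi
7908800 100 +100 <49.50 37.56 07:18 PolakPotrafi
7908799 100 +100 >50.50 72.20 07:18 PolakPotrafi
7908798 100 +100 >50.50 57.99 07:18 PolakPotrafi
7908797 100 +100 >50.50 62.63 07:18 PolakPotrafi
7908796 938.8 -938.8 <9.90 90.87 07:17 PolakPotrafi
7908795 1 +1 >50.50 88.01 07:15 PolakPotrafi
7908794 1 +1 >50.50 99.63 07:13 PolakPotrafi
"""

HOUSE_EDGE = 0.01  # inferred from the page: a 49.5% bet pays 2x, a 33% bet pays 3x


@dataclass
class Bet:
    bet_id: int
    stake: float
    profit: float
    target: str   # "<49.50" = win if roll under, ">50.50" = win if roll over
    roll: float


def parse_bets(text: str) -> list:
    """Parse the flattened 'id stake profit target roll time player' records."""
    bets = []
    for line in text.strip().splitlines():
        bet_id, stake, profit, target, roll, _time, _player = line.split()
        bets.append(Bet(int(bet_id), float(stake), float(profit), target, float(roll)))
    return bets


def win_probability(target: str) -> float:
    """Win chance implied by the target (assumes a uniform roll on [0, 100))."""
    op, value = target[0], float(target[1:])
    if op == "<":
        return value / 100.0
    if op == ">":
        return (100.0 - value) / 100.0
    raise ValueError(f"unknown target {target!r}")


def bet_moments(stake: float, p: float) -> tuple:
    """Expected profit and variance of one bet paying (1 - HOUSE_EDGE) / p on a win."""
    win_profit = stake * ((1.0 - HOUSE_EDGE) / p - 1.0)
    mean = p * win_profit - (1.0 - p) * stake          # always -HOUSE_EDGE * stake
    second = p * win_profit ** 2 + (1.0 - p) * stake ** 2
    return mean, second - mean ** 2


def inconsistent_bets(bets: list) -> list:
    """Sanity check: ids whose recorded profit sign disagrees with roll vs. target."""
    bad = []
    for b in bets:
        won = b.roll < float(b.target[1:]) if b.target[0] == "<" else b.roll > float(b.target[1:])
        if won != (b.profit > 0):
            bad.append(b.bet_id)
    return bad


def run_summary(bets: list) -> dict:
    """Actual vs. expected profit for a run of bets, plus its z-score."""
    actual = sum(b.profit for b in bets)
    expected = variance = 0.0
    for b in bets:
        m, v = bet_moments(b.stake, win_probability(b.target))
        expected += m
        variance += v
    sigma = math.sqrt(variance)
    return {"wagered": sum(b.stake for b in bets), "actual": actual,
            "expected": expected, "sigma": sigma, "z": (actual - expected) / sigma}


def is_suspicious(bets: list, threshold: float = 4.0) -> bool:
    """Flag a run whose profit is more than `threshold` sigmas above expectation."""
    return run_summary(bets)["z"] > threshold


if __name__ == "__main__":
    bets = parse_bets(BETS_FROM_THREAD)
    print(inconsistent_bets(bets), run_summary(bets), is_suspicious(bets))
```

On the 28 bets shown, the player is roughly 4.5 standard deviations above the house's expected result, which is what a site-wide version of this check would see as "far out of the expected variance". The caveat NLNico raises further down applies: a cheater who spreads small wins over many accounts stays inside the noise of this statistic, so it complements rather than replaces per-account and log-based checks.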
NLNico
Legendary
Offline
Activity: 1876
Merit: 1295
DiceSites.com owner
October 18, 2016, 01:22:46 PM
Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc. can help to see if it's possible someone else might have abused it.

The way this guy was betting was clearly to show that he could cheat. IMO this could have 2 reasons:
1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"
IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood".

In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.
hubballi
October 18, 2016, 01:49:12 PM
Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc. can help to see if it's possible someone else might have abused it. The way this guy was betting was clearly to show that he could cheat. IMO this could have 2 reasons: 1) "I already stole enough so I will just show you that your site has a vulnerability" 2) "I can cheat on here, but don't want to receive a reward and rather just show it off" IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood". In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

What you said is absolutely correct. The way he was betting, on continuous bets, it is clear that he did it deliberately to let the site know that they have been hacked and that the site's seed key is known to others who are cheating the site.
NeuroticFish
Legendary
Offline
Activity: 3822
Merit: 6547
Looking for campaign manager? Contact icopress!
October 18, 2016, 01:54:09 PM
What you said is absolutely correct. The way he was betting, on continuous bets, it is clear that he did it deliberately to let the site know that they have been hacked and that the site's seed key is known to others who are cheating the site.

I think that there's still a chance he didn't know withdrawals are processed manually and got greedy. A white hat hacker would have told the owner, not done it like this. Somebody who was only trying to show off would mean that 66k XMR (over 400 000 $) means nothing to him, since he already stole more than that.
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
October 18, 2016, 02:17:51 PM
Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc. can help to see if it's possible someone else might have abused it. The way this guy was betting was clearly to show that he could cheat. IMO this could have 2 reasons: 1) "I already stole enough so I will just show you that your site has a vulnerability" 2) "I can cheat on here, but don't want to receive a reward and rather just show it off" IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood". In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

Yes, we're taking a look at the API logs and correlating them against recent bettors. We'll weed out any other accounts he has ;)
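The log correlation NLNico suggests and fluffypony confirms above, as an added example that is not MoneroDice's code. It assumes a constructed access-log format (timestamp, account, IP, path, status) and a hypothetical endpoint name /api/server_seed standing in for whatever API call leaked the seed; the log lines and the accounts other than PolakPotrafi are made up for the example. It lists every account that successfully called the leaky endpoint, how many bets each placed after its first such call, and which other accounts were seen from the same IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical name for the endpoint that leaked the server seed (assumption).
LEAKY_PATH = "/api/server_seed"

# Constructed sample log; not real MoneroDice data. Only PolakPotrafi is a name from the thread.
ACCESS_LOG = """\
2016-10-18T07:10:02Z account=PolakPotrafi ip=203.0.113.7 path=/api/server_seed status=200
2016-10-18T07:11:40Z account=PolakPotrafi ip=203.0.113.7 path=/api/bet status=200
2016-10-18T07:12:05Z account=PolakPotrafi ip=203.0.113.7 path=/api/bet status=200
2016-10-18T06:55:13Z account=carol ip=198.51.100.23 path=/api/bet status=200
2016-10-18T05:20:31Z account=dave ip=203.0.113.7 path=/api/bet status=200
2016-10-17T22:04:09Z account=erin ip=192.0.2.44 path=/api/server_seed status=200
2016-10-17T22:05:11Z account=erin ip=192.0.2.44 path=/api/bet status=200
2016-10-18T03:00:00Z account=frank ip=192.0.2.9 path=/api/server_seed status=403
2016-10-18T07:12:00Z account=frank ip=192.0.2.9 path=/api/balance status=200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped rather than aborting triage."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def seed_callers(events: list) -> dict:
    """Accounts that successfully hit the leaky endpoint -> time of their first call."""
    first = {}
    for e in events:
        if e["path"] == LEAKY_PATH and e["status"] == 200:
            if e["account"] not in first or e["ts"] < first[e["account"]]:
                first[e["account"]] = e["ts"]
    return first


def bets_after_seed(events: list, first_call: dict) -> dict:
    """Count bets each seed caller placed after it first fetched the seed."""
    counts = {acct: 0 for acct in first_call}
    for e in events:
        acct = e["account"]
        if acct in first_call and e["path"] == "/api/bet" and e["ts"] > first_call[acct]:
            counts[acct] += 1
    return counts


def linked_accounts(events: list, suspects: set) -> set:
    """Other accounts seen from an IP that a suspect also used (a cheap sock-puppet pivot)."""
    by_ip = defaultdict(set)
    for e in events:
        by_ip[e["ip"]].add(e["account"])
    linked = set()
    for accounts in by_ip.values():
        if accounts & suspects:
            linked |= accounts
    return linked - suspects


def triage(log_text: str) -> dict:
    """Full pass: who fetched the seed, how they bet afterwards, and who shares their IPs."""
    events = parse_log(log_text)
    first_call = seed_callers(events)
    return {
        "seed_callers": sorted(first_call),
        "bets_after_seed": bets_after_seed(events, first_call),
        "linked_accounts": sorted(linked_accounts(events, set(first_call))),
    }


if __name__ == "__main__":
    print(triage(ACCESS_LOG))
```

Shared-IP linking is only a lead, not proof: NAT, VPN exits and public Wi-Fi put unrelated users behind one address, so accounts it surfaces should be checked against betting patterns and other session data before any rollback. The failed (403) seed call from frank is deliberately not counted, but a production triage would want to list those attempts too.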
Daffadile
October 18, 2016, 04:23:48 PM
So.... When someone is unlucky and gets 21 losses in a row you say nothing, but as soon as someone makes a whole lot of wins in a row you get jealous?? Lol ok.....
Just like a losing streak, a winning streak can happen too. Also, what difference would it make if you saw his other rolls? It is pure luck.
BillyBurns (OP)
October 18, 2016, 04:27:46 PM
So.... When someone is unlucky and gets 21 losses in a row you say nothing, but as soon as someone makes a whole lot of wins in a row you get jealous?? Lol ok.....
Just like a losing streak, a winning streak can happen too. Also, what difference would it make if you saw his other rolls? It is pure luck.

Yeah, it's not very weird for him to make all those 1 XMR bets and lose every single one of those, and then win all of these huge bets with tiny win % over and over; the only big bet he lost was the first one, where he made a mistake... oh, and on top of all those rolls to be up another 33k XMR.
BillyBurns (OP)
October 18, 2016, 05:05:37 PM
The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:
If the attack was super simple (e.g. the server was blindly giving the user the server seed) it's also possible it was a non-sophisticated attacker that got hold of it, and was just dumb enough to not even try to cover his tracks better. I actually believe this recently happened to PrimeDice in their latest upgrade, with something along the lines of the beta server being a fork of the production server, and someone realized this and revealed their server seed and abused the crap out of it to the point it was super obvious. I also heard about another bitcoin site where someone social engineered their way into getting root credentials to the server, but was sufficiently unsophisticated that he couldn't figure out how to withdraw the bitcoins. That said, this is basically a nightmare situation for an investment site. Let's say they suspect or find out that the attacker actually had been abusing this before; who should be on the hook? The investors or the site? Kind of strange how no site ever clarifies that.

Look at his bet pattern and the outcomes of the bets; it's extremely obvious he was intentionally showing he could cheat.
BetKing.io
Legendary
Offline
Activity: 1400
Merit: 1021
October 18, 2016, 05:11:44 PM
The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:
If the attack was super simple (e.g. the server was blindly giving the user the server seed) it's also possible it was a non-sophisticated attacker that got hold of it, and was just dumb enough to not even try to cover his tracks better. I actually believe this recently happened to PrimeDice in their latest upgrade, with something along the lines of the beta server being a fork of the production server, and someone realized this and revealed their server seed and abused the crap out of it to the point it was super obvious. I also heard about another bitcoin site where someone social engineered their way into getting root credentials to the server, but was sufficiently unsophisticated that he couldn't figure out how to withdraw the bitcoins. That said, this is basically a nightmare situation for an investment site. Let's say they suspect or find out that the attacker actually had been abusing this before; who should be on the hook? The investors or the site? Kind of strange how no site ever clarifies that.

I've said it to the investors before (I noticed the FAQ used to say it, but not now, after re-enabling investments a long time ago) that if this happens (or any big mess-up) the investors lose/pay for it. That's the risk they take investing in the site/me. Fortunately this hasn't ever happened at BetKing anyway.