Monitoring WannaCry hackers' bitcoin addresses in real time

[stompix]

wonder where they will sell their coins, some big exchanger must verify id right? even in my country some fiat exchanger ask user to verify their ID and must selfie to make sure it is real person

They will mix their coins 2-3 times , exchange to ltc or other coin on an exchange that doesn't require id for crypto withdrawals change them back into btc on another and then coin by coin on localbitcoins to fiat .

LB is also a bit of a mixer itself so by the time people will finish tracking those coins and altcoin movements...it will be 250

all the exchanges that i have seen so far (even exchanges like btc-e that are too flexible and anonymous themselves) have a line in their terms of services that says if any law enforcement asks them, they will give your information to them (full cooperation) and in case of such a big scam like this, i am sure a lot of agencies are watching where the coins are going to go and will find them if use an exchange.

Yeah and what info will they give? The addresses of those altcoins?
Then they will have to check again where those altcoins went? By the time they finally get a bit closer to their target they will stumble on a shady exchange that is already gone )).

Trust me, those guys will not get caught because of the bitcoin trail they leave behind.
And that is a good thing.
Otherwise the so called anonymity of btc would be considered a joke.

[1714659236]

1714659236

[youdamushi]

That's funny, they made a global attack in my company.

To be fair you've got to be a bit stupid to actually fall for it...
Added to that the fact athat big companies all have data save of important files.

[deisik]

Do people really not back up their files regularly?

No they don't. Especially in public services where users call the IT for everything because they don't know or they don't like to do anything related to computers even though is a very stupid thing. So the most part of the day IT do lesser important tasks than it has to do. As an example ' local printer has a stuck piece of paper ' and so on

That depends on the public service

The one that I once was hired by as a "contractor" of sorts had strict policies in this regard. They had some enterprise level document management system in place (something like Lotus Domino at the time) and also had a guy specifically appointed to manage that system. I guess it was one of his duties to back up all documents that entered the system. Indeed, small hospitals and minor public services are as irresponsible in this regard as it could ever get

[btcforall777]

Some of the media are blaming them on the drop in BTC price as they happened simultaneously. Make sense to me. What do you think?

I doubt it. The bulk of people being affected don't control the btc market. The whole market is in a bubble. Bubbles burst...eventually.

Maybe the market is just looking for a reason or reasons. Like you said people are afraid to jump.

20.95 BTC hardly seems like enough to manipulate the market. Fear could but I don't see the fearful affecting this market because I doubt that many have more than a cursory knowledge of bitcoin.

The ones without knowledge would be the ones that would dump over something relevant as this. maybe.

[wxa7115]

Some of the media are blaming them on the drop in BTC price as they happened simultaneously. Make sense to me. What do you think?

I doubt it. The bulk of people being affected don't control the btc market. The whole market is in a bubble. Bubbles burst...eventually.

But since bubbles are created with the optimism of the people, this hack without a doubt has an impact since once again people see this as  a way for criminals to use bitcoin without anything being done, so I think this was a factor that stopped confidence and created the environment in which the price of bitcoin could go down once again.

[coinits]

In the beginning internet is not a safe place for everyone. Click, download, register etc. at your own risk.

It has been revealed that this did not spread by clicking on any links.

See this link https://www.wsj.com/articles/cybersecurity-experts-first-task-find-out-how-virus-spread-1494868250

From the article:

Investigators have already ruled out phishing—tricking someone into opening a seemingly legitimate email attachment that actually contains the virus—as a possible tactic. One of their hypotheses centers on something called port 445, an outlet that isn’t supposed to be connected to the internet.

[coinits]

Do people really not back up their files regularly?

No they don't. Especially in public services where users call the IT for everything because they don't know or they don't like to do anything related to computers even though is a very stupid thing. So the most part of the day IT do lesser important tasks than it has to do. As an example ' local printer has a stuck piece of paper ' and so on.
 

I would assume that a huge part of the reason the thieves aren't getting as much money as we'd expect is because most people back up their files at least every month or so.  Institutions should back up their files much more regularly than that.

No most people are too lazy to do a regular back say after a month or more. I believe hackers they didn't target whom computer would infected from virus.  

Unless there's very significant new sensitive information that needs decrypting, there's not much reason for people to pay such a big ransom.  If it was $20 instead, I would probably pay it anyway, but there's really no point.

I believe that $300 as a ransom is not a big amount of money for many services or institutions especially if these are located in Europe or USA or some rich countries in Asia. I don't know for the rest countries in the world.

It's $300 per computer, not per company.

[deisik]

In the beginning internet is not a safe place for everyone. Click, download, register etc. at your own risk.

It has been revealed that this did not spread by clicking on any links.

See this link https://www.wsj.com/articles/cybersecurity-experts-first-task-find-out-how-virus-spread-1494868250

From the article:

Investigators have already ruled out phishing—tricking someone into opening a seemingly legitimate email attachment that actually contains the virus—as a possible tactic. One of their hypotheses centers on something called port 445, an outlet that isn’t supposed to be connected to the internet.

Port 445 is open by default in Windows. At least, on versions prior to Windows 7 (Windows XP is the last version that I am more or less familiar with). This port is required for Windows local networking (for file and printer sharing), so if it is open and computer is connected to Internet, it will be exposed as well. Personally, I think that here we have a case with a backdoor intentionally left by Microsoft and information of which (how to use it) got stolen from an Alphabet agency

Chickens always come home to roost

[BitcoinHunt3r]

wonder where they will sell their coins, some big exchanger must verify id right? even in my country some fiat exchanger ask user to verify their ID and must selfie to make sure it is real person

They will mix their coins 2-3 times , exchange to ltc or other coin on an exchange that doesn't require id for crypto withdrawals change them back into btc on another and then coin by coin on localbitcoins to fiat .

LB is also a bit of a mixer itself so by the time people will finish tracking those coins and altcoin movements...it will be 250

all the exchanges that i have seen so far (even exchanges like btc-e that are too flexible and anonymous themselves) have a line in their terms of services that says if any law enforcement asks them, they will give your information to them (full cooperation) and in case of such a big scam like this, i am sure a lot of agencies are watching where the coins are going to go and will find them if use an exchange.

Yeah and what info will they give? The addresses of those altcoins?
Then they will have to check again where those altcoins went? By the time they finally get a bit closer to their target they will stumble on a shady exchange that is already gone )).

Trust me, those guys will not get caught because of the bitcoin trail they leave behind.
And that is a good thing.
Otherwise the so called anonymity of btc would be considered a joke.

maybe only email address and some IPs that they use to log in because i have 1 experience ask exchanger legally when got problem with my acc they only give log in IP and not much information

[youdamushi]

It's $300 per computer, not per company.

Yeah and as it's supposed to spread in the whole company it can goes reaaaaaaaally fast

[BillyBobZorton]

How do you even know those addresses? Also, aren't like 200,000 computers infected already? in my evil mind, if I was a smart hacker, I would use a different address per computer. Im not sure how this works, but if this is the case, then there's 200,000 addresses you would need to keep track off which is nuts.

It's in any case surprising that companies are storing important info in windows machines... what a bunch of idiots.

[deisik]

How do you even know those addresses? Also, aren't like 200,000 computers infected already? in my evil mind, if I was a smart hacker, I would use a different address per computer. Im not sure how this works, but if this is the case, then there's 200,000 addresses you would need to keep track off which is nuts.

It's in any case surprising that companies are storing important info in windows machines... what a bunch of idiots

Let's hope that at least some of them will learn the lesson

And finally switch to using a decent operating system with no backdoors and open by default ports. Regarding 200k addresses, the virus is obviously calculating some checksum which the victim should then send to the hacker (otherwise it would be impossible to generate the key to decrypt the files), so the process can be easily automated via a database and a simple script linking together a Bitcoin address and a checksum provided

[NeuroticFish]

How do you even know those addresses? Also, aren't like 200,000 computers infected already? in my evil mind, if I was a smart hacker, I would use a different address per computer.

I would do the same. But for some reasons the hackers seem to use only a handful of Bitcoin addresses.
Maybe they don't even care who pays and who doesn't (did you hear of successful data recover after this ransomware, after paying the price?). Or maybe they don't know enough about Bitcoin?

[arimamib]

For a global attack they have not collected a lot of bitcoin yet. Results as of 16:00 GMT

Address 1: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

live link: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

31 transactions = 4.65255659 BTC



Address 2: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

live link: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

27 transactions = 3.10004389 BTC



Wallet 3: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

live link: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

36 transactions = 6.53259945 BTC



~ 14.28 BTC x $1735.35 per BTC = $24,781 ransom paid thus far.



Add more addresses as you find them.

In the presence of this. Will have many positive and negative impacts that will occur to bitcoin. We can only hope the best lol

[cellard]

How do you even know those addresses? Also, aren't like 200,000 computers infected already? in my evil mind, if I was a smart hacker, I would use a different address per computer.

I would do the same. But for some reasons the hackers seem to use only a handful of Bitcoin addresses.
Maybe they don't even care who pays and who doesn't (did you hear of successful data recover after this ransomware, after paying the price?). Or maybe they don't know enough about Bitcoin?

My take is that they don't care if the hacked bitcoins get easily detected by curious people (basically the entire bitcoin community is monitoring how this evolves so im sure they knew they would get traced carefully by community members).

Even if they used thousands of addresses, that would be just more of an headache when trying to mix them.

All these criminals have to do once they got all the money they wanted, is to send it all at some mixing site over tor and that's it, you lose track of it all, and that's where unfortunately all the people that got infected will never see their money back.

But let this be an useful lesson for people to take more seriously their jobs.

[gordoh]

What if this whole thing is a conspiracy by Microsoft to scare people into downloading the latest update... Think about it!

[cellard]

What if this whole thing is a conspiracy by Microsoft to scare people into downloading the latest update... Think about it!

It makes no sense. The amount of bad publicity Microsoft is getting outplays any benefits of a supposed conspiracy inside job to download the latest update. I mean what's the point? And as far as I know WannaCry 2.0 is already out there infecting computers so Microsoft is getting exposed as unsafe software.

[vapourminer]

Port 445 is open by default in Windows. At least, on versions prior to Windows 7 (Windows XP is the last version that I am more or less familiar with). This port is required for Windows local networking (for file and printer sharing), so if it is open and computer is connected to Internet, it will be exposed as well. Personally, I think that here we have a case with a backdoor intentionally left by Microsoft and information of which (how to use it) got stolen from an Alphabet agency

port 445 may be open in internal networks. it is not open to the internet, at least with a properly set up router/firewall.

go to grc.com and let it scan your ports. 445 is stealthed on mine. thats with 6 computers behind a router, and windows firewall on plus whatever firewalls freenas, ubuntu and the rpi use. and i have file/printer sharing on.

[GetClams.com]

That's funny, they made a global attack in my company.

To be fair you've got to be a bit stupid to actually fall for it...
Added to that the fact athat big companies all have data save of important files.

Exactly, you are telling me banks and hospitals do not have backups? Then somebody should lose their job.

[Qartada]

Do people really not back up their files regularly?

No they don't. Especially in public services where users call the IT for everything because they don't know or they don't like to do anything related to computers even though is a very stupid thing. So the most part of the day IT do lesser important tasks than it has to do. As an example ' local printer has a stuck piece of paper ' and so on.
 

I would assume that a huge part of the reason the thieves aren't getting as much money as we'd expect is because most people back up their files at least every month or so.  Institutions should back up their files much more regularly than that.

No most people are too lazy to do a regular back say after a month or more. I believe hackers they didn't target whom computer would infected from virus.  

Unless there's very significant new sensitive information that needs decrypting, there's not much reason for people to pay such a big ransom.  If it was $20 instead, I would probably pay it anyway, but there's really no point.

I believe that $300 as a ransom is not a big amount of money for many services or institutions especially if these are located in Europe or USA or some rich countries in Asia. I don't know for the rest countries in the world.

It's $300 per computer, not per company.

Exactly.  The hackers need to choose the ideal amount of money to steal if they want to keep their operations profitable. 

Clearly the prices they're charging have been considered to be worth just slightly less than the amount of effort it would take to buy a new computer and create new information.  In the cases of whole institutions, it should be worth it as they'll have a lot of sensitive information (like data about patient health in hospitals).

This should get everyone working in IT who had their company's computers infected fired.  It was very easy to avoid by just updating for critical patches.