Bitcoin Forum
Author Topic: TEMP: Investigation into scotaloo  (Read 13807 times)
🏰 TradeFortress 🏰
July 19, 2013, 04:28:09 AM
 #221

I don't see why I should Smiley
r3wt
July 19, 2013, 04:30:36 AM
 #222

I don't see why I should Smiley

there's more smoke and mirrors in here than a whore house on the French Riviera

My negative trust rating is reflective of a personal vendetta by someone on default trust.
🏰 TradeFortress 🏰
July 19, 2013, 05:12:53 AM
Last edit: July 19, 2013, 08:13:44 AM by TradeFortress
 #223

I actually don't give a fuck about the IP 49.176.67.225 Smiley

Yes, I've used it before. I've been doing some digging on a RAT file that has the phone home set to my IP:

BTCTalkAccs pointed me to this virustotal analysis of a DarkComet/DarkKomet RAT with the name 'minecraft.exe':

https://www.virustotal.com/en/file/9970283d1c08091f9260a5bbbc76220ed7b88b75d8352bcbfe35c4730f608262/analysis/

This RAT is set to phone home to: 58.111.143.105:200, which is my IP and on the port 200. However, this is quite meaningless as anyone can do that - it's no different than linking to another webpage. This is the first time I became aware of 'minecraft.exe', and a search on 9970283d1c08091f9260a5bbbc76220ed7b88b75d8352bcbfe35c4730f608262 doesn't turn up anything.

It also has the file name MSRSAAP.EXE, which turns up on virustotal here:

https://www.virustotal.com/en/file/4589cc7f0791e87906da850d27306637d01a71fb6aca9cee74be84c5bfff65c2/analysis/

The SHA hash also doesn't turn up anything other than virustotal on Google, but there is a lot of info on the name MSRSAAP.EXE.

http://answers.yahoo.com/question/index?qid=20120219155647AAN5JIV
http://softwaredownloadpro.com/question14580.html
http://translate.googleusercontent.com/translate_c?depth=1&hl=en&prev=/search%3Fq%3DMSRSAAP.EXE%26safe%3Doff%26client%3Dfirefox-a%26hs%3DFi4%26sa%3DN%26rls%3Dorg.mozilla:en-US:official%26biw%3D1920%26bih%3D940&rurl=translate.google.com&sl=ru&u=http://otvet.mail.ru/question/76611000&usg=ALkJrhiiM8v8n5hHgMTrWiy8ZWjVQYIGJg

This malware has been posted by the user "manolz" as some anti-anticheat or something:
http://www.gamersoul.com/forums/showthread.php?185177-Hackshield-AntiHook-NoShield-0-1-beta/page3

Also on youtube by "iCrack Trainers" (shell youtube account):
http://www.youtube.com/watch?v=VaKLmM40428

So, there's two possibilities:

1) I've been spreading malware disguised as anticheat bypasses and trainers for games that has been documented in English, Chinese and Russian while using my own IP address, have been doing it from 2012 or earlier, and decide to make a new RAT, upload it to virustotal and do nothing with it.

2) Someone who wants to frame me / plant false evidence and has a history of making game-related malware makes a new RAT that connects to my IP and port 200 (which isn't even open), uploads it to virustotal and does nothing with it.

If you look at the date (2013-06-09), you'll see that exactly a week earlier MoneyPakTrader got butthurt that I penetrated his website (which deals with currency exchange) - without doing any malicious damage - and found my IP address:

https://bitcointalk.org/index.php?topic=223665
June 02, 2013, 05:36:28 PM

(I also have some other info on MoneyPakTrader, in relation to some of his other suspicious activities).

Given the dates of MSRSAAP.EXE, I think it's also possible that it was back when I was running a tor exit node on this IP and someone wanted to cloak their identity and tried to use Tor to do that. Obviously it didn't connect (not only is the port not open, but also you can't use tor to do this AFAIK as the command server packets will not be tunneled back), so they did nothing with minecraft.exe and somehow this was uploaded on June 09th (maybe because they got arrested, had HDD seized and had all the files analyzed)? I'm still leaning towards MoneyPakTrader.

You decide. Thanks for digging that out, BTCTalkAccounts!
scotaloo
July 19, 2013, 05:29:17 AM
 #224

I actually don't give a fuck about the IP 49.176.67.225 Smiley

So is that a refusal to answer? Are you giving theymos permission to check the logs and disclose if it's your IP or not?

It's best that you just choose an answer now and stick to it, there is a lot the community does not know...
🏰 TradeFortress 🏰
July 19, 2013, 05:36:26 AM
 #225

I actually don't give a fuck about the IP 49.176.67.225 Smiley

So is that a refusal to answer? Are you giving theymos permission to check the logs and disclose if it's your IP or not?

It's best that you just choose an answer now and stick to it, there is a lot the community does not know...
If by "your IP" you are asking if I used it or not, then yes Smiley

I'd actually like to thank you for bringing minecraft.exe to my attention.
scotaloo
July 19, 2013, 05:38:23 AM
 #226

If by "your IP" you are asking if I used it or not, then yes Smiley

Great that's all I needed to know thank you and good night.
🏰 TradeFortress 🏰
July 19, 2013, 05:39:04 AM
 #227

Don't you already know it's not night where I am from?

 Roll Eyes
scotaloo
July 19, 2013, 05:40:35 AM
 #228

I actually don't give a fuck about the IP 49.176.67.225 Smiley

Yes, I've used it before. I've been doing some digging on a RAT file that has the phone home set to my IP:

BTCTalkAccs pointed me to this virustotal analysis of a DarkComet/DarkKomet RAT with the name 'minecraft.exe':

https://www.virustotal.com/en/file/9970283d1c08091f9260a5bbbc76220ed7b88b75d8352bcbfe35c4730f608262/analysis/

This RAT is set to phone home to: 58.111.143.105:200, which is my IP and on the port 200. However, this is quite meaningless as anyone can do that - it's no different than linking to another webpage. This is the first time I became aware of 'minecraft.exe', and a search on 9970283d1c08091f9260a5bbbc76220ed7b88b75d8352bcbfe35c4730f608262 doesn't turn up anything.

It also has the file name MSRSAAP.EXE, which turns up on virustotal here:

https://www.virustotal.com/en/file/4589cc7f0791e87906da850d27306637d01a71fb6aca9cee74be84c5bfff65c2/analysis/

The SHA hash also doesn't turn up anything other than virustotal on Google, but there is a lot of info on the name MSRSAAP.EXE.

http://answers.yahoo.com/question/index?qid=20120219155647AAN5JIV
http://softwaredownloadpro.com/question14580.html
http://translate.googleusercontent.com/translate_c?depth=1&hl=en&prev=/search%3Fq%3DMSRSAAP.EXE%26safe%3Doff%26client%3Dfirefox-a%26hs%3DFi4%26sa%3DN%26rls%3Dorg.mozilla:en-US:official%26biw%3D1920%26bih%3D940&rurl=translate.google.com&sl=ru&u=http://otvet.mail.ru/question/76611000&usg=ALkJrhiiM8v8n5hHgMTrWiy8ZWjVQYIGJg

This malware has been posted by the user "manolz" as some anti-anticheat or something:
http://www.gamersoul.com/forums/showthread.php?185177-Hackshield-AntiHook-NoShield-0-1-beta/page3

Also on youtube by "iCrack Trainers" (shell youtube account):
http://www.youtube.com/watch?v=VaKLmM40428

So, there's two possibilities:

1) I've been spreading malware disguised as anticheat bypasses and trainers for games that has been documented in English, Chinese and Russian while using my own IP address, have been doing it from 2012 or earlier, and decide to make a new RAT, upload it to virustotal and do nothing with it.

2) Someone who wants to frame me / plant false evidence and has a history of making game-related malware makes a new RAT that connects to my IP and port 200 (which isn't even open), uploads it to virustotal and does nothing with it.

If you look at the date (2013-06-09), you'll see that exactly a week earlier MoneyPakTrader got butthurt that I penetrated his website (which deals with currency exchange) - without doing any malicious damage - and found my IP address:

https://bitcointalk.org/index.php?topic=223665
June 02, 2013, 05:36:28 PM

You decide. Thanks for digging that out, BTCTalkAccounts!

Quoted for future reference. I am not BTCTalkAccounts btw, that wasn't even my nick on IRC pay attention. Wink
scotaloo
July 19, 2013, 05:41:56 AM
 #229

Don't you already know it's not night where I am from?

 Roll Eyes

Lol! G'day mate!
🏰 TradeFortress 🏰
July 19, 2013, 05:45:07 AM
 #230

Quote
Quoted for future reference. I am not BTCTalkAccounts btw, that wasn't even my nick on IRC pay attention.

Yes you are, BTCTalkAccs !== BTCTalkAccounts but BTCTalkAccs == BTCTalkAccounts.

Also, I am going to laugh so hard when you go off 49.176.67.225 for a reason I'm not about to tell you yet.
scotaloo
July 19, 2013, 05:46:36 AM
 #231

Quote
Quoted for future reference. I am not BTCTalkAccounts btw, that wasn't even my nick on IRC pay attention.

Yes you are, BTCTalkAccs !== BTCTalkAccounts but BTCTalkAccs == BTCTalkAccounts.

My nick was BTCTalkAcc, that doesn't imply I am an alt of BTCTalkAccounts or something, that's all I was trying to say lol!
🏰 TradeFortress 🏰
July 19, 2013, 05:48:27 AM
Last edit: July 19, 2013, 12:27:48 PM by TradeFortress
 #232

My nick was BTCTalkAcc, that doesn't imply I am an alt of BTCTalkAccounts or something, that's all I was trying to say lol!

I've got some pretty hard evidence, and also have information on the other phishing operations (like furrycoat - not saying that's directly related to you).

Also, I'm not sure if you understand but I didn't want BTCTalkAccounts banned (yet) for a reason. Should become more clear with the mega thread but I'm waiting for info (no, not the fake ones you get people to send to me) from a few people.

Btw, re scotaloo:

Quote
And morally I see nothing wrong with phishing, people gave me their passwords so they deserve to learn the lesson the hard way
DiamondCardz (OP)
July 19, 2013, 06:30:07 PM
 #233

TF, do you have a current list of all known BTCAccs alts?

BA Computer Science, University of Oxford
Dissertation was about threat modelling on distributed ledgers.
greyhawk
July 19, 2013, 06:45:09 PM
 #234

TF, do you have a current list of all known BTCAccs alts?

I don't think they have invented hard drives that large yet.
DiamondCardz (OP)
July 19, 2013, 06:55:50 PM
 #235

TF, do you have a current list of all known BTCAccs alts?

I don't think they have invented hard drives that large yet.

Oh god, win

BA Computer Science, University of Oxford
Dissertation was about threat modelling on distributed ledgers.
krudkeeper
July 19, 2013, 11:13:22 PM
 #236

if i were you id stop using a certain vpn

If I were you I'd know to shut up about now. You think I already didn't know about that? you think I'm actually still using that VPN? lolplz
if i was cayce franklin id.

Hi,
My account was hacked by this guy. I am the real Cayce Franklin. The guy said on other recent posts (scams) that his name is Mark. I have since changed my password. My apologies if this has caused you any trouble. I have never even been to Minneapolis or anywhere else in Minnesota.

All I am doing is running a website called rainingbitcoin.com . I don't want anyone's money or Bitcoin, I don't mine, use asics, build them, or want to start an ipo. (these were some of the idiot's posts using my account). I am also not 13. I am 33. Hope you find him. Sorry for any inconvenience this may have caused you (Lord knows it has caused me a lot today)

🆙
Kouye
July 19, 2013, 11:30:10 PM
 #237

Hi,
My account was hacked by this guy. I am the real Cayce Franklin. The guy said on other recent posts (scams) that his name is Mark. I have since changed my password. My apologies if this has caused you any trouble. I have never even been to Minneapolis or anywhere else in Minnesota.

All I am doing is running a website called rainingbitcoin.com . I don't want anyone's money or Bitcoin, I don't mine, use asics, build them, or want to start an ipo. (these were some of the idiot's posts using my account). I am also not 13. I am 33. Hope you find him. Sorry for any inconvenience this may have caused you (Lord knows it has caused me a lot today)

Then you were hacked by someone in scotaloo's enemies team.
Which would mean they both play dirty. But have you been hacked, really ?

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
krudkeeper
July 19, 2013, 11:34:22 PM
 #238

Hi,
My account was hacked by this guy. I am the real Cayce Franklin. The guy said on other recent posts (scams) that his name is Mark. I have since changed my password. My apologies if this has caused you any trouble. I have never even been to Minneapolis or anywhere else in Minnesota.

All I am doing is running a website called rainingbitcoin.com . I don't want anyone's money or Bitcoin, I don't mine, use asics, build them, or want to start an ipo. (these were some of the idiot's posts using my account). I am also not 13. I am 33. Hope you find him. Sorry for any inconvenience this may have caused you (Lord knows it has caused me a lot today)

Then you were hacked by someone in scotaloo's enemies team.
Which would mean they both play dirty. But have you been hacked, really ?

Yes. I actually haven't been on here in a few days. They got my password somehow and changed it but I changed it back. I chat with you on coinchat i believe for the past few months. I don't know who scotaloo is or his enemies. I just run the website shown on my avatar. That's all. Plain and simple.

🆙
🏰 TradeFortress 🏰
July 19, 2013, 11:35:24 PM
 #239

Have you entered anything into bitcoin - talk.org?
🏰 TradeFortress 🏰
July 19, 2013, 11:37:49 PM
 #240

Hi,
My account was hacked by this guy. I am the real Cayce Franklin. The guy said on other recent posts (scams) that his name is Mark. I have since changed my password. My apologies if this has caused you any trouble. I have never even been to Minneapolis or anywhere else in Minnesota.

All I am doing is running a website called rainingbitcoin.com . I don't want anyone's money or Bitcoin, I don't mine, use asics, build them, or want to start an ipo. (these were some of the idiot's posts using my account). I am also not 13. I am 33. Hope you find him. Sorry for any inconvenience this may have caused you (Lord knows it has caused me a lot today)

Then you were hacked by someone in scotaloo's enemies team.
Which would mean they both play dirty. But have you been hacked, really ?

Or hacked by scotaloo or hacked by the other phisher..