Bitcoin Forum
Pages: « 1 [2] 3 »  All
Author Topic: Hacked - 22 BTC stolen from Bitcoin-QT v0.8.1-beta wallet on OS X 10.7.5  (Read 10675 times)
Kouye
August 03, 2013, 11:34:44 AM
Last edit: August 03, 2013, 12:32:13 PM by Kouye
 #21

The source code on https://github.com/trevory/bitvanity was a perfectly legit vanity generator. The pre-compiled one included malware.

Edit: The source code version is clean and has nothing scary. I was hoping to find something in the compiled binary and found this, so it's very clearly malware:
/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/

Edit : Removed a quote which I didn't notice was completely irrelevant to this thread. Thanks for pointing this out, Remember remember the 5th of November

Remember remember the 5th of November
August 03, 2013, 12:22:10 PM
 #22

Quote
I'm definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems ok.

Quote from: Kouye
The code was a perfectly legit vanity generator. The pre-compiled one included malware.

Edit: The source code version is clean and has nothing scary. I was hoping to find something in the compiled binary and found this, so it's very clearly malware:
/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/

VanityGen != BitGen. Please quote properly next time to avoid any confusion.

E.Sam
August 03, 2013, 12:41:29 PM
 #23

Quote from: Remember remember the 5th of November
VanityGen != BitGen. Please quote properly next time to avoid any confusion.

Sorry, that was my mistake - I have just edited the TS.
ajk
August 03, 2013, 04:44:10 PM
 #24

Thank you vlees and others for the clarification.

I am still extremely sorry to hear about the loss. I think that, in order to prevent this from happening next time, it would be best to use a Linux-based operating system, as to my knowledge there are far fewer workable viruses for it, since it is an OS that not many people use.

If you've got a BTC address I'll send over a donation to you if you'll accept it. Again, sorry to hear about this; blackhat hackers really are some pieces of shit.
Kouye
August 03, 2013, 06:41:42 PM
 #25

Quote from: ajk
I am still extremely sorry to hear about the loss. I think that, in order to prevent this from happening next time, it would be best to use a Linux-based operating system, as to my knowledge there are far fewer workable viruses for it, since it is an OS that not many people use.

Unfortunately, this is not a virus in the commonly accepted sense. It's malware designed to steal from you, that most likely won't be detected by any standard anti-virus, and that is likely to succeed on Linux as well - even though the overall security model (requiring root access) might help lower the risk.

As Vlees said, the safest way, when using this kind of software, is to have the code reviewed by someone - I'm sure lots of people around would be glad to help - and then to compile those sources yourself. Basic compiling is not that tricky, really, especially on Linux.

E.Sam
August 05, 2013, 01:46:59 PM
 #26

Quote from: Kouye
Unfortunately, this is not a virus in the commonly accepted sense. It's malware designed to steal from you, that most likely won't be detected by any standard anti-virus, and that is likely to succeed on Linux as well - even though the overall security model (requiring root access) might help lower the risk.

As Vlees said, the safest way, when using this kind of software, is to have the code reviewed by someone - I'm sure lots of people around would be glad to help - and then to compile those sources yourself. Basic compiling is not that tricky, really, especially on Linux.

I can confirm this. Running Mac Sophos anti-virus didn't raise any red flags.

Quote from: ajk
If you've got a BTC address I'll send over a donation to you if you'll accept it. Again, sorry to hear about this; blackhat hackers really are some pieces of shit.

That's very altruistic of you ajk, thanks. I accept responsibility for downloading/using an app from an untrusted source, and therefore bear the blame... So it's really nice of you to think I deserve some help to get back on my feet!

1dxkU8qjpZvFBL1uz2EhgaCMbgFTEMbWR


E.Sam
August 15, 2013, 10:56:58 AM
 #27

From Github

Quote
Hi Eric,

We've taken action against the repository. Thanks for reporting this. Let us know if you find any other projects we should be aware of.

Thanks,

-Austin

Rampion
August 22, 2013, 03:48:18 PM
 #28

Did Bitvanity ask you to enter your administrator password?

E.Sam
February 03, 2014, 03:56:32 AM
Last edit: February 27, 2014, 09:55:29 AM by E.Sam
 #29

Thought I would bring this thread back to life for some advice.

Recently, some BTC from one of the addresses linked to the Bitvanity malware (referred to here: https://bitcointalk.org/index.php?topic=25804.msg1995725#msg1995725) started moving.

The address: https://blockchain.info/address/1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV

The transaction in question: https://blockchain.info/tx/2030cfcec6aa0b5c2fad037f8e504f694c46ae7f21a9ab59b03d706c92c2bedc

goes here: https://blockchain.info/address/1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY

Now, the last transaction of the above address (https://blockchain.info/tx/1f1ed9ffb48939a35e41fd34de7a2d65fd6b20ed1601c8e8fb69323ae395ba35, timestamp: 2013-12-29 18:55:28) sends funds to 1526xfWVCnsbMXT8XKN5J7q53TeKiSqy5Z and 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic.

I just found out that 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic belongs to Bitstamp. Would I be right to assume that the person behind Bitvanity sent some stolen funds to Bitstamp?
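As an added example (not part of E.Sam's post or anything else in the thread), the two transactions he links can be written down as a tiny spend graph and walked forward to see which tagged address the coins reach and in how many hops. The edges are constructed from the explorer links above; amounts are not on the page and are left out; the Bitstamp tag is the one E.Sam reports, not independently verified; a real trace would pull each transaction from a node or explorer API instead of a hand-written dict.

```python
"""Walk the spend graph forward from a suspect address (added example).

Not code from the thread. TXS is constructed by hand from the two explorer
links in the post (address -> txid -> output addresses); amounts are not on
the page and are not used. TAGS carries the one owner label the post reports.
"""
from collections import deque

# Constructed from the post: txid -> (input addresses, output addresses).
TXS = {
    "2030cfcec6aa0b5c2fad037f8e504f694c46ae7f21a9ab59b03d706c92c2bedc": (
        ["1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV"],
        ["1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY"],
    ),
    "1f1ed9ffb48939a35e41fd34de7a2d65fd6b20ed1601c8e8fb69323ae395ba35": (
        ["1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY"],
        ["1526xfWVCnsbMXT8XKN5J7q53TeKiSqy5Z",
         "13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic"],
    ),
}

# Address -> owner label, as reported in the thread (not verified here).
TAGS = {"13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic": "Bitstamp"}


def spends_index(txs):
    """Map each input address to the txids that spend from it."""
    index = {}
    for txid, (inputs, _outputs) in txs.items():
        for addr in inputs:
            index.setdefault(addr, []).append(txid)
    return index


def trace(start, txs, tags, max_hops=4):
    """Breadth-first walk from `start` along spends.

    Returns (hits, frontier): hits are (address, label, hops, txid path) for
    every tagged address reached within max_hops; frontier is the set of
    untagged addresses where the walk stopped (unspent, unknown, or too deep),
    i.e. what still needs explaining in a real investigation.
    """
    index = spends_index(txs)
    seen = {start}
    queue = deque([(start, 0, [])])
    hits, frontier = [], set()
    while queue:
        addr, hops, path = queue.popleft()
        if addr in tags:
            hits.append((addr, tags[addr], hops, path))
            continue  # coins at a known custodian: stop following
        next_txids = index.get(addr, []) if hops < max_hops else []
        if not next_txids:
            frontier.add(addr)
            continue
        for txid in next_txids:
            # Every output is treated as tainted: without amounts and change
            # heuristics you cannot say which output carried the stolen coins.
            for out in txs[txid][1]:
                if out not in seen:
                    seen.add(out)
                    queue.append((out, hops + 1, path + [txid]))
    return hits, frontier


if __name__ == "__main__":
    hits, frontier = trace("1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV", TXS, TAGS)
    for addr, label, hops, path in hits:
        print(f"{addr} ({label}) reached in {hops} hops via {' -> '.join(path)}")
    print("unresolved:", sorted(frontier))
```

The walk reports Bitstamp's address two hops out, with the other output of the second transaction left on the frontier. That is exactly the "tricky" part E.Sam mentions later: an exchange deposit two hops away through an intermediary address, with one sibling output unexplained, is a lead, not proof that the depositor is the thief.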
Malexo
February 03, 2014, 04:27:03 AM
 #30

Quote from: E.Sam
I just found out that 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic belongs to Bitstamp. Would I be right to assume that the person behind Bitvanity sent some stolen funds to Bitstamp?

This should probably be moved or reposted in the scam accusations forum? Might get more aid there.
**** my space bar is tripping balls.
E.Sam
February 03, 2014, 05:08:54 AM
 #31

Yes you're right, I was actually thinking of mentioning this.
When I started this thread, I wasn't sure if this was due to a malware or not. I guess it is quite clear now.
E.Sam
February 05, 2014, 02:40:49 AM
Last edit: February 05, 2014, 03:21:37 AM by E.Sam
 #32

Looks like our man is back and maybe writing another piece of malware, this time as a Bitcoin stealth address generator for OSX.

His Reddit post: http://www.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/

Why I believe he's the same person (quoting my comment from the above thread link):
Quote from: CptQo @ Reddit
I would recommend extreme caution when using such software.

I just registered to Reddit after seeing this post so as to warn people.

Last summer, in my infinite wisdom, I downloaded a Mac app called Bitvanity from GitHub (https://github.com/trevory/bitvanity). It turned out to be malware that empties your Bitcoin wallet (lost more than 20 BTC).
Reference: https://bitcointalk.org/index.php?topic=266813.0 - https://bitcointalk.org/index.php?topic=25804.msg1995725#msg1995725 This was discussed on Reddit as well, but I can't seem to find the post now.

The OP of this thread is called trevorscool; his GitHub account is https://github.com/thomasrevor/StealthBit under the name Thomasrevor.

The Bitvanity GitHub account was under the name Trevory (T.Revor.Y, you get the drift). Thomas Revor - Trevorscool - Trevory... Looks a bit suspect.

Also, it looks like trevorscool has been deleting a few of his posts from 7 months ago: http://webcache.googleusercontent.com/search?q=cache:3cbWKz_lDXoJ:webby.hazasite.com/user/trevorscool+&cd=24&hl=en&ct=clnk&gl=uk compared to: https://pay.reddit.com/user/trevorscool?count=25&after=t1_cetbxnn
The 3 deleted posts are inciting people to download/use Bitvanity + a link to the Bitvanity GitHub: http://webby.hazasite.com/r/Bitcoin/comments/1d0pd2/bitvanity_bitcoin_just_got_more_beautiful/ http://webby.hazasite.com/r/BitcoinBeginners/comments/1d2rhz/super_easytouse_vanity_address_generator_for_mac/ and https://github.com/trevory/bitvanity
fishy
February 05, 2014, 03:06:06 AM
 #33


Quote
Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Was your electrum compromised or were you running bitvanity?

@E.Sam
Sorry about your loss, if you contact bitstamp do you think you will be able to recover your BTC?

E.Sam
February 05, 2014, 03:16:11 AM
 #34


Quote from: fishy
Quote
Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Was your electrum compromised or were you running bitvanity?

@E.Sam
Sorry about your loss, if you contact bitstamp do you think you will be able to recover your BTC?

Bitstamp wouldn't give out clients' information without a court order. Since they are based in the EU, theoretically that shouldn't be too difficult. I would still have to prove a correlation, and since the stolen funds were transferred via another address, that could be tricky.
Anyway, I have come to terms with my loss; I'm just trying to prevent others from falling for it.

Edit: I was running Bitvanity in the background (I was not using the vanity addresses generated by it. As for Electrum, it was not even installed).
SgtMoth
February 05, 2014, 03:34:15 AM
 #35

Sorry about your loss too. I got hacked on the 30th. I clicked on a news story in my email; it took me to a site to watch a video, a window popped up telling me to update Flash, I downloaded a trojan and began to get fkd... They went into my Bitminter account and took 374 namecoins, but before I noticed that was gone, the bastard kept popping up a window telling me to update my wallet password because it had expired; I had 10 BTC in it. Ran a scan, found the trojan, went around and changed every password. Good thing, too: that night they tried to get into all my accounts. Sold my BTC, lesson learned; I only do my account stuff on one computer now, no surfing.
Sonny
February 07, 2014, 04:03:41 PM
 #36

Sorry to hear about your loss :(
E.Sam
February 07, 2014, 04:18:08 PM
 #37

Quote from: Sonny
Sorry to hear about your loss :(

Thanks. From now on I have an offline wallet on 2 Raspberry Pis (with a few satoshi). Learn and live :)

I would really appreciate it if anyone around with some coding knowledge on OSX could have a look into the (presumed) hacker's new app, StealthBit (mentioned in the previous post: https://github.com/thomasrevor/StealthBit).

I have been in contact with the Reddit mods, and this is what they said:
Quote
I didn't see any hard-coded bitcoin addresses when I looked through. But I didn't exactly understand how the code worked either. If you're typing in a private key, it may be transmitting that key to another server that runs code to quickly move funds to a hard-coded wallet. So I can't say we need to take it down, but I say we leave it for others more experienced to test out.

I have also been in contact with GitHub, but they are always reluctant to take down an app that is not proven to be malware, and they didn't seem to have the resources (or incentive) to look into it. GitHub:
Quote
Thanks for reaching out to us again. Can you describe the malicious activity of StealthBit?

My answer:
Quote
I'm not a specialist unfortunately (...)
The only thing I'm quite positive of is that ThomasRevor and Trevory are the same person. There are too few coders writing Bitcoin OSX applications for this to be a coincidence. Maybe cross-check their IP addresses? Although it would seem very amateurish of him not to use a VPN or Tor.
Anyway, I posted my concerns as an issue for StealthBit. I have been trying to get in contact with him for 4 days and have been posting warnings in his threads, but no answers up to now, which is a bit concerning.
Can't some of your team have a look into the code?

Anyone here good/caring enough to have a look?
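Two things in this thread are checkable without understanding the whole program: Kouye (post #21) found a tell-tale build path embedded in the shipped Bitvanity binary, and the Reddit mod quoted above looked for hard-coded bitcoin addresses in StealthBit. As an added example (not code from the thread, nor from Bitvanity or StealthBit), the script below does both over a byte blob: it extracts printable strings the way `strings` does, pulls out build paths and URLs, and validates address-shaped strings with the Base58Check checksum so that random base58-looking text is not reported. SAMPLE is a constructed blob, not a real binary: it contains the path Kouye quoted, a hypothetical beacon URL (example.invalid), the genesis-block coinbase address as a known-valid control, a copy of it with the last character altered, and a hypothetical Objective-C selector string.

```python
"""Static string triage of a suspect wallet binary (added example).

Not code from the thread, from Bitvanity or from StealthBit. It reproduces
two manual checks from the thread in script form: look for an embedded build
path (what Kouye found in the shipped app) and for hard-coded Bitcoin
addresses (what the Reddit mod looked for), validating address-shaped strings
with the Base58Check checksum. SAMPLE is a constructed byte blob.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# clang/Xcode leave the absolute path of each compilation unit in the binary's
# debug and symbol information; a path under a stranger's home directory is a
# hint that the binary was not built from the repository you were shown.
BUILD_PATH = re.compile(r"/(?:Users|Volumes)/[^\"'\x00]+")
URL = re.compile(r"https?://[^\s\"'<>]+")
# Shape of a mainnet P2PKH ('1...') or P2SH ('3...') address.
ADDR_CANDIDATE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}"
    r"(?![1-9A-HJ-NP-Za-km-z])"
)


def b58check_decode(text):
    """Return (version_byte, payload) if text is valid Base58Check, else None."""
    n = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' stands for a leading zero byte that the integer lost.
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    if len(raw) < 5:
        return None
    body, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        return None
    return body[0], body[1:]


def extract_strings(blob, min_len=8):
    """Printable-ASCII runs of min_len+ bytes, the heuristic `strings -n` uses."""
    runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in runs.finditer(blob)]


def triage(blob):
    """Collect build paths, URLs and checksum-valid addresses from a binary."""
    report = {"build_paths": [], "urls": [], "addresses": [], "rejected": []}
    for s in extract_strings(blob):
        report["build_paths"] += BUILD_PATH.findall(s)
        report["urls"] += URL.findall(s)
        for cand in ADDR_CANDIDATE.findall(s):
            decoded = b58check_decode(cand)
            # version 0 = P2PKH, 5 = P2SH; payload must be a 20-byte hash160
            if decoded is not None and decoded[0] in (0, 5) and len(decoded[1]) == 20:
                report["addresses"].append(cand)
            else:
                report["rejected"].append(cand)  # address-shaped, bad checksum
    return report


# Constructed sample: the path Kouye quoted, a hypothetical beacon URL, the
# genesis-block address as a known-valid control, a copy of it with the last
# character altered (checksum must fail), and a hypothetical ObjC selector.
SAMPLE = b"".join([
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12,
    b"/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/\x00",
    b"\x8b\xad\xf0\x0d" * 4,
    b"https://example.invalid/collect\x00",
    b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00",
    b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00",
    b"-[BitVanity generateAddress:]\x00",
])

if __name__ == "__main__":
    for key, values in triage(SAMPLE).items():
        print(f"{key}: {values}")
```

Against a real app, call triage() on the bytes of the executable inside the .app bundle. A build path under someone else's home directory that does not match the project you downloaded, or a checksum-valid address the program never shows you, is worth raising before running it; the absence of both proves nothing, since a stealer can fetch its destination address or post the private key to a server at run time, which is exactly the possibility the mod's remark leaves open.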
E.Sam
February 09, 2014, 04:00:12 PM
 #38

Looks like StealthBit was malware.

http://www.reddit.com/r/Bitcoin/comments/1xf2qj/my_wallet_just_emptied_into_this_address/
2double0
February 09, 2014, 04:12:52 PM
 #39


Yes, looks like it was. There should have been more coverage on the software when it was released.

Rampion
February 10, 2014, 11:09:42 AM
 #40

Good job OP on warning people about this malware.

Making malware for OSX has to be a very profitable niche: virtually no use of AV software among OSX users, and anyhow I don't think that such targeted malware would trigger any alarm.
