Bitcoin Forum
November 10, 2024, 02:13:46 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Bitcoin thief techniques  (Read 3007 times)
BrogulT (OP)
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
November 08, 2013, 03:42:22 AM
 #1

I just had a minor theft (0.11BTC, I'll live) and while I understand ways I can positively prevent this (offline wallet, etc), I'm quite curious how the thief did this.

I'm just running the client 0.82/Win7 with my wallet encrypted with a short but unusual password.  I have not opened the client for about two weeks, but I did today just to check the balance.  As soon as I opened it, the balance was .10996851, but after it downloaded the blockchain, it was 0.00000000000000, nada, zilch.  There were two transactions:

First, 11/3/2013, from address 1NpovwBu8RdXYZUHHd4ZWEEnGNgAu3QfWy, tx # 95054f44018eda3be92f3274cc31d56dc7e84c8a6d0f5919da09a8b9e01aadd2 , there is a .00006BTC payment to my address.

Then, 11/6/2013, to address 1NTcSTt3MEW4Mw8SRy9xXmMstk8Pimcjqn, tx # 7c348e83cb9bbabfb567770e322384b37712fcaf704bb17b09e4ca6c3232b71b,  my BTC goes out the door--.11BTC to the thief, then 2851 satoshis as a tx fee.

The 1Npov address was used for a number of these .00006 payments, and a lot (but  not all) of the addresses that received these payments got cleaned out at about the same time I did.  Some of the payments were substantial.  THe 1NTcS address was used to clean out a few accounts, but other addresses were used as well.  One guy got cleaned out of over 300BTC, here is his link from the explorer.

https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

So if anyone can tell me, how is this done?  My computer is not particularly secure--Windows firewall, Avast antivirus, but I've downloaded and tried a pile of miners, altminers, etc, including the now infamous "tradercoin" that had a built in keylogger.  I'd be surprised if that one worked, as I caught it and the keylog files didn't have any relevant info.  If you had my whole computer and were smart, you might guess my wallet.dat encryption password.  I'm especially curious about this--what is the significance of the .00006 BTC payment three days prior.

Any insight appreciated.
xkeyscore89
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
November 08, 2013, 04:57:33 AM
 #2

You should download Malwarebytes and do a scan, I bet you'll be surprised by all the things picked up that your current AV client hasn't detected.  Given your risky download habits, it's not a stretch to predict that you have been infected by multiple trojans and keyloggers.
BrogulT (OP)
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
November 08, 2013, 06:20:48 AM
 #3

I cleaned up pretty good after the TraderCoin debacle.  I just rescanned and checked for rootkits, nothing exciting came out.  My old, unused, miningware downloads did have various junk in them (a lot of Crypt-OSW) but nothing active.  I'm OK, I just would like to know how these things are perpetrated and especially why the .00006 payment?   
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
November 08, 2013, 06:30:32 AM
 #4

To decrypt an encrypted wallet.dat two possibilities:
a) keylogger

or

b) you claim short but unique.  Short = worthless password.  If it was short enough it may have simply been brute forced.  If it had been long and unique that would have been more interesting.  Care to share the password?  Hopefully you are not using it anywhere else, you should assume the attacker knows it.
BitTrade
Full Member
***
Offline Offline

Activity: 173
Merit: 100



View Profile
November 08, 2013, 08:21:32 AM
 #5

Care to share the password?  Hopefully you are not using it anywhere else, you should assume the attacker knows it.

Or at least tell us the number of characters and the type of characters (upper / lower case letters, numbers) you used.  Interested in this as well.
PrintMule
Hero Member
*****
Offline Offline

Activity: 980
Merit: 500


FREE $50 BONUS - STAKE - [click signature]


View Profile
November 08, 2013, 09:37:28 AM
 #6

#2~          if that's your "short but unique" then everything is clear

UPD: also this


██████████████████████████████████████████████████████████████████████
████████▀▀▀        ▀▀█████████████████████████████████████████████████
██████▀    ▄▄▄▄▄▄▄▄    ███████████████████████████████████████████████
█████    ▄█████████▌   ▐█████▀  ▐███████████████▌  ▀██████████████████
████▌   ▐██████████    █████    ████████████████    ██████████████████
████▌   ▐█████████▄▄▄▄█████▌   ▐███████████████▌   ▐███▀▀█████████████
█████    ▀███████████████▀▀        ▄███████████    ██▀   ▐████████████
██████▄     ▀▀███████▀▀         ▄▄███▀▀▀▀█████▌   ▐▀   ▄███▀▀   ▀█████
█████████▄▄     ▀▀███▄  ▄▄    ████▀    ▄   ███       ▄███▀   ▄█  ▐████
█████████████▄▄     ▀████▌   ▐███▀   ███   ██▌      ████    ██▀  █████
██████▀▀   ▀█████▄    ███    ████   ███▌  ▐██    ▌  ▐██▌      ▄▄██████
█████    ▄████████    ▐██    ██▀▀   ██▀   ▐▀    ▐█   ██▌   ▀██▀▀  ████
████▌   ▐████████▀    ███▄     ▄▄▄     ▄    ▄   ▐██   ██▄      ▄▄█████
████▌   ███████▀    ▄███████████████████████████████▄  ▀▀██████▀▀ ████
█████    ▀▀▀▀     ▄█████████▀    ▀█▀    ▀█       ▀████▄▄         ▄████
██████▄▄    ▄▄▄▄████████████  █████  ██  █  █  █  ████████████████████
█████████████████████████  █▄    ▄█▄    ▄█  █  █  ████████████████████
██████████████████████████████████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀▐▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄█▀▀▀█████████▀▀▀█▄
▄█▀    ▄▀█████▀     ▀█▄
▄█▄    █        ▀▄   ███▄
▄████▀▀▀▀▄       ▄▀▀▀▀▀███▄
████      ▀▄▄▄▄▄▀       ███
███     ▄▄███████▄▄     ▄▀█
█  ▀▄ ▄▀ ▀███████▀ ▀▄ ▄▀  █
▀█   █     ▀███▀     ▀▄  █▀
▀█▄▄█▄      █        █▄█▀
▀█████▄ ▄▀▀ ▀▀▄▄ ▄▄███▀
▀█████        ████▀
▀▀█▄▄▄▄▄▄▄█▀▀
● OVER 1000 GAMES
● DAILY RACES AND BONUSES
● 24/7 LIVE SUPPORT
Birdy
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250



View Profile
November 08, 2013, 10:31:27 AM
 #7

#2~         if that's your "short but unique" then everything is clear
<picture>

And then dictionary attack became a thing...
4 random english words aren't very strong as password.
superresistant
Legendary
*
Offline Offline

Activity: 2156
Merit: 1131



View Profile
November 08, 2013, 10:36:56 AM
 #8

I though the brute force do not work if the password is long enough.
mrm0
Member
**
Offline Offline

Activity: 89
Merit: 10


View Profile
November 08, 2013, 10:39:30 AM
Last edit: November 08, 2013, 02:36:59 PM by mrm0
 #9

What happens with a locked wallet, when incoming tx is seen by running bitcoind?
Isn't it automatically unlocked for a brief period? Would it be of use to a memory scanning malware?
Just thinking aloud..

1BUcKJVz5n34VwuiyiLtPud1PGn3BLkcPb  :-)
PrintMule
Hero Member
*****
Offline Offline

Activity: 980
Merit: 500


FREE $50 BONUS - STAKE - [click signature]


View Profile
November 08, 2013, 11:04:31 AM
 #10

#2~         if that's your "short but unique" then everything is clear
<picture>

And then dictionary attack became a thing...
4 random english words aren't very strong as password.

Noone expects you to have a string of multiple words this long

Everyone's using Xxxxxxx* these days

Also good luck guessing my wallet's pass with dictionary

hint: it's 6 meaningful words  ~28 chars total, plus one word is used in possessive case


██████████████████████████████████████████████████████████████████████
████████▀▀▀        ▀▀█████████████████████████████████████████████████
██████▀    ▄▄▄▄▄▄▄▄    ███████████████████████████████████████████████
█████    ▄█████████▌   ▐█████▀  ▐███████████████▌  ▀██████████████████
████▌   ▐██████████    █████    ████████████████    ██████████████████
████▌   ▐█████████▄▄▄▄█████▌   ▐███████████████▌   ▐███▀▀█████████████
█████    ▀███████████████▀▀        ▄███████████    ██▀   ▐████████████
██████▄     ▀▀███████▀▀         ▄▄███▀▀▀▀█████▌   ▐▀   ▄███▀▀   ▀█████
█████████▄▄     ▀▀███▄  ▄▄    ████▀    ▄   ███       ▄███▀   ▄█  ▐████
█████████████▄▄     ▀████▌   ▐███▀   ███   ██▌      ████    ██▀  █████
██████▀▀   ▀█████▄    ███    ████   ███▌  ▐██    ▌  ▐██▌      ▄▄██████
█████    ▄████████    ▐██    ██▀▀   ██▀   ▐▀    ▐█   ██▌   ▀██▀▀  ████
████▌   ▐████████▀    ███▄     ▄▄▄     ▄    ▄   ▐██   ██▄      ▄▄█████
████▌   ███████▀    ▄███████████████████████████████▄  ▀▀██████▀▀ ████
█████    ▀▀▀▀     ▄█████████▀    ▀█▀    ▀█       ▀████▄▄         ▄████
██████▄▄    ▄▄▄▄████████████  █████  ██  █  █  █  ████████████████████
█████████████████████████  █▄    ▄█▄    ▄█  █  █  ████████████████████
██████████████████████████████████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀▐▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄█▀▀▀█████████▀▀▀█▄
▄█▀    ▄▀█████▀     ▀█▄
▄█▄    █        ▀▄   ███▄
▄████▀▀▀▀▄       ▄▀▀▀▀▀███▄
████      ▀▄▄▄▄▄▀       ███
███     ▄▄███████▄▄     ▄▀█
█  ▀▄ ▄▀ ▀███████▀ ▀▄ ▄▀  █
▀█   █     ▀███▀     ▀▄  █▀
▀█▄▄█▄      █        █▄█▀
▀█████▄ ▄▀▀ ▀▀▄▄ ▄▄███▀
▀█████        ████▀
▀▀█▄▄▄▄▄▄▄█▀▀
● OVER 1000 GAMES
● DAILY RACES AND BONUSES
● 24/7 LIVE SUPPORT
BrogulT (OP)
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
November 08, 2013, 04:55:18 PM
 #11

@PrintMule et al:

I suppose my password could be brute forced, I hadn't intended any great level of security here.  That is why there was only .11BTC to be had.  My own previous attempts at cracking a wallet (my own, of course) weren't all that successful, but the program I had only did a few attempts per second.  I had to seed it with some pretty good guesses or have a 2-character password to get in.

I don't want to reveal the password, but it was on the order of "malleus4" or "centrifugal9" or "rhapsody3".  Oddly enough, PrintMule, the phrase "correct horse battery staple" appears in the address of the guy who got ripped for 300BTC.   

This leaves the questions of:

1.  What malware finds and sends wallet.dat files?  I suppose a decoy wallet might be the thing?  And then rename  your actual wallet  "familyvacation.jpg"?

2.  (the one bugging me the most)  What is the .00006BTC for?

3.  Why wait?  I realized TraderCoin was a virus/keylogger (if that is the source of this theft) and cleaned it up, but if I was more concerned or had more BTC, I would have transferred them out immediately.  The TraderCoin keylogger thing was 10/24/13, almost two weeks earlier.
Damnsammit
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250



View Profile
November 08, 2013, 05:11:17 PM
 #12

As far as passwords concerned, is using leetspeak generally a good idea? 

For example:  For a while my password was "monkeyshit" but I typed it in leetspeak so it was "M0nK3y$h17"

Seems pretty secure to me.
BrogulT (OP)
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
November 08, 2013, 05:12:45 PM
 #13

And one other thing--if you look at the transaction 95054f44018eda3be92f3274cc31d56dc7e84c8a6d0f5919da09a8b9e01aadd2  you'll see that a lot of the addresses involved are related to HHTT Mining Pool, so perhaps someone quite a bit more sophisticated is trying to rip off HHTT?  It would hardly seem worth any significant effort to get my .11BTC, but for 300BTC or more from a pool, I suppose the game changes.
sublime5447
Legendary
*
Offline Offline

Activity: 966
Merit: 1000



View Profile
November 08, 2013, 05:14:52 PM
 #14

To decrypt an encrypted wallet.dat two possibilities:
a) keylogger

or

b) you claim short but unique.  Short = worthless password.  If it was short enough it may have simply been brute forced.  If it had been long and unique that would have been more interesting.  Care to share the password?  Hopefully you are not using it anywhere else, you should assume the attacker knows it.

Or

C) Someone has a list of of passwords.

maybe btc-e, coinbase, this forum, blockchain.org?
RodeoX
Legendary
*
Offline Offline

Activity: 3066
Merit: 1147


The revolution will be monetized!


View Profile
November 08, 2013, 05:20:25 PM
 #15

Hjwdi%3?hiuqofC9ybsyq!YFrdEDe

A password should look like the example above. Long, random and using caps, numbers, special chars, etc. Never use a word or anything remotely connected to you, such as a pet's name or a child's birthday.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!
LiteCoinGuy
Legendary
*
Offline Offline

Activity: 1148
Merit: 1014


In Satoshi I Trust


View Profile WWW
November 08, 2013, 05:23:00 PM
 #16

I just had a minor theft (0.11BTC, I'll live) and while I understand ways I can positively prevent this (offline wallet, etc), I'm quite curious how the thief did this.

 I've downloaded and tried a pile of miners, altminers, etc, including the now infamous "tradercoin" that had a built in keylogger.   



thats it.



MaxBTC1
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile WWW
November 08, 2013, 05:25:07 PM
 #17

In the chat I'm in now there is a guy who openly accepts that he steals bitcoins and he has an exploit on blockchain according to those he stole from
plasticAiredale
Full Member
***
Offline Offline

Activity: 207
Merit: 120



View Profile
November 08, 2013, 06:44:13 PM
 #18

As far as passwords concerned, is using leetspeak generally a good idea? 

For example:  For a while my password was "monkeyshit" but I typed it in leetspeak so it was "M0nK3y$h17"

Seems pretty secure to me.

Not really. http://optimwise.com/passwords-with-simple-character-substitution-are-weak/.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
November 08, 2013, 06:47:50 PM
 #19

And then dictionary attack became a thing...
4 random english words aren't very strong as password.

4 RANDOM words is a very strong password (assumming the rest of the system is secure, random large number salt, multi-round key hardening, secure algorithm).   Dictionary attacks aren't looking for random words, they are looking for common words, phrases, known used passwords, variations of words (p@ssw0rd), phrases from books/movies/etc.

A dictionary of all 4 combinations of english words is well useless.
sublime5447
Legendary
*
Offline Offline

Activity: 966
Merit: 1000



View Profile
November 08, 2013, 06:50:17 PM
 #20

In the chat I'm in now there is a guy who openly accepts that he steals bitcoins and he has an exploit on blockchain according to those he stole from


I strongly suspect this to be the case. I had an excellent password and got hacked. I did a virus scan and didnt come up with anything that looked malicious.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!