NXT :: descendant of Bitcoin - Updated Information

[opticalcarrier]

I have just read the last 50 pages of this topic and wow this is crazy.

First of all yes the client was posted by me and I added some code that would send the secrets to my server.
A week ago there were all the ddos issues and billions created which led to a lot of client updates.
During these updates I noticed a lot of those clients had different hashes which made me wondering how easy it would be to modify the client and get it circulated.
So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less then an hour.
The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.

Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked.
The accounts that I got access to never had more then 1000 nxt in them and I never had the intention of taking it.
To the people who got hacked before 0.4.8 I can say that it was definetly not me who could have stolen your coins.

Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead if only focussing only on their pass strength.
That point has been made very clear now in an unfortunate way.

To be honest if I had found an account containing a 50 million next I would have probably taken it and diseappeared but that was not the case. I am human after all.

I know there are other modified clients around whether they use the same type of attack I don't know.
Digitalocean has also contacted me that people here have sent complaints and that different IP's have logged in on my account.
Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know. 

People are angry and ofcourse I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.

wow and so now you take us for idiots?

[1714807508]

1714807508

[1714807508]

1714807508

[1714807508]

1714807508

[EvilDave]

Now this is gonna get interesting....

[Jimmy2011]

Let's see... 0.4.8 was more stable than 0.4.7e, even on 512 Mb. If 0.4.9e is even better, then we're getting where it should be.

The goal is to run NRS on 64 KiB devices.

Yeah, Bill Gates said he will join in Nxt.

[plasticAiredale]

I have just read the last 50 pages of this topic and wow this is crazy.

First of all yes the client was posted by me and I added some code that would send the secrets to my server.
A week ago there were all the ddos issues and billions created which led to a lot of client updates.
During these updates I noticed a lot of those clients had different hashes which made me wondering how easy it would be to modify the client and get it circulated.
So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less then an hour.
The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.

Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked.
The accounts that I got access to never had more then 1000 nxt in them and I never had the intention of taking it.
To the people who got hacked before 0.4.8 I can say that it was definetly not me who could have stolen your coins.

Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead if only focussing only on their pass strength.
That point has been made very clear now in an unfortunate way.

To be honest if I had found an account containing a 50 million next I would have probably taken it and diseappeared but that was not the case. I am human after all.

I know there are other modified clients around whether they use the same type of attack I don't know.
Digitalocean has also contacted me that people here have sent complaints and that different IP's have logged in on my account.
Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know. 

People are angry and ofcourse I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.

Wow. Just Wow.

[Kodoka]

The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex.   That ain't gonna happen.

This is a major crime in the tens of thousands of dollars range and we know who did it.  People go to prison for years for this kind of crap.
  
(Are you reading this, EpicThomas?  I know you are.)  

You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city.

Do you feel lucky, punk?

A MESSAGE TO EPIC THOMAS:


Dude, I'm coming for you.  You had better put back the NXT where it belongs before I find out who you are and go to the police.  I will stop if you repay the NXT you have taken from others.  Once I find out a name and address and turn it over to law enforcement, things are out of my hands.  Until that time you can save yourself.  Do it.

My email to customer service at Digital Ocean:

Can you identify the real name, email address, mailing address, and telephone number of the user renting a cloud server from you at 162.243.246.233 for the past several days?  This person is involved in illegal activities and has stolen over $23,000 that we know of so far through  unauthorized transfers of assets.  When you have obtained this information, please let me know the name and location of the representative who may be contacted by local law enforcement.  

This is not a prank or joke.   My name is X.  I am a resident of X and you can contact me at my cell number of X if needed.  Thank you, and I look forward to your prompt response.

I understand your enthusiasm. I'd be pissed if my Nxt was stolen, too. Theft of crypto-currency is tricky, though.

[rickyjames]

The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex.   That ain't gonna happen.

This is a major crime in the tens of thousands of dollars range and we know who did it.  People go to prison for years for this kind of crap.
  
(Are you reading this, EpicThomas?  I know you are.)  

You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city.

Do you feel lucky, punk?

A MESSAGE TO EPIC THOMAS:


Dude, I'm coming for you.  You had better put back the NXT where it belongs before I find out who you are and go to the police.  I will stop if you repay the NXT you have taken from others.  Once I find out a name and address and turn it over to law enforcement, things are out of my hands.  Until that time you can save yourself.  Do it.

My email to customer service at Digital Ocean:

Can you identify the real name, email address, mailing address, and telephone number of the user renting a cloud server from you at 162.243.246.233 for the past several days?  This person is involved in illegal activities and has stolen over $23,000 that we know of so far through  unauthorized transfers of assets.  When you have obtained this information, please let me know the name and location of the representative who may be contacted by local law enforcement.  

This is not a prank or joke.   My name is X.  I am a resident of X and you can contact me at my cell number of X if needed.  Thank you, and I look forward to your prompt response.

I understand your enthusiasm. I'd be pissed if my Nxt was stolen, too. Theft of crypto-currency is tricky, though.

Hell, I'm not out to convict him.  I'm out to bankrupt him through lawyer fees to defend his sorry ass.  A conviction would just be icing on the cake.

[wesleyh]

I have just read the last 50 pages of this topic and wow this is crazy.

First of all yes the client was posted by me and I added some code that would send the secrets to my server.
A week ago there were all the ddos issues and billions created which led to a lot of client updates.
During these updates I noticed a lot of those clients had different hashes which made me wondering how easy it would be to modify the client and get it circulated.
So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less then an hour.
The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.

Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked.
The accounts that I got access to never had more then 1000 nxt in them and I never had the intention of taking it.
To the people who got hacked before 0.4.8 I can say that it was definetly not me who could have stolen your coins.

Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead if only focussing only on their pass strength.
That point has been made very clear now in an unfortunate way.

To be honest if I had found an account containing a 50 million next I would have probably taken it and diseappeared but that was not the case. I am human after all.

I know there are other modified clients around whether they use the same type of attack I don't know.
Digitalocean has also contacted me that people here have sent complaints and that different IP's have logged in on my account.
Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know. 

People are angry and ofcourse I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.

Heh..

Assuming this were true, where are the clients you've noticed that have different hashes? Please post them here.

[gbeirn]

If anyone else wants to contribute anything to helping reimburse those who were affected my account is: 7692313866255280204

I just received 35K NXT from neer.g. Once we get some confirmations on that I will begin sending it out.

I think this is a great effort but I urge you to hold off for a day or two and see if we can get EpicThomas to rethink the wisdom of keeping his ill-gotten gains and put the money back that he stole.

Worth a shot.  And I am 99.99% sure I will have the law on his tail if he doesn't.  I am a persistent fellow once I take up a cause.

You keep up work on that side. I will give this a couple of hours and then distribute what I have. If by some chance we get those coins back we can worry about that then.



Thanks, xyzzyx, for the 1K contribution!

[instacalm]

EpicThomas, that was a very stupid move of yours

[Buratino]

Thus, is it happy end with the theft story?

[salsacz]

First identified Nxt hacker

Robbed announcements:
PaulyC
01-01-2014, 14:03:40
https://bitcointalk.org/index.php?topic=345619.msg4253372#msg4253372

sparta_cuss
01-01-2014, 17:05:58
https://bitcointalk.org/index.php?topic=345619.msg4255475#msg4255475

newcn
01:40:33 AM (CET)
https://bitcointalk.org/index.php?topic=345619.msg4262475#msg4262475

plasticAiredale on Today at 13:31:39
https://bitcointalk.org/index.php?topic=345619.msg4269412#msg4269412

Hacker was still posting to the Nxt topic:

EpicThomas
01-01-2014, 19:18:39
Both bitcoin and nxt generate your address from a 256bit key. The only problem is that bitcoin generates your private key while nxt uses sha256(pass) to get your private key.
https://bitcointalk.org/index.php?topic=345619.msg4257117#msg4257117

Good points:
Come-from-Beyond on 01-01-2014, 20:43:09

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

Patel: 01-01-2014, 20:48:22

Another possibility is that the global mod that went rogue from the nxtforum, he could have changed the download link to a infected copy of NRS and people who used that link from the forum were using a compromised version

BloodyRookie: 01-01-2014, 21:04:11

He should calculate the SHA256 Hash of the class files, no need to decompile.

opticalcarrier: 01-01-2014, 21:15:36

its unforunate that one of the links there is a mega.co server. paulyc please tell us if you downloaded from the mega.co link or not.
in fact, can you please look on your HD and get the zipfile and post it somewhere for us to look at.

Finale:
PaulyC
Today at 01:43:01

Has anyone else noticed the 4.8 download zip from nextcoin.org vs. the one from this exact link Nxt 0.4.8 - https://mega.co.nz/#!yV5A1BTR!oi33K7WovgccuEHvP05nzggTnxrkZHJbwFmv5tGeXNI
Are 5 Kb in difference? is that anything to be concerned about?

S3MKi
Today at 01:55:38

Where did you download your client 0.4.8?

utopianfuture
Today at 02:04:18

Looks like you downloaded a bogus client.

newcn found the hack:
newcn
Today at 02:21:33

the 0.4.8 client I used, I forgot where I downloaded it, but from chrome history,  the link was http://162.243.246.223/n...

Salsacz found the hacker's Bitcointalk account:
Salsacz, 02:38:10 AM (CET)
https://bitcointalk.org/index.php?topic=345619.msg4263111#msg4263111

LiQio found a proof in googlecache:
LiQio
Today at 14:16:48

Thanks for the additional info, seems to point again to EpicThomas
He quoted the original message, but modified the link! And later modified it back!
Check:
https://bitcointalk.org/index.php?topic=345619.msg4237883#msg4237883
BUT in Google cache (Do not use the link found in cache!):
http://webcache.googleusercontent.com/search?q=

+ then I pointed out other posts where could be modified links

---

I am glad so we could find the wrong client and now we exactly know how it happened and how many people got robbed:
https://bitcointalk.org/index.php?topic=345619.msg4271189#msg4271189
- We can still check some other blocks during the time of the hacks, but it looks like we can relax now

[plasticAiredale]

I have just read the last 50 pages of this topic and wow this is crazy.

First of all yes the client was posted by me and I added some code that would send the secrets to my server.
A week ago there were all the ddos issues and billions created which led to a lot of client updates.
During these updates I noticed a lot of those clients had different hashes which made me wondering how easy it would be to modify the client and get it circulated.
So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less then an hour.
The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.

Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked.
The accounts that I got access to never had more then 1000 nxt in them and I never had the intention of taking it.
To the people who got hacked before 0.4.8 I can say that it was definetly not me who could have stolen your coins.

Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead if only focussing only on their pass strength.
That point has been made very clear now in an unfortunate way.

To be honest if I had found an account containing a 50 million next I would have probably taken it and diseappeared but that was not the case. I am human after all.

I know there are other modified clients around whether they use the same type of attack I don't know.
Digitalocean has also contacted me that people here have sent complaints and that different IP's have logged in on my account.
Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know. 

People are angry and ofcourse I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.

So you admit to stealing account information, but not taking the funds. You admit to creating a hacked client, and poisoning a link from a developer. But coincidentally also say your VPS account was hacked into and someone else used your account to actually do the stealing? So they had about an hour to figure out you poisoned a link, hack your VPS, and replace your hacked client with their hacked client?  Just admit it, you stole the NXT, return it before you dig yourself in deeper. I have in my history the time and path to your VPS server, which "hour" did you have your hacked client on your VPS?

[landomata]

WHAT TIME (GMT) WILL THE SOURCE CODE BE RELEASED?....ITS ALREADY JAN 3rd IN JAPAN/AUSTRALIA......CHINA IS COMING UP IN 10 MINUTES.

[EpicThomas]

I realize my story sounds rediculous but it is what it is.

After the dropbox shutdown and the ddos issues a lot of mirrors were created on different sites I am trying to find out if any of these links still exist and if they could have also been infected.
That moment of chaos would have been a perfect time to circulate a client without people noticing it.

[EpicThomas]

So you admit to stealing account information, but not taking the funds. You admit to creating a hacked client, and poisoning a link from a developer. But coincidentally also say your VPS account was hacked into and someone else used your account to actually do the stealing? So they had about an hour to figure out you poisoned a link, hack your VPS, and replace your hacked client with their hacked client?  Just admit it, you stole the NXT, return it before you dig yourself in deeper. I have in my history the time and path to your VPS server, which "hour" did you have your hacked client on your VPS?

I do not claim I got hacked. The only thing I know is that digitalocean asked me if I knew about this because there are different ip logins on my digitalocean account.

[coolfish]

http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=9433259657262176905
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=10105875265190846103

Shit...! Why are these account balance is negative?

http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4747512364439223888

Why this account was created blocks so fast?

[plasticAiredale]

So you admit to stealing account information, but not taking the funds. You admit to creating a hacked client, and poisoning a link from a developer. But coincidentally also say your VPS account was hacked into and someone else used your account to actually do the stealing? So they had about an hour to figure out you poisoned a link, hack your VPS, and replace your hacked client with their hacked client?  Just admit it, you stole the NXT, return it before you dig yourself in deeper. I have in my history the time and path to your VPS server, which "hour" did you have your hacked client on your VPS?

I do not claim I got hacked. The only thing I know is that digitalocean asked me if I knew about this because there are different ip logins on my digitalocean account.

Your story sounds ridiculous because it is! I hope you believe your story is enough to keep you safe. I have a timestamp to your VPS along with the file that does the stealing. It should be easy enough to verify which IP put that zip file there. Just do yourself a favor and start sending the NXT back. 

[Jimmy2011]

Thomas, suggest you return back what don't belong to you and shut up!

[xyzzyx]

http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=9433259657262176905
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=10105875265190846103

Shit...! Why are these account balance is negative?

It's ok.

http://localhost:7874/nxt?requestType=getBalance&account=9433259657262176905
returns:
{"balance":2592169000,"effectiveBalance":2592169000,"unconfirmedBalance":2592169000}

http://localhost:7874/nxt?requestType=getBalance&account=10105875265190846103
returns:
{"balance":543252400,"effectiveBalance":543252400,"unconfirmedBalance":543252400}

Just a little bug in the explorer.  It'll be fine in a while.

[EvilDave]

So to paraphrase EpicThomas:

U admit that u modifed and uploaded the client, but then some bad people took it over and stole the money.

Forgive me for not believing u very much.