The following is a write-up of the theft of Blitzboom's wallet by a Russian scammer (who goes by Hummer and Tolsi) using his trojan "wallet backup program". It is written here for those who are interested to read, both as an account of the stupidity of the scammer, and as a warning to those who download programs from anywhere and run them without checking them first.
More information can be found in the #bitcoin-dev logs from Feb 19 starting at 12:40.
Blitzboom downloaded a Java program claiming to back up your wallet to a Dropbox folder and to a Gmail address (see link 1, posted by Hummer). Really it just sent the wallet.dat file to the Gmail account of a Russian scammer and deleted it. Blitzboom then asked on #bitcoin-dev why his client was having problems and posted a copy of the program which he had used.
As it turns out, the scammer was so kind as to leave the .java source files in the jar of the program. ArtForz found a particularly nice line of code:
return new PasswordAuthentication("safer.mail.ever", "Goran Zvetkovic (22:41:38 17/02/2011)Goran Zvetkovic (22:41:38 17/02/2011)");
Which, as it turns out, was the username and password to our scammer's Gmail account. A bit more digging, and we find that it sends its victims' wallets to firstname.lastname@example.org (which, conveniently, also has the same password). Thus, some of the members logged into his accounts and were able to download all the scammed wallets. In the bitcoin.backup account was Blitzboom's wallet and several others which held the same accounts, from different times. The safer.mail.ever account held similar results in the sent mailbox, including more (the oldest of which were sent to email@example.com, firstname.lastname@example.org, and email@example.com instead of firstname.lastname@example.org). As it turns out, the duplicated wallets had received the bitcoins which were transferred from Blitzboom's wallet. Most likely, the scammer decided to test his program before releasing it.
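As an added example (not part of the original post, and not the scammer's program), here is the kind of static triage one could run on such a jar before ever launching it: it walks the archive with zipfile, never executes anything, and flags bundled sources containing hardcoded mail credentials like the line above, mail/SMTP API use, wallet.dat references and file deletion. The jar and the source it scans are constructed inline; the credentials in it are placeholders.

```python
import io
import re
import zipfile

# Indicators a reviewer would look for before running a "wallet backup" jar:
# hardcoded mail credentials, mail/SMTP API use, wallet.dat access, file deletion.
PATTERNS = {
    "hardcoded_credentials": re.compile(
        r'PasswordAuthentication\s*\(\s*"[^"]*"\s*,\s*"[^"]*"\s*\)'),
    "mail_api": re.compile(r'\bjavax\.mail\b|\bTransport\.send\b|\bsmtp\b', re.I),
    "wallet_access": re.compile(r'wallet\.dat', re.I),
    "file_delete": re.compile(r'\.delete\s*\(\s*\)'),
}

def triage_jar(jar_bytes):
    """Scan the text entries (bundled .java sources, manifest, properties) of a
    jar without executing it; return {entry_name: {indicator: [matches]}}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith((".java", ".MF", ".properties", ".txt")):
                continue  # compiled .class entries would need a decompiler first
            text = jar.read(name).decode("utf-8", errors="replace")
            hits = {label: [m.group(0) for m in pat.finditer(text)]
                    for label, pat in PATTERNS.items()}
            hits = {k: v for k, v in hits.items() if v}
            if hits:
                findings[name] = hits
    return findings

# Constructed sample jar whose bundled source mimics the behaviour described in
# the write-up; the credentials are placeholders, not the scammer's real ones.
SAMPLE_SOURCE = '''import javax.mail.*;
public class Backup {
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("EXAMPLE_USER", "EXAMPLE_PASS"); }
    void run() { File w = new File(home, "wallet.dat"); Transport.send(msg); w.delete(); }
}'''

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Backup.java", SAMPLE_SOURCE)
        jar.writestr("Backup.class", b"\xca\xfe\xba\xbe")  # compiled entry, skipped
    return buf.getvalue()

if __name__ == "__main__":
    for entry, hits in triage_jar(build_sample_jar()).items():
        print(entry, hits)
```

A jar that ships only .class files gives no hits from this script; in that case the entries have to be decompiled before the same patterns can be applied.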
The copy in the bitcoin.backup account was an old copy, and one member was able to recover 20 BTC from it (it only had 20, as someone had apparently taken 30 about 17 minutes before). The copies on safer.mail.ever, on the other hand, held the full 154.36 which Blitzboom had lost (minus the 50 which had already been withdrawn with the other wallet). The remaining 104.36, as well as the other 20, were returned to Blitzboom at a new address on a new wallet. That left the 30 withdrawn minutes before. This one took a bit of sleuthing.
The 30 was withdrawn to 1N3DDnrpQkUdEhTNGFGU572TpMqfcLwSFD which had, conveniently, also received a payout of 1.1 BTC from slush's pool 30 minutes later. While waiting for slush to get online, Keefe noticed something very interesting. In the scammer's wallet, there was an account which is labeled Forum Donate (starting with 1ABvwv, see screenshot 1). This account just so happens to be one used in the signature of Tolsi (see screenshot 3, link 2). This clearly links the scammer's wallet to Tolsi. Thereafter, slush was able to corroborate this in that the email registered to the 1ABvwv... (see log).
In the end, Tolsi got away with 30 BTC (Blitzboom appears to have been the only one scammed). Remember, never download a program off the internet, especially one that has access to your bitcoin wallet.
I'd like to thank ArtForz, Keefe, slush, and several others who wished to remain nameless.
Also, thanks to Blitzboom for the fun it was to steal from a Russian scammer.
Screenshots:
Screenshot 1 (The scammer's Bitcoin wallet)
Screenshot 2 (The scammer's Bitcoin wallet)
Screenshot 3 (Tolsi's donate address)
Links:
Link 1 (The original download post)
Link 2 (Google's Cache of Tolsi's donate address)
Log of #bitcoin-scammer (as to not fill -dev with scam-related messages):
<BlueMatt> slush, is the 1N3DDnrpQkUdEhTNGFGU572TpMqfcLwSFD address tolsi's?
<BlueMatt> the remaining 30 are in 1N3DDnrpQkUdEhTNGFGU572TpMqfcLwSFD, dont know who it is, thats why I wanted to ask you.
<BlueMatt> Your pool paid him 1.1 earlier today
<Keefe> paid that addr
<slush> BlueMatt: yes
<slush> He changed his pool address to this today
<BlueMatt> dam, well in that case. Sorry Blitzboom, looks like you lost the last 30
<slush> between 9am and 2pm of UTC