Bitcoin Forum
Author Topic: I just got this email, looks legit, right?  (Read 8265 times)
dexX7
Legendary
*
Offline Offline

Activity: 1106
Merit: 1024



View Profile WWW
January 08, 2014, 12:43:45 PM
 #41

I analyzed this malware and put together a short blog post on what I found. If you're interested, take a look.
http://blog.logrhythm.com/uncategorized/emerging-bitcoin-theft-campaign-uncovered/

Really nice post! Liquid already came forward, but I still need to ask:

Quote
Reviewing the wallet.dat file with strings discloses the phisher’s BTC wallet addresses. A team of 4-people: Liquid, Kaz, Abz, and Frosty.

Why would a reasonable villain do such a thing in the first place? The exact role of the wallet is unknown to me, but I assume it's used as bait, to make users want to open the malicious password.txt.ink file. Using the attacker's own wallet file for that seems very unlikely.. Wink

The malicious file is probably a wallet stealer and with some luck it might indeed be possible to extract some information about the attacker. Somehow this malware will phone home.

klenker
Member
**
Offline Offline

Activity: 80
Merit: 10


Prospecting on the net, in a rundown old shack..


View Profile
January 08, 2014, 02:29:37 PM
 #42

Was the first to get hacked, now everyone thinks I'm the attacker. The name Liquid and the other names are my contacts in my wallet.

That frosty wallet is my brother's and he has forgotten his password so good luck getting into it lol.

Ooh ooh how many letters were in it, numbers, what did it start with, what was he looking at, does it contain words or rand.... ahhh nurts..

Wink

must be slightly annoying having 28k sitting there tho...

BTC: 1LJk6Ck83fqwoCzFB7KqHVkurhsFfuk9zv
LTC: LP1LBMd4Cxth8uada3wF2kTZu8ub7LfyRH
FTC: 6gsQ1WqzpEi8ioQ3irkhjVj8z7Wznos12C
--
mightyMight
Member
**
Offline Offline

Activity: 73
Merit: 10


View Profile
January 09, 2014, 09:23:57 AM
 #43

Can someone please upload the zip file? I would love to check it out! Cool

Thanks!!!
 Might
xanthar
Newbie
*
Offline Offline

Activity: 1
Merit: 0


View Profile
January 14, 2014, 09:55:11 AM
 #44

Got the email too.

No doubt the password.txt contains malware etc. etc.

Tho the wallet.dat seems somewhat legit???

By that I mean that I created a virtual machine on a third party device connected through a VPN. That contains nothing but the wallet.dat and a fresh copy of bitcoinqt. Loaded the wallet.dat and the 30 Btc´s are there.

Now correct me if I am wrong.... But the BTC´s seem to be there for the taking? If of course we could crack the password right?

Disregarding the malware and fake password.txt etc. it would be a fun project to see if we can do something with the coins??
bitcoinangel
Newbie
*
Offline Offline

Activity: 36
Merit: 0


View Profile
January 14, 2014, 10:09:52 AM
 #45

same here
Oj0
Member
**
Offline Offline

Activity: 100
Merit: 10


View Profile
March 22, 2014, 02:33:10 PM
 #46

Yep, I got the exact same thing. What site do we all have in common?

This one? Grin
Aside this, we can look at other potentials. Strike through those you're not registered on and we may find one in common.

bc-casino.com
bitcoinica.com
bitfinex.com
bitfunder.com
bitmit.net
bitratings.microhosting.com
blockchain.info
btc-play.com
btcguild.com
btclot.com
btcmine.com
bitvps.com
coinworker.com
dollar-trader.com
eclipsemc.com

give-me-coins.com
glbse.com
inputs.io
minethings.com

mtgox.com
ozco.in
pool-x.eu
satoshisquared.com



(I'm pretty sure I received a very similar email a good while ago, too. My memory's crap, though. No longer in email account. Probably deleted or marked as spam and it was automatically pruned.)

I just got the same email, but mine was addressed to Steven.

Someone else already crossed out give-me-coins, so I guess MtGox is the source of the mailing list?
Oj0
Member
**
Offline Offline

Activity: 100
Merit: 10


View Profile
March 22, 2014, 02:42:49 PM
 #47

Wait, mine's slightly different:

Quote
Hello Steven…
 
 I just did what you advised me to do but the problem remains the same : importing the private key is not working…. drives me nuts!
 Last time I checked blockchain.info  https://blockchain.info/address/17yFutSCSuUkAWeqMCKRRcr8Go6t98YcoX 
 there was still 30.28020001 BTC ! But no way my bitcoinqt client loads the key so I am stuck with those BTCs.
 
 
 Thanks for offering your help with this. Here is a doc with my private key and the password http://hobbymaster.com.hk/private/PrivateKey.doc If you need anything else let me know.
 If you can load the key please send the BTCs to 1DxFvJ6up9jXAZ9pkUmWVdiMTWvsjgB5Ea
 
 This would help me so much. Thanks Steven!

I get a normal URL instead of a shortened [Suspicious link removed] link, and the URL is also different to the [Suspicious link removed] URL destination. I didn't get any attachments with the email, although I did download PrivateKey.doc on my phone (to be safe) and it wants to run a macro. It seems it's been changed up a bit.
Anon136
Legendary
*
Offline Offline

Activity: 1722
Merit: 1217



View Profile
March 22, 2014, 02:43:31 PM
 #48

Scary. Disguised txt.

so does it actually look like a perfectly normal txt file?

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
Garryashas
Member
**
Offline Offline

Activity: 72
Merit: 10


View Profile
March 22, 2014, 02:44:08 PM
 #49

For sure it's legit. I got the same email!
God
Member
**
Offline Offline

Activity: 169
Merit: 10


View Profile
March 23, 2014, 03:30:59 AM
 #50

Awesome, I just got this mail too. Now I just need to unpack and run that file and I will have access to these coins Wink

Seriously though, they obviously email the mtgox customer base.

manoamano
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
March 23, 2014, 12:12:14 PM
 #51

100% legit Smiley
Scamalert
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


Captain


View Profile
July 17, 2014, 07:09:40 PM
 #52

So was it a scam after all?
ezreal
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
July 17, 2014, 07:44:45 PM
 #53

the bitcoin amount just gives it away saying all red flags lol.
yunkie
Member
**
Offline Offline

Activity: 83
Merit: 10


View Profile
July 18, 2014, 05:32:00 PM
 #54

So was it a scam after all?

of course it was

to sum it up

-.txt file is an .exe malware
-.dat is a real file, no password --> no coins

might try to crack it but it's almost impossible!

It probably contains 0 coins lol
openyourmind
Member
**
Offline Offline

Activity: 83
Merit: 10


View Profile
July 18, 2014, 06:58:22 PM
 #55

Be attentive to such emails. I wouldn't have opened it
Mobius7
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500



View Profile
July 19, 2014, 08:38:11 AM
 #56

So was it a scam after all?

of course it was

to sum it up

-.txt file is an .exe malware
-.dat is a real file, no password --> no coins

might try to crack it but it's almost impossible!

It probably contains 0 coins lol

Even if there really is some bitcoin in the wallet, you won't be able to brute-force the password as long as the password is good enough (say, 10 random characters with special characters).

Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000




View Profile
July 19, 2014, 11:00:11 AM
 #57

Thanks for alerting us to this scamalert.... only 7 months too late :p

So was it a scam after all?

confirmation120
Full Member
***
Offline Offline

Activity: 224
Merit: 100



View Profile
July 20, 2014, 04:27:18 AM
 #58

So was it a scam after all?

of course it was

to sum it up

-.txt file is an .exe malware
-.dat is a real file, no password --> no coins

might try to crack it but it's almost impossible!

It probably contains 0 coins lol

Even if there really is some bitcoin in the wallet, you won't be able to brute-force the password as long as the password is good enough (say, 10 random characters with special characters).
I doubt that clicking on the link would direct you to a blockchain.info website, but rather it is likely a spoof of blockchain.info trying to get you to input your password.
Lorenzo
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250



View Profile
July 20, 2014, 05:27:03 AM
 #59

I got this email too a while ago.

Yep, I got the exact same thing. What site do we all have in common?

This one? Grin
Aside this, we can look at other potentials. Strike through those you're not registered on and we may find one in common.

bc-casino.com
bitcoinica.com
bitfinex.com
bitfunder.com
bitmit.net
bitratings.microhosting.com
blockchain.info
btc-play.com
btcguild.com
btclot.com
btcmine.com
bitvps.com
coinworker.com
dollar-trader.com
eclipsemc.com
give-me-coins.com
glbse.com
inputs.io
minethings.com
mtgox.com
ozco.in
pool-x.eu
satoshisquared.com


(I'm pretty sure I received a very similar email a good while ago, too. My memory's crap, though. No longer in email account. Probably deleted or marked as spam and it was automatically pruned.)

Of those, I've only been registered at Blockchain.info and Mtgox.com. I'm almost certain it's either this forum or Mt. Gox. It could have been from Blockchain.info, but I doubt it.
forever21
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
July 20, 2014, 06:38:01 AM
 #60

got the same email before but I didn't waste my time on it besides it's obvious Grin it's not legit even if you said it looks like one