Bitcoin Forum
December 18, 2017, 07:11:44 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: 0.4 BTC stolen by hacker - please return them  (Read 2263 times)
monsterer
Legendary
*
Offline Offline

Activity: 1008


View Profile
February 07, 2014, 10:51:36 PM
 #1

At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.

He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy

Transactions:

288734e41ebde40bfb07227006f27ea256e3a51e90b7388b4335d9c84f3f90e6
441c5f163afe515def15e2eed21c9aac8eed9d8ff3d6142c475342cf154d17ee
52d4cec1e6b5c95be2bc10a4afd665c722498eecd6804cf03e12558cd41846a2
5b1f08f26ec1cdbbdfb00ea7191bd27a2356edf18c376ba7270210b2932a6ef5
652c88def365b22ec3c1be34df410557a1e4f9bd68a1df6617c5f30875ad32c6
90f8d413664fa88791e71e385034d97598e409d04927715f802578bbd7ecf3de
be8ec0d0ca2c8891c004d9f5d691bc4c2b69401490623e3b27aab7a15bf1953f
cdd8f318899c96edaa7fb74a23fd84eb565e26b3f2997d6f8e0db53cc4019cb5
d7a4289a513f55c9b1dfb194134b5d49f1b8b001bf86eb821d604166ff99be8a
f1cf5d32866994843097db6f697c9bc5dc72ce4cdebf6d4cdfdcc0230b87eedb
f44a1d769f2aa0bfb990722f0b6856d242c2a46a50cb26690ad208f546327a46

He used the aliases: 1gld,16p,x,y

His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction, although these were checked for client-side, the server failed to do the correct validation.

I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.

I have covered this loss from my own personal bitcoin wallet, so no users will be affected.

If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.

Cheers, Paul.
1513624304
Hero Member
*
Offline Offline

Posts: 1513624304

View Profile Personal Message (Offline)

Ignore
1513624304
Reply with quote  #2

1513624304
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513624304
Hero Member
*
Offline Offline

Posts: 1513624304

View Profile Personal Message (Offline)

Ignore
1513624304
Reply with quote  #2

1513624304
Report to moderator
1513624304
Hero Member
*
Offline Offline

Posts: 1513624304

View Profile Personal Message (Offline)

Ignore
1513624304
Reply with quote  #2

1513624304
Report to moderator
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
February 07, 2014, 10:59:53 PM
 #2

The hacker won't return the coins.  Consider it a $300 education.   Had the site been popular it might have been a $300,000 loss.

Saying you are really careful and yet failed to do server side validation is an oxymoron.

I would recommend learning some unit testing.  My guess is you are developing the "core" program and consdering error checking as an add on.  For larger and more complex projects this always fails.  Grab a couple books on Test driven Development ( http://en.wikipedia.org/wiki/Test-driven_development ).  The $300 loss could be worth thousands if it makes you a better developer.
Nathonas
Sr. Member
****
Offline Offline

Activity: 280

Knowledge is Power


View Profile WWW
February 08, 2014, 12:26:39 AM
 #3

This post made me lol.

 First of all, what makes you think this "hacker" reads bitcointalk? And secondly, what makes you think that asking him to return the BTC will do anything?

All we have to decide is what to do with the time that is given us - Gandalf
Sonny
Hero Member
*****
Offline Offline

Activity: 868


View Profile
February 08, 2014, 12:43:32 AM
 #4

OP, sorry to hear your loss.
Well, at least you now find the bug and fix it.  Cheesy
whtchocla7e
Full Member
***
Offline Offline

Activity: 210


View Profile
February 08, 2014, 01:13:28 AM
 #5

The hacker did you a favor. You could have lost much more. Consider it a payment for services.
byt411
Hero Member
*****
Offline Offline

Activity: 798


View Profile
February 08, 2014, 01:21:15 AM
 #6

So now you learnt a lesson! Check for loopholes and fix them.
dissident
Full Member
***
Offline Offline

Activity: 238


View Profile
February 08, 2014, 01:47:40 AM
 #7

yep at just .4 BTC I'd consider it payment for services.

▀     DeepOnion  |  TOR Integrated & Secured  [ Facebook  Telegram  Bitcointalk  Twitter  Youtube  Reddit ]     ▀
Your Anonymity Guaranteed  ★  Your Assets Secured by TOR  ★  Guard Your Privacy!   ❱❱❱ JOIN AIRDROP NOW!
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬  File Authenticity Guaranteed by DeepVault  ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
go4nature
Member
**
Offline Offline

Activity: 70


View Profile
February 08, 2014, 06:05:30 AM
 #8

Once it is hacked you cannot recover it. Next be safe use all precautions.

PBmining
Sr. Member
****
Offline Offline

Activity: 378


View Profile WWW
February 08, 2014, 06:19:38 AM
 #9

The hacker did you a favor. You could have lost much more. Consider it a payment for services.

This is exactly my opinion as well.  My "lesson" was a lot more expensive and we lost a lot more, but in the end it was a much needed wake-up call.  Its best that a breach happens sooner rather than later.  Fix the broken pieces and become stronger -- that's all you can do.

Did you know?: Most of our hash power comes from other sources.  We are now specialized in the resale of cloudmining contracts through our associates!
RGBKey
Hero Member
*****
Offline Offline

Activity: 574


Cypherpunk|Crypto Nerd|Provably Fair Verifier


View Profile WWW
February 08, 2014, 06:41:28 AM
 #10

Really sorry to hear that monsterer, your game is great. Hope you recover from this.

hilariousandco
Gold Member
Global Moderator
Legendary
*
Offline Offline

Activity: 1498


How does one bitcoin?


View Profile WWW
February 08, 2014, 11:36:13 AM
 #11

This post made me lol.

 First of all, what makes you think this "hacker" reads bitcointalk? And secondly, what makes you think that asking him to return the BTC will do anything?

Well sometimes hackers or thieves have given money back. I guess trying to guilt someone into returning funds is a last desperate attempt as it's probably one of the only things you can actually do, although like you said it's almost futile. 0.4 isn't much, so I'd just chalk it up as a loss and a lesson learned.


thecoinjournal
Hero Member
*****
Offline Offline

Activity: 490



View Profile WWW
February 08, 2014, 11:39:00 AM
 #12

I want to play but it says

Quote
We are currently in maintenance mode. Thank you for your patience.

drippx
Sr. Member
****
Offline Offline

Activity: 329



View Profile
February 08, 2014, 11:54:31 AM
 #13

0% chance you get the coins back, thats why bitcoin is good for these type of anonymous things

techguy
Sr. Member
****
Offline Offline

Activity: 378


View Profile
February 08, 2014, 12:32:11 PM
 #14

Sorry to hear that your BTC is stolen.
Your blockchain reaction game has great potential. I wish you will soon recover the losses from game Smiley
monsterer
Legendary
*
Offline Offline

Activity: 1008


View Profile
February 08, 2014, 01:13:34 PM
 #15

We're back up and running now Smiley

Thanks for the support - the general sentiment is right, it could have been a lot worse and the fault is entirely mine for missing that piece of server-side validation. It's particularly galling because I'm a proponent of letting the server do the validation and having none on the client, especially in the early stages of development because it forces you to fix these type of problems before they happen.

Cheers, Paul.
Aswan
Legendary
*
Offline Offline

Activity: 1694



View Profile
February 08, 2014, 01:38:12 PM
 #16

Nice Marketing. Didn't know the game but I love it Tongue
surfer43
Sr. Member
****
Offline Offline

Activity: 420



View Profile
February 08, 2014, 01:49:56 PM
 #17



If I were said "hacker" I would be embarrassed.

.4 btc lulz


~BCX~
I don't understand  Huh
Trance
Hero Member
*****
Offline Offline

Activity: 551


View Profile
February 08, 2014, 02:28:57 PM
 #18

Lemmeee att emm' Leeemee attt em' !!

lol sorry to hear about your loss, but the odds of you getting the coins back are 0 to none.

Some people are so poor ALL they have is money
Trance
Hero Member
*****
Offline Offline

Activity: 551


View Profile
February 08, 2014, 02:30:03 PM
 #19

At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.

He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy

Transactions:

288734e41ebde40bfb07227006f27ea256e3a51e90b7388b4335d9c84f3f90e6
441c5f163afe515def15e2eed21c9aac8eed9d8ff3d6142c475342cf154d17ee
52d4cec1e6b5c95be2bc10a4afd665c722498eecd6804cf03e12558cd41846a2
5b1f08f26ec1cdbbdfb00ea7191bd27a2356edf18c376ba7270210b2932a6ef5
652c88def365b22ec3c1be34df410557a1e4f9bd68a1df6617c5f30875ad32c6
90f8d413664fa88791e71e385034d97598e409d04927715f802578bbd7ecf3de
be8ec0d0ca2c8891c004d9f5d691bc4c2b69401490623e3b27aab7a15bf1953f
cdd8f318899c96edaa7fb74a23fd84eb565e26b3f2997d6f8e0db53cc4019cb5
d7a4289a513f55c9b1dfb194134b5d49f1b8b001bf86eb821d604166ff99be8a
f1cf5d32866994843097db6f697c9bc5dc72ce4cdebf6d4cdfdcc0230b87eedb
f44a1d769f2aa0bfb990722f0b6856d242c2a46a50cb26690ad208f546327a46

He used the aliases: 1gld,16p,x,y

His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction, although these were checked for client-side, the server failed to do the correct validation.

I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.

I have covered this loss from my own personal bitcoin wallet, so no users will be affected.

If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.

Cheers, Paul.

How do you know its a "HE"  Roll Eyes

Some people are so poor ALL they have is money
surfer43
Sr. Member
****
Offline Offline

Activity: 420



View Profile
February 08, 2014, 02:36:22 PM
 #20

At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.

He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy

Transactions:

288734e41ebde40bfb07227006f27ea256e3a51e90b7388b4335d9c84f3f90e6
441c5f163afe515def15e2eed21c9aac8eed9d8ff3d6142c475342cf154d17ee
52d4cec1e6b5c95be2bc10a4afd665c722498eecd6804cf03e12558cd41846a2
5b1f08f26ec1cdbbdfb00ea7191bd27a2356edf18c376ba7270210b2932a6ef5
652c88def365b22ec3c1be34df410557a1e4f9bd68a1df6617c5f30875ad32c6
90f8d413664fa88791e71e385034d97598e409d04927715f802578bbd7ecf3de
be8ec0d0ca2c8891c004d9f5d691bc4c2b69401490623e3b27aab7a15bf1953f
cdd8f318899c96edaa7fb74a23fd84eb565e26b3f2997d6f8e0db53cc4019cb5
d7a4289a513f55c9b1dfb194134b5d49f1b8b001bf86eb821d604166ff99be8a
f1cf5d32866994843097db6f697c9bc5dc72ce4cdebf6d4cdfdcc0230b87eedb
f44a1d769f2aa0bfb990722f0b6856d242c2a46a50cb26690ad208f546327a46

He used the aliases: 1gld,16p,x,y

His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction, although these were checked for client-side, the server failed to do the correct validation.

I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.

I have covered this loss from my own personal bitcoin wallet, so no users will be affected.

If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.

Cheers, Paul.

How do you know its a "HE"  Roll Eyes
How do you know he's an "it"  Roll Eyes
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!