149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded

[slepp]

Hi all,

On February 18th at 20:46 UTC, an attacker used the dynamic scripting function of an ElasticSearch instance to steal 149.34 BTC and 7397 LTC from my computer. I'm looking for any assistance in finding/locating the coins/attacker, and also want to inform the community that if they receive coins from 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjvin, they are likely my stolen coins.

All the Bitcoin was sent to 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjvin one lump. Since it was stolen on Tuesday, it hasn't moved anywhere else yet. This makes me slightly hopeful it will be returned to me.

The transaction was bf22138b74c3b3528410126ac41f821f71e065a5b0e3a6d819df30f120fda3c4.

The Litecoin was taken in chunks, but it all went to the Litecoin address Li5k5sYdyWD5gDR9TkaU5vk6tDB63XdQRw under a few transactions. There is one other transaction in that Litecoin account (26.846 LTC) which is unrelated to my coins, but may be useful in tracking down the one who stole mine.

The attacker showed up to ElasticSearch from the following IPs:

178.217.187.39
185.27.115.201
188.124.19.114
192.99.8.96
193.37.152.241
194.132.32.42
37.221.161.234
76.104.78.60
77.247.181.165
88.80.187.215
93.114.45.194
94.242.243.166
95.211.167.171
95.211.60.34
96.44.189.100

It seems the 93.114.45.194 IP was fairly central to the attack, since it was the IP the nmap and other intrusion tests were done from, while the actual attack went via the IPs above (mostly seem to be Tor). This may have been a targeted attack, but I'm still investigating all the evidence left behind. The elasticsearch script was using a variable called "counte", which would be found in the exploit software's methods.

It's also clear this was done manually by a human, and not via an automated bot/botnet to do the actual theft.

Any further assistance with this would be appreciated, and anything that leads to a return of coins will be rewarded. Unfortunately, the stolen coins were being used to pay for the ongoing web services like pastebin.ca, so without the return, the group of sites will likely have to shutdown.

Thanks.

[1714751413]

1714751413

[1714751413]

1714751413

[1714751413]

1714751413

[substratum]

I'm a little unclear on what vulnerability was exploited to gain access to your wallet. Please keep us updated with details as you uncover them, you never know what might lead to the perp. The notable IP above appears to be a VPN endpoint for perfect-privacy.org, so it's probably not going to be much help.

[slepp]

It wasn't an exploit, but theft nonetheless. The attacker used the ElasticSearch API to create a 'dynamic script' inside the search software, which is capable of running any shell commands, etc. the attacker wants. This is in fact a feature of ElasticSearch, though one they don't show in the configurations an example of disabling. So, the software ships with a gaping security hole for anyone to walk into (and one has to search for the documentation this feature exists), it looks like.

By using this API, they were able to connect to the Bitcoin and Litecoin daemons and transfer all the coins off the server. Running this dynamic script inside ElasticSearch puts results of the commands into the search index, and the only identifier in there of what the initial request may have been is a field called "counte" (which then has results of the command), and I've looked around to see if this field shows up in any examples, but it doesn't, meaning the code itself is slightly unique (and someone somewhere knows who wrote it and who uses it).

The Perfect Privacy thing I noticed, where they also do state an AUP limiting illegal activities, so I'm trying to contact them for any assistance.

For where I got the information, it's all first hand. All connection flow to/from the servers are logged, so the IPs and so forth were gathered from those connection logs, associated web server logs, etc.

[hostmaster]

whyyou bothering your self? Keep logs go to the police, they work with interpol to dedect hacker.

[escrow.ms]

Why you were even holding that 100+ BTC and 7000+ BTC on a server/PC.
You can do Police report and ask perfect-privacy to provide real ip address of that user.

[slepp]

Why you were even holding that 100+ BTC and 7000+ BTC on a server/PC.
You can do Police report and ask perfect-privacy to provide real ip address of that user.

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though, I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.

[extraKrispy]

Were the wallets password protected?

[slepp]

Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

[cindy93]

that sucks

[roslinpl]

Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

perhaps some malware ...
keylogger

or other stuff like that.

[escrow.ms]

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though, I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.

Goodluck, btw how did that hacker knew you have funds in that PC, I mean it's not like some genie told him that "Hack this pc and you will get a lot of money",  There must be some kind of leak. (Relay IP or something?), or someone else knew that you have bitcoins in your pc.

Also did you were running JAVA in your pc and browser?

[slepp]

Goodluck, btw how did that hacker knew you have funds in that PC, I mean it's not like some genie told him that "Hack this pc and you will get a lot of money",  There must be some kind of leak. (Relay IP or something?), or someone else knew that you have bitcoins in your pc.

I think they found it via some random port scans, perhaps. There are other indications it may have been scanned as part of a list of Bitcoin daemons that were online or relay nodes, yes, but that's harder to determine. Looking at the attack pattern once they found a way to get through, they were browsing around and seem to have possibly taken all the coins as a sudden opportunity, and maybe not the original goal. It appears they did a little more looking around on the filesystem after they transferred the coins. They never actually stole the wallet itself, as far as I can tell, though I'm still reviewing traffic flows.

I'm hoping the person has some sort of conscience in all this and returns them, which would be ideal, but in reality, the traces left behind seem very amateur.

And no, not running Java as a browser plugin or anything. The compromised system isn't used as a desktop.

[DeathAndTaxes]

Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

Wait you had 100 BTC on a server with public access and you didn't even know if the wallet was encrypted or not?

[slepp]

Wait you had 100 BTC on a server with public access and you didn't even know if the wallet was encrypted or not?

It isn't and wasn't a public server, but as part of development of an application, ElasticSearch was open to the Internet for a time. Apparently just long enough. The wallet was encrypted, but it looks like there may have been unencrypted backups used. The bitcoin/litecoin daemons were restarted and the debug logs wiped.

[roslinpl]

Wait you had 100 BTC on a server with public access and you didn't even know if the wallet was encrypted or not?

It isn't and wasn't a public server, but as part of development of an application, ElasticSearch was open to the Internet for a time. Apparently just long enough. The wallet was encrypted, but it looks like there may have been unencrypted backups used. The bitcoin/litecoin daemons were restarted and the debug logs wiped.

keeping Bitcoin backups without a password is like setting pin number in your credit card to null

[boumalo]

This convince me again that cold storage is really important when dealing with important stash of BTC

Good luck to find the thief, try everything you can; do you have any left somewhere else?

Buy back some BTC if you don't

[slepp]

This convince me again that cold storage is really important when dealing with important stash of BTC

Good luck to find the thief, try everything you can; do you have any left somewhere else?

Buy back some BTC if you don't

Cold storage was my plan for those, it just hadn't happened yet. The only coins I have left are elsewhere, but it isn't a very large sum compared to what they took. A total of about $7 worth of BTC and LTC was returned to my wallet a change on the transactions.

The problem with replacing them is the size of them is a bit more than I could ever afford again. I started working with Bitcoin and Litecoin years ago, and a short gap of insecurity cost me them all. Part of what's difficult to deal with is that I can't afford to keep pastebin.ca and filebin.ca and such running without the Bitcoins I had (they used to run on ads, but those haven't paid their way in a long time), so after a decade I'll be shutting those down, I imagine. It's been a bit of a rough week, reworking the future.

Hopefully, the attacker will reconsider their actions and return some or all of them to me.

[micro23]

So let me get this straight... You just had a wallet sitting on a dev server running test code with $100k on it?

There is no possible way you could be that stupid. Why on EARTH would you EVER store you wallet on there? Thats just beyond dumb..... You also kept unencrypted backups? I just cant comprehend this. I have very few bitcoin all stored in offline computers. It just makes no sense.

[trentdk]

So let me get this straight... You just had a wallet sitting on a dev server running test code with $100k on it?

There is no possible way you could be that stupid. Why on EARTH would you EVER store you wallet on there? Thats just beyond dumb..... You also kept unencrypted backups? I just cant comprehend this. I have very few bitcoin all stored in offline computers. It just makes no sense.

Maybe he/they were developing an app that used and transacted bitcoins, and that was their hot wallet.

[Sydboy]

I'm still confused  about the wallet password.
It either had one or it didn't ?

It sounds like their is more to this story.

I get the impression bitcoin-qt was open and  running without a password on wallet.

Feel sorry for you for the loss