upupup
December 08, 2018, 04:53:18 PM
Please ask the www.vpn.ac provider, as they might own the range; it's known that 46.166.161.227 is their VPN server in Siauliai (and the hacker's IP is 46.166.160.158).

jackg

December 08, 2018, 05:04:03 PM
Quote:
Please ask the www.vpn.ac provider, as they might own the range; it's known that 46.166.161.227 is their VPN server in Siauliai (and the hacker's IP is 46.166.160.158).

I was thinking that surely someone couldn't be dumb enough to use their own IP for a hacking attempt. I know people are dumb, but that'd be a new level... It's likely it's owned by a VPN or by someone providing a hidden service such as Tor or OpenVPN (fewer lists will be kept of these too).

Initscri

December 08, 2018, 06:46:16 PM
The IP was released by RIPE. Have you tried emailing their abuse email address: abuse@ripe.net?

Valerian77 (OP)

December 09, 2018, 01:49:31 AM
Quote:
... So it's your best chance to do something to report your case directly to the Lithuanian police, in a way to get some good lawyer maybe. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action. Lithuania is also a member country of Interpol; maybe they can do something to help you track the hackers.

yes right - the case is now in the hands of the police. I trust that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.

Quote:
I'm interested, did you try to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.

I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.

Valerian77 (OP)

December 09, 2018, 02:00:31 AM
Quote from Initscri:
The IP was released by RIPE. Have you tried emailing their abuse email address: abuse@ripe.net?

ok thanks - I will

Initscri

December 09, 2018, 03:46:26 AM
Quote from Valerian77 (OP):
Quote:
... So it's your best chance to do something to report your case directly to the Lithuanian police, in a way to get some good lawyer maybe. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action. Lithuania is also a member country of Interpol; maybe they can do something to help you track the hackers.

yes right - the case is now in the hands of the police. I trust that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.

Quote:
I'm interested, did you try to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.

I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.

Based on the amount of outputs, I wouldn't be surprised if they mixed them, to be completely honest. That's a hard road to follow; I'd say your best piece of information at this point would be the attempted Gmail access by far (i.e. the IP address you have).

Lucius

December 09, 2018, 11:20:36 AM
Quote from Valerian77 (OP):
Quote:
... So it's your best chance to do something to report your case directly to the Lithuanian police, in a way to get some good lawyer maybe. Lithuania is also a member of the EU, so if you are also from the EU there may be some legal mechanisms through which you could also take legal action. Lithuania is also a member country of Interpol; maybe they can do something to help you track the hackers.

yes right - the case is now in the hands of the police. I trust that they use the international investigation methods that they have. Due to the amount of money it is likely that they really follow the traces. Let's see what they can do.

Quote:
I'm interested, did you try to track the stolen coins on block explorers? In some cases they can be tracked to exchanges, and in some cases they can freeze such coins if there is any doubt about corrupt actions.

I put the addresses into the public because many different coins are stolen and I do not have the capacity to trace all of them. I am quite sure the hackers do not use them in a way that it can be traced easily.

I think that an international police investigation is the best chance for you, and no matter how well hidden the hacker's traces are, if there is a will and determination the hackers can be found. At the present time even the most careful hacker leaves some digital footprint, so I'm confident that something will be discovered. Did you maybe try to get out to the public (apart from forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or your case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way. I understand regarding monitoring the stolen coins; it is good that you gave them to the public - maybe someone finds some trace.

Valerian77 (OP)

December 09, 2018, 11:58:10 AM
Quote from Lucius:
...
I think that an international police investigation is the best chance for you, and no matter how well hidden the hacker's traces are, if there is a will and determination the hackers can be found. At the present time even the most careful hacker leaves some digital footprint, so I'm confident that something will be discovered.
Did you maybe try to get out to the public (apart from forums) with your story, maybe only to crypto-related media? Maybe someone has a similar experience which can help in the investigation, or your case may serve as a warning to others, in a way to prevent someone else from being the victim in the same way.
I understand regarding monitoring the stolen coins; it is good that you gave them to the public - maybe someone finds some trace.

There was another case in 2011: https://bitcointalk.org/index.php?topic=16457.0 Back then they were not able to identify the hacker. This time there are some more traces and at least one responsible company who hosted the computer which was used for the hack.

TheShillBilly

December 09, 2018, 05:22:22 PM
I'm sorry to hear this OP. Did you by chance download your BTCD wallet from electrumdiamond dot com?
In May of this year (2018), I too was hacked by this malware wallet. :-(
DM, if you would like to discuss.

logfiles

December 11, 2018, 07:54:07 AM (Last edit: July 19, 2023, 09:51:54 PM by logfiles)
Sorry about what happened to you. This really hurts so much, even for me, to see someone lose their hard earned money. I tried to do some small digging as to what may have led to you losing all your coins, and the fact is that the BTCD wallet you downloaded was the malware.

According to the wallet name you said you found in your download folder (Electrum-BCD-3.1.2-portable.exe), you definitely downloaded a fake Electrum BCD wallet.

Genuine BCD wallet app: Electrum-BCD-3.0.5.3-Windows-X86-64-portable.exe
Fake/hacker's BCD wallet app: Electrum-BCD-3.1.2-portable.exe

It's now clear that you downloaded the app from the hacker's website, https://www.electrumdiamond.org/, instead of downloading from the official website of Bitcoin Diamond, https://www.bitcoindiamond.org/ [http://btcd.io]. The fake Bitcoin Diamond site's certificate has even been expired since 12/6/2018.

I also noted that the Github user ElectrumBTCD, from whom you downloaded the wallet file, joined Github only 22 days ago and has only one repository. This is a complete red flag.

Finally I decided to scan the said wallet on VirusTotal: https://www.virustotal.com/#/file/2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d/detection

My conclusion is that this is the malware that got your funds stolen; whoever is behind it has your funds. I am not so technical in tracing people using IP addresses, so I will just leave these here in the hope that the info might help someone who is able to track back to the evil hacker or hackers.
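The checks logfiles ran by hand (compare the file against what the project ships, look up its hash, look at the age and size of the publishing account) can be scripted before a wallet binary is ever executed. The script below is an added example, not code from this thread or from the Bitcoin Diamond project. The stand-in file bytes, the publisher checksum and the GitHub user record are constructed for the example; the one real value is the SHA-256 from the VirusTotal link above, reused as a blocklist entry. The field names created_at, public_repos and followers are those of GitHub's public users API (GET /users/<login>); the age and repository thresholds are assumptions.

```python
"""Triage a downloaded wallet executable and the account that published it.

Added example, not code from this thread or from the Bitcoin Diamond project.
The file bytes, the publisher checksum and the GitHub user record below are
constructed; the one real value is the SHA-256 from the VirusTotal link in
the post above, reused as a blocklist entry.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# SHA-256 of the fake Electrum-BCD-3.1.2-portable.exe, from the VirusTotal link
KNOWN_BAD_SHA256: Set[str] = {
    "2d91fc6e2102ff0464ba43a1a956ed7854cb45cac8a18c354a8346f71a68dd6d",
}

# Point in time the thread was written; used so the example is reproducible
REVIEW_TIME = datetime(2018, 12, 11, tzinfo=timezone.utc)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_download(data: bytes, publisher_sha256: Optional[str],
                      known_bad: Set[str] = KNOWN_BAD_SHA256) -> Dict[str, str]:
    """Decide whether a downloaded binary may be run.

    publisher_sha256 is the checksum the legitimate project publishes for the
    release (assumption: taken from the official site or a signed checksum
    file, never from the same page the binary came from). None means the
    project publishes no checksum, which is itself a reason to stop.
    """
    digest = sha256_of(data)
    if digest in known_bad:
        verdict = "block: matches a known-bad hash"
    elif publisher_sha256 is None:
        verdict = "stop: no publisher checksum to verify against"
    elif digest == publisher_sha256.strip().lower():
        verdict = "ok: matches publisher checksum"
    else:
        verdict = "block: does not match publisher checksum"
    return {"sha256": digest, "verdict": verdict}


def publisher_account_flags(user_json: str, now: datetime,
                            min_age_days: int = 90) -> List[str]:
    """Red flags for the GitHub account a binary was downloaded from.

    Reads the created_at, public_repos and followers fields returned by
    GitHub's public users API (GET /users/<login>); the thresholds are
    assumptions for this example.
    """
    user = json.loads(user_json)
    created = datetime.strptime(user["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    age_days = (now - created).days
    flags = []
    if age_days < min_age_days:
        flags.append(f"account created {age_days} days ago")
    if user.get("public_repos", 0) <= 1:
        flags.append("only one public repository")
    if user.get("followers", 0) == 0:
        flags.append("no followers")
    return flags


# Constructed stand-in for the API record of a throwaway publisher account,
# shaped after what the post describes (22 days old, one repository)
SAMPLE_USER_JSON = json.dumps({
    "login": "ElectrumBTCD",
    "created_at": "2018-11-19T00:00:00Z",
    "public_repos": 1,
    "followers": 0,
})

if __name__ == "__main__":
    fake_binary = b"MZ constructed stand-in for a downloaded wallet executable"
    print(classify_download(fake_binary, None))
    print(publisher_account_flags(SAMPLE_USER_JSON, REVIEW_TIME))
```

The hash comparison only helps when the checksum comes from somewhere the attacker does not control; a checksum copied from the same lookalike site as the binary proves nothing, which is why the example treats a missing independent checksum as a reason to stop rather than a pass.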

Valerian77 (OP)

December 11, 2018, 09:32:38 AM
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

marciks

December 11, 2018, 11:48:47 AM
Quote from Valerian77 (OP):
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

They must have obfuscated the code.. only after the hack was their signature added to the VirusTotal db and such.. The probability that other people got hacked by this same wallet is high! Hope you don't leave crypto after this.. as another member said, you are healthy and can still make money!

Initscri

December 11, 2018, 01:05:38 PM
Quote from Valerian77 (OP):
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse Github may be more willing to give more information regarding the wallet repo and the account it's under.

npole2000

December 11, 2018, 01:07:17 PM
Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges. I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious. The next day I was trading on Kraken, went for dinner (I left it open, because I believed it would be a fast one...!), they noticed my absence and used the session. The same day I monetized most of the crypto in that account and transferred everything to the bank; I have been very lucky, or I would have lost a much bigger amount. They still managed to get the equivalent of 1.7 BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure out when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
- They promptly deleted the above emails (or I would have figured it out on my mobile); I found them later in my trash folder.

Then I started to investigate the vector. While I was confident that it was the wallet, I was almost sure after having read this thread, which I found by searching the IP address used for the hack. I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158. The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine; antimalware found nothing. Even looking at the compromised app (notepad), everything appeared legit (and signed by Microsoft). It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however this isn't much relevant).

Again, I was very lucky to have moved the money away from it; they must have noticed me moving the funds away and "risked" their move, being worried that I would have emptied the whole thing. After all, 1.7 BTC is better than nothing for a robber!
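What npole2000 found by eye (a notepad.exe that looked signed and clean but held a connection to the reported address) is exactly the kind of mismatch that process and connection listings expose even when AV signatures do not. The script below is an added example, not code from the post or from any tool it names: it parses the output of the stock Windows commands netstat -ano and tasklist, joins them on PID, and flags connections from image names that should never talk to the network or to addresses on an indicator list. The netstat and tasklist text is constructed for the example; the only real value in it is the IP address from this thread, and the list of no-network images is an assumption to be tuned per machine.

```python
"""Spot a process that should never talk to the network, or one talking to a
known-bad address, from 'netstat -ano' and 'tasklist' output on Windows.

Added example, not code from this thread or from any tool named in it. The two
text samples are constructed to resemble the output of those commands; the only
real value is the IP address reported in the thread.
"""
from typing import Dict, List

# Indicator from the thread: the address the rogue notepad.exe was talking to
IOC_IPS = {"46.166.160.158"}

# Image names with no business opening outbound connections on a trading
# workstation (assumption for the example; tune for your environment)
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Local or wildcard endpoints that are not real remote peers
LOCAL_ENDPOINTS = {"0.0.0.0", "*", "127.0.0.1", "[::]", "[::1]"}

# Constructed 'tasklist' output
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    932 Services                   0     10,124 K
chrome.exe                    4012 Console                    1    212,340 K
notepad.exe                   4120 Console                    1     78,900 K
"""

# Constructed 'netstat -ano' output
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:49812     46.166.160.158:443     ESTABLISHED     4120
  TCP    192.168.1.10:49820     104.16.0.1:443         ESTABLISHED     4012
  UDP    0.0.0.0:5353           *:*                                    4012
"""


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name from tasklist output."""
    pid_to_image: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit() and parts[0].lower().endswith(".exe"):
            pid_to_image[int(parts[1])] = parts[0].lower()
    return pid_to_image


def parse_netstat(text: str) -> List[dict]:
    """Extract proto, local, remote IP, state and PID from netstat -ano rows."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is the last field either way
        pid = int(parts[-1])
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        # Strip the port; IPv6 peers stay bracketed, e.g. "[::1]"
        remote_ip = foreign.rsplit(":", 1)[0]
        conns.append({"proto": proto, "local": local, "remote_ip": remote_ip,
                      "state": state, "pid": pid})
    return conns


def find_suspicious(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Join connections to images and return those matching an IOC or an
    image that should never have network activity."""
    pid_to_image = parse_tasklist(tasklist_text)
    findings = []
    for conn in parse_netstat(netstat_text):
        image = pid_to_image.get(conn["pid"], "<unknown>")
        reasons = []
        if conn["remote_ip"] in IOC_IPS:
            reasons.append("remote address is a known indicator")
        if image in NO_NETWORK_IMAGES and conn["remote_ip"] not in LOCAL_ENDPOINTS:
            reasons.append(f"{image} should not open network connections")
        if reasons:
            findings.append({**conn, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} {f['image']} -> {f['remote_ip']} "
              f"({f['state']}): {'; '.join(f['reasons'])}")
```

On a live machine, feed it the real output (netstat -ano and tasklist redirected to files) rather than the constructed samples. The image-name rule catches the case the post describes even without an indicator list: a legitimately signed notepad.exe is still wrong the moment it holds an ESTABLISHED session to the internet, and process injection into a signed binary is precisely how a RAT stays invisible to signature-based scanners.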

Get-Paid.com

December 11, 2018, 01:08:44 PM
Quote from Initscri:
Quote from Valerian77 (OP):
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse Github may be more willing to give more information regarding the wallet repo and the account it's under.

The hacker(s) probably provided fake info to Github when they signed up, but perhaps IP addresses might be helpful.

Initscri

December 11, 2018, 01:12:24 PM
Quote from Get-Paid.com:
Quote from Initscri:
Quote from Valerian77 (OP):
this is surprising - when I checked the wallet with virustotal it did not show me any backdoors or viruses. Since I deleted the files (in panic) I only have the download links now. But I think your check is accurate.

It leaves another company to contact for information. See https://github.com/contact/report-abuse Github may be more willing to give more information regarding the wallet repo and the account it's under.

The hacker(s) probably provided fake info to Github when they signed up, but perhaps IP addresses might be helpful.

Oh, there's no doubt they faked info. But an IP may correlate to one of the attacks. Doing a quick WHOIS pulls up NameCheap as their registrar: https://who.is/whois/electrumdiamond.org I'd contact their abuse email as well to see if they can assist at all. It seems the domain was registered more than a year ago; you may be able to find cached versions of their DNS: http://research.domaintools.com/research/whois-history/search/?q=electrumdiamond.org

Bitcoin_Arena

December 11, 2018, 03:19:48 PM
Feel so sorry for OP. A few days ago I made an article on how not all crypto apps in app stores are safe. I didn't give much on other wallets and apps on Github, but reading through your story, this is even more serious than phishing attempts through fake apps. I am going to update my thread using this experience (I hope it's okay) with a major focus on the app in question, so that new users can know how grave this matter can be. I wish you all the best in the attempt to net that/those culprit(s).

Valerian77 (OP)

December 11, 2018, 03:34:27 PM
Quote from Bitcoin_Arena:
Feel so sorry for OP. A few days ago I made an article on how not all crypto apps in app stores are safe. I didn't give much on other wallets and apps on Github, but reading through your story, this is even more serious than phishing attempts through fake apps. I am going to update my thread using this experience (I hope it's okay) with a major focus on the app in question, so that new users can know how grave this matter can be. I wish you all the best in the attempt to net that/those culprit(s).

ok - do not forget all the other scam wallets like fake BTCP etc. Nothing is safe before you are 100% sure about the source of an executable. And in that case it's possible that no virus protector shows an indication.

Lucius

December 12, 2018, 11:49:16 AM
Quote from npole2000:
Yup, I got fooled by it as well. I have all my crypto in cold wallets but have "small" amounts for trading on exchanges. I checked the wallet with several AVs and scans before trying anything, and I also monitored the network activity while running it; I didn't find anything suspicious. The next day I was trading on Kraken, went for dinner (I left it open, because I believed it would be a fast one...!), they noticed my absence and used the session. The same day I monetized most of the crypto in that account and transferred everything to the bank; I have been very lucky, or I would have lost a much bigger amount. They still managed to get the equivalent of 1.7 BTC before I returned.

- They couldn't steal them while I was offline (2FA);
- They were obviously monitoring my activity to figure out when I went away (they started about 30 minutes after I left my PC);
- They did everything "using" my PC (RD), including accessing the email to confirm the address and the withdrawal;
- They promptly deleted the above emails (or I would have figured it out on my mobile); I found them later in my trash folder.

Then I started to investigate the vector. While I was confident that it was the wallet, I was almost sure after having read this thread, which I found by searching the IP address used for the hack. I found the IP address by looking at the raw processes running on my PC, and I found a notepad instance (that was only apparently legit) with network activity to the IP address reported in this thread: 46.166.160.158. The odd part is: even knowing that I had a backdoor on my PC, and knowing exactly where it was, all the scan tools I tested (to figure out why the virus/trojan wasn't caught in the first instance) failed. For the AVs (AVG, Avira, etc.) everything was fine; antimalware found nothing. Even looking at the compromised app (notepad), everything appeared legit (and signed by Microsoft). It's still unknown to me what kind of exploit or obfuscation they used, nor do I know which kind of RD app they used (however this isn't much relevant).

Again, I was very lucky to have moved the money away from it; they must have noticed me moving the funds away and "risked" their move, being worried that I would have emptied the whole thing. After all, 1.7 BTC is better than nothing for a robber!

Which wallet did you download before the attack happened? Also, some AVs certainly are not top-level protection, and you mention AVG and Avira, which in my opinion are very low on my trusted list. You probably installed a remote access trojan (RAT) on your PC, and with that hackers can do almost everything. You do not mention the use of a firewall, which is very important; most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software plus hardware wallets. I know you are a trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious file downloads. Maybe it would be good to read: 5 Ways to Catch a RAT

Notice: Both links posted in this post are scanned with https://www.virustotal.com and they are safe to visit.