Внимание, мошенник и вымогатель!

[pendalf2008]

Репост https://forum.btcsec.com/index.php?/topic/6640-vnimanie-moshennik-i-vymogatel/, если кого-то смущает число моих сообщений на этом форуме.

День добрый товарищи. Хочу сообщить о преступном элементе скрывающимся под видом "security" биткойна. В общем...
Захожу сегодня с утра на почту, вижу пару писем от "bitcomsecresearch@gmail.com" следующего содержания:
 

    Hi,
    I'm a security researcher for a site you frequent.I think it is wise to respond back to me so we can discuss returning the stolen bitcoins. If you do not return them I will dox you, forward to your authorities and you will get to enjoy prison for some time.

    So, what do you want to do?
    I have your IP addresses, contact to Everest. And am waiting on you.
    Return the bitcoins to: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9

    As for the Litecoins I think we can talk about that.
    Email me back ASAP.
    Thanks.

    --
    [bitcomsec]
    founder und lead security researcher
    reddit: https://reddit.com/r/bitcoinsec
    twitter: https://twitter.com/bitcomsec
    about: http://blog.bitcomse...on-to-bitcomsec
    BTC: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    xo0EUrsmqQED/2uxmE6D/HG057/OTy3Pdxlip5F92byq3/v1TN9HUcI9fEPt
    vKj1c6QNYIAJAW4vBKobvQnTVig1z8G1cwJo8dJz5irCnXbVbNif3saE32qE
    ImJC7B8EaWAxCnpxiWyjcg2aiA0mJBDLC2e0a67BRnb4i0oYJ0IYLkIfmW1g
    8YmXABEBAAHNMmJpdGNvbXNlYyByZXNlYXJjaGVyIDxiaXRjb21zZWNyZXNl
    YXJjaEBnbWFpbC5jb20+wpwEEAEIABAFAlK7JsMJEOw5JoZLxtEcAADKSQP/
    QNsiAjmj08qSpC1Dym20OjraZLI1n35A3EYTmaB1pOShPb0iUwkn2uQ9q1nU
    d0IBHK46tK8k2/mXwFzOOou474lvKY3O1mw+rzmKo1v+MeJJbBces0p1Sy3o
    pwK3jf6zAVbxlEdchcsGj4CnE7qwDAbTpXMsrdxaZu5LwCrV3ZM=
    =/OA9
    -----END PGP PUBLIC KEY BLOCK-----
     

Ну понятно я даже толком смотреть не стал этот бред и отправил его в спам. Так данный мошенник не остановился и пишет мне биткоинтолке меседж
 

    Hi Anton,
    I suggest you check your email.
    We need to talk.
    Time to return the bitcoins you have stolen.

от https://bitcointalk.org/index.php?action=profile;u=251055 . Тут мне уже стало интересно, что ж за неугомонный то такой. И перешел я по ссылкам которые в письме были. Оказалось что данный вымогатель позиционирует себя как "сила добра" которая "защитит всех обделенных и обварованных". Этакий мега Робин Гудище мира криптовалют. Мало того, этот .... нашел мой акк в кентакле и вычислил ір-шник с которого сижу. И так собственно говоря теперь признаки мошенничества:

1. Откуда он узнал мою почту изначально? На профильных форумах она закрыта, получить ее можно было бы только путем взлома сайта (что кстати наблюдалося осенью на btcsec, тогда благодаря моей беспечности и jдинаковости паролей тут и на коинотроне я потерял немного лайтов). Т.е. данный товарищ может быть причастен к взлому форума. Еще вариант получения почты - он мог ее отловить ломанув пул форков, я много где ее юзал. Там же в принципе мог подловить и айпишник. То есть все равно мошенник.

2. С чего он взял что именно я "украл" деньги? Что в системе криптовалют переводы теперь делаются по почте?   Т.е. просто тупой вымагатель...

К чему я все это пишу - к тому чтобы такие упыри не могли развивать свои ресурсы "поддержки" сети, сами при этом попросту дурача людей. И прошу администрацию форума как-то наказать пользователя se[c]. А то как-то некрасиво получается... Кстати на этих письмах он не успоколился, и на форуме сообщения также шлет (я даже на какие-то жалобу писал администрации)...

P.S. Хотелось бы сообщить еще и в английской ветке, для этого надо делать перепост на английском?

[miner7788]

+ спс, будем знать

[pendalf2008]

Итак. Данный товарищ не успокоился. Откопал мой домашний, видимо с сайтов с резюме или из научных статей. Не суть важно. Позвонил полудурок, разбудил. Ясень пень трубку я бросил. Успел только услышать что он Андрей и из "США". Еще говорить пытался таким "американским" акцентом. Правда ежели это он - накой на своем твиттере искал вчера человека говорящего по русски/украински?

В общем думаю, раз уже проснулся - гляну чо там этот гений понаписывал. Вот кароче, поулыбайтесь на бикоинтолке:

    109.108.237.17 - - [11/Mar/2014:03:53:19 +0100] "GET /.git/config HTTP/1.1" 200 294 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1)
                  AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
    You made the mistake of accessing /.git/ from your real IP address.
    If you do not return the bitcoins you stole we will contact the authorities. We will expose you to the internet. And you will lose whatever anonimity you thought you had.
    Return the bitcoins and we will provide you cash reward.
    Do not be a thief. It will not pay off.
    I see you logged in. I see you read our messages.
    Now it is time to do the right thing.

Судя по всему посищение гита теперь ужасное уголовное преступление . Хотя честно говоря на гите качал только исходники apecoins, stratum-proxy да cgminer-а... А нет еще пула mpos...

Дальше:

    I read your posts on btcsec.com and although amusing I find it offensive you're putting me in the same bracket as you.
    Perhaps it is hard for you to understand. But SOMEONE be it you, or your neighbor, or someone in your home, USED your IP address to attack an exchange. I was hired by the exchange to do forensic work.
    In my research I discovered your IP address initiating the attack, and switching to a german VPS/VPN/PROXY.
    Your same IP lead to your username pendalf2008.
    And hence how I got the rest of your information.
    So, where do we go from here? Do you admit you stole the coins? Do you tell me who did in fact steal the coins FROM YOUR IP ADDRESS?
    Or do we contact authorities?
    Your move.

Ну все та же песня. VPS/VPN/PROXY - это насколько я понимаю технологии обеспечивающие анонимность. И как же он получил "мой" ip-шник? Наванговал наверное... Тут уж я ему ответил:

    First at all, I will tell you why you a spammer:
    1. You dont telling the sum of "stolen" bitcoins
    2. You forgetting to tell adress on which thay was "stoled"
    3. Intersting, how could you "get the IP", if it switch VPS/VPN/PROXY, by your worlds? Lie again
    4. Etc...

    Dy Ukrainian laws your process of collecting my personal information is a hard crime. I will repost all this massages in themes, that I created on this forum and btcsec. And will create new theme in English branch. People must know about that you are crime...

Может мой английский и не идеален, но суть ясна... На что в ответ получил я два сообщения:

   

Anton,
    BTC: 13RdgpA5Tx24wgVran2xQ1ptm59ThZZpDC
    LTC: Lgo5u3FDnpZeBoZHQgb9Fud5QkKE7kbe4E
    Return stolen Bitcoin and Litecoins to the above addresses. And we will reward you for returning stolen coins.
    Stealing is never good.

и

   

You are trying really hard to sound convincing but here is the problem:
    We literally have logs of you attacking an exchange, stealing the money and logging back into the exchange to check random balances.
    Had you fucking responded to me from my first email we would have discussed the situation instead of you ignoring me and posting on BTCSEC. If you aren't involved in the hack, then clearly someone on YOUR IP ADDRESS did.
    So, with that being said your response is complete and utterly idiocy.

Ну в общем агрессия уже пошла. Ну я ему опять ответил - мол чо ж ты забываешь указать кошелек на который я якобы украл койны. Щас вот глянем чем разродится...

[se[c]]

Anton (pendalf2008),

I think your strategy of trying to deflect guilt onto someone else (who has tracked you) is not a good strategy for you. I've given you plenty of chances to do the right thing but if you want to make the situation worse for yourself, then by all means.

For those reading this: Essentially what happened here was an exchange was robbed of a high number of BTC. I was hired by the exchange to do post-hack forensic work and track down the attacker. Unfortunately for our Ukrainian friend pendalf2008 he left his IP address in Apache's logs when he initially discovered the attack vector. Once he realized he had found the attack vector, and also realized he was connected via his home IP he then went ahead and jumped onto a VPN/Proxy/VPS from Germany to finish the steal.

For respect of the Exchange, I left attack vector, exchange url and other requests out of the logs.

109.108.237.17 - - [11/Mar/2014:03:47:00 +0100] "GET /favicon.ico HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:48:11 +0100] "GET [attack vector] HTTP/1.1" 200 23 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:48:20 +0100] "GET [attack vector] HTTP/1.1" 200 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:48:33 +0100] "GET [attack vector] HTTP/1.1" 200 41 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:48:43 +0100] "GET [attack vector] HTTP/1.1" 200 708 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:48:59 +0100] "GET [attack vector] HTTP/1.1" 200 201 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:51:28 +0100] "GET / HTTP/1.1" 200 59770 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:51:40 +0100] "GET [attack vector] HTTP/1.1" 200 57467 "https://www.[exchange]/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:51:42 +0100] "GET [attack vector] HTTP/1.1" 200 367738 "https://www.[exchange]/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:52:28 +0100] "GET [attack vector] HTTP/1.1" 200 59770 "https://www.[exchange]/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:52:58 +0100] "GET [attack vector] HTTP/1.1" 200 60053 "https://www.[exchange]/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
109.108.237.17 - - [11/Mar/2014:03:53:19 +0100] "GET [attack vector] HTTP/1.1" 200 294 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"

After he discovered the attack vector he waited some time and came back from his new connection:

78.47.55.70 - - [11/Mar/2014:06:22:19 +0100] "GET [attack vector] HTTP/1.1" 206 28532736 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
78.47.55.70 - - [11/Mar/2014:06:23:27 +0100] "GET [attack vector] HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
78.47.55.70 - - [11/Mar/2014:06:28:00 +0100] "GET [attack vector] HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"

Notice the same exact UserAgent? Hitting the same attack vector as no one else did in the logs.

Once he got the access to what he needed, he transferred funds out to two wallets which I can not name as of yet. After BTC was stolen, he connected back to his exchange account to check his balances from: 109.108.238.71 with an Opera User-Agent. The same IP also listed as accessing his 'pendalf2008' user account on the exchange. In total he has connected to his same account using 3 IP addresses: 109.108.238.71, 109.108.238.161 and 109.108.237.17 all hosted by Everest ISP in Ukraine, Vinnitsa.

Once we confirmed it was his IP that attacked the server initially, and confirmed all three IP addresses from the same ISP to the same town in UA logged into the 'pendalf2008' account we then began finding personal information on who he was. We doxed him. Contacted him. And instead of admitting the fault, and simply returning BTC he has resulted to deflecting the situation.

Like I said in prior messages Anton, I'm a security researcher tracking a Bitcoin thief. Apparently you are that thief. Now unless you allow someone to use your IP addresses to get on to the Internet then everything points to you. If you know who stole the BTC then contact me privately and we can easily resolve the issue. If you do not comply, then all of this information with full unredacted logs will be sent to the authorities and they will have to handle you.

So tell me what you want to do.

If you don't want to deal with me, fine so be it. Contact the exchange you robbed and return their BTC.

Good day.

[Hedgemon]

Zdrastvuy Pendalf2008.

Ti sprashival kak mi dobilis tvoego IP? Tak ti je sam ego nam ostavil kogda ukral U nas 600 BTC i 2700 LTC s nashego exchange.
Ili to mojet zabil shto u nas dosihpor vse tvoyi logi i danniye.

Net, Anton, eta ti nas izvini, Varovat s sayta eto esho adno delo, no prikidovatsa nevinim eto uje ne vinosimo!
"мошенник" eto ne mi Anton. мошенник eto ti.

Mi uje podali na Subpoenu v CWA shtobi preobresti nujniy documenti no orrest po Cyber Security / Cyber Terrorism.
Posle suda i turmi, tebya uje ne odin universitet ne primet.

Hochesh dakozatilstva? tak mi tebe ego uje prislali i na etojem saiti i Vistovili.

[m0Ray]

Мндя, неужели вы думаете, что если б человек реально атаковал биржу, он делал бы это со своего домашнего айпишника?

[pendalf2008]

Ну в общем вы сами видите - на данных спамеров не действуют никакие аргументы. Говорю выложить кошелек на который увели битки - в ответ "ты увел битки". Говорю назвать обменник с которого увели - в ответ "ты увел битки". Теперь еще меня на испуг пытаются взять) Клоуны . По ip-шнику они вычислили . Да я сам, не сильно шарящий в инет технологиях могу назвать как минимум 3 путя использования моего ip как промежуточній пункт или точку атаки. Идиоты...

[se[c]]

So now you're telling me we're idiots for assuming you didnt do it because you could have been hacked, your wifi could have been cracked or your mother did the attack. Well first off your mother sounded nice on the phone so I don't think she could have done it.

If your systems are indeed hacked/infected with trojans don't you think the logical thing to do is log offline, separate your machines off the Internet and begin auditing your system for infection? Perhaps even being helpful and providing the trojan itself that you are infected by? And what are the odds that someone is going to log into the exchange as you to check on your coin balances, then exploit a hole in the system at the same time? And what are the odds that someone would hack your piece of shit computer, on your piece of shit slow connection to commit this hack and frame you? You must be special. Or hated.

If your wifi was cracked, then perhaps don't you think that instead of being smug and calling people idiots perhaps you should log into your router and look into your authentication logs to see if anyone has logged into your router? Maybe even producing screen shots and MAC logs of the actual incident?

Another thing you're not taking into account here is that the UserAgent/IP that attacked the site, matches the same logs of every single time you logged into the exchange? So, let me guess - someone infected you with a trojan, installed and configured RemoteDesktop and used your system and your slow connection to break into the site while you were checking your coin balances? And you do not notice this?

Your arguments are simply bad. And instead of being stubborn and holding onto stolen BTC you should return them. You may even get a nice reward in cash for it. So I guess you need to really evaluate who the real idiot here is.

[Format.C^]

Не, ну а что, вычислить по IP и чего то там требовать этож высший пилотаж )))
Школьники, мля...

[m0Ray]

Please give us the URL of your exchange. I want to do kinda security audit.

[pendalf2008]

Увидел его пост с логами. До этого не видел, ибо поставил его в игнор...

Так что он тут пишет. Ну про логи молчу, такую хрень я и сам в блоноте набрать могу. Адреса обменника там нет, вот что главное...

Ага, вот:

Once we confirmed it was his IP that attacked the server initially, and confirmed all three IP addresses from the same ISP to the same town in UA logged into the 'pendalf2008' account we then began finding personal information on who he was. We doxed him. Contacted him. And instead of admitting the fault, and simply returning BTC he has resulted to deflecting the situation.

Че-то я не видел где я такое подтверждал? Опять клевещем так? Мне предоставен один мой ip. Текущий 109.108.238.161. Остальные возможно вообще взяты с потолка, я за своим динамическим ip не слежу. А с какого перепугу я должен общатся с недоумками обвиняющими меня в воровстве? Напишите сюда обменник с которого я якобы что-то увел... Ну и адреса на которые увел...

[pendalf2008]

Так я и не оправдываюсь. Это в воображении спамера мои слова выглядят как оправдание.

from: se[c] on Today at 09:58:04
Clearly someone used your IP to steal BTC. Either it was you, or your girlfriend, or your mother, or your neighbor. Someone FROM YOUR IP stole BTC.

Is this hard to understand? I posted logs of the attack into your thread since you seem so sure that I'm a spammer/scammer. How about you research who I am first. I run a security project for Bitcoin exchanges. I help exchanges recover stolen Bitcoins. I help exchanges fix security problems.

You're looking like a real idiot by claiming I am a scammer/spammer/whatever. I didn't ask you for your personal measily BTC. I asked for the BTC that was stolen FROM YOUR IP.

If you did not do it fine. Tell me who did it. Obviously you must know the person.

Check the attack logs. Check the IPs. It all POINTS TO YOU Anton.

So either work with me, or answer to authorities.

It points to anywhere. That fact that you know my ip telling nothing. My PC could be hacked by tracking cookie, by troyan or other virus. My wi-fi thone could be hacked. Your arguments so funny, that I even will answer on this your message

Я ему ответил, что наличный у него ip ни о чем. И привожу варианты (одни из многих) почему это ни о чем. А он выставляет это как оправдание. Ну да адекватностью с его стороны как бы и не пахнет.

[kennyss]

Так какую же биржу\обменник поломал наш ТС?))

[PrintMule]

Так какую же биржу\обменник поломал наш ТС?))

воображаемую

[Grigorjevi4]

Может его подставили. А он здесь распинается. Антивирус не поможет - такие трои штучные, нужно систему и окружение менять.

Больше похоже на скам.

[se[c]]

Lira,

If you are so sure your friend didn't commit the crime why aren't you helping him audit his system to figure out if he was backdoored, or that his router was or wasn't compromised?

Like I said in the other English thread - I could care less for the Satoshis he's stashing in his wallet, I only confronted him privately for the BTC he stole. If he didn't steal it then who did? It clearly came from his IP address. The truth of the matter is the logs point to him. If it didn't point to him I wouldn't have been messaging him to return the stolen BTC in the first place.

Instead of trying to be a white knight and defend your friend you probably should be trying to figure out the answers to the questions surrounding this situation.

Either way, I did my end of the the deal - and find the attacker - pendalf2008. If he doesn't return the BTC he stole then he will have to answer to authorities. That's pretty much the end of it.

Cheers!

[m0Ray]

Still no answer about your exchange's URL?

[pendalf2008]

ну что тут сказать... Видно чувак понял что ничего не добьется и решил "красиво" свалить. Скамер, спамер и т.д. Уже успел обвинить lira в том что я "заплатил" за поддержку.  Видимо и всем остальным я "заплатил" .

Эх, мне бы хотя бы 1/100-ю часть той суммы о которой он говорил... Я б фермочек прикупил....

[renodaret]

too bad i cant read russian   putin!

[Cloudpost]

Ну что же, я чутка изучил вопрос и обнаружил, что se[c] как минимум врет в своей подписи, что он разраб foxcoin. Пост в теме о фокс коине аж на 50+ странице + он сам был зареган почти спустя месяц после запуска монеты.

Вообще если посмотреть его посты, то становиться понятно, что это какой-то школьник, строящий из себя крутого спеца: абсолютно пустые посты, никакой конкретики.

se[c], how can you be a foxcoin dev if you registered almost after month from the start of the coin and you simply have no posts about foxcoin? Maybe you lie about that? And also calling a person without proof is not good. You didn't post the exchange. If the exchange has any kind of problems with somebody, exchange owner must contact that person DIRECTLY and not use strange 3rd party members like you with fresh reg date and few posts.

Most important thing: if you call a person a thief (or you state that his computer was used to do a hack), you MUST post all proof info.

Exchange that has got bad protection and hides the fact that they were hacked is shit exhcange. Post all proof info including wallets and other detais or apologize and GTFO!