Bitcoin Forum
November 18, 2017, 08:05:51 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: [BITCOMSEC] Tracking a Bitcoin Thief pt. II: Disclosure of MidasCoin collapse  (Read 830 times)
bitcomsec
Newbie
*
Offline Offline

Activity: 24

Security Researcher


View Profile WWW
November 20, 2014, 06:39:20 AM
 #1

Hi all,

As some of you may know we have been releasing reports discussing security incidents within the Bitcoin/Altcoin/Crypto Currency communities for some time now and we unveil to the community our latest report:

https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-part-ii/

It discloses what happened to MidasCoin, who was involved in the original hack of its servers, and ultimately who stole the rest of the MIDs to collapse the market (its founder).

You can also read our post-hack audit report of their servers at:

https://pdf.yt/d/frMzLRBnwbna725z

The story in a gist:

- The guy responsible for the CryptoRush hack was also involved in attacking MultiPool.us accounts back in early January (CSRF attacks)
- He hacked CryptoRush.in and stole most of users BTC and altcoins
- We tracked down his stash server where he stored most of his stolen goods (wallets, login databases of miners/traders/users)
- We discovered he was actively attacking MidasCoin.io/Pool and was able to stop him
- We were hired by MidasCoin to do an audit of the compromise
- Owner of MidasCoin spooks and instead of dealing with consequences of disclosure to community simply runs off with 200k+ MIDs and crashes market

Unfortunately he stole from the community, its miners and traders and simply vanished. We put together a good report with logs and evidence to back it all up.

If you'd like to show us support for our work you can:

Donate to: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9
twitter.com/bitcomsec and RT: https://twitter.com/bitcomsec/status/535308255158083584
reddit: http://www.reddit.com/r/Bitcoin/comments/2murh2/tracking_a_bitcoin_thief_pt_ii_disclosure_as_to/ Discuss and upvote!

Thanks,
Mike @ BITCOMSEC

BITCOMSEC | Contact:  *Link Removed*
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
rugrats
Sr. Member
****
Offline Offline

Activity: 294


View Profile
November 20, 2014, 07:28:14 AM
 #2

Great work, Mike.

I have a few questions, if you don't mind.

1: In your report, you stated the following:

Quote
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we can not track down exactly whose password was compromised but it points to one of the owners of MidasCoin who probably shared sensitive login details via Skype or email.

From our point of view the attacker simply logged into the servers using user accounts he had access to. No exploits. No vulnerabilities or backdoors in third party software. He simply logged in. Another reason we assume access was gained through the misuse of universal passwords is because the attacker did indeed fail to log into the servers multiple times:

     1.1: Why did you assume the password/s was/were compromised via Skype/email? Was there evidence pointing to that fact? Couldn't the 'hack' be a smokescreen, and the owners were
            involved all along, especially in light of the subsequent dump at Bittrex?
     1.2: You used the phrase "one of the owners". Aside from Alessandro Soldati, was anyone else identified?

2: The owner of Coin Source, the organization which conducted the 'Proof of Developer', claimed to have been contacted by "authority agencies". Have you been in contact or contacted with/by said agencies and/or Coin Source? If no contact has been made, are you planning on approaching Coin Source to initiate contact with the "authority agencies" in question?

3. The owner of Coin Source identified the developer as 'Guiseppe'. Is that an alter ego of Soldati or someone else entirely?
bitcomsec
Newbie
*
Offline Offline

Activity: 24

Security Researcher


View Profile WWW
November 20, 2014, 08:00:33 AM
 #3

Great work, Mike.

I have a few questions, if you don't mind.

1: In your report, you stated the following:

Quote
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we can not track down exactly whose password was compromised but it points to one of the owners of MidasCoin who probably shared sensitive login details via Skype or email.

From our point of view the attacker simply logged into the servers using user accounts he had access to. No exploits. No vulnerabilities or backdoors in third party software. He simply logged in. Another reason we assume access was gained through the misuse of universal passwords is because the attacker did indeed fail to log into the servers multiple times:

     1.1: Why did you assume the password/s was/were compromised via Skype/email? Was there evidence pointing to that fact? Couldn't the 'hack' be a smokescreen, and the owners were
            involved all along, especially in light of the subsequent dump at Bittrex?
     1.2: You used the phrase "one of the owners". Aside from Alessandro Soldati, was anyone else identified?

2: The owner of Coin Source, the organization which conducted the 'Proof of Developer', claimed to have been contacted by "authority agencies". Have you been in contact or contacted with/by said agencies and/or Coin Source? If no contact has been made, are you planning on approaching Coin Source to initiate contact with the "authority agencies" in question?

3. The owner of Coin Source identified the developer as 'Guiseppe'. Is that an alter ego of Soldati or someone else entirely?


Hey!

1.1: If you read our previous report on the CryptoRush hack (https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/) you would come away from the thoroughly investigated report with the sense that the original attacker (Identified as Jimmy Bluey Amatong of Philippines) had an apparent modus operandi which started towards the end of 2013/January 2014 which consisted of:

a) (initially started with) setting up pools to utilize mining power towards personal gain and logging their usernames/emails/passwords
b) traverse email accounts for further login information
c) traverse exchanges for email/password or username/password combinations until he was able to log into accounts and exfiltrate coins
d) log into skype/dropbox/emails/other third party services looking for sensitive information he can use to further his attacks

By following this MO he was able to infiltrate CryptoRush.in servers via universal passwords. Locating administrative communications on the victims Skype account. Locating login information in emails from ISPs and Skype conversations and eventually finding access onto a backup server for CryptoRush.in.

In the case of JBA's attack on multipool.us he utilized a combination of Cookie brute forcing and CSRF attacks (this was the only attack that did not fit his MO from the evidence and logs we have seen - it is also evidence that it was failed attack on the pool).

Now finally to MidasCoin - the logs we were able to recover from the Elance customer server showcased JBA's activity regarding all of these attacks ending with the MidasCoin project - at this point we were able to communicate with the Elance customer, and remove his stash and access.

If you read our MidasCoin server audit (the PDF link above) you will see the entry points of the attacker which used the same IP addresses (the 66.*.*.* chunkhost server) to infiltrate CR months back.

In comparing our logs and evidence from JBA's hack of MidasCoin, and the complete theft of the coins by MidasCoin founder - you see extreme differences. Using deduction and logic we determined that JBA more than likely obtained access to these servers the very same way he had access CR - by having access to a leaked password list belonging to miners/traders/users and logging into all of their accounts looking for treasures.

1.2: The second person who was part of the staff was accessible to me over IRC and I was not able to identify him. From what I can see / tell he, and the coin developer were robbed of what was owed to them for working on the projects. Shortly after the founder stole the rest of the coins - everyone pretty much left and I no longer received responses from anyone.

2: I have had no contact with anyone involved in investigating this case, or Coin Source. I will try to reach out to them. As for LEAs I can provide my research to anyone who requests it - although I've published everything I have in the links above.

3: The information regarding the persons name we discovered during the process of our research by looking at who has been using those email addresses publicly, and the information we were able to see from the user accounts in the database. We do not know if the name is a pseudonym, or actual. We threw it out there in case the community can make sense of it.

Thanks for the questions!

BITCOMSEC | Contact:  *Link Removed*
rugrats
Sr. Member
****
Offline Offline

Activity: 294


View Profile
November 20, 2014, 08:10:26 AM
 #4

Great work, Mike.

I have a few questions, if you don't mind.

1: In your report, you stated the following:

Quote
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we can not track down exactly whose password was compromised but it points to one of the owners of MidasCoin who probably shared sensitive login details via Skype or email.

From our point of view the attacker simply logged into the servers using user accounts he had access to. No exploits. No vulnerabilities or backdoors in third party software. He simply logged in. Another reason we assume access was gained through the misuse of universal passwords is because the attacker did indeed fail to log into the servers multiple times:

     1.1: Why did you assume the password/s was/were compromised via Skype/email? Was there evidence pointing to that fact? Couldn't the 'hack' be a smokescreen, and the owners were
            involved all along, especially in light of the subsequent dump at Bittrex?
     1.2: You used the phrase "one of the owners". Aside from Alessandro Soldati, was anyone else identified?

2: The owner of Coin Source, the organization which conducted the 'Proof of Developer', claimed to have been contacted by "authority agencies". Have you been in contact or contacted with/by said agencies and/or Coin Source? If no contact has been made, are you planning on approaching Coin Source to initiate contact with the "authority agencies" in question?

3. The owner of Coin Source identified the developer as 'Guiseppe'. Is that an alter ego of Soldati or someone else entirely?


Hey!

1.1: If you read our previous report on the CryptoRush hack (https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/) you would come away from the thoroughly investigated report with the sense that the original attacker (Identified as Jimmy Bluey Amatong of Philippines) had an apparent modus operandi which started towards the end of 2013/January 2014 which consisted of:

a) (initially started with) setting up pools to utilize mining power towards personal gain and logging their usernames/emails/passwords
b) traverse email accounts for further login information
c) traverse exchanges for email/password or username/password combinations until he was able to log into accounts and exfiltrate coins
d) log into skype/dropbox/emails/other third party services looking for sensitive information he can use to further his attacks

By following this MO he was able to infiltrate CryptoRush.in servers via universal passwords. Locating administrative communications on the victims Skype account. Locating login information in emails from ISPs and Skype conversations and eventually finding access onto a backup server for CryptoRush.in.

In the case of JBA's attack on multipool.us he utilized a combination of Cookie brute forcing and CSRF attacks (this was the only attack that did not fit his MO from the evidence and logs we have seen - it is also evidence that it was failed attack on the pool).

Now finally to MidasCoin - the logs we were able to recover from the Elance customer server showcased JBA's activity regarding all of these attacks ending with the MidasCoin project - at this point we were able to communicate with the Elance customer, and remove his stash and access.

If you read our MidasCoin server audit (the PDF link above) you will see the entry points of the attacker which used the same IP addresses (the 66.*.*.* chunkhost server) to infiltrate CR months back.

In comparing our logs and evidence from JBA's hack of MidasCoin, and the complete theft of the coins by MidasCoin founder - you see extreme differences. Using deduction and logic we determined that JBA more than likely obtained access to these servers the very same way he had access CR - by having access to a leaked password list belonging to miners/traders/users and logging into all of their accounts looking for treasures.

1.2: The second person who was part of the staff was accessible to me over IRC and I was not able to identify him. From what I can see / tell he, and the coin developer were robbed of what was owed to them for working on the projects. Shortly after the founder stole the rest of the coins - everyone pretty much left and I no longer received responses from anyone.

2: I have had no contact with anyone involved in investigating this case, or Coin Source. I will try to reach out to them. As for LEAs I can provide my research to anyone who requests it - although I've published everything I have in the links above.

3: The information regarding the persons name we discovered during the process of our research by looking at who has been using those email addresses publicly, and the information we were able to see from the user accounts in the database. We do not know if the name is a pseudonym, or actual. We threw it out there in case the community can make sense of it.

Thanks for the questions!

Thank you for the thorough response, Mike. Much appreciated.
I will read through your earlier reports first and revert back tomorrow if I have further questions.
Too tired now.

ps: An asset to the community, you guys are.
bitcomsec
Newbie
*
Offline Offline

Activity: 24

Security Researcher


View Profile WWW
November 20, 2014, 08:20:32 AM
 #5

Thank you for the kind comment! We appreciate it. It's a small team, and we're really passionate about Bitcoin, crypto currencies and Security. So why not combine them all and at the same time? also we feel the community is too lax when it comes to these incidents and it is mostly because people have lost so many Bitcoins, or have been hacked so many times - and very little has been done about it until now. We hope to change that. And at the same time bring security awareness to the community we hope can grow and change the world.

Thanks again!
Mike

BITCOMSEC | Contact:  *Link Removed*
djm34
Legendary
*
Offline Offline

Activity: 1106


View Profile WWW
November 20, 2014, 04:08:17 PM
 #6

why tracking scammer when they run away, when there are so many to track here while they are acting ?

djm34 facebook page
BTC: 1NENYmxwZGHsKFmyjTc5WferTn5VTFb7Ze
Pledge for neoscrypt ccminer to that address: 16UoC4DmTz2pvhFvcfTQrzkPTrXkWijzXw
bitcomsec
Newbie
*
Offline Offline

Activity: 24

Security Researcher


View Profile WWW
November 20, 2014, 05:20:06 PM
 #7

djm34,

We are working with victims as other scams as well. Unfortunately we are a small team of researchers so it requires time and evidence to put these kind of reports together.

Thanks for the read!

BITCOMSEC | Contact:  *Link Removed*
bitcomsec
Newbie
*
Offline Offline

Activity: 24

Security Researcher


View Profile WWW
November 20, 2014, 05:51:58 PM
 #8

LoL Hack. I call this a inside job.

If you read my report you would see that:

- Its servers were compromised
- Owner ends up fleeing with remaining coins

So in this case it was both. The hacker walked away with a tiny fraction of MIDs. And the owner basically ran off with the rest. Dealing with disclosing compromise to the community was probably too much for him.

Cheers

BITCOMSEC | Contact:  *Link Removed*
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!