By bitcomsec
The Philippine Connection
and the Truth behind CryptoRush.in

We are BITCOMSEC; please see the final pages of this document for more information about us and how we can help you!
PDF Available Here: http://s000.tinyupload.com/?file_id=00012725220068358517
Images, Log files and assorted research available here: https://github.com/bitcomsecdev/Research/
For the last two years the crypto currency scene has exploded in size as people began learning about and participating in Bitcoin and its alternate currencies. Altcoins, as people call them, are smaller projects that can be mined and often traded directly for Bitcoin by miners who cannot afford to mine Bitcoin directly. With this uprising of alternate currencies came the rise of many exchanges: sites that provided a platform and medium for supporters, miners and traders of these projects to buy, sell and trade these currencies.
One of these altcoin exchanges was CryptoRush.in, a site dedicated to providing a fast-paced medium for users to trade brand new crypto currencies, which were sometimes traded at exchanges less than an hour after they were released. Unfortunately CryptoRush suffered a series of break-ins that crushed many members of the community but also provided an opportunity for us at BITCOMSEC to research, analyse evidence and track down the perpetrators. This article details over 7 months of logs, evidence and research that we have looked at to pinpoint exactly what happened at CryptoRush and its owners, and who walked away with all that money...

Jimmy Bluey Amatong contacts:
And finally if you would like to communicate with authorities, or JBA himself and request where your coins have gone and bring up potential charges against him for loss of coins (if possible) you can find further information about him below that may help you in that endeavor:
Jimmy Bluey Amatong hosts the following sites:
Jimmy Bluey Amatong, servers he pays for via Bitcoin + PayPal account [email protected]:
BITCOMSEC
About The Researchers:
BITCOMSEC, or the Bitcoin Community Security Project, is a security research organization made up of web vulnerability researchers and web service developers.
We provide public internet communities with wide ranging security consultation and notification free of charge, for the betterment of the community, and for the deeper understanding of security issues that affect all users. Our members are individuals who have been notified of vulnerabilities by us, and who in turn volunteer their time to further the project’s purpose.
Our goal is to positively influence the perception of bitcoin and the internet by providing these services on a donation and volunteer basis, allowing us to assist communities which other organizations cannot or will not help. We rely heavily upon donations via Bitcoin to continue our practice, BTC @ 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9.
Our Successes and Donors Include:
Bitcoin.de
OpenLibrary.org
CoinSetter.com
MTGox.com
deals.EBay.com
Unisend.com
Ecash.io
Bitcoin-Cigarettes.com
BTCVacations.com
BitcoinsinBerlin.com
BTCx.se
Central.com
labs.EBay.com
blog.Microsoft.com.tk
Los Alamos National Laboratories
NTP.org
UTDallas
CloudFlare.com
Archive.org
BitcoinFoundation.org
Circle.com
CoinJar.com
BTCInstant.com
PrimeCoinVPS.com
BahtCoin.com
ECurrencyZone.com
BitcoinMalaysia.com
EBay.cn
Coinmkt.com
Microsoft.fr
merchant.Paypal.com
CERN
Webmin/Virtualmin
Telekom.de
and many more...
BITCOMSEC Contact Information
Message us via BitMessage: BM-2cW3Vziujs3zLfFqunF2jeUw6R7djJuk8w
Twitter: @bitcomsec
Security posts: [email protected]
To donate to us: BTC: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9
Email: [email protected]
Full Incident Logs - https://github.com/bitcomsecdev/Research/
PDF Available Here: http://s000.tinyupload.com/index.php...50193869038713
jbluey
It is mid-September 2013 when a contractor decides to accept a job request from an employer on Elance.com. Elance is an international freelance job platform that connects businesses with freelance workers, with a staggering 2 million companies and 8 million freelance workers exchanging jobs and information on a day-to-day basis. This job seeker turned out to be Jimmy Bluey Amatong - jbluey for short - and this is his tale.
Where it begins:
Shortly after being accepted for the job JBA, as we will call him from now on, got into the world of crypto currency thanks in part to another previous client:
With his quick introduction to mining and crypto currency came the creation of an infamous scam site called xtrapool.com. On December 12th 2013 xtrapool was created as JBA’s foray into the altcoin world; it was set up on 85.25.152.63 (which JBA still uses to host AmtechCebu.com, an Amatong family-owned business) and was first advertised on December 29th 2013:
Ref: http://otaku-streamers.com/community...22701-My-Stand
bitcointalk ANNouncement for xtrapool
The First Scam:
Whether or not it was JBA’s intention to scam the altcoin community is not clear. What IS clear is that soon after the creation of xtrapool.com, people all around the community began calling the site out for scamming:
A Scam accusation on xtrapool Ref url: http://dcaz.net/show/1390147200
You may notice from the first screenshot where JBA discusses how he was able to become so rich, thanks in part to 42coin and the early market. BTC-e user @btczen confirmed the connection between 42coin and the scam pool xtrapool.com - a site run by Jimmy Bluey Amatong.
As time went on, other miners from coins such as Catcoin, Monacoin, Cagecoin, UFOCoin, 42coin, KlondikeCoin, Lennycoin and lastly (and most importantly) CoinyeCoin began posting through forums, shoutboxes and IRC warning other members of the community to steer clear of xtrapool.com. By then it was too late, as stated by user @btczen on the BTC-e shoutbox on February 5th 2014:
Another accusation on xtrapool
Scam accusation references:
https://bitcointalk.org/index.php?topic=420121.0
https://bitcointalk.org/index.php?topic=418849.0
https://bitcointalk.org/index.php?topic=432006.0
https://bitcointalk.org/index.php?topic=416771.0
It appears that at this point xtrapool.com was taken down for ‘maintenance’, never to return to the community and pay back its users their hard-earned coins. People created posts on bitcointalk.org and made statements around the community pleading for the return of their coins, but what they didn’t expect was something much more sinister.
The Misuse of Stolen User Passwords:
JBA created several PHP scripts intended to brute-force pools using the emails, usernames and passwords he had stolen from xtrapool.com miners through a backdoor he engineered specifically for the MPOS interface. The backdoor contained a jQuery payload that sniffed the login form and forwarded it to the Elance customer’s site, collecting the serialized form data (email/username/password) and feeding it into a database stored on the xtrapool.com server.
Fortunately, we were able to recover the FTP logs off of the Elance customer server. This allowed us to pinpoint his activity from the moment he was hired through the freelance site all the way until we discovered his stash (at this time he went into rage mode).
Unfortunately for him, it was too late.
https://github.com/bitcomsecdev/Incidents
Code:
Sat Jan 11 05:07:10 2014 3 120.28.232.24 6045 /home3/[redacted]/public_html/gg.php a _ i r [redacted] ftp 1 * c
Sat Jan 11 05:07:14 2014 2 120.28.232.24 6403 /home3/[redacted]/public_html/getdata.php a _ i r [redacted] ftp 1 * c
The ‘gg.php’ and ‘getdata.php’ scripts collected xtrapool.com logins every time a miner logged into their account to check balances or execute withdrawals. They saved the login credentials into a database, which was then fed into:
Code:
Fri Jan 17 04:26:35 2014 1 180.190.243.169 12210 /home3/[redacted]/public_html/cookie/autobf.php a _ i r [redacted] ftp 1 * c
Fri Jan 17 04:26:37 2014 1 180.190.243.169 7552 /home3/[redacted]/public_html/cookie/bf.php a _ i r [redacted] ftp 1 * c
Fri Jan 17 04:26:41 2014 2 180.190.243.169 7599 /home3/[redacted]/public_html/cookie/bf2.php a _ i r [redacted] ftp 1 * c
Fri Jan 17 04:28:59 2014 1 180.190.243.169 21452 /home3/[redacted]/public_html/poolist.txt a _ i r [redacted] ftp 1 * c
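The autobf.php/bf.php scripts replayed harvested logins against pool after pool. From a pool operator's side that activity shows up in the login log as one source address trying many different usernames in a short window, which is exactly what a normal user mistyping their own password never does. The block below is an added example (not code from this post, from BITCOMSEC or from MPOS) of the detection a pool could run over its authentication log; the log format and the sample lines are constructed for the example, using documentation-range IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log format for this example (not MPOS's real log format):
#   <YYYY-MM-DD HH:MM:SS> ip=<addr> user=<name> result=<OK|FAIL>
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source replays six harvested logins in ten seconds
# (two of them still valid), while a legitimate miner fumbles their own password once.
SAMPLE_AUTH_LOG = """\
2014-01-17 04:30:01 ip=198.51.100.7 user=miner_a result=FAIL
2014-01-17 04:30:03 ip=198.51.100.7 user=miner_b result=FAIL
2014-01-17 04:30:05 ip=198.51.100.7 user=miner_c result=OK
2014-01-17 04:30:06 ip=198.51.100.7 user=miner_d result=FAIL
2014-01-17 04:30:08 ip=198.51.100.7 user=miner_e result=FAIL
2014-01-17 04:30:10 ip=198.51.100.7 user=miner_f result=OK
2014-01-17 04:31:00 ip=203.0.113.20 user=miner_b result=FAIL
2014-01-17 04:31:20 ip=203.0.113.20 user=miner_b result=OK
"""


def parse_auth_log(text):
    """Parse matching lines into dicts sorted by time; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """One alert per source IP that tried >= min_distinct_users distinct usernames
    inside any sliding window of the given length. The alert also lists which of
    those usernames actually authenticated, since those are the accounts whose
    reused passwords must be reset."""
    flagged = set()
    recent = defaultdict(deque)          # ip -> events still inside the window
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len({e["user"] for e in q}) >= min_distinct_users:
            flagged.add(ev["ip"])

    alerts = []
    for ip in sorted(flagged):
        mine = [e for e in events if e["ip"] == ip]
        alerts.append({
            "ip": ip,
            "first": mine[0]["ts"],
            "last": mine[-1]["ts"],
            "attempts": len(mine),
            "distinct_users": len({e["user"] for e in mine}),
            "compromised_users": sorted({e["user"] for e in mine if e["result"] == "OK"}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The useful output is not the blocked address (the scripts above were uploaded from several different hosts) but `compromised_users`: every account that authenticated during a stuffing burst was logged in with a password the attacker already held, so those users need a forced reset and a warning that the same password is likely in use elsewhere.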
At this point JBA goes on a cracking spree - exfiltrating coins from countless exchanges, dropboxes, email addresses, online wallets, mining pools - you name it, he was there. It is hard to say how many altcoins and Bitcoins he was able to steal in this process. However, it is safe to assume it was far more than enough:
Recovered screenshots of amounts w/ facebook boasts
You would think stealing over $14,000 USD was enough, right? Wrong. This was just the beginning. JBA was able to help his family move into a nicer home in Cebu, Philippines, taking them out of their financial struggle and mishaps with an overzealous landlord enforcing their eviction. This is where the story takes a turn for the worse.
Coinye, formerly Coinye West, was a scrypt-based cryptocurrency that became embroiled in a trademark infringement lawsuit for using the American hip hop artist Kanye West as its mascot, despite West having no affiliation with the project. The project was abandoned by the original developers following West's filing of a trademark infringement lawsuit against them.
http://en.wikipedia.org/wiki/Coinye
Enter, Coinye and Cryptorush:
One of the crypto currencies that JBA began to scam was Coinye West, a coin that quickly gained a lot of attention for its ironic premise, funny logo and fast-growing community. It was squashed by Kanye West’s legal department early on, as its original developers abandoned ship once they realized naming a coin after the famous rapper would mean legal repercussions. With their abandonment came a massive tide of support for the project and many people tried in vain to bring the coin back to life. And it did come back, for a little while.
Little did anyone know this coin would lead to the rise and downfall of CryptoRush.in - a new, up and coming altcoin exchange dedicated to hosting the exchange of new, up and coming altcoins no other exchange at the time would trade.
LinkandZelda was one of the early miners and traders of Coinye because of the coin’s potential and strong community. The massive response toward the coin especially after Kanye West’s legal battle with the original developers had inspired those involved to keep the project and community going.
No exchange would accept the coin for trading until LinkandZelda and a pal decided: “Let us put up our own exchange!” and they did. Thus, the world was introduced to CryptoRush.in.
A fast-paced, highly anticipated and much-needed exchange that would focus not only on the bigger crypto currencies but on altcoins like Coinye as well - giving miners a chance to trade their obscure coins to a broader audience. CryptoRush changed the market and took the scene by surprise with the sheer speed at which it adopted new coins.
Little did LinkandZelda know that by mining Coinye on pools such as xtrapool.com his universal password would be exposed to a very determined attacker. Armed with LinkandZelda’s password, JBA began logging into accounts discreetly, eventually finding himself on CryptoRush.in’s backup servers. His first action was to access the Bitcoin wallet and take what he needed without raising a red flag that the popular exchange was, in fact, compromised.
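Taking "what he needed without raising a red flag" only works while nobody reconciles what the hot wallet actually sent against what the exchange approved: a small send that matches no withdrawal request is a red flag regardless of how much legitimate traffic surrounds it. The block below is an added example of that reconciliation, not CryptoRush's code; it assumes a constructed approved-withdrawal ledger and a constructed wallet history shaped like the entries bitcoind's `listtransactions` returns (category, address, amount, txid), and the address strings are placeholders.

```python
from decimal import Decimal

SATOSHI = Decimal("1E-8")


def sat(amount):
    """Normalise to 8 decimal places so 0.5 and 0.50000000 compare and hash equal."""
    return Decimal(amount).quantize(SATOSHI)


# Constructed ledger: withdrawals users requested and operators approved.
APPROVED_WITHDRAWALS = [
    {"id": 101, "address": "1UserAddrAAAA", "amount": sat("0.50000000")},
    {"id": 102, "address": "1UserAddrBBBB", "amount": sat("2.00000000")},
    {"id": 103, "address": "1UserAddrCCCC", "amount": sat("0.75000000")},
    {"id": 104, "address": "1UserAddrDDDD", "amount": sat("1.25000000")},
]

# Constructed wallet history in the shape of bitcoind `listtransactions` entries:
# sends carry category "send" and a negative amount (fees left out for brevity).
WALLET_TRANSACTIONS = [
    {"category": "receive", "address": "1HotWalletDeposit", "amount": sat("5.0"), "txid": "dep1"},
    {"category": "send", "address": "1UserAddrAAAA", "amount": sat("-0.5"), "txid": "tx1"},
    {"category": "send", "address": "1UserAddrBBBB", "amount": sat("-2.0"), "txid": "tx2"},
    # the "trickle": a small send that no approved withdrawal accounts for
    {"category": "send", "address": "1AttackerAddrXXXX", "amount": sat("-0.25"), "txid": "tx3"},
    {"category": "send", "address": "1UserAddrCCCC", "amount": sat("-0.75"), "txid": "tx4"},
    {"category": "send", "address": "1UserAddrDDDD", "amount": sat("-1.25"), "txid": "tx5"},
]


def reconcile_sends(approved, transactions):
    """Pair every on-chain send with exactly one approved withdrawal by (address, amount).
    Returns (matched pairs, sends nobody approved, approvals that never went out)."""
    pool = {}                                   # (address, amount) -> unconsumed approval ids
    for w in approved:
        pool.setdefault((w["address"], sat(w["amount"])), []).append(w["id"])

    matched, unmatched = [], []
    for tx in transactions:
        if tx["category"] != "send":
            continue
        key = (tx["address"], sat(-tx["amount"]))
        ids = pool.get(key)
        if ids:
            matched.append((tx["txid"], ids.pop(0)))
        else:
            unmatched.append(tx)
    unfulfilled = [wid for ids in pool.values() for wid in ids]
    return matched, unmatched, unfulfilled


def unauthorised_outflow(approved, transactions):
    """Total coins the wallet sent that the ledger never approved."""
    _, unmatched, _ = reconcile_sends(approved, transactions)
    return sum((sat(-tx["amount"]) for tx in unmatched), sat("0"))


if __name__ == "__main__":
    matched, unmatched, unfulfilled = reconcile_sends(APPROVED_WITHDRAWALS, WALLET_TRANSACTIONS)
    print("matched:", matched)
    print("unapproved sends:", [(tx["txid"], tx["address"], tx["amount"]) for tx in unmatched])
    print("unauthorised outflow:", unauthorised_outflow(APPROVED_WITHDRAWALS, WALLET_TRANSACTIONS))
```

Run on a schedule (every block, or every few minutes) this turns a slow drain into an alert on the first unmatched transaction; the `unfulfilled` list is the complementary check, catching approved withdrawals that never reached the chain because someone else had already spent the funds.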
How Cryptorush was owned via their backups:
He began to slowly trickle bits of Bitcoin out of the exchange’s hot wallet, masking his withdrawals among the rest of the highly active transactions going on. Unfortunately for him, around March, another completely unrelated attacker came by and swooped more than 800 Bitcoins as well as 2,400 Litecoins. Fearing the potential loss of all his newfound riches he went on a full-scale assault, exfiltrating all available altcoin wallets from the server via a dormant backup server which unfortunately still had LinkandZelda’s universal password in place:
https://github.com/bitcomsecdev/Incidents
Code:
kristian pts/29 66.172.33.33 Wed Apr 16 20:27 - 21:14 (00:46)
root pts/0 66.172.33.33 Wed Apr 16 20:24 - 03:02 (06:37)
root pts/52 66.172.33.33 Sun Apr 13 11:54 - 19:07 (2+07:12)
root pts/52 66.172.33.33 Sun Apr 13 11:50 - 11:54 (00:04)
kristian pts/29 66.172.33.33 Sun Apr 13 11:45 - 19:07 (2+07:21)
root pts/53 66.172.33.33 Sun Apr 13 11:26 - 13:43 (02:16)
root pts/52 66.172.33.33 Sun Apr 13 11:20 - 11:27 (00:06)
kristian pts/29 66.172.33.33 Sun Apr 13 11:12 - 11:27 (00:14)
root pts/0 66.172.33.33 Sun Apr 13 10:41 - 13:12 (02:30)
root pts/0 66.172.33.33 Sun Apr 13 10:39 - 10:41 (00:02)
root pts/0 66.172.33.33 Sun Apr 13 10:22 - 10:38 (00:15)
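The entries above are `last` output (read from wtmp) on the dormant backup server, and they carry everything needed to answer the questions a defender asks of a box that should have had no interactive logins at all: which hosts logged in, under which accounts, starting when, and for how long. The block below is an added example, not from the post or from BITCOMSEC's repository, that parses that format and produces those findings. `last` prints no year, so the year is passed in (2014 here, from the dates in the post); the known-admin host list is a constructed placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# One `last` line: user, tty, host, start ("Ddd Mmm dd HH:MM"), "-", end, optional "(D+HH:MM)" duration.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})\s+-\s+(?P<end>.+?)"
    r"(?:\s+\((?:(?P<days>\d+)\+)?(?P<hh>\d{2}):(?P<mm>\d{2})\))?$"
)

# The eleven lines quoted in the post, as printed by `last` on the backup server.
SAMPLE_LAST = """\
kristian pts/29 66.172.33.33 Wed Apr 16 20:27 - 21:14 (00:46)
root pts/0 66.172.33.33 Wed Apr 16 20:24 - 03:02 (06:37)
root pts/52 66.172.33.33 Sun Apr 13 11:54 - 19:07 (2+07:12)
root pts/52 66.172.33.33 Sun Apr 13 11:50 - 11:54 (00:04)
kristian pts/29 66.172.33.33 Sun Apr 13 11:45 - 19:07 (2+07:21)
root pts/53 66.172.33.33 Sun Apr 13 11:26 - 13:43 (02:16)
root pts/52 66.172.33.33 Sun Apr 13 11:20 - 11:27 (00:06)
kristian pts/29 66.172.33.33 Sun Apr 13 11:12 - 11:27 (00:14)
root pts/0 66.172.33.33 Sun Apr 13 10:41 - 13:12 (02:30)
root pts/0 66.172.33.33 Sun Apr 13 10:39 - 10:41 (00:02)
root pts/0 66.172.33.33 Sun Apr 13 10:22 - 10:38 (00:15)
"""

# Constructed placeholder: the hosts the operators themselves administer from.
KNOWN_ADMIN_HOSTS = {"203.0.113.10"}


def parse_last(text, year):
    """Parse `last` lines into session dicts; reboot/shutdown and trailer lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m or m.group("user") in ("reboot", "shutdown"):
            continue
        d = m.groupdict()
        start = datetime.strptime(" ".join(d["start"].split()) + f" {year}", "%a %b %d %H:%M %Y")
        minutes = None                       # None: still logged in / no duration printed
        if d["hh"] is not None:
            minutes = int(d["days"] or 0) * 1440 + int(d["hh"]) * 60 + int(d["mm"])
        sessions.append({"user": d["user"], "tty": d["tty"], "host": d["host"],
                         "start": start, "end": d["end"], "minutes": minutes})
    return sessions


def accounts_by_host(sessions):
    acc = defaultdict(set)
    for s in sessions:
        acc[s["host"]].add(s["user"])
    return dict(acc)


def minutes_by_host(sessions):
    total = defaultdict(int)
    for s in sessions:
        total[s["host"]] += s["minutes"] or 0
    return dict(total)


def first_seen(sessions):
    """Earliest login per host: the start of the intrusion window for scoping."""
    first = {}
    for s in sessions:
        if s["host"] not in first or s["start"] < first[s["host"]]:
            first[s["host"]] = s["start"]
    return first


def review(sessions, known_hosts):
    """Findings worth acting on: unknown source hosts, one host driving several
    accounts (a user login escalated to root), and direct root sessions at all."""
    findings = []
    for host, users in sorted(accounts_by_host(sessions).items()):
        if host not in known_hosts:
            findings.append((host, "interactive session from a host not on the known-admin list"))
        if len(users) > 1:
            findings.append((host, "several accounts used from one host: " + ", ".join(sorted(users))))
        if "root" in users:
            findings.append((host, "direct root login"))
    return findings


if __name__ == "__main__":
    sessions = parse_last(SAMPLE_LAST, 2014)
    print("first seen:", first_seen(sessions))
    print("minutes by host:", minutes_by_host(sessions))
    for host, why in review(sessions, KNOWN_ADMIN_HOSTS):
        print(f"{host}: {why}")
```

On a server that only exists to receive backups, the simplest rule is the strongest: any entry `review()` returns is an incident, and `first_seen()` gives the earliest point from which every wallet file on the box has to be treated as copied.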
At which point he began uploading the altcoin wallets, including backup Bitcoin wallets, to the Elance customer site through a custom backdoor using the following URL:
http://[redacted].com/upload.php
By analysing the FTP logs further we notice that hours before the smash-and-grab of altcoin wallets he had, in a seemingly premeditated manner, uploaded his tools:
Code:
Sat Apr 12 01:22:44 2014 0 180.190.227.66 289 /home3/[redacted]/public_html/uploadform.html a _ i r [redacted] ftp 1 * c
Sat Apr 12 01:22:45 2014 0 180.190.227.66 284 /home3/[redacted]/public_html/upload.php a _ i r [redacted] ftp 1 * c
Sat Apr 12 02:34:10 2014 0 180.190.227.66 398 /home3/[redacted]/public_html/error_log b _ o r [redacted] ftp 1 * c
Sat Apr 12 02:34:19 2014 0 180.190.227.66 300 /home3/[redacted]/public_html/upload.php a _ o r [redacted] ftp 1 * c
Sat Apr 12 02:35:03 2014 0 180.190.227.66 318 /home3/[redacted]/public_html/upload.php a _ i r [redacted] ftp 1 * c
Sat Apr 12 02:36:01 2014 0 180.190.227.66 317 /home3/[redacted]/public_html/upload.php a _ i r [redacted] ftp 1 * c
Sat Apr 12 02:37:17 2014 46 180.190.227.66 33595 /home3/[redacted]/public_html/php.ini a _ o r [redacted] ftp 1 * c
His cache of tools included an HTML upload form and a backend upload.php script to take in uploads from remote hosts, plus a modified local php.ini configuration to raise the maximum upload limit, since some of these wallets were huge. He also enabled error logging to error_log, which ironically allowed us to track errors in his scripts and figure out exactly where he was storing the stolen data without even accessing the server.
After exfiltrating all of the wallets from the CryptoRush.in backup server via curl -> http://[redacted]/upload.php, we see him begin to download all of the newly uploaded wallets from the server via FTP, using the same login credentials the Elance customer had provided for work several months earlier:
https://github.com/bitcomsecdev/Incidents
Altcoin wallets downloaded (each name was followed by its own log entry in the original post; the full logs are in the GitHub repository linked above): ZeusCoin, VampireCoin, UnionCoin, UltraCoin, BitBar, CryptoEagle, DeltaCoin, EuroCoin, FCKBankCoin, FedoraCoin, FryCoin, GreeceCoin, H2OCoin, HeroCoin, HunterCoin, LeafCoin, LycanCoin, VertCoin, BlackCoin, BitcoinScrypt, GrumpyCoin, GenesisCoin, BeeCoin, RubyCoin, Credits, TeslaCoin, GPUCoin, Heisenberg, KarmaCoin, eCoin, EmotiCoin, TopCoin, DNotes, UnoCoin.
CryptoRush hotwallet recovery backups:
Code:
Mon Apr 14 23:44:16 2014 0 222.127.174.18 16384 /home3/[redacted]/public_html/fonts/wall2/btcrec_wallet.dat b _ o r [redacted] ftp 1 * c
Mon Apr 14 23:44:19 2014 0 222.127.174.18 16384 /home3/[redacted]/public_html/fonts/wall2/btcrec2_wallet.dat b _ o r [redacted] ftp 1 * c
Mon Apr 14 23:44:40 2014 19 222.127.174.18 359301 /home3/[redacted]/public_html/fonts/wall2/btcrec3_wallet.dat b _ o r [redacted] ftp 1 * c
Mon Apr 14 23:44:45 2014 2 222.127.174.18 161103 /home3/[redacted]/public_html/fonts/wall2/btcrec4_wallet.dat b _ o r [redacted] ftp 1 * c
Tue Apr 15 00:30:25 2014 2738 222.127.174.18 80236544 /home3/[redacted]/public_html/fonts/wall2/btc77_wallet.dat b _ o r [redacted] ftp 1 * c
Tue Apr 15 00:48:34 2014 1055 222.127.174.18 80236544 /home3/[redacted]/public_html/fonts/wall2/btc2_wallet.dat b _ o r [redacted] ftp 1 * c
Tue Apr 15 08:54:56 2014 673 222.127.174.18 7946240 /home3/[redacted]/public_html/fonts/wall/btc_wallet.dat b _ o r [redacted] ftp 1 * c
Tue Apr 15 08:56:32 2014 0 222.127.174.18 38960 /home3/[redacted]/public_html/fonts/wall/btc_wallet.dat b _ o r [redacted] ftp 1 * c
Further altcoin wallets downloaded in the same period: ThePandaCoin, RabbitCoin, MyriadCoin, MaxCoin, CarbonCoin, LiteBar, BattleCoin, DarkCoin, PenguinCoin, ReddCoin.
After his last wallet downloads on April 15th-16th he presumably went to work on emptying out and selling off his treasure trove of stolen coins. He was not done, however, as he came back for more on June 25th 2014:
Wallets downloaded on June 25th 2014 (names repeated where the original post listed them twice): BoschiCoin, ChikunCoin, eKrona, IncaKoin, NameCoin, OctoCoin, OrgCoin, PawnCoin, PetroDollar, WorldCoin, PiggyCoin, PopCoin, POTCoin, QubitCoin, RainbowCoin, StackCoin, sCoin, SpainCoin, TenFiveCoin, TitaniumCoin, WorldCoin, YangCoin, YinCoin, ZedCoin, ZenithCoin, BeliCoin, BellaCoin, Benjamins, BlackCoin, WeAreSatoshi, BurbuCoin, CatCoin, ColaCoin, KittehCoin, Frozen, OctoCoin, OrgCoin, PawnCoin, VaultCoin, KarmaCoin, ContinuumCoin, Cryptonium, CypherFunk, DuckDuckCoin, eToken, FastCoin, LemonCoin, PiggyCoin, KakaCoin, InfiniteCoin.
Cryptorush Falls:
By this point CryptoRush.in was going through a tug-of-war between multiple people interested in taking over the site (fyrstikken, moolah and a myriad of seemingly bad actors, likely more interested in the remaining coins than anything else). I won’t go into details as to what ended up happening with CryptoRush.in, as you can watch the following video by the new legally-signed owner of the site and get a better picture:
JBA was able to capitalize and essentially wipe out hundreds of Bitcoins’ worth of altcoins with little to no notice or red flags because of all the confusion between the original owners, the second hack and finally the takeover of the exchange, where many people had access to the wallets and no one knew for sure who was taking them. We began investigating the hack of CryptoRush.in soon after it happened and have been tracking the attacker’s whereabouts in our free time, hoping that eventually we would get the evidence we needed to expose his actions to the community and, most importantly, bring security awareness to a community that is still very young in the game.
More evidence provided by the perpetrator:
So to conclude, let’s go over what we have learned about Jimmy Bluey Amatong and put the entire picture together to better understand the situation:
- JBA was financially struggling in the real world, dealing with eviction, his father’s health and low income
- He was introduced to the idea of digital currencies towards the end of 2013
- By December 10-12th 2013 he had already set up the platform for scamming people out of coins by providing the community with a 0% fee mining pool: xtrapool.com
- He began dumping 42coins stolen from backdoored users of xtrapool.com:
42coins stolen
42coins stolen
- By January 17th 2014 he had at least 12+ Bitcoins on BTC-e from 42coin dumps:
Facebook Boasting - Around this time he had begun to infiltrate the emails, exchanges, pool accounts, dropboxes and skypes of miners who would have the misfortune of using his arbitrary pool. His intent was to spread and find more log ins, more access, more wallets and more money to satisfy his new hunger for Bitcoins.
- By February 4th 2014 as noted in previous screenshots he had begun selling Bitcoins to members of his Otaku-Streamers.com community and Facebook friends at a discounted price.
- By April 12th 2014 when he began stealing all of CryptoRush.in’s remaining Altcoin wallets he had also pilfered over 100BTC from CryptoRush.in’s wallets. This is excluding the coins he stole from xtrapool.com users.
- Only days later on April 15th he took another pop at LinkandZelda’s dropbox, where he found a large stash of 30 Bitcoins which he stole.
- Soon after in June he’s seen toting a brand new truck out of the docks:
With his fresh new truck
Keys papers and a screenshot
- By August 7-8th 2014 he was still moving Bitcoins around using his BTC-e account as an in-between. Taking and uploading a screenshot of his current balance (At the time) onto his server http://otaku-streamers.com/jb/btc2.png (which he has deleted 10-20-2014 after realizing we had found the image):
Balance Screenshot - By now, CryptoRush.in is relatively dead. No one seems to be on the hunt for him. He feels confident he has left no evidence behind.
- He begins his second assault on LinkandZelda over 8 months later by logging into his personal dropbox account and linking his computer to steal LinkandZelda’s backup private key to his current wallet taking the poor guys last 2 Bitcoins. Below is an email from LinkandZelda showing JBA logging right into his dropbox account and linking his machine “Jimbluey”.
Stealing Their Last 2 BTC via Dropbox
Part II: Midascoin/Midaspool Hacked
The story of CryptoRush and JBA is essentially over, but I will be presenting a part II to this series of incident reports detailing how Jimmy Bluey Amatong also robbed and essentially killed the Midascoin/Midaspool projects using tactics similar to those he used against CryptoRush.in.
Jimmy Bluey Amatong contacts:
And finally, if you would like to contact the authorities, or JBA himself, to ask where your coins have gone and to bring potential charges against him for loss of coins (if possible), the following information about him may help you in that endeavor:
- [email protected] - Used on crypto exchanges (Mintpal.com, and others)
- Username: jmacky11 - Used on exchanges and pools during the thefts.
- [email protected] - Used all across the Internet for various personal uses (Skype, Elance, PayPal, etc.)
- [email protected] - Used by him to handle donations for Otaku-Streamers.com, Elance payments and other invoices.
- parasen20**@yahoo.com/gmail.com - Used as backup email to [email protected]
- [email protected] - Personal email for the OS community
Jimmy Bluey Amatong hosts the following sites:
- http://osddl.com - Host for Anime images, movies and files
- http://os-tan.com - Community dedicated to Anime images
- http://AmtechCebu.com (also on Facebook and Elance) - Family-owned business in Cebu
- http://xtrapool.com - Now dormant, after the reported scams and thefts.
- http://pokemonseed.com - Now defunct site. Once a Pokemon community.
- http://gearwoodland.com - Purpose unclear (customer site or spam site?)
- http://otaku-streamers.com - The site he has run for over 6 years. Its users were backdoored and over 35,000 passwords stolen. This is your best way to see him in action.
Jimmy Bluey Amatong, servers he pays for via Bitcoin and the PayPal account [email protected]:
- 188.138.11.104
- 85.25.116.13
- 85.25.152.63
- 85.25.100.54
- 85.25.95.37
- 85.25.116.41
- 85.25.14.247 - mysql -h 85.25.14.247 -u xtrapool_ffc -pjbajba1498
- 85.25.159.255
- 66.172.33.140 - Read-only (no logging) VPS he rented from Chunkhost for logging into the CryptoRush.in backup server. Used in the Midascoin hack as well.
- 85.25.116.37
- 85.25.116.46
- 85.25.116.45
(See also https://github.com/bitcomsecdev/Incidents/)
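As an added example (not BITCOMSEC tooling, and not part of the original post), the script below matches the server addresses listed above, plus the jmacky11 username from the contacts section, against sshd and web-server access log lines, so an operator of a pool, exchange or backup host can check their own logs for the same infrastructure. An accepted SSH login from a listed address is flagged separately, since the Chunkhost VPS above was used for exactly that. The sample log lines, the hostnames and the file path in them are constructed for the example; the IPs and username are the ones on this page.

```python
"""Scan log lines for the attacker infrastructure listed on this page.

Added example, not BITCOMSEC's own tooling. SAMPLE_LOG is constructed;
only the IPs and the username come from the writeup.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Indicators from the list above (the repeated 85.25.100.54 collapsed).
ATTACKER_IPS = frozenset({
    "188.138.11.104", "85.25.116.13", "85.25.152.63", "85.25.100.54",
    "85.25.95.37", "85.25.116.41", "85.25.14.247", "85.25.159.255",
    "66.172.33.140", "85.25.116.37", "85.25.116.46", "85.25.116.45",
})
# Account name the page reports he used on exchanges and pools.
ATTACKER_USERNAMES = frozenset({"jmacky11"})

# Any dotted quad not embedded in a longer dotted/numeric token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# sshd lines: "Accepted password for root from 1.2.3.4 port 5 ssh2"
#             "Failed password for invalid user bob from 1.2.3.4 port 5 ssh2"
SSHD = re.compile(r"(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")


def extract_ips(line: str) -> List[str]:
    """Return the syntactically valid IPv4 addresses found in a line."""
    found = []
    for m in IPV4.finditer(line):
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:  # e.g. 999.1.1.1, not a real address
            pass
    return found


def scan(lines: Iterable[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_number, reasons, line) for every line that matches an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        for ip in extract_ips(line):
            if ip in ATTACKER_IPS:
                reasons.append(f"ip:{ip}")
        m = SSHD.search(line)
        if m:
            status, user, src = m.groups()
            if user.lower() in ATTACKER_USERNAMES:
                reasons.append(f"user:{user}")
            # A successful login from listed infrastructure is the strongest signal.
            if status == "Accepted" and src in ATTACKER_IPS:
                reasons.append("accepted-login-from-attacker-ip")
        if reasons:
            findings.append((n, reasons, line.rstrip()))
    return findings


# Constructed sample: one auth log excerpt and two web access log lines.
SAMPLE_LOG = """\
Apr 12 03:14:07 backup sshd[2213]: Accepted password for root from 66.172.33.140 port 50212 ssh2
Apr 12 03:15:30 backup sshd[2213]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 12 03:16:02 backup sshd[2290]: Failed password for invalid user jmacky11 from 203.0.113.9 port 4022 ssh2
85.25.116.45 - - [12/Apr/2014:03:20:11 +0000] "GET /wallet_backup.tar.gz HTTP/1.1" 200 19384
198.51.100.7 - - [12/Apr/2014:03:21:45 +0000] "GET /index.php HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    # Run over the sample; in practice feed it sys.stdin or an open log file.
    for num, why, text in scan(SAMPLE_LOG.splitlines()):
        print(f"line {num}: {', '.join(why)}\n    {text}")
```

Against the constructed sample this reports three lines: the accepted root login from the Chunkhost VPS, the failed attempt with the jmacky11 username, and the download from 85.25.116.45. Feed it your own auth.log and access logs from the period in question; the IP list is the page's, so extend ATTACKER_IPS if later findings add addresses.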
BITCOMSEC
About The Researchers:
BITCOMSEC, or Bitcoin Community Security Project, is a security research organization comprised of web vulnerability researchers and web service developers.
We provide public internet communities with wide ranging security consultation and notification free of charge, for the betterment of the community, and for the deeper understanding of security issues that affect all users. Our members are individuals who have been notified of vulnerabilities by us, and who in turn volunteer their time to further the project’s purpose.
Our goal is to positively influence the perception of bitcoin and the internet by providing these services on a donation and volunteer basis, allowing us to assist communities which other organizations cannot or will not help. We rely heavily upon donations via Bitcoin to continue our practice, BTC @ 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9.
Our Successes and Donors Include:
Bitcoin.de
OpenLibrary.org
CoinSetter.com
MTGox.com
deals.EBay.com
Unisend.com
Ecash.io
Bitcoin-Cigarettes.com
BTCVacations.com
BitcoinsinBerlin.com
BTCx.se
Central.com
labs.EBay.com
blog.Microsoft.com.tk
Los Alamos National Laboratories
NTP.org
UTDallas
CloudFlare.com
Archive.org
BitcoinFoundation.org
Circle.com
CoinJar.com
BTCInstant.com
PrimeCoinVPS.com
BahtCoin.com
ECurrencyZone.com
BitcoinMalaysia.com
EBay.cn
Coinmkt.com
Microsoft.fr
merchant.Paypal.com
CERN
Webmin/Virtualmin
Telekom.de
and many more...
BITCOMSEC Contact Information
Message us via BitMessage: BM-2cW3Vziujs3zLfFqunF2jeUw6R7djJuk8w
Twitter: @bitcomsec
Security posts: [email protected]
To donate to us: BTC: 1SEC1BS5wFDSToi1v3RubV9PjCSSPa6s9
Email: [email protected]
Full Incident Logs - https://github.com/bitcomsecdev/Research/
PDF Available Here: http://s000.tinyupload.com/index.php...50193869038713