SHOW:
|
|
- or go back to the newest paste.
1 | This has been updated with information from BigVern (Updates encapsulated in ***bv***) on 18 Sept 2017 | |
2 | ||
3 | _____ _______ ______ _____ | |
4 | * _____\ \_\ | | | _____\ \_ . | |
5 | / /| || / / /|/ /| | | |
6 | ./ / /____/||\ \ \ |// / /____/| * | |
7 | . | | |____|/ \ \ \ | || | |____|/ . | |
8 | | | _____ \| \| || | _____ * | |
9 | |\ \|\ \ |\ /||\ \|\ \ ' | |
10 | | \_____\| | | \_______/ || \_____\| | . | |
11 | '| | /____/| \ | | / | | /____/| * | |
12 | \|_____| ||2o16 \|_____|/ \|_____| || . | |
13 | ' |____|/ . * |____|/ | |
14 | ||
15 | The CryptoVigilanteCrew Presents..... | |
16 | ||
17 | While Paul Vernon being complicit in the funds stolen from Cryptsy is still in question... another question still remains unanswered... (until now) | |
18 | ||
19 | "Who made lucky7coin that Paul Vernon claims was responsible for hacking Cryptsy?" ...lets find out! | |
20 | ||
21 | Well, we do know, after visiting lucky7coin's github repository, that it was indeed backdoored. A quick search of the malicious code on github, also brings up another coin, called torcoin. | |
22 | ||
23 | https://github.com/alerj78/lucky7coin/ | |
24 | https://github.com/torcoindev/torcoin | |
25 | ||
26 | Well we know these coins were announced on bitcointalk. Let's see if what we can find out about these 2 users on bitcointalk... | |
27 | ||
28 | https://bitcointalk.org/index.php?action=profile;u=333668 (alerj78, owner of lucky7coin repository, initial uploader) | |
29 | https://bitcointalk.org/index.php?action=profile;u=352008 (torcoin) | |
30 | ||
31 | let's have a look at the bitcointalk user database entries for lucky7coin and torcoin: | |
32 | ||
33 | INSERT INTO `smf_members` VALUES (332957,'aler78',1400503000,0,0,'',1400631882,'aler78',0,0,'','','','','$5$rounds=7500$eZTQt3ihVEN45C13$5ugytyWO68zOr/yO3z8/evZ5ryHoceFlA97.QyV3Br2','johnaler@safe-mail.net','',0,'0001-01-01','','','','','','','',1,1,'','',0,'',1,0,0,'',1,1,0,2,'81.89.96.113','81.89.96.113','','',0,1,'',6844841,'','',4,833,'',0,NULL,1,2,0,0,94.99,'195.228.45.176'); | |
34 | ||
35 | INSERT INTO `smf_members` VALUES (333668,'alerj78',1400633430,2,0,'',1405004034,'alerj78',4,1,'','','','','$5$rounds=7500$iKTbk1zMBf2MC2xe$L8Gs8DJxfE0hcYWvaGB.BPfVlPzvN3Al6HoDAec.n14','alerj78@safe-mail.net','',0,'0001-01-01','','','','','','','',1,1,'','',0,'',1,0,0,'',1,1,0,2,'77.247.181.162','77.247.181.162','','',0,1,'',7768339,'','',12,7134,'',0,NULL,1,2,2,0,0,'81.89.96.113'); | |
36 | ||
37 | INSERT INTO `smf_members` VALUES (352008,'torcoin',1404479253,38,0,'',1407801091,'torcoin',97,3,'','','','','$5$rounds=7500$fpewoiyQ05ACAebp$.EMZ9UgNKut2UrlrXjtvQsach3LvbzTXhpJzIINzKk1','torcoin@hushmail.com','',0,'0001-01-01','','','','','','','',1,1,'','',0,'',1,0,0,'',1,1,0,2,'192.42.116.16','192.42.116.16','','',0,1,'',8303268,'','',5,77896,'',0,NULL,1,2,38,0,0,'81.89.96.113'); | |
38 | ||
39 | ||
40 | let's see if any other users are registered on bitcointalk with that ip, 81.89.96.113 ... | |
41 | ||
42 | ***bv*** | |
43 | ||
44 | Well, first lets find out what we can about that IP. | |
45 | ||
46 | 81.89.96.113 is assigned to a dedicated server / colocation company in Germany. It is likely a proxy. This means that IP alone may not be enough to tie the users together. We need something else to either show that the proxy was a private proxy not generally used by the public, or some kind of data tying the users together other than IP. | |
47 | ||
48 | There are 4 IP's shown above and their current assignments: | |
49 | ||
50 | 81.89.96.113 - German dedicated server / colocation facility (Possible tor exit node or other type of proxy?) | |
51 | 77.247.181.162 - torservers.net - hosted in Germany | |
52 | 192.42.116.16 - Tor exit node - Netherlands | |
53 | 195.228.45.176 - Dedicated server - Hungary - possible tor exit | |
54 | ||
55 | It is possible that all 4 of these nodes where tor exit nodes when they where used. The bottom 3 IPs the most likely candidates for Tor exit nodes. | |
56 | ||
57 | Bitcointalk user creation timeline for these 4 users: | |
58 | ||
59 | aler78 - Mon, 19 May 2014 12:36:40 GMT | |
60 | alerj78 - Wed, 21 May 2014 00:50:30 GMT | |
61 | azeteki - Fri, 27 Jun 2014 21:30:02 GMT | |
62 | torcoin - Fri, 04 Jul 2014 13:07:33 GMT | |
63 | ||
64 | Let's query the Cryptsy DB for these IP's in login histories: | |
65 | ||
66 | 81.89.96.113 - No Results | |
67 | 77.247.181.162 - 422 different users (Definitely a tor node) | |
68 | 192.42.116.16 - 145 different users (Definitely a tor node) | |
69 | 195.228.45.176 - 46 different users (Definitely a tor node) | |
70 | ||
71 | Strange that 81.89.96.113 has no activity at all for logins. If this was a tor exit node, then it is unusual that we have no entries for it. | |
72 | ||
73 | azeteki, aler78, alerj78, and torcoin are not usernames found in the Cryptsy DB. | |
74 | ||
75 | However, there is an entry for a Dan Edgecumbe... | |
76 | UserID: 35144 | |
77 | Username: Forbearance | |
78 | Email Domain: danedgecumbe.com | |
79 | Signup Date: 2013-12-01 05:53:02 | |
80 | ||
81 | A quick look at his website shows us that he is in fact azeteki (author of bitcoind-ncurses). Based on the skillset listed on his website, it would appear he would have the necessary skills to implement the malicious code into lucky7coin and torcoin. | |
82 | ||
83 | 6 Logins for this user from IP 129.67.137.66 from 2013-12-01 to 2014-01-25. This was the only IP ever used to login. This was NOT a tor node. IP belongs to Oxford University. No other users have used this IP. This user did not log in after 2014-01-25. | |
84 | ||
85 | The password hash for this user is not used by any other users. | |
86 | ||
87 | How many Cryptsy users logged in from the 3 tor nodes above during the period 2014-05-18 to 2014-07-05 that also used safe-mail.net? | |
88 | ||
89 | Total of 7 | |
90 | ||
91 | These are the 3 most suspicious of the bunch: | |
92 | ||
93 | | 260536 | joshsmith999 | kukka999@safe-mail.net | Josh | Smith | 2014-06-05 12:34:13 | | |
94 | | 265246 | rv9z744 | tz79pr5@safe-mail.net | Jeff | Smith | 2014-07-01 00:34:14 | | |
95 | | 265609 | xxcdrwxx | xxcdrwxx@safe-mail.net | az | az | 2014-07-02 07:01:41 | | |
96 | ||
97 | Check out the last one, first name "az" and last name "az"... as in azeteki maybe? This user made no deposits or trades. They signed up from IP 77.247.181.162 | |
98 | ||
99 | There is another IP in the bitcointalk database for azeteki - 62.210.74.186. What do we know about this IP? | |
100 | - It's a tor exit node | |
101 | - 47 distinct Cryptsy users have logged in with this IP | |
102 | - None of the users use safe-mail | |
103 | - Nothing unusual stands out for the users created during the period 2014-05-18 to 2014-07-05 | |
104 | ||
105 | Conclusion: | |
106 | ||
107 | It is unknown if the IP 81.89.96.113 was a Tor exit node. If it was, then it would seem likely that it would be in the login database at least once. In any case, azeteki lives in London, UK - and the IP is in Germany. So this does appear to be some kind of proxy. It is unknown if this is a shared proxy or a private proxy, but it was only used by these 4 bitcointalk users. | |
108 | ||
109 | We are unable to dispel the association between these 4 users based on that IP address. If anything, the data has shown a stronger association. | |
110 | ||
111 | The user azeteki does have the skillset required to program the malicious code. | |
112 | ||
113 | ***bv*** | |
114 | ||
115 | ||
116 | INSERT INTO `smf_members` VALUES | |
117 | (349019,'azeteki',1403904602,93,0,'',1423992881,'azeteki',6,0,'','','','','$5$rounds=7500$Lvy9Z5P+kZdiatAf$ySFjx5daAKnruGXMsc5ONKOKvbTZixr7tSeK9mo8Df/','azeteki@safe-mail.net','Amphibian',0,'0001-01-01','GitHub page','https://azeteki.github.io','Panama','','','','',1,0,'','[url=https://github.com/azeteki/bitcoind-ncurses]bitcoind-ncurses[/url] - [url=https://azeteki.github.io/charts]network charts[/url] - [url=https://azeteki.github.io]azeteki.github.io[/url] - [url=https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE2BD14EC2C7D458F]PGP[/url]',0,'',1,0,0,'',0,0,0,2,'62.210.74.186','62.210.74.186','','',0,1,'',10465724,'11','',19,96372,'cfc9',0,NULL,1,2,93,0,0,'81.89.96.113'); | |
118 | ||
119 | ||
120 | azeteki uses the same ip/proxy. also safe-mail.net.. interesting. the name azeteki comes from the latin name of a species of frog. | |
121 | ||
122 | so who is https://bitcointalk.org/index.php?action=profile;u=349019 (azeteki) ? | |
123 | ||
124 | https://github.com/azeteki/ (account is now deleted? but you can google it and see it was the author of bitcoind-ncurses.) | |
125 | https://www.reddit.com/user/Atelopus_zeteki | |
126 | https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE2BD14EC2C7D458F | |
127 | https://pgp.mit.edu/pks/lookup?op=vindex&search=0x47DA40099E00994C | |
128 | ||
129 | 17:57.32 *** join/#debian Amphibian (~azeteki@gateway/tor-sasl/amphibian) | |
130 | 18:17.29 *** part/#debian Amphibian (~azeteki@gateway/tor-sasl/amphibian) | |
131 | ||
132 | bitcointalk profile shows: | |
133 | ||
134 | Gender: Male | |
135 | Age: N/A | |
136 | Location: London, UK | |
137 | Local Time: June 18, 2016, 04:04:49 AM | |
138 | ||
139 | Website: esoteric nonsense | |
140 | Bitcoin address: 1FrogqMmKWtp1AQSyHNbPUm53NnoGBHaBo <- 1frog | |
141 | ||
142 | well, what can we get from esotericnonsense.com? | |
143 | ||
144 | daniele@esotericnonsense.com | |
145 | Origin country United Kingdom | |
146 | Primary IP Address 86.146.198.227 | |
147 | ||
148 | https://esotericnonsense.com/contact.html | |
149 | ||
150 | pub rsa4096/0x47DA40099E00994C 2016-04-04 [SC] [expires: 2021-04-03] | |
151 | Key fingerprint = E82F BFB5 0174 9C46 B440 29B7 47DA 4009 9E00 994C | |
152 | uid [ultimate] Daniel Edgecumbe <daniele@esotericnonsense.com> | |
153 | sub rsa4096/0x0D2CCF290CD80BAD 2016-04-04 [E] [expires: 2021-04-03] | |
154 | ||
155 | well, it looks like azeteki's repo has moved here: | |
156 | https://github.com/esotericnonsense which belongs to a Daniel Edgecumbe. Coincidence? of course not. | |
157 | ||
158 | https://github.com/esotericnonsense/project-euler this page actually shows that azeteki is Daniel Edgecumbe's username on project euler. | |
159 | ||
160 | So, Daniel Edgecumbe created the backdoored lucky7coin, as well as torcoin. Cryptsy had lucky7coin installed on their exchange, we know that. Did Daniel Edgecumbe steal the 13k BTC from Cryptsy? | |
161 | He certainly could have using his backdoor, however, we do not know yet, but we are working on finding that out. | |
162 | ||
163 | Any proper authority can subpoena the database from bitcointalk, and other various sites he is registered on, and verify these claims. To all those who lost funds on Cryptsy, it sucks, we know, | |
164 | but maybe this information can help, and maybe one day the coins can be recovered. Maybe they won't, but we can get some sort of closure. Let this be a reminder, that if you hurt/attempt to hurt the crypto community, | |
165 | people will come looking for you, and they might just find you. | |
166 | ||
167 | donate to the CVC: 1CVCggdNNC9bbpVyxQtqbxWQcEgmj9JtGG | |
168 | ||
169 | There's no masking from us now | |
170 | We pop Tor nodes around the globe | |
171 | Track and hunt you down! -Dual Core |