Cryptsy Hacker

a guest, Sep 18th, 2017

This has been updated with information from BigVern (Updates encapsulated in ***bv***) on 18 Sept 2017

[ASCII-art banner: CVC 2o16]

The CryptoVigilanteCrew Presents.....

While Paul Vernon's complicity in the funds stolen from Cryptsy is still in question... another question still remains unanswered... (until now)

"Who made lucky7coin that Paul Vernon claims was responsible for hacking Cryptsy?" ...let's find out!

Well, we do know, after visiting lucky7coin's GitHub repository, that it was indeed backdoored. A quick search for the malicious code on GitHub also brings up another coin, called torcoin.

https://github.com/alerj78/lucky7coin/
https://github.com/torcoindev/torcoin

Well, we know these coins were announced on bitcointalk. Let's see what we can find out about these 2 users on bitcointalk...

https://bitcointalk.org/index.php?action=profile;u=333668 (alerj78, owner of lucky7coin repository, initial uploader)
https://bitcointalk.org/index.php?action=profile;u=352008 (torcoin)

Let's have a look at the bitcointalk user database entries for lucky7coin and torcoin:

INSERT INTO `smf_members` VALUES (332957,'aler78',1400503000,0,0,'',1400631882,'aler78',0,0,'','','','','$5$rounds=7500$eZTQt3ihVEN45C13$5ugytyWO68zOr/yO3z8/evZ5ryHoceFlA97.QyV3Br2','johnaler@safe-mail.net','',0,'0001-01-01','','','','','','','',1,1,'','',0,'',1,0,0,'',1,1,0,2,'81.89.96.113','81.89.96.113','','',0,1,'',6844841,'','',4,833,'',0,NULL,1,2,0,0,94.99,'195.228.45.176');

INSERT INTO `smf_members` VALUES (333668,'alerj78',1400633430,2,0,'',1405004034,'alerj78',4,1,'','','','','$5$rounds=7500$iKTbk1zMBf2MC2xe$L8Gs8DJxfE0hcYWvaGB.BPfVlPzvN3Al6HoDAec.n14','alerj78@safe-mail.net','',0,'0001-01-01','','','','','','','',1,1,'','',0,'',1,0,0,'',1,1,0,2,'77.247.181.162','77.247.181.162','','',0,1,'',7768339,'','',12,7134,'',0,NULL,1,2,2,0,0,'81.89.96.113');

INSERT INTO `smf_members` VALUES (352008,'torcoin',1404479253,38,0,'',1407801091,'torcoin',97,3,'','','','','$5$rounds=7500$fpewoiyQ05ACAebp$.EMZ9UgNKut2UrlrXjtvQsach3LvbzTXhpJzIINzKk1','torcoin@hushmail.com','',0,'0001-01-01','','','','','','','',1,1,'','',0,'',1,0,0,'',1,1,0,2,'192.42.116.16','192.42.116.16','','',0,1,'',8303268,'','',5,77896,'',0,NULL,1,2,38,0,0,'81.89.96.113');


Let's see if any other users are registered on bitcointalk with that IP, 81.89.96.113...

***bv***

Well, first let's find out what we can about that IP.

81.89.96.113 is assigned to a dedicated server / colocation company in Germany. It is likely a proxy. This means that the IP alone may not be enough to tie the users together. We need something else: either evidence that the proxy was a private proxy not generally used by the public, or some other kind of data tying the users together.

There are 4 IPs shown above; their current assignments:

81.89.96.113 - German dedicated server / colocation facility (Possible tor exit node or other type of proxy?)
77.247.181.162 - torservers.net - hosted in Germany
192.42.116.16 - Tor exit node - Netherlands
195.228.45.176 - Dedicated server - Hungary - possible tor exit

It is possible that all 4 of these nodes were tor exit nodes when they were used. The bottom 3 IPs are the most likely candidates for Tor exit nodes.

Bitcointalk user creation timeline for these 4 users:

aler78 - Mon, 19 May 2014 12:36:40 GMT
alerj78 - Wed, 21 May 2014 00:50:30 GMT
azeteki - Fri, 27 Jun 2014 21:30:02 GMT
torcoin - Fri, 04 Jul 2014 13:07:33 GMT

Let's query the Cryptsy DB for these IPs in login histories:

81.89.96.113 - No Results
77.247.181.162 - 422 different users (Definitely a tor node)
192.42.116.16 - 145 different users (Definitely a tor node)
195.228.45.176 - 46 different users (Definitely a tor node)

Strange that 81.89.96.113 has no activity at all for logins. If this was a tor exit node, then it is unusual that we have no entries for it.

azeteki, aler78, alerj78, and torcoin are not usernames found in the Cryptsy DB.

However, there is an entry for a Dan Edgecumbe...
UserID: 35144
Username: Forbearance
Email Domain: danedgecumbe.com
Signup Date: 2013-12-01 05:53:02

A quick look at his website shows us that he is in fact azeteki (author of bitcoind-ncurses). Based on the skillset listed on his website, it would appear he has the necessary skills to have implemented the malicious code in lucky7coin and torcoin.

6 logins for this user from IP 129.67.137.66 from 2013-12-01 to 2014-01-25. This was the only IP ever used to log in. This was NOT a tor node. The IP belongs to Oxford University. No other users have used this IP. This user did not log in after 2014-01-25.

The password hash for this user is not used by any other users.

How many Cryptsy users logged in from the 3 tor nodes above during the period 2014-05-18 to 2014-07-05 and also used safe-mail.net?

Total of 7

These are the 3 most suspicious of the bunch:

| 260536 | joshsmith999 | kukka999@safe-mail.net | Josh | Smith | 2014-06-05 12:34:13 |
| 265246 | rv9z744 | tz79pr5@safe-mail.net | Jeff | Smith | 2014-07-01 00:34:14 |
| 265609 | xxcdrwxx | xxcdrwxx@safe-mail.net | az | az | 2014-07-02 07:01:41 |

Check out the last one: first name "az" and last name "az"... as in azeteki maybe? This user made no deposits or trades. They signed up from IP 77.247.181.162.

There is another IP in the bitcointalk database for azeteki - 62.210.74.186. What do we know about this IP?
- It's a tor exit node
- 47 distinct Cryptsy users have logged in with this IP
- None of the users use safe-mail
- Nothing unusual stands out for the users created during the period 2014-05-18 to 2014-07-05

Conclusion:

It is unknown if the IP 81.89.96.113 was a Tor exit node. If it was, then it would seem likely that it would be in the login database at least once. In any case, azeteki lives in London, UK - and the IP is in Germany. So this does appear to be some kind of proxy. It is unknown if this is a shared proxy or a private proxy, but it was only used by these 4 bitcointalk users.

We are unable to dispel the association between these 4 users based on that IP address. If anything, the data has shown a stronger association.

The user azeteki does have the skillset required to program the malicious code.

***bv***


INSERT INTO `smf_members` VALUES (349019,'azeteki',1403904602,93,0,'',1423992881,'azeteki',6,0,'','','','','$5$rounds=7500$Lvy9Z5P+kZdiatAf$ySFjx5daAKnruGXMsc5ONKOKvbTZixr7tSeK9mo8Df/','azeteki@safe-mail.net','Amphibian',0,'0001-01-01','GitHub page','https://azeteki.github.io','Panama','','','','',1,0,'','[url=https://github.com/azeteki/bitcoind-ncurses]bitcoind-ncurses[/url] - [url=https://azeteki.github.io/charts]network charts[/url] - [url=https://azeteki.github.io]azeteki.github.io[/url] - [url=https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE2BD14EC2C7D458F]PGP[/url]',0,'',1,0,0,'',0,0,0,2,'62.210.74.186','62.210.74.186','','',0,1,'',10465724,'11','',19,96372,'cfc9',0,NULL,1,2,93,0,0,'81.89.96.113');


azeteki uses the same IP/proxy, and also safe-mail.net... interesting. The name azeteki comes from the Latin name of a species of frog.

So who is https://bitcointalk.org/index.php?action=profile;u=349019 (azeteki)?

https://github.com/azeteki/ (account is now deleted? But you can Google it and see it was the author of bitcoind-ncurses.)
https://www.reddit.com/user/Atelopus_zeteki
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE2BD14EC2C7D458F
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x47DA40099E00994C

17:57.32 *** join/#debian Amphibian (~azeteki@gateway/tor-sasl/amphibian)
18:17.29 *** part/#debian Amphibian (~azeteki@gateway/tor-sasl/amphibian)

bitcointalk profile shows:

Gender: Male
Age: N/A
Location: London, UK
Local Time: June 18, 2016, 04:04:49 AM

Website: esoteric nonsense
Bitcoin address: 1FrogqMmKWtp1AQSyHNbPUm53NnoGBHaBo <- 1frog

Well, what can we get from esotericnonsense.com?

daniele@esotericnonsense.com
Origin country United Kingdom
Primary IP Address 86.146.198.227

https://esotericnonsense.com/contact.html

pub rsa4096/0x47DA40099E00994C 2016-04-04 [SC] [expires: 2021-04-03]
Key fingerprint = E82F BFB5 0174 9C46 B440 29B7 47DA 4009 9E00 994C
uid [ultimate] Daniel Edgecumbe <daniele@esotericnonsense.com>
sub rsa4096/0x0D2CCF290CD80BAD 2016-04-04 [E] [expires: 2021-04-03]

Well, it looks like azeteki's repo has moved here:
https://github.com/esotericnonsense which belongs to a Daniel Edgecumbe. Coincidence? Of course not.

https://github.com/esotericnonsense/project-euler - this page actually shows that azeteki is Daniel Edgecumbe's username on Project Euler.

So, Daniel Edgecumbe created the backdoored lucky7coin, as well as torcoin. Cryptsy had lucky7coin installed on their exchange, we know that. Did Daniel Edgecumbe steal the 13k BTC from Cryptsy?
He certainly could have, using his backdoor; however, we do not know yet, but we are working on finding that out.

Any proper authority can subpoena the database from bitcointalk, and the other various sites he is registered on, and verify these claims. To all those who lost funds on Cryptsy: it sucks, we know, but maybe this information can help, and maybe one day the coins can be recovered. Maybe they won't, but we can get some sort of closure. Let this be a reminder that if you hurt/attempt to hurt the crypto community, people will come looking for you, and they might just find you.

donate to the CVC: 1CVCggdNNC9bbpVyxQtqbxWQcEgmj9JtGG

There's no masking from us now
We pop Tor nodes around the globe
Track and hunt you down! -Dual Core