BREAKING: Pony Trojan steals $220,000 From Wallets

February 25, 2014
Trojan Pony Botnet stole $220,000 from online wallets

A trojan named “Pony” has been blamed for stealing more than $220,000 worth of cryptocurrencies from users’ online wallets. Many of those users may still be unaware of their loss.

Please note that a client wallet hosted on your PC or phone is not affected by this security alert.

Not Only Bitcoin

The trojan Pony, which operated as an advanced botnet between September 2013 and mid-January 2014, stole approximately 700,000 online credentials and successfully compromised 85 online wallets containing a range of cryptocoins – including Bitcoin.

At the time of writing, Trustwave’s Spiderlabs has found evidence of the following amounts being transferred out of online wallets by the trojan:

~ 355 BitCoins

~ 280 LiteCoins

~ 33 PrimeCoins

~ 46 FeatherCoin

Other cryptocurrency wallets believed to have been vulnerable to Pony theft are:

Anoncoin BBQcoin Bytecoin Craftcoin Devcoin Digitalcoin
Fastcoin Feathercoin Florincoin Franko Freicoin GoldCoin
I0coin Infinitecoin Ixcoin Junkcoin Litecoin Luckycoin
Mincoin Namecoin NovaCoin Phoenixcoin PPCoin Primecoin
Quarkcoin Tagcoin Terracoin Worldcoin Yacoin Zetacoin

Online Wallet Checker

Since cryptocurrency addresses and wallets are anonymous, there is no way to contact the owners of affected wallets. Hence, Trustwave have created a webpage where you can enter your wallet’s public key to check whether it is in the list of compromised accounts: Trustwave Account Checker

Note to readers: Your public key is, by definition, public and revealing it does not compromise your wallet security. However, take care to NOT enter any private keys!

Pony was first identified by McAfee in December, when it was found using keystroke logging to steal “approximately 2 million passwords” from popular social media sites:

Using a system of compromised computers, hackers were able to capture login credentials for a variety of accounts from social networking sites such as Facebook, Twitter, and LinkedIn, email providers Google and Yahoo, and payroll provider ADP.

Botnet Inactive

The number of credentials quoted by McAfee is far greater than the figure of 700,000 now declared by Trustwave, who have also determined that the operators of the botnet ceased all activity in mid-January:

Trustwave determined that Pony botnet activity ceased in mid-January (image courtesy of Trustwave Spiderlabs)

Last modified (UTC): April 24, 2014 16:08

Venzen Khaosan @venzen

Market analyst and Open source developer with a keen interest in blockchain technology, consensus mechanisms and the decentralizing effect. He has found a solution to the PKI mechanism. Email me to discuss.