BitComSec, the Bitcoin Community Security Project, have just released the second installment in the saga of Jimmy Bluey Amatong, entitled Tracking A Bitcoin Thief, Part II. This began as a true crime cyberthriller, then evolved into a lesson in what not to do with your hard earned Bitcoin, and ended with a plot twist worthy of Quentin Tarantino.
Tracking A Bitcoin Thief, Part I exposed a mountain of evidence that Amatong was responsible for intentional, organized, long running fraud and computer intrusion aimed specifically at altcoin projects. Amatong’s Xtrapool was nothing but a honeypot, drawing people to sign up, hoping to learn their email addresses and passwords. The stolen credentials were routed to an Elance customer server and their later recovery was a key component in the BitComSec efforts to sort out what happened. Once Amatong had an email and a password he’d work his way across the crypto coin universe, looking for openings.
Tracking A Bitcoin Thief, Part II opens with BitComSec employing advanced forensics, literally watching Amatong work in real time.
While monitoring the server used to store stolen crypto wallets from cryptorush by Jimmy Bluey Amatong, we discovered evidence that he was proactive in attacking other online pools, exchanges, and sites. This provided us an opportunity to document his attack methodologies and take note of his potential victims. Thanks to his carelessness we were also able to figure out who was next under his hacking crosshairs: The MidasCoin Project.
And this is where things take a turn. BitComSec contacted MidasCoin:
Once we realized the implications of the compromise we contacted the appropriate members of staff via their public IRC channel on Freenode: #MidasCoin. After a couple of days of discussion they proposed for us to audit their systems with the intention of helping them understand exactly how he got in, what he was able to access and finally: how to get rid of him.
And MidasCoin appears to have been their own worst enemy:
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we can not track down exactly whose password was compromised but it points to one of the owners of MidasCoin who probably shared sensitive login details via Skype or email.
Then things get strange and complex, with several logs and network captures, a couple of IP addresses, and quite a bit of inference regarding what was happening. BitComSec came to this conclusion:
Rather than cleaning up the mess of the disclosure to the MidasCoin community now that not only were the MidasCoin servers compromised, but that service providers were now severely short on MIDs, the owner and founder of the MidasCoin project decided to cut and run, taking the coins left in the system with him.
While the duration and depth of the investigation are impressive, showing that Amatong is clearly a rat in the cryptocoin woodpile, I am not as certain about what was happening with MidasCoin. The company displayed a shocking lack of operational security for an entity that intended to handle large amounts of money. If the operator was an intentional scammer, they must have been an old school grifter, wise to the ways of earning and exploiting trust, but they had no sense of how to keep their own operation safe in the face of someone like Amatong.
BitSecCom offered tips on how to avoid situations like this and I’m going to expand on them a bit.
What do you think of the Bitcoin Thief saga? Comment below!
Images from BitComSec and Shutterstock.