Tracking A Bitcoin Thief, Part I exposed a mountain of evidence that Amatong was responsible for intentional, organized, long running fraud and computer intrusion aimed specifically at altcoin projects. Amatong’s Xtrapool was nothing but a honeypot, drawing people to sign up, hoping to learn their email addresses and passwords. The stolen credentials were routed to an Elance customer server and their later recovery was a key component in the BitComSec efforts to sort out what happened. Once Amatong had an email and a password he’d work his way across the crypto coin universe, looking for openings.
Tracking A Bitcoin Thief, Part II opens with BitComSec employing advanced forensics, literally watching Amatong work in real time.
While monitoring the server used to store stolen crypto wallets from cryptorush by Jimmy Bluey Amatong, we discovered evidence that he was proactive in attacking other online pools, exchanges, and sites. This provided us an opportunity to document his attack methodologies and take note of his potential victims. Thanks to his carelessness we were also able to figure out who was next under his hacking crosshairs: The MidasCoin Project.
And this is where things take a turn. BitComSec contacted MidasCoin:
Once we realized the implications of the compromise we contacted the appropriate members of staff via their public IRC channel on Freenode: #MidasCoin. After a couple of days of discussion they proposed that we audit their systems with the intention of helping them understand exactly how he got in, what he was able to access and finally: how to get rid of him.
And MidasCoin appears to have been their own worst enemy:
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we cannot track down exactly whose password was compromised but it points to one of the owners of MidasCoin who probably shared sensitive login details via Skype or email.
The Owner and Founder of the MidasCoin Project Decided to Cut and Run
Then things get strange and complex, with several logs and network captures, a couple of IP addresses, and quite a bit of inference regarding what was happening. BitComSec came to this conclusion:
Rather than cleaning up the mess of the disclosure to the MidasCoin community now that not only were the MidasCoin servers compromised, but that service providers were now severely short on MIDs, the owner and founder of the MidasCoin project decided to cut and run, taking the coins left in the system with him.
While the duration and depth of the investigation are impressive, showing that Amatong is clearly a rat in the cryptocoin woodpile, I am not as certain about what was happening with MidasCoin. The company displayed a shocking lack of operational security for an entity that intended to handle large amounts of money. If the operator was an intentional scammer, they must have been an old school grifter, wise to the ways of earning and exploiting trust, but they had no sense of how to keep their own operation safe in the face of someone like Amatong.
BitComSec offered tips on how to avoid situations like this and I’m going to expand on them a bit.
- Any service that is not protected by two-factor authentication should be seen as pre-release. Do create a login to see if they have any real innovation in the works, but don’t assume they can keep your coins safe.
- Make a new password for each service that you use or investigate. Do not use a simple pattern that involves the name of the domain; anyone who recovers one password from a compromised site (as Amatong did with the Xtrapool signups) can guess the rest. Store these passwords in a password manager rather than in Skype or email.
- Your email provider should also offer two-factor authentication for your account, because a password reset for every other service lands in your inbox. Gmail does this, and the associated Google Authenticator smartphone application implements the time-based one-time password standard (TOTP, RFC 6238) that most sites support. If you need a two-factor capable email provider, Gmail is the simplest place to start.
- Even with these precautions, a full compromise of a site’s servers bypasses these protections entirely, because the attacker sits underneath them. If you are evaluating many new services, you can get a virtual Android smartphone, including a new Gmail account and Google Authenticator, by installing Genymotion. This software is free; you have no excuse not to firewall your real assets from your exploratory budget.
What do you think of the Bitcoin Thief saga? Comment below!
Images from BitComSec and Shutterstock.
Last modified: March 4, 2021 4:41 PM