GRAND THEFT BITCOIN: The Quest for the Lost Satoshis.
(based on a true story)
It was just an ordinary day, apart from the fact of being the day when Catholics celebrate the light of the coming of Christ. It was almost past midday and I was just leaving home to get some things going for the weekend; while I was finishing putting on my shoes, something got my attention back to my tablet: I was browsing a well-known BTC faucet web app, which I was just exploring out of pure curiosity -- since I had already stopped using it, many months ago, because I had realized the poor app interface and its many inefficiencies and security issues -- when an unintended click on one of the many links provided by the app -- one never knows which element actually pertains to the app code and which is a sponsored ad -- took me to some website, out of the faucet. (WARNING: DO NOT GO TO THIS WEBSITE! ITS EXTREMELY MALICIOUS CODE WILL HARM YOUR BITCOIN WEALTH! THAT IS A FACT.)
"FREE BITCOIN MINING!", it read all over the webpage my browser had just opened. Then, a surprisingly clever message stated that 'they' (a team of crackers) had discovered a major security flaw in the bitcoin client and wished for the bitcoin core developers to fix it a.s.a.p.; meanwhile, all of us (their own fools) could just benefit, for free, from that issue and help their legitimate cause (i.e., to fix the security flaw in the bitcoin client). In other words: they were supposedly giving away free bitcoins retrieved from mining pool bugs.
Lower in the webpage, there was a live forum ("Message Box") where we ('the fools') were supposed to post our own impressions about the online tool and the results on how many bitcoins were sent to the public address we had previously given away to do so. There, you could find comments like: -"Thanks! =D This site is amazing."- and -"YESSS. i do not actually believe that this is the best! I won 2.98 bitcoins. :3 This site is fcking the best.."-. So, the obvious question was: why not?
Then, one can actually slide a golden button to tell the web api "How Many Bitcoins Would You Like To Get? (More takes longer time)" after the computing process is over. I then asked myself: -"how many would be reasonable?"-, and proceeded to slide the golden button to "3" (based on what I had read on the bogus forum located in the lower part of the webpage), and thought to myself: -"I would be very surprised if, suddenly, my COINBASE wallet sends me a notification reading: 'You have received 3.00000000 BTC'; that would be awesome!"-.
Somehow, I seemed to think that all those satoshis I had legitimately earned before, by clicking on many different faucet apps downloaded to my tablet -- and never collected, because they had never been paid by the app developers (obviously, because their apps were just scams) --, like Moon Bitcoin, were going to suddenly appear in my wallet, out of divine justice. I was a fool.
In a matter of seconds, just after clicking on the "Get Bitcoins" button -- just above the "Message Box" headline --, the webpage displays some "loading..." type of messages to calm the anxiety and make you think that you are actually making it happen; in a matter of 30 to 45 seconds, the message stalls. It is the last thing you want to realize, that something just went wrong, just seconds away from receiving your free bitcoins, mined through this incredible web api. It's imminent: you have to click the button again! -- or, maybe, ask for fewer coins? --. So, anyhow, you just click the button again..., and again, and again. Nothing seems to get the thing going for you. It's time to sound the retreat and say goodbye to those "free" bitcoins, forever.
After that, I powered off my tablet, closed my room, secured my house and hit the road! I went to spend the rest of the day with some friends who were going to celebrate the above-mentioned day.
Now it's nine o'clock at night. I power my tablet back on and, just after it has logged into the OS, copious error messages start to pop up at the center of the screen, just as if it were a machine-gun effect. I have to do as I do with any tapping-style game app, to get rid of them all, but it only takes 2 or 5 seconds for them to appear again. It's useless: my tablet has officially been malfunctioning since that day. I've been hacked.
Nevertheless, I took full responsibility for my foolishness: I didn't immediately complain, I didn't send an error report, I didn't say bad words to the crackers. All I did was factory-reset my tablet and, with it, I lost some pictures, videos, screenshots, music, documents... but nothing impossible to repair in the near future. But, when my tablet was back on, it lasted just a few minutes before it started again with the machine-gunned pop-ups of error messages. Now I am mentally exhausted. I don't know what's happening, for sure.
I finally deactivated some core network functions of the OS and managed to stop the error messages, at the cost of not being able to use almost any of the apps installed on my tablet. To me, it's a little cost, since I have another mobile device and computers to access the internet and get my job done.
A week later, I opened a long-time-no-see app whose main function is to have a closer look at my bitcoin account transactions, called SENTINEL. It was then that I realized, with no little anger or surprise, that I had been robbed. The "crackers" had stolen exactly 120,010 satoshis from one of my COINBASE automatically generated wallet addresses (coincidentally, the one I had entered in the "Enter Bitcoin Wallet Address:" form, at the incredible webpage described at the beginning of this article).
At the beginning, I couldn't believe it. How was it possible for someone to steal my coins, without having COINBASE's notification service send me an expressly requested message to my inbox, regarding the four different transactions that took place the same day, between 12:40 and 14:18 hours? I mean: I even had to take various security measures to activate my account with COINBASE, in the first place; I had to create a password; I even got two-factor authentication activated. Again: how was it possible for someone to know my private key, regardless of COINBASE's digitally hosted wallet security measures (that is: server-side)?
I may sound redundant, but nevertheless, again: HOW IS IT POSSIBLE FOR A STRANGER TO KNOW MY PRIVATE KEY IN JUST A FEW SECONDS? And even worse: HOW DID THIS ATTACKER GET TO STEAL COINS AT WILL FROM MY BTC ADDRESS IN A FEW MINUTES?
I am now sure that it wasn't a keylogger, because of the fact that I didn't access my wallet through the COINBASE app, nor from its web api (http://www.coinbase.com/). Nor did I have my private key or phrase stored on my tablet, or anywhere else, at all (as with the rest of the BTC addresses I use, for which I'd rather use a piece of plain bond paper that I'm used to carrying with me, all the time).
It is clear to me now that bitcoin has a tremendously important security flaw, NOT because it is unsafe, per se, but in the way online DH wallet services are being delivered to the mainstream population. Given my research findings, a major breach has been going on since approximately 3 years ago (2014). It could even be possible that these alleged 'crackers' were the ones behind the MtGox and BitFin hacks.
I want to state, just for the record, that I'm actually well acquainted with cryptographic algorithms and protocols, like the ones used in bitcoin, as well as with its fundamentals, but I'm still not a cryptologist, nor a skilled programmer (hacker) who knows how to effectively defend against a 'live' attack (i.e., virus infection, keylogger, spyware, malware, sniffing, etc.), nor how to store my sensitive information, apart from encrypting it with a PGP ('Pretty Good Privacy') key pair, on a USB drive, offline.
What does a common 'John Doe' have to do to protect his digital assets (i.e., satoshis) from being stolen, the way it happened to me (and to other hundreds, or even thousands, of persons around the world)? I think that's the principal issue about cryptocurrency adoption by mainstream users of financial services (i.e., fiat currencies). There have to exist better security protocols, easy to use, for the vast majority of the world population that actually uses the internet as a means of work, or banking, or shopping, and so on.
So, I opened my web browser to some internet-based blockchain service, like BLOCKR, and entered my COINBASE wallet address (yes, the hacked one!), to confirm what SENTINEL displayed in its app. Sadly, it was all true! 120,010 satoshis had just been stolen from my wallet, in about 1.5 hours. This is how I began the quest for my lost satoshis.
At first, I found myself lost in a labyrinth of bitcoin addresses and 'hashes', confirmations, spent and unspent outputs, inputs and 'coinbases'. After an hour of wandering, it all started to make sense. My 'petty cash' (120,010 satoshis) was mixed with that of many others, similarly (transactions of about 30,000 satoshis per address). Soon, at some point of the trail, it all amounted to more than 2 BTCs (200,000,000 satoshis).
A couple dozen addresses afterwards (going forward on the trail), the amounts per address were of the order of 100 BTCs (10,000,000,000 satoshis). Finally, after an hour or so, I found myself at an address that had just received more than 1,500 BTCs (150,000,000,000 satoshis) in the same window of time (approximately half an hour later than the time they stole my satoshis).
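The forward trail described above can be reproduced offline on a small transaction graph. This is an added example, not code from the article or from any explorer it names; the transactions, addresses and amounts are constructed. `spends_from` is the address-level outgoing check a watcher must alert on, and `trace_forward` follows every output downstream, so the totals at each hop include the coins of every other input that was joined in, which is why the amounts grow along a trail.

```python
from collections import deque

# Constructed sample transaction graph (not real chain data). Each tx lists
# its inputs and outputs as (address, satoshis) pairs.
TXS = {
    "tx1": {"in": [("A_victim", 120010), ("B", 30000), ("C", 30000)],
            "out": [("M1", 180010)]},
    "tx2": {"in": [("M1", 180010), ("D", 50000)],
            "out": [("M2", 230010)]},
    "tx3": {"in": [("M2", 230010)],
            "out": [("X", 200000), ("M3", 30010)]},
    "tx4": {"in": [("E", 1000)], "out": [("F", 1000)]},  # unrelated noise
}


def spends_from(address):
    """Txids whose inputs spend from `address` (outgoing transfers).

    A watcher keyed on the address itself, rather than on a hosted
    wallet account, would raise an alert on every txid returned here.
    """
    return sorted(txid for txid, tx in TXS.items()
                  if any(addr == address for addr, _ in tx["in"]))


def trace_forward(address, max_hops=10):
    """Breadth-first walk downstream from `address`.

    Returns [(hop, txid, total_output_satoshis)] in discovery order.
    Every output is followed, so co-spent coins from other people are
    carried along; the totals therefore over-attribute and are an upper
    bound on what originated at `address`, not a measure of it.
    """
    seen, frontier, trail = set(), deque([(address, 0)]), []
    while frontier:
        addr, hop = frontier.popleft()
        if hop >= max_hops:
            continue
        for txid in spends_from(addr):
            if txid in seen:
                continue
            seen.add(txid)
            total = sum(value for _, value in TXS[txid]["out"])
            trail.append((hop + 1, txid, total))
            for out_addr, _ in TXS[txid]["out"]:
                frontier.append((out_addr, hop + 1))
    return trail


if __name__ == "__main__":
    for hop, txid, total in trace_forward("A_victim"):
        print(f"hop {hop}: {txid} moves {total} sat")
```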
I was oblivious: it's more than USD$1.5 million, in 30 minutes! I mean, these guys (the 'crackers') are quite something. It's not a simple thing nor an easy one to steal this amount of money in such a short period of time.
Days later, continuing my daily research (trailback), I managed to find addresses with 2,000 BTCs, 100,000 BTCs and even 1 million BTCs (that is, 100,000,000,000,000 satoshis), in just a week's time (168 hours). One day, I found a trail back to an address with more than 2 million BTCs balance. But that's not all. Last week I got myself into an address where the trail seems to be pit-stopping; it has a balance of nearly 10 million BTCs.
This I just wouldn't believe, if it weren't because I saw it with my own eyes -- and took snapshots of it, to prove it --; that's about 50% of the total amount of BTC available -- mathematically programmed to be topped at 21 million BTCs --, ever! And this is coming from the same network of fraud, scams and deception, carefully planned and structured by these "crackers".
At a couple of points on the trail I've been following ever since, I found myself at mining addresses, with no transferred coins, but newly minted ones. One of those addresses even stated the name of the mining pool (V I A B T C). Of course, the relaying IP addresses were proxied around some VPN like TOR -- and that's the reason why some of them appeared to be in Germany, the Netherlands, France, U.S.A., Austria, Switzerland, Croatia, etc. --, so it is practically impossible to find some individual company or person guilty of any crime, because they only functioned as bridges between the origin and the endpoints of those -- and other -- transactions.
So, weighing the amount of BTCs involved in this gigantic, huge fraud operation, it sums up to around USD$10 billion. I think this can be officially named: GRAND THEFT BITCOIN.
I don't know how many persons were hacked, nor when -- like I was -- by the same network of "crackers", miners and scammers; but one thing is for sure: there's a trail to be followed by whomsoever wants to do it. Beware: the mixing of your coins with others coming from thousands of different addresses (sources) could've even ended up being paid to someone, somewhere, clicking on some 'legit' BTC faucet or as a prize for supposedly mining a block by cooperating at some 'legit' pool or cloud mining operation. The range of this operation is so huge that you may even have some or many stolen satoshis yourself.
So, here are my after-shock recommendations to anyone having a bitcoin address:
1).- Don't ever trust any faucet app, whatsoever, with your bitcoin address(es) before doing a simple security check-up of the developer and the legitimacy of its source code. In this case, Google Play Store and Mac App Store usually deliver by filtering those apps which have keyloggers inside of them, for example; nevertheless, that's not enough. Even though bitcoin faucets find their main reason to exist in the very same mathematical reason by which an advanced CPU can't mine a single bitcoin -- even if you leave it on and mining for more than a year -- going solo, it's safer to just go and buy your satoshis from somebody that's also registered at an online service like localbitcoins.com.
2).- Try to avoid digitally hosted wallet services, regardless of who it is or how it claims to safeguard your satoshis. Always perform security checks upon the actual bitcoin address(es) you possess, not the wallet (such as the one COINBASE hosted for me, from where my satoshis were stolen). The problem with these companies is that they issue bitcoin addresses as they see fit, but by automating this delicate process (it's the moment when you create your password and generate your private and public keys), they're missing the most important issue: security.
3).- Download and install apps like SENTINEL, whose main function is to look after the actual transactions made from and to your bitcoin address(es), not your wallet. This is the reason why I don't trust COINBASE anymore: they failed to warn me. As a matter of fact, they even forcefully closed my account, afterwards -- but not before I was able to move my satoshis to another wallet, at least --.
4).- Leak this kind of stuff, always. The bitcoin community benefits from every active and legitimate node running on each and every one of your computers (e.g., laptops, desktops, notebooks, netbooks, microcomputers, servers, mobile devices, etc.), as well as from the information about security breaches and relevant news responsibly leaked and backed with their respective sources.
5).- If you are a hacker or a programmer or an engineer or just an amateur 'digisapiens', help others by analyzing malicious code like the one appearing at the webpage described in the beginning of this article ("Bitcoin Generator Hack") and, if possible, reverse-engineer it to understand how this GRAND THEFT BITCOIN is made possible.
One final statement: I believe that Satoshi Nakamoto (whomsoever 'he' is or was, or 'they' are or were) never intentionally wanted to change the world with bitcoin, but as long as it's making the improvements that are already patent with its mere existence, we, 'the people', have to procure its wellbeing and healthy life, so we all get to benefit from it. Bitcoin is, apart from what it says it is, an instrument of abundance, privacy and freedom, above all. I choose to stand by it, as long as I can, getting away, as far as possible, from the fiat banking system that has only purported inequality, debt, inflation, hunger and injustice to the world.