Topic: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users - page 2. (Read 1169 times)

newbie
Activity: 21
Merit: 0
That rogue jquery cdn include is some serious obfuscation. It doesn't look like that one is easy to unobfuscate, It is an enormous function built by lots of mini functions referencing memory addresses, very hard to follow. It would take me hours to decipher all that.
jr. member
Activity: 89
Merit: 2
I looked through the malicious JS code. It seems to be targeting user id 31898443 specifically (unless a different ID is loaded based on the URL parameters used to load the JS from the cashtravel site).

It appears then to hit https://bitwrecken.com/?action=new&id=31898443 to get the new / rogue deposit address. Presumably this is done so the attackers can cycle through various different rogue deposit addresses, or even randomise them.

There is then an HTML element called main_deposit_address which is replaced by the value retrieved from the bitwrecken.com site.

The script is actually rather simple in how it works, nothing complicated going on.

The worrying part, is how the attackers were able to embed this into the freebitco.in site and whether it has affected all users. It feels like those who clicked the advanced tracking button in the referral page may be the ones who were hit, but not seen any confirmation of this.


Thank you for your analysis.

What do you make of this
https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js

It looks like something you'd expect to see on https://www.ioccc.org/
newbie
Activity: 21
Merit: 0
I looked through the malicious JS code. It seems to be targeting user id 31898443 specifically (unless a different ID is loaded based on the URL parameters used to load the JS from the cashtravel site).

It appears then to hit https://bitwrecken.com/?action=new&id=31898443 to get the new / rogue deposit address. Presumably this is done so the attackers can cycle through various different rogue deposit addresses, or even randomise them.

There is then an HTML element called main_deposit_address which is replaced by the value retrieved from the bitwrecken.com site.

The script is actually rather simple in how it works, nothing complicated going on.

The worrying part, is how the attackers were able to embed this into the freebitco.in site and whether it has affected all users. It feels like those who clicked the advanced tracking button in the referral page may be the ones who were hit, but not seen any confirmation of this.

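The analysis above describes the injection pattern: a script loaded from a host the site does not control fetches an address from a third party and overwrites the text of the main_deposit_address element. The following is an added defender-side check, not code from the thread or from freebitco.in; the allowlist of trusted script hosts and the pinned address are constructed assumptions for illustration.

```javascript
// Added example: detect the two symptoms described in the thread,
// (1) a <script> loaded from a host outside a small allowlist and
// (2) the displayed deposit address differing from one the user pinned
// out of band (e.g. copied from the account page before the incident).
// The checks are pure functions so they can be run without a DOM.

// CONSTRUCTED allowlist; a real one comes from auditing the site's own assets.
const TRUSTED_SCRIPT_HOSTS = new Set(["freebitco.in", "www.freebitco.in"]);

// Return the script sources whose host is not on the allowlist.
// Relative URLs resolve against the site origin and are considered first-party.
function findUntrustedScripts(scriptSrcs, trusted = TRUSTED_SCRIPT_HOSTS) {
  const flagged = [];
  for (const src of scriptSrcs) {
    let host;
    try {
      host = new URL(src, "https://freebitco.in/").hostname;
    } catch {
      flagged.push(src); // an unparsable src is itself worth flagging
      continue;
    }
    if (!trusted.has(host)) flagged.push(src);
  }
  return flagged;
}

// Compare the address the page shows with the pinned one (whitespace-insensitive).
function depositAddressMatches(displayed, pinned) {
  return String(displayed).trim() === String(pinned).trim();
}

// Browser-only helper: watch the element and report any mismatch, including
// one introduced after page load by a script that rewrites the element.
function watchDepositAddress(doc, pinned, onMismatch) {
  const el = doc.getElementById("main_deposit_address");
  if (!el) return null;
  const check = () => {
    if (!depositAddressMatches(el.textContent, pinned)) onMismatch(el.textContent);
  };
  check();
  const obs = new MutationObserver(check);
  obs.observe(el, { childList: true, characterData: true, subtree: true });
  return obs;
}

// Constructed sample input mirroring the thread: one first-party script and
// the third-party jquery.min.js include that posters found in the page.
const SAMPLE_SCRIPTS = [
  "/js/app.js",
  "https://cdn.jsdelivr.net/gh/feleryunfbc/js/jquery.min.js",
];
```

In a browser, calling watchDepositAddress(document, pinnedAddress, console.warn) from the devtools console surfaces a rewrite of the element as soon as it happens.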
jr. member
Activity: 89
Merit: 2
OK, so that people no longer have doubts about how the address is being changed when withdrawing funds. At the end of the video, watch carefully how my output address was changed!!! I hope no one else will say that we are deceiving you and the site is not hacked!
https://dropmefiles.com/56V5d



Update!!:
After I posted the video with the substitution of the withdrawal address, an hour later I tried to withdraw funds again and surprisingly my address did not change and the withdrawal went to the correct address! Is it a coincidence??? Or are hackers monitoring this forum topic?

It appears you do not have 2FA enabled which is why you received a payment request confirmation email and were therefore able to abort the withdrawal by not clicking the confirmation link in the email.

I have disabled 2FA for this reason.

Thank you for the video. Much appreciated.



I also turned off 2FA for this reason, but there is one important caveat: if you withdraw funds to an address linked to an FBC account, then an email with a confirmation link will not be sent. Therefore, you need to make a withdrawal to an address that is not linked to the account!

Thanks for the additional information.

It would seem then that the safest course of action is to turn off 2FA and generate a new Bitcoin wallet address. And of course confirming the address before clicking the confirmation link in the email.
newbie
Activity: 14
Merit: 0
OK, so that people no longer have doubts about how the address is being changed when withdrawing funds. At the end of the video, watch carefully how my output address was changed!!! I hope no one else will say that we are deceiving you and the site is not hacked!
https://dropmefiles.com/56V5d
https://ibb.co/PtqN3Mw
https://ibb.co/cgCnxQ1

Update!!:
After I posted the video with the substitution of the withdrawal address, an hour later I tried to withdraw funds again and surprisingly my address did not change and the withdrawal went to the correct address! Is it a coincidence??? Or are hackers monitoring this forum topic?

It appears you do not have 2FA enabled which is why you received a payment request confirmation email and were therefore able to abort the withdrawal by not clicking the confirmation link in the email.

I have disabled 2FA for this reason.

Thank you for the video. Much appreciated.



I also turned off 2FA for this reason, but there is one important caveat: if you withdraw funds to an address linked to an FBC account, then an email with a confirmation link will not be sent. Therefore, you need to make a withdrawal to an address that is not linked to the account!
jr. member
Activity: 89
Merit: 2
OK, so that people no longer have doubts about how the address is being changed when withdrawing funds. At the end of the video, watch carefully how my output address was changed!!! I hope no one else will say that we are deceiving you and the site is not hacked!
https://dropmefiles.com/56V5d



Update!!:
After I posted the video with the substitution of the withdrawal address, an hour later I tried to withdraw funds again and surprisingly my address did not change and the withdrawal went to the correct address! Is it a coincidence??? Or are hackers monitoring this forum topic?

It appears you do not have 2FA enabled which is why you received a payment request confirmation email and were therefore able to abort the withdrawal by not clicking the confirmation link in the email.

I have disabled 2FA for this reason.

Thank you for the video. Much appreciated.

newbie
Activity: 14
Merit: 0
OK, so that people no longer have doubts about how the address is being changed when withdrawing funds. At the end of the video, watch carefully how my output address was changed!!! I hope no one else will say that we are deceiving you and the site is not hacked!
https://dropmefiles.com/56V5d
https://ibb.co/PtqN3Mw
https://ibb.co/cgCnxQ1

Update!!:
After I posted the video with the substitution of the withdrawal address, an hour later I tried to withdraw funds again and surprisingly my address did not change and the withdrawal went to the correct address! Is it a coincidence??? Or are hackers monitoring this forum topic?
jr. member
Activity: 89
Merit: 2
@BayAreaCoins

Someone mentioned in another similar topic that the link to the malicious script was somehow hidden in the "advanced tracking using tags" button code on the freebitco.in site.

https://bitcointalksearch.org/topic/m.64033700

I actually did click that button days prior to the attack on my account.

Food for thought.
jr. member
Activity: 89
Merit: 2
That's when I made the mistake of enabling 2FA

Even with 2fa, my default profile address never changed...

Same here, my profile address never changed.

I didn't even attempt a withdrawal.

The hackers triggered the withdrawal seconds after the prize money was credited to my account, and somehow they managed to bypass my profile address.

Ouch, gotcha... Takes the sting out of me at least trying to get the process a little less stingy... *sigh*

They must have been able to solve our 2fa "upgrade" for us... how kind.

Initially I didn't make a withdrawal.

I just opened freebitcoin to check my balance just as you did.




Someone has pasted a version of the malicious cash travel js here https://pastebin.ai/eo0q78pbuj



jr. member
Activity: 89
Merit: 2
...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.

Shiet. Now we all can panic.

TheQuin where the hell are you man your establishment has caught FIRE!
Absolutely!

If you have 2FA enabled you won't get a payment request confirmation email from freebitco.in

What you will get is a payment sent confirmation email.

The attackers targeted the bigger fish. This time...
If the attackers are able to bypass the 2FA security and to initiate withdrawals whenever they want, why are you the only user reporting it until now? They would have no reason to wait before withdrawing as much funds as they can, so I think many people would already be here complaining about random withdrawals happening spontaneously. That's why your claim is a little bit surprising. Are you sure no one living with you has been able to steal your funds? If yes, are you sure your 2FA device is safe and hasn't been compromised too?

The OP listed points 1-8 above

My situation and reaction was almost identical. Obviously the amount I won was different. The unknown address was also different.

I didn't say, "the attackers are able to bypass the 2FA security..."

I said they were able to initiate an unauthorised withdrawal, bypass my default profile address and insert an unknown Bitcoin address.

It's important to note that this happened prior to enabling 2FA.

After I enabled 2FA, I initiated an authorised withdrawal. The attackers hijacked this withdrawal.

What I said in relation to 2FA was you won't receive a payment request confirmation if 2FA is enabled.

So, having 2FA enabled therefore works to the attackers' advantage.


Maybe something got lost in the translation.





legendary
Activity: 2604
Merit: 2353
...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.

Shiet. Now we all can panic.

TheQuin where the hell are you man your establishment has caught FIRE!
Absolutely!

If you have 2FA enabled you won't get a payment request confirmation email from freebitco.in

What you will get is a payment sent confirmation email.

The attackers targeted the bigger fish. This time...
If the attackers are able to bypass the 2FA security and to initiate withdrawals whenever they want, why are you the only user reporting it until now? They would have no reason to wait before withdrawing as much funds as they can, so I think many people would already be here complaining about random withdrawals happening spontaneously. That's why your claim is a little bit surprising. Are you sure no one living with you has been able to steal your funds? If yes, are you sure your 2FA device is safe and hasn't been compromised too?
jr. member
Activity: 0
Merit: 0
...
Yeah.

It's not safe to deposit. The attackers can change the destination address.

It's not safe to withdraw. For the same reason.

It's not safe to stand idly by and do nothing. The attackers can initiate a withdrawal and overwrite the profile address.

The attackers know that their attack was successful.
I would expect them to target any user with a balance above the minimum withdrawal threshold next.

The attackers also know that the vulnerability they are exploiting will sooner or later be patched.

If you can get your coins out now before the attackers make their next move...


It is not safe and there is more than one problem. There has been talk of a cashtravel script that those of us affected have had, but now it no longer appears, and even so the deposit addresses are fake (and it is not possible to change them), so any withdrawal can go to any unknown address.

This is the address where all my funds were stolen, and it is still the Deposit address when I click the Deposit button: 144p3SroEwDs1rdMmBqkCKHLpQ2TUCH3Li.

My real Deposit address does not even appear among the old ones inside the window.

I have made my account available to freebitco.in by email for investigation but they do not respond to any email. I hope they are doing something even if it is silent.

For the moment, of course I cannot do anything in freebitco.in and I am recommending not using the page.


jr. member
Activity: 89
Merit: 2
...
Yeah.

It's not safe to deposit. The attackers can change the destination address.

It's not safe to withdraw. For the same reason.

It's not safe to stand idly by and do nothing. The attackers can initiate a withdrawal and overwrite the profile address.

The attackers know that their attack was successful.
I would expect them to target any user with a balance above the minimum withdrawal threshold next.

The attackers also know that the vulnerability they are exploiting will sooner or later be patched.

If you can get your coins out now before the attackers make their next move...
jr. member
Activity: 89
Merit: 2
...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.

Shiet. Now we all can panic.

TheQuin where the hell are you man your establishment has caught FIRE!
Absolutely!

If you have 2FA enabled you won't get a payment request confirmation email from freebitco.in

What you will get is a payment sent confirmation email.

The attackers targeted the bigger fish. This time...
legendary
Activity: 3234
Merit: 2420
...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.

Shiet. Now we all can panic.

TheQuin where the hell are you man your establishment has caught FIRE!
jr. member
Activity: 89
Merit: 2
...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address, instead inserting the attackers' address.
jr. member
Activity: 0
Merit: 0
I didn't do anything. I certainly wasn't tricked into doing anything
I received an email notification that I had won a place in the wagering contest. I was expecting this email. I didn't click any links.
I opened chrome and clicked my freebitcoin bookmark to check if the prize money was in my account. It was. I was staring right at the balance. It disappeared. Went to zero. Then the referral coins started trickling in again.
Then I got an email notification about a pending withdrawal.
I hadn't done anything except open freebitcoin in chrome to check my balance.
After an hour the withdrawal was reversed and the coins returned to my account.
That's when I made the mistake of enabling 2FA.

I think you got a fake email because the attacker already knew that you were going to be one of the winners of that contest. Who is the sender? Did it come from freebitco.in?

As the other victims pointed out, there seems to be a malicious script that’s targeting certain people. However this script loads on your browser. (Client-side) That means it has the ability to show you anything. Who knows what’s in that script… It can probably show a fake deposit address too.

That’s where you were getting tricked.

Just because you saw 0 balance didn't mean you actually had 0, because your balance's record is kept at the back-end (server-side) of the application.

So till freebitco.in finds a fix, nobody should do anything stupid like sending coins to another wallet or deposit to a fake address. Better stay away for a while.

Some people managed to withdraw their coins successfully, maybe try that

In my case, stolen twice in the last month (once depositing from Kraken to a "new" Deposit Address that appeared in the Freebitco.in Deposit window, and another time making a withdrawal, entering the address manually, but when clicking the withdraw button everything changed; I have a screenshot from just before clicking, and the sent movement in the Stats - Profile page names another address different from the one I wrote).

More than 48 hours later, my Deposit address continues to be false and I have the cashtravel script in the developer tools. I have tested on 2 different PCs, 3 different browsers and 1 mobile phone. In all of them the Deposit address is not mine.

So, I cannot recover my address, I cannot use the page. Freebitco.in has some emails but...
legendary
Activity: 3234
Merit: 2420
I’d like to look when I am home but I am scared to touch that shit too as I also have an acc there.

I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)
jr. member
Activity: 89
Merit: 2
That email looks legit. It is probably not a part of the attacker’s plan. Still though, like I said what you see on your browser isn’t the truth probably as the victims are loading a malicious script. As long as the backend of the app is safe, you shouldn’t worry. Hopefully it is safe Grin

Yes, understood. Thank you.

I'd like to know more about this malicious script. Do you know if anyone has posted the script source code to Pastebin or similar?


legendary
Activity: 3234
Merit: 5637
I advise everyone to refrain from making deposits until further notice, and to be extra careful when making withdrawals - I personally have a nice sum there, but I don't know if it's worse to do nothing for now or to still try to make a withdrawal Undecided
Just cashed out all my satoshis from the platform yesterday after reading all these news. Withdrawal went fine and arrived on my wallet without delays, as usual.
~snip~


Thanks for the info, because it means that the entire system is not compromised, but someone obviously has access to a part of the system that they are manipulating for malicious purposes. Given that in some posts it was possible to read that freebitco occasionally has help from the side, it is possible that one of the external collaborators decided to use their access to the system and the apparent current lack of control and supervision from the owner.