Pages:
Author

Topic: 100 BTC was stolen from my Primedice account. Please see thread. (Read 15948 times)

legendary
Activity: 1068
Merit: 1020
so was it confirmed that 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL was hot storage for BTC-e?
full member
Activity: 182
Merit: 100
Has there been a conclusion to this yet?

This is likely what happened: https://bitcointalksearch.org/topic/m.9086516

TL;DR: OP set a very weak password and deposited 100 btc. Someone guessed his password and sent the 100 btc to btc-e for mixing or selling it.

Sucks to lose 100 BTC to keep it on a site without 2FA.
hero member
Activity: 619
Merit: 500
Has there been a conclusion to this yet?

This is likely what happened: https://bitcointalksearch.org/topic/m.9086516

TL;DR: OP set a very weak password and deposited 100 btc. Someone guessed his password and sent the 100 btc to btc-e for mixing or selling it.
full member
Activity: 182
Merit: 100
Has there been a conclusion to this yet?
full member
Activity: 140
Merit: 100
YOU"RE LIKE A TIMEBOMB!
*sigh* I really hope this will end in good terms.
member
Activity: 70
Merit: 10
★Bitin.io★ - Instant Exchange
Stunna - word of advice - allow usernames and chatnames to be different. A lot of sites offer this so that no one knows what username is actually the account holders. Allow people to have different names between the two for an extra level of security.

KOS.

Will consider offering this for new accounts, ultimately if the user enables 2FA it should act as a pretty significant shield from unwanted access though.
I dont like 2fa but the chat idea seems good
newbie
Activity: 56
Merit: 0
Could this be a site's hot wallet (or is it a single user's wallet?!) https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It's only been around since the end of July and has already received over 220,000BTC.

doubt it's a gambling site, way too big the trans

unless it's a middle account

say SWC sweeps into it then outs to a vault

so a gambling site with volume could do a bunch of minor trans and then use something like this to 'sweep' into

can anyone figure out where all the in money is then outed too?

they probably have a bunch of off line vaults

so the trans accounts taking the low trans sweeps to a monster step account which then vaults to a bunch of addy's

that's what it looks like to me

but I"m not a pro at reading the block yet

newbie
Activity: 14
Merit: 0
Thanks guys. I appreciate the BTC-e lead. Emailed their support last night, asking if "1FsVc..." belonged to them. Unfortunately, they said they can not give that type info unless the police are involved.

Not saying I would go that far, but just thinking out loud-
Does anyone know who I would go to if I were to get the police involved? I really can't imagine going to the local substation and trying to explain to them was a Bitcoin is, let alone having them get involved. Also, what jurisdiction does this fall under?

full member
Activity: 210
Merit: 100
Especially since my stolen coins all eventually ended up at the infamous "1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL", I am inclined to think that this is more than just some thief working on his own. Whoever is behind this has many "irons-in-the-fire" and is scamming on many levels. Also, he could possibly own millions of USD worth of coins. If that is truly the case, he may not be that anonymous after all.
Just FYI, that address seems to be a hot-wallet of BTC-E. So frequently hackers send the BTC to their BTC-E deposit address (probably as a simple mixer) and after that BTC-E moves it to "1FsVcdeH.." (and after that uses it for withdrawals etc.) For example it's mentioned here after a BTC-E deposit: http://www.reddit.com/r/Bitcoin/comments/2hv0jd/i_think_someone_just_tried_to_steal_my_coins_but/

Sorry for your loss btw.
Based on this, we can assume 1 of the 2 following:

1) 1PrZQH8L7aU9qyhbgLvm4zNjfoC1wGevAs is a BTC-e deposit address

OR

2) 1A1GYrx2qvPBr1PyqHJ5ibG6ECnJBcqey5
    1AB5fAh4eUT3vLcYnzss5dAfuDznEbXRmT     >>>> are all BTC-e deposit addresses.
    1DbURCqnqNiykqs6j4f1xvRYCqrE2rsHYM
 

Either way if you are trying to find more info on who stole your coins contacting BTC-e might be beneficial. Don't know how helpful they'll be, the scammer obviously sent the coins to one of the most rogue trading sites (communication-wise) out there. Probably not the first time hes done something of this nature but I doubt as big as this score.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Especially since my stolen coins all eventually ended up at the infamous "1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL", I am inclined to think that this is more than just some thief working on his own. Whoever is behind this has many "irons-in-the-fire" and is scamming on many levels. Also, he could possibly own millions of USD worth of coins. If that is truly the case, he may not be that anonymous after all.
Just FYI, that address seems to be a hot-wallet of BTC-E. So frequently hackers send the BTC to their BTC-E deposit address (probably as a simple mixer) and after that BTC-E moves it to "1FsVcdeH.." (and after that uses it for withdrawals etc.) For example it's mentioned here after a BTC-E deposit: http://www.reddit.com/r/Bitcoin/comments/2hv0jd/i_think_someone_just_tried_to_steal_my_coins_but/

Sorry for your loss btw.
newbie
Activity: 14
Merit: 0
OP here.
That's pretty much the gist of it...  Let me just add a few details from my end:

It's also important to note that diceminer had completed several other 100 coin deposits and numerous cashouts prior without issue and since the incident there have been a significant increase in 100+ coin deposits/cashouts and no issues.

With my "DiceMiner2" account on PD, I had deposited 100 BTC twice. The first time, I won 20 BTC, the second time, the theft occurred. Also, I recently found a post while browsing, about my other PD account at the time:

https://bitcointalksearch.org/topic/m.8896057

So, with 2 different PD accounts, I had won a total of 40 BTC and successfully deposited and withdrew my 100 BTC principal 2 out of 3 times. I guess the new 2-factor that was added as a result of this theft has brought more whales.


The Investigation
I was secretive about what had happened as I ended up setting up logs on diceminer's account to try and find out who was accessing it as this was a serious theft. I attempted to bait out the person by putting coins on the account and then blocking it from cashing out, only one person ended up cashing out the "trap" cashout and that was diceminer himself unfortunately.

When Stunna and I started discussing privately, he was incredibly gracious in helping me attempt to find this guy. Initially, the plan was the send 100 BTC to my PD account, while an "anti-cashout" feature was implemented so no coins could leave the account, in the event the thief came back and tried it again.

On September 24th, Stunna informed me that the trap was in place and to not login (so as to not cause any confusion). A few days passed with no activity, which was not really unusual, but what puzzled me was that there was absolutely no sign of any deposit into my PD account, when viewed through the blockchain. To me, this was the entire point, because how else would the thief know there was any bait? I logged into the account to see for myself and when I got it, 5 BTC was added to the balance in PD, but none of those 5 coins showed up in the blockchain. I tried withdrawing the dust that I had left over (approx. 0.00101 BTC, I believe) and the "anti-cashout" feature was definitely in effect. Also, Stunna informed me that my entry had been logged, so that was all in working order as well.

He told me that he had credited the account from the back-end and when I explained why I thought that may be ineffective as bait, he finally credited 4 BTC to the account, using actual coins, on September 28th. Unfortunately he withdrew the bait only a day after, on the 29th:

https://blockchain.info/address/12UrtgL7XWbM6mMfZyzSgfEoVMFMDXdFta


If the user ran a script though then there is no way for us to defend against that, I had some concern that this was the case here as this occurred a day or two after someone started spamming chat with the "PD Exploit" script and his video contained the greasemonkey add-on but I'll trust diceminer's word that no scripts were involved.

Thank you Stunna. I really have no need to any cheats or exploits, as I bet very conservatively, over a long period of time. Many people that were active on Just-Dice may remember me from this:

https://bitcointalksearch.org/topic/m.6319022

All I need is a secure site that is run in an honest way, to make my coins. Sometimes I wonder if using the same "DiceMiner" name may have tipped off the thief (or thieves) to my whereabouts. It's moot now, but that type of thing is always in the back of my head now. Needless to say, I will be using new, unfamiliar names from now on.


Conclusion
I conclude that the 100 coin loss was most likely  a result of the weak password matching the username of the account which allowed a thief to successfully commit a simple password guessing attack which could only have been prevented by us banning weak passwords, providing 2fa at the time or by the user setting a more secure password. It's important to note that we had sufficiently strong brute-force/guessing limits in place which is why I feel that this attack was not automated and was simply a random person manually plugging in a few password attempts on the account and getting lucky.

I believe this is part of the story, but there must be something else we are not seeing or considering. My sleep and gambling schedule is fairly erratic and hard to predict. It just seems implausible that somebody was squatting on my PD account and repeatedly refreshing his browser, in the hope that I would login and deposit.

Especially since my stolen coins all eventually ended up at the infamous "1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL", I am inclined to think that this is more than just some thief working on his own. Whoever is behind this has many "irons-in-the-fire" and is scamming on many levels. Also, he could possibly own millions of USD worth of coins. If that is truly the case, he may not be that anonymous after all.


Many of diceminer's coins appear to have been sent here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL  . Anyone with any information regarding this should shoot me a PM as I'll continue to do what I can to help him recover his lost coins. I thank diceminer for his cooperation and understand throughout all of this, I'll keep my eyes and ears open to see if anyone has any information.

Again, I would like to thank Stunna for all his past help during this ordeal and his continued help, should any new information arise. After the implementation of 2-factor, Primedice is even safer than before. One can deposit and play there with confidence. Of course, this does not bring MY coins back, so I will welcome any leads any time. So, if anyone has any new info, or even a hunch, please chime in. Even if it is only concerning the "1FsVcd..." address. Whoever is behind my theft has burned many, many others on Bitcointalk.


DiceMiner
full member
Activity: 182
Merit: 100
Could this be a site's hot wallet (or is it a single user's wallet?!) https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It's only been around since the end of July and has already received over 220,000BTC.

That address was mentioned in the TimeToBit scam (post link: https://bitcointalksearch.org/topic/m.8460225) and the Dicebitcoin latest incident (post link: https://bitcointalksearch.org/topic/m.9063148) as well.

So, it seems to me that the address belongs to a big site.

It could probably be an exchange site address.
sr. member
Activity: 350
Merit: 250
Could this be a site's hot wallet (or is it a single user's wallet?!) https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It's only been around since the end of July and has already received over 220,000BTC.

That address was mentioned in the TimeToBit scam (post link: https://bitcointalksearch.org/topic/m.8460225) and the Dicebitcoin latest incident (post link: https://bitcointalksearch.org/topic/m.9063148) as well.

So, it seems to me that the address belongs to a big site.
I'll do more research on this address, I'm sure there are a lot more connections than just those to but yet again it could just be that the user is gambling all the runs he makes, and this is just the sites hot wallet from his gambling accounts address(es)
hero member
Activity: 896
Merit: 1000
Could this be a site's hot wallet (or is it a single user's wallet?!) https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It's only been around since the end of July and has already received over 220,000BTC.

That address was mentioned in the TimeToBit scam (post link: https://bitcointalksearch.org/topic/m.8460225) and the Dicebitcoin latest incident (post link: https://bitcointalksearch.org/topic/m.9063148) as well.

So, it seems to me that the address belongs to a big site.
hero member
Activity: 896
Merit: 1000
Looks like it is a case closed now. Sorry for your huge loss, DiceMiner.

Guys, please enable 2FA NOW if you want an extra level of security on your PD balance.
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
Could this be a site's hot wallet (or is it a single user's wallet?!) https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It's only been around since the end of July and has already received over 220,000BTC.
sr. member
Activity: 252
Merit: 250
Ace of ♠♠♠♠
yeah thats a nice idea that would prevents a bored person trying brute forcing someones account

Theres a lot of people like that around here.
hero member
Activity: 700
Merit: 500
I'd say force people to add an entirely different chat name than their username. People that had registered before this would have to change their login.
hero member
Activity: 602
Merit: 500
yeah thats a nice idea that would prevents a bored person trying brute forcing someones account
legendary
Activity: 1022
Merit: 1000
That is a very sad conclusion to the story.  I'm sorry you lost your coins and that some will blame you for "not protecting them well enough."

I agree that it would be nice to separate ones log in username from your "handle" on the site but only a few sites do that and I can see how it could add further confusion.
Pages:
Jump to: