Topic: Bitcoin Bouny Hunter: Bitalo DDOS attacker discussion (Read 11565 times)

Is CloudFlare Free plan strong enough for DDOS protection ? If yes, is there any tuning in settings are required ?

Mail server is not so critical to protect. In worst case scenario, sending/receiving of mails will not work, which is not equal as crippling entire service. For attacker is usually not worth to attack only your mail server, because with such attack he doesn't gain much leverage.

+1 

So, how come someone protect his mail server ? I never heard Gmail to be down due to DDOS. There must be some way to hide the Mail Server IP as well...

Generally mail server IPs remain different from web server IPs. But, I'm not sure whether attacking mail server also affects the web server in some way.

In our case, attacker simply targeted stratum IPs. There is no such service as CloudFlare for stratum and no ISP/provider can do null route of UDP therefore you cannot really fight 300gbps UDP flood.

It is not so hard to protect web server. You can move mail server to another server/IP.

well the cloudflare can be passed when the real IP behind is identified via some tricks like mails etc.

How come those, who are using CloudFlare are vulnerable to this attack ? I think CloudFlare works well against DDOS ...is not it ?

Script kiddies do not know how to code, they only know how to use existing tools to create attacks. If they knew how to code, they would earn money with coding, not extortions.

@DD4BC,

how about earning our bounty of 2 BTC with something CONSTRUCTIVE? Twice as much as the (initial) ransom you tried to extort ;-))

https://bitcointalk.org/index.php?topic=999414.new#new

You can fight this attacker by null routing UDP traffic. Since stratum servers don't need any other traffic but TCP, this is nice solution. If anyone knows a company, ISP or whoever who can set BGP null route rule, let me know.

bitmaintech.com has added an additional 10 BTC to this bounty.
http://coinfire.io/2015/03/12/bitmain-fights-back-against-ddos-group/

110 BTC total currently.  (About $32,000 USD)

I was wrong - he already stopped paying.

But at least, Bitalo is still here. Mainly because they have no members - nobody to scam. Yet.

bump

bump

It's way more awesome how willing you are to fully admit your crimes online. =)
High ^5

Next time though, you might just want to keep your mouth shut after you hack and extort your victims.
Also, avoid twitter.

Oh, and you should also consider photos you put online using different handles which are connected to you.
That exif data is a bitch. Not every website wipes it like Facebook does.

=)

-When he is in the US, I really dont see any problem that conviction would fail. I dont require that he is persecuted in Europe, if he gets a 50 dollar fine in the US thats already a conviction.

No, I think the problem is that I assumed someone with 100btc bounty out would have legally prepared before they invested 100btc on an informants tip.

Considering (from your end) your hacker could be 1 person in billions of people who exist...no lawyer would have told you to expect a conviction in the end because from your end there are way to many unknown variables. If a lawyer had actually sat down with you already, he would have explained that to you during a basic consultation.

So, I think what you actually did was place a simple police report - and since they did not value your case as priority, you decided to put out 100btc bounty hoping that someone would finally get motivated to pay attention to it. Weather that was a friend of the hacker, someone like me who is skilled in locating absconded individuals online, or the Law Enforcement who didn't pursue this from the start.

I'm also confident that the agency you reported to did absolutely no investigation (or a minimal one). If they had, it would have taken them less than 24 hour to identify DD4BC from his outlook address he used to make threats, than connect him to a thousand other things that validate your case and other peoples cases.

If you had an attorney, he would have helped you file a court order with Microsoft to provide you with the inner details of the person using that email address to harass you. Then you could have also court ordered twitter, since he used the same email address to sign up for an account there - and also admitted his crime there. You don't need an informant for that. Your attorney could have done those things, it would have cost drastically less than 100btc.

-When he is in the US, I really dont see any problem that conviction would fail. I dont require that he is persecuted in Europe, if he gets a 50 dollar fine in the US thats already a conviction.

I'm sorry that you don't see any problem where a conviction would fail. Probably because you never spoke to an attorney about it.
I assumed that someone putting out a 100btc bounty would have at minimum spoken to an actual attorney about it, but it's clear you never did. I was told word for word "Since the guy is in America, they probably won't even bother making the long distance call - and vice versa"

You don't require that he is persecuted in Europe? You would settle for a fifty dollar fine in the states?  
I don't think you have a good grasp on how the law works in prosecuting crimes. Or you are being vague again.

1. Are you saying if I get him for any hacking crime in the US, and a fifty dollar fine, you will pay the bounty?
2. or do you mean that if he get's a fifty dollar fine in US for committing a crime with you as a documented victim?
two different things. lets be clear when we say things. and clarity would be important here in terms of the bounty you are offering.

Number 1 is way dooable. But I have a feeling that's not what you were meaning to say.

Number 2 is not going to happen.
The US is not going to spend American tax dollars processing this guy through the system for a fifty dollar fine in reaction to a Victim in Europe. Nor would they spend the time contacting your local agency to transfer your little police report from Europe to America to press charges for you. You would have to report that crime to American law enforcement, not European ones, to have a chance in that context.  


See, I would have asked my lawyer
"Hey lawyer, I am considering to offer 100btc for info on my case. Do you think it would be worth while in my situation to do this?"

Any attorney would have told you to do so at your own risk.
That it would be improbable to convict anyone for this minimal crime outside of your country.
That the probability of the hacker actually being in your own country is small (since from your end you don't know who he is).

There is also the ethical concern here that all informants should uphold. Any informant who gives you this personal information to identify this guy, is also doing this on good faith. Trusting that you will not use it for any unethical purposes. Say, in retaliation.

I don't want to be connected to something like that - and there is no way for me to predict, or know, if that could happen in the future. If I had the impression that you actually prepared for this bounty and had a lawyer involved...I would feel more confident about passing that info along to you directly. But you don't. (actually I wish I would have figured this out prior to working on this, because if I had I probably would have never gone through the time or effort here).

I also question why you would spend 36grand on a bounty instead of just getting a lawyer. Court orders are pretty easy to obtain.
I know someone who got one last week to reveal the private whois of a website. Now he is suing the owner of the website for something.

So yeah, none of this makes sense...its not the discussion. This discussion is completely valid and legit. It's also what seems to be your apprehension about this discussion that also makes no sense.


If and when you can prove that you have an attorney on retainer, I'll send himall of the information directly.

I will require at that point a guarantee that you will use the information ethically, and ONLY for legal purposes.
At that point, your attorney will get all the evidence I have linking everything,
AND all the contact details for the hackers local police agency and local FBI field office.

Afterwards, once you guys verify that I had the right person - with or without the conviction like you said- you can choose to pay me the bounty.

I'll take a portion for my time. The rest can be split amongst certain victims of crimes who might have paid dd4bc already so they can get their money back.  

Otherwise, this concludes my involvement in this situation. I dont want your time wasted, nor do i want mine wasted.

Respectfully.
me

why dont you talk with Roger, i am 100% SURE in these kind of minor cases you will still get the bounty, even without any "real" conviction

The kid is quite obviously in the US (east coast). Thats not the issue, the issue is that even when the kid is found, LE won't be able to do a whole lot with the info, they'll still need to do an independant investigation and find the evidence on their own. It's almost certain we'll find his identity as the kids clearly made a lot of mistakes, but that doesn't mean he'll be convicted of a criminal offense.

This is why I don't see the point wasting my time looking into this, because the chances of a conviction are low and a conviction is required to claim the bounty. Instead of being set on securing a conviction, you could publicly post his information in order to let his friends, family and future potential employers know what he did. That would also be more likely to discourage others from doing the same thing.