Great work, Mike.
I have a few questions, if you don't mind.
1: In your report, you stated the following:
We also learned that the compromise began sometime around early September, and was enabled through a common trend of universal passwords. Unfortunately we cannot track down exactly whose password was compromised, but it points to one of the owners of MidasCoin, who probably shared sensitive login details via Skype or email.
From our point of view the attacker simply logged into the servers using user accounts he had access to. No exploits. No vulnerabilities or backdoors in third party software. He simply logged in. Another reason we assume access was gained through the misuse of universal passwords is because the attacker did indeed fail to log into the servers multiple times:
1.1: Why did you assume the password/s was/were compromised via Skype/email? Was there evidence pointing to that fact? Couldn't the 'hack' be a smokescreen, with the owners involved all along, especially in light of the subsequent dump at Bittrex?
1.2: You used the phrase "one of the owners". Aside from Alessandro Soldati, was anyone else identified?
2: The owner of Coin Source, the organization which conducted the 'Proof of Developer', claimed to have been contacted by "authority agencies". Have you been in contact with, or been contacted by, said agencies and/or Coin Source? If no contact has been made, are you planning on approaching Coin Source to initiate contact with the "authority agencies" in question?
3: The owner of Coin Source identified the developer as 'Guiseppe'. Is that an alter ego of Soldati or someone else entirely?
Hey!
1.1: If you read our previous report on the CryptoRush hack (https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/) you would come away from the thoroughly investigated report with the sense that the original attacker (identified as Jimmy Bluey Amatong of the Philippines) had an apparent modus operandi, which started towards the end of 2013/January 2014, consisting of:
a) (initially started with) setting up pools to utilize mining power towards personal gain and logging their usernames/emails/passwords
b) traverse email accounts for further login information
c) traverse exchanges for email/password or username/password combinations until he was able to log into accounts and exfiltrate coins
d) log into skype/dropbox/emails/other third party services looking for sensitive information he can use to further his attacks
By following this MO he was able to infiltrate CryptoRush.in servers via universal passwords: locating administrative communications on the victim's Skype account, locating login information in emails from ISPs and in Skype conversations, and eventually finding a way onto a backup server for CryptoRush.in.
In the case of JBA's attack on multipool.us he utilized a combination of cookie brute-forcing and CSRF attacks (this was the only attack that did not fit his MO from the evidence and logs we have seen; it is also evidence that it was a failed attack on the pool).
Now finally to MidasCoin - the logs we were able to recover from the Elance customer server showcased JBA's activity regarding all of these attacks ending with the MidasCoin project - at this point we were able to communicate with the Elance customer, and remove his stash and access.
If you read our MidasCoin server audit (the PDF link above) you will see the entry points of the attacker which used the same IP addresses (the 66.*.*.* chunkhost server) to infiltrate CR months back.
In comparing our logs and evidence from JBA's hack of MidasCoin with the complete theft of the coins by the MidasCoin founder, you see extreme differences. Using deduction and logic we determined that JBA more than likely obtained access to these servers the very same way he had accessed CR: by having access to a leaked password list belonging to miners/traders/users and logging into all of their accounts looking for treasures.
1.2: The second person who was part of the staff was accessible to me over IRC, and I was not able to identify him. From what I can see/tell, he and the coin developer were robbed of what was owed to them for working on the projects. Shortly after the founder stole the rest of the coins, everyone pretty much left and I no longer received responses from anyone.
2: I have had no contact with anyone involved in investigating this case, or Coin Source. I will try to reach out to them. As for LEAs I can provide my research to anyone who requests it - although I've published everything I have in the links above.
3: The information regarding the person's name we discovered during the process of our research by looking at who has been using those email addresses publicly, and the information we were able to see from the user accounts in the database. We do not know if the name is a pseudonym or actual. We threw it out there in case the community can make sense of it.
Thanks for the questions!
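The report above draws its "leaked password, not an exploit" conclusion from the server logs: the attacker failed to log in several times and then succeeded with a valid account. The following is an added example of that check, not code from the report or from bitcomsec. It parses sshd-style auth lines and flags any source address whose burst of failed logins is followed by an accepted one, which is the footprint of someone working through a list of reused credentials rather than exploiting a service (no auth events at all) or an insider (success on the first try). The log lines are constructed for the example and the addresses come from documentation ranges; they are not the 66.*.*.* chunkhost server mentioned in the audit.

```python
import re
from collections import defaultdict

# Constructed sample log lines in OpenSSH auth.log format (not from the original report).
SAMPLE_LOG = """\
Sep  3 01:12:07 mc01 sshd[2101]: Failed password for admin from 203.0.113.10 port 51822 ssh2
Sep  3 01:12:19 mc01 sshd[2104]: Failed password for admin from 203.0.113.10 port 51830 ssh2
Sep  3 01:12:41 mc01 sshd[2108]: Failed password for root from 203.0.113.10 port 51841 ssh2
Sep  3 01:13:02 mc01 sshd[2110]: Accepted password for admin from 203.0.113.10 port 51850 ssh2
Sep  3 09:40:15 mc01 sshd[2390]: Accepted publickey for deploy from 10.0.0.5 port 40012 ssh2
Sep  4 22:05:33 mc01 sshd[3001]: Failed password for invalid user test from 198.51.100.7 port 3344 ssh2
Sep  4 22:05:40 mc01 sshd[3001]: Connection closed by 198.51.100.7 port 3344 [preauth]
"""

# Matches both successful and failed sshd logins; "invalid user" appears when the
# username does not exist on the host.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_event(line):
    """Return (result, user, ip) for an sshd login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), m.group("ip")


def find_credential_reuse(log_text, min_failures=2):
    """Return {ip: info} for every source IP that failed at least `min_failures`
    logins and then succeeded. Lines are processed in file order, so only failures
    that precede the acceptance count; a source that only fails (no success) or
    only succeeds (no failures) is not reported."""
    failures = defaultdict(list)  # ip -> usernames rejected so far
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        result, user, ip = ev
        if result == "Failed":
            failures[ip].append(user)
        elif len(failures[ip]) >= min_failures:
            flagged[ip] = {
                "failures": len(failures[ip]),
                "failed_users": list(failures[ip]),
                "accepted_as": user,
            }
            failures[ip].clear()
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_reuse(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures ({', '.join(info['failed_users'])}) "
              f"then accepted as {info['accepted_as']}")
```

Run against the constructed sample, only 203.0.113.10 is reported (three failures, then a valid login as admin). The key-based login from 10.0.0.5 has no preceding failures and the probe from 198.51.100.7 never succeeds, so neither is flagged; in a real investigation the flagged address is the one to compare against the logs of the other victims, as the report does with the CryptoRush entries.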