Topic: Hacked - 22 BTC stolen from Bitcoin-QT v0.8.1-beta wallet on OS X 10.7.5

sr. member
Activity: 393
Merit: 250
I have started a thread in the Scam section: https://bitcointalksearch.org/topic/m.5011741

Refer to there for updates regarding Stealthbit and Bitvanity.
legendary
Activity: 1148
Merit: 1018
Good job OP by warning people about this malware.

Making malware for OSX has to be a very profitable niche: virtually no use of AV software among OSX users, and anyhow I don't think that such targeted malware would trigger any alarm.
legendary
Activity: 2618
Merit: 1105

Yes, looks like it was. There should have been more coverage on the software when it was released.
sr. member
Activity: 393
Merit: 250
Quote
Sorry to hear your loss

Thanks. From now on I have an offline wallet on 2 Raspberry Pis (with a few satoshi). Live and learn.

I would really appreciate it if anyone around with some coding knowledge in OSX could have a look into the (presumed) hacker's new app - Stealthbit (mentioned in previous post - https://github.com/thomasrevor/StealthBit).

I have been in contact with Reddit mods, and this is what they said:
Quote
I didn't see any hard-coded bitcoin addresses when I looked through. But, I didn't exactly understand how the code worked either. If you're typing in a private key, it may be transmitting that key to another server that runs code to quickly move funds to a hard coded wallet. So, I can't say we need to take it down, but I say we leave it for others more experienced to test out.

I have also been in contact with Github, but they are always reluctant to take down an app that is not proven to be malware, and they didn't seem to have the resources (or incentive) to look into it. Github:
Quote
Thanks for reaching out to us again. Can you describe the malicious activity of StealthBit?

My answer:
Quote
I'm not a specialist unfortunately (...)
The only thing I'm quite positive of is that ThomasRevor and Trevory are the same person. There are too few coders writing bitcoin OSX applications for this to be a coincidence. Maybe cross-check their IP addresses? Although it would seem very amateurish for him not to use a VPN or Tor.
Anyway, I posted my concerns as an issue for Stealthbit. I have been trying to get in contact with him for 4 days, have been posting warnings in his threads, but no answers up to now. Which is a bit concerning.
Can't someone on your team have a look into the code?

Anyone here good/care enough to have a look?
hero member
Activity: 868
Merit: 1000
Sorry to hear your loss
hero member
Activity: 910
Merit: 1004
buy silver!
Sorry about your loss too. I got hacked on the 30th. I clicked on a news story in my email, it took me to a site to watch a video, a window popped up telling me to update Flash, downloaded a trojan and began to get fkd... they went into my bitminter account and took 374 namecoins... but before I noticed that was gone, the bastard kept popping a window up telling me to update my wallet password, it expired, I had 10 BTC in it. Ran a scan, found the trojan, went around and changed every password, good thing, that night they tried to get into all my accounts, sold my BTC, lesson learned, I do only my account stuff on one computer now, no surfing.
sr. member
Activity: 393
Merit: 250

Quote
Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Was your Electrum compromised or were you running Bitvanity?

@E.Sam
Sorry about your loss. If you contact Bitstamp, do you think you will be able to recover your BTC?

Bitstamp wouldn't give a client's information without a court order. Since they are based in the EU, theoretically that shouldn't be too difficult. I would still have to prove a correlation, and since the stolen funds were transferred via another address, that could be tricky.
Anyway, I came to terms with my loss, just trying to prevent others from falling for it.

Edit: I was running Bitvanity in the background (I was not using the generated vanity addresses from it). As for Electrum, it was not even installed.
sr. member
Activity: 476
Merit: 250
What do you call a fish with no eyes? A Fsh!

Quote
Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Was your Electrum compromised or were you running Bitvanity?

@E.Sam
Sorry about your loss. If you contact Bitstamp, do you think you will be able to recover your BTC?
sr. member
Activity: 393
Merit: 250
Looks like our man is back and may be writing another piece of malware. This time as a bitcoin stealth address generator for OSX.

His Reddit post: http://www.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/

Why I believe he's the same person (quoting my comment from above thread link):
Quote from: CptQo @ Reddit
I would recommend extreme caution when using such software.

I just registered to reddit after seeing this post so to warn people.

Last summer, in my infinite wisdom, I downloaded a Mac app called Bitvanity from Github (https://github.com/trevory/bitvanity). It turned out to be malware that empties your Bitcoin wallet (lost more than 20 BTC).
Reference: https://bitcointalksearch.org/topic/hacked-22-btc-stolen-from-bitcoin-qt-v081-beta-wallet-on-os-x-1075-266813 - https://bitcointalksearch.org/topic/m.1995725 This was discussed on Reddit as well, but I can't seem to find the post now.

The OP of this thread is called trevorscool, his github account https://github.com/thomasrevor/StealthBit under the name Thomasrevor.

Bitvanity's github account was under the name Trevory (T.Revor.Y, you get the drift). Thomas Revor - Trevorscool - Trevory... Looks a bit suspect.

Also, looks like trevorscool has been deleting a few posts of his from 7 months ago: http://webcache.googleusercontent.com/search?q=cache:3cbWKz_lDXoJ:webby.hazasite.com/user/trevorscool+&cd=24&hl=en&ct=clnk&gl=uk compared to: https://pay.reddit.com/user/trevorscool?count=25&after=t1_cetbxnn
The 3 deleted posts were inciting people to download/use Bitvanity + link to Bitvanity Github: http://webby.hazasite.com/r/Bitcoin/comments/1d0pd2/bitvanity_bitcoin_just_got_more_beautiful/ http://webby.hazasite.com/r/BitcoinBeginners/comments/1d2rhz/super_easytouse_vanity_address_generator_for_mac/ and https://github.com/trevory/bitvanity
sr. member
Activity: 393
Merit: 250
Yes you're right, I was actually thinking of mentioning this.
When I started this thread, I wasn't sure if this was due to a malware or not. I guess it is quite clear now.
newbie
Activity: 56
Merit: 0
Quote
Thought I would bring this thread back to life for some advice.

Recently, some BTC from one of the addresses linked to the Bitvanity malware (referred to here https://bitcointalksearch.org/topic/m.1995725) started moving.

The address: https://blockchain.info/address/1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV

The transaction in question: https://blockchain.info/tx/2030cfcec6aa0b5c2fad037f8e504f694c46ae7f21a9ab59b03d706c92c2bedc

Goes here: https://blockchain.info/address/1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY

Now, the last transaction of the above address (https://blockchain.info/tx/1f1ed9ffb48939a35e41fd34de7a2d65fd6b20ed1601c8e8fb69323ae395ba35) sends funds to 1526xfWVCnsbMXT8XKN5J7q53TeKiSqy5Z and 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic

I just found out that 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic belongs to Bitstamp. Would I be right to assume that the person behind Bitvanity sent some stolen funds to Bitstamp?

This should probably be moved or reposted in the scam accusations forum? Might get more aid there.
**** my space bar is tripping balls.
sr. member
Activity: 393
Merit: 250
Thought I would bring this thread back to life for some advice.

Recently, some BTC from one of the addresses linked to the Bitvanity malware (referred to here https://bitcointalksearch.org/topic/m.1995725) started moving.

The address: https://blockchain.info/address/1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV

The transaction in question: https://blockchain.info/tx/2030cfcec6aa0b5c2fad037f8e504f694c46ae7f21a9ab59b03d706c92c2bedc

Goes here: https://blockchain.info/address/1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY

Now, the last transaction of the above address (https://blockchain.info/tx/1f1ed9ffb48939a35e41fd34de7a2d65fd6b20ed1601c8e8fb69323ae395ba35 timestamp: 2013-12-29 18:55:28) sends funds to 1526xfWVCnsbMXT8XKN5J7q53TeKiSqy5Z and 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic

I just found out that 13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic belongs to Bitstamp. Would I be right to assume that the person behind Bitvanity sent some stolen funds to Bitstamp?
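The hop-by-hop reasoning in the post above (theft address, to an intermediate address, to an output at an address attributed to an exchange) is a small taint-tracing problem. Below is an added example, not code from the thread: it walks a transaction graph breadth-first from a suspect address and reports every path that lands on an address tagged as a known service. The txids and addresses are the ones quoted in the post; the input/output structure of each transaction is constructed from the post's description rather than fetched from the chain, and the "Bitstamp" label is the poster's claim, carried here as an assumption.

```python
"""Trace whether coins from a suspect address reach a known service address
by walking a transaction graph breadth-first.

Added example, not code from the thread. The txids and addresses are those
quoted in the post; the edges in TXS are CONSTRUCTED from the post's
description, not pulled from a node or an explorer.
"""
from collections import deque

# Constructed transaction graph: txid -> (input addresses, output addresses).
# In a real run, build this from `getrawtransaction <txid> 1` or an explorer API.
TXS = {
    "2030cfcec6aa0b5c2fad037f8e504f694c46ae7f21a9ab59b03d706c92c2bedc": (
        ["1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV"],
        ["1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY"],
    ),
    "1f1ed9ffb48939a35e41fd34de7a2d65fd6b20ed1601c8e8fb69323ae395ba35": (
        ["1Mh37LxdBvbt5GDs4TPGsEiMYyXEZ6mFsY"],
        ["1526xfWVCnsbMXT8XKN5J7q53TeKiSqy5Z",
         "13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic"],
    ),
}

# Addresses attributed to a custodial service. The attribution is the post's
# claim, treated here as an analyst assumption that still needs confirming.
KNOWN_SERVICES = {"13p4zncq6m3Ax7tvKhEG2k49hgwfS5g7ic": "Bitstamp (per post)"}


def build_spend_index(txs):
    """Map each address to the txids that spend from it."""
    spends = {}
    for txid, (inputs, _outputs) in txs.items():
        for addr in inputs:
            spends.setdefault(addr, []).append(txid)
    return spends


def trace(start, txs, known, max_hops=10):
    """Follow spends outward from `start`.

    Returns a list of (hops, txid_path, service_address, label) for every
    output that lands on an address in `known`, stopping after `max_hops`.
    """
    spends = build_spend_index(txs)
    hits = []
    seen = {start}
    queue = deque([(start, 0, [])])
    while queue:
        addr, hops, path = queue.popleft()
        if hops >= max_hops:
            continue
        for txid in spends.get(addr, []):
            new_path = path + [txid]
            for out_addr in txs[txid][1]:
                if out_addr in known:
                    hits.append((hops + 1, new_path, out_addr, known[out_addr]))
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, hops + 1, new_path))
    return hits


if __name__ == "__main__":
    for hops, path, addr, label in trace(
            "1JdfxVY6fsVsZJHeZrKHBzpZNRhr9k6jWV", TXS, KNOWN_SERVICES):
        print(f"{hops} hop(s) -> {addr} [{label}] via {' -> '.join(path)}")
```

Reaching a custodial address shows only that coins arrived at that service; the post's own caveat applies, since tying the deposit to a person needs the exchange's records. A thief who routes through more intermediate addresses than `max_hops`, or through a mixer, will also fall off the edge of the graph, so the graph has to be built as deep as the funds actually moved.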
legendary
Activity: 1148
Merit: 1018
Did Bitvanity ask you to enter your administrator password?
sr. member
Activity: 393
Merit: 250
From Github

Quote
Hi Eric,

We've taken action against the repository. Thanks for reporting this. Let us know if you find any other projects we should be aware of.

Thanks,

-Austin

sr. member
Activity: 393
Merit: 250
Quote
I am still extremely sorry to hear about the loss. I think that in order to prevent the situation from happening next time it would be best to use Linux-based operating systems, as to my knowledge there are far fewer workable viruses for it since it is an OS that not many use.

Quote
Unfortunately, this is not a virus in the commonly accepted sense. It's malware designed to steal from you, that most likely won't be detected by any standard anti-virus, and that is likely to succeed on Linux as well - even though the global security (requiring root access) might help lower the risk.

As Vlees said, the safest way, when using those kinds of software, is to have the code reviewed by someone - I'm sure lots of people around would be glad to help - and then to compile those sources yourself. Basic compiling is not that tricky, really, especially using Linux.

I can confirm this. Running Mac Sophos anti-virus didn't raise any red flags.

Quote
If you've got a BTC address I'll send over a donation to you if you'll accept it. Again, sorry to hear about this; blackhat hackers really are some pieces of shit.

That's very altruistic of you ajk, thanks. I accept responsibility for downloading/using an app from an untrusted source, and therefore bear the blame... So it's really nice of you to think I deserve some help to get back on my feet!

1dxkU8qjpZvFBL1uz2EhgaCMbgFTEMbWR


sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
Quote
I am still extremely sorry to hear about the loss. I think that in order to prevent the situation from happening next time it would be best to use Linux-based operating systems, as to my knowledge there are far fewer workable viruses for it since it is an OS that not many use.

Unfortunately, this is not a virus in the commonly accepted sense. It's malware designed to steal from you, that most likely won't be detected by any standard anti-virus, and that is likely to succeed on Linux as well - even though the global security (requiring root access) might help lower the risk.

As Vlees said, the safest way, when using those kinds of software, is to have the code reviewed by someone - I'm sure lots of people around would be glad to help - and then to compile those sources yourself. Basic compiling is not that tricky, really, especially using Linux.
ajk
donator
Activity: 447
Merit: 250
Thank you vlees and others for the clarification.

I am still extremely sorry to hear about the loss. I think that in order to prevent the situation from happening next time it would be best to use Linux-based operating systems, as to my knowledge there are far fewer workable viruses for it since it is an OS that not many use.

If you've got a BTC address I'll send over a donation to you if you'll accept it. Again, sorry to hear about this; blackhat hackers really are some pieces of shit.
sr. member
Activity: 393
Merit: 250
Quote
I'm definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems OK.

The code was a perfectly legit vanity generator. The pre-compiled one included malware.

Edit: The source code version is clean and has nothing scary. I was hoping to find something in the compiled binary and found this, so it's very clearly malware:
/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/
VanityGen != BitGen. Please quote properly next time to avoid any confusion.

Sorry, that was my mistake - I have just edited the TS.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
Quote
I'm definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems OK.

The code was a perfectly legit vanity generator. The pre-compiled one included malware.

Edit: The source code version is clean and has nothing scary. I was hoping to find something in the compiled binary and found this, so it's very clearly malware:
/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/

VanityGen != BitGen. Please quote properly next time to avoid any confusion.
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
The source code on https://github.com/trevory/bitvanity was a perfectly legit vanity generator. The pre-compiled one included malware.

Edit: The source code version is clean and has nothing scary. I was hoping to find something in the compiled binary and found this, so it's very clearly malware:
/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/

Edit: Removed a quote which I didn't notice was completely irrelevant to this thread. Thanks for pointing this out, Remember remember the 5th of November.
full member
Activity: 196
Merit: 100
Quote
Just read through this entire thread. Extremely sorry to hear about your loss.

Is this only for Mac computers? I have a Linux machine with vanitygen on it, and this machine has not all but a fair amount of coins on it. Is this only bad if you're a Mac user?

This is about the tool "BitVanity", which exists for Mac OS X only.

VanityGen (many platforms) is completely safe as far as I know. If you want to be sure, download the source code, review it and compile the tool yourself (VERY IMPORTANT: don't code review and then use the precompiled version).
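Two posts above make the same point from opposite ends: the BitVanity source was clean while the shipped binary carried a build path from the author's machine, and the advice is to review the source and compile it yourself rather than trust a precompiled download. A first-pass check on any binary you did not build is to dump its printable strings and flag what a local vanity-address generator has no business containing. The block below is an added example, not code from the thread or from the BitVanity project. The sample bytes are constructed to resemble a Mach-O's string table; the only artefact taken from the thread is the developer path quoted above, and the remote URL, the wallet paths and the indicator patterns are my assumptions about what looks out of place.

```python
"""Pull printable strings out of a compiled binary and flag the ones a reviewer
would not expect in a local key-generation tool (a strings(1)-style triage).

Added example, not code from the thread or from BitVanity. SAMPLE_BINARY is
CONSTRUCTED; only the /Users/satoshinakamoto/... path comes from the post.
"""
import re

MIN_LEN = 6

# Indicator patterns (assumptions): what a vanity generator should not contain.
INDICATORS = {
    "dev_path": re.compile(rb"/Users/[^\x00]+"),            # build-machine path baked in
    "url":      re.compile(rb"https?://[^\x00\s]+"),         # a remote endpoint
    "wallet":   re.compile(rb"wallet\.dat|walletpassphrase|sendtoaddress", re.I),
    "rpc_auth": re.compile(rb"rpcuser|rpcpassword|bitcoin\.conf", re.I),
}


def extract_strings(blob, min_len=MIN_LEN):
    """Return runs of at least `min_len` printable ASCII bytes, like strings(1)."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan(blob):
    """Return {indicator_name: [matched strings]} for every indicator that fires."""
    findings = {}
    for s in extract_strings(blob):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                findings.setdefault(name, []).append(s.decode("ascii"))
    return findings


def scan_file(path):
    """Convenience wrapper: scan a binary on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: Mach-O-like header noise, plausible Objective-C symbol
# names, and the strings an analyst would want flagged.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x00\x00\x00\x00"
    b"__TEXT\x00__cstring\x00NSApplication\x00"
    b"/Users/satoshinakamoto/Desktop/BitVanity Hacked/BitVanity/main.m/\x00"  # from the post
    b"Vanity prefix must start with 1\x00"
    b"http://example.invalid/collect.php\x00"                                  # assumed, not from the post
    b"/Library/Application Support/Bitcoin/wallet.dat\x00"                     # assumed
    b"rpcpassword=\x00sendtoaddress\x00"                                       # assumed
)

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_BINARY).items():
        for h in hits:
            print(f"[{name}] {h}")
```

Two caveats a practitioner would add. A source path by itself is not proof of anything, since debug builds routinely embed file paths through assertion macros; what made the thread's finding damning was the user name and the "BitVanity Hacked" folder. And a clean strings dump proves nothing either, because a remote endpoint or wallet path can be built at run time or stored obfuscated, which is exactly why the advice to compile from reviewed source, and to run the build you made rather than the download, is the stronger control.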
ajk
donator
Activity: 447
Merit: 250
Just read through this entire thread. Extremely sorry to hear about your loss.

Is this only for Mac computers? I have a Linux machine with vanitygen on it, and this machine has not all but a fair amount of coins on it. Is this only bad if you're a Mac user?
member
Activity: 116
Merit: 10
Oh, don't interpret my post as some form of 'pro-bitvanity'. Just reports of the issue are enough to make me avoid it like the plague.

That being said, I think vanitygen is a different author, different program. I don't keep any BTC on the machine I use to generate vanity addresses, but I do have a wallet on it, and haven't had any issues.

As always, it's a good idea to review something yourself (like the source) to evaluate the risks.
sr. member
Activity: 393
Merit: 250
Quote
I'm definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems OK.

It would seem strange that 2 of us got all our BTC stolen in a similar fashion while using Bitvanity. This said, I'm scouting around the web trying to find similar cases and see if they were using Bitvanity.
Would be great if someone knowledgeable could have a look at the code.
member
Activity: 116
Merit: 10
I'm definitely not an 'expert' in code review, but https://github.com/samr7/vanitygen seems OK.
sr. member
Activity: 393
Merit: 250
Just found out where I first read about bitvanity: http://www.btcpedia.com/generate-bitcoin-vanity-address/

Also, seems like this "Trevor Muller" (his Github pseudonym) has done other interesting things https://discussions.apple.com/thread/5045842?start=0&tstart=0
legendary
Activity: 3472
Merit: 4801
Quote
It looks like Github took down the app:

Glad to hear it. Thanks for the update.
sr. member
Activity: 393
Merit: 250

Quote
I gave it a try as well. Here's what I sent them:

Quote
After testing the executable binaries distributed through github in the following location:
https://github.com/trevory/bitvanity

It has been determined that these executable binaries are falsely advertised as providing a specific purpose, while in reality being intentionally designed to maliciously steal account information and destroy contents on the user's computer.

Multiple users have reported having valuable content stolen from their computer by this software.

This would appear to be in direct violation of the github Terms Of Service.  Specifically:

A.8. You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

G.7. We may, but have no obligation to, remove Content and Accounts containing Content that we determine in our sole discretion are unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violates any party's intellectual property or these Terms of Service.

and

G.11. You must not transmit any worms or viruses or any code of a destructive nature.

As such I expect you to immediately terminate the user's access to GitHub and remove their hosted content before any other users are unknowingly duped into installing this illegal malware.

I'll update with whatever feedback I receive.

Very nicely handled - Thanks for getting involved.

It looks like Github took down the app:

Quote
This repository has been disabled.
Access to this repository has been disabled by GitHub staff due to excessive use of resources. Contact support to restore access to this repository. Read here to learn more about decreasing the size of your repository.

I suppose stating the truth would have been bad publicity.
legendary
Activity: 3472
Merit: 4801
Quote
Just got an answer from Github:
Quote
Hi Eric,

If the project in question doesn't behave as expected, I'd suggest opening an issue and discussing it with the maintainer.

Cheers,
Steven!

I'm not sure whether I should laugh or cry at this point.....

I gave it a try as well. Here's what I sent them:

Quote
After testing the executable binaries distributed through github in the following location:
https://github.com/trevory/bitvanity

It has been determined that these executable binaries are falsely advertised as providing a specific purpose, while in reality being intentionally designed to maliciously steal account information and destroy contents on the user's computer.

Multiple users have reported having valuable content stolen from their computer by this software.

This would appear to be in direct violation of the github Terms Of Service.  Specifically:

A.8. You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

G.7. We may, but have no obligation to, remove Content and Accounts containing Content that we determine in our sole discretion are unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violates any party's intellectual property or these Terms of Service.

and

G.11. You must not transmit any worms or viruses or any code of a destructive nature.

As such I expect you to immediately terminate the user's access to GitHub and remove their hosted content before any other users are unknowingly duped into installing this illegal malware.

I'll update with whatever feedback I receive.
sr. member
Activity: 393
Merit: 250
Quote
There is a chance the malware just took advantage of your wallet unlocking to push a TX, and did not steal your private keys along with it.
I would keep the wallet just in case, since you might receive payments on one of his addresses, but start a fresh one anyway, too.

That might be it, since the whole wallet was emptied as soon as I entered my passphrase.
I don't think I will receive any more payments; I will empty the remaining 0.0095 BTC and delete the whole thing.

I'm not using Time Machine, but I will keep this terminal offline until I'm sure the threat is taken care of.

Just got an answer from Github:
Quote
Hi Eric,

If the project in question doesn't behave as expected, I'd suggest opening an issue and discussing it with the maintainer.

Cheers,
Steven!

I'm not sure whether I should laugh or cry at this point.....
hero member
Activity: 770
Merit: 500
Quote
I was just made aware of this: https://bitcointalksearch.org/topic/m.1995725

Yep, sounds like the Vanity Generator that you installed was a trojan. I assume your Bitcoin-Qt wallet wasn't password protected either? Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the whole wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Thanks, good to know. I will from now on become way more paranoid.

I suppose my whole wallet is now compromised. The best thing is just to delete the whole thing since I have no BTC left, no?
Also, any suggestions on how to be sure I fully delete the app from my system?

You should format or use Time Machine? I am not sure about the second.
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
There is a chance the malware just took advantage of your wallet unlocking to push a TX, and did not steal your private keys along with it.
I would keep the wallet just in case, since you might receive payments on one of his addresses, but start a fresh one anyway, too.
sr. member
Activity: 393
Merit: 250
Quote
I was just made aware of this: https://bitcointalksearch.org/topic/m.1995725

Yep, sounds like the Vanity Generator that you installed was a trojan. I assume your Bitcoin-Qt wallet wasn't password protected either? Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the whole wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.

Thanks, good to know. I will from now on become way more paranoid.

I suppose my whole wallet is now compromised. The best thing is just to delete the whole thing since I have no BTC left, no?
Also, any suggestions on how to be sure I fully delete the app from my system?
hero member
Activity: 770
Merit: 500
Quote
I was just made aware of this: https://bitcointalksearch.org/topic/m.1995725

Yep, sounds like the Vanity Generator that you installed was a trojan. I assume your Bitcoin-Qt wallet wasn't password protected either? Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the whole wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.

Sorry to hear that. I experienced the same thing using the Mac OS app of Electrum.
sr. member
Activity: 393
Merit: 250
Quote
I was just made aware of this: https://bitcointalksearch.org/topic/m.1995725

Yep, sounds like the Vanity Generator that you installed was a trojan. I assume your Bitcoin-Qt wallet wasn't password protected either? Or did the vanity generator manage to capture your keyboard input and get your password that way?

It was protected (25 random characters) - I think it waited for me to enter my password. As soon as that happened, it just sent the whole wallet content.

I have now contacted Github and asked for this "app" to be taken down.

Hard lesson.
legendary
Activity: 3472
Merit: 4801
I was just made aware of this: https://bitcointalksearch.org/topic/m.1995725

Yep, sounds like the Vanity Generator that you installed was a trojan. I assume your Bitcoin-Qt wallet wasn't password protected either? Or did the vanity generator manage to capture your keyboard input and get your password that way?
sr. member
Activity: 393
Merit: 250
Quote
Was the 1936Ej4GZeJ4LBsjHQ6U8v2tooTTa1jDFf address generated with a vanity gen program, imported after receiving the private key from someone, or imported after being created as a brain wallet of some sort?

No, it was an address generated by the Bitcoin-QT wallet. I only generated a few vanity addresses to experiment, and imported a couple into my wallet. I used an OSX application found on the net https://github.com/trevory/bitvanity - I scanned it and it came back clean. This said, I wasn't going to trust the source and didn't intend to use the generated addresses for any transaction.

Now that I look at this app, it does look a bit suspicious.
legendary
Activity: 3472
Merit: 4801
Was the 1936Ej4GZeJ4LBsjHQ6U8v2tooTTa1jDFf address generated with a vanity gen program, imported after receiving the private key from someone, or imported after being created as a brain wallet of some sort?
sr. member
Activity: 393
Merit: 250
So here is what happened. Last night, I withdrew BTC from BTCT.co

Transferred: 22.65118847 BTC
  Payment Address: 1936Ej4GZeJ4LBsjHQ6U8v2tooTTa1jDFf
  Transaction ID: 248fefca0bae07642a39830d6f86a436c18f33855ec86e18794577f16421f5e7
  Site Fee: 0 BTC
  bitcoind Fee: 0.0005 BTC

Received them into my wallet and decided to send them to BTC-e (couldn't do it directly from BTCT.co as I had a locked withdrawal address).
Entered the whole amount for the transaction (previous to this, my wallet was empty as I rarely use it), entered my passphrase (around 25 random characters) and proceeded to send.
At this point Bitcoin-QT became unresponsive. I force quit and restarted the application, and I got the message: "wallet.dat corrupt, salvage failed".
I retrieved the .dat file from my daily backup and replaced the corrupted one.
The wallet started to sync, and my 22.65118847 BTC were still there.
I started the process again to send BTC to BTC-e, entered the passphrase, and at this point the app told me I didn't have enough funds.
I went to Transactions and could see that the entire wallet was being transferred to 12YabLfo4W51EqU6amYNtopPJZjRJfU46U

I really don't want anyone to go through what I went through in the last 14 hours. I therefore would very much appreciate any input from the community so as to understand where I messed up.

When that happened, I had Bitvanity running in the background. I also had Chrome running (gmail, btct, btc-e, coindesk, etc. No dodgy websites). I'm just trying to give any relevant info - let me know if I can provide anything more.

I'm scanning the entire system with SOPHOS - it has done around 95% and found nothing.

Thank you all in advance for your input.


E.


[EDIT: Sorry, due to lack of sleep I just realised I had written Vanitygen instead of Bitvanity. Apologies for the confusion to samr7, author of Vanitygen on Github]