Topic: RarityCheck VIBGYOR gilded #12 swept yesterday. - page 13. (Read 3976 times)

This is what Sol Noctis did with their Bull coins. The redemption process is absolutely ridiculous. It’s in such a way that there’s no other reason than them not wanting people to redeem them. Oh and yeah..one coin was swept and then funded again, a coin owned by someone who came forward with the UNPEELED coin which was sent to a seasoned collector who verified it was not peeled and then was sent to the company who produced the coins ..where no explanation was ever given, and in fact they were extremely shady about the whole thing.

@DaveF - great recommendations , I concur entirely.

RCs most recent ANN thread being locked troubles me, and if you read through the entire thread, lot of head scratching.

Also kinda interesting how he’s trying to get the addresses for all the MrHodl silver “chip” coins..from what I can tell he doesn’t own any of them but keeps requesting a list .. I dunno, just odd to me.




I believe that means they were logged in the last 24 hours. Maybe Cyrus or a mod can chime in on this , but pretty sure that’s the case.

The forum BIP tool that I THINK @Vod created tells you how long ago someone was active more specifically, like to the hour , I think ..gunna have to double check that here after I hit send on this, will update ..

this is why you use an offline airgapped key generation process.


I was able to help rsincognito and deciphered both pks that he sent me - willing to help anyone who needs it at zero cost. you can tip if you want but my motivation is to get the bitcoin to the buyers not back to the maker.

I am very sorry to hear this has happened guys

Hate to say it but from my first interaction with rarity I felt they were an untrustworthy douchebag, so much so that I denied them access into my time traveler loaded canvas contest.

I know that the walletgenerator.net utility was compromised back around 2019 and was found to be relaying addresses that were generated. This should be easy to discover because in the browser details it will show the url call to the ip it is trying to send the generated addresses to. My two satoshis, I don't believe they are compromised from an outside entity.

IMHO I would hazard a guess that if this was some specific tool (key gen) issue, there would be much more screaming about this on Twitter/forum/elsewhere...

Btw. what exactly does it mean "Last Active: (Recently)"?

We need RC to come on here and reveal what key-gen software he used. This would demistify alot of the foggy haze.

Knowing the key-gen software would also help us get the word out to the right people and issue a broader warning to the bitcoin ecosystem.

Until then, it just looks like some RC collectables got caught up in a larger hack of some kind with small time collectors being just collateral damage.

There is at least one more batch of transactions in/around the same block that exhibit the same behaviour.

The funds from the VIBGYOR coins were stole in two txs (so far): 5bef768068c0604ee3dc3dd1fa1b1abef946ea474952a0c471d2bf190dd1368f and 5f3720dd75ea36efed2bffd7bc136dc8556e600d6cc94f2a82c38880e0d02b64, both mined in block 855689.

Subsequently, the outputs from those two addresses were consolidated in another transaction (8bcb78031b29a563268170d22c002a12c6ff4d59996095bbdb792c7607f80bd0) into 113Z6geivgG7WAhHowP6n5fQBYzuTFZmxU.

In block 855689, there are also transactions like 61772db434ea944f77099e4fcc85656eebc58898e02b2716c0b02f9c78a8a7ae and some others, which exhibit the same behaviour: Consolidate BTC from P2PKH addresses a few years old into a P2WPKH, then further consolidate them into a new P2PKH address where the funds sit idle. The transaction sizing and amounts are all in the same ballpark. In the second case, the funds are sent to 16U5Rwm6FMDNGwE7CbFaKV2xQCKzdmqK9Q.

Once again, I can't find any meaningful link to collectibles for the majority of the outputs consumed in these two batches (although there are quite a few 0.01 BTC inputs that I don't have linked to any collectible series). If there is a wallet backdoor somewhere, it has been active for several years - there are outputs dating back to 2019 (there might be older ones, I haven't checked everything yet) that have been consolidated in these batches.

I don't see any news of a known wallet compromise in recent times.

It's getting late for me, so I will continue with this in later once I'm more awake.

My coins are in the bank safe unpeeled.
Just checked and my 0.01 btc RarityCheck VIBGYOR 2022 coin orange #011/140 has been swepped ...  1AMPtQJ3ajQBjZ1JdrtnhBukFgq7MW8749
My 0.001 btc 17rdnQEMe1fj7WX8jPnPrRkTYBYnRQYmg7 seems alright for now...
Here we go again ffs

If the key-gen that RC used was backdoored, this is very bad news and the entire collection is compromised.

The attacker is using scripts to automate batch transactions, so maybe all of them may not be sent to the master wallet yet but they may-be in the future.

If the attacker failed to sweep everyhing at once, he failed. He is only giving time for people to move their coins off and save their funds.

This is the full rough estimate diagram of what I am seeing:

Lots of tiny blue amounts ( Roughly 20 transactions a batch ) being dumped into larger pink group wallets ( 13 group wallets total ) being dumped into the large red circle which is the master wallet.

Some of the blue amounts are RC customer funds that are being swept up into the master wallet over a series of transactions.


_{Eclipse - transaction flowchart - RC attack}

Pretty fucking terrible to have to peel a coin. It’s even worse when you peel and can’t redeem

What I can say and speak on is that I wish he kept a copy of his keys cuz I can’t decipher SHIT from his fucking lost coin series. Holy fuck!! Use some better ink, larger letters… anything cuz this btc is probably lost. Even using a 10x magnifying glass.

Total horseshit

I have been looking at the transaction flows as well - while a full analysis will take a few more days, the majority of the funds that ended up in 113Z6geivgG7WAhHowP6n5fQBYzuTFZmxU do not appear to be from collectibles.

The outputs I've checked so far seem to be overwhelmingly 1-2+ years old, and ultimately originate from p2pkh addresses funded through a very broad variety of sources (exchanges, regular wallets, p2sh wallets, multisig, single sig, etc)

I would float the possibility at this time that raritycheck may have used some key generation method that was backdoored, and everyone who used that is being swept right now.

Whoever is swiping the coins has a decent stack of coin sitting on 113Z6geivgG7WAhHowP6n5fQBYzuTFZmxU / 2.35BTC to be exact.

.2 of this 2.35 is known to be coming from customer swiped funds of the RC attack.

Our flowchart looks like many small amounts being swept together into group wallets and then being pushed through into the master wallet which would be 113Z6geivgG7WAhHowP6n5fQBYzuTFZmxU
 



Here are all of the smaller group wallets being drained into the master wallet:



All of these smaller amounts that drain into the group wallets are small amounts ranging from 0.001 to 0.01BTC, very similar denominations as the RC coins.

I can assure you that I still have my coin and it is NOT peeled. I’ll post a photo later today

Good morning everyone,

I get the pleasure of waking up, logging on and seeing another unfolding crisis.

Can anyone confirm they have heard from RC today about this, he should issue a public statement ASAP.

We already lived through the cold-key disaster, I would say redeem and get your bitcoin off while you still have the chance.

I slept on cold-key and never peeled my two sets that I have and I ended up losing all my bitcoin to Yogg.


_{These private keys are garbage, awful work indeed.}

always happy to help - I am always here to help the community.

do you mind if I share the images of your terrible keys? NVM I see you posted them.



you shared the nice one too - the other one was a bit more blurry? not sure if that is the right word - but the letters were bleeding into one another.

Wtf did they print that with? Jesus!! That's the most janky looking piece of paper. 🤦🏻‍♂️

I've been checking in on this post throughout the day today and man this has me thinking....

I actually have some bids placed on Stacks....watching this unfold I am tempted to just pull my bids. I feel bad doing it but FFS....Am I just suppose to cross my fingers and hope I don't wake up one day to swept coins???

here you go :  https://ibb.co/2Fg4Tm5

you figure it out yet? i had to ask Mopar to help me and he was able to recover 2 coins funds after i could not read the keys, if you cant figure it out and your at your wits end, maybe reach out to him. (and its always nice to leave him a tip if he pull off recovering your funds, even if he says he doesn't want one lol imo) He is here for the community  thank you Mopar !