
Topic: Some few findings regarding the recent attacks (Read 1383 times)

newbie
Activity: 31
Merit: 0
Your research has been excellent. We were also looking into all these sites, but for other reasons.
All the sites you mention interconnect and can be found on one page.
The design is all too familiar and follows the 'HYIP' designs that are plaguing bitcoin right now.

These sites were taking a lot of our time to delve into.
Following your report, we've cut short our investigations, erred on the side of protecting Bitcoin, and listed them at www.badbitcoin.org

The HYIPs all seem to come from Ukraine and Russia, as do a disproportionate number of other BTC scams and Ponzis.
No surprise to see a couple of Russian names in your findings.

Keep up the great detective work - we all need to do our bit.

ViK
Badbitcoin.org
legendary
Activity: 2380
Merit: 1150
As most of you are aware, several mining pools were under DDoS attacks during the last couple of weeks. Some of these pools are still being attacked.

At the same time, several miners reported in Bitcointalk about a hack which cost them Bitcoins. Here are some examples:


Quote
March 31, 2014, 11:36:51 PM
Thanks Frank.  I'm using BAMT from a usb stick and nothing else has ever been installed on this.  Furthermore, because we were on vacation, other computers in the local network were shut down, and my home router is tiered with a second home router, so to get access to this machine someone would have had to have hacked through two routers/firewalls....  My miner is currently resolving us.clevermining.com fine, but its possible that dns was poisoned temporarily at the ISP level to trick my miner into resolving to a different IP.  I found using netstat that the only connection to an external IP was to 46.28.205.80:3333 from Zurich ( http://www.iplookup.ca/46.28.205.80 ).  Clearly they somehow tricked the miner into connecting to that IP address.  I have tons to catch up on after being out for almost 2 weeks so I haven't read up all the thread on this, but the speculation that it was some malicious software we downloaded is simply not possible.  It had to be either a DNS hijacking, or the BAMT software has a backdoor, or possibly clevermining purposely resolved us to this new IP.   No other possibility in my mind.  Very suspicious of BAMT as well as clevermining... Since the dns is hosted by cloudflare, it could have been someone at cloudflare too.  I may start specifying the IP in my cgminer.conf rather than the us.clevermining.com address.  That should eliminate the DNS hijacking possibility.

Anyways, thanks for pointing me to the beginning of that thread.

Rob



Quote
April 26, 2014, 05:44:40 PM
This jumping to 46.28.205.80 happens on ghash too... And every time at same time... So it might be something automatic...

17 rigs, 3 locations



Quote
April 27, 2014, 10:54:18 AM
Not sure if your issue is the same, but if you are redirected to ip 46.28.205.80 it is a "pirate" pool that somehow redirects you to them... It is happening to me too on 4 different pools with 19 rigs, 4 locations and 2 ISPs (BTCGuild, ScryptGuild, Ghesh and Eligius).


Quote
April 26, 2014, 03:23:53 PM
Pool users should check their connections to Slush. I noticed with two miners that I hadn't submitted a share in the last ten minutes. My miners were showing that they were still connected to pool 0, but 46.28.205.80 instead of the normal address. There is talk on Eligius about a malicious player doing a man in the middle attack, it's worth reading up on.



Quote
May 04, 2014, 03:59:35 PM
Both my miners were redirected to 46.28.205.80 again. I hate thieves. I received nothing from the last round because of them... Someone should do something about that.


Quote
April 26, 2014, 01:41:12 AM
Redirected clients show "Connected to 46.28.205.80..." in the miner.
This seems to be a scrypt "Worldcoin" mining server, and it seems likely they are just automatically MITM'ing any stratum connections they can inject into, regardless of the destination pool.


Quote
May 05, 2014, 06:38:41 PM
YES! I have a jalapeno and it's happened to me twice this week. I find my miner heads off to IP 46.28.205.80 .



These are only some statements, and it is likely that several miners haven't even realized that they were being pirated.

However: The IP mentioned in these posts and the connection to DDoS attacks leads me first back into the past.


Dragonara
Some of you may know dragonara.net. Most not.

I stumbled upon this domain many times in the past. First, some comments on them from third parties.

„Spamhaus“, for example, just calls the „Dragonara Alliance“ a „Cybercrime hub“:

If you search for them in connection with DDoS attacks, you will see that they offer protection against this. However, several users report a bad experience: Instead of protection against this kind of attack, they received such an attack.

Furthermore, Dragonara is known as a source of spam.

But who is behind Dragonara? This is not fully known.

What you find in the whois data is interesting: While most of the whois information is fake, they list the following e-mail address as a tech contact: "Registrant Email: [email protected]"

".ch" is the TLD for Switzerland.

But this is not the only lead to Switzerland. Besides some marketing speak, you find, on older versions of their homepage, a text saying that they are located in Switzerland: „Dedicated server with DdoS-protection, Colocation, DdoS-Protection up to 14 Gbit/s. Datacenter located in Switzerland, Zurich, 99.9% uptime SLA guaranteed.“

On their homepage, they listed three partner-companies:
- prodecor.ch
- init7.net
- cogentco.com



Pecunix
And then there is Pecunix. „Digital currency operator. Pecunix is backed by gold, and offers an advanced and secure API for merchants and users“, as they used to claim on their homepage.

Today, the site looks different. However, Pecunix was often mentioned in connection with illegal activities. This doesn't necessarily mean a lot, for Bitcoin, too, is often mentioned. But there is a strong connection between Pecunix and Dragonara: Pecunix was for a long time hosted by Dragonara.

And Swiss authorities should know Dragonara, too, for Dragonara hosts a lot of „High Yield Investment Programs“ - or financial scammer sites. One of these programs was run by a Swiss fraudster, and Finma, the Swiss Financial Market Authority, shut down the company. So Finma should know about them and have them on their radar.

But before I go further, let me take a look at prodecor.ch, one of the listed partners of Dragonara. Prodecor produces and promotes some financial software for small enterprises. The persons behind the company, according to the Swiss registry of corporations:
- Pascal Andre Wenger
- Erich Rieder
- Michael Fuchs

Erich Rieder is listed on the homepage as founder of Prodecor.

One of Rieder's other sites is prowebnet.ch. In the past, he promoted web hosting on this site – in Russian.


Solar Communications
Now that you know a bit about Dragonara, let me go back to the hack of Bitcoin-miners.

The IP to which the miners were directed:  46.28.205.80.

This IP is in the range of the Swiss company „Solar Communication“.

They basically offer the same services as Dragonara: Hosting, colocation, DDoS protection – and are also based in Zurich, Switzerland.

The owners of the company are two Russians:
- Alexey Dengin
- Vitaly Ilin

But the manager of the company is Erich Rieder. Right: The guy whose company is a partner of Dragonara.

„Solar Communication“ claims to have a couple of partners:
- server-cloud.com, Switzerland
- incloudibly.com, Switzerland
- cloudc.me, Spain
- coinshost.com, Switzerland
- swisshosters.com, Switzerland
- atomdrive.net, Switzerland
- true-cloud.com, Switzerland
- antiddos.es, Spain

Some of these names may sound familiar, for they are users in Bitcointalk and are even offering rewards if you promote their services on reddit.

Just look at the domain coinshost.com:

coinshost is registered by

Registrant Name: Marcus Schwarzenberg
Registrant Organization:
Registrant Street: Badenerstr. 569
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8048
Registrant Country: Switzerland
Registrant Phone: 41791033365
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]


I could not find any person by this name in Switzerland and especially not at this address.

The same is true for atomdrive.net:

Registrant Name: Tim Keller
Registrant Organization:
Registrant Street: Badenerstr. 569
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8048
Registrant Country: Switzerland
Registrant Phone: +41.41791033365
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]



No Tim Keller at this address.

No wonder, for the address is that of the data center of Solar Communications.

This company also accepts payments in Litecoin and Nxt – and, of course, Bitcoin.

This is puzzling. Trading with Bitcoins, especially as a company, is tricky in Switzerland. The Financial Market Authority threatens to have you arrested if you do not check the identity of every single client. So it is not possible to sell Bitcoin debit cards, Bitcoin credit cards, Bitcoin vouchers, not even one with a value of 50 Swiss Francs. Just guess what would happen if you ran, as a company, a Bitcoin-related service offering fully anonymous hosting. You would be busted.

But these laws do not seem to work for Solar Communications and its affiliates. Even worse: As a hoster in Switzerland, you have to check who your client is. But Solar Communication's „partner“ atomdrive even writes:

"All information about our clients is kept in the strictest confidence, however, even more anonymity can be achieved by using payment systems such as Bitcoin.
After making an anonymous payment, you will receive a unique key without having to release any personal information."

A simple test showed that it is no problem at all to create an account with totally fake information. This is like a blueprint for money laundering. Which should be fought by Finma.

However, let's go back to Pecunix, this alternative money-system of which Dragonara hosted the homepage in the past.

Guess who's hosting Pecunix today? Right: Solar Communication.

If you go to the Pecunix-site, you will see the following text:
"Pecunix will soon be changing! Payments will no longer be possible within the Pecunix system, rather they will be made with the state of the art open source Voucher-Safe System that has been developed and tested over the past 3 years. Please prepare yourself if you are a Pecunix customer or prospective customer. Go to www.voucher-safe.com and set up a voucher-safe for yourself... it's FREE."

In a story about Voucher-Safe, one can read:
Quote
"Voucher-Safe is a secure cloud based system. Unlike Bitcoin, “there is nothing actually on your phone or on your computer. If your phone should get lost or stolen or arrested by authorities, there is nothing for them to find.” All of the information in the system is encrypted, sometimes twice. “What that means is that no one, including the voucher Publisher, can see what value somebody has. They might see that there are so many rows in the table at this hash for that particular safe, but there is no way to know what those rows represent, or whether they are simply payment receipts.”
[...]
The idea behind voucher-safe is that money can be anything that people value and want to exchange.  Money can be national fiat currencies, silver or gold and increasingly, Bitcoin. Bitcoins can be exchanged via the Voucher-Safe system with the creation of Bitcoin backed Vouchers."

So here we go: Payments, but totally anonymous. Something the Swiss Financial Market Authority surely would not accept for it would basically violate every law against money laundering.

But yes, it is the Internet. And the Internet is not in Switzerland. But: Pecunix is hosted in Switzerland. Voucher-Safe is hosted in Switzerland. By Solar Communications. Which offers through an obviously non-existing partner anonymous hosting.

And now, out of the blue, comes an attack against miners from the same network?

Now take a look at thebitcoinaffiliate.com - a site also hosted by Solar Communications.

If you click on the Merchants-link on this site, you land at http://bitcoinsarl.fr/. Also hosted by Solar Communications.

They list a whole range of Bitcoin-related businesses:
TheBitcoinNews.co.uk (hosted by Solar Communications)
Bitcoin Börse (hosted by Solar Communications)
Bitcoin Card (part of Bitcoin Börse)
Cryptobourse.com (hosted by Solar Communications)
(Cryptobourse tries to sell you their shares for 0.001 BTC  and lists a whole lot of other domains which are hosted by.... make an educated guess!)
Cryptotu.be (hosted by Solar Communications)
trustedbitcoinstores.com  (hosted by Solar Communications)
cryptohashingpool.com (hosted by Solar Communications  and currently hashing with amazing 1 Gh/s, but selling shares through Cryptobourse.com – no, the 1 Gh/s is NOT a typo!)
asic-scrypt-mining-hardware.com  (hosted by Solar Communications. Look what they are selling and what prices. 17 Euro for 100 Kh/s cloud mining. 19999 Euro for a scrypt-miner which doesn't even exist. 12999 Euro for a 6 Th/s-miner – which doesn't exist).

So after all, this smells like scam. Like a huge scam.

I still don't know who is behind the hack of the miners. But I do know now a bit about the background of the persons and the domains behind the network. And frankly: I will avoid every service and miner which is being sold by any of the affiliated companies.

However, one journalist contacted the guys in Russia who are behind Solar Communication. They claim that one of their clients is running a mining pool on this IP address and was hacked. So he, basically, is painted as the victim.

Well, if I were running a mining pool and were hacked and then had more Bitcoins than before, I wouldn't really call myself a victim.

On Blockchain (I know, not the most reliable source) there are a couple of transactions that were relayed first by the ip 46.28.205.80. The records start 2014-04-08 04:04:19 and end 2014-05-14 22:57:16. So in this time, a little bit more than a month, amounts ranging from a few Satoshis up to more than 200 BTC were relayed on this address. But where's the pool? Never heard of it. So if anybody has ever heard of them: Post it here.

Maybe some of you find more information and would like to post. The more that becomes known, the more likely it is that we find out who's behind the attacks.

And especially the guys who are posting here in Bitcointalk representing the partners of Solar Communications are more than welcome to give some explanations...

If this information has been helpful, please don't hesitate to make a donation :-)

17Ab6X6kLDfs5TD353vZN5hQ5W6e79pufp

One of the attacked miners added this information:

Quote
For two days they were using a P2Pool node; we can see they hijacked an average of 130TH and at the max they got over 370TH. In only these two days they got about 9000$. http://p2pool.jir.dk/stats/btc/46.28.205.80/

After that they still were using IP 46.28.205.80 but probably only as a proxy to different address. They are also running Worldcoin pool for scryptmining. http://bitinfocharts.com/worldcoin/nodes/switzerland/unknown.html

Since the Heartbleed bug was only 2 weeks away, it might have happened that the attacker did find some internet infrastructure that was compromised and used it for a Man In The Middle attack. Since the attacks stopped, it might have been patched.

The attacker somehow sent a correct packet over the TCP stratum connection that asked the miner to reconnect from the current stratum server to 46.28.205.80. This is a command in the stratum protocol used for load balancing and DDoS protection, but it was misused when injected into the connection as a hijacked function.
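As an added example (not code from any poster in this thread), here is a small defender-side check a pool operator or miner could run over captured pool-to-miner stratum messages: it flags the client.reconnect command described above whenever its target is a bare IP or a host outside the operator's own pool allowlist. The allowlist entries other than us.clevermining.com and the sample messages are constructed.

```python
# Added example, not code from this thread: flag stratum "client.reconnect"
# commands that point a miner somewhere other than its configured pool.
import json
import ipaddress
# Pool hostnames the operator configured in cgminer.conf (assumed/placeholder).
ALLOWED_POOL_HOSTS = {"us.clevermining.com", "pool.example.org"}

def parse_reconnect(line):
    """Return (host, port) if line is a stratum client.reconnect, else None."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params") or []
    host = params[0] if len(params) > 0 else None
    port = params[1] if len(params) > 1 else None
    return host, port

def is_suspicious(host):
    """Bare IPs and hosts outside the allowlist are not expected from a real pool."""
    if not isinstance(host, str):
        return True
    try:
        ipaddress.ip_address(host)
        return True  # pools advertise hostnames; a raw IP is a red flag
    except ValueError:
        return host.lower() not in ALLOWED_POOL_HOSTS

def scan_stream(lines):
    """Return (host, port) for every suspicious reconnect in a pool->miner stream."""
    findings = []
    for line in lines:
        r = parse_reconnect(line)
        if r is not None and is_suspicious(r[0]):
            findings.append(r)
    return findings

# Constructed sample of pool->miner messages; the IP is the one reported in the thread.
SAMPLE = [
    '{"id":null,"method":"mining.set_difficulty","params":[2]}',
    '{"id":null,"method":"client.reconnect","params":["us.clevermining.com",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["46.28.205.80",3333,0]}',
    'garbage line that is not JSON',
]
if __name__ == "__main__":
    for host, port in scan_stream(SAMPLE):
        print(f"ALERT: reconnect to unexpected stratum server {host}:{port}")
```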