
Topic: YaCoin Investigation - page 2. (Read 5390 times)

sr. member
Activity: 364
Merit: 264
May 11, 2013, 10:11:41 AM
#12
Site bitcoin-ticker.netne.net has been redirected to 127.0.0.1 in my hosts list.

I would suggest doing that, then backing up every wallet in your system and transferring to a new wallet if you believe you have been compromised. Common sense.

And yes, having an unencrypted bitcoin wallet (or any wallet) with substantial funds is stupid. Double facepalm worthy.
newbie
Activity: 20
Merit: 0
May 11, 2013, 10:05:01 AM
#11
@VelvetLeaf

Just downloaded all three and checked their size and SHA-1:
yacoin-qt-2013-05-08.zip (uploaded during YACoin launch) (8,956,974 bytes)
SHA-1:   19b609e227944287a2c96cfbda79c3bb7459ef5c

yacoin-qt-2013-05-09.zip (updated binary) (8,957,000 bytes)
SHA-1:   b5886f224afed6a5705e080494d03f1789d3dc51

cpuminer-scrypt-jane-win32.zip (cpuminer-scrypt-jane-win32.zip)
SHA-1:   9acacfbb7c5c0861b3b2147d96c9dde35d12b0ae

I would have thought it a standard thing for anyone making claims etc. to at least pinpoint where they got their EXE, its size and checksum. Otherwise everything is a bit hearsay.
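One way to run the comparison this post asks for, as an added example that is not part of the original post: it checks a local download against the sizes and SHA-1 values listed above. The function names and the stand-in file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# File name -> (size in bytes, SHA-1), exactly as reported in the post above.
# The post gives no size for the cpuminer archive, so only its digest is compared.
REPORTED = {
    "yacoin-qt-2013-05-08.zip": (8956974, "19b609e227944287a2c96cfbda79c3bb7459ef5c"),
    "yacoin-qt-2013-05-09.zip": (8957000, "b5886f224afed6a5705e080494d03f1789d3dc51"),
    "cpuminer-scrypt-jane-win32.zip": (None, "9acacfbb7c5c0861b3b2147d96c9dde35d12b0ae"),
}


def fingerprint(path, chunk_size=1 << 20):
    """Return (size, sha1_hex) for a file, reading it in chunks."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()


def check(path, manifest=REPORTED):
    """Return 'match', 'unknown-file', or 'mismatch: ...' naming what differs."""
    name = os.path.basename(path)
    if name not in manifest:
        return "unknown-file"  # nothing was reported for this name
    want_size, want_sha1 = manifest[name]
    size, sha1 = fingerprint(path)
    problems = []
    if want_size is not None and size != want_size:
        problems.append(f"size {size} != {want_size}")
    if sha1 != want_sha1.lower():
        problems.append(f"sha1 {sha1} != {want_sha1}")
    return "match" if not problems else "mismatch: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed stand-in file: it carries a reported name but different bytes,
    # so the check is expected to report a mismatch.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "yacoin-qt-2013-05-09.zip")
        with open(sample, "wb") as handle:
            handle.write(b"constructed sample, not the real archive")
        print(check(sample))
```

A match shows only that the file is byte-for-byte the one the poster hashed; it says nothing about whether that file is clean.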
full member
Activity: 224
Merit: 100
May 11, 2013, 10:03:13 AM
#10
Totally uninterested in whether it happened or not. The problem here is 10.000 morons downloading pre-compiled code and running it without the developers having a shred of credibility. Even if it's fine THIS time it's bound to happen very soon considering all you have to do is announce a new 'coin' and post a link and BAM, you got 10k people installing your virus and thanking you for it.
legendary
Activity: 2772
Merit: 1028
Duelbits.com
May 11, 2013, 10:01:14 AM
#9
I don't think there is even need for this. To be honest, the first few posts made me a bit worried as I hold a nice amount of YAC, but come on, what sane man would believe in this after 5 people reported it and hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes.. maybe even coming from one or max. two persons, as the posting style and English were pretty similar... line of fuck offs, line of scam, line of steals, line of caps locks.


could cause everyone to panic and sell theirs at a lower price

That or to promote other coin(s) with royalcoin being first on my suspecting list (nothing against the coin, alt as alt, but people).

Was pretty stupid attempt to be honest, executed very amateurish.
newbie
Activity: 28
Merit: 0
May 11, 2013, 09:59:18 AM
#8
If I was a betting man, I'd put my money on the oversized "antivirus free" minerd.
sr. member
Activity: 644
Merit: 250
May 11, 2013, 09:59:08 AM
#7
You missed a binary in your investigation, the minerd 64bit one https://bitcointalksearch.org/topic/yacoin-windows-7-x64-ssse3-and-avx-support-x86-miner-201027

K.
full member
Activity: 196
Merit: 100
May 11, 2013, 09:57:56 AM
#6
I don't think there is even need for this. To be honest, the first few posts made me a bit worried as I hold a nice amount of YAC, but come on, what sane man would believe in this after 5 people reported it and hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes.. maybe even coming from one or max. two persons, as the posting style and English were pretty similar... line of fuck offs, line of scam, line of steals, line of caps locks.


could cause everyone to panic and sell theirs at a lower price
full member
Activity: 196
Merit: 100
May 11, 2013, 09:56:52 AM
#5
Yes, it's simply FUD. I use the official QT and it's all fine.
legendary
Activity: 2772
Merit: 1028
Duelbits.com
May 11, 2013, 09:54:35 AM
#4
I don't think there is even need for this. To be honest, the first few posts made me a bit worried as I hold a nice amount of YAC, but come on, what sane man would believe in this after 5 people reported it and hundreds or thousands of them have it on their PCs...

It's a lame, lame attempt from some lowlifes.. maybe even coming from one or max. two persons, as the posting style and English were pretty similar... line of fuck offs, line of scam, line of steals, line of caps locks coupled with an artificial and fake "buying 300k of other alt" thread.
hero member
Activity: 683
Merit: 500
May 11, 2013, 09:52:05 AM
#3
I tried these and they look clean:

yacoin-qt-2013-05-09.zip
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs

minerd_scrypt_jane.ZIP
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc


Installed yesterday on a Windows PC to test, had an unencrypted old bitcoin wallet on it with a small amount of bitcoins, no suspicious activity.
legendary
Activity: 1008
Merit: 1000
May 11, 2013, 09:47:11 AM
#2
cpuminer-scrypt-jane-win32.zip
https://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no

If there is indeed a scam my money is on this.

Where can we place bets?
member
Activity: 98
Merit: 10
May 11, 2013, 09:44:46 AM
#1
Claim
There are reports from various people that YAcoin has a built-in wallet stealer.

What you can do
It's a common feature for malware to activate its main task on a random date, and add a mark to the computer so it doesn't do the same thing twice (like uploading the stolen wallet.dat twice after your wallet is already uploaded, it's a waste of resources).
Since you can't be too safe, if you have run YAcoin's client or modified minerd.exe and don't encrypt your wallet, make sure you install Bitcoin on another clean computer and send your bitcoin there.
Make sure you password protect your wallet on that new computer.

Does YACoin really have a malware module in it?
Who knows, it's possible that it's a joke, someone wants to drop YAC's price on the orderbook.
Or, it's the real deal. The attackers want people to believe that all of the various malware reports that we receive now are a joke, and further reports will be ignored once the real attack is really launched.
Hence, the investigation.

Investigation
I'll list what I found here:

List of YACoin related binaries

yacoin-qt-2013-05-08.zip (yacoin's main client, uploaded during YACoin launch)
https://mega.co.nz/#!UowEmZYS!AAK7DVwYoTqy96oTRzUaLCS0UMsAfosJiRQmBn1jzcA
Detection ratio : 0 / 46 https://www.virustotal.com/en/file/7381b3ea8e872d860cf8279b98cb74a01cd21ecebaa1af7e537a040b6c5ad1e7/analysis/1368286925/

yacoin-qt-2013-05-09.zip (yacoin's main client, updated binary)
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs
Detection ratio : 0 / 46 https://www.virustotal.com/en/file/8c1b9dcc90e163a357b3861c10d8cec67c351a928e0b5e1e0dcf74d65d4a4b76/analysis/

cpuminer-scrypt-jane-win32.zip (modified minerd to mine yacoin on multiple computers)
hxxp://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no
Detection ratio : 6 / 46 https://www.virustotal.com/en/file/2b7e630cfb2d173eb14e4dd88a7879527f5c52cbc77ace0c0742942aad46faec/analysis/1368286565/

"antivirus friendly" version of minerd (don't download this, very suspicious)
hxxp://mega.co.nz/#!shoxkb5b!DjiCAQBQ627TaW0oet1C7mvqM7Q2-2u-g4kDRHbniU4
From : https://bitcointalksearch.org/topic/yac-antivirus-friendly-minerd-for-windows-201050
Detection ratio : 16 / 46 https://www.virustotal.com/en/file/0ffa2116bf1027019ad94e9bf8e2340be427d6efbc9563e185096cf8550b4c3a/analysis/1368287421/

minerd_scrypt_jane.ZIP (another modified minerd to mine yacoin on multiple computers)
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc
Detection ratio : 0 / 46 https://www.virustotal.com/en/file/01a79a608d33d1db4eb9382db029e89e581f6e0017ddb566e7826b45370596fd/analysis/

All investigation should be done in a clean virtual machine, otherwise it's useless, since it's possible that your computer is already marked and the malware won't run the wallet-stealing routine twice.

"Victim" List - Alternate cryptocurrency section

FreeTibet / Jr. Member / Posts: 11 / DO NOT DOWNLOAD YACOIN - SENDS WALLET.DAT TO http://bitcoin-ticker.netne.net/u.p
Don't download yacoin Windows binary.. it sends your bitcoin wallet.dat to this page: http://bitcoin-ticker.netne.net/u.php

I observed it with Fiddler. Stay safe, compile the code yourself!

Lewies Man / Jr Member / Posts: 45 / 2.374 bitcoins stolen after downloading yacoin
2.374 bitcoins stolen .. anyone can help?? the last thing I did on this computer was install yacoin..

i didn't have passphrase set but i do have now. yacoin has virus? stole my coins


Brewins / Jr. Member / Posts: 69 / Yacoin developer stole more than 256 BTC!

D35TR0Y3R / Full Member / Posts: 108 / WARNING: YACOIN HAS A VIRUS BITCOIN STEALER
I HAVE LOST MY BITCOINS IT HAS BEING SENT TO https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

UNINSTALL AND DON'T RUN YACOIN

nocompare / Jr. Member / Posts: 14 / yacoin developers are a bunch of crooks, steals 900 BTC
https://blockchain.info/address/1RPrtamTACe1TcqkX2FmWVtRzmQJ6CfRx

I am quitting bitcoin.. Lost bitcoin in bitcoin 24.. lost bitcoin in blockbet.. NOW SOMEONE HACK MY WALLET

"Victim List" - Newbie section

moneytronics / Posts: 1 / YACOIN STEALS YOUR WALLET DO NOT USE
BITCOINS GONE!

TX ID 11b3704b041ebfc8772f43116b69dc70345f1a6c4a873774e6d087a5f6e6691d

DO NOT USE

jebwizoscar /  Posts: 5 / yacoin trojan
yacoin is sending my coins

danieljoseph /  Posts: 1 / yacoin stole my 14.25 btc
What do I do now? I downloaded Yacoin which had a wallet stealer in it. Can I get my coins back? Should I file a police report?

SquishySquish /  Posts: 6 / bitcoin sent from my wallet?
my bitcoins have being sent from my wallet

is it the alt coins I downloaded?

netne.net Whois

Quote
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: NETNE.NET
Created on: 19-Mar-09
Expires on: 19-Mar-14
Last Updated on: 20-Mar-13

Registrant:
Hostinger International Ltd.

61 Lordou Vyronos
Larnaca, 6023
Cyprus

Administrative Contact:
Kyriako, Kyriakos [email protected]
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130

Technical Contact:
Kyriakos, Kyriako [email protected]
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130

Domain servers in listed order:
NS1.000WEBHOST.COM
NS2.000WEBHOST.COM


Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

If you find this helpful, any donation would be welcome:
YAcj1cSecVtCZkPpcPnb2raXdJfb3vzine
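Two checks this thread implies, as an added example that is not part of any post: scanning web-proxy logs for requests to the host named in the reports, and confirming the hosts-file redirect described in post #12. The log layout, the sample lines and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REPORTED_HOST = "bitcoin-ticker.netne.net"  # host named in the reports quoted above
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed proxy log; assumed columns: time client method url status bytes_sent
SAMPLE_LOG = """\
2013-05-11T09:01:12 10.0.0.5 GET http://example.org/index.html 200 0
2013-05-11T09:01:40 10.0.0.5 POST http://bitcoin-ticker.netne.net/u.php 200 81920
2013-05-11T09:02:03 10.0.0.7 GET http://BITCOIN-TICKER.netne.net./ 404 0
2013-05-11T09:02:10 10.0.0.7 GET http://notbitcoin-ticker.netne.net.example.org/ 200 0
"""

# Constructed hosts file; the commented-out line must not count as a redirect.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 127.0.0.1 bitcoin-ticker.netne.net
127.0.0.1 bitcoin-ticker.netne.net
"""


def host_matches(url, host=REPORTED_HOST):
    """True if the URL's host is the reported host or a subdomain of it."""
    try:
        name = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL in the log
        return False
    return name == host or name.endswith("." + host)


def scan(log_text):
    """Return (time, client, method, is_upload) for each request to the host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # not in the assumed layout
        when, client, method, url, _status, sent = parts
        if host_matches(url):
            upload = method in ("POST", "PUT") and sent.isdigit() and int(sent) > 0
            hits.append((when, client, method, upload))
    return hits


def hosts_sinkholed(hosts_text, host=REPORTED_HOST):
    """True if an active hosts-file line maps the host to a local address."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS:
            if host in (name.lower() for name in fields[1:]):
                return True
    return False
```

Requests to the host after the hosts entry is in place point at a machine or process that bypasses local name resolution, which is worth following up on its own.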