Wallet Theft by H - BURST-5BGX-C7EA-A6ET-BAQCD

There is a thread over on BN that I have been following but cannot contribute to…

https://www.burstnation.com/wbb/index.php?thread/3822-money-stolen-security-concerns/&pageNo=1

It’s worth a read as this Guy H has been stealing Accounts for a long time now. Best theory seems to be that they have weak passwords; however, there are numerous Accounts and I would have thought it highly likely that a lot of them would have used the standard 12 word Passphrase?

I have been looking at the stolen Accounts and although there are a lot of new accounts being stolen shortly after creation there are also a number of older ones.

Anyway apart from the serious side of this take a look at this account, which I came across while testing “Weak Passphrases”.

BURST-XPXD-3353-4DS9-64GXF

You will see that the last transaction was by H taking the last Burst from the Account, however what is more interesting are all the transactions from BurstCasino.com. Just wonder what you make of them?

Finally a little game: can you find the Passphrase to this interesting Account, which you will see has earlier in its life contained Millions of Burst? :smile:

Rich

I too want to think that this is because of weak passwords. I played around with simple passwords awhile back, and found many, many accounts. Looking back on one I remember, the account “H” had transferred one coin from it on April 12. This adds to the theory that wallets with weak passwords are being compromised.

Perhaps, this person is going at the wallets in a variety of ways. I have said this before elsewhere, but I NEVER use any online wallets. Not even the ones I have set up myself, not even if they are SSL. You are trusting too many things. First, you are trusting that the administrator of the wallet isn’t malicious. Secondly, you are also trusting that the server that the wallet is on is not compromised, allowing a hacker access to the wallet.

What I currently do when creating passwords, is use the 12 word generator, then add special characters and other words to it, mixed in everywhere. I also only create new wallets with Burst running locally on my machine. I have several anti-virus programs running, but also try to be careful in what is installed on the machine, and what sites I visit. Lastly, I save that generated password on a couple encrypted USB sticks, off of my computer.

@RichBC I only looked briefly at the account… that is interesting about all of those transactions being exactly the same amount. Perhaps that was the max deposit amount?

Yes I am sure they must have been a Max; however, they are all withdrawals from Burst Casino, and the account that a lot of the Burst is then moved to also has a large number of Max withdrawals?

I found it particularly interesting not just because of all those withdrawals but also because an account with Millions of Burst in it had an “Easy” Passphrase. I will leave the Passphrase open to guessing for the moment. :smile:

Rich

Oh, I didn’t even see they were withdrawals, that’s some good winnings if they were won. You would be surprised at the amount of Burst that has gone through accounts with very simple passwords…

To follow up on this, Focus shared his screen with me as he logged into the VPS that the wallet is on for the first time Since July 25th. Time stamps showed that nothing has been tampered with since that date, and no one has logged in since that date. Also while logged in, the whole wallet directory was zipped and moved to the html/ui directory for download - I have downloaded from the wallet server and will be looking at the files. However, there is no reason to believe anything has been compromised.

All of the users whose coins were stolen have passwords generated in different ways… one 12 word, one simple, etc. One of the users was found to be infected with a lot of trojans/malware/etc. (please see the BN thread for a screenshot), but one in particular was brought up.

Brutus.A is a program that allows hackers to crack remote passwords by brute force. This means that the application tries all the possible combinations until it finds the correct one.

Brutus.A supports different user authentication types such as POP3, HTTP, FTP, SMB, etc.

Brutus.A does not pose a risk by itself, but it could be used for cracking passwords illegally.

Further Details

Brutus.A is written in the programming language Delphi. The file is 679,424 bytes in size.

It could be quite likely that a very large undertaking is underway to brute-force Burst passwords. Just imagine if a botnet was processing this for someone…

1 Like

Yes I agree, from the checking I have done I think there are multiple approaches being taken to steal from Wallets.

There are definitely some weak / easily guessable passphrases, there are accounts where the passphrase is a cut and paste of easily accessible data, there are even accounts where the passphrase has been saved in the description field.

I have also been thinking about the number of new accounts that have been hacked, almost before the user has used them and wonder if this from NXT is part of the reason why?

When sending NXT to a new account using the new account’s address the resulting account is protected only by 64 bit account id which is somewhat weak and not by the 256 public key which provides ultimate protection.

The risk is that someone can brute force a passphrase that maps into the same account id so that both accounts are indistinguishable so that the attacker can spend the funds in this address.

More specifically, the reason why this one-time extra step is necessary is because the 8-byte account ID is much shorter than the 32-byte public key it is derived from. There are many secret passphrase/public key pairs that reduce to the same account ID (2^192 keys). But once a particular public key is associated with an account ID by storing it in the blockchain, no other secret passphrase that generates a different public key can access that account.

I have not done the maths but wonder if someone has some Brute Force code and is using it on Accounts before the Public key has been associated?

Rich
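To make the NXT quote above concrete, here is an added toy model (my own code, not Burst's or NXT's) of the account-id truncation and the binding rule: the id is the first 8 bytes of SHA-256 over the 32-byte public key, so 2^192 keys share each id, and a colliding key can spend only until the rightful key has been published by an outgoing transaction. The id width is a parameter purely so the demo can construct a collision at a 1-byte toy width; the real 8-byte id is what the thread is talking about.

```python
import hashlib

PUBKEY_BYTES = 32  # NXT/Burst public keys are 32 bytes; the on-chain id keeps only 8

def account_id(public_key: bytes, id_bytes: int = 8) -> int:
    # Account id = leading bytes of SHA-256(public key) read as a little-endian integer.
    # id_bytes is a parameter only so the collision below can be built at a toy width.
    return int.from_bytes(hashlib.sha256(public_key).digest()[:id_bytes], "little")

def keys_per_id(id_bytes: int = 8) -> int:
    # Distinct 32-byte keys that reduce to any one id: 2^(256 - 8*id_bytes), i.e. 2^192.
    return 2 ** (8 * PUBKEY_BYTES - 8 * id_bytes)

class Ledger:
    """Toy model of the binding rule quoted in the thread (not Burst's own code)."""
    def __init__(self, id_bytes: int = 8):
        self.id_bytes = id_bytes
        self.balance = {}  # account id -> balance
        self.bound = {}    # account id -> public key, once an outgoing tx published it

    def deposit(self, to_id: int, amount: float) -> None:
        # An incoming transfer carries only the recipient id, so it binds no key.
        self.balance[to_id] = self.balance.get(to_id, 0) + amount

    def spend(self, public_key: bytes, amount: float) -> bool:
        acct = account_id(public_key, self.id_bytes)
        bound = self.bound.get(acct)
        if bound is not None and bound != public_key:
            return False  # key already on-chain: a colliding key is rejected
        if self.balance.get(acct, 0) < amount:
            return False
        self.bound.setdefault(acct, public_key)  # first outgoing tx binds the real key
        self.balance[acct] -= amount
        return True

def find_colliding_key(public_key: bytes, id_bytes: int) -> bytes:
    # Enumerate keys until one shares the truncated id; only feasible at toy widths.
    target, i = account_id(public_key, id_bytes), 0
    while True:
        cand = i.to_bytes(PUBKEY_BYTES, "big")
        if cand != public_key and account_id(cand, id_bytes) == target:
            return cand
        i += 1

def demo(id_bytes: int = 1) -> dict:
    owner = hashlib.sha256(b"constructed owner passphrase").digest()  # stands in for a key
    other, acct = find_colliding_key(owner, id_bytes), account_id(owner, id_bytes)
    fresh, secured = Ledger(id_bytes), Ledger(id_bytes)
    for ledger in (fresh, secured):
        ledger.deposit(acct, 9)
    secured.spend(owner, 0)  # e.g. a 0-Burst naming tx: publishes the owner's key
    return {"spent_before_binding": fresh.spend(other, 8),
            "spent_after_binding": secured.spend(other, 8)}
```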

I might not be following this correctly, but I would think that this would only be a problem if people aren’t securing their account after getting it. It basically says that multiple passphrases map to the same public key…but I would think the likelihood of someone not only not securing their account, but also transferring coins into it for storage unlikely.

Many of the Accounts have had Burst stolen before the Account has been secured with an outgoing Transaction. Here is a typical example.

BURST-DHC3-9Y7N-4ZMY-79ETA

5213651760999170638   8 Burst   5BGX-C7EA-A6ET-BAQCD   2017-08-17 12:20:35
6342535251799662311   9 Burst   R8SQ-TUEM-DTHQ-7ATA3   2017-08-16 15:26:59

A transfer in of 9 Burst from Polo and the H taking 8 Burst the next Day.

Rich

Interesting…I thought that none of the exchanges would transfer to a non-secured account.

From Poloniex you can send to fresh accounts. Some people send from Bittrex to Polo to new accounts to set name and reward assignments.

1 Like

Well I was beginning to think that H was having a Day off. He usually puts in a 12 hour Day and steals from around 10 Wallets, but was scraping the Barrel Today with just one.

1871849445206973523    0.86 Burst   5BGX-C7EA-A6ET-BAQCD   2017-08-19 21:49:16
1565992003713920857    1.86 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-19 21:22:16
7581580700087739737    1.26 Burst   5BGX-C7EA-A6ET-BAQCD   2017-08-18 10:57:21
15263630805689181849   2.26 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-18 10:49:11
13738225699693398795   0.45 Burst   GG3A-NTAY-P9FX-HQR3N   2017-08-17 16:02:00
18340993629182924990   0.39 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-17 10:56:21
4226053399345782474    0.79 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-16 08:22:24
6530392930506248897    0.27 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-15 02:32:47
4682239900284195042    0.73 Burst   5BGX-C7EA-A6ET-BAQCD   2017-08-14 07:24:02
9430263106728071632    1.73 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-13 20:52:13
3123029269002446697    3.75 Burst   W3TN-5AHU-XQD6-CRKBF   2017-08-09 17:01:04
12975836472832210794   4.18 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-09 16:47:53
3820267307844968429    0.56 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-08 13:59:29
11823297907748440695   1.99 Burst   W3TN-5AHU-XQD6-CRKBF   2017-08-06 02:01:00
17782606578564408894   1.52 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-06 01:51:27
17338072525417570654   0.08 Burst   ZDKQ-BK92-67A5-DGENX   2017-08-05 01:12:40
11916579925609536586   1.4  Burst   ZDKQ-BK92-67A5-DGENX   2017-08-02 19:16:14
13566683558380579937   0    Burst   ZDKQ-BK92-67A5-DGENX   2017-07-27 11:53:47
3930335556783825484    1    Burst   FLFT-MRRF-GKM9-6RRPT   2017-07-27 06:11:39
4138138949520317498    0    Burst   /                      2017-07-26 03:33:04
2967863274547229395    1    Burst   FLFT-MRRF-GKM9-6RRPT   2017-07-26 03:25:46

So this is Account N2KK-TUUP-2KFX-BX8YH

The Account was opened on 26 July with a deposit from Daforce's Faucet, followed by naming the Account flowcash; he then does a reward Assignment to BurstNation Burst4All Main Pool - A pool for All Miners (where I happen to be Mining at the moment) and starts Mining.

Earnings are not that great, so he must be quite a small miner, and fortunately he collects the earnings every few Days and sends them to an Account aptly named Hoover, which also gathers coins from other exploits.

Everything was going along quite nicely until 5 Days ago when H somehow got hold of the Passphrase. You can see he steals the 0.73 Burst that was in the account at that time.

H then returns again Yesterday taking 1.26 Burst and again Today taking 0.86 Burst.

This is a pretty common tactic for H and there are some accounts that he has systematically raped on a Daily basis over long periods of time.

So flowcash if you read this please let us know, as we need to try and work out all of the techniques that H is employing?

There is more to this than just weak Passphrases, and I have theories on several of them but what would be good is more feedback from people who have had Burst stolen from Accounts?

Rich

2 Likes
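The pattern Rich reads off by hand above (drained before the first outgoing transaction versus secured and then skimmed repeatedly) can be checked mechanically. This is an added example, not code from the thread: it parses constructed tab-separated histories for the DHC3 and N2KK accounts copied from the posts, with an IN/OUT direction column added by me, which is my assumption based on Rich's narrative, and reports how each account was drained.

```python
from datetime import datetime

H_ADDR = "5BGX-C7EA-A6ET-BAQCD"  # the address the thread attributes to H

# Constructed samples: rows copied from the thread, with a direction column (IN/OUT)
# added by me; direction is inferred from the posts' narrative and is an assumption.
DHC3_HISTORY = """\
6342535251799662311\tIN\t9\tR8SQ-TUEM-DTHQ-7ATA3\t2017-08-16 15:26:59
5213651760999170638\tOUT\t8\t5BGX-C7EA-A6ET-BAQCD\t2017-08-17 12:20:35"""

N2KK_HISTORY = """\
2967863274547229395\tIN\t1\tFLFT-MRRF-GKM9-6RRPT\t2017-07-26 03:25:46
4138138949520317498\tOUT\t0\t/\t2017-07-26 03:33:04
4682239900284195042\tOUT\t0.73\t5BGX-C7EA-A6ET-BAQCD\t2017-08-14 07:24:02
7581580700087739737\tOUT\t1.26\t5BGX-C7EA-A6ET-BAQCD\t2017-08-18 10:57:21
1871849445206973523\tOUT\t0.86\t5BGX-C7EA-A6ET-BAQCD\t2017-08-19 21:49:16"""

def parse(text: str) -> list:
    rows = []
    for line in text.splitlines():
        txid, direction, amount, peer, ts = line.split("\t")
        rows.append({"txid": txid, "dir": direction, "amount": float(amount), "peer": peer,
                     "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")})
    return sorted(rows, key=lambda r: r["time"])  # the wallet UI lists newest first

def analyze(rows: list, drain_addr: str = H_ADDR) -> dict:
    outgoing = [r for r in rows if r["dir"] == "OUT"]
    deposits = [r for r in rows if r["dir"] == "IN"]
    drains = [r for r in outgoing if r["peer"] == drain_addr]
    # The first outgoing tx (even a 0-Burst naming tx to "/") is what publishes the
    # public key; if the thief made it, the funds left before the account was ever secured.
    before_secured = bool(outgoing) and outgoing[0]["peer"] == drain_addr
    hours = None
    if drains and deposits:
        hours = (drains[0]["time"] - deposits[0]["time"]).total_seconds() / 3600
    return {"drain_count": len(drains),
            "drained_total": round(sum(r["amount"] for r in drains), 8),
            "drained_before_secured": before_secured,
            "hours_to_first_drain": hours,
            "drain_days": sorted({r["time"].date().isoformat() for r in drains})}

if __name__ == "__main__":
    for name, text in (("DHC3", DHC3_HISTORY), ("N2KK", N2KK_HISTORY)):
        print(name, analyze(parse(text)))
```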

Can I just point out for new users that this account has nothing to do with the Burst-Team admin Haitch, thanks :slight_smile:

2 Likes

Yes very good point on haitch & H two different people. My objective here is to share what I am finding from the Blockchain sequence of events from some of the steals in an attempt to understand the techniques that are being used by H to get at these accounts.

Would be nice to reveal who H is or just to share some more things to do or not to do with your Wallet. Anyone else that wants to wade in with ideas or research please feel free. The only slight nervousness I have in doing this is that there is a very narrow line between being another H or a Burst Superhero.

Rich

H stole 200 burst from my account.

Can you give us the account Address and any other info and thoughts you have on how it might have happened. Also if you are willing can you PM me the Passphrase?

Do you mean dash or Burst?

Rich

BURST-5BGX-C7EA-A6ET-BAQCD is his account. H took 125 and 95 the next day because that day was payout day, and burstcoin just told me it’s because of my weak passphrase. I also meant burstcoin.

1 Like

I meant burstcoin

Yes I know his Account :slight_smile: What was your Account? I can’t find it, so this theft must have been a few days ago?

Rich

BURST-J7FV-S34S-QQWH-GWFMT That’s my account

Are you sure that is the right Account. Yes it has been stolen from by H, but there are 7 Steals dating back to the middle of April?