How I hacked hundreds of Bitcoins! AMA

in bitcoin •  2 years ago

It all began 3 years and 3 months ago.

Beginning 2013:

I was a hacker who focused on phishing victims' bank details and selling them. I was working full time in a company and doing this black market stuff in my free time. It was not really lucrative. I was earning around 2000$/month with it. Until May 2013 I sold the bank data in underground forums for Liberty Reserve, an anonymous payment system which mostly cybercrime hackers used to get paid. I sent the money in Liberty Reserve to other people in underground forums and they sent me hard cash to a drop-off point. As a hacker I of course need a non-logging VPN and a TrueCrypt-encrypted computer.

And then this happened:

http://www.telegraph.co.uk/finance/10085600/Liberty-Reserve-shut-down-in-6bn-money-laundering-case.html

Luckily enough I had cashed out my whole balance in Liberty Reserve some days before. But I had to choose something else since I didn't want to shut down my business. This was the day I became a Bitcoin user.

So I opened a Blockchain.info account and continued to get paid in BTC instead. At that time Bitcoin was around 80$-100$/coin.

I continued my business and got myself anonymous Bitcoin debit cards (to cash out my bitcoins).

Part of my business was also to get e-mail addresses of customers to send out phishing mails. I got the e-mails from websites with SQL injection. I dumped their databases and sent the phishing attacks.

In June 2013 I got an idea. Why not search for SQL injections in Bitcoin-related websites?

I was lucky and hacked a small bitcoin website with around 100 users. To my surprise the database saved e-mails, usernames and passwords in plain text. That's a lucky moment for hackers because they don't have to go through cracking to get the passwords.

So what to do with this data? Phishing wasn't a good idea for bitcoin. So the first thing I tried was to check if some of these e-mail/password combos would work for the e-mail inbox. Around 5 people used the same password for their mail inboxes. One of those had an e-mail which looked familiar to me: he had the same welcome e-mail from blockchain.info that I also received when I opened an account there. So the first thing I tried was to log in to blockchain.info with the victim's username and password. And look there: 5BTC. I felt like a lucky person. Around 400$ instantly. I had to work nearly one week with my old business for that amount. Doing this I realized that back in the day you could log in with username and password only on blockchain.info!

No e-mail confirmations - No silly GUIDs.

It was clear what I had to do! I checked the whole list of 100 usernames and passwords I dumped on blockchain.info.

A few accounts with nothing interesting in it and then: 92BTC - Wow. Around 100BTC on my first day! 

I registered on localbitcoins.com and arranged a meeting a few days later to sell those bitcoins. It was around 8000$ hard cash earned on my first day! I felt like I was in heaven. Money which took me at least 4 months to earn with my old business, now in one day.

Back with the hard money it was obvious to me that I needed to forget about my old business and concentrate on this Bitcoin stuff!

So I tried to hack more websites. And I was lucky. I hacked several Bitcoin-related websites, dumped their databases and tried to check if the users were also registered on blockchain.info, later also on localbitcoins.com, MTGox, BIPS and other bitcoin wallet websites. It was quite lucrative.

After some time I found a SQL injection in a website named bitcoinbuilder.com.

It looked like the founder had his MTGox API details entered in the database. So I checked the balance and I couldn't believe my eyes. 400 Bitcoins were in his MTGox account. But I only had the MTGox API details and no access to his e-mail inbox, because he used a different password for his e-mail inbox than the password which was in the database. So I tried to withdraw these 400 Bitcoins. Denied. The limit on MTGox only allowed withdrawing 100BTC each month. And as I didn't have e-mail access I couldn't try to lift the limit. So I ended up withdrawing 100BTC from his MTGox account using the API and another 40BTC which he had on Coinbase (as these API details were also saved in the database) from his Shirtoshi webshop. At that time Bitcoin was 100$/coin, so it was another highlight, "earning" 14000$ on a single hacked website. But what I had to see was way too much for me. He saved his Blockchain.info details also in the backend. There was no BTC in it, but there was 10000BTC (yes, nowadays worth 5.7 million $) on his bitcoin address:

Address: 122p9VdTQdxgpN8aw1VF85dZJgG6tP8jUF 

Message: hacker0 on steemit

Signature: G9ZJuy4QSN2JGYRVcURmGiLSMbXCFHwTTgzm3AaMB36UWmjtf3YYILe15P8Wm2j0sM+rUwZbXUVA6vYZpNB7lGA=

nearly 1 year ago on that time.

After some lucrative time I decided to try something new, because as time passed people started using stuff like 2-factor authentication, and blockchain.info decided to use GUIDs instead of just usernames, and stuff like e-mail confirmations when I tried to log in to users' wallets from a "new PC". Why not try to infect users with trojans?

But the question was how. I searched for vulnerabilities in Bitcoin-related websites which had software to download. I found some websites, for example:

I packed the software with my trojan in it. Most of the users were sadly only people who were hanging around most of the time on Bitcoin faucet sites and did not have much balance. But there were also people like this:

A guy who dealt with ~60k $ worth of bitcoins everyday!

Unluckily for me he used 2-factor authentication the right way, so I ended up only getting some BTC when he copied a 12000$ BTC-E code, which I could steal by retrieving his clipboard.

Then one person who worked at a Russian payment exchange downloaded the infected software. And while he was surfing I saw his BTC-E balance: 33000$. I knew I had to get it. But how? I saw he also used 2-factor authentication. So I waited until he was still logged into BTC-E but was AFK (toilet, I guess). I blocked his computer's access to the BTC-E servers with the hosts file and set up a fake BTC-E website where the only window opened was the 2-factor authentication code he could enter. On my side I opened his BTC-E account using the cookies he had and using his machine as a SOCKS5 proxy (as BTC-E would terminate the session if they detected the same cookie being used on 2 different IPs). Then I converted the 33000$ into 78BTC and clicked on the withdraw button, where I only had to enter the 2-factor authentication code. When he came back he saw the fake 2-factor authentication website open in his window, grabbed his phone and entered the 2FA code. I copied it and entered it on my side, quickly confirmed the BTC-E confirmation mail and deleted it. 5 minutes later:

Coming to an end I can say some stuff regarding security.

Not using 2-factor authentication, saving passwords in clear text in databases, using the same passwords on different websites: all this stuff made my "career" much easier.
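Seen from the wallet service's side, the account checks described in the post leave a recognisable trace: one source address trying many different usernames in a short time, with a few logins succeeding. The following detection sketch is an added example, not part of the original post; the log format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log; assumed format: "<epoch> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1004 203.0.113.7 bob FAIL
1009 203.0.113.7 carol OK
1013 203.0.113.7 dave FAIL
1020 203.0.113.7 erin FAIL
1026 203.0.113.7 frank OK
1030 198.51.100.4 grace FAIL
1035 198.51.100.4 grace FAIL
1041 198.51.100.4 grace OK
5000 192.0.2.9 heidi OK
"""

def parse(log):
    """Turn log text into time-ordered (ts, ip, user, ok) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of failing the whole run
        events.append((int(parts[0]), parts[1], parts[2].lower(), parts[3] == "OK"))
    return sorted(events)

def find_stuffing(events, window=300, min_users=5):
    """Return {ip: usernames with a successful login} for every source IP that
    tried at least `min_users` distinct usernames within `window` seconds."""
    recent = defaultdict(deque)  # ip -> (ts, user) pairs inside the sliding window
    flagged = set()
    for ts, ip, user, _ok in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= min_users:
            flagged.add(ip)
    # Second pass: successes from a flagged IP count even if they happened
    # before the threshold was reached; those accounts need a forced reset.
    hits = {ip: set() for ip in flagged}
    for _ts, ip, user, ok in events:
        if ok and ip in flagged:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}
```

A user who mistypes their own password several times (the `198.51.100.4` lines) is not flagged, because only one username is involved.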


You can send some bitcoin to me, being a generous thief or Robin Hood. Here is my address:
13EAdpiewWrHo2GhhsVUTHaHmWGfNNwEsE

Hi Hacker0, i need your help pls. This is my BTC address: 19C3JvzfTEpCQNfwETntRTymsuw8Cr2CH7
Thanks F.

hacker0, please see my post and provide some insight into my issue. I got hacked REAL bad and it's been tough seeing through the mayhem. https://steemit.com/deephacking/@entr0py4all/the-worst-hacking-story-ive-ever-heard-is-my-own

hacker0 I am dirt poor but long holding bitcoins (I just hope I'm not too late) can you give me any at all? Even 100$ is worthwhile for my financial situation. I got a family to support and I'm failing at it pretty bad because I'm "too nice" to get ahead in life. 1AoeFZR9cn3DRH8EgZSk6tfomRwdczP5jN


God damn bro, what a true story... I only got some coins out of this type of work, sadly that was years ago... doing bug bounty hunting, rewards were high.

I don't know how hard you worked, but since you said you felt lucky, that's how I am feeling today, so here's my address. Any amount will be highly appreciated.

1F2xcedHWsqwrQnFwywBDS2wnzX2ZV9KC


I have a BTC address I want you to hack. Up for the challenge? I only have an e-mail address and BTC address for him.

Please, how can I be your apprentice? You really inspire me.

Well, I am a computer science student... I want to be a hacker, so can you help me with that? Well, I want to be an ethical one though, so that I can perform pentesting to earn some bucks. I would love to learn from an experienced hacker like you :)

Shame on you, stealing from hard working people and it seems to make you happy.


I am just honest and wanted to write everything down.


You were honest. Is there a way you can help in getting back my bitcoins stolen by another hacker? :(

How do I contact you?

I know a hacker who flips BTC and has made a shit load of money for himself. He now offers this as a service and I've been able to benefit from it too. Seemed unreal initially but it was the easiest bucks I ever made. You can contact him at hacklordwiz@gmail.com for other ethical/unethical hacks also... you will thank me later.

Thanks for sharing your story, really interesting how people like you hack others. Followed for more!

Please hacker0... help me with bitcoins... Please, this is my address:
1A1P4fGCg8EZXp6zyGkqKY4HpsoWG4cHjM

People like this are everywhere. That was how one stole my coins, thanks to some friends though. Once you see you lost your wallet or someone stole your bitcoin, you can use this Tor help link: https://venomthreads.com

How about doing the same job of around 10000 BTC? Wanna try again?

If you're still alive, you should consider helium and a bag. You suck.

F*** you, because of you (this kind of people) hacking others' wallets, my hard-earned Bitcoin from faucets.

Some bitcoin and binary option schemes are mostly real, while some of them are platforms to rip people off of their funds. Most of these platforms that are not real are the ones that are created on some media platforms like Telegram, WhatsApp, Twitter and so on... they are mostly used to lure people into a group in order to convince them to invest their funds, and they'd later stop giving them their profits or stop the group's activities. There are websites that are used for the bitcoin and binary options schemes too in order to rip people off. About three months ago, my friend was caught up in the same scheme on Telegram, but he was lucky because he opened up early enough and sought help and a solution before he later got help on https://assetflashback.com to get his funds back. So I think people should be very careful and take their time to examine and conduct research before they invest their funds. Best regards.