How I hacked hundreds of Bitcoins! AMA

in #bitcoin, 8 years ago (edited)

It all began 3 years and 3 months ago.

Beginning 2013:

I was a hacker who focused on phishing victims' bank details and selling them. I was working full time in a company and doing this black market stuff in my free time. It was not really lucrative. I was earning around 2000$/month with it. Until May 2013 I sold the bank data in underground forums for Liberty Reserve, an anonymous payment system which mostly cybercrime hackers used to get paid. I sent the money in Liberty Reserve to other people in underground forums and they sent me hard cash to a drop-off point. As a hacker I of course need a non-logging VPN and a TrueCrypt-encrypted computer.

And then this happened:

http://www.telegraph.co.uk/finance/10085600/Liberty-Reserve-shut-down-in-6bn-money-laundering-case.html

Luckily enough I had cashed out my whole balance in Liberty Reserve some days before. But I had to choose something else since I didn't want to shut down my business. This was the day I became a Bitcoin user.

So I opened a Blockchain.info account and continued to get paid in BTC instead. At that time Bitcoin was around 80$-100$/coin.

I continued my business and got myself anonymous Bitcoin debit cards (to cash out my bitcoins).

Part of my business was also to get e-mail addresses of customers to send out phishing mails. I got the e-mails from Websites with SQL-Injection. I dumped their databases and sent the phishing attacks.

In June 2013 I got an idea. Why not search for SQL-Injections in Bitcoin related websites?

I was lucky and hacked a small bitcoin website with around 100 users. To my surprise the database saved e-mails, usernames and passwords in plain text. That's like a lucky moment for hackers because they don't have to go through cracking to get the passwords.

So what to do with this data? Phishing wasn't a good idea for bitcoin. So the first thing I tried was to check if some of these e-mail password combos would work for the email inbox. Around 5 people used the same password for their mail inboxes. One of those had an email which looked familiar to me. He had the same welcome e-mail from blockchain.info that I also received when I opened an account there. So the first thing I tried was to log in to blockchain.info with the victim's username and password. And look there - 5BTC. I felt like a lucky person. Around 400$ instantly. I had to work nearly one week with my old business for that amount. Doing this I realized that back in the days you could log in with username and password only on blockchain.info!

No e-mail confirmations - No silly GUIDs.

It was clear what I had to do! I checked the whole 100 username and password list I dumped on blockchain.info.

A few accounts with nothing interesting in it and then: 92BTC - Wow. Around 100BTC on my first day! 

I registered on localbitcoins.com and arranged a meeting a few days later to sell those bitcoins. It was around 8000$ hard cash earned on my first day! I felt like I'm in heaven. Money which I earned in at least 4 months with my old business, now in one day.

Back with the hard money it was obvious for me that I needed to forget about my old business and concentrate on this Bitcoin stuff!

So I tried to hack more websites. And I was lucky. Hacked several Bitcoin related websites, dumped their databases and tried to check if the users were also registered on blockchain.info, later also on localbitcoins.com, MTGox, BIPS and other bitcoin wallet websites. It was quite lucrative.

After some time I found a SQL-Injection in a website named bitcoinbuilder.com.

It looked like the founder had his MTGox API details entered in the database. So I checked the balance and I couldn't believe my eyes. 400 Bitcoins were in his MTGox account. But I only had the MTGox API details and no access to his email inbox because he used a different password for his email inbox than the password which was in the database. So I tried to withdraw these 400 Bitcoins. Denied. The limit on MTGox only allowed withdrawing 100BTC each month. And as I didn't have email access I couldn't try to lift the limit. So I ended up withdrawing 100BTC from his MTGox account using the API and another 40BTC which he had on Coinbase (as these API details were also saved in the database) from his Shirtoshi webshop. At that time Bitcoin was 100$/coin so it was another highlight "earning" 14000$ on a single hacked website. But what I had to see was way too much for me. He saved his Blockchain.info details also in the backend. There was no BTC in it but there was 10000BTC (yes, nowadays worth 5.7 million $) on his bitcoin address:

Address: 122p9VdTQdxgpN8aw1VF85dZJgG6tP8jUF 

Message: hacker0 on steemit

Signature: G9ZJuy4QSN2JGYRVcURmGiLSMbXCFHwTTgzm3AaMB36UWmjtf3YYILe15P8Wm2j0sM+rUwZbXUVA6vYZpNB7lGA=

nearly 1 year ago on that time.

After some lucrative time I decided to try something new, because as time passed people started using stuff like 2-factor authentication, and blockchain.info decided to use GUIDs instead of just usernames, and stuff like e-mail confirmations when I tried to log in to users' wallets from a "new pc". Why not try to infect users with trojans?

But the question was how. I searched for vulnerabilities in bitcoin related websites which had software to download. I found some websites, for example:

I packed the software with my trojan in it. Most of the users were sadly only people who were hanging out most of the time on Bitcoin faucet sites and did not have much balance. But there were also people like this:

A guy who dealt with ~60k $ worth of bitcoins everyday!

Unfortunately for me he used 2-factor authentication the right way, so I ended up only getting some BTC when he copied a 12000$ BTC-E code which I could steal by retrieving his clipboard.

Then one person who worked at a Russian payment exchange downloaded the infected software. And while he was surfing I saw his BTC-E balance. 33000$. I knew I had to get it. But how? I saw he also used 2-factor authentication. So I waited until he was still logged into BTC-E but was afk (toilet I guess). So I blocked his computer's access to the BTC-E servers with the hosts file and set up a fake BTC-E website where the only window opened was the 2-factor authentication code field he could enter. On my side I opened his BTC-E account using the cookies he had and using his machine as a socks5 (as BTC-E would terminate the session if they detect the same cookie is used on 2 different IPs). Then I converted the 33000$ into 78BTC and clicked on the withdraw button where I only had to enter the 2-factor authentication code. When he came back he saw the fake 2-factor authentication website opened in his window, he grabbed his phone and entered the 2FA code, I copied it and entered it on my side, quickly confirmed the BTC-E confirmation mail and deleted it. 5 minutes later:

Coming to an end I can say some stuff regarding security.

Not using 2-factor authentication, saving passwords in clear text in databases, using the same passwords on different websites - all this stuff made my "career" much easier.

You can send some bitcoin to me, being a generous thief or Robin Hood, here is my address
13EAdpiewWrHo2GhhsVUTHaHmWGfNNwEsE

Hi Hacker0, I need your help pls. This is my BTC address: 19C3JvzfTEpCQNfwETntRTymsuw8Cr2CH7
Thanks F.

hacker0, please see my post and provide some insight into my issue. I got hacked REAL bad and it's been tough seeing through the mayhem. https://steemit.com/deephacking/@entr0py4all/the-worst-hacking-story-ive-ever-heard-is-my-own

please hacker0...
help me with bitcoins....
Please
this is my address
1A1P4fGCg8EZXp6zyGkqKY4HpsoWG4cHjM

God damn bro what a true story ... i only got some coins out of this type of work sadly that was years ago... doing bug bounty hunting rewards were high

I don't know how hard you worked but since you said you felt lucky, that's how I am feeling today, so here's my address. Any amount will be highly appreciated.

1F2xcedHWsqwrQnFwywBDS2wnzX2ZV9KC

I have a btc address I want you to hack. Up for the challenge? I only have an email address and btc address for him.

Please, how can I be your apprentice? You really inspire me.
