BITCOMSEC and the Tracking of a Hacker

This is the story about how one hacker was able to infiltrate an up-and-coming exchange, steal its coins, and essentially leave it in ruins.

No, it’s not Mt. Gox, unfortunately.

This is the story of the demise of CryptoRush.in as told by BITCOMSEC (Bitcoin Community Security Project), a group of developers who seek to improve the reputation of Bitcoin by improving security across the community. During the spring of 2014, CryptoRush was thrown into disarray as the result of a hack (actually two), and the good people at BITCOMSEC decided to do what they could to figure out what happened and expose the perpetrator. We thought it would be helpful to relay what BITCOMSEC found, both to show that there are people out there working for better security in Bitcoin and to publicize the lessons of what they discovered.

The Founding of CryptoRush.in

In 2013 there was a rush to create altcoins to mimic the success that Bitcoin was experiencing. Some of these were serious attempts to find better ways to do things that Bitcoin was attempting, some were frankly pump-and-dump operations that crypto-enthusiasts still need to be aware of and avoid, and some were tongue-in-cheek attempts to have a bit of fun and which gained some measure of success due to the fun-loving nature of the communities that grew up around them. One of these was CoinyeCoin, named after the noted rapper Kanye West.

Kanye, unfortunately, didn’t see the humor in having his face used as the emblem for the coin. Admittedly, the image, his head merged with a fish tail, was not very attractive. Kanye issued a cease-and-desist order and, after a short time, the creators of the coin abandoned it rather than face legal action. The creators might have abandoned it, but the community didn’t, and a number of members of the community tried to keep it alive. Finding no place to exchange the coin, CoinyeCoin enthusiast LinkandZelda decided to create an exchange to handle the sale of this and a slew of other less-than-prime altcoins in addition to Bitcoin and Litecoin. Opening its doors in early 2014, the new exchange gained some popularity and trading volumes began to rise.

The Hacker Begins

The hacker didn’t start by targeting CryptoRush. At about the same time as LinkandZelda was mining CoinyeCoin and starting to plan the new exchange, the hacker was setting up an altcoin mining pool called extrapool.com. In the altcoin mania of the time, this site, like many others, got a number of users wanting to maximize their mining returns. Unfortunately, the owner of the site was a Filipino from Cebu island named Jimmy Bluey Amatong. The site soon amassed a score of accusations of being a scam for non-payment. When the accusations hit critical mass, the site went offline, taking all the coins mined by its customers with it.


It would have been bad enough if this had been the end of the story, but unfortunately Amatong was not finished. All the time that his mining site was running, a script he had installed was collecting the login credentials of all his customers. After the demise of his site, Amatong set about scouring exchanges, email accounts, Dropbox accounts, etc. for anyone who was lax enough to use the same password across their accounts. One would think that people savvy enough to be using Bitcoin in 2013, or technically skilled enough to start an altcoin exchange, would know enough to use good password hygiene, but Amatong apparently found a lot of good coins just lying around to be picked up.

The Hacker Strikes

One of the people whose password was exposed on extrapool.com was LinkandZelda, and Amatong soon found himself with access to CryptoRush’s backup servers. Amatong began a very crafty slow leech of coins from the CryptoRush wallets. He probably would have been able to get away with this for much longer than he did, but only a month or two after his initial breach, another hacker cracked into CryptoRush and swept more than 800 BTC from their wallets. Amatong, panicked that his golden goose was about to expire, began a mass sweep of all the altcoin wallets on the CryptoRush servers.

According to BITCOMSEC, Amatong was able to use his ill-gotten gains to move his family out of an apartment from which they had been threatened with eviction and into a much nicer place on Cebu, and posts show a very nice white Ford truck that Amatong bought. I won’t go into the specifics of how BITCOMSEC discovered all this here, but if you are interested, and especially if you want to see the logs that BITCOMSEC was able to follow, you can read their original post here.

The Aftermath at CryptoRush

This part of the story is documented on BitcoinTalk.org and Reddit. After the loss of the exchange’s coins, the management decided that they would try to issue CryptoRush shares which would pay out a percentage of fees to holders. Their story was that one of the CryptoRush staff, a person who went by the name Fyrstikken, would hold 60% of the shares, building trust in their value because of his significant stake. In reality, he would hold only 10%, meaning that the exchange would be trying to recapitalize with this sale and would (initially, they probably thought) make payouts from sales.

I’ve heard it said that most Ponzi schemes do not start as Ponzis, but rather are legitimate businesses that find themselves in trouble for one reason or another, try to make good on the back of increased investment, and then find themselves in a vicious cycle wherein they pay off old investors with the proceeds from new ones. Before this nascent Ponzi really got its chance to get off the ground, infighting within Cryptocoin and a very public battle between the developers of Darkcoin and Fyrstikken brought the exchange down.

CryptoRush Reborn

If you go looking for any of the sites associated with Jimmy Amatong, you’ll find them down – probably due to the negative exposure given them by BITCOMSEC. If you go looking for CryptoRush, you’ll find that it’s still up and running, now under the management of King Dragon. They have been posting on their blog since December of last year, and as of January 12 had announced the addition of 2FA for withdrawals. From what we can tell, volumes are low, but given that we are still at the early stages of the cryptocurrency revolution, there’s nothing to say that it couldn’t build a reputation for honesty and security despite (and perhaps even because of) its troubled start.

The Takeaway

As BITCOMSEC note in the conclusion of their own posting on this, people need to take responsibility for their own security:

  • Do not use the same password for multiple sites, especially login credentials to servers.
  • Pay attention to your account on third party services, and never leave extra funds in online accounts.
  • Even if the SSL certificate looks and seems legit – click on the Lock icon next to the domain and confirm the domain, name and contact information of your destined company.

To this we’ll add a couple more:

  • Never trust a site that is run under a pseudonym. Bitcoin Warrior learned this lesson the hard way when we trusted TradeFortress at CoinLenders. CoinLenders lent depositors’ coins to exchanges or other businesses that needed Bitcoin liquidity and paid handsome interest rates. This site is another one that was probably honest at the start and that would likely have turned Ponzi had it not been for a hack. Due to the rising price of Bitcoin (November 2013) and the reduced value of the ‘mining shares’ that TradeFortress used as collateral, the economics had turned against the business model. It may be that TradeFortress, seeing the trend, decided to hack himself, or it may be that he legitimately got hacked. In either case, after the hack, there was no holding TradeFortress accountable, or even getting reliable information from him. Eventually he ran away to China.
  • Never invest in businesses that offer returns that seem too good to be true. Again, CoinLenders falls in this category, but we are also seeing various crypto-investment opportunities advertised – arbitrage, cloud mining, etc. What really strikes us about many of these opportunities is that even casual research will turn up many people calling out these opportunities as scams. This research will often also turn up people who invest knowing that these businesses are scams. The rationale is that if you get in early, you can get big returns that the sites pay as ‘proof’ of their legitimacy to pull in even more suckers. The trick is simply getting out before the site disappears. There are several problems with this rationale: First, you are feeding the beast and allowing it to grow instead of starving it as should be done. Second, you are an accessory to the crime, since you are knowingly accepting profits you know are intended to be stolen from the bag holders when the site disappears. And finally, these sites disappear quickly, so you may very well be the one holding the bag.

Our thanks to the good people of BITCOMSEC for their good work.