
The 440+ BTC stolen by MyBtgWallet.com

Neutrino Research Team - 2017-11-27, 00:35

Intro

After the Bitcoin Cash fork on Aug. 1st, Bitcoin was involved in two other forks between October and November: before the much disputed, announced Segwit2x fork, a new cryptocurrency was launched on Oct. 24th.

Bitcoin Gold was a tempting new chance for Bitcoin owners to earn some free money: by importing the mnemonic seed or private keys of a BTC wallet into a BTG wallet, they had the opportunity to redeem their free BTG.

This was possible through local BTG clients or through web services such as MyBTGWallet.com, a website listed directly on the official BTG web page. This particular case turned into a scam that stole an impressive amount of Bitcoin from inexperienced users.

How it worked

The MyBTGWallet scam worked in a very simple way: users imported the mnemonic seed of their BTC wallet on the scam page, thereby handing the scammer the private keys needed to steal the balance of bitcoin still on the wallet and any other cryptocurrencies stored on the same wallet (e.g. Ethereum or Litecoin, in case it was a multi-currency wallet).

MyBTGWallet page

The site used a clever trick: it saved the mnemonic seed into the browser's cookies and then siphoned off the cookies via a Google tracking JavaScript, gaining in this way access to all the seeds checked on the website.

The numbers

The website was used by many bitcoin holders after the fork happened. The scammers progressively moved the stolen funds to other bitcoin addresses. Thanks to open source intelligence activities, we were able to build the clusters of the stolen bitcoin and determine that the number of compromised addresses is almost 4500. The aggregated balance of those addresses is almost 440 Bitcoins (equal to 3.5 million Euros at the current exchange rate).

It is not easy to determine the number of victims, since a mnemonic seed gives access to all the addresses in a wallet. With some analysis of the patterns we found that the modus operandi of the thief changed over time.

During the first days, he imported all the stolen private keys into a single wallet and created transactions with a high number of inputs (the stolen keys), such as:

He mixed all the stolen keys in order to avoid paying too much in fees by creating a huge number of transactions.

Then he started stealing directly from the mnemonic seed of each stolen wallet, performing one transaction to empty the wallet without mixing it with other keys. The number of wallets emptied with this second method is roughly 70.

The number of addresses compromised with the first method (key mixing) is 3500. Given the average number of addresses per wallet and some analysis of the transaction history of the grouped addresses, we can estimate the number of compromised wallets at 345.

Our final estimation is that the number of scammed victims is roughly 415.

The list of addresses used by the attacker is:

As of Nov. 24th, 49 BTC have not yet been spent by the scammers, but we have been able to reconstruct the spending patterns by following all the other moved bitcoins.

ChipMixer

So far, we have been able to determine that about 289 BTC have been moved to a notorious bitcoin mixer named ChipMixer[1].

In the graph below we can see the fraudster’s wallets (the two big interacting orange boxes) sending all the bitcoins to ChipMixer (the box at the bottom).

ShapeShift

On Nov. 25th, 1.81 BTC were moved to ShapeShift, shifting BTC to DASH (a privacy-oriented cryptocurrency). A total of 3 transactions were performed; one of them is depicted below:

The receiving address on the DASH blockchain is:

XpnqpQSDexV2msyowdPE1GY5PYTthABvng

The address received a total of 25 DASH from the three ShapeShift swaps.

Wex

On Nov. 26th, 67 BTC were moved from the stealer wallet to Wex[2] with three transactions (7, 30, 30 BTC).

This exchange platform has a really poor KYC policy and, among other crypto pairs, it also allows trading between BTC and DASH. It was easy to suppose that the scammer used it to swap once more between these currencies, so we performed a cross-chain check and saw that the address used to receive the ShapeShift transactions received three additional transactions:

Given the Wex exchange rate at that time (between 0.066 and 0.067 DASH/BTC), it is clear that the received amounts match the 67 BTC moved onto the exchange. So, the fraudster cashed out to the same DASH address previously used to receive the ShapeShift swaps.

Final Remarks

Since the mnemonic seed is the root from which all past and future keys of the wallet are derived, the attacker still has full control of those wallets. Some victims are still receiving and spending bitcoins with them, thinking that the new addresses are safe. We suggest that victims of the scam stop using the old seed and start from a completely new one.
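To make the point concrete, here is an added example (not code from the original post or from any wallet project) that follows the standard BIP39 and BIP32 derivation from a mnemonic: the seed is stretched with PBKDF2, the master key comes from HMAC-SHA512, and hardened children are derived down the usual m/44'/0'/account' path. It uses only the Python standard library; the mnemonic and passphrase values are test inputs and the path is assumed as an illustration.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 child keys are reduced modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the mnemonic into a 64-byte seed
    (PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


def master_key(seed: bytes):
    """BIP32: master private key and chain code, both derived from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_hardened(key: bytes, chain: bytes, index: int):
    """BIP32 hardened child at index + 2**31. The hardened case needs no
    elliptic-curve point math, only HMAC and a modular addition."""
    i = index + 0x80000000
    data = b"\x00" + key + i.to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + int.from_bytes(key, "big")) % SECP256K1_N
    return child.to_bytes(32, "big"), digest[32:]


def account_keys(mnemonic: str, passphrase: str, count: int):
    """Private keys of the first `count` accounts under m/44'/0'/account'.
    Every key is a pure function of the mnemonic, so whoever holds the
    mnemonic can regenerate this exact list, including accounts not yet used."""
    key, chain = master_key(mnemonic_to_seed(mnemonic, passphrase))
    key, chain = derive_hardened(key, chain, 44)  # purpose'
    key, chain = derive_hardened(key, chain, 0)   # coin_type' (Bitcoin)
    return [derive_hardened(key, chain, a)[0].hex() for a in range(count)]


def shares_keys(old_mnemonic: str, new_mnemonic: str, count: int = 10) -> bool:
    """True if the two seeds yield any common account key, i.e. rotating
    to `new_mnemonic` would not escape an attacker who knows the old one."""
    old = set(account_keys(old_mnemonic, "", count))
    return any(k in old for k in account_keys(new_mnemonic, "", count))
```

Deriving a fresh "new" address from the same mnemonic only walks further down the same deterministic tree; only a different mnemonic produces keys the attacker cannot reconstruct.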

This is just a first update on our research on the topic. Identifying the mixing service used by the attacker is only a preliminary step in tracking the bitcoin flows. Investigations regarding the outputs of the mixed transactions are still in progress at the time of writing. The address on the DASH blockchain could also be tracked for further movements.

[1] ChipMixer became one of the leading mixing services after BitMixer shut down its operations. It appears to have been online since May 2017, and one of its peculiarities is that it offers users the possibility to mix bitcoins by splitting them into many chips.

[2] https://wex.nz, the new exchange born after the BTC-e seizure.