AdvisorBM

Everything posted by AdvisorBM

  1. In this article, I would like to talk about information that needs to be protected from attackers planning to harm your business. Please note that we will not be talking about the technical side of companies' operations, but about social engineering aimed at the vulnerabilities of your employees. You can read the checklist at the end of the article.

     Email

     More often than not, email is the main entry point into the secrets of your company and its staff. Every official company website contains contact information that includes an email address on the company domain, for example info@nameoforganization.com or hr@nameoforganization.com. This is consistent with business ethics, but on today's Internet there are a huge number of tools (e.g. Google Dorks, phonebook.cz, hunter.io etc.) that, using the domain, collect other addresses that the organization may not have wanted to publish to the general public. This might reveal something like ciso@nameoforganization.com, andreypetrov@nameoforganization.com or SolyuVseSekretyKontory@nameoforganization.com. The mere presence of a work email not only gives the opportunity to establish direct contact with the employee, bypassing the public relations department, but also allows colleagues to misuse it, namely to register accounts on social networks, order deliveries and so on, and so on. All of this subsequently gets leaked. With such email addresses, we can find a lot of interesting personal information that is useful for hackers and cyber blackmailers.

     Employee photos on the company website

     Yes, photos on a company's website can help find your employees' social media accounts. In most cases, this information has no commercial value, but it is a great opportunity to gather information about an employee's private life, which can result in such a well-built social engineering campaign that the attacker will not even notice the catch. By the way, there are quite a few tools for searching social media accounts by face. For example, FindClone, SearchForFace, and even simple google.pictures.

     Public activity

     In reality, photos and public activity are not as critical vulnerabilities as the personal data that can be gleaned from email addresses. To exclude a company's public activity is to cut off 80% of marketing. Some things are worth publicizing and some are not. An example of a social engineering attack would be a text like this: "Good afternoon, I saw you at the conference "Legends of SOC - 2023". We liked your presentation very much. We would like to propose cooperation. Terms and conditions and a detailed offer are in the attachment." Agree, tempting! Especially if your company slightly underpays a sysadmin and he is in search of a more favorable offer. There is a high probability that even an experienced IT specialist will first open the attachment and only then think about it.

     Files on the company website

     You may think that you have hidden all the unnecessary files, but Google's search robots have carefully indexed everything. It is very easy to check this. For example, your website is rogaikopyta.site. Type into the Google search bar: filetype:pdf site:rogaikopyta.site (the file format goes right after the colon, without a space: pdf, doc, docx, xls, txt). Next, check that nothing unnecessary has suddenly ended up in the public domain. There are a number of documents that a legal entity cannot avoid publishing, but whatever is not on this list is better cleaned up, because unnecessary information about your employees, counterparties and financial assets is all excellent food for a potential attack.

     We also want to draw attention to which employees pose the greatest threat to the information security of companies. Most information security studies indicate that the weakest link in security measures is the employees, as they are the ones who have full access to all the resources and documents of the organization.

     New IT employee

     A new IT employee can inadvertently cause huge damage to a company's security. Today, hackers are using more and more sophisticated methods to infiltrate internal company resources, such as social engineering. A newly hired IT employee is unfamiliar with the protocols and processes responsible for the secure transfer of files over the network, and is therefore an extremely attractive target for cybercriminals looking to gain full access to corporate information.

     System administrator

     In many companies, system administrators handle the main information security issues. A sysadmin doesn't just handle the technical aspects, but has a huge responsibility for the tangible and intangible assets and reputation of the organization. Moreover, he knows almost everything about the company and has access to all confidential data, so under certain circumstances he can be subjected to pressure from cybercriminals.

     Top management

     Rather oddly, a company's CEO is actually often a huge threat to the company's information security. According to the Ponemon Institute, more than half of the leaks involving employees are caused by top management. Such losses are clear proof that hackers see not only middle managers but also top management as their targets. Executive assistants are also carriers of very valuable corporate information. They have access to all credentials, passwords, financial reports and internal documentation. This is what makes them a particularly attractive target for hackers.

     Security consultant

     If your organization needs a complex, multi-stage security system, be prepared to partner with a variety of service providers from this field. Remember, however, that an external security consultant brought in to determine the current level of security and set goals for the organization's IS direction has full access to all internal company resources and sensitive data, which hackers are well aware of.

     External vendor

     Large companies often utilize multiple external vendors at once. Daily hacker attacks confirm that once vendors gain access to a company's internal systems and networks, those systems and networks are particularly vulnerable to cyber threats. To protect themselves, companies must give vendors limited, controlled access.

     Fired employee

     A fatal mistake many companies make is neglecting to close former employees' access to internal resources and networks. By making this mistake, organizations become even more susceptible to cyberattacks. The only true solution is to immediately delete all accounts of employees who are no longer with the company. Moreover, former employees can easily take databases of potential and current customers and other confidential information with them and put it freely available online.

     Temporary employee

     Temporary employment is a very common phenomenon, especially in the service and sales industries. The IT sector is no exception, as very often employees are needed here on a temporary basis to help close some tasks. These employees are given access to various corporate portals and systems where the company's most important information and data is stored. Moreover, temporary employees are given the use of corporate laptops, tablets and smartphones. This is why these employees should be considered full-fledged members of the organization and protected from information security threats.

     I would like to finish this article with a quote from Bruce Schneier: "In terms of security, the mathematical apparatus is flawless, computers are vulnerable, networks are lousy, and people are disgusting." Remember that it is employees and their negligence towards security measures that pose a huge threat to a company's IT security.

     ADDITIONAL INFORMATION THAT MAY HELP YOU:
     ✅ CHECKLIST FOR INSPECTING ORGANIZATIONS
     ✅ 600 INSTRUMENTS FOR OSINT AND RESEARCH
     ✅ TOOLS FOR OSINT IN BLOCKCHAIN
     ✅ ALL OPTIONS IN ONE PLACE
     ✅ TOOLS FOR SECURING SMART CONTRACTS
  2. BLOCKCHAIN EXPLORERS: BITCOIN #1 (BTC), BITCOIN #2 (BTC), ETHEREUM (ETH), RIPPLE (XRP), BITCOIN CASH (BCH), LITECOIN (LTC), STELLAR (XLM), DASH (DASH), ZCASH (ZEC), MONERO (XMR), TON (TON)

     UNIVERSAL EXPLORERS: BLOCKCHAIR (most cryptocurrencies + API), BLOCKCHAIR (extension for Chrome), BREADCRUMBS (extension for Chrome), BLOCKCHAIN.COM BLOCK EXPLORER, BITAPS, BLOCKCYPHER

     VISUALIZATION OF CRYPTOCURRENCY TRANSACTIONS: BREADCRUMBS, SHARD, ETHTECTIVE (ETH, free), MALTEGO (external software), SPIDERFOOT (external software), BLOCKPATH, OXT (after registration), GRAPHSENSE (after registration), GitHub SICP (after registration), CRYPTO HOUND, ORBIT (open source), WALLET TRACKER (open source)

     CRYPTO WALLET IDENTIFICATION: WALLET EXPLORER, BITINFOCHARTS, OXT (after registration), ANTINALYSIS (TOR)

     REVIEWS OF CRYPTO WALLETS: BITCOIN ABUSE, RANSOMWHERE, BITCOIN WHOS WHO, CHECK BITCOIN ADDRESS, SCAM ALERT, Badbitcoin.org, BitcoinAIS.com, CRYPTSCAM, ETHEREUM BLACKLIST

     ADVANCED QUERY OPERATORS IN GOOGLE: Clearing search results at the request of a crypto wallet; Clearing search results at the request of some crypto wallets; Search for a crypto wallet on a specific site; Search for lists of identified wallets

     BLOCK ANALYSIS: KYCP, LOCKSTREAM

     CRYPTOCURRENCY STORAGE FILE TYPES:
     Armory: %appdata%\Armory (.wallet)
     Bitcoin Unlimited/Classic/XT/Core: %appdata%\Bitcoin (wallet.dat)
     Bither: %appdata%\Bither (address.db)
     Blockchain: (wallet.aes.json)
     MultiBit HD: %appdata%\MultiBitHD (mbhd.wallet.aes)
     Electrum: %appdata%\Electrum\wallets
     mSIGNA: %homedrive%%homepath% (.vault)

     OTHER USEFUL PROGRAMS FOR INVESTIGATIONS AND OSINT IN BLOCKCHAIN: MONITORING THE ACTIVITY OF A CRYPTO WALLET #1, MONITORING THE ACTIVITY OF A CRYPTO WALLET #2, CHECKING THE COMMUNICATION BETWEEN CRYPTO WALLETS, SOURCE COMPILATION FROM BLOCKSHERLOCK, CRYPTO WALLET SCORING (BTC, ETH, ERC20), CRYPTO WALLET SCORING (BTC, BCH, ETH, LTC), BRUTEFORCE WALLET'S PASSWORD, find-my-btc-wallet (BTC Recover), Btcrecover (BTC Recover), Findbtc (BTC Recover), EtherClue (ETH smart contract forensics)

     OTHER TOOLS AND INFORMATION: OSINT 2022 TOOLS (Part 1), more than 6000 tools; OSINT 2022 TOOLS (Part 2); Research Bitcoin wallets OSINT BTC 2023.
  3. In today's world, most cybercrimes are committed with the use of Bitcoin wallets: laundering, hacking, blackmail, etc. That's why I decided to write an article on identifying the owner of a BTC wallet. It's trivial, but it's important.

     The easiest thing you can do when trying to figure out the owner of such a wallet is to look at its transactions thanks to the blockchain. A blockchain is a database of transactions consisting of a sequential chain of digital blocks, each block storing information about the previous block and the next block. To view transactions, we can use a simple blockchain explorer, WalletExplorer.

     Transaction visualization and analysis

     To visualize Bitcoin wallet transactions I can recommend the service OXT.ME, as the service I used before for the same purpose (Crystal Explorer) has been disabled for several weeks now. OXT is only available to PC users, with a minimum screen resolution of 1280*520 pixels, which to me seems justified. Sometimes the graphs get so big that it would be difficult to understand anything from a phone or tablet. The service will be available to you immediately after registration.

     There is also an analogue of the aforementioned service, Blockpath. Personally, for me it is not as convenient as OXT, but as they say, there is no accounting for taste, so a few words about this service. It, too, certainly has its advantages, the "Accounts" tab, for example, which shows a detailed report on the last transaction. Blockpath has no screen resolution limitations and registration is not required.

     Looking for linked wallets

     By analyzing transactions, it is possible to find certain patterns in a user's transfers. For example, we may notice that a person sends money to a certain address once a month; this is exactly such a pattern. Let's analyze different patterns:

     - Subscription payment. The user sends a fixed amount of money every month/year/day etc. Perhaps he is paying for a subscription to some service. This can be checked by googling the wallet to which the funds are sent; most likely, as a result you will get a link to pay for a web resource.
     - Payment for work, or blackmail. If you see a fixed amount of money being sent each month/year/day, we can assume that this is payment for work, especially if the recipient's bitcoin wallet looks like a personal one. It could also be blackmail; it's hard to tell the difference. If the amount is not fixed and $150 is sent in one month and $200 in the second, it could be blackmail, though of course it is impossible to say for sure.
     - Distribution of funds. If we see that the owner of a wallet irregularly and chaotically sends large amounts of money to another wallet, we can assume that he is distributing funds between his own wallets.
     - Bitcoin mixer applied. A Bitcoin mixer is an anonymizing service that makes it much more difficult to track Bitcoin transactions. When a user sends a transaction through it, the mixer breaks it down into many small pieces and then mixes them with other people's transactions so that not a single "piece" of the original transaction remains in a particular user's transfer. If you see that a certain amount of money has been sent to different wallets over a period of time, a mixer has probably been used. By using a bitcoin mixer, the user is trying to hide something from the public, usually money laundering. Tracing such a transaction is extremely difficult and will take you some time.

     Feedback sites

     There are special sites that contain a database of complaints about the Bitcoin wallets of scammers, hackers, blackmailers, etc.
     - Bitcoin Abuse. This is the most popular complaint service for Bitcoin wallets; the service allows you to leave a tag and write your own review.
     - Checkbitcoinadress. Shows the balance in euros, dollars and BTC, finds the possible owner, mentions on the Internet and on forums, as well as other information. And, of course, it shows complaints, tags and the countries of the people who complained.
     - Traceer. In principle, the service is no different from the first, but there may be complaints that are not in the others.
     I will not go on to list the other review sites, because there are so many of them. You can find them by searching on Google.

     Check the wallet for suspicious activity and "dirty money"

     Services showing bitcoin wallet scoring will help us. Scoring is a system of evaluation which helps financial institutions predict the payment discipline of people who have applied for a loan. The service I use most actively is AMLBot. The service shows a trust score and describes cryptocurrency activity in a detailed report, based on its own algorithms. The pluses are that it is all in the form of a Telegram bot, and the minuses are that the service is paid. Well, if you are not ready to pay money for scoring, then BitRank is for you. This service will show you a trust score without registration or payment. Of course, there will not be a detailed description of cryptocurrency activity, but there will be a score from 0% to 100%.

     Search the Internet

     What is the first thing you will do when faced with the task of figuring out the owner of a BTC wallet? That's right, google it. As a result, you can get mentions on forums, mentions on websites; maybe someone left a wallet as payment details or for a donation. It is better to use different search engines, especially the ones listed below: Yandex, Google, DuckDuckGo (resources in the .onion domain zone will be available). You can also use Bing, Yahoo, Swisscows, etc.

     You can use Google Dorking for a more efficient search. Google Dorking involves using advanced operators in the Google search engine to search for specific strings of text in search results. You can use the banal "BTC-wallet" to sift out unnecessary results, or the more advanced, but still banal, "BTC-wallet" site:interesting-site, which will help determine the involvement of a site with the wallet. Or you can use more advanced search methods with this cheat sheet. By following this link you can observe 15 thousand Google Dorks designed for BTC wallets. Of course, it will take a lot of time to try them all, so you can use only those that interest you.

     Monitoring cryptocurrency wallets

     It is possible to track the activity of wallets through specialized services. One of these services is Cryptocurrencyalerting. The service will send you a message about a decrease or increase in the amount of money in a crypto wallet, so there is a function that will notify you about any crypto wallet activity. The service allows you to be notified about the action in any way you want: with a message in Telegram, a phone call, a push notification, etc. There is also a service, cryptotxalert, with similar functionality. Of the pluses here is the fact that you can set an amount of money, and when the wallet is topped up to this amount, you will receive a notification. The message comes only as a push notification; if in the previous service you can get a notification in ten convenient ways, here there is only one way.

     Well, if you are too lazy to do the investigation yourself, or at this point you do not have enough experience, just turn to the professionals, and evil will be punished!

     Original article >>>

     #Osint_Cryptocurrency #Osint2023 #osint-scammer #example-osint #osint-exploration #AdvisorBM-osint
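The transfer patterns listed in the post above (a fixed amount at regular intervals, irregular large transfers to one address, a burst of many equal small pieces) expressed as simple heuristics over a wallet's outgoing transfers. This is an added example, not code from the original post or from any of the services it names; the wallet, addresses and amounts are constructed, and the thresholds are assumptions an analyst would tune for real data.

```python
"""Heuristics for the outgoing-transfer patterns discussed above: a fixed amount sent at
regular intervals (subscription or regular payment), irregular large transfers to one
address (distribution between own wallets) and a burst of many equal small pieces
(mixer-style fan-out). Added example, not from the original post; all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed outgoing transfers of one wallet: (timestamp, destination, amount in BTC).
T0 = datetime(2023, 1, 5)
SAMPLE_OUTGOING = (
    # 0.002 BTC every 30 days to the same address
    [(T0 + timedelta(days=30 * i), "bc1q-subscription", 0.002) for i in range(6)]
    # a few large, differently sized transfers at irregular moments to one address
    + [(T0 + timedelta(days=d), "bc1q-own-cold", a) for d, a in ((3, 1.5), (11, 0.9), (40, 2.2))]
    # 1 BTC split into 20 pieces of 0.05 sent to 20 fresh addresses within a day
    + [(T0 + timedelta(days=50, hours=h), f"bc1q-out-{h:02d}", 0.05) for h in range(20)]
)


def _by_destination(txs):
    groups = defaultdict(list)
    for ts, dest, amount in sorted(txs):
        groups[dest].append((ts, amount))
    return groups


def _gap_stats(timestamps):
    """Mean gap in days and coefficient of variation of the gaps (0 = perfectly regular)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if not gaps or mean(gaps) == 0:
        return 0.0, float("inf")
    return mean(gaps) / 86400, pstdev(gaps) / mean(gaps)


def recurring_payments(txs, min_count=3, max_cv=0.1):
    """Destinations that receive the same amount at (near-)regular intervals."""
    found = {}
    for dest, items in _by_destination(txs).items():
        amounts = {a for _, a in items}
        period, cv = _gap_stats([ts for ts, _ in items])
        if len(items) >= min_count and len(amounts) == 1 and cv <= max_cv:
            found[dest] = {"count": len(items), "amount": amounts.pop(), "period_days": round(period, 1)}
    return found


def distribution_candidates(txs, min_amount=0.5, min_cv=0.3):
    """Destinations receiving several large, differently sized transfers at irregular intervals."""
    found = {}
    for dest, items in _by_destination(txs).items():
        large = [(ts, a) for ts, a in items if a >= min_amount]
        _, cv = _gap_stats([ts for ts, _ in large])
        if len(large) >= 2 and len({a for _, a in large}) > 1 and cv >= min_cv:
            found[dest] = round(sum(a for _, a in large), 8)
    return found


def fanout_bursts(txs, window=timedelta(days=1), min_outputs=10, max_amount=0.1):
    """Bursts of many equal small transfers to distinct addresses inside one time window."""
    small = sorted(t for t in txs if t[2] <= max_amount)
    bursts, i = [], 0
    while i < len(small):
        start = small[i][0]
        burst = [t for t in small[i:] if t[0] - start <= window]
        dests = {d for _, d, _ in burst}
        if len(dests) >= min_outputs and len({a for _, _, a in burst}) == 1:
            bursts.append({"start": start, "outputs": len(dests),
                           "total": round(sum(a for _, _, a in burst), 8)})
            i += len(burst)
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    print("recurring:", recurring_payments(SAMPLE_OUTGOING))
    print("distribution:", distribution_candidates(SAMPLE_OUTGOING))
    print("fan-out:", fanout_bursts(SAMPLE_OUTGOING))
```

Each heuristic only flags candidates; as the post says, a fixed monthly payment may be a subscription, wages or blackmail, and the label still has to be confirmed by looking up the counterparty.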
  4. Original text and other information on OSINT is available at >>>>

     His nostrils were permanently flared, as though he sniffed invisible winds of art and commerce. William Gibson, "Count Zero"

     In this article I will show:
     - How, using the basics of financial investigation and OSINT, we can prove the affiliation of cryptocurrency addresses
     - How, by analyzing the transactions of two or more ETH addresses, we can aggregate them into a cluster (i.e. multiple addresses controlled by the same entity)
     - How the attacker's economic activity dataset changes once the addresses are clustered together

     Let's get started! The most popular onchain detective, ZachXBT, once posted the following tweet. For those unfamiliar with English, let me explain. Using a phishing site, a hacker gained access to the victim's address and stole 3 ERC-721 tokens (NFTs). Immediately after the theft (i.e. after sending the tokens from the victim's address to his address, 0x864875aef79B107221bEE89C8ff393BD2B666d96), the hacker sold the NFTs on the marketplace Opensea.io. The criminal profits were then laundered through the Tornado.Cash mixer.

     While our hands are itching to get the target address into https://etherscan.io sooner rather than later, we'll stop on the shore and turn to the theory. The criminal first stole and then sold tokens that use the Ethereum blockchain infrastructure. In order to operate the tokens, you need some amount of cryptocurrency to pay transaction fees. In our case it is the Ethereum blockchain, which means you need some ETH to send tokens or sell them. Let's try to find out where the ETH that the hacker's address 0x8648... needed to pay fees came from. This line of enquiry is called a source search.

     Open Etherscan, insert the address and look at the first transactions. They will be right at the bottom of the page. And here are the ones we need: 1, 2. The sender of the funds in the transaction table is always shown to the left of the IN (incoming transaction) or OUT (outgoing transaction) bar. So, we have identified the source of the funds, which is address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6.

     What can we extract from this information? In our case, the first address of the hacker, 0x8648... (aka Fake_Phishing5435 in the picture above), never received any funds before the transactions we detected. So address 0xa474... is the sponsor address (or funding address) with respect to the hacker address, or 0x8648..., or Fake_Phishing5435. Most often the sponsor address is affiliated with the target address. The owner of the sponsor address could be, for example, some customer who has paid for services with crypto. Or, for example, the sponsor address is operated by a cryptocurrency exchange whose services are used by the owner of the target address. But even more often, both the target address and the sponsor address have the same owner. Let's analyze the transactions of the sponsor address and try to figure out which option is correct in our case.

     The most interesting direction in the case of the sponsor address is to try to detect suspicious transactions (such as the theft of NFTs). To do this, open the address in Etherscan.io and go to "ERC-721 Token Txns", which is the section responsible for NFT transfers. We see four transactions: two incoming, two outgoing. The first NFT, Mutant Ape Yacht Club (MAYC), was sold half an hour after receipt. The second, Azuki, 9 (!) minutes later. Seems suspicious to me! But how do we prove that these transactions are not a normal sale but a real theft? By the consequences! In order to sell MAYC, you have to contact the Opensea marketplace's smart contracts. When you interact with them, the marketplace will automatically generate a profile for you, accessible via a link like "https://opensea.io/ETH_Address". I should also add that Opensea.io actively cooperates with law enforcement and also actively assists victims. In case of hacking, the stolen tokens are blocked and the hacker's account is banned, making his profile inaccessible. Let's try to open the profile of address 0xa474... and examine the transaction history. To do so, go to https://opensea.io/0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6. Oops! The address was banned...

     We now know two facts about the sponsor address: it transferred money to the hacker's address, which was then used for fees, and it also made questionable transactions with NFTs, for which it was banned from Opensea.io. The target address also made questionable transactions with NFTs and was banned from Opensea.io.

     Now let's find out where the criminally obtained coins were sent. To do this, let's examine the transactions in chronological order and try to find the incoming transactions immediately after the sale of the (possibly) stolen NFTs. In this way, we will determine the amount of criminally acquired funds. The transactions we are looking for are found in the Internal Txns section: the hacker received a total of 23.8 ETH. Who else sent the stolen coins to address 0x945b...? The target address! Withdrawal transactions of stolen funds are highlighted in yellow.

     Let's find out what address 0x945b was used for... To do that, we again study the transactions in chronological order; we are interested in all incoming and outgoing transactions after the address received the stolen funds. The target address (13 ETH) was the first one to receive the stolen funds. Next, address 0x945b accumulated presumably stolen funds from several other addresses, including the target address. The money was then, as ZachXBT wrote, withdrawn to the Tornado.Cash mixer. The money sent to the mixer was grouped into two payments of 100 ETH, of which 125 ETH originally belonged to the target address, 13 ETH to the sponsor address, and the remaining 62 ETH to other addresses. It turns out that either the hacker owns all five addresses and uses 0x945b as an intermediate point before money laundering, or the owner of 0x945b is a separate criminal (a money launderer) whose services are used by several criminals at the same time.

     Let's briefly examine the other hacker addresses: as you can see from the graph, they too have interacted with NFTs on Opensea. Let's use the old vetting method and... one of the addresses is banned on Opensea! The second address is not banned, but appears in the ZachXBT investigation. Here you can see the names and faces of our heroes, the dangerous cybercriminals. Mathys and Camille together. Well, here come our friends Mathys and Camille from romantic France, shitting themselves hard by posting a screenshot of one of their profiles on Opensea with previously stolen NFTs on their personal Twitter. This profile appears in our investigation; on the graph it is address 0x5bb51... Admittedly, I even got a little upset at this stage. How is it that we've only just started and they've already found everyone for us! But I decided not to dwell on Mathys and Camille and go a bit further and try to add new factors to my investigation.

     Back to the sponsor address. The sponsor address, like most addresses on the Ethereum network, has its own sponsor address (pardon the recursion). Let's find it! This time the sponsor address is labelled in the block explorer as Fake_Phishing5099. Comments about the affiliation of all the addresses appearing in the investigation seem to me to be redundant with this:

     Having discovered the new sponsor address, I decided to go towards the final destination of the funds and figure out exactly where Fake_Phishing5099 was sending the dirty money. After looking through all the transactions, I found an interesting address, 0x27429f480a3E2a69D7E4D738EBc54AeB4096eb43. The owner of this address, according to a thread on epicnpc.com, is spamming in Discord (Discord is where many of the victims received the phishing links). Diwan Nuri (judging by the content of the thread, that's the name of the address owner) was so far-sighted and wise that he registered the forum account with his personal email. This wasn't enough, so he decided to screw one of his potential clients by sending them his ETH address in addition to the email. According to the record we found, Diwan graduated from the German Aletta-Haniel-Gesamtschule and now earns his living by spamming and scamming.

     So, after studying 6 cryptocurrency addresses and their transactions, we found out that:
     - 5 of the 6 addresses in question were dealing with NFTs
     - 4 of the six analyzed addresses were involved in illegal activity and got banned at Opensea
     - 4 of the six investigated addresses were "skimming" for the withdrawal of funds to the Tornado.Cash mixer
     - 2 of the six addresses have been implicated in existing investigations
     - all 6 addresses have close economic ties
     The couch is not as simple as it looks! In my opinion, the discovered facts are enough to merge the addresses into a cluster.

     Which addresses do we merge:
     - Target address 0x864875aef79B107221bEE89C8ff393BD2B66d96
     - Target address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6
     - Hackers' secondary address #1 0x38dB16DA44A61560e04E94DCb71c3E64Aa94d318
     - Hackers' secondary address #2 0x5bb5180D8b84d754F56e2BC47Dc742d0f5Ac37FE
     - The laundering address 0x945b4a77649Ebe89eABAf03F78A0C8993f99bd41
     - Fake_Phishing5099 0xdE09020653cA303CFC143d23A18183299558065F

     What can we learn after clustering the addresses together? First, our 'friends' made about $1.7M on such a scam. One million was sent to the Tornado.Cash mixer. Second, just over $300k went to centralised exchanges (those with KYC procedures, cooperating with law enforcement, etc.); $285k went to Coinbase. Thirdly, we get a much more detailed list of counterparties of this criminal group, which (as in the case of Couch, for example) can lead to interesting findings. And it could help law enforcement trace the stolen money to exchanges and exchangers.

     Conclusions

     As you can see from the material above, cryptocurrency is far from always anonymous. By properly applying OSINT and financial investigation techniques and methods, as well as knowing the theory of cryptocurrency, even large thefts can be successfully investigated, let alone small ones like the one we discussed today. What can we do concretely? Look for the source of the funds (sponsor address) and the final destination of the funds. Analyse in detail the transactions of each address in question. We can cluster the addresses based on this data. This may be done either within the software you are using, e.g. Chainalysis, or logically. If the software you have available does not support clustering, I recommend exporting the transactions of the addresses you want from Etherscan.io and then merging multiple tables into one. After aggregating the addresses into a cluster, in our case we were able to understand the approximate volume of the thefts committed and also find out which exchanges the money from those thefts was being withdrawn to. We also learned that around a million dollars had been withdrawn to Tornado.Cash, which is a ready-made money laundering charge in some jurisdictions!

     Original text and other information on OSINT is available at >>>>
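The source search and logical clustering walked through in the post above (sponsor address, the sponsor's own sponsor, a shared intermediate address before the mixer, then summing what the cluster sends to mixers and exchanges) as a small script over an exported transaction table. This is an added example, not the author's code or any tool's API; the transfer list, the 0x... placeholder addresses, the service labels and the two clustering rules are assumptions constructed for the demonstration.

```python
# Sponsor-address lookup and logical clustering of ETH addresses as described in the post
# above. Added example, not the article's code; all addresses, labels and amounts are
# constructed and the 0x... strings are placeholders, not the investigation's addresses.
from collections import defaultdict

# Constructed transfer list: (block number, sender, receiver, value in ETH).
TXS = [
    (100, "0xEXCH-A", "0xSPONSOR2", 5.0),   # exchange withdrawal funds the top-level sponsor
    (110, "0xSPONSOR2", "0xSPONSOR", 0.3),  # sponsor chain: SPONSOR2 -> SPONSOR
    (120, "0xSPONSOR", "0xTARGET", 0.05),   # fee money for the target address
    (130, "0xMARKET", "0xTARGET", 13.0),    # NFT sale proceeds
    (131, "0xMARKET", "0xSPONSOR", 10.8),
    (140, "0xTARGET", "0xLAUNDER", 13.0),   # both push proceeds to one intermediate address
    (141, "0xSPONSOR", "0xLAUNDER", 10.8),
    (142, "0xOTHER1", "0xLAUNDER", 20.0),   # a third party also feeds the intermediate
    (150, "0xLAUNDER", "0xMIXER", 40.0),    # intermediate forwards everything to a mixer
    (160, "0xSPONSOR", "0xEXCH-B", 0.2),    # a little goes to a KYC exchange
]
# Known services: sponsor chains stop at these, and cluster outflows are summed per label.
LABELS = {"0xEXCH-A": "exchange", "0xEXCH-B": "exchange",
          "0xMIXER": "mixer", "0xMARKET": "marketplace"}


class UnionFind:
    """Minimal disjoint-set structure for merging addresses into clusters."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def sponsor_address(addr, txs):
    """Sender of the first transfer into addr (the post's 'sponsor address'), or None
    if the address spent before it ever received anything."""
    for _, sender, receiver, _ in sorted(txs):
        if receiver == addr:
            return sender
        if sender == addr:
            return None
    return None


def sponsor_chain(addr, txs, labels, max_depth=10):
    """Sponsor, sponsor's sponsor, ... stopping at a labelled service or a repeat."""
    chain, current = [], addr
    for _ in range(max_depth):
        sponsor = sponsor_address(current, txs)
        if sponsor is None or sponsor in labels or sponsor in chain:
            break
        chain.append(sponsor)
        current = sponsor
    return chain


def cluster_addresses(seeds, txs, labels):
    """Merge each seed with its unlabelled sponsor chain, and merge seeds that send to the
    same unlabelled intermediate address, pulling that hop in (as the post does with 0x945b)."""
    uf = UnionFind()
    for seed in seeds:
        for sponsor in sponsor_chain(seed, txs, labels):
            uf.union(seed, sponsor)
    senders_by_hop = defaultdict(set)
    for _, sender, receiver, _ in txs:
        if sender in seeds and receiver not in labels and receiver not in seeds:
            senders_by_hop[receiver].add(sender)
    for hop, senders in senders_by_hop.items():
        if len(senders) >= 2:
            for sender in senders:
                uf.union(sender, hop)
    root = uf.find(seeds[0])
    return {a for a in list(uf.parent) if uf.find(a) == root}


def flow_summary(cluster, txs, labels):
    """ETH leaving the cluster, summed per destination label. Third-party money parked at
    the shared hop (0xOTHER1 here) is counted too: the 'own intermediate vs. hired
    launderer' ambiguity the post raises."""
    totals = defaultdict(float)
    for _, sender, receiver, value in txs:
        if sender in cluster and receiver not in cluster:
            totals[labels.get(receiver, "unlabelled")] += value
    return dict(totals)
```

With a real Etherscan export, replace TXS with the merged rows and LABELS with the explorer's exchange, mixer and contract tags; the per-label totals are what the post reads off as "sent to Tornado.Cash" versus "went to centralised exchanges".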