There Will Be Tainted Lulz: Bitcoins, Wallets, and Media Manipulation Through Laziness and Reading Comprehension
Last week I wrote a post about “maybe” seeing some fuckery going on with regard to the ShadowBrokers bitcoin transactions and the Silk Road wallet (seized) which was lulzy. The lulz though went fucking PLAID over the weekend as people started to take a tweet from @steveD3 and other posts on Reddit and the like about my post which then culminated in ZDNet writing a piece that even went FURTHER on the supposition that I had placed on my blog!
Now, as time went on people *cough Wesley McGrew cough* countering the story vociferously. Seems some people did not really read the post very carefully and just assumed that I was definitively saying in the white-paper lofty academic setting that is my blog, that “ERMEGERD THIS IS THE ABSOLUTE TRUTH!” when in reality I had said “if I am reading this right” that the wallet in question had some bitcoins in common and maybe connected to the fractions of coins going to the shadowrboker wallet. I also went on to describe how if I were the government I would be trolling them to see what they would do as well as poison the well so to speak if in fact the auction was really a part of the overall scheme regarding the NSA dump.
As the blog post hit over 30k hits and then the news media started in on it I sat back and began to ponder all of this. Just how easy it was to let this ride and watch as the Twitter verse took a tweet link, did not read the post, and then passed it on as truth. Suddenly I felt like Comrade Putin and I had my own army of trolls out there able to shape the media story with a single blog post.
… and I liked it… I am so dirty now.
The schadenfruede of watching it all was like a drug. It also started to dawn on me that we are all just fucked. Look at what happened! Look at the detractors mis-reading the post and then responding, as many do, that “SOME RANDO BLOG ON THE INTERNET IS WRONG!!!” and knee jerk reacting. On the other hand the complacency and lackadaisical investigatory action on the part of some media types as well was astonishing. However, my contention still stands that there be some fuckery going on here with those wallet transactions by the looks of it and that the likely candidate would be the government, the same government that would have access to cutout accounts that have had transactions in the past in places like Silk Road. Government accounts for agents and government purposes.
So Who Are These Astley Loving Bitcoin Owners?
So above is the Maltego map I fleshed out further as the world burned over my last post. As you can see I made it all neat-n-shit with icons now. You can clearly see that the wallet in question with the silk road logo did not send anything directly to ShadowBrokers, and this is something I was also alluding to with the cutouts. I can see how that account and ones like it could be used to send coins, like the others with the nifty Rick Astley icon! If you look carefully you can see that there are six “astley” accounts that rick rolled Shadow with 1337 Never Gonna Give You Up clues in the chains. Now, these accounts, according to Maltego, have done pretty much nothing else. One of them, sent funds to Silk Road or the wallet seized (one in the same unless, and I have not looked, the feds transfered from the old wallet to a new one to auction the coins and do transfers) …
Are you guys following me here or do I need more visual aids?
Anywho… Where was I? Oh yeah, fuckery with bitcoin.
So yeah, these accounts as far as I can tell so far without going and spending way to many fucking hours on bitcoin.ifo or some such site, were created to purposely rick roll and fuck with the ShadowBrokers. Now, they may be fractions of bitcoins but I ask you, who the fuck has bitcoin money to burn here? Any of you out there? I certainly don’t and the way it was done, so tongue in cheek kinda reminds me of the audacity of TAO…
But anyway, back to facty kinds of things that lead to supposition and theories!
That the wallet does not directly send coins to Shadow is immaterial to my argument. My argument was that, once again, if I were the gubment I might fuck with this auction and see what happens. Maybe it isn’t them. Maybe it is just one guy out there, a bitcoin billionaire just having a lark! Maybe it is six guys who created independent wallets and then had an IRC session to create the master plan to fuck with Shadow and create the 1337 Astley attack!
Or maybe if you just occam this shit, the government, with assets at it’s disposal did some funny shit in an effort to chum the waters and fuck with them at the same time. Please people, think like an intelligence agency for a fucking second mmmkay?
It’s just a theory…
PSA: IT’S JUST A THEORY ON A BLOG ON THE INTERNETS WHERE PEOPLE ARE OFTEN WRONG!
Meanwhile Back At The Bitcoin Ranch…
But wait there’s more!!!
If you also look at the wallets that I have marked with the super cool “Invisible Man” logo, you can see how some of those were actually transfering money from wallet to wallet in sequence to then each post transactions to Shadow. Now what is that all about huh? More wallets acting together? As Velma would often say in Scooby Doo, JINKY’S! Something is going on there. I mean these are not just guys off the street putting down cash here in factions right? Are all those wallets owned by the same player? A group of players?
The mind reels… So yeah, there is shit going on as usual with nation state actors fucking with the internets. Go figure eh?
For the un-subtle out there this is all theory and supposition. This is not attribution. Wait.. Fuck, it is attribution! This is what we usually get for attribution! Best guess is ATTRIBUTION people! Once again, I guess you had to be there in the spook world to understand this premise.
Like I said above, I posted the story as a lark and went away. By Sunday the shit had exploded. People were reporting that direct connection between FBI, Bitcoin wallets, and ShadowBrokers! I never went to anyone with the story and attempted to report it as fact. Yet the media picked up on it (fucking reporters, no wonder I block them) and away the story went. Meanwhile butthurt people with nothing else to do started wailing and moaning about the wrongness of it all. I frankly think they need some remedial English lessons, but that is just the old Doc here speaking. Hundreds of comments came in on the blog and suddenly in parallel a metric shit ton of people wanted in on my feed on twitter.
All of them just taking things on face value of a tweet really. 30K hits to the blog post itself, but how many people then understood what I was alluding to, how many took it at face value and did nothing else but believe? How many actually took the time to look further and see what was going on with the accounts and make a judgement themselves I wonder? For myself, I never stopped looking at this and surely upon reflection there were no direct transactions once I began to really dig a lot deeper but there were connections that could not be discounted. When you look at the whole picture you see connections that can lead you to the same conclusion, that bitcoins involved with the Silk Road, accounts thereof that interacted with Silk Road and the seized coins were in fact connected to the ShadowBrokers auction.
What you all took from it and then made it into is all your own faults people. To those who just then went off to go off, and you know who you are, would you please fill out this form and send it to firstname.lastname@example.org Someone will get back to you with some salve.
The rest of ya, JESUS FUCK, take things with a grain of salt. I ain’t fucking Moses and this ain’t no stone tablets.
PS! This internet of shit is not something that is peer reviewed. We are overestimating our importance on a daily basis. Cut it the fuck out.
@flanvel sent me a link to the darknets with what he said “may” be a numbers station. Of course I had to look at that right away and they were absolutely right! The question is is this just a troll of some kind or is there something else at work? The site tutdwuh7mlji5we3.onion is a static page with four very large ogg files of what sounds like a series of what some claim as ten hours of numbers station like audio. I began the wget this morning and it is still going and I have yet to hear the whole thing but what I heard so far sounds like it starts with a Mexican numbers station from the diction/accent of the reader.
As the commentor on the Reddit says, there is no real way to tell what the deal is with this site because if truly a numbers station (one on the darknet at that) then the code will be random and from OTP so virtually uncrackable. However, it is an interesting notion to consider as I have recently, putting a static transient page on the darknet to use for covert communication through such means as OTP or maybe book code. A simple site with a simple block of text would all it would have to be and you are in bidniss right? In this case if this is a real numbers station at all then perhaps they are trying a signal to noise thing with one of those messages being the real one and the rest are just noisy red herrings. Interesting to ponder.
In any case this is worth a listen to those of you interested in spook world.
So I was looking at the bitcoin status of the #ShadowBrokers account and something interesting began to take shape. What I noticed, with the help of my trusty Maltego (@paterva) was that some transactions with “tainted” bitcoins was happening. Of course I am using the word taint in it’s original form here in that there be some funky shit going on. It seems that not only that ShadowBrokers are WAY short of the eleventy billion bitcoins they want (at about $990.00 last night) but that if I am reading this right, some of the bitcoin payments are coming from the seized Silk Road bitcoins and account.
Well now isn’t that an iteresting development eh? So, is this to say that these coins are still in the coffers of the feds and they are being sent to ShadowBrokers to chum the water here? Maybe get a conversation going? Maybe to get the bitcoins flying so others can trace some taint? Of course once you start to look at that address and the coins in and out there you get some other interesting hits. Suddenly you are seeing US Marshall service as well being in that loop. Which makes sense after the whole thing went down with the theft of coins and such by rogue agents of the USSS and DEA.
THEN we get into stranger territory…
Once you start really looking at the transactions for ShadowBrokers you get this sense of the l337 -ness you are going up against…
It’s all amusing but one has to wonder just what is going on here. Now, if the Silk Road coins are still in the hands of the US GOV then who is sending ShadowBrokers fractions of them and why? Now, I began to ponder the imponderables last night. What if, and you can see this once you start to dig around with Maltego, the coins being paid to the account so far also come from other accounts that are, shall we call them cutout accounts for the government?
I know, you are probably saying to yourself right about now that Krypt3ia needs to drink some more and chill the fuck out but lemme splain…
If you were the gubment and you wanted to maybe trace these fuckers would you maybe try to chum the bitcoin waters to see what wallets are used for any liquidation of the bitcoins later? I would.. Just a thought and with the hits there to the silk road and the marshall’s service I kinda wonder. In any case this is interesting and I am LOVING the l337 status on those transactions hahaha. You guys take a look and see for yourselves. I just thought this was an interesting development.
Alright, continue your cybers people and PUT ON YOUR HELMETS!!!
We all knew that this shit was going on but now it’s reaching epic cyber douchery levels kids…
Hey someone posted some shit on the Github and the everywhere! LOOK!
Shiiiit this stuff looks kinda real!
FUCK THEY TOOK DOWN ALL THE LINKS!
…EXCEPT MEGA OF COURSE…
LOOK! RC5 and RC6 Implementations match EQUATION GROUP!
SNOWMAN SAYS LAY OFF RUSSIA BECAUSE YOU WAKE DA BEAR! (Uhh hey, can I have my dacha now? I have been a good comrade)
ASS-ANGE FROM HIS EVITA BALCONY: WE HAVE ALL THE SHIT AND WE WILL BE POSTING IT BECAUSE FUCK YOU ALL!
SECRET SQUIRRELS FORMERLY AT NSA SAY HOLY SHIT!
SECRET SQUIRRELS AT TAO SAY OOPS!
SECRET SQUIRRELS AT TAO SAY THIS IS RUSSIA BY GOD!
Fuckery. It’s all fuckery kids. The world is at war already and the populace never got a vote on this one. These scripts and exploits are just the tip of the 2013 iceberg and the reality is that knowing what the likes of J-39 and their ilk were hoping for back in the day we are well and truly fucked if they decide to go all out cyberdouche. Now we have this almost parity with this leak by who? The 2016 cyber equivalent of the Rosenbergs? I haven’t a fucking clue and no one else does as to who did this and why. No really, fuck you if you say you do. And if you attempt to “treat intelligence cyber attribute” this shit you are only trying to get clicks for ads.
But seriously, the biggest issue I have with all of this is that while we are all slobbering over the dump and the potential one to come no one seems to be talking about how fucked up this is. While these guys are making and buying 0days and pwning foreign nations our own infrastructure lays like a burned out whore in the missionary position. We are prosecuting the war but we are not securing the “homeland” for shit and we see it every day. See, the rub of it all is that corporations are the ones that hold the infrastructure and fuck all trying to make them become secure through legislation or any kinds of rules. So here we are with all our shit in the wind to start with, no mass movements to secure the nations everything, and now a dump of just some of our cyber weapons has been spilled online as a big fat fuck you.
Yeah, I feel good about where we are.
Still, the shit is three years old.. Who’s to say that those sploits still work on systems in China let’s say. Anyone checked by the way? Anyone?… Well in any case either someone fucked up and left this shit on a server in 2013 to now OR as some have intoned, this was an insider. Either case still leads to the inevitable fuckery the nations have all been up to and we are not alone, not by a long shot. Some have said that the NSA should be securing things and I just laugh and laugh at that. What the fuck do you think their operational aegis is anyway? It’s to break all the things and own them! So all you who look to Ft. Meade for any solutions are just deluded. Nope, the war is on, it is hot, and it is all under cover. When someone finally decides to go batshit they will unleash all the sploits in tandem with kinetic operations and that will be it. A real hot war will erupt.
It’s still true.. We are the reason we can’t have anything nice.
Oh well, at the end of the day there’s fuck all we can do. The shit is in the wind and now everyone has it. It will be used as a platform of attack until all the things are patched but in between they will be used for whatever ends lone actors or nation states feel like using them for.
IT looks like I may have fucked up on the file I uploaded so I re-uploaded it again and let people who I knew were working this problem. I will give this a couple days. If no one messages me then this will be released….
So here’s the decrypt…
The Templar code was: “seek within” and the file was stegged…
THE FINAL PUZZLE…. “What is my least favorite word?”
I made a concerted attempt to go see this talk at DEFCON 24 especially since like Danny Glover, ” I am too old for this shit” and braved the masses to get a seat. I went into this talk prepared for fun and games but came out of the other end with some constructive criticism and ideas about other talks that could be made and subsequently never given for fear of arrest. Now Chris is an Aussie and those people are generally nuts, I mean come on, it was a penal colony after all right? But aside from being entertaining enough, this guy just incited, or wanted to incite, the hacker community to be higher on the threat list than da’esh and terrorism in general?
Perhaps it was tongue in cheek but upon talking to someone in the know, DEFCON had to talk him off the ledge on a few things and he had to redact the preso because he was actually going to give even more directed info on how to carry off a coup digitally. I mean he came pretty close with what he presented in the end (without real numbers and amounts of planning and time it would take) but suffice to say, someone with the effort could make a pretty good stab at this now. Hell, this was pretty much the playbook that the J39 and other groups used on places like Serbia in the 90’s right? So the data is out there for others to grab I suppose, but to get up on stage at a con like DEFCON and tell the audience, however impressionable they may be, to do more?
What was that line from Dead Poets about the phone call again?
John Keating: Phone call from God. If it had been collect, that would have been daring!
Anyway, I kind of have to wonder at the thought process behind this but meh, likely no one will take heed and try even more grandiose shit just because they can right?
Oh well time will tell I suppose. This preso got me thinking though of other presentations that could be made. I pondered on the plane ride home all the different scenarios that could be carried out by a small group of hackers and suddenly I was feeling like I was in an episode of Mr. Robot. *shudder* Yes, we could carry off these kinds of attacks with the right direction, planning, and OPSEC but really do we want to? Do we want to because this guy says we need to be scarier than terrorists? Is there some kind of psychopathy at play here?
I will leave it to the nation states to play these games. Instead, how about we all maybe concentrate on getting our own shit secured so no one can do the things Rock was showing us all is so easy to do..
Now there’s a novel idea.
Yep, yet another Da’esh darknet site popped up this morning. This one is a rather bare bones effort that relies on free DynDNS, Tor2web and links back to things like WordPress and imgur and Cloudflare. The site came up and then went down after the kids from OpISIS came and went. The cloudflare though seemed to help as well as the tor2web linkage. As of this writing Cloudflare started to act up and the site was losing bits of itself as I was interrogating it for information.
Anyway, this site is pretty sparse design wise but has a lot of content to click. As you can see below it is low tek but the content is brand new. No mention of official ties but it has the flag in the tab as you can see. All of the links go to external clearnet sites for content so much of the work is being placed on the clearnet sites that the daeshbags upload shit to like mega and the like.
Overall, not much to write home about. The site I assume will be down and up for a while but this just shows you that the daeshbags are trying to get content in the darknet but they seem to be unable to host it all themselves on a single server. Until they can do this, then technically they will continue to be taken offline pretty easily by the kids.
I will be pulling all the metadata since I have already archived the site en toto with wget… More when I have it.
I ran an onion scan on this site for all you kids.. Go.. play..
————— OnionScan Report —————
High Risk Issues: 0
Medium Risk Issues: 0
Low Risk Issues: 0
Informational Issues: 4
Info: Missing X-Frame-Options HTTP header discovered!
Why this is bad: Provides Clickjacking protection. Values: deny – no rendering within a frame, sameorigin
– no rendering if origin mismatch, allow-from: DOMAIN – allow rendering if framed by frame loaded from DOMAIN
To fix, use X-Frame-Options: deny
Info: Missing X-XSS-Protection HTTP header discovered!
Why this is bad: This header enables the Cross-site scripting (XSS) filter built
into most recent web browsers. It’s usually enabled by default anyway,
so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
To fix, use X-XSS-Protection: 1; mode=block
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: The only defined value, “nosniff”, prevents browsers
from MIME-sniffing a response away from the declared content-type.
This reduces exposure to drive-by download attacks and sites serving user
uploaded content that, by clever naming, could be treated as executable or dynamic HTML files.
To fix, use X-Content-Type-Options: nosniff
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: Content Security Policy requires careful tuning and precise definition of the policy.
If enabled, CSP has significant impact on the way browser renders pages (e.g., inline
CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
To fix, use Content-Security-Policy: default-src ‘self’