
SANS ISC: Internet Storm Center


BTC Pickpockets

Published: 2017-11-18
Last Updated: 2017-11-18 11:15:54 UTC
by Didier Stevens (Version: 1)

I observed requests to my webserver to retrieve Bitcoin wallet files:

The files they are looking for are:

wallet - Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip

I've seen a couple of such requests a couple of years ago, but it's the first time I've seen that many. The first time I observed this was late 2013, in the middle of the first big BTC price rally.

Please post a comment if you observed similar requests.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
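
For checking your own logs for similar requests, here is an added example (not part of the diary and not Didier Stevens' code): it scans access-log lines for the file names listed above, groups them by client, and flags any request that got a 2xx response. It assumes the Apache/nginx "combined" log format and matches the file name in any directory; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# File names listed in the diary, lower-cased for case-insensitive matching.
WALLET_NAMES = {
    "wallet - copy.dat", "wallet.dat", "wallet.dat.1", "wallet.dat.zip",
    "wallet.tar", "wallet.tar.gz", "wallet.zip", "wallet_backup.dat",
    "wallet_backup.dat.1", "wallet_backup.dat.zip", "wallet_backup.zip",
}

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def wallet_probe(target):
    """Return the listed wallet file name a request target asks for, else None."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %20 etc.
    name = path.rsplit("/", 1)[-1].lower()   # match the file name in any directory
    return name if name in WALLET_NAMES else None

def scan(lines):
    """Return ({client: names probed}, [(client, name) answered with 2xx])."""
    probes, served = defaultdict(set), []
    for line in lines:
        m = LINE_RE.match(line)
        name = wallet_probe(m["target"]) if m else None
        if name is None:
            continue
        probes[m["ip"]].add(name)
        if m["status"].startswith("2"):  # a 2xx means something was served
            served.append((m["ip"], name))
    return dict(probes), served

# Constructed sample lines (documentation IP ranges), not taken from the diary.
SAMPLE = [
    '192.0.2.10 - - [18/Nov/2017:09:01:02 +0000] "GET /wallet.dat HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.10 - - [18/Nov/2017:09:01:03 +0000] "GET /wallet%20-%20Copy.dat HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.10 - - [18/Nov/2017:09:01:04 +0000] "GET /backup/wallet.tar.gz?x=1 HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [18/Nov/2017:09:05:00 +0000] "GET /WALLET_BACKUP.ZIP HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.5 - - [18/Nov/2017:09:06:00 +0000] "GET /docs/my-wallet.dat.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    probes, served = scan(SAMPLE)
    for ip, names in sorted(probes.items()):
        print(f"{ip}: {len(names)} wallet file(s) probed: {sorted(names)}")
    for ip, name in served:
        print(f"CHECK NOW: {name} returned 2xx to {ip}")
```

A 2xx hit can also come from a catch-all page that answers every URL, so confirm it against the response size or the files actually present in the web root.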

Keywords: BTC