200k stolen in dogecoin mining operation

What happened?

Dogecoin is brought up to our attention one again, this time a hacker mined around 500 million dogecoins, equating to $200 thousand. The hackers infiltrated data storage hubs for computer networks. According to SecureWorks, which is an information service and is a subsidiary of Dell, the hacker targeted NAS (network attached storage) boxes which we made by Synology Inc. It used the boxes’ power to mine dogecoins on a private pool. The hacker was running the miners for months and since then customers have been complaining about poor quality of service on Facebook way back in February.

SecureWorks who was compromised said:

“To date, this incident is the single most profitable, illegitimate mining operation.”

the investigation discovered a folder named ‘PWNED’ that ocntained the miner which ran on the boxes. It used CPUMiner in order to mine the coins. The hacker did not choose the standard cgminer which uses GPUs to mine because the boxes seemed to have a strong CPU with minimal GPU performance. This way he was able to use a small amount of the CPU’s power to go unnoticed.

The address that the dogecoins were sent to is

D9cDqmVjYXdeDjMtXSV7Z3LgiHvRZ12bPX

The address shows around 400 million dogecoins, the other wallet contains the rest of the coins that make up roughly 500 million doges.

Who was it?

SecureWorks is set on finding out who the hacker was and so far revealed that “the findings strongly indicate that the threat actor is of German descent.”

The hacker also used a private pool in order to mine the coins this gave the hacker the anonymity he wanted because since the pool is owned by the hacker it will not release his account’s logs. This eliminates evidence that could link the hacker to his identity.

SecureWorks also accessed the data being sent to the NAS boxes and were able to ascertain the dogecoin wallet address holding the fraudulently mined coins.

Inside the configuration file for the CPUminer the string foilo.root3 appears to have a link to an account on GitHub and BitBucket, if charges are going to be filed the police could subpoena the two companies to reveal logs about the account and it’s IP addresses. Then they could link it to the hacker’s identity. If the hacker used a VPN or Proxies or if the hacker simply used that name to divert investigators he could be safe.

Not the first attack

This dogecoin mining attack represents a creative approach to generating cryptocurrency through fraudulent means. The more classic approach is the use of a Botnet and installing miners on the infected computers, however infiltrating powerful corporate computers is a more creative way to approach it.

Another example of such an attack happened last month, where unknown hackers attempted to distribute bitcoin mining malware through the torrent of the popular game Watch Dogs, this attack was targeted at torrent users who thought they could could play the game for free, ironically their computer’s were infected.

Another attempt was aimed at cellphone users who downloaded wallpaper apps, one such app made it to the Google Play app store which installed mining software on the user’s devices.

Don’t forget to follow us on twitter for giveaways @btc_feed

Update

Here is the information that links to the hacker’s public accounts, as stated by b!z from bitcointalk.org

Here’s the original Dell SecureWorks blog post: http://www.secureworks.com/resources/blog/hacker-hijacks-synology-nas-boxes-for-dogecoin-mining-operation-reaping-half-million-dollars-in-two-months/

Github from the blog post: https://foilo.github.io/
Bitbucket from the blog post: https://bitbucket.org/b0hal

A Google search reveals he has posted on this forum: http://back2hack.cc/showthread.php?tid=2554