Pullin’ a Rabbit out of a Black Hat

Posted on Mar 13, 2012 by rasengan

Smoking PuppetStep 1 – Hack a computer.
Step 2 – ?
Step 3 – Profit.

In the past, step 2 generally consisted of several intricate steps that required a significant amount of effort and skill.  Even if a system was filled with valuable data, it was highly unlikely that any of said data was actually valuable to the hacker.

Therefore, at this point, one generally had to undergo several steps to turn a profit:

1. Find a buyer who was interested in the data.
2. Sell the data.
3. Seller had to make sure buyer sent funds.
4. Buyer had to make sure seller sent data.
5. All steps needed to be conducted anonymously.

This meant that hackers had to create fake bank accounts, which meant they had to create fake identities, which meant they needed to purchase these from yet another untrusted source in order to conduct the anonymous transaction.  As one can see, these were quite daunting tasks.  Of course, there were (and still are) major criminal organizations, as well as highly entrepreneurial hackers, that have solved these problems.  But, overall, these persons and organizations represented a minority percentage of the people who wished to hack for profit.  For everyone else, the difficulties and risks involved in obtaining bank accounts with false identities or receiving payments in some other anonymous manner just wasn’t worth it.

For most hackers, there was little opportunity to profit from hacking, and therefore, most hacking was conducted for purely non financial reasons.  Many of the most talented hackers were not criminal by nature, and as such, were unwilling to take the dangerous risks required to financially gain from a hack.  As such, much hacking was conducted for seemingly altruistic reasons (e.g., showing the site they infiltrated it, how they did it, and how to fix it).  Many hackers did this to obtain a job, or merely to feel good about themselves after helping someone out (as well as internet fame).

However, everything changed when a new money was created out of thin air.  Bitcoin solves all of the above problems for hackers entirely and, moreover, quite elegantly.  Suddenly, hackers are able to profit with minimal effort:

1. Hack.
2. Grab Bitcoin Private Keys.
3. Transfer Bitcoins to oneself.

At this point the hacker has already profited.  They can go further and put the Bitcoins through a mixing service to anonymize them and then cash them out at an exchange for USD.  Furthermore, this can all be done over Tor to remain fully untraceable.

When compared to the previous monetization schemes associated with hacking, this is several orders of magnitude easier.  All one needs to do is simply find a system with Bitcoins on them.  While this is scarce now, it is highly likely that Bitcoins will become much more prevalent over time.  Additionally, it is fairly simple to find servers who are holding Bitcoins (see Linode) as well as monitor the Bitcoin P2P network for IPs associated with Bitcoin transactions.

Even script-kiddies who distribute applications to create botnets which can be used for mining or DDoS attacks no longer need to DDoS sites and hold them ransom.  Instead, they can simply steal Bitcoins off any computer they control.

Hacking has changed.  And while money can be generated with a computer, it can now  also be stolen through black hat hacking even faster.  It’s not Houdini; but rather, Who dun’ it?  And, today, it looks like we’ll never know.

Some tips on staying safe:

1. Use a VPN or Tor to mask your IP on the Bitcoin P2P network.
2. Keep all of your Bitcoins in an offline wallet.
3. Use a BrainWallet.

If you have other suggestions, please feel free to leave them in the comments!


VPN Service

Comments are closed.


  1. anti love

    sorry but this is bullshit
    there was tons of different way to make money and dont even need to setup a fake account
    porn site and affiliate stealing was a fucking good one who made billions
    dont need fake identity for sellings emails of traders to someone in the micro stocks.
    in one line. you knew shit about real underground haha  real hacker  always made money and continue to do so 
    they are making millions. dont need mafia or whatevers. damn have you see how easy it is to open a bank account in thailand ?

    9 years ago
    1. realrasengan

      anti love – i can agree to this, and you’re absolutely right.  i should have been more specific but i was speaking within a very specific niche.


      9 years ago
  2. Maxpanic

    Encryption on the wallet only goes so far. For the kind of automation needed for a big site like an exchange the wallet file might be crypted but the key stored in a startup script.

    Also, the private keys could be yanked out of memory.

    Only you have root on the box, any stored encryption isn’t useful when the system is running.

    9 years ago
  3. Anon

    You’ve raised a good point – bitcoin theft is just theft. Forget white/blackhat or any other ethical or entertainment value hacking might have – it’s a direct equivalent to burglary. Except the thief is far less likely to be caught. So:

    4. Get insurance.
    Obviously it’s going to be hard right now to find an insurer that will cover you, let alone one that has the technical nous to provide a affordable premium vs risk, but expect to see such products on offer soon.

    9 years ago
    1. realrasengan

      That’s a really good point – that I didn’t consider.  Insurance will definitely play a big role in the future of Bitcoin and other online currencies.  Of course, the premium might be quite high as well. ;)

      9 years ago
  4. Anony Mouse

    For the past several months has been a release of the bitcoin software that allows you to encrypt the keys in the wallet.  This means the black hat attacker needs to not just obtain the file but must also learn the passphase that is typed in.  Not all users have encrypted their local wallet — which is why the Linode hacking was successful for the attacker.

    9 years ago
    1. realrasengan

      Hi Anony Mouse.  This is true that you can encrypt keys in your wallet, and I strongly recommend doing this.

      9 years ago