Cointel investigation of ‘DD4BC’

Remco Bloemen

This is an example investigation of one particular threat made using the moniker DD4BC.

Threats

On Saturday 15 November 2014 several emails with the subject "mpex.co - DDOS ATTACK!" were sent from DD4BC TEAM <dd4bc@outlook.com>. The email headers indicate that the messages did indeed originate from the outlook.com webmail service. The sender's timezone was GMT+1; all times below are in GMT.

At 12:45:59:

Hello,

To introduce myself first:
http://cointelegraph.com/news/112606/nitrogensports-goes-public-to-combat-extortion-blackmail-and-slander

:)

Now, to business:

My attacks are sophisticated and too strong that I can bypass any protection other than PROLEXIC ( and i will cost you 5-10 K per month). Google and check how many sites behind CloudFlare and similar shitty protections I crashed.

Pay me 1 BTC and your site is “protected” for lifetime. Pay to BTC address:
132EdUarcghK2barhkxgaKQ2XqnchPbWSB

Right now I’m running small attack for 1 hour as proof.

After that I expect your payment.

Please note that if I'm not paid within 2 hours, price will increase to 1 BTC to stop and will keep increasing 0.1 BTC for every hour of attack.

Thank you.

At 14:29:01:

Hello :)

At 16:36:07:

Attack temporarily stopped to give you time to read email and act.

You still have chance to end this for 1 BTC.

If not, attack restarts in 1 hour and price goes to 2 BTC.

At 17:44:26:

Not sure if you are online and reading my emails, so I will be nice and wait a few more hours…

We have not looked for further messages, nor for evidence that the threatened attack was actually carried out.

The money chain

The threats demand a ransom to be paid to the Bitcoin address:

132EdUarcghK2barhkxgaKQ2XqnchPbWSB
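Before searching the blockchain for the address, it is worth checking that the string lifted from the email is a well-formed Bitcoin address at all. The following is an added example, not code from the original investigation: a Base58Check decoder that rejects characters outside the Base58 alphabet and verifies the four-byte double-SHA256 checksum. A valid checksum proves only that the address was not mistyped or mangled in transit; it says nothing about who holds the key. The address used in the usage comment is the well-known genesis-block coinbase address, not one from this investigation.

```python
"""Base58Check validation of a Bitcoin address (added example)."""
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, so visually confusable
# characters cannot be substituted into an address unnoticed.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def decode_address(addr):
    """Decode a Base58Check address into (version_byte, hash160_bytes).

    Raises ValueError if the string contains characters outside the
    alphabet, does not decode to the 25 bytes of a legacy address, or
    fails the double-SHA256 checksum carried in its last four bytes.
    """
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character %r is not Base58" % ch)
        n = n * 58 + idx
    # Every leading '1' encodes a literal 0x00 byte that the integer loses.
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        raise ValueError("decoded to %d bytes, expected 25" % len(raw))
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    if digest[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]


def is_valid_address(addr):
    """True if addr is a syntactically valid legacy (Base58Check) address."""
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False


# Usage: is_valid_address("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa") is True and
# decode_address(...) returns version byte 0 (a pay-to-pubkey-hash address).
```

Running `is_valid_address` over the fifteen addresses in the list further down is a cheap way to catch transcription errors before building an analysis on them.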

Only two transactions involving this address ever appeared on the blockchain, both made on 4 December, nineteen days after the threat. The amount involved is only 21.7 mBTC, roughly €6 at the time.

The two transactions are part of a larger structure of single-output and zero-confirmation transfers that moves money from Laxo Trade Ltd. to the Satoshi Bones casino. The transfer is indirect and passes through 13 intermediary addresses, one of which is the ransom address.

First the money is transferred from Laxo Trade Ltd. to address 13 in a chain of twelve transactions. About 5% is lost in transaction fees in the process. All transactions were created on 4 December, in little more than an hour before midnight, and ended up in five blocks: 332896, 332900, 332901, 332903 and 332905. The full chain is given in the tables below.

Most transactions, including the first, spend zero-confirmation inputs: they were created before the transaction they spend from had been mined, and were often mined in the very same block. The first part of the chain has a single output per transaction and no change. The second part re-uses the same change address (address 14) in every transaction. None of the intermediary addresses has been used before or since, with the notable exception of the ransom address, which had of course already been published in the extortion emails.

This leads us to believe the chain was orchestrated by a single individual controlling all addresses except the last one, which belongs to the casino. In particular, that individual has access to both the Laxo Trade Ltd. wallet key and the private key of the ransom address.

The money ultimately ends up in the Satoshi Bones 0.09766% address. Sending to it places a bet with less than one-in-a-thousand odds of winning. Eighteen bets are placed: seventeen of the minimum bet amount of 1 mBTC, and a final one of 1.9 mBTC. The money

Inputs and outputs refer to the numbered addresses in the list below. Amount is the value of each output; Fee is the difference between what the transaction spent and what it paid out; Received is the time (GMT) the transaction was first seen, and From the node it was relayed from.

Table 1: from Laxo Trade Ltd. (address 1) to address 13, one output per transaction

Inputs  Outputs  Amount (mBTC)  Fee (μBTC)  Block   Received  From
1, 1    2        21.8           126.56      332896  22:31:57  blockchain.info
2       3        21.7           100.00      332896  22:32:29  54.72.94.231
3       4        21.6           100.00      332896  22:33:03  104.131.128.248
4       5        21.5           100.00      332896  22:33:29  97.107.135.113
5       6        21.4           100.00      332900  22:46:04  162.220.47.184
6       7        21.3           100.00      332900  22:47:43  63.142.215.160
7       8        21.2           100.00      332901  23:01:03  72.191.29.242
8       9        21.1           100.00      332901  23:01:23  185.19.104.122
9       10       21.0           100.00      332901  23:15:29  108.219.80.251
10      11       20.9           100.00      332903  23:19:34  81.30.203.67
11      12       20.8           100.00      332903  23:21:27  88.198.6.235
12      13       20.7           100.00      332903  23:21:47  85.17.238.8

Table 2: eighteen bets at Satoshi Bones (address 15), with change returned to address 14 each time

Inputs  Outputs  Amount (mBTC)  Fee (μBTC)  Block   Received  From
13      14, 15   19.6, 1.0      100.00      332903  23:22:44  83.243.255.226
14      14, 15   18.5, 1.0      100.00      332903  23:23:01  85.10.234.22
14      14, 15   17.4, 1.0      100.00      332903  23:23:13  162.220.47.184
14      14, 15   16.3, 1.0      100.00      332903  23:23:28  69.246.9.178
14      14, 15   15.2, 1.0      100.00      332903  23:23:40  95.154.200.216
14      14, 15   14.1, 1.0      100.00      332903  23:23:50  72.228.153.102
14      14, 15   13.0, 1.0      100.00      332903  23:23:59  104.131.247.112
14      14, 15   11.9, 1.0      100.00      332903  23:24:21  162.220.47.184
14      14, 15   10.8, 1.0      100.00      332903  23:24:34  107.170.26.17
14      14, 15   9.7, 1.0       100.00      332903  23:24:53  23.226.70.194
14      14, 15   8.6, 1.0       100.00      332903  23:25:07  104.131.247.112
14      14, 15   7.5, 1.0       100.00      332903  23:25:32  162.220.47.184
14      14, 15   6.4, 1.0       100.00      332903  23:25:48  54.172.163.55
14      14, 15   5.3, 1.0       100.00      332905  23:46:00  208.12.64.254
14      14, 15   4.2, 1.0       100.00      332905  23:46:15  178.79.189.150
14      14, 15   3.1, 1.0       100.00      332905  23:46:25  178.79.189.150
14      14, 15   2.0, 1.0       100.00      332905  23:46:36  162.220.47.184
14      15       1.9            100.00      332905  23:47:02  73.181.23.132

Addresses:

  1. 1LaxoTrQy51LnB289VmoSAgN6J6UrJbfL9 Laxo Trade Ltd.
  2. 1HoKWoK7X7cGJkWNgzjvjRM1G7H3pvNmE9 Single use
  3. 132EdUarcghK2barhkxgaKQ2XqnchPbWSB Single use
  4. 1KzKw6ssAF1THNJHCED5XASnyupELbcrxM Single use
  5. 1MjrL4tq2duUhhdxHYPLBgwH6uc1TokS5v Single use
  6. 1LBod6Gocz2PQRb4yJNuZ9dw52aprmGTdP Single use
  7. 1G7pLf1xcGPkqxFBdUniv6KeaodVFqAHxr Single use
  8. 1CJbRJbcajKcEN4mdTGh1XLPKXBetP2N7q Single use
  9. 1cq5a48DBXAbevcVC9Kaa265wphXboRsQ Single use
  10. 18TinsgCuwtzKw4Z8i4i5iTH1FTGyAv4fJ Single use
  11. 141ntTr3VUHa8i9fA8Ut9eLzhXQjZougTk Single use
  12. 1ErYHkQ7yi1i5a16yJJb27hC1zBsoePUxf Single use
  13. 15yTh12V4YY5Y6YbCetTKad9jbdntsHUph Single use
  14. 16yzpVa3eR7xdXni1PGAW55X92HBkodZda Change address, only used here
  15. 1bonesbTK2GjYasv5yzGPFCMAaQHup4vk Satoshi Bones 0.09766%
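The reasoning above (single-output hops, zero-confirmation spends, one change address reused in every bet, about 5% lost to fees on the first leg, eighteen bets at less than one-in-a-thousand odds) can be checked mechanically against the tables. The block below is an added example and not part of the original investigation: it replays the thirty transactions as transcribed from the two tables, derives each hop's fee from what it actually spent rather than trusting the fee column, and reports the structural signals that point to one operator. Amounts are in microbitcoin so the arithmetic is exact; the win probability is taken from the 0.09766% in the casino address name, and the chance that at least one of the bets wins is derived from it.

```python
"""Peeling-chain analysis of the ransom payment (added example).

HOPS is transcribed from the two transaction tables above, with amounts in
microbitcoin (uBTC). Address numbers refer to the numbered address list.
"""
from collections import Counter

# (input addresses, output addresses, output amounts in uBTC, block height)
HOPS = [
    ((1, 1), (2,), (21800,), 332896),
    ((2,), (3,), (21700,), 332896),
    ((3,), (4,), (21600,), 332896),
    ((4,), (5,), (21500,), 332896),
    ((5,), (6,), (21400,), 332900),
    ((6,), (7,), (21300,), 332900),
    ((7,), (8,), (21200,), 332901),
    ((8,), (9,), (21100,), 332901),
    ((9,), (10,), (21000,), 332901),
    ((10,), (11,), (20900,), 332903),
    ((11,), (12,), (20800,), 332903),
    ((12,), (13,), (20700,), 332903),
    ((13,), (14, 15), (19600, 1000), 332903),
    ((14,), (14, 15), (18500, 1000), 332903),
    ((14,), (14, 15), (17400, 1000), 332903),
    ((14,), (14, 15), (16300, 1000), 332903),
    ((14,), (14, 15), (15200, 1000), 332903),
    ((14,), (14, 15), (14100, 1000), 332903),
    ((14,), (14, 15), (13000, 1000), 332903),
    ((14,), (14, 15), (11900, 1000), 332903),
    ((14,), (14, 15), (10800, 1000), 332903),
    ((14,), (14, 15), (9700, 1000), 332903),
    ((14,), (14, 15), (8600, 1000), 332903),
    ((14,), (14, 15), (7500, 1000), 332903),
    ((14,), (14, 15), (6400, 1000), 332903),
    ((14,), (14, 15), (5300, 1000), 332905),
    ((14,), (14, 15), (4200, 1000), 332905),
    ((14,), (14, 15), (3100, 1000), 332905),
    ((14,), (14, 15), (2000, 1000), 332905),
    ((14,), (15,), (1900,), 332905),
]
EXTERNAL = {1}      # Laxo Trade Ltd. wallet; its funding inputs are not traced
CASINO = 15         # Satoshi Bones 0.09766% bet address
P_WIN = 0.0009766   # odds advertised in the casino address name


def replay(hops):
    """Spend each hop's inputs from the outputs created by earlier hops.

    Returns (fees, unspent): the fee of every hop in uBTC (None for the hop
    funded from the untraced wallet) and the uBTC left on addresses that were
    never spent. A KeyError means the rows do not form a connected chain.
    """
    unspent, fees = Counter(), []
    for inputs, outputs, amounts, _ in hops:
        spent = None if EXTERNAL & set(inputs) else sum(unspent.pop(a) for a in set(inputs))
        for addr, amt in zip(outputs, amounts):
            unspent[addr] += amt
        fees.append(None if spent is None else spent - sum(amounts))
    return fees, dict(unspent)


def heuristics(hops):
    """Structural signals that suggest one operator built the whole chain."""
    out_use = Counter(a for _, outs, _, _ in hops for a in outs)
    in_use = Counter(a for ins, _, _, _ in hops for a in set(ins))
    blocks = [b for _, _, _, b in hops]
    return {
        "hops": len(hops),
        "single_output_hops": sum(len(outs) == 1 for _, outs, _, _ in hops),
        # mined in the same block as the hop it spends from: a zero-conf spend
        "same_block_as_parent": sum(p == c for p, c in zip(blocks, blocks[1:])),
        "reused_change_address": [a for a, n in out_use.items() if n > 1 and a != CASINO],
        "single_use_addresses": sorted(a for a in out_use if out_use[a] == in_use[a] == 1),
        "blocks": sorted(set(blocks)),
    }


def summary(hops=HOPS):
    """Fees paid, money delivered to the casino, and the odds being bought."""
    fees, unspent = replay(hops)
    report = heuristics(hops)
    leg1 = [amts[0] for _, outs, amts, _ in hops if len(outs) == 1 and CASINO not in outs]
    bets = [amt for _, outs, amts, _ in hops for a, amt in zip(outs, amts) if a == CASINO]
    report.update({
        "fees_ubtc": fees,
        "first_leg_fee_pct": round(100 * (leg1[0] - leg1[-1]) / leg1[0], 1),
        "total_traced_fees_ubtc": sum(f for f in fees if f),
        "delivered_to_casino_ubtc": unspent.get(CASINO, 0),
        "bets": len(bets),
        "min_bet_ubtc": min(bets),
        "p_any_win": 1 - (1 - P_WIN) ** len(bets),
    })
    return report
```

`summary()` returns a dict of the findings. The same-block count treats the rows as a linear chain in table order, which the replay verifies by construction: it raises if any hop spends an output that no earlier row created, so a mis-transcribed row is caught rather than silently absorbed into the totals.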

Laxo Trade Ltd.

laxotrade.com was registered on 2014-02-13 14:18:07 for Laxo Trade Ltd., which operated an online Ponzi scheme during 2014. Laxo Trade Ltd. is notable as the first company to send unsolicited bitcoins to other people's addresses as a means of advertisement. It did this from the address 1LaxoTrQy51LnB289VmoSAgN6J6UrJbfL9, address 1 in the list above.

WHOIS laxotrade.com on 2014-05-21:

Orville Gibbs
Laxo Trade Ltd
admin@laxotrade.com
+44.2074059813 fax: +44.2074059813
236 Gray’s Inn Road, Floor 7
London England WC1X 8HB

WHOIS laxotrade.com on 2014-05-21:

Ognjen Plameny
Laxo Trade Ltd
plameny@safe-mail.net
+3346534534 fax: +3346534534
15-22 New Inn Yard
London England EC2A 3EA

Catena Finance Ltd.

A similar Ponzi scheme, Catena Finance Ltd., operated in 2013 on the domain catenafinance.com, created on 2013-03-21. According to the archived website the company was incorporated on 15 April 2013 with company number 8488673. Its WHOIS history shares the identity Ognjen Plameny with laxotrade.com. The name loosely translates from Slavic roots as "Fiery Flames" and is possibly a pseudonym.

WHOIS catenafinance.com on 2013-12-26:

Ognjen Plameny
Catena Finance LTD
plameny@safe-mail.net
+86.05922577111 fax: +86.05922577111
15-22 New Inn Yard
London England EC2A 3EA

WHOIS catenafinance.com on 2013-07-28:

Enver Hasanbasic
Catena Finance LTD
domain@catenafinance.com
+86.05922577111 fax: +86.05922577111
15-22 New Inn Yard
London England EC2A 3EA

WHOIS catenafinance.com on 2013-07-01:

Whois Privacy Protection Service
Whois Agent gmvjcxkxhs@whoisservices.cn
+86.05922577888 fax: +86.05922577111
No. 61 Wanghai Road, Xiamen Software Park
Xiamen Fujian China 361008
