Blockchain Bookmarklet for Beginners

geckosint
4 min read · Sep 7, 2021


An OSINT Dojo Challenge Write-up

As stated in the OSINT challenge post, this is a beginner-level cryptocurrency question which isn’t too hard to solve if you can find some relevant resources. While I am very familiar with cryptocurrencies in general, I don’t find myself investigating digital wallet addresses often. I viewed this challenge as a great opportunity to establish some personal OSINT crypto “go-to’s” and offer anyone else in the same position a time-saving shortcut.

Obligatory image of a Bitcoin in the wild

Skip to “Part One” if you’ve got the crypto basics down.
First, let’s try to cover a few basics for the crypto newcomers, but this will not be a Bitcoin-101. If you know absolutely nothing about Bitcoin or digital currencies in general, there are A LOT of videos on YouTube that can familiarize you with the concepts of cryptocurrency. Some concepts to know for the purposes of this challenge include digital wallets and types of cryptocurrencies.

The one type of cryptocurrency you likely have heard of is Bitcoin. It is the most popular in that its name is the most recognizable and the most closely associated with the cryptocurrency system. However, at this point there are hundreds of other “coins” or tokens that make up the vast world of cryptocurrency trading. “Alt-coins” (or alternatives to Bitcoin) include currencies such as Ethereum, Litecoin, Ripple, and Stellar.

What is a wallet? As explained by Coinbase:

‘Crypto wallets keep your private keys — the passwords that give you access to your cryptocurrencies — safe and accessible, allowing you to send and receive cryptocurrencies like Bitcoin and Ethereum.’

For a deeper and more competent explanation of digital wallets and addresses, check this article out.

Each currency utilizes unique technological protocols and systems, improving on previous designs, and aiming to solve implementation issues. Delving into the differences would take a long time, but the key point is that each of these cryptocurrencies utilizes its own protocol for generating a wallet address. As a consequence, wallet addresses for differing coins look different, just as an MD5 hash value looks different from a SHA256 hash value, or a PBKDF2-SHA256 hash value.

Part One — Solve It.

Original Challenge Tweet

The first question in the challenge asks the solver to determine a specific cryptocurrency based on the wallet address. The wallet address is the string of characters starting with “1KxCvtgg…” Luckily, as crypto popularity has exploded in recent years, so have crypto-related online resources. An unbelievable collection of links can be found here.
Let’s use a few of them to solve our challenge.
If we search the wallet address over at Blockchain.com we are presented with two options of cryptocurrencies, BTC (Bitcoin) and BCH (Bitcoin Cash). Only the BTC wallet shows records of actual transactions. Searching this wallet on several of the other linked resources also confirms this address has made transactions on the Bitcoin blockchain. This answers our first question.
1. Bitcoin

The second answer is just as easy to determine using the links; a few quick searches show that between September 11, 2018 and September 14, 2018, 11 transactions were completed by this wallet address. During that time the transactions totaled almost $21,000 received; however, the current balance is $0.00. Though many of the resources confirmed this information, I preferred the data as presented by Bitcoinwhoswho.com.
2. 11 transactions

Finally, we must determine if there is a botnet associated with the wallet.

Botnets are networks of hijacked computer devices used to carry out various scams and cyberattacks. The term “botnet” is formed from the words “robot” and “network.” … The bots serve as a tool to automate mass attacks, such as data theft, server crashing, and malware distribution.
Kaspersky

Because Bitcoin’s blockchain technology is public by design, transactions between wallets, and wallet addresses, are publicly visible. Many websites now include donation wallet addresses at the bottom of their webpages. These wallets presumably can be attributed to the admins of their particular site. By the same token, it is possible to warn other users of a wallet address tied to criminal activity. For example, if a ransomware attacker requests a ransom be paid to a specific wallet address, that address information can be shared with the public and law enforcement.

By simply using Google to search the address “1KxCvtggcPd7c9UtUxYkJW2AwCQMknJkth” we very quickly find a few articles surrounding the Necurs botnet. According to the articles, the wallet address was one of 500 wallets the botnet used in a massive phishing scheme.
Article 1
Article 2
3. Necurs botnet

The last resource I wanted to highlight is Bitcoinabuse.com. This looks like a very useful public tool, and revealed interesting results about the challenge wallet address.

Part 2 — Blockchain Bookmarklet

As a student of OSINT methods and practitioners, I recently learned about the efficiency of bookmarklets. Basically, a bookmarklet is a piece of custom JavaScript code that you can execute from a browser bookmark. Part one and part two of @sinwindie’s tutorial on creating bookmarklets helped me understand that I need them in my OSINT life. It is a must-read if you are looking to step up your OSINT tactics.

So, given the crypto links discussed above (and my previous lack of crypto investigating “go-to’s”), I created a bookmarklet to query several of the sites simultaneously. You can use it by copying the JavaScript code below, and pasting it into the “URL” box of a newly created, blank bookmark. Save the bookmark and execute. You will likely need to give the browser permission to open 9 new tabs. These tabs will load the results automatically.
I hope you find it useful!
Until next time…

javascript:(function()%7Bjavascript%3Avar%20input%20%3D%20prompt(%22Crypto%20Wallet%20Address%3A%20%22)%3Bvar%20blockchain1%20%3D%20%22https%3A%2F%2Fwww.blockchain.com%2Fsearch%3Fsearch%3D%22%20%2B%20input%3Bvar%20walletexplorer%20%3D%20%22https%3A%2F%2Fwww.walletexplorer.com%2Faddress%2F%22%20%2B%20input%3Bvar%20blockcypher1%3D%20%20%22https%3A%2F%2Fapi.blockcypher.com%2Fv1%2Fbtc%2Fmain%2Faddrs%2F%22%20%2B%20input%3Bvar%20bitcoinabuse%20%3D%20%20%22https%3A%2F%2Fwww.bitcoinabuse.com%2Freports%2F%22%20%2B%20input%3Bvar%20bitcoinwhoswho%20%3D%20%20%22https%3A%2F%2Fbitcoinwhoswho.com%2Faddress%2F%22%20%2B%20input%3Bvar%20bitref%20%3D%20%20%22https%3A%2F%2Fbitref.com%2F%22%20%2B%20input%3Bvar%20blockonomics%20%3D%20%20%22https%3A%2F%2Fwww.blockonomics.co%2F%23%2Fsearch%3Fq%3D%22%20%2B%20input%3Bvar%20learnmeabitcoin%20%3D%20%20%22https%3A%2F%2Flearnmeabitcoin.com%2Fexplorer%2Faddress%2F%22%20%2B%20input%3Bvar%20googl%20%3D%20'https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3D'%3Bblockchain1Function()%3BwalletexplorerFunction()%3Bblockcypher1Function()%3BbitcoinabuseFunction()%3BbitcoinwhoswhoFunction()%3BbitrefFunction()%3BblockonomicsFunction()%3BlearnmeabitcoinFunction()%3BgooglFunction()%3Bfunction%20googlFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(googl%20%2B%20'%22'%20%2B%20input%20%2B%20'%22')%3B%20%7D%2C%201000)%3B%20%7Dfunction%20blockchain1Function()%20%7B%20%20setTimeout(function()%7B%20window.open(blockchain1%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20walletexplorerFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(walletexplorer%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20blockcypher1Function()%20%7B%20%20setTimeout(function()%7B%20window.open(blockcypher1%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20bitcoinabuseFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(bitcoinabuse%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20bitcoinwhoswhoFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(bitcoinwhoswho%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20bitrefFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(bitref%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20blockonomicsFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(blockonomics%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7Dfunction%20learnmeabitcoinFunction()%20%7B%20%20setTimeout(function()%7B%20window.open(learnmeabitcoin%2C%20%22_blank%22)%3B%20%7D%2C%201000)%3B%20%7D%7D)()
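
A readable equivalent of the bookmarklet, written as an added example rather than the author's code, that checks the prompt input looks like a Bitcoin address before sending it to nine third-party sites and URL-encodes it when building each link. The URL prefixes are the ones in the bookmarklet above; the function names (`classifyBtcAddress`, `buildLookupUrls`, `runLookup`) are hypothetical, and the check covers address format only, not the checksum.

```javascript
// Added example: readable, input-validating equivalent of the bookmarklet.
// URL prefixes come from the original bookmarklet; function names are made up here.
const LOOKUP_PREFIXES = [
  "https://www.blockchain.com/search?search=",
  "https://www.walletexplorer.com/address/",
  "https://api.blockcypher.com/v1/btc/main/addrs/",
  "https://www.bitcoinabuse.com/reports/",
  "https://bitcoinwhoswho.com/address/",
  "https://bitref.com/",
  "https://www.blockonomics.co/#/search?q=",
  "https://learnmeabitcoin.com/explorer/address/",
];
const GOOGLE_PREFIX = "https://www.google.com/search?q=";

// Format check only (prefix, alphabet, length); the Base58Check/Bech32
// checksum is NOT verified, so a mistyped character can still pass.
function classifyBtcAddress(raw) {
  const addr = String(raw == null ? "" : raw).trim();
  // Base58 has no 0, O, I or l; legacy addresses are 26-35 characters.
  if (/^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/.test(addr)) {
    return addr[0] === "1" ? "P2PKH" : "P2SH";
  }
  // Lowercase Bech32 mainnet: "bc1" then characters from the Bech32 set.
  if (/^bc1[02-9ac-hj-np-z]{11,71}$/.test(addr)) return "Bech32";
  return null;
}

function buildLookupUrls(raw) {
  // Cancelled prompt, typo or another coin's address: open nothing.
  if (classifyBtcAddress(raw) === null) return [];
  const addr = String(raw).trim();
  const urls = LOOKUP_PREFIXES.map((p) => p + encodeURIComponent(addr));
  urls.push(GOOGLE_PREFIX + encodeURIComponent('"' + addr + '"'));
  return urls;
}

// Browser-only entry point; does nothing outside a browser.
function runLookup() {
  if (typeof window === "undefined") return 0;
  const urls = buildLookupUrls(window.prompt("Crypto Wallet Address: "));
  // noopener keeps the opened sites from reaching back via window.opener.
  urls.forEach((u) => window.open(u, "_blank", "noopener"));
  return urls.length;
}
```
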
