Bitcoin Wallets: The Marketplace of Stolen Wallets

Bitcoin Wallets –  Swascan’s Cyber Threat Intelligence Team has identified – through OSINT and CLOSINT research – the most popular repositories for the illegal trade in wallet.dat files, gathering evidence that this activity is still widespread and very active, even outside the Dark Web.

Bitcoin wallets: why .dat files?

To trade in Bitcoin, a potential investor has to establish a digital wallet. A Bitcoin wallet is analogous to a physical wallet. However, instead of storing the physical currency, the wallet stores relevant information such as the secure private key used to access Bitcoin addresses and perform transactions.

Technically, when we buy such a cryptocurrency and transfer it into our wallet, the original Bitcoin client stores the private key information in a file called wallet.dat.

The wallet.dat file contains our private keys, public keys, scripts (which correspond to addresses), key metadata and transactions relating to our wallet.

There are various types of Bitcoin wallets: desktop, mobile, web and hardware.

Bitcoin wallets: The illigal trade in .dat files

All these types of wallets have one thing in common, therefore: they store .dat files, the passkey to access Bitcoins.

Obviously, the incredible attention and – above all – the incredible value of bitcoin has attracted a large number of criminal hackers and aggressive ‘scammers’ trying to get their hands on bitcoin wallets.

There are two ways in which criminal hackers manage to get their hands on these files: through the use of Botnets – in particular those carrying the Azorult malware – or simply by buying from various file databases that have already been stolen in the past.

Through an OSINT analysis, Swascan was able to collect a lot of evidence of forums and sites where this trade takes place.

Portafogli Bitcoin

Portafogli Bitcoin

In this post, for example, the user sponsors a “collection” of stolen wallet.dat, on sale for 0.00147174 BTC or about 70 euros.

But there are also those who go further, selling wallets containing large sums of Bitcoin, thereby raising the price of the stolen ‘goods’.

Portafogli Bitcoin
Some wallets date back as far as 2010-2011. A “collection” known as Satoshi’s Treasure or even more commonly as Satoshi’s Box. It dates back to a time when Bitcoin cost nothing and you could mine it for free on your laptop.

The latter case is even more refined as a method of illegal trade, fully equipped with guides and how-tos, as well as warnings – ironically – on how to avoid being scammed!

Portafogli Bitcoin

Of course, the process is not that simple; criminal hackers are selling encrypted archives anyway, which are almost useless if you are unable to extract the stolen .dat files.

And here is the second stage of hacking stolen wallets: decryption.

Once the scammers get hold of the .dat files, they have to go in search of specialised decryptors capable of ‘opening’ these wallets. By doing a simple search on the ever-popular GitHub, we were able to isolate some (obviously dated) examples of such software.

Portafogli Bitcoin

Called Brute Force wallet, the programme promises to:

The purpose of this program is to try to find the password of an encrypted Peercoin (or Bitcoin, Litecoin, etc…) wallet file (i.e. wallet.dat).

It can be used in two ways:

  • try all the possible passwords given a charset
  • try all the passwords in a file

There is a command line option to specify the number of threads to use.

Sending a USR1 signal to a running bruteforce-wallet process makes it print progress and continue.

Another similar tool we have tracked down is Walletool.

Portafogli Bitcoin

This simply states that it is able to:

Extracting private keys from Bitcoin-QT/Litecoin-QT wallets

  • Have your wallet.dat handy.
  • For Bitcoin, run python -d wallet.dat -v 0
  • For Litecoin, run python -d wallet.dat -v 48

A list of addresses / private keys is printed.

Alongside the newfound boom in Bitcoin and on the wings of the enthusiasm typical of the initiatives created by Elon Musk – promoter of the latest surge in value, we can nevertheless note that the Cyber Crime market linked to the illegal trade in stolen Bitcoins is still strong and more dangerous than ever.

Security Advisory: Libnmap <= 0.7.2
BitLocker Ransomware : malware analysis

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.