Coinbase Ethereum Stolen via Minecraft Mod

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Skyblock Coinbase Mash-Up

On January 15th, 2022, a 19 year old Minecraft player on the HyPixels server downloaded a malicious JAR file which was able to capture Coinbase and email account credentials. These were then used to access his Coinbase account and attempt a withdrawal. It appears that the attempt was not successful, instead resulting in the account being frozen for 2 weeks, and the funds were ultimately returned. The Minecraft items, however, were permanently lost.

The country for this case study is not yet known.[1][2][3][4]

About Skyblock

"SkyBlock is the biggest MMORPG in Minecraft." "[Late in the evening o]n the [15th] of January, 2022, a 19 year old student [who] plays HyPixel's SkyBlock" "was sent a SkyBlock mod by an old high school friend that had recently moved from the country. The friend told him that this mod is a QoL mod for SkyBlock that's definitely worth using, as it makes some aspects of the game easier, like fishing or auction flipping."

"He did not question it much, and simply downloaded the mod, dragged it into his mods folder, and logged on. He was a bit suspicious because this QoL mod changed nothing in his game, but assumed it simply isn't working or out of date. And forgot about it. He moved it from his mods folder and went to sleep."

About Coinbase

The Reality

"But, of course, this was no QoL mod. It was a virus designed to give somebody access to his entire computer." "It's common for the programmers to simply take existing mods like [SkyblockAddons] or other niche mods, and simply add their own sections of code that [perform] malicious actions when the mod is first loaded. The victim may not even know they are hacked until later on." "This community doesn't call these fake mods malware or viruses. They call them RATs, short for remote access trojan(s), as they can sometimes give a hacker full control over a victim's computer. But, mostly because it's a shorter term to use."

"[W]hat makes this different from any other virus is that it is included within a .jar file instead of a usual .exe file. Most people read everywhere online that you should not run suspicious .exe files because those can harm your PC. But what the majority of people don't know is that a JAR file is an EXE file. If you put it inside your Minecraft mods folder and press Launch, your PC runs all the code inside that file, which means the virus mod could do anything the hackers want, like take your Minecraft session ID, and in some cases, all the passwords that you've saved on Google Chrome."

"[T]he friend who sent the victim the fake mod wasn't actually hacked. Instead, he had made a deal with the programmer of the fake mod to split all the earnings he gets 50/50 with him if he helps him steal his friend's money and SkyBlock items. And sadly, that kind of operation seems to be something very common in the SkyBlock community nowadays. So, let me explain to you the structure of this entire operation."

"The whole thing works sort of like a pyramid scheme. At the very top will be a very small group of malware programmers who actually make the malicious mods that are sent out to people. Then, these malware programmers will sell their mod or agree to split profits with a larger group of people, who usually are their friends or their server admins, which I'll refer to as ring leaders."

"An interesting thing to note about the people doing all of this, especially the ones at the very top, is how things usually don't start as serious as described earlier. It's common to see people who started as low level scammers, meet other scammers, and eventually get coerced into doing bigger and bigger things, to scam more and more coins, and eventually real life money. There's almost a sense of entitlement with these people, as if they deserve to keep earning more because they are somehow better than everyone else."

What Happened

A Minecraft player downloaded a malicious JAR file and installed it as a mod for his Minecraft game. His Ethereum started to be withdrawn from his Coinbase account.

Key Event Timeline - Coinbase Ethereum Stolen via Minecraft Mod
Date Event Description
January 16th, 2022 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
July 17th, 2022 3:43:05 PM MDT YouTube Video Published HellCastle & Tylerrrr publishes a YouTube video about how on January 16, 2022, a 19-year-old student who played Hypixel Skyblock woke up to find that 22,000 of his in-game coins were missing from his virtual wallet account[5]. He realized that he had been hacked when he discovered that his valuable items were also gone. The hack was a result of downloading a mod from an old high school friend, who turned out to be involved in the scheme. The mod was actually a virus designed to give the hacker access to the victim's computer. The virus could steal session IDs, passwords, and other personal information. This type of attack is prevalent in the gaming community, with a hierarchy involving malware programmers, ring leaders, and minions who spread the malicious mods. The victims are often young and impressionable, tricked into downloading the mods and unknowingly participating in cyber crimes. The consequences can include blackmail and legal trouble. Hypixel is aware of the issue and is taking steps to combat it. To stay safe, it is recommended to only download mods from trusted sources, avoid suspicious files, and spread awareness about the dangers of malicious mods.
December 13th, 2022 12:26:21 AM MST Security Thread A HyPixels forum thread provides tips to avoid being targeted by ratting attacks, which involve compromising user accounts. The suggestions include using common sense and not clicking on suspicious links, adding a feature to lock accounts and require verification for login from different IP addresses, being cautious when adding strangers, enabling two-factor authentication (2FA), and using common sense. The thread also acknowledges that ratters are unlikely to stop their activities. Some forum members comment on the suggestions, highlighting the limitations of certain measures like passwords and 2FA. Overall, the thread aims to provide guidance on protecting accounts from ratting attacks in an online gaming context[6].

Technical Details

"In one twisted paragraph that's both a confession and a wierd flex, an individual in the hacking community wrote that readers that should 'keep in mind, I'm an international business school IRL in a highly prestigious school, so I know how to impress'. And that 'at one point my ignore list was 700 people'. 'I scammed over 600 pieces of superior' and went ahead to explain his boring empty life story filled, with his how he was able to socially engineer people and get them scammed and hacked - as if that is a good thing to be flexing about. And that studying business isn't the most generic thing possible. So, as you can tell, most of these people aren't the greatest kind of human beings."

"Sometimes, the programmers can also be their own ring leaders, but it depends case by case. Below them are a group of people who want to earn SkyBlock coins. Usually, they are the ring leaders friends or people well known in the hacking community, who will try to convince others into downloading the mods and running them. And these people I'll refer to as minions. These minions are usually impressionable and young themselves, and will send the mod to their friends or other victims to trick them into downloading it, with the promise of also taking a cut of the profits. And this is what happened in our opening story. These minions usually never interact with the programmers, and sometimes they don't even know them. So the ring leaders act as a middle man."

"Whenever a victim is tricked and they run the mod by putting it in their mods folder and starting the game, their information is sent directly to the programmer, who does basically whatever they want with whatever the mod steals. And, it can get pretty scary. This could include session IDs, all Chrome passwords and information, Discord tokens, your IP and your home address and hardware information, and could even do things like take all the screenshots and images you have stored on your computer. Or taking pictures and videos from your webcam, which gets used for blackmailing the victim. There's really no limit to what can be done here, and Windows Defender or any antivirus will never pick up on this because all of the malicious mods are totally different and aren't recognized. Some mods may even embed themselves into programs and run every single time a PC is started without the user knowing, allowing them to gather personal information or use the computer for other malicious purposes like email access to bypass 2FA in places passwords were stolen from, even after someone realizes they got hacked, and even if they removed the mod from their computer."

"Throughout the process, little cuts of stolen coins and money are given out to everyone involved, all whilst the people at the very top who are profiting the most can stay relatively free of any kind of consequences since they aren't the ones directly distributing malware to the victims. Instead, it's the impressionable minions at the very bottom of the pyramid basically committing serious cybercrimes, the kind of cyber crimes that they can face prison time for, or very steap fines if they're adults, and possibly having a criminal record from such a young age, which can ruin your life. Some people really don't know the seriousness of spreading malware that takes over entire computers and personal data, and developing it is even worse and punished harder by the law. Some of these minions may not even know the full extent of what is being stolen, and may thikg it is only SkyBlock coins."

"The minions are generally very young people, sometimes as young as 11 years old, who are both much more impressionable than older people, and much more likely to have other impressionable friends who they will send the mod to. A large pile of easy coins sounds so much more appealing to a child than an internet friend who they probably don't care that much about, or a guildmate that they'll forget about in 6 months time. Sometimes, the fake mods themselves don't even look that malicious."

"It's also very common to see people spend hours convincing potential minions that the mods they're sharing are actually legitimate, and will say things like 'You can not get hacked through a .jar file', which is obviously very false. The minions may even run the mod themselves. 'See it's safe' because the hacker purposefully doesn't instantly hack them. And then becomes convinced that it's safe to share to friends without any profit incentive at all. Furthermore, any sort of data stolen from the victims and sometimes the minions themselves can be used to blackmail them into all sorts of things, including threatening to DOX them if they don't keep spreading this malware, essentially turning a young person into a cyber-criminal."

Total Amount Lost

The total amount lost has been estimated at $22,000 USD.

Immediate Reactions

"On the 16th of January, 2022, [he] woke up to find $22,000 gone from his virtual wallet account, which was all of his savings. For the first few minutes, he was in shock and didn't know what's going on. He also noticed that other accounts of his are not working either. But when he logged onto SkyBlock and found out that all of his coins and valuable items are gone, he quickly realized what had happened to him."

Ultimate Outcome

"So what is HyPixel going to do about it? Well, we went ahead and got in contact with a couple of admins for their thoughts on it. And they were very well aware of this situation and told us that they are planning on combatting it. Which, I suppose we could see them slowly doing by hiring more game masters and by adding the new security sloth NPC to the hub that links to an article by HyPixel that tells you how to stay secure, although the information there is a bit vague in general and doesn't exactly tell you what you need to know to be able to keep using mods and staying secure. And it feels like they aren't doing this stuff fast enough. Maybe at least adding a 2FA can help a little bit."

The victim "who lost $22,000 had his CoinBase account information saved [in Google Chrome]. He was logged out of his account for the next 2 weeks." "After contacting the CoinBase employees with the help of his parents and a lawyer for two weeks, he was able to get his money refunded to him, which was 7 Ethereum or $22,000 back then. So, I suppose his story didn't end very terribly. But, his SkyBlock items and all his personal information are now forever in the hands of people who can maliciously use them in any way they want. And, that is something very dark to think of. And this is the darkest side of Minecraft's multiplayer."

Total Amount Recovered

The total amount recovered has been estimated at $22,000 USD.

Ongoing Developments


Individual Prevention Policies

Be aware that JAR files are able to execute code. Never run a JAR file from an untrusted source. The majority of funds should be stored offline.

Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.

"So, what can you do about it to keep yourself safe and others safe? Well, the easy answer is - don't install any mods. But, you can of course still install mods whilst being 100% safe. You just need to only install mods from trusted sources such as the official Discord servers or places or SkyClient or other official websites. Always check if the place is official before downloading a mod. Never downlaod mods someone sends you on Discord in DMs, even if it was your best friend. Just tell them it's nothing personal. If something sounds too good to be true, it is. Don't attempt to download macros or cheats, since those are usually filled with viruses. You will end up getting banned or hacked - no in-between, so it's not worth it. Any .exe file or a JAR file can get you hacked, so be cautious around them." "If you are suspicious about something like a mod, ask about it in public channels or ask the moderators of the SkyBlock community. The more you ask different people, the better. Just make sure you don't send the mod there. That would get you terminated. The best way to combat all of this is to spread awareness."

The amount of funds at risk can be reduced by storing most funds offline. Only bring funds to an online wallet when you are actively using them.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms can better protect their users through increased education and working together to establish an industry insurance fund.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Regulators can better protect their citizens through increased education and working together to establish an industry insurance fund.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.