Ornery_Maintenance_8 Malware Attack on Windows 7

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Reddit user Ornery_Maintenance_8 reported on the theft of thousands of dollars worth of cryptocurrencies from their Windows 7 computer. They give a surprisingly candid and humble account of all the security issues with their setup.

About Ornery_Maintenance_8

Ornery_Maintenance_8 is a well-known and active Reddit user from Austria[1] who has used the site since January 22nd, 2021[2].

He is highly active in the Monero community[3][4][5] and values privacy strongly[6].

At the time of the incident he was using an unpatched version of Windows 7 to handle many cryptocurrency transactions[7].

The Reality

As his post illustrates, security is paramount when self-custodying funds.

What Happened


Key Event Timeline - Ornery_Maintenance_8 Malware Attack on Windows 7

Date | Event | Description
October 4th, 2021 | Attack First Started | As reported, the attack first started 6 days prior to his Reddit post. Apparently, the initial attacks included the removal of all related emails from his email account[7].
October 10th, 2021 6:27:34 AM MDT | Incident Shared On Reddit | The incident is shared on Reddit[7].

Total Amount Lost

The total amount lost has been estimated at $2,000 USD.


Immediate Reactions

Ornery_Maintenance_8 posted a detailed description of what happened on Reddit[7].

Emails From Other Exchanges

Ornery_Maintenance_8 reported noticing emails from exchanges they had never used, stating that an account had been successfully verified and funded[7].

Full Descriptive Reddit Post

The incident was shared in its full glory on Reddit[7].

TL;DR: This post is meant to raise awareness and to incentivize everybody to take your online security seriously. I am a software developer and I really know how these things work. It happened to me anyway due to a mixture of laziness and arrogance I guess. Don't be like me!

First thing that caught my attention was that I received a bunch of mails from an exchange I never used before. They said that I successfully verified and funded my account. I did not pay much attention to it because I get these kinds of scams, where they pretend to be support of Paypal, Amazon or some exchange, all the time. But when I looked into it in the evening again, it started to worry me. The emails were not tagged as spam by my email provider. The sender address seemed legit and the quality of the mails was very good for being fake. So I started checking my accounts and it hit me like a stroke ...

As I found out, the attack had already started 6 days ago. They were inside all my email accounts and deleted all messages created by their activities. They were systematically taking over and draining different accounts of mine and using cracked accounts to crack others. They basically got access to everything which was not secured via a 2FA application. Accounts with no 2FA or 2FA via SMS or mail were cracked.

But how was this even possible? The answer is laziness and arrogance on my side. I was using an old Win7 installation and the whole computer was full of all kinds of trash. I always wanted to reinstall the system but never did. One day before the attack began I was too cheap to buy a partition manager for 30 bucks and used several free tools from questionable sources instead...

... Hey, I am a PRO and absolutely able to distinguish between freeware and malware ... what could possibly go wrong?

This is probably how they got in, and the old un-updated system full of security holes made it easy to exploit.

After being cheap and arrogant had infected my system with malware, laziness came into play. Of course I used the same few passwords over and over again. In the beginning, when I created most accounts, I was motivated to type the password every time. But after a while a lot of them somehow ended up being saved in my browser. For some more sensitive accounts I kept typing the password each time and not saving it, but 2FA is a real pain in the ass, so I only had it on my most important accounts ... Needless to say that my saved passwords, which included email accounts, were the perfect collection for the attacker to start with and from that it was possible to recover the rest.

Everything which was not 2FA-application secured was cracked. 2FA email of course was useless because they had my email accounts. 2FA SMS which I had in one account was cracked by adding a new phone number which of course was theirs. First they emptied browser-connected wallets like e.g. Metamask, DEXs and even the BAT from my Brave browser. Afterwards they started draining accounts like online banking, Paypal, Amazon and so on. In the end they even tried to contact support of 2FA-secured accounts and tried to remove the 2FA. Luckily, I noticed what's going on before that could happen.

My total loss is a bit more than 1k$ but I think I still got away with a blue eye. It could have been a lot worse ... The accounts protected by a 2FA application, Ledger-secured wallets and also my Monero GUI hot wallet withstood the attack. Big shoutout to the devs of those apps/devices!

Now my system is freshly set up, perfectly updated and clean. I will never install anything from questionable sources on this system. I will never save a password in my browser again. All my accounts have different passwords now. Basically all my accounts are now secured via 2FA application. This also includes my email accounts where I had neglected security so badly before. Hot wallets of mine are no longer connected to my browser via Metamask or anything and I also ordered an additional Ledger for my "less important" hot wallets ...

... I had to pay more than 1k$ to understand this necessity. Don't be like me and realize it for free.

I hope this story is an inspiration for some of you to close some holes. Enable 2FA with applications like FreeOTP, Google Authenticator or Authy. Use different passwords for different accounts. Don't save passwords in your browser. Don't leave hot wallets connected to your browser. Secure especially your email accounts properly. Update your system. Don't install trash from questionable sources.

EDIT: The ugliest thing is that feeling of paranoia which I have had since all that ... I keep checking my accounts the whole day.

Criticism For Using Windows 7

The victim was criticized prominently for using Windows 7 as their operating system[8], primarily because it is an older operating system which may not receive the same security updates as newer versions of Windows[9]. One commenter took the position that Windows 7 is a choice with less "bloat-ware" than later versions of Windows such as Windows 10 and Windows 11[10].

A debate ensued about operating systems, with multiple proponents arguing heavily for Linux as an alternative[11]. Based on the upvote ratio, the majority opinion appears to be that the community does not support the use of an old operating system. At least one user planned to give Linux another try[12].

Ultimate Outcome


Total Amount Recovered

There do not appear to have been any funds recovered in this case.


Ongoing Developments


Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
