In the span of two weeks, Nikulin handled $1 million

Oct 25, 2016 02:00 GMT

Yevgeniy Nikulin, the Russian national that was recently arrested in the Czech Republic for hacking Dropbox, Formspring, and LinkedIn, might have also stolen around $400,000 from Bitcoin exchange BitMarket.eu, according to new evidence discovered by Microsoft security researcher Tal Be'ery.

BitMarket.eu was a short-lived Bitcoin exchange run by two Polish developers named Maciej Trębacz (M4v3R) and Paweł Makulski (Makhul) between 2011 and late 2013.

During its lifetime, BitMarket users didn't have the smoothest ride. The exchange had been at the center of several hacks, and towards the end, the site was asking for donations to keep the service alive, according to this Reddit post, and was also having problems refunding users who had lost funds in previous incidents.

BitMarket.eu was hacked several times

The most infamous incident took place in 2012, when Trębacz announced that BitMarket had lost 18,787.72139217 BTC, which is around $12.2 million in today's money.

As Trębacz explained in a BitcoinTalk forum post, BitMarket wasn't to blame for this incident. He says he decided to set up a Bitcoin hedge fund, very popular at the time, and chose to do so through Bitcoinica, a service for quick Bitcoin financial investments.

Unfortunately, Bitcoinica itself got hacked in May 2012, losing all of BitMarket's funds along the way, most of which Trębacz couldn't recover or refund.

Nikulin appears to have stolen $400,000 from BitMarket

Three months after BitMarket users heard from Trębacz that they'd lost some of their Bitcoin hedge fund investments, Trębacz was notifying them of another hack.

This time around the attacker only stole 620 BTC, which is around $400,000 in today's money.

In another BitcoinTalk forum post, Trębacz reveals the details of his investigation. He says that on February 14, 2013, the attacker used an SQL injection to gain access to BitMarket's servers after registering on the exchange.

Trębacz also explains that the attacker registered on the site with the username chinabig01 and the email address [email protected]. chinabig01 is one of the usernames listed in the official DoJ indictment against Nikulin for the LinkedIn and Dropbox breaches (page 4, here).

Nikulin then used his access to the site's database to assign a new Bitcoin balance to his account. After this, he used the site's regular user dashboard to send 1 BTC, then 9 BTC, then 55 BTC, and later 554 BTC to this Bitcoin address.

BitMarket heist as Bitcoin transactions

This same address also received a later transaction of 912 BTC ($592,000) on March 2, 2013. The source of this transaction is unknown at the time of writing, and the large amount suggests another hack. This also means that in the span of two weeks, Nikulin had handled nearly $1 million, which he transferred to several other Bitcoin accounts.

Nikulin's extravagant lifestyle has been documented in Radio Free Europe and AutoRambler editorials, so these findings might explain how he managed to own a large number of expensive cars, such as a Lamborghini Huracan, a Bentley, a Continental GT, and a Mercedes-Benz G-Class.

Nikulin exhibits poor OpSec

The DoJ indictment also reveals that the hacker was selling the FormSpring data for only €5,500, so it appears that most of his funds came from activities other than hacking Silicon Valley elites.

The BitMarket hack also took place after the Dropbox, FormSpring, and LinkedIn hacks, which happened between March and July 2012.

Trębacz's investigation reveals poor OpSec (Operational Security), with Nikulin leaving a trace of his real IP address and using usernames and email addresses tied to his real-life profiles.

  The IP address 178.177.206.245 was used throughout the hack, and wasn't used on the site before. It does not look like a proxy server, and the address comes from Moscow, Russia.  

  If you google this email address, you will notice that it's not a disposable address. It was used as early as 2009 on various sites (even one Bitcoin site - forbitcoin.com). Also, the username he chose is the same as on those sites. And the password seems to be his username (I don't store sent passwords in server logs, but for critical situations like this I leave the first and last letter to prove that someone used a legitimate password for the owner. I know it lowers the password entropy, but if you use a long password, as you should, it doesn't matter).  
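The two signals Trębacz relied on, a stored balance that no deposit ever backed and withdrawals coming from an address the account had never used, are both things an exchange can check automatically. The following is an added example, not BitMarket's code or schema: it builds a small SQLite database with constructed sample records (the names, IP addresses and amounts are invented), keeps all balances in integer satoshis, reads accounts only through parameterized queries so user-supplied strings are bound as values rather than parsed as SQL, and then runs two defender-side checks: a ledger reconciliation that flags any account whose stored balance is not the sum of its ledger entries, and a replay of the event log that flags withdrawals made from an IP first seen in the current session.

```python
"""Reconciliation and new-IP checks for an exchange ledger (added example).

Assumptions: the schema and every record below are constructed for this
example; they are not BitMarket's. Amounts are integer satoshis so that
sums are exact and never subject to floating-point rounding.
"""
import sqlite3

SATS = 100_000_000  # satoshis per BTC

# Constructed sample data. "mallory" plays the account whose balance was
# credited directly in the database (620 BTC) and then drained through the
# normal dashboard (1 + 9 + 55 + 554 BTC), leaving 1 BTC stored.
USERS = [  # (name, stored balance in satoshis)
    ("alice", 100 * SATS),
    ("bob", 12 * SATS + SATS // 2),
    ("mallory", 1 * SATS),
]
LEDGER = [  # (user, amount in satoshis); deposits positive, withdrawals negative
    ("alice", 100 * SATS),
    ("bob", 20 * SATS), ("bob", -7 * SATS - SATS // 2),
    ("mallory", SATS // 2),          # the only deposit that really happened
    ("mallory", -1 * SATS), ("mallory", -9 * SATS),
    ("mallory", -55 * SATS), ("mallory", -554 * SATS),
]
EVENTS = [  # (user, ip, action) in chronological order; IPs are documentation ranges
    ("alice", "198.51.100.10", "login"),
    ("alice", "198.51.100.10", "login"),     # returns from her usual address
    ("alice", "198.51.100.10", "withdraw"),
    ("mallory", "192.0.2.7", "login"),
    ("mallory", "203.0.113.99", "login"),    # address never used by this account
    ("mallory", "203.0.113.99", "withdraw"), # withdrawal in that same session
]


def build_db():
    """Create an in-memory database and load the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, balance_sats INTEGER NOT NULL);
        CREATE TABLE ledger(id INTEGER PRIMARY KEY, user TEXT NOT NULL,
                            amount_sats INTEGER NOT NULL);
        CREATE TABLE events(id INTEGER PRIMARY KEY, user TEXT NOT NULL,
                            ip TEXT NOT NULL, action TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO ledger(user, amount_sats) VALUES (?, ?)", LEDGER)
    conn.executemany("INSERT INTO events(user, ip, action) VALUES (?, ?, ?)", EVENTS)
    conn.commit()
    return conn


def lookup_balance(conn, username):
    """Parameterized lookup: the driver binds `username` as a value, so quotes
    or SQL keywords inside it are matched literally, never executed."""
    row = conn.execute("SELECT balance_sats FROM users WHERE name = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def balance_mismatches(conn):
    """Accounts whose stored balance is not the sum of their ledger entries.
    A balance written straight into `users` with no ledger entry shows up here."""
    rows = conn.execute("""
        SELECT u.name, u.balance_sats, COALESCE(SUM(l.amount_sats), 0)
        FROM users u LEFT JOIN ledger l ON l.user = u.name
        GROUP BY u.name ORDER BY u.name
    """).fetchall()
    return [(name, stored, derived) for name, stored, derived in rows
            if stored != derived]


def withdrawals_from_new_ips(conn):
    """Withdrawals made from an IP the account had never used before the
    session they occur in. Each login starts a session; an IP first seen at
    that login counts as 'new' until the account's next login."""
    history = {}  # user -> IPs used in earlier sessions
    new_ips = {}  # user -> IPs first seen in the current session
    flagged = []
    query = "SELECT user, ip, action FROM events ORDER BY id"
    for user, ip, action in conn.execute(query):
        if action == "login":
            history.setdefault(user, set()).update(new_ips.get(user, set()))
            new_ips[user] = {ip} if ip not in history[user] else set()
        elif action == "withdraw" and ip in new_ips.get(user, set()):
            flagged.append((user, ip))
    return flagged


if __name__ == "__main__":
    db = build_db()
    print("balance mismatches:", balance_mismatches(db))
    print("withdrawals from new IPs:", withdrawals_from_new_ips(db))
```

Run as a script, the reconciliation reports only mallory (stored 1 BTC against a ledger that nets to -618.5 BTC), and the session replay flags only mallory's withdrawal from 203.0.113.99; alice's withdrawal from an address she has logged in from before is left alone. Both checks are cheap enough to run on every withdrawal request, which is the moment a balance that no deposit ever backed becomes a loss.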

This makes you wonder if he made the same mistakes when hacking Dropbox and LinkedIn, and if true, why it took these companies so much time to discover him.

As for BitMarket users, the sad news is that not all users received their funds back. There are numerous angry complaints, and as Trębacz shut down BitMarket and joined Bitalo as a developer, users kept hounding him for their money.

Softpedia has reached out to Maciej Trębacz for additional comments but had not received an answer prior to publication.
