Millions of malicious Internet-wide scanning are happening on a daily basis, looking for exposed sensitive files on insecure Internet-facing servers. Corporate info, sensitive data, or personal files are always the popular juicy targets. What if we can easily craft a 'tailor-made' deceptive file, let it get stolen on the Internet and notify us with the 'thief' information? In this session, we will showcase a 90-days interesting real-world use case, by spreading '$100,000 worth' Bitcoin wallets on the Internet with different means selectively. These wallets were embedded in 'tailor-made' archive file, with custom alerting mechanisms. Surprisingly all wallets were stolen, and some of them even get stolen within minutes! We will share the technique in detail, do's and don'ts with lessons learned. We will deep dive into the interesting collected results, unexpected fruitful observations and expose the 'thief'. We will introduce 'Honeybag' - a new open source honeyfile which everyone can easily craft the deceptive archive, with tailored alerting mechanism and support for any embedded decoy documents. This will be useful in data breach detection and cyber crime investigation.

1. Who Stole My ‘$100K’ worth of Bitcoin Wallets
Catch Them All with New Deceptive Bait
Tan Kean Siong
The Honeynet Project
twitter: @gento_

6. Honeybag
A tool that helps you to create 'bait archive'
with any folders and files,
notify you if someone access it.
Useful for data breach detection, deception defense mechanism, etc.

7. How Honeybag works
1. Honeybag client
Generate ‘bait ZIP file’, with
any embedded folder /
files / doc / PDF, etc

8. How Honeybag works
1. Honeybag client
Generate ‘bait ZIP file’, with
any embedded folder /
files / doc / PDF, etc
Alerting mechanisms:
- desktop.ini
- .url

9. How Honeybag works
1. Honeybag client
Generate ‘bait ZIP file’, with
any embedded folder /
files / doc / PDF, etc
Alerting mechanisms:
- desktop.ini
- .url
2. Honeybag simple DNS server
Listening for incoming alert with DNS
traffic, sqlite3 logging
3. RESPONDER IP address
Listening on incoming alert with
SMB traffic / NTLM hashes

11. If we place
‘$100,000’ worth BTC wallets
on the Internet for 90 days
What will happen next?

12. What we have:
10 Bitcoin Wallets
- unprotected
- each contains 1 BTC Testnet
( In early 2020
Real 1 BTC = ~USD $10,000 )

13. What we have:
10 Bitcoin Wallets
- unprotected
- each contains 1 BTC Testnet
( In early 2020
Real 1 BTC = ~USD $10,000 )
Where we put it:
Open directory web servers

16. What’s happening in 90 days?
All 10 wallets (Honeybag) were stolen
9 / 10 wallets alerted us with ‘thief’ info. 1 missing
Fastest record of stolen wallet: < 1 minute (after posted on Pastebin)

17. An Unexpected Scene
Someone just ‘wipe out’ one of our BTC Testnet wallets

18. Timeline analysis - 2020-03-24
1. Web Server HTTP log

19. 2. Honeybag DNS Alert log
Timeline analysis - 2020-03-24

20. Timeline analysis - 2020-03-24
3. RESPONDER

21. Timeline overview - 2020-03-24
14:40:46 UTC - Wallet.zip was stolen from web server
14:42:27 UTC - First DNS alert,someone accessed Wallet.zip
15:01:00 UTC - SMB Alert in RESPONDER log
15:15:00 UTC - He/she ‘wipe out’ our BTC TESTNET wallet

22. Do & Don’t
● Be patient!
● Customise our own unique deceptive baits
● Put up warning message / banners
● Never underestimate the great impact of this

23. Honeybag
A tool that helps you to create 'bait archive' with
any folders and files, notify you if someone access it.
https://github.com/honeybag

24. Thank you !
CODE BLUE 2020
Tan Kean Siong
The Honeynet Project
twitter: @gento_