BTC pickpockets are back

Published: 2018-07-21. Last Updated: 2018-07-21 15:25:58 UTC
by Didier Stevens (Version: 1)
3 comment(s)

About 8 months after their first visit, my server gets another visit from the Bitcoin pickpockets.

It's another IP address this time (again an VPN exit node), but the user agent string is exactly the same:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

The requested filenames are identical, except for 4 new files/folders (3 of them highlighted in red in the picture below). The order of request is different from the first time.
It seems they made a small update to their script. The scan is much faster this time: about 4 minutes long compared to about 40 minutes the first time.

If you have observed this too or have a remark, please post a comment.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: bitcoin pickpocket
3 comment(s)

Comments


Diary Archives