Exploiting Github to Mine Crypto

3:00 You can't just validate arbitrary transactions. The point is that you can revert transactions that have already been confirmed by crypto exchanges and thus "double spend" them.

Seems self-destructive for a botnet to allow installation of malware on its computers.

The mining thing was inevitable, although I pray that they don't limit it because it's a great service when you use it legitimately

"this runs on github actions"
i saw this coming 5 months ago when setting up workflows for my github game
i easily & accidentally ran the game on the servers and had to manually terminate it, then talked to my friend about how bad that is in terms of github's VM security and could be easily exploited
(i ran lime test instead of lime build)

The GH Action vulnerability was known for years, but Microsoft had always ignored it. There was a time where attackers would create PRs to opensource projects and abuse GH actions to try and grab credentials

To be fair, they never actually said he died, only that he was no longer with them, considering he was in Amsterdam that tracks

So you're telling me that for just 10¢ i can have bonzi buddy installed on some random person's computer?

The Captcha reminds me of this one time I was creating an account for some site and could get through the captcha and realised there was a report button beside the captcha that lets you bypass it by flagging it. Made me think of ways how this could be exploited.
Edit: I think it was reCaptcha or hCaptcha, unsure

They didn't really say that he died, they just said "loss" which is kinda fair given the circumstances

"The feds accessed it" I wonder how they did that...

This channel makes me realize how big of an issue malicious hacking is

my hopium interpretation of that last malware is that someone had a few hundred dollars to burn and wanted to unplug some computers from botnets, maybe give people a hard lesson on security in the process

Imagine being infected by your own malware when you signed up to spread your malware through botnet forums.

Big oof for the Raccoon Stealer guy, almost got away with it but his girlfriend ratted him out on Instagram, guess you really can't trust anyone but yourself.

i don’t think they’re gonna launch a larger mining op for monero - i think they’re mining coins that are easier to mine that they project may increase in value. i also am not sure if they’re trying to gain control of a singular blockchain, either

I find it odd that botnet owners let others install wiper malware for only a few cents. Those machines are then no longer part of it, so one can‘t sell another install. Keyloggers or other type of info-stealers can be put onto a machine several times, so that the botnet owner also earns more. How does this make sense? Do they charge more for wipers/ransomware?

9:45 wait, so you are saying people can pay botnet operators to run an executable that warns the victims saying that their machines are infected, or to run anti-malware, or even wipe out the entire botnet by taking the victims offline?

damn, a news regarding hackers and other secret stuff!
guess who got a new sub?

Damn there's always some crazy shit every week

can someone point me to where i can find out about the >51% of mining allowing the miners to validate arbitrary transactions?

I would imagine it's called Purple Urchin because the purple sea urchin is responsible for the destruction of kelp forests in California.

For a moment i tought "But the spiffing brit does comedy, not the naughties" and then I read the name of the channel, but now I'm invested in the video so win-win for me

The takeaway here is that audio captchas are a vulnerability in their current form.

This is cool to watch, nice video!

the three coins on the 2:56 list I checked all explicitly stated that they are CPU minable. That seems to be the reason they mine them

wow... that octopart ad is very relevant to me. Wouldn't expect that with this topic of video.

Why was the racoonstealer dev extradited to the states? The US was not an involved country before that bit

Seeing the name ChingLiu gives me so much nostalgia.

Nice video, you just earned a sub

I had always guessed it was possible to mine on github actions

Holy shit. What a good material!

9:43 Can someone explain what is meant by "buying installs"

What is the website ?

Hi, I’m one of the lead developers behind the GitHub crypto test. Thank you for the video.

Heroku could have at least offered a 1 time payment tier account instead of the free tier. Hackers are detected fairly quickly and they rely on recreating new accounts to keep going. The average guy would only pay once and keep using the low tier account for years whike a hacker would have to pay on a daily basis for thousands of new accounts making the process not worth it.

Wow great video!!

I don't recall the last time I mined with actual equipment. I'll continue to use mining services and tech host farms. They are superior.

Some CPU coins are basically 1:1 in cost and reward, sometimes being a little profitable. Every $1 "earned" or so, it would realistically cost GitHub $1 if there was enough research done.

The german part of the note is also clearly google translated

Octopart sounds pretty useful. Especially the CAD models...

I feel that it would be quite easy to circumvent this through a few requirements such as having valid phone number bound to the account. Many services and even games do this already such as mw2 and overwatch 2 though it would limit a few people who don't have access to valid phone numbers it would help to keep the free service to those who really need and benefit from it still using it.

wrong tho they are speculative mining because the returns in the short term as the gpu hashrate moves around will cause many of these to increase in value in relation to the hash power. No one going to mine monero on this setup its pure spec baby!

These are "shit coins."
VERY PROFESSIONAL, MICHAEL

I think just requiring a small payment of 20 cents to unlock could resolve that issue

I'm not sure if they're using Monero Ocean or not to mine the shitcoins and get paid in monero. The coins these guys are mining I don't think are on MO, but they certainly could be since I have not checked the list in a while.

It sucks that miscreants are ruining potentially a fantastic service for hobbiest developers for their own selfish gain.

Ahh yes, notorious hacker fleeing to the Netherlands. Nice move!

Google has a free cloud shell for every google account too. I wonder if they're absuing this

5:56 they look like NPCs posed with Daz💀

Is that AWS got rid of their free tier

Hang on, is the data dumb email checker going to all the emails adresses on have I been pwned? Only because those checking may be next on the peep list.

20 years for cyber crimes? That is absolutely redic.

not only are they not getting gpu performance but they are only getting 14 gig ssd performance so they cant do much burst coin (if that is still a thing anymore)
so either they are buying a bunch of instances or they are not mining on the servers but on the user end and using the servers for the crypto equiv to a bit torrent tracker to coordinate the machines.
github can defeat purple urchin just by disabling the audio captcha.
thats what i thought they are mining severe hail intercept team coins
maybe instead of doing away with free services they could charge for crypto mining operations while giving compiling for free or make it not allowed for mining.
they could also to help make mining more difficult have intel custom design cpus that dont have the aes support or make the servers run pentium or celeron cpus witch does not support aes.

These News Vids are epic ! Keep up the Good work !

Oracle clouds services have an algorithm that detects mining and bans the account because its a violation of their aup.

can they not make passport varification if you want to sue it for free? they dont have to check most, only if the account is suspicios

You can easily automate signup with Github API, so no need for browser.

This sucks! I have used Heroku free tier for ~3 years now, hosting one of my project sites on my resume. What chance I clicked on this video to find out I have just 2 weeks to migrate to a new PaaS. Ya'll know any good alternatives out there that still offer a free tier? Github?

Thats a lot of events damn

Isn’t it a simple solution charge 1c per month for the free tier, then the task of the miner is multiplied into credit card fraud

Video created 9 days ago
This was possible more than a year ago with free cloud computing like google colab, jupyter and similar cloud notrbooks

Just wait. The dude from Racoon Stealers is gonna be released for cooperating with the NSA to bring down some crime syndicate. Chris Hemsworth will play him in the movie, there will be multiple scenes in which his oiled, toned abs are seen shirtless and he's typing away methodically. After the movie premier he will inevitably launch his own cyber security firm and sail into the sunset.

This is why GitLab runners require credit card details even in free tier.

Apple be like: We didn't give access to his apple cloud hehe😉

Never use a email that is connected to anything ever

Crypto miners ale the worst, i had free tier Oracle Cloud (which was quite good) and because of bots they started to randomly terminate accounts i cannot play Minecraft with friend bcs of that :(

They would mine $160 worth of crypto and will $500 to convert it to real money.

That's an amazing story. They could make a movie out of that one guy's life.

Proof of stake is the only way to mitigate this

Best episode

Dit is just get a fireship ad on a seytonic video?

2:43 monero is designed to be just as efficient to mine with a cpu as a gpu.

Some points:
2:16 there is no real "technical definition" (though, I think this is a joke) for coins mined with low profitability. The term "shitcoin" is relative to who is using it. Someone who is "invested" in bitcoin might consider all other cryptocurrencies a "shitcoin". Others might consider shitcoins to be coins that are essentially created to make the founders rich or those that put their efforts into enticing "investors" without actually providing any meaningful protocol features. Some people would consider every cryptocurrency a "shitcoin" for one reason or another. It's a subjective word that frankly sounds stupid.
2:23 I don't see why you would need a test for this. Monero is mined by CPUs so if the goal is to make money they would just mine monero now instead of testing it on coins that might disappear the next day. The alternative explanation of attacking these low interest coins with a 51% attack seems more likely, though also quite pointless (from a monetary perspective) as there is no way to make a large transaction on a low interest chain since the market cap (and thus underlying assets) is too low in value.
3:00 this is not true. Controlling 51% of the hashrate does not allow you to "submit arbitrary transactions" as this would imply a breaking of cryptography. Instead, this allows an attacker to "replace" the tail end of the chain with their own, longer chain, essentially voiding transactions made between. For example, an attacker decides on block 5120 that they are going to commit a 51% attack using an excess of hashrate. They silently generate proofs for empty blocks (or whatever they want included, doesn't matter much) and wait to release the chain. Then, on block 5150 or (insert number here) they release their version of the chain with more than 30 blocks, thus causing the consensus to ignore the "real" transactions between block 5120 and 5150 opting instead for the attackers chain containing nothing in-between. This basically reverses everything done between blocks 5120 and 5150 by users. However you will never be able to spend (create a cryptographic proof) for coins your wallet does not own unless the underlying cryptography scheme itself is flawed and allows you to derive private keys from public keys.

How has using github to mine crypto become illegal? That doesn’t make any sense

It's also possible for creating botnet that u can use to ddos bruh

If only bad actors learned about OPSEC... Pretty ironic

regarding the racoonstealer part: you seem to have glossed over the "the fbi accessed his iCloud account" bit. what do you mean they "accessed it"? isnt that data supposed to be encrypted? protected by apple, if not tim cook himself? dont they advertise with "your data is your data alone" for years now? what the hell happened there???

What doesn't make sense is, why not make users wait before they can USE YOUR SERVICE!

It's always a gmail account that gets them huh?

Love these man! Crazy stuff this week.

Damn they gonna ruin free features for the rest of us

This is why we can't have nice things

simply blacklist all vpn ip addresses from using the vm feature

1:16 there's no longer free tier on Heroku lol

that taiwan is china bit... was meant to throw you off. "oh it must be china" ...prolly not.

I kinda hate those guys.
How they have the brain muscle to find such ways and I don't ?!
wtf ? sucks af to get older, even that I'm not OLD, I'm no more 10 or 14

Purple Urchins are taking over the ocean floor.

Taiwan Is NOT China BTW

The 'Ransom note' is obvious Chinglish.
The whole thing is written by a native mandarin speaker, the *distinctly Chinese way* bad grammar, is a dead giveaway.

to be fair, the phrase "no longer with us" is just being misconstrued here

It amazes me how people are on top of everything, any new feature or service and they flock to abuse it 😂 i love it

How do I request the data that was stolen by Racoon Infostealer? I put in my email and it said my data is in the info law enforcement has.

i thought feds dont have access to icloud rip

How about a video on how to make your own flipper zero?

It's pretty dumb these services don't just use the Google's reCAPTCHA v2 service instead of their own captcha system, it'd be so simple to implement too.

8:58 What a hilariously obvious false flag. This had to have been done by enthusiastic non-state actors because if that was done by Russia or China, that would be embarrassing, even for their standards.

8:55 The german text is almost nonsense :D
Just translated each word to english without thinking about the grammar differences between languages

4:48 as far as i know chingliu is safe on thepiratebay

I literally had this idea, why didn’t I do it…..

It's pretty funny that this hacker managed to cheat and bribe his way all the way to Amsterdam, but he couldn't convince his girlfriend _not_ to document the trip on Instagram. I'm guessing she didn't know about his career choices, because surely no one is _this_ stupid