Security researchers at Securelist have found that the data “stolen” from Mark Karpeles’ computer actually contained a BTC-stealing Trojan that masqueraded as a back-end app for managing Mt.Gox trades. The app searched user directories for Bitcoin -related files – wallet.dat and bitcoin.conf – and uploaded them to a server that is now defunct.
The app apparently ran on OS X and Windows.
The files appeared after Mark Karpeles’ website was hacked by unknown assailants. The documents contained mostly public information regarding Mt.Gox and the aforementioned payload.
Writes Kaspersky’s Sergey Lozhkin:
The malware creates and executes the TibanneSocket.exe binary and searches for the files bitcoin.conf and wallet.dat – the latter is a critical data file for a Bitcoin crypto-currency user: if it is kept unencrypted and is stolen, cybercriminals will gain access to all Bitcoins the user has in his possession for that specific account.
In short, delete that payload if you’ve downloaded it.
Illustration by Bryce Durbin