WHAT HAPPENED?

The purpose of this document is to help us better understand who was behind the coordinated attacks on Excoin in January and February 2015. We have reason to believe this person/group still poses a threat to the Blackcoin community as a whole and we wish to prevent such attacks in the future. I will reference a lot of different material to help us infer who might be responsible. These documents are attached or linked to in the post. Please comment if you find certain elements to be misleading or if you wish to state additional information. The text will be edited accordingly.

I will hand over control of this document to a community leader who wishes to handle the investigation. Every detail mentioned here must be independently verified by the community so we can move forward in an orderly manner. I do not wish to play the role of moderator in this discussion. We are asking the community to fill in the blanks and help us locate those responsible.

Relevant documents:

- login-times-ambiorx.txt
  This document contains timestamps (UTC) from our server when ambiorx logged onto exco.in.
- zeded-excoin-irc-log.txt
- syllabear-excoin-irc-log.txt
  Provided to us by freenode user Zeded is a log that goes back to December (many thanks! I banned him at the end of the log by accident, sorry!). The timezone used is unclear but is likely to be easily determined with help from the second log. Syllabear has a more detailed log (thank you for your help, as well) in the AEST timezone, and this goes back to January 19th.
- blackcoin-irc-log.txt
  This channel log was provided to me by #Blackcoin chanop Seopkip via Gritt-N-Auld. Thank you both. This log goes back to March 2014.
- insite-chat-logs.txt
  These are logs from the web chat I found archived on Google, from January 24 to Feb 09. I will inquire if obtaining a full log from the server is a possibility.
Also referenced:

- http://otc.evilbs.com/
  This site archives IRC nicks and IPs on relevant channels, useful for connecting shared accounts.

Basic facts:

Username: ambiorx
Email: exco@comtecservices.be (feel free to write them a lovely message)

IP addresses used on Excoin:
141.101.105.65
141.134.108.38
62.210.170.27
171.25.193.20
194.150.168.95
82.116.120.3

Identified DDoS IP addresses:
104.131.204.15
104.131.213.10
104.154.38.52
107.170.150.138
130.211.185.192
146.148.40.57
172.245.55.112
184.172.15.235
50.97.173.18
5.255.253.51
66.249.69.136
66.249.69.88
66.249.75.104
66.249.75.184
66.249.75.216
66.249.75.88
66.249.79.111
66.249.79.119
66.249.79.127
66.249.79.135
66.249.79.4
66.249.79.95

IRC records:
ambiorx (8d866c26@gateway/web/freenode/ip.141.134.108.38)

The first recorded data we have of ambiorx begins on January 14th with account creation on the server.
IP: 141.134.108.38
Wed, 14 Jan 2015 22:40:59 UTC +00:00

Their first IRC presence begins ten days later, on January 24th.

Saturday, January 24th, 2015 ~ 9:09 AM
5:49 PM Hello
5:50 PM someone from excoin here?
5:50 PM support?

Their first webchat presence begins (as far as our logs can tell) on February 1st.

ambiorx 2015-02-01 04:07:45 UTC admin here?
ambiorx 2015-02-01 04:08:56 UTC got a deposit that's not credited to my Excoin balance...
ambiorx 2015-02-01 04:17:06 UTC And just created a ticket FYI

Starting with the logs in December you will notice anonymous connections from tor, with nicks lurking in our channel. Normally this is not cause for suspicion, but the pattern of these handles is troubling, and they permanently parted from the channel once ambiorx completed their attack.
The suspected handles: coinbird, arrakian, scytale, facedancer

SyllaBear's #Excoin log, January 21 (note the times)

08:51 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has quit [Write error: Connection reset by peer]
08:51 |-| scytale [~scytale@gateway/tor-sasl/scytale] has quit [Read error: Connection reset by peer]

23rd

00:34 |-| facedancer [~arrakian@gateway/tor-sasl/arrakian] has joined #excoin
00:35 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has quit [Ping timeout: 250 seconds]
00:35 |-| scytale [~scytale@gateway/tor-sasl/scytale] has quit [Ping timeout: 250 seconds]

4th (Gritt and Syllabear were edited out of this excerpt)

09:31 |-| ambiorx [8d866c26@gateway/web/freenode/ip.141.134.108.38] has joined #excoin
09:31 < ambiorx> Excoin is offline?!
09:32 < ambiorx> blackwavelabs as well
09:34 < ambiorx> arturo you know more about this?
09:34 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has joined #excoin

Last sign of ambiorx – Feb 8th

12:08 |-| ambiorx [8d866c26@gateway/web/freenode/ip.141.134.108.38] has quit [Client Quit]
12:08 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has quit [Quit: Leaving]

The tor connection

What is the significance of these sign-ins/outs? It seems likely that these were nicks designed to monitor rooms and keep their own personal logs. These handles were not just in #excoin, but also in #blackcoin, and can be found lurking in other crypto channels such as #viacoin, #stellar and #cann. Ambiorx makes no appearance in #blackcoin, but arrakian's name appears in the channel over 2,000 times. Unless I missed something, they have never said a word except to collect rain. Same for scytale, though their name appears less, ~700 times.

Many of these nicks/bots use names that originate from the novel and film Dune. The #blackcoin log mentions on Nov. 27th:

[20:40] * arrakian is now known as hayt

otc.evilbs.com links hayt with jacarutu: http://otc.evilbs.com/?hayt&tz=America/Los_Angeles&l=100

Jacarutu shares a name with this blackcoin twitter: https://twitter.com/jacarutu (NOT CONFIRMED)

Many of those handles also trace back to a 'milbot' – which was created by Sevith: https://twitter.com/xSevithx (NOT CONFIRMED)

I have compiled a list of suspicious nicks that I have linked with otc.evilbs.com and our DDoS IPs. I apologize if a few of these are incorrect and I encourage you to prove me wrong:

muddo
bloodshoteyes
finiternity
Valexus
whywefight
rake_boss
koreandog
cryptovexed
marc_ffmz
AstralF0x
shovel_boss
lenar
mortale
_wewincoins-com
PCFiL
Wenter
perrier
Argamas
vlurk
kalisto
yescrypto

Traces of Ambiorx

So what happens when you search for Ambiorx? Well, it's a misspelling of a Belgian leader, for one. And the main IP originates from Belgium, so that may be a nice red herring or laziness. The e-mail address they used was a very selective one. I can find no useful information on that domain.

Sites where ambiorx has appeared recently:

- http://otc.evilbs.com/?Ambiorx
- https://xrptalk.org/topic/4271-cryptsy-not-accounting-for-lost-xrp/
- https://bitcointa.lk/threads/ann-pmtocoins-com-new-exchange-trading-helixcoin.252816/page-11
- http://myr.nonce-pool.com/index.php?page=statistics&action=blocks&height=113214&prev=1
- https://www2.coinmine.pl/drk/index.php?page=statistics&action=blocks&height=23406&next=1
- http://steamcommunity.com/profiles/76561197997458320 (NOT CONFIRMED)
  This includes a full name and city. I stress this may not be related.
- http://www.swtor.com/community/member.php?u=356263 (NOT CONFIRMED)
  You must be registered to view the details of this. It's from 2012. A place of work is mentioned, but this account is not confirmed to be related yet.
An excerpt:

“About Ambiorx
Biography: I'm a social guy who likes to play mmorpg's, my first was Star Wars Galaxies (still miss)
Location: near Antwerp, Belgium
Interests: Star Wars, scuba diving, Motogp and last but not least: my wife and kids!!
Occupation: ---removed until confirmation---”

Where we go from here?

We have a list of IPs, suspicious nicks, and a possible lead in Belgium, but otherwise very little is known. I encourage others to comb through the logs and help shed some more light on all these nicks populating IRC. The attack on Excoin was no doubt the work of a botnet, and if we can confirm a connection between them then Blackcoin needs to be protected and freenode needs to be informed of all these bogus accounts. We greatly appreciate your assistance.

-Arturo
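Editor's note: the following is an added example, not part of Arturo's post and not code from Excoin. The post's inference rests on two kinds of evidence: join/quit lines that line up in time across nicks (ambiorx with arrakian, arrakian with scytale), and a list of addresses labelled as DDoS sources. Both are the kind of thing a community member was asked to verify independently, so this script does the two checks in a reproducible way. The first part parses log lines in the SyllaBear format quoted above, keys each event by ident@host rather than nick (which is why facedancer, connecting as ~arrakian@gateway/tor-sasl/arrakian, collapses into the arrakian identity), and counts how often two identities produced the same kind of event within a window; the 5-minute window is an assumption, and the sample log is constructed from the quoted excerpts with a date column added, which the original single-day excerpts only carry in their day headers. The second part labels candidate IPs against two published infrastructure ranges: 66.249.64.0/19 is Google's crawler (Googlebot) space, and every 66.249.x address in the DDoS list above falls inside it; 141.101.64.0/18 is Cloudflare edge space, so if exco.in sat behind Cloudflare, the 141.101.105.65 entry in the Excoin login list is the proxy and not the visitor.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample in the style of the SyllaBear excerpts quoted in the post.
# The original lines carry only HH:MM under a day header; this sample carries an
# explicit date column instead (an assumption, not the original format).
SAMPLE_LOG = """\
2015-01-21 08:51 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has quit [Write error: Connection reset by peer]
2015-01-21 08:51 |-| scytale [~scytale@gateway/tor-sasl/scytale] has quit [Read error: Connection reset by peer]
2015-01-23 00:34 |-| facedancer [~arrakian@gateway/tor-sasl/arrakian] has joined #excoin
2015-01-23 00:35 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has quit [Ping timeout: 250 seconds]
2015-01-23 00:35 |-| scytale [~scytale@gateway/tor-sasl/scytale] has quit [Ping timeout: 250 seconds]
2015-02-04 09:31 |-| ambiorx [8d866c26@gateway/web/freenode/ip.141.134.108.38] has joined #excoin
2015-02-04 09:31 < ambiorx> Excoin is offline?!
2015-02-04 09:34 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has joined #excoin
2015-02-08 12:08 |-| ambiorx [8d866c26@gateway/web/freenode/ip.141.134.108.38] has quit [Client Quit]
2015-02-08 12:08 |-| arrakian [~arrakian@gateway/tor-sasl/arrakian] has quit [Quit: Leaving]
"""

EVENT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) \|-\| "
    r"(?P<nick>\S+) \[(?P<ident>[^@\]]+)@(?P<host>[^\]]+)\] has (?P<kind>joined|quit)"
)


def parse_events(log_text):
    """Return (timestamp, identity, nick, kind) for every join/quit line.

    Identity is ident@host, not the nick, so a nick change on the same
    connection (facedancer using ~arrakian@... above) stays one actor.
    All lines must come from ONE log: never mix logs whose timezones have
    not been normalised first (the post notes Zeded's timezone is unknown)."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # chat lines and other noise carry no session event
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        events.append((ts, f"{m['ident']}@{m['host']}", m["nick"], m["kind"]))
    return events


def correlated_pairs(events, window=timedelta(minutes=5)):
    """For each pair of identities, count events of one identity that have a
    same-kind event (join with join, quit with quit) of the other within
    `window`. Pairs with no such events are left out of the result."""
    by_identity = defaultdict(list)
    for ts, identity, _nick, kind in events:
        by_identity[identity].append((ts, kind))
    counts = {}
    for a, b in combinations(sorted(by_identity), 2):
        hits = sum(
            1
            for ts_a, kind_a in by_identity[a]
            if any(kind_b == kind_a and abs(ts_a - ts_b) <= window
                   for ts_b, kind_b in by_identity[b])
        )
        if hits:
            counts[(a, b)] = hits
    return counts


# Published infrastructure ranges an attack-source list must be screened
# against before any address is treated as an attacker's own machine.
INFRASTRUCTURE_NETS = {
    ipaddress.ip_network("66.249.64.0/19"): "Google crawler (Googlebot) range",
    ipaddress.ip_network("141.101.64.0/18"): "Cloudflare edge range (proxy, not the client)",
}


def label_infrastructure_ips(addresses):
    """Map each address to the infrastructure range it falls in, or None when
    no known range matches and the address still deserves investigation."""
    labels = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        labels[addr] = next(
            (label for net, label in INFRASTRUCTURE_NETS.items() if ip in net), None
        )
    return labels


if __name__ == "__main__":
    for pair, n in sorted(correlated_pairs(parse_events(SAMPLE_LOG)).items()):
        print(f"{n} co-timed events: {pair[0]}  <->  {pair[1]}")
    for addr, label in label_infrastructure_ips(
        ["66.249.79.4", "141.101.105.65", "104.131.204.15"]
    ).items():
        print(f"{addr}: {label or 'no known infrastructure range, investigate'}")
```

Two caveats on reading the output. Co-timed quits are weak evidence on their own: the January 21 and 23 lines show arrakian and scytale dropping in the same minute with "Connection reset" and "Ping timeout" reasons, which fits one client behind one Tor circuit but fits a hiccup at the shared tor-sasl gateway equally well, so a pair only becomes interesting when the count keeps rising across unrelated days and includes joins as well as quits. And the range table is only a first screen: the authoritative Googlebot check is a reverse DNS lookup that resolves to googlebot.com followed by a forward lookup that returns the same address, which this offline script does not perform.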