Thoughts on APT28

Posted in pentest, Security on 2015/11/22 by mram

I just went through the slides of Stefano Maccaglia on his research on APT Group 28. APT28 is also known as ‘Sofacy’ or ‘ Sednit’ and thought to be a Russian (semi) state sponsored group.

Stefano’s sheets are good to read as a write-up of his past and still ongoing research on this topic. The sheets can be found here (note: RSA seem to have removed the sheets from their website, here is a Google cache version, of course lacking pictures I found a copy on github here).

Here are a few items I think stand out from his slides and can be usable for us red teamers / defenders:

  • Once again its spear phishing that give the attackers the initial access.
  • The first round of phishing email did not provide much success. Main reason was that outgoing data for some several compromised systems was blocked due to filtering of outgoing data. Ive been saying this for years to my clients: filtering and logging of outgoing data is just as important as incoming.
  • Its not entirely clear from the sheets but it seems that external access to email (Microsoft OWA) with some compromised accounts was possible using just username and password. Using this and due to the wonderfully AD-integrated info of OWA the attackers could do some proper internal intelligence gathering and gain info for new phishing attacks.
  • This one is important: all servers where properly patched, except one server because of some legacy reasons (don’t you just hate / love exceptions). The patch they were missing was MS14-068: a major issue for AD domains. The bigger issue here that many people forget is that domain segmentation in a larger forest does not isolate domain compromises. In this case the DCs of a sub domain lead to full forest compromise. Ouch. So much effort put into proper patching of 99,9% of the systems, and just one missing patch lead to full forest compromise.
  • The defenders made a typical defensive error upon the first recognition of the compromise: they wiped the desktops and reinstalled. Of course the attackers noticed and stayed low for a while (20 days), but still had access via other compromised systems. It was only due to an unrelated investigation that they detected another way that the attackers still had access. Take away: understand your attackers and observe their modus operandi to hit them at the right level in the pyramid of pain. Hard, but so so important.
  • Even the real bad guys just loooove mimikatz.
  • Log analyses of Windows Active Directory remains a big challenge. You need to dive into tiny details of the logs and make correlations in order to detect lateral movement and some more advanced attacks on AD. Microsoft, please give us a better way of interacting with Windows logs!
  • The attackers used Windows mailslot for communication within the network. Mailslot is a form of IPC any modern Windows versions has. Not to be confused with named pipes.
  • The APT28 tools used – although some were relatively advanced –  follow the same stages of other know malware, namely downloader, persistent access stager, internal info gathering and some modular platform for target specific functionality.
  • Stefano tries to coin the term ‘actionable IOCs’. I agree not all IOCs are that usable and I like his term.

Go read the full slide deck of you are more interested in all the details.



Persistent GNU Radio Live SDR Environment on your Mac

Posted in Notes to myself, SDR, Security on 2014/10/19 by mram

Quick manual to get the GNU Radio Live SDR Envrionment to run on your Apple Mac.

The proces is the same as using the regular unetbootin tool and the ISO image. But for your Mac it taks a few essential extra stept. I couldnt find a manual online so perhaps this is of use for someone.

  1. Format your USB stick using Disk Utility. Create one new partition, using MBR boot partition layout (check Options). Make it FAT.
  2. From command line check what volume number the stick has using ‘diskutil list’. In my example its /dev/disk2
  3. Unmount volumes: ‘diskutil unmountDisk /dev/disk2’
  4. Make the newly created aprtition active:
    1. fdisk -e /dev/disk2
    2. f 1
    3. write
    4. exit
  5. Get syslinux
  6. Write the syslinux MBR image to the stick’s MBR: ‘dd conv=notrunc bs=440 count=1 if=syslinux/bios/mbr/mbr.bin of=/dev/disk2’
  7. Get unetbootin for Mac OSX
  8. Get GNU Radio Live SDR
  9. Start unetbootin, have it write to the USB stick with input file the downloaded iso.
  10. If you want persistent enter a size for persistence storage
  11. Mount the new volume and add ‘persistent’ to the boot parameter in the boot/grub/grub.cfg config file. I also removed the quiet and splash functions for better troubleshooting
  12. Reboot holding down the option key and select the disk to boot from.
  13. Profit.

WiFi Pineapple and Mac OS X Internet Sharing

Posted in Notes to myself, pentest, Security on 2014/10/03 by mram

Important: this approach does not seem to work since Mac OS X 10.10 Yosemite.

This one is for you Mac users out there that want to share your Mac’s WiFi internet connection via the LAN cable to the WiFi Pineapple. Using the out of the box Internet sharing option of your Mac doesn’t work with the WiFi Pineapple. I had experienced it again, but never gave it any good look and switched to Linux. Today I it frustrated me and I looked into it.

The problem with the setup is twofold: 1) The Pineapple expects the subnet, while OS X uses when enabling internet sharing, and 2) the Pineapple expects the default gateway on which is not a very logical address for a gateway. Now, we could change all these settings on the Pineapple to match the Mac’s. But sometimes your situation may require different. I couldn’t find any manual on the internet. So here are the steps you need to do:

  1. Disconnect cables from Mac’s LAN to Pineapple.
  2. On the Mac go to Internet Sharing and share your WiFi adapter to the LAN interfaces. Once enabled, disable it again and close the System Preference program. We need this step to write a default config file that we can alter.
  3. The config file that we need to alter is /Library/Preferences/SystemConfiguration/ We need to add an option “SharingNetworkNumberStart”. You can manually add this as a dict at the end of the file, or you can use the command “sudo defaults write /Library/Preferences/SystemConfiguration/ NAT -dict-add SharingNetworkNumberStart″. This makes sure that is now used as the subnet for the sharing interface, and as such fixes our first problem.
  4. Use the GUI again to start Internet Sharing.
  5. Manually change the IP address used by the Mac’s LAN interface with the command “ifconfig bridge100 netmask up”.
  6. Now we need to change some DHCP options, because by default the DHCP server tells the clients to use gateway We do this by altering file /etc/bootpd.plist. There are two mentions of that we need to change into We also need to adjust the pool range. Look for the <key>net_range</key> section. Alter the starting address to
  7. Find the PID of the bootpd process and give it a kill -HUP to reread its config file.

That’s it. Now you can connect the LAN cable and enjoy internet from your Pineapple.

SSLsplit on WiFi Pineapple

Posted in Notes to myself, pentest, Security on 2014/07/26 by mram

Update: after this blogpost somebody made an Infusion for SSLSplit on the WiFi Pineapple. That’s great! You can still use the howto below, but the easier way is to install the Infusion via the Pineapple bar.

Recently I was asked by a client to do a penetration test on one of their mobile apps. Fun stuff. One of the things I always test is security of the communication channel. Often SSL over HTTP is used for that. The WiFi Pineapple is a great companion for this as it provides an easy way for setting up a wireless access point with some attacks on the communication, leaving your own pentest machine free for other attacks.

Default approach to analyze traffic is to become Man-in-the-middle between App and server it communicates with. This is easily done by configuring the mobile device with a proxy (if the App communicates via a proxy aware protocol and if it accepts the system proxy settings) or to redirect traffic using iptables on the Pineapple. Than have Burp or any other proxy tool run to intercept and modify the traffic. Nothing new here.

But what was special at this specific engagement was that Burp (or any other proxy tool I know) was unable to interpreter the traffic. Yes, the iptables redirection was working, yes the SSL-mitm worked without a prob. Burp showed the initial request, and wireshark showed the traffic being forwarded to the actual server the App wanted to communicate with. But nothing was happening after that. No data, nothing. After some tinkering the hypothesis was formed that the App used non HTTP traffic over SSL and our proxy tools don’t understand it.

This is where I learned about this great tool SSLsplit. Its a proxy tool able to do full SSL certificate forging, full HTTPS decode, but also able to just show the decoded TCP and SSL traffic if it cant decode it into HTTP. Exactly what I needed! I had some compiling issues getting it to run on my Kali pentest machine. Im sure these could be fixed but I just tried installing it directly on the Pineapple. Turned out it works like a charm. Here is what you need to do:

  • SSH to your Pinapple and update the packages using opkg update
  • Get the OpenWRT libevent2 packages (all 5) from the official mirror at
  • Download the unofficial OpenWRT build of SSLsplit for OpenWRT at project Ghost on Github:
  • generate the SSL certificate authority and key for SSLsplit to use.
    • openssl genrsa -out certificate.key 4096
    • openssl req -new -x509 -days 365 -key certificate.key -out certificate.crt
    • Depending on the config of the mobile App you may need to import the newly generated certificate.crt onto the device.
  • Know what non intuitive parameters SSLsplit requires:
    • mkdir /tmp/sslsplit (make a working directory)
    • mkdir /tmp/sslsplit/contentlog (make a directory for session logs inside the working directory)
    • ./sslsplit -k certificate.key -c certificate.crt -D -l connections.log -S /tmp/sslsplit/ -L contentlog ssl 8888
    • This starts sslsplit with:
      • using the cert authority we just created, used for certificate forging
      • debug output to the main screen (I found this useful, you may not)
      • working dir /tmp/sslsplit, duping the actual content of the connections to /tmp/sslsplit/contentlog/
      • decoding traffic that comes in a port 8888 as ssl
  • Redirect the traffic we want to analyze to port 8888, with a simple iptables script
    • root@Pineapple:~# cat
      echo ‘1’ > /proc/sys/net/ipv4/ip_forward
      iptables -X
      iptables -F
      iptables -t nat -F
      iptables -P INPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -t nat -A PREROUTING -p tcp -d @@SPECIFIC_DEST_IP@@ –dport 443 -j REDIRECT –to-ports 8888 (watch it, parameters –dport and –to-ports are double dashes but for some reason WordPress displays them as one).
      iptables -t nat -A POSTROUTING -j MASQUERADE
  • Start your app and see if it accepts the SSL certificate. In my case it did (bad for the App, good for the pentester) and the content was dumped on the pineapple in /tmp/sslsplit/contenlog with a file per TCP sessions.

Full SSL decode. Awesome!

OSCP tips and drawbacks

Posted in OSCP, Security on 2013/08/25 by mram

In part 1 I explained why the Pentesting With Backtrack + OSCP exam is a good course even if you are experienced with pentesting already. In this second part I’ll cover some items that will help you better prepare for the course. Besides its greatness the course also has a few drawbacks that I want to cover so you are aware of it.


Not many tips can be given without disclosing too much info on the course. Don’t expect tips about the content, just some tips on how to get you better through the course:

  • Plan for this, it will take time to do it right and you want to do it right. The course is full of great info, so make time to read and experience it all.
  • Don’t focus on the OSCP material alone. Be curious and investigate questions you may have. Especially if you have the lab still available you can easily experiment.
  • Be open for different approaches. This really is the case if you are experienced already.
  • OffSec does a good job by learning you the importance of note taking during the course on how you pwned each box. Yes, this is important. Especially if you continue for a career in pentesting. Take notes, notes, notes. Not only to make your own life easier for the reporting, but also for during the test. As with any pentest the slightest bit of info gathered on box A can help you get further on box B.
  • Experiment with different ways of note taking during a pentest. Again note taking is really key. I personally dislike the exact way OffSec teaches you to take notes. I tried it but simply can’t work and think efficiently the way OffSec teaches you to take notes (why on earth would you want to make a separate child note for every port of a system?!). But note taking is important so I needed to find a different way. In my day job as pentester most of the time a text editor and screen shots is good enough for smaller tests. For larger tests I use Notecase (Pro). Main take away is easy dumping of text in proper format combined with including of screen shots. After that its the search function that takes care of finding back my notes. Notecase was a good fit for me during this course. Of course this is a personal preference.
  • Again on note taking, but this time the advice to take notes of commands/hacks/tricks you use during tests. My ‘useful_commands.txt’ that I’ve been maintaining since my first pentesting day is by far the most valuable file I have on my computer. It contains tons of specific commands for specific situations. Many commands I know from memory, but many more I don’t. Also my brain doesn’t store stuff Ive seen one time. I need to see it more often. When encountering rare situations at a pentest, I research and write down in my file. Next time I encounter a similar situation I know I’ve encountered it before but will not remember exactly how I did this. With a simple look up from my file I save precious time. For example the command to add a 2nd uid=0 user on a HPUX box. Yes I somewhat know how to, and I could use the man page. But what if I only have non interactive access, or if the man pages aren’t installed? I could search online. But by far the quickest way is to check my useful_commands.txt file. I see many colleagues of mine mimic this, it works great!
    Update: nowadays there is a book called Red Team Field Manual that does about this. Its a good start containing many great operational commands.
  • Get online on IRC. The forum is helpful but not that active. The IRC channel is! great info there.
  • If you need it, try to find a studying buddy (on IRC). Somebody who is going through the course just as you are. Be careful not to give him answers of the end result and he/she will not do the same to you. But being able to discuss approaches may really help you to sharpen your ideas and counter those hard moments when you are completely stuck on one of the more difficult boxes.
  • Restore the VMs before you start pwning them. People don’t clean up, boxes are in unstable state, hints may be gotten from files left behind by others. Just restore before pwning and you will have the full learning experience.
  • Start in time with the reporting. If you do use the Offsec template (which I advise against, see further below this post for why) make sure to not wait till the end.

These are I think the most important tips for prepping for the course. There is one more, but it is needles to say as you sure have read on other OSCP write-ups: be ready to try harder.

Drawbacks of the course

Although OSCP is a great course that I recommend to others, I did notice a few drawbacks. Do note that I see OSCP as a preparation for a professional pentesting career, and from that perspective Ive noted the following items:

  • There aren’t many IT networks where you can exploit 8 year old vulnerabilities. At OSCP you can. Not all boxes, but some. For sure a nice trip down memory lane, but I would say that not all boxes are a good representation of the real world. No biggie, but please keep this in mind. Also don’t try to pwn boxes with exploits that are disclosed just last month. This might be possible, but you are spoiling your own learning experience if you aren’t aware of this.
  • Content wise I see several issues. I would say that there is:
    • Too much focus on info gathering over the internet.
    • Too much focus on exploit development. Yes this is important but this takes up a _very_ large part of the course, imho too big of a part.
    • Not enough focus on post exploitation. In the labs you are required to do so every once in a while, but in real world pentests post exploitation plays a far larger role namely to determine the business impact of a finding.
    • Not enough info on databases and networking. Yes both are somewhat covered, but there is much much more to learn on these topics for a starting pentester.
    • The majority of clients use Active Directory. Being experienced in management and hacking of Active Directory is a must for a good and efficient (internal) pentest. OSCP lacks true AD hacking in the lab and in the course material. A simple chapter on the basics of AD mngt and hacking would greatly be appreciated for a starting pentester. Be ready to learn this on your own.
  • The biggest point for improvement I think is the reporting. Offsec teaches you to write a technical report detailing the steps you took. I see and hear this at clients many times when talking about what they really want: clients are not happy with 100+ page reports where in length you detailed how you owned a specific box and in what order you performed which step, what you got from a NMAP output and how you modified a given exploit. Clients are interested in the factual insecurities, in the business impact of it and most of all in what steps to take for to improve. The OSCP report template forces you to report in a lengthy way that is easy to understand for other pentester. But how many times will you write a report for another pentester? Think of the audience you are writing for, and think in summaries and key messages. Why group your findings per system when it might be easier for the client to have a report per finding or per department that will need to follow up the findings, with a simple ‘applicable to system X Y Z’ list. While writing keep in mind what next steps the audience should do after your report. Don’t get me wrong, the mere fact that OSCP forces you to write a report for the course is a good thing. Its just a missed opportunity that the template kind of forces you to write down your lab notes instead of a quality pentest report. I understand this might be good for passing the course, but please don’t continue reporting like this once you are a professional pentester.

Despite the drawbacks listed above I want to stress I still think OSCP is a very good course. I recommend it to anybody thinking seriously about pentesting, experienced or not.

OSCP review for experienced pentesters

Posted in OSCP, Security on 2013/08/14 by mram

Some time ago I passed the Pentesting with Backtrack course and also the final exam that gained me the OSCP certificate. In the following blog posts I will write down my experience and give you my view on this exercise. You may also want to check out part two where I discuss some drawbacks of the course and tips for you to better prepare.

Why another review? There are many reviews already on the net that cover OSCP. These are excellent reviews with tons of info about the course to the extent that is allowed to share. It is not my goal to copy these reviews in my own words. Its my goal to give my opinion about OSCP as a professional security consultant with over 6 years of hands-on experience with pentesting. I work at an international consulting firm and have been performing all kinds of pentesting jobs through the years. From dedicated webapps, external perimeter, internal network pentest, hybrid internal/external on /16 networks, databases, mobile apps, SAP, SCADA, social engineering, red team assignments, etc., Ive been fortunate to be able to do them all. So if you happen to be experienced in pentesting and you are – just as I was – wondering if OSCP has any added value, this review is for you.

Why OSCP if you are experienced already?

This was the main question I was battling for some time. Having read about OSCP got me actually really excited. Finally a course that wasnt talking lightly about pentesting, required a true hands-on exam and – judging from many reviews – actually means something. Going through the syllabus I finally decided to leave behind any doubts on not adding value. Even if I could skip most modules I could always use the time to fill in any gaps in my knowledge that I might had gained in the recent years. In the worst case I would just spend some time pwning boxes. What’s not to like? Combining work and and the course I went for the 90-day option. I rescheduled the exam one time as I misjudged the prep time needed. I might have been ready for the exam already, but I also wanted to root the majority of the systems in the test network before starting the exam. I needed two more important boxes, so I rescheduled. I’m glad I did as I had _a lot_ of fun with these final two and also learned some new tricks.


Yes, I learned some really nifty things I never came across in my work. And not only on the topic for which I have to say I was very weak before the course (exploit development). Much to my surprise I also learned tons of cool little tricks on topics I thought I covered enough already. And here I can be very clear to you. Even if you have the experience, you will learn new stuff. As long as you are open to approaches you might not be used to you will learn, learn, learn. And in our quickly changing field that is never a bad thing :-) Also ask yourself the question: how many tools in BackTrack am I *really* experienced with? Another clear learning topic for me was the simple fact of doing hacks completely without a (web)vulnerability scanner and without all the Metasploit tricks. Being a consultant I’m often on time pressure, forced to gain the most impact in the least time needed. Using the best tools available is essential. This is not a bad thing. I will continue using the best tool for the job. But knowing how to do your work without all these tools makes you stronger.

Main reasons to do the course

These are important reasons why OSCP is a good course to do even if you already are experienced in pentesting. Below I list several items that really add to OSCP being one of the best certifications I ever did:

  • It never hurts to be critical on how and what you have learned yourself to do things through the years.
  • Strong focus is on pentesting without the one-click tools. You are encouraged to learn how stuff really works, in stead of how a certain vulnerability scanner or exploit framework does things.
  • Regardless of your exact background, the curriculum is diverse and you probably will learn new stuff. Even on topics that you already know pretty good it never hurts to have a fresh new look. I learned some new stuff on tunneling and put it in practice (e.g. where else can you tunnel in a tunnel that was setup over a tunnel :-) )
  • The teaching material is very good. Both the PDF and the videos are worth it. This makes learning so much easier. These guys know their stuff and can explain.
  • One of its kind with true hands-on hacking. What other security certification do you know that has such a large hands-on part? When you think about it, it is ridiculous all the other certs don’t have a hands-on part. Especially in the business of pentesting it is important to not only know in theory something is insecure, you also need the hands-on skills to exploit the insecurities. So if you get a pentesting certificate, you might want to make it this one.
  • The lab environment you get access to is great. It is a good match for the theory you will be going through. Immediately you can test in practice in the lab. And once you are done with all the theory you can immediately continue powning boxes in the network (and a big network it is).
  • Also, were you ever afraid of testing new tools/ways at a live client network? You might just be able to test it here in the labs.
  • You might just learn something from the fresh insight of the people in the community. There is large community available on IRC. Some members have already done the course and just hang around. Others are just as you working through the labs. Help is available, but be warned: no easy help! IRC moderators are available to help you through the most toughest moments. But be prepared to get an answer like ‘Ah, nice try. But try harder’. No easy help from them. Make sure to also check the forum. Some good, but sometimes outdated, info is there.
  • Great great fun. The network is setup to be one big CTF. Although not of the highest difficulty level, for some boxes you will have to think hard on how to pwn them. You will have fun by experiencing ‘pain’ and you will ‘suffer(erence)’.

Is it hard?

I’m afraid I cant answer that for you. I don’t know your skills. But I do know that probably you will go through the theory very fast. Perhaps just some emphasis on one or two chapters where you think you are weak. Don’t be stupid and skip parts, take time and see this as a learning opportunity. About halfway through the labs – when you have pwned all the easy boxes and have got a few of the harder ones – you will get a good idea if you are ready for the exam yet. If you need the 30, 60, or 90 day option depends on the dedication and time you can put into it. The exam itself I think was not hard. If you pwned your way through the labs in the proper way I don’t think you will find the exam that hard. Hell, I even got a severe food poison halfway through the exam, forcing me in my bed and bathroom for about the second part of the exam time (and additionally 3 days of recovery). Fortunately I gathered enough points in the first few hours. That actually became an issue the day after the exam, when the report needed to be written. Thankfully my day job requires me to write reports, so Im pretty skilled on that. Between the running to the bathroom, sleeping and feeling generally extremely miserable I found some time to write the report quickly (with one hand on the keyboard, the other one switching between holding my sore head and the emergency bucket). So I would say no, it’s not hard if you are experienced. Just make sure you actually are open to learn new stuff during the course. The way you have been pentesting isn’t always the best way, nor the way OSCP requires. I for one learned new cool tricks and gained great insight in how others think pentesting should be done. Im happy I did the course. Because Im happy with the way OffSec approaches training Im looking for other courses by them.

In part two of this post Ill dive into some drawbacks and some tips.

If I had a botnet in 2010 #bitcoin

Posted in bitcoin, Security on 2013/04/12 by mram

Just brainstorming here, but lets say you had a botnet in 2010. You could do all kinds of stuff with it, and you did. But eventually you got tired of performing the Nth DDoS or sending the gazillionth SPAM email. You also got more and more competition, so prices for your services were dropping. Something had to change.

Lets say you read about this new thing called bitcoin. And because you had so many nodes in your botnet doing nothing you decided to start a little experiment and have the nodes mine bitcoins. In that time mining with CPU was still lucrative so you mined a lot during 2010 and 2011. Perhaps you had a few GPU boxes in your botnet also, so you let it run for a while until the end of 2012. CPU and even GPU mining wasn’t an option anymore by then due to the complexity. The next step was ASIC or FPGA but these were not easy to include in your botnet, so this adventure was over. Let’s say you ended up with 50 thousand bitcoins.

Having 50K bitcoins means nothing if you cant cash. Because of the setup of bitcoin it actually is really simple to convert a bitcoin into EUR: just sell it on a one of the trading websites. No police or tax involved, even no laundry of money needed! So you decided its time to start selling and making some profit. But, there are actually two problems that you wanted to get rid of:

  1. The price of one bitcoin by the end of 2012 was merely EUR20 or so, perhaps a tad more. Not real shocking money in the business you are in.
  2. Dumping 50 thousand bitcoins on a premature market where not much trading is happening is not good. Simple demand vs. supply rules dictated that you will flood the market and probably will end up with bitcoins not worth more that just a few euros or even less. You could also try to sell over a much longer period of time. But that still would not get you high profits and will only cost you a lot of time.

Both problems result in low profit. And that is not what you want. So, before selling your bitcoins you need the value of bitcoin to go up. Even if you flood the market, having a high value before flooding means you will end up with more profit. So you started thinking about the options. You thought that getting bitcoin to go up requires two things:

  1. Create more hype. If people don’t know about bitcoin than they will not buy some. So you need to have the main stream media to talk about bitcoins. Main stream media means main stream people. Main stream people is a lot of people.
  2. Have people believe it is worth more than it is right now. So create artificial demand.

The two items above are interlinked. Once more people know, more might want to buy and the price will go up. So all you need to do is give it the first push.

So you perform a DDoS on trading websites and send some SPAM about bitcoins. You also start buying bitcoins for EUR50 while the current bid price is EUR20. You do this for some time and you see the price going up. You buy some more for EUR80 when the current bid price is on EUR50. Lets say you invested a total of EUR100K in buying bitcoins for above market prices.

Slowly but steady the price is rising. And then, all of a sudden the buzz is on. The big media start writing about bitcoins! People get interested and more demand is there. At the same time you get some (unintended) help from the Cyprus crisis. Now the buzz is really on! Bitcoins are in real demand. The big trading websites simply cant handle the demand. Even more news articles about bitcoin being in such demand that the trading websites cant handle the traffic. Great, you don’t even have to DDoS yourself, all the users are already doing that.

You point, laugh, and got a beer while you saw your 50K bitcoins sky rocket in value. You watched it for a few days and then you decided to cash. Just before 1 bitcoin hit EUR200 you decided to start selling all. First for market price EUR200, then below market price for EUR150 and within a few hours you sold all before market price was EUR100.

Yes, the market went down quickly, but you managed to sell all. Lets see what you cashed:

  • 50 thousands bitcoins for between 200 and 100 euro. So lets say 50,000 * 150 = EUR7,500,000
  • Your investment to get the price up was EUR100,00.
  • Profit is EUR7,4 million euro.

OK, there is also the investment of having your botnet mine and not send SPAM, performing DDoS or lend it out for cyber crime attacks. But I doubt that goes into the millions.

Now, if you didn’t do the EUR100K investment you might had cashed 50,000 * 20 euro = EUR1,000,000. So a EUR100,000 investment was for sure a good thing.

Hat tip to you if you had a botnet in 2010 and performed the above steps. The botnet part is criminal, but you are a smart criminal.