Will John McAfee save us from Petya?

Published in Threat Intel · Jul 6, 2017 · 3 min read

Hidden message in vanity bitcoin addresses paying into Petya wallet references the famous tech founder.

Instead of fading into the background noise of the general threat landscape like most cyber attacks, the Petya outbreak story continues to rumble on. There has already been plenty of commentary about the possible motivations of the attackers: were they financially motivated criminals, or state-backed actors looking to cause damage and disruption? If the motive was financial, then we know that, due to basic errors in how the campaign was run, the whole effort has pretty much fallen on its face. The use of a single email address and a single bitcoin wallet for collecting funds has pretty much seen to that.

We have now also learned that the account used for collecting ransoms has actually been emptied, which is unexpected.

Back in May, the folks behind WannaCry made similar errors to the Petya attackers. They used only three bitcoin addresses to collect ransom and, even now, those funds remain untouched. It’s unsurprising they remain untouched considering every government and law enforcement agency must be all over those accounts, watching and waiting for any movement.

Blockchain graffiti

So that makes it all the more interesting that somebody with access to the wallet key for the Petya attack moved funds out of the ransom wallet into other wallets. A further twist in this tale is the use of vanity bitcoin addresses for payments into the Petya bitcoin wallet: in particular, a sequence of five small payments totaling around 0.006795 BTC (approx. $17) that was made into the ransom account shortly after the account was drained of funds.

What’s interesting are the bitcoin wallet addresses from which these payments were made.

Let’s take a look at these addresses in sequence:

· 1John2h6PmKVuazyqnzakh1MkBVe44hXUh

· 1McAfeeeQNYJRtxhrBNrQHWHDytAyAwdR5

· 1Wi11X7DJFTQtP9AoDvz8qgUr7w2wXLyx

· 1Save2HNzFFm7Z1R3QDqE5HAur9L7t8TM

· 1Us2bD8nBmDcqtaFPASHsQFrERQZV2yow

Read in order, the leading characters of these addresses spell out the sentence “John McAfee Will Save Us”.

[Image: Most recent transactions on the Petya ransom wallet, showing the “McAfee” messages following the fund extraction. Courtesy of Blockchain.info]

The “McAfee” address appears to be the one from which funds were split to fund the other transactions that make up the sentence.

But why McAfee?

Why is John McAfee mentioned in these hidden messages in the blockchain? It’s hard to know for sure, but John McAfee, apart from being founder/ex-CEO of the well-known security company that bears his name, is also now well known for his involvement in cryptocurrencies, and is quite outspoken in his views on the matter, as well as on many major recent cyber attacks.

Of course, McAfee himself has nothing to do with Petya, but whoever made these transactions is clearly quite familiar with the cryptocurrency world. After all, not everybody goes to the trouble of generating a series of vanity bitcoin addresses that spell out a sentence and then making a series of transactions in the right order to deliver the message. Crypto newbies (as many victims would be) would probably not know about vanity addresses, let alone go to the trouble of creating them.
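To show what "the trouble of generating vanity addresses" actually involves, here is an added example (not code from the original post or from Symantec) of the address mechanics behind the five payments. It encodes and decodes legacy Base58Check addresses with their checksum, checks which words can appear in an address at all, and runs the brute-force prefix search a vanity generator performs. One simplification, labelled in the code as an assumption: the 20-byte payload is random instead of RIPEMD160(SHA256(pubkey)), so the addresses it produces have no spendable key behind them; a real generator derives the payload from a fresh key pair on every try and keeps the private key of the match. Two points the example makes concrete: the Base58 alphabet has no 0, O, I or l, so "Will" cannot appear literally and had to be written "Wi11" as it is in the list above; and each additional prefix character multiplies the expected work by roughly 58, which is why the message was split across five short words rather than one long address.

```python
"""Vanity-address mechanics behind the "John McAfee Wi11 Save Us" payments.

Added example, not code from the original post or from Symantec.
ASSUMPTION (simplification): the 20-byte payload is random rather than
RIPEMD160(SHA256(pubkey)), so no private key exists for the addresses found
here. The Base58Check format, checksum and search loop are the real ones.
"""
import hashlib
import random

# Bitcoin's Base58 alphabet: no 0, O, I or l (visually ambiguous characters).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The five source addresses as listed in the post (P2PKH, version byte 0x00).
PAGE_ADDRESSES = [
    "1John2h6PmKVuazyqnzakh1MkBVe44hXUh",
    "1McAfeeeQNYJRtxhrBNrQHWHDytAyAwdR5",
    "1Wi11X7DJFTQtP9AoDvz8qgUr7w2wXLyx",
    "1Save2HNzFFm7Z1R3QDqE5HAur9L7t8TM",
    "1Us2bD8nBmDcqtaFPASHsQFrERQZV2yow",
]


def _checksum(data: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Serialize version || payload || checksum as a Base58 string.
    Leading zero bytes become leading '1' characters (hence the '1' prefix)."""
    full = bytes([version]) + payload + _checksum(bytes([version]) + payload)
    n = int.from_bytes(full, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    pad = len(full) - len(full.lstrip(b"\x00"))
    return "1" * pad + digits


def base58check_decode(addr: str):
    """Return (version, payload); raise ValueError on bad chars or checksum."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            raise ValueError(f"{ch!r} is not a Base58 character")
        n = n * 58 + ALPHABET.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        raise ValueError("address too short")
    data, check = raw[:-4], raw[-4:]
    if _checksum(data) != check:
        raise ValueError("checksum mismatch")
    return data[0], data[1:]


def verify_address(addr: str) -> bool:
    """True if the string decodes with a valid checksum (a typo or a flipped
    character fails with probability 1 - 2**-32)."""
    try:
        base58check_decode(addr)
        return True
    except ValueError:
        return False


def encodable(word: str) -> bool:
    """Can this word appear verbatim in an address? 'Will' cannot ('l')."""
    return all(c in ALPHABET for c in word)


def approx_tries(prefix: str) -> int:
    """Order-of-magnitude expected attempts: about 58 per character after the
    fixed leading '1' (the second character is somewhat easier in practice)."""
    return 58 ** (len(prefix) - 1)


def find_vanity(prefix: str, seed: int = 1, max_tries: int = 500_000) -> str:
    """Brute-force search for an address starting with `prefix`.
    ASSUMPTION: payload is random; a real generator would hash a fresh public
    key here and keep the matching private key."""
    if not (prefix.startswith("1") and encodable(prefix)):
        raise ValueError("prefix must start with '1' and use Base58 characters")
    rng = random.Random(seed)  # seeded so the run is reproducible
    for _ in range(max_tries):
        payload = rng.getrandbits(160).to_bytes(20, "big")
        addr = base58check_encode(0, payload)
        if addr.startswith(prefix):
            return addr
    raise RuntimeError(f"no match for {prefix!r} in {max_tries} tries")


if __name__ == "__main__":
    for word in ("John", "McAfee", "Will", "Wi11", "Save", "Us"):
        print(f"{word:7s} encodable={encodable(word)}")
    for addr in PAGE_ADDRESSES:
        print(f"{addr:35s} checksum_ok={verify_address(addr)}")
    print("expected tries for '1John':", approx_tries("1John"))
    print("found:", find_vanity("1Jo"))
```

Running the script lists the page's five addresses with their checksum result, shows that "Will" is rejected while "Wi11" is accepted, and finds a "1Jo" match in a few thousand attempts; extending the prefix by one character multiplies that work by about 58, which is the budget an attacker or a prankster has to spend per word.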

Somebody is obviously having a laugh with this blockchain graffiti. Are they inviting attention, or are they goading the authorities? It’s hard to know. In case you’re wondering, it’s not the first time we have seen this kind of thing: similar micro payments were made into the WannaCry wallets, spelling out colorful messages to the attackers through the blockchain addresses used.


Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.