Repost. DON'T open the xlsx locktime file, beacon image confirmed in it with Hansa's server IP address

This is VERY IMPORTANT; someone please post this as a new thread, as I'm a new user and Reddit doesn't allow me to make a new post. It can save many vendors' lives. I looked into the locktime xlsx file. It's basically a zip file containing many plain-text XML files; you can change the file name from .xlsx to .zip and open it with your zip viewer. I looked into the XML files one by one, and guess what I found: the IP address of the Hansa server.

In the folder xl/drawing/_rels:

<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://217.182.159.33:9998/img/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/logo/logo.png" TargetMode="External"/>
<Relationship Id="rId6" Target="/xl/media/image2.png" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" />

The "xxxxx" is a long generated unique code; I guess each vendor has a unique one. This way, when you open the xlsx file, Excel sends a request to the IPv4 address for the image, and they know your IP address without Tor protection. That's why they said they were able to get users' IP addresses.

When you try to open the IP address, it shows exactly the same image as Hansa's onion domain.

If you ever opened the file without IP address protection, you are fucked; your real IP address is leaked! Clear your house ASAP.

One more thing to say: although there's this beacon image, there's no hidden malware or macro VB code in the file. Macro code cannot be saved into an xlsx file; it can only be saved into an xls, xlsm or xlsb file, so you don't need to worry about malware.
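The two checks the post describes by hand (look through every .rels part of the unzipped xlsx for an image relationship with an external http target, and confirm there is no macro payload) can be scripted. The following is an added example, not code from the post or from any Hansa-related tool. It walks every *.rels part in the zip rather than relying on one fixed path, flags any Relationship whose Target is a URL or whose TargetMode is External, and reports whether a vbaProject.bin part is present. The sample package it builds is constructed in memory for offline testing: the drawing .rels content is the fragment quoted above (with the post's "xxxx" placeholder left as-is), and the other parts are stubs.

```python
"""Added example (not from the post): scan an .xlsx for relationship entries
that make Excel fetch a remote resource when the file is opened, and check
for an embedded VBA project. An .xlsx is an OOXML zip; every part's links are
declared in a *.rels XML file, so the beacon the post describes shows up as a
<Relationship> whose Target is a URL and whose TargetMode is "External"."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def find_external_relationships(xlsx_bytes):
    """Return [(rels_part, Id, Type, Target)] for every Relationship that
    points outside the package, in any *.rels part of the zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # Flag on TargetMode="External" OR on a scheme-prefixed Target:
                # a URL target is a network fetch even if TargetMode is omitted.
                if rel.get("TargetMode") == "External" or URL_SCHEME.match(target):
                    hits.append((name, rel.get("Id"), rel.get("Type"), target))
    return hits


def has_vba_project(xlsx_bytes):
    """True if the package carries a VBA binary (the part Excel writes only
    for macro-enabled workbooks such as .xlsm)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def build_sample():
    """Constructed minimal package for offline testing. The drawing .rels
    content is the fragment quoted in the post; the workbook parts are stubs."""
    drawing_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://217.182.159.33:9998/img/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/logo/logo.png" TargetMode="External"/>
<Relationship Id="rId6" Target="/xl/media/image2.png" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub, not inspected
        zf.writestr("xl/workbook.xml", "<workbook/>")    # stub, not inspected
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", drawing_rels)
        zf.writestr("xl/media/image2.png", b"\x89PNG\r\n\x1a\n")  # local image stub
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for part, rid, rtype, target in find_external_relationships(sample):
        print(f"{part}: {rid} -> {target}  ({(rtype or '').rsplit('/', 1)[-1]})")
    print("VBA project present:", has_vba_project(sample))
```

Run it against a real file with `find_external_relationships(open("locktime.xlsx", "rb").read())`. Two caveats: xml.etree is not hardened against entity-expansion attacks, so for files from an untrusted source parse with defusedxml instead; and the absence of vbaProject.bin only rules out VBA macros, not other active content such as external data connections or OLE objects, which have their own relationship types and would also be listed by the first function if their targets are external.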


Comments


[49 Points] b1ack-spyd3r:

Why is all the tinfoil hat bullshit being discussed, but no one is even taking a second look at this? Seems like dank-nation was talking about it yesterday..


[15 Points] sharkbetfarkets:

Replacing the vendor keys with the key of the Dutch police was fucking stupid, but this is actually really smart.


[10 Points] ItsAllJustPretend:

MODS PLEASE STICKY. EXTREMELY IMPORTANT INFO FOR VENDORS.

/u/Theeconomist1 /u/coffeencreme /u/wombat2combat /u/endedbytheknife /u/CrushOnJenny /u/pinochetHA /u/cheapcab


[4 Points] sippinrealactavisjk:

Original by /u/pxx51092: https://www.reddit.com/r/DankNation/comments/6pi0et/dont_open_the_xlsx_locktime_file_beacon_image/


[5 Points] None:

[deleted]


[3 Points] PM_ME_SAD_STORIES_:

Wait, what file? Is this for Hansa or something? Fuck, I'm so confused.


[2 Points] UndeadMarine55:

By experts, I'm referring to guys like Jacob Appelbaum who've spoken at DEFCON.

My point is, let's say hypothetically that NSA doesn't officially help the FBI bust druggies by using the NSA leet god mode tools.

But would it be a stretch to say that every once in a while NSA unofficially gives a tool to enable parallel construction? I'd say not a stretch.

If you downloaded that file, I don't see how it's unreasonable to assume that comp is fucked. And if it were me dabbling in the dark web, I'd burn the network too.

Are these unreasonable assumptions?


[2 Points] theshadowfax:

So fucking glad I never used the shithole that was Hansa.

"Our wallets are stored off the servers, they can never take our coins, kekekekeke!" turned out to be the "Not even God can sink this ship" of 2017.


[1 Points] R245SA:

LE is a bunch of morons. Why would they not do a massive arrest SW and run markets longer? They got nada. I call bluff.


[1 Points] _PrinterPam_:

<sigh> More FUD.

1: I have a collection of those files, right up until a few hours before the site went down. I'm not seeing what you're seeing.
2: I see several different accounts posting this same thing on several sites/subs.
3: The 'new user' thing should be a flag.
4: None of that necessarily indicates a threat.
5: wtf is 'IP address protection'? Excel has no such 'option' to my knowledge.
6: Even if your accusations were true, why would pulling an image (and thus revealing an IP) in any way implicate someone in ANYTHING if no other info is sent? (The meaning of that 'xxxx' does not mean what you think it does.)
7: You're assuming "they" (Dutch LE) are being truthful, rather than bragging/scaring, about "knowing people's IP addresses."
8: ...shit, there's a ton of other glaring holes in this but I'm about to lose interest in thi...bye.


[1 Points] ice_cream4breakfast:

So if someone opens this with Tails OS, are they fucked?


[1 Points] dnet33991:

People underestimate the importance of practicing proper OpSec.

This is a very good warning and find for those who weren't already aware.


[0 Points] Hairybristols:

Who's to say that the mods, who were unaware LE was in control, didn't put that there, so no IP signalling? They made the decision to ban fent; not unlikely they would have also wanted vendors to dl their locktimes etc...?

Could be LE trying to find vendors' IP addresses. Is there a definitive answer on this?


[0 Points] Hairybristols:

So, this document has Hansa's IP address in it; it would have anyway. That in itself doesn't mean LE is behind this. Plenty of faulty logic at work here, and people who seem to know technical details aren't really helping with their posts.

Also, the original poster is a fresh account and, from what I have read, has spread this post on many forums and not used his account for anything else. Is that dodgy?