The Fulminare case

5 min readSep 15, 2023

The theft

On September 10, 2023, multiple users reported on various Neurai social media platforms that the coins they had in their Neurai-QT wallet have been drained to another address unknown to them.

The address that has received all these coins:

NRh11VStpcoW4B5vTXxTZUkABDM1DkyB2d

In Discord, a user comments at the same time that the Fulminare project had disappeared from its social media and its website, erasing any trace of its project.

The first thought was that there might be a connection, as several users with the stolen coins had this wallet installed.

We made a call on Twitter to the Y3TI group, which specializes in examining crypto wallets for potential vulnerabilities or malware, to review the Fulminare wallet. This happens in the following post:

They kindly responded that they would check it out and joined our Discord to continue discussing the matter and to obtain the wallet for examination:

At this time, we are unsure if the hacking of the Neurai-QT coins is related to Fulminare, but all signs seem to indicate that it is.

Y3TI requests the wallet file for examination, and we send it to them privately.

It seems that at first glance, the wallet contains malware.

And it turns out that the malware is from the Darkbit family.

For a more detailed analysis, y3ti will release a report on their website, which specializes in examining wallets to detect and prevent malware.

Their final report confirms our initial suspicions:

Y3TI

The Backbone of Tomorrow's Crypto Ecosystem In the ever-evolving world of crypto, Fulminare stands as your trusted…

y3ti.uk

Extra Malware Scan (Powered by Intezer)
Report shows malware detections for the following reason(s)
DarkBit — Malware & RansomWare (https://www.sentinelone.com/anthology/darkbit/)
DarkBit ransomware emerged in early 2023, and has been observed heavily targeting educational institutions in Israel. Actors behind DarkBit claim to be politically motivated and against any kind of racism, fascism and apartheid. DarkBit is written in Golang, following suit from other large ransomware families known for releasing payloads in Rust, Golang and similar cross-platform languages. The group is active on multiple social media platforms allowing them to spread details about their attacks as well as victim data.

From this investigation, we’ve determined how the coins were stolen. The Fulminare malware was scanning for wallets in common directories, subsequently sending the private keys to a location controlled by the scammers.

The private keys are stored in the wallet.dat file, and if someone gains access to this file, it becomes easy to steal the data. Especially if the wallet is not encrypted or if the encryption key matches the one used in Fulminare wallet.

Situation with Exchanges

The address NRh11VStpcoW4B5vTXxTZUkABDM1DkyB2d, to which the stolen coins were sent, does not belong to any exchange. This was confirmed by various exchanges.

On the 13th and 14th, all the funds were transferred to different addresses, with one being the major beneficiary receiving 12M at:

NM91rgVb1F1PXJ97dJjAJSDYnWGrMZMPBi

We reached out to various exchanges and eventually discovered that the address belongs to Xeggex. We spoke with their administrators, and they informed us that they had sold everything they received, but there remains 1000 USDT that has been frozen in their account.

To distribute this money among the affected individuals, a police report needs to be filed by one of the victims. We are currently looking for someone to file this report so we can return some of the stolen funds.

And my coins?

We understand the frustration of being robbed and feeling helpless, but there’s nothing we can do in this case. The Neurai blockchain is immutable, and we have no control over what happens there. And it should be this way; otherwise, it would have no value.

It’s a harsh lesson, but it’s essential to remember that security is something that must be taken very seriously to prevent the loss of coins, money, photos, or sensitive data. We will try to assist you in any way we can to enhance security on your devices and avoid similar future situations.

For the time being, a legal complaint is required and in the best case scenario, a refund of $1,000 of the total amount stolen will be possible.

And what do we do now?

This teaches us that in the crypto world there’s a significant lack of knowledge regarding security, and it’s essential not to run or install any executable on a computer without due diligence.

While this has happened to us, it regularly occurs in other situations where you install a free game’s installer or a patched program to avoid payment, blocking the whole pc or stealing the data of the grown card or the bank.

Creating malware is highly profitable, and we cannot make it easy for these scammers. If they have succeeded now, they will try again in a few months. We must be as prepared as possible to prevent it from happening again.

For this reason, we will create a guide that will be useful for any cryptocurrency and help protect us from these unpleasant situations.

Stay tuned.