{
	"id": "280621c8-0b4d-4984-823b-70885bd3d05c",
	"created_at": "2026-04-15T02:23:52.437343Z",
	"updated_at": "2026-04-18T02:21:04.239118Z",
	"deleted_at": null,
	"sha1_hash": "8d3746b7cf33c97656a242d001e35442e86e6bab",
	"title": "Pony’s C\u0026C servers hidden inside the Bitcoin blockchain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61242,
	"plain_text": "Pony’s C\u0026C servers hidden inside the Bitcoin blockchain\r\nBy Omri Herscovici\r\nPublished: 2019-10-17 · Archived: 2026-04-15 02:11:08 UTC\r\nResearch by: Kobi Eisenkraft, Arie Olshtein\r\nIntroduction\r\nRedaman is a form of banking malware distributed by phishing campaigns that target mostly Russian-language speakers. First seen in 2015 and reported as the RTM banking Trojan, new versions of Redaman appeared in 2017 and 2018. In September 2019, Check Point researchers identified a new version that hides Pony C\u0026C server IP addresses inside the Bitcoin blockchain.\r\nIn the past we have seen other techniques that used the Bitcoin blockchain to hide a C\u0026C server IP address, but in this blog we will share an analysis of the new technique.\r\nThe malware connects to the Bitcoin blockchain and chains transactions in order to find the hidden C\u0026C server; we called this new technique Chaining.\r\nInfection chain\r\nHow the attacker hides the C\u0026C servers in the Bitcoin blockchain\r\nIn this real example the attacker wants to hide IP 185.203.116.47.\r\nIn order to do this, the attacker uses wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ:\r\nhttps://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/\r\nPage 1 of 6\r\n1. The attacker converts each octet of the IP address from decimal to hexadecimal: 185.203.116.47 =\u003e B9.CB.74.2F\r\n2. The attacker takes the first 2 octets, B9 and CB, and combines them in opposite order: B9.CB =\u003e CBB9\r\n3. The attacker then converts back from hexadecimal to decimal: CBB9 =\u003e 52153. 0.00052153 BTC (about $4) is the first transaction he will make to the 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ wallet.\r\n4. The attacker takes the last 2 octets, 74 and 2F, and combines them in opposite order: 74.2F =\u003e 2F74\r\n5. The attacker converts back from hexadecimal to decimal: 2F74 =\u003e 12148. 0.00012148 BTC (about $1) is the second transaction he will make to the 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ wallet.\r\nFigure 1 – Related transactions with amounts of 0.00052153 and 0.00012148 BTC\r\nhttps://www.blockchain.com/btc/address/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ?sort=0\r\nHow Redaman malware reveals the dynamic hidden C\u0026C server IP\r\nRedaman does the opposite of the algorithm described above.\r\n1. Redaman sends a GET request to fetch the last ten transactions on the hard-coded Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ:\r\nhttps://api.blockcypher.com/v1/btc/main/addrs/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ?limit=10\r\n2. It takes the values of the last two payment transactions to the Bitcoin wallet: 52153 and 12148.\r\n3. Converts the decimal values from the transactions to hexadecimal: 52153 =\u003e CBB9 and 12148 =\u003e 2F74.\r\n4. Splits each hexadecimal value into its low and high bytes, swaps their order and converts them back to decimal: B9 =\u003e 185, CB =\u003e 203, 74 =\u003e 116, 2F =\u003e 47\r\n5. Together these values form the IP address of the hidden C\u0026C server: 185.203.116.47.\r\nFigure 2 – The actual code that calculates the C\u0026C server IP; in “Dump 1” you can see the hexadecimal values of the C\u0026C server IP: B9 CB 74 2F (185.203.116.47)\r\nFigure 3 – JSON response that includes the hidden C\u0026C server IP\r\nConclusion\r\nIn this blog, we described how Redaman has become more effective by hiding dynamic C\u0026C server addresses inside the Bitcoin blockchain, in contrast to simple C\u0026C setups based on static/hard-coded IP addresses, which provide an easy way to defend against this type of attack.\r\nIndicators of Compromise:\r\nHidden C\u0026C servers\r\nRedaman samples\r\nBitcoin wallet\r\n1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ – The wallet is not recognized as malicious in any blockchain databases but Check Point incriminates it.\r\nSource: https://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/"
	],
	"report_names": [
		"ponys-cc-servers-hidden-inside-the-bitcoin-blockchain"
	],
	"threat_actors": [],
	"ts_created_at": 1776219832,
	"ts_updated_at": 1776478864,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d3746b7cf33c97656a242d001e35442e86e6bab.pdf",
		"text": "https://archive.orkl.eu/8d3746b7cf33c97656a242d001e35442e86e6bab.txt",
		"img": "https://archive.orkl.eu/8d3746b7cf33c97656a242d001e35442e86e6bab.jpg"
	}
}