Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Extracting BTC addresses from emails

Published: 2018-07-15
Last Updated: 2018-07-16 00:07:22 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I was asked if I had a tip to automatically extract Bitcoin addresses from emails (cfr. Retrieving and processing JSON data (BTC example)). I do.

My tool,, comes with a regular expression to match Bitcoin addresses, and also with the Bitcoin address checksum validation algorithm.

Bitcoin addresses are base58check encoded integers with a checksum. The following regular expression will match a Bitcoin address:


Of course, regular expressions can not be used for checksum calculations, and hence this regular expression will also match strings that are not valid Bitcoin addresses (e.g. correct syntax, but invalid checksum).

My tool contains a function to validate Bitcoin addresses (BTCValidate) by checking the checksum. It is used like this:


(?# ... ) is a comment for regular expressions, and is thus ignored by regular expression engines, but re-search interprets this comment to take extra actions, like in this case, calling BTCValidate.

This is the command I use to extract Bitcoin addresses from emails:

Option -n with argument btc directs to lookup and use the regular expression with name btc from its library. That's the regular expression for Bitcoin addresses.

Option -c directs to perform case-sensitive matches (Bitcoin addresses can contain an uppercase letter L but not a lowercase letter l).

Option -u directs to produce a list of unique Bitcoin addresses, i.e. to remove duplicate entries.

And finally, option -e directs to extract strings from the files it processes (*.vir files). That's because the extortion emails that I have come in various formats: MIME files, RTF files, MSG files (e.g. ole files). ole files are a binary format, and by default reads text files. Option -e extracts ASCII and UNICODE strings from binary files (and text files too) before processing.

Didier Stevens
Senior handler
Microsoft MVP

Keywords: bitcoin emails
0 comment(s)

Video: Retrieving and processing JSON data (BTC example)

Published: 2018-07-15
Last Updated: 2018-07-15 11:27:36 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I produced a video showing step-by-step how to retrieve and process JSON data, like I used in my diary entry Retrieving and processing JSON data (BTC example).

curl -s | jq -r ".addresses | .[] | [.address,.final_balance/100000000] | @csv"


Didier Stevens
Senior handler
Microsoft MVP

Keywords: bitcoin json video
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Retrieving and processing JSON data (BTC example)
Jul 14th 2018
1 day ago by DidierStevens (0 comments)

Cryptominer Delivered Though Compromized JavaScript File
Jul 13th 2018
2 days ago by Xme (0 comments)

New Extortion Tricks: Now Including Your Password!
Jul 12th 2018
3 days ago by Johannes (4 comments)

Well, Hello Again Peppa!
Jul 11th 2018
4 days ago by Remco (0 comments)

Microsoft Patch Tuesday July 2018 (now with Dashboard!)
Jul 10th 2018
5 days ago by Johannes (5 comments)

Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp)
Jul 10th 2018
5 days ago by Johannes (1 comment)

Apple Patches Everything Again.
Jul 10th 2018
6 days ago by Johannes (0 comments)

Criminals Don't Read Instructions or Use Strong Passwords
Jul 9th 2018
6 days ago by Renato (3 comments)

View All Diaries →

Latest Discussions

Botnet brute forcing mail accounts?
created Jun 22nd 2018
3 weeks ago by Anonymous (0 replies)

Simple SMTP/network routing questions
created Jun 14th 2018
1 month ago by Anonymous (0 replies)

HTTP Headers Illicit Characters
created Jun 13th 2018
1 month ago by David (2 replies)

NagiosXI 5.2.6 – 5.4.12 unauthenticated exploit chain leads to root access
created May 11th 2018
2 months ago by Remco (0 replies)

MinerPool Threat Feed info
created Apr 4th 2018
3 months ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
11 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
6 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
10 months ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
10 months ago by Renato (0 comments)