Showing posts from February, 2022

AuthTxn[.]com Scam

This scam was recently reported in the Guild of Guardians report-scammers channel and the scam originated from a discord user impersonating a Guild of Guardians admin. The discord account that sent the scam message has already been banned, but I suspect other members of the community will be approached by a similar scam with new fake discord accounts. Reminder : The Guild of Guardians Team will NOT direct message you, and will never ask you for the seed phrase to your wallet!  Never ever share with anyone the seed phrase for your wallet.  This is super important whether you're new to crypto or not.  There is simply no reason for you to share your seed phrase with anyone. With that aside, let's take a moment to explore how this scam works. The scammer impersonates a Guild of Guardians team member and direct messages the victim telling them that they can help with their current issue.  They provide a link to a site, in this case: hxxp://authtxn[.]weebly[.]com.  I highly recommend

We Need To Talk About Phishing

Growing up my parents always reminded me " Never talk to strangers ".  I must have heard that bit of advice from just about every adult in my life at one point in time or another.  Back then I'm sure no one imagined that about 90% of the people we interact with online in the crypto space were going to be effectively digital strangers. The modern day equivalent of " Never talk to strangers " in the crypto space is " Never sign contracts from unverified sources... especially if it originates from an email. "  It's not quite as catchy, so maybe just " Don't digitally sign what you can't verify ". We'll work on the slogan. According to several sources, 254 NFT's were stolen yesterday from a set of OpenSea users, and you can find at least one description of the incident here . The leading theory I've come across is that the users were tricked into signing a fake contract regarding the OpenSea migration via a phishing email,

Chain Analytics on Scam Addresses

In January I created a post listing some of the ETH addresses associated with a set of scams targeting the Guild of Guardians community.  Yesterday night a member of the community reached out to as they were a victim of the scam and had performed some research that aligned with our findings, specifically they identified two ETH addresses that were used to move the proceeds of the scam: 0xf319B5047d657c054C73908308E4C22A98dC7C22 0xAcda910E9175E2B174266B9D80ED8be87CC79CB7 If you're new to the cryptocurrency space, it's important to remember that blockchain technology, by default, provides transaction transparency, but in many cases maintains anonymity.  Barring a leak from a centralized exchange or self identifying as the owner of an address, while you can see all transactions on Ethereum, you can't necessarily tie those transactions to a real world individual or group if they are making an effort to remain anonymous. So what do you do when you have

Does Reporting Make A Difference

Last week after looking into some scams reported by the Guild of Guardians community on the official Discord I did some digging and identified 27 domains hosting a fake cryptocurrency exchange mimicking MECX Global.  I reported the fake sites to: Reg[.]ru: the domain registar Digital Ocean: the webhosting provider MECX Global: the site being impersonated A week later I decided to check the status of the sites.  I found the following: 8 sites appear to have been taken down 1 site was unresponsive 1 site had a Metamask warning 17 sites remain active I was really happy to see at least one of the sites was flagged by Metamask, and that also directed me to one of my new favorite sites: It's not great to see that 17 sites remain active, and here is a list of all of the sites current states as of this posting: bin-core[.]com: Active bit-camp[.]com: Down bit-cron[.]com: Down bit-ext[.]com: Down bit-green[.]com: Down bit-investor[.]com: Down bit-thor[.]com: Active

Vrytex et al. Impersonating MEXC Global

It was bothering me that the group of scammer sites I was looking at today, for example vrytex[.]com, all had what looked like some reasonable page content including a FAQ with the kind of questions and answers I would expect on an actual exchange site. I figure it had to be the case that they were impersonating an actual exchange and I think I found it. The scam pages appear to be ripped off from MEXC Global, While I'm not familiar with MEXC, the scammer pages are basically simpler versions of the MEXC page.  I reached out to MEXC on twitter and will email them shortly, but I imagine they must have come across these scam sites already. At least now MEXC can go ahead and raise an official impersonation complaint against the scam sites and get them taken down since this would definitely be brand infringement.  Here's hoping their security team is already on it.

Down the Domain Research Rabbit Hole

Let's face it, being anonymous is hard if you're managing a large volume of scams. You have to be able to hide your tracks really well and assume no one is going to take the time to go far enough down the rabbit hole to find anything useful. Turns out, I'm on vacation this week, and what better way to spend it then heading down a rabbit hole. Pivoting from the 12 domains and the email addresses mentioned in the last post, it looks like there are several similar domains using the same name server.  That brings the full list to: bin-core[.]com bit-camp[.]com bit-cron[.]com bit-ext[.]com bit-green[.]com bit-investor[.]com bit-thor[.]com camp-bit[.]com camp-token[.]com chain-bit[.]com coin-bin[.]com cron-bit[.]com crypto-floor[.]com ext-bit[.]com first-token[.]com flow-bit[.]com link-token[.]com market-token[.]com more-bit[.]com set-bit[.]com temp-bit[.]com token-club[.]com token-next[.]com token-smart[.]com vrytex[.]com wall-bit[.]com If these domains weren't so similar I

Fake Crypto Sites Followup

After a bit of digging I think I've found the batch of domains that were all registered on January 13th 2022 that are involved in the recent uptick in discord direct message scams.  These are all associated with the email address avgustaefremova1993@bk[.]ru. Avoid these sites.  I'm hoping that by reporting them to Digital Ocean and reg[.]ru we can get them taken down quickly. bin-core[.]com camp-bit[.]com camp-token[.]com coin-bin[.]com cron-bit[.]com ext-bit[.]com link-token[.]com market-token[.]com more-bit[.]com set-bit[.]com temp-bit[.]com token-smart[.]com token-next[.]com There are an additional two domains that are registered using a different email address, but still associated with LLC Good using the identity Ovidiy Lapin, ovidiilapin2872@list[.]ru. bit-investor[.]com first-token[.]com These were registered on January 8th 2022, so slightly earlier.  Time to pull the thread on Ovidiy. Sure it feels a bit like whack-a-mole, but at least we can try to get these things kno

Fake Crypto Exchanges

Remember: Turning off direct messages from people you are not friends with is one of the most effective ways of avoiding Discord Direct Message scams. Things have been heating up on the Discord direct message scam front, and with the addition of the #report_scammers channel on the Guild of Guardians Discord it's much easier to report these scams and the Discord moderators are doing a great job banning Discord accounts. The scam flavour of the month is a bit more generic than the previous Guild of Guardians themed token sale sites.  In this scam the fake webpage is probably re-purposed for many crypto scams. It starts with a direct message like the one here: The premise is that there is a giveaway of BTC to attract new users and you have to go to the site and register, then provide the registration code. You can tell this is a generic scam re-purposed to target the Guild of Guardians family, as BTC would be a very odd prize for GoG users... wouldn't you give out ETH, GoG, or NF