Uncovering a “Bitcoin Generator” exploit scam

*Note: after a year of sitting in the draft folder, I decided to publish this article as is. The accounts are no longer up and the websites are also down, from what I have checked. Be safe and enjoy!

As Benjamin Franklin once said “… in this world nothing can be said to be certain, except death, taxes, and internet scams” or at least that is what the internet told me one time.

It is nothing new to anyone who has been on the internet in the past couple of years that “Bitcoin” and “Cryptocurrencies” are the new hot things going around. Pretty much the only thing people know about them is that no one really knows how they work and that everyone but you is getting super rich off of them *Spoiler alert: both are false*. Since Bitcoin is currently the most popular cryptocurrency, it comes as no surprise that there are many scams claiming to have found exploits or vulnerabilities that can “give you free bitcoin!”. Today I will be writing about how I found one that is currently floating around and some interesting things I found out about the scammer and the scam.


How the scam works:

I have posted about cryptocurrencies (from now on I will call them cryptos) on my Instagram and occasionally browse around on Instagram. I noticed that I was being followed by a few bots like this one.

Wow, look at that! You can get free bitcoins by going to that website, how nice of them. To just about anyone reading this (Hello hackernews or other techies) it is obviously a scam: the protocol of BCash is just a fork of Bitcoin that was designed to protect against replay attacks from the beginning, and the page also just looks super scammy.


Let us jump right into the website and get us some free Bitcoins! For your convenience I saved a copy on the Web Archive, which you can go to here: https://web.archive.org/web/20180408225415/http://bitcoinswap.space/ It should work just fine since it is all just a bunch of Bootstrap and flashy JavaScript to make you think it is “injecting” your Bitcoinz into the Blockchain, cause that’s how that works, right?!?

After we tell it to send our free Bitcoins to our wallet address, it tells us that we must pay the miner fee to a particular address. You can view all of his transactions here: https://blockchain.info/address/1HACKEDi2wnTJ5hVjdSQdb6mv4Yp5ZCQtv Yes, you read that correctly. His (more on their identity later) wallet address starts with “1Hacked”, because everyone in Bitcoin is a 1337 hacker! After the victim sends the scammer .001 BTC the scam is over, and all the Bitcoin is lost into the ether of the Blockchain *cue scary music*. The scam overall is pretty simple and short once the user lands on the site. I find the code behind the scam to be much more interesting.

There are a few interesting things I would like to point out. First, the wallet address is actually dynamic and gets pulled from another URL owned by the same scammer; I have saved the txt file that the site links to: https://web.archive.org/web/20180408230520/http://coin-pump.com/addr.txt The second interesting tidbit is that the blockcypher.com URL is hardcoded in the page and is purposely incorrect, to further the legitimacy of this “Bitcoin Generator”. The third and final point is something you may have noticed: why is it pointing to coin-pump.com? The answer takes us even deeper into the scam operation.


Code behind the scam:

Taking a look at the source code showed that the site is just a copy-paste of the main web page of coin-pump.com. I saved the 3 main JavaScript files from the site, as they are pretty interesting. The text files can be found here (these are links to my site):

Main

Standard

Compressed


Main and Standard are the most interesting files, since they take care of the site and the “Exploit module” once you put in a Bitcoin address, or any text for that matter.

Main includes everything on the page, including the chat! Obviously those are all real people talking about how they scored a bunch of Bitcoin. Don’t call them bots either; they will firmly respond swearing they aren’t bots, with great one-liners like

“are you stupid or something? they have anti bot protection” or “no, we’re not bots. go and get your free btc ;)”

Truly the work of a master. What is even more entertaining is the list of usernames for said “not bots”. The names range from normal internet usernames, professional League of Legends players and Twitch streamers, to straight-up “internet cancer”, as some might say. The following are some sample names:

“VoyboyCARRY” “Jintea” “nokappazone” “TwitchTvAuke” “C9Balls” “ninjamaster69xxx”

Standard is where all of the showmanship takes place, aka the loading bar with lots of tech phrases like

“Tunnelling via be6e:854229af:c9a::34” “Reading Blockchain Head…!” “Removing exploit code from blockchain…”

Remember folks, don’t forget to tunnel through an invalid address and then remove stuff from the blockchain; that is a very important step. Ok, sorry, I couldn’t help but make a joke at this, because if you know about Bitcoin and how it actually works, then this is extremely ridiculous.


Scale of the scam:

The final part I will hit on is the scale of the scam. In terms of profit, it looks like the scammer hasn’t even made 1 Bitcoin off of it, but the address only received its first payment in early March, which leads me to believe that he changed it. That number is surprising because of the number of sites he owns. Doing a WHOIS lookup on the domain brings up his, supposedly, real info, including his email: https://whois.icann.org/en/lookup?name=coin-pump.com

Furthermore, we can look up the other domains that are registered to that email address here: http://viewdns.info/reversewhois/?q=yaaa_who%40yahoo.com

As you can see, he owns quite a few domains for cloning Bitcoins with the “special flaw” that he so kindly shared with the world. Looking into the domains further, they seem to be hosted on the same server, along with a couple of other domains registered under a different email.


In conclusion, be safe on the interwebs and make sure to always triple-check something when it looks too good to be true.