Bitforte: A masterclass in scamming

Earlier today I got an obvious scam email:

Return-Path: <no-reply@[redacted]>
Subject: Bitcoin Payment
To: Recipients <no-reply@[redacted]>
From: "Mr. Neves N" <no-reply@[redacted]>
Date: Mon, 11 Oct 2021 19:10:52 +0900

Hi Rob Hoffman, As requested, we have now deposited 30 BTC which amount to
($1,692,796.80 USD) into your bitcoin portfolio at bitforte.net/signin
 Customer Id: [redacted]
Customer Password: [redacted]

I was curious to see how this scam worked, so I fired up my favorite anonymizing VPN and private browser session and went to town.

UPDATE, March 31, 2022: It looks like these folks have changed their name to tatcoin.net. Same folks, same website, different name. Sorry, but that 30BTC payout sent to you by mistake is not real.

Bitforte’s site is ridiculously slick and doesn’t have any immediate hallmarks of a scam or phishing site. There was clearly a lot of engineering work put into it. I was wondering if maybe this was actually a legitim… reputab… um, hm, none of those words quite work in the context of cryptocurrency.

I thought maybe the site itself was operating in good faith, and this scam was operating through them.

Anyway. I signed in with the credentials they provided (knowing full well that this was probably going to put my email address on a list of potential suckers), and the first thing it asked me to do was change the password. Okay, fine, I’m no stranger to using a password manager to generate disposable passwords.

UPDATE: After poking at it some more it seems that many of the scam emails actually have the same initial login credentials, and it seems to only differentiate between “accounts” based on the password provided. The password given in the email starts the scam on a new instance, and they track individual suckers based on the unique password (which ties a phone number to it). So I’m no longer worried that my email address has been exposed to the scammers whatsoever.

Then it asked me to set up OTP via SMS. Fortunately, I have an account with a VoIP provider that lets me easily create burner numbers with voicemail and SMS inboxes, with no risk of calls or texts coming directly to me. I asked for an SMS code, but got it as a voicemail instead.

Anyway, after signing in, it presented me with what looked like a 100% legitimate dangit, there’s that word again. What looked like an actual, functional cryptocurrency wallet. And it showed me as having a “private account” with 30 BTC exactly, after a number of what looked like plausible transactions to someone who doesn’t know how cryptocurrency works damnit… uh… operates. Although there were some terminology things which were pretty strong “tells” to me that this wasn’t legitimate (not to mention the difficulty of ever having a precise amount of bitcoin anywhere, due to transaction fees and the like), and also pretty blatant things like the transaction history predating the supposed creation date of this account.

At this point I can imagine a lot of people thinking this site was for real and that someone had accidentally sent them money meant to be laundered by someone else.

Anyway, I was curious about how far this thing went. There was a “withdraw” function which allows wire transfers and BTC. I happen to have a Coinbase account (yes I know shut up) and so I set up a new BTC wallet on it and tried to “withdraw” some funds to it (even though the proper term would be “transfer” but hey I was playing along here). I got an error that due to the recency of my OTP setup I would only be allowed to withdraw 0.0001 BTC to “verify” my ability to receive funds so that they don’t get “lost.” I’m not sure how one thing would connect to the other but I’ve seen worse security theater.

I figured, worst case, the transaction wouldn’t go through, best case, this actually was a real wallet that really had 30BTC in funds, and I vaguely played with the idea of how I’d go about laundering it if it were actually true. Message 419 was fully playing in my head at this point.

Anyway, I decided I’d plant a few trees and then dutifully did the 0.0001 BTC transfer into my wallet. Then, amazingly enough, I got a notification from Coinbase: I’d just received 0.0001BTC. Which was… quite surprising. Could they somehow recognize that this was a Coinbase wallet and just email me a spoofed email? I checked the email out and everything about it looked legitimate; it came from the same purported servers as Coinbase’s, it had a correct, validating DKIM signature, and so on; if this was a forged email, it was done by exploiting Coinbase’s mailer directly.

I checked my Coinbase wallet again after half an hour or so. The transaction had actually gone through. So I was now about $5 richer, in carbon-burning pretend FakeBucks™, anyway. (Funnily enough, the transaction was pushed through with orders of magnitude more in transaction fees; the scammers actually spent around $470 to send me that $5!)

I tried transferring a larger amount out of the wallet, and this is when the reality of the scam became extremely apparent: it said that my account was set up to only allow withdrawals of at least 30.0007BTC, implying that in order to withdraw I’d have to transfer 0.0008BTC back into it first.

I was willing to play along for as long as I didn’t need to put any money into things, but obviously this was where I cut the experiment off. I have no idea how this scam escalates, but presumably they keep on whittling the target down with larger and larger transaction fees, or perhaps they need a direct payment of some percentage to make it go through, or maybe they pretend that you entered your destination address wrong and would need you to spend even more money to get it back, or whatever.

Out of further curiosity I decided to poke around more on the site to see how far they tried to look like a real wallet provider. Their information pages are all very slick and mimic Coinbase pretty well, and they even have a “sign up” page to make it look like you can create your own account. (This page, of course, leads to a “We are currently not accepting new sign-ups at the moment” message. I’m surprised they didn’t at least make a signup form that gave some excuse about “please give us 7-10 days to verify your account” while adding your information to another database of suckers.)

Parallel to all of this I of course was doing my due diligence and seeing what other things on the Internet had to say about Bitforte. There was surprisingly little about it anywhere, but it was mostly listings on “trust index” and scam sites, and they all rated it as 100% a scam. Tellingly, all of the emails were addressed to “Rob Hoffman” promising some multiple-of-10 amount of BTC, all with different account credentials of course mostly with the same credentials as the one I’d first received.

I also dug around enough to find that the site is hosted in the Netherlands on a fairly expensive dedicated hosting provider. They are trying their hardest to not look like a fly-by-night operation.

The account credentials do seem to be generated and validated server-side, and at least the phony account they gave me appears to keep track of the tiny amount of state necessary to perform the scam. Also, the fake account doesn’t have an email address associated with it on the dashboard; presumably if someone were dumb enough to provide an actual address there, that’d soon be inundated with more scam attempts.

In any case, I am impressed with the relative quality of this scam site, and since the time of the experiment, my actual Conbase… sorry, Coinbase wallet has increased in value to $5.74 (which would cost about 100x as much to actually use). I just wish these folks would use their skills for something, y'know, beneficial.

Well, I mean, aside from scamming cryptocurrency folks. Please keep doing that.

Anyway, now to plant a bunch of trees.

Comments

Before commenting, please read the comment policy.

Avatars provided via Libravatar