New Crypto Scam! How to Prevent Yourself From Becoming a Victim

Sentinel Protocol Team · Published in Sentinel Protocol · 5 min read · Sep 17, 2018

Blockchain technology adoption is steadily increasing. However, hacking and scam attempts are also becoming more prevalent. Every crypto owner, be it a private person or a company such as an ICO project or crypto exchange, can be a target for hackers. We have repeatedly observed this in the crypto marketplace since its inception, with scams being exposed on a daily basis. An Ernst & Young report showed that more than 400 million dollars were lost to hacks and scams during ICOs in 2017. Blockchain security firm CipherTrace recently reported that $731 million worth of cryptocurrencies were stolen from crypto exchanges during the first half of 2018. Even with such massive amounts of money at risk, no security solutions had been created, so Sentinel Protocol took the initiative to build a crowdsourced threat intelligence security solution to defend against crypto scams.

Black hat hackers use countless methods to steal crypto assets. They were especially effective in the early years of cryptocurrencies because most early adopters were not educated about the common security risks of new technologies. Some of the most frequent security issues were associated with fake wallet addresses, scam exchanges such as BitKRX, fake social media accounts, phishing URLs, and malware.

In this article, we focus on the last of these, malware, and share how we caught a fraud wallet thanks to a report from a user of our Crypto Scam Protection Solution. We hope that crypto users will no longer fall victim to this kind of malicious behavior.

Report by Anonymous User Through the UPPward Chrome Extension

In August we launched the Crypto Scam Protection Solution, a product based on a people-powered architecture that crowdsources the latest information from our crypto community. Users can now search and check data to prevent themselves from becoming victims of scams, hacks, and many types of online fraud. They can also contribute to the ecosystem by reporting suspicious activity, leading to the growth of the decentralized Threat Reputation Database (TRDB) and a safer crypto world.

The Crypto Scam Protection Solution is a synergetic working product of three core components with equally important roles:

  1. TRDB (Threat Reputation Database)
  2. Sentinel Portal
  3. UPPward Chrome Extension

The UPPward Chrome Extension acts as a search engine for secure crypto transactions. The key feature of this Chrome extension is the Reporting Tool, where any user can report suspicious URLs, social accounts or wallet addresses. Once a report is submitted, it is analyzed and verified by security experts — the Sentinels — and the validated report goes onto the blockchain. This is what happened on September 10, when an anonymous UPPward user submitted a case in which he lost his funds as a result of installing malware.

Case Description

The user informed the Sentinels that the installation of two Chrome extensions had resulted in his funds being sent to a phishing address instead of his deposit address on the Binance exchange. The extensions substituted the BTC deposit address shown on the page with the phishing address. As a result, his BTC never entered his Binance account; instead it went to the phisher's wallet.

Together with the description of the case, the following data was shared through the report:

The following is the malicious Bitcoin wallet address:

14yeAMcWE3tJzcxs1RR3d6puHHHPLfc7Gu

The following are the two Chrome Extensions the user had recently installed:

1. “Binance Instant Access”

2. “Binance Desktop Tool — Pro Version”

Case Analysis

When the Sentinels picked this case up, they began their preliminary investigation by submitting the extension files to VirusTotal. This did not flag any malicious activity in the files from the two Chrome extensions. In other words, until the user reported the case through the Sentinel Portal, no available tool detected anything malicious in these files (as shown in the images below).

[Image: VirusTotal result] Extension 1 — Binance Instant Access

[Image: VirusTotal result] Extension 2 — Binance Desktop Tool — Pro Version

Noting the lack of detection of any malicious activity, the Sentinels decided to set up a sandbox environment to further analyze these files.

In the "Binance Instant Access" sandbox run, the results showed that the sole purpose of the extension was to open a new Chrome tab on Binance with a referral link: https://www.binance.com/?ref=17526151

This was also confirmed by looking through the JavaScript code, as shown below:

var openUrl = 'https://www.binance.com/?ref=17526151'; // referral URL opened in a new tab
chrome.tabs.getAllInWindow(null, function (tabs) {

Furthermore, with the "Binance Desktop Tool — Pro Version" extension installed, the Sentinels noticed that, after starting the deposit process in the Binance account, the deposit address displayed was the same address reported by the anonymous user.

The malicious nature of this extension was also confirmed by the fact that, when disabled and the page refreshed, the real deposit address was shown on the Binance exchange.

The same malicious behavior was also shown when using an ETH address.

The address reported by the anonymous user was found in the extension’s JavaScript code along with other types of cryptocurrency addresses:

// hard-coded replacement addresses, one per currency
var key_active = '{"bch":"qrpwppymemxw5aeg2j4yxkvvuw8z3dhg456ytfh6sq","btc":"14yeAMcWE3tJzcxs1RR3d6puHHHPLfc7Gu","eth":"0x159155A7198CB135A14366A87F594D869c01b7C8","usdt":"1CaNBnqVkA34wnvAyzx2MQbkBFDsmJbFYh","ltc":"LMuchiXZZEH6y2uUvX6TxNkGqeSbP8KxyP","dash":"XeQghJN6DNXA25ukUktbBo6kaU5BEDBBfm","etc":"0x0446a80b340f330e78338fd35abb01049a4689ec"}';

// comparisons against further attacker-controlled addresses (fragments as found in the source)
if (check_balase != '19z26FDPfy2u1aruW1RL1YcbSo7GRm7SPv') {
if (check_balase != '0xaf92e963bb0130f778cc85d503749cac0577754f') {
if (check_balase != '13whpwiT6HjtQrBSDkmME6Kt8RqfrQthLW') {
if (check_balase_1 !== '14yeAMcWE3tJzcxs1RR3d6puHHHPLfc7Gu') {
if (check_balase_2 !== '16H5VhFkc4DmMfMPZVcMRzMnbvqZXNvkfj') {
if (check_balase_3 !== '19z26FDPfy2u1aruW1RL1YcbSo7GRm7SPv') {
if (check_balase_1 !== '0x159155A7198CB135A14366A87F594D869c01b7C8') {
if (check_balase_2 !== '0xAbE75a569D4F312327D86e022739EEb17B045beD') {
if (check_balase_3 !== '0x652507829bf1e2065e9892f04037e942c25b68a2') {
if (check_balase_1 !== 'qrpwppymemxw5aeg2j4yxkvvuw8z3dhg456ytfh6sq') {
if (check_balase_2 !== 'qrm3t7s2ndy8qgr9gh5dyc9ev4x8ecrenvlrfx5d9t') {
if (check_balase_3 !== '13nueTPBAiazFtiejfgd3sN7QuCyZEFzg9') {
if (check_balase != '16H5VhFkc4DmMfMPZVcMRzMnbvqZXNvkfj') {

The Sentinels also established that Binance was not the only exchange on which the extension interfered with users' transactions. The same behavior was found on the following exchanges: Remitano, Cryptopia, YoBit and BitMEX. The extension branches on the current hostname:

} else if (window.location.hostname === 'remitano.com') {
} else if (window.location.hostname === 'eth.remitano.com') {
} else if (window.location.hostname === 'bch.remitano.com') {
} else if (window.location.hostname === 'usdt.remitano.com') {
window.location.hostname === 'www.cryptopia.co.nz') {
window.location.hostname === 'yobit.net') {
} else if (window.location.hostname === 'www.bitmex.com') {

The same developer had also released two other extensions that functioned the same way for Poloniex and Bittrex.

For both extensions reported in this case, the developer went a step further and Base64-encoded the wallet address list so that the addresses do not appear as plain strings in the source:

var key_active = 'eyJiY2giOiJxcnB3cHB5bWVteHc1YWVnMmo0eXhrdnZ1dzh6M2RoZzQ1Nnl0Zmg2c3EiLCJidGMiOiIxNHllQU1jV0UzdEp6Y3hzMVJSM2Q2cHVISEhQTGZjN0d1IiwiZXRoIjoiMHgxNTkxNTVBNzE5OENCMTM1QTE0MzY2QTg3RjU5NEQ4NjljMDFiN0M4IiwidXNkdCI6IjFDYU5CbnFWa0EzNHdudkF5engyTVFia0JGRHNtSmJGWWgiLCJsdGMiOiJMTXVjaGlYWlpFSDZ5MnVVdlg2VHhOa0dxZVNiUDhLeHlQIiwiZGFzaCI6IlhlUWdoSk42RE5YQTI1dWtVa3RiQm82a2FVNUJFREJCZm0iLCJldGMiOiIweDA0NDZhODBiMzQwZjMzMGU3ODMzOGZkMzVhYmIwMTA0OWE0Njg5ZWMifQ==';

Wallet addresses shown after decoding the Base64 string:

{"bch":"qrpwppymemxw5aeg2j4yxkvvuw8z3dhg456ytfh6sq","btc":"14yeAMcWE3tJzcxs1RR3d6puHHHPLfc7Gu","eth":"0x159155A7198CB135A14366A87F594D869c01b7C8","usdt":"1CaNBnqVkA34wnvAyzx2MQbkBFDsmJbFYh","ltc":"LMuchiXZZEH6y2uUvX6TxNkGqeSbP8KxyP","dash":"XeQghJN6DNXA25ukUktbBo6kaU5BEDBBfm","etc":"0x0446a80b340f330e78338fd35abb01049a4689ec"}
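Two parts of the analysis above, recovering the address list from the Base64 blob and listing the exchange hostnames the extension branches on, are mechanical enough to automate for triage. The Python script below is an added example, not Sentinel Protocol's tooling and not the extension's code: it pulls string literals out of an extension's JavaScript, decodes any literal that is Base64-shaped and yields printable text, matches address shapes for the currency types listed above, verifies the Base58Check checksum so look-alike strings are not reported as addresses, and lists every hostname the script compares `location.hostname` against. The address regexes, the function names and the sample source are constructed for this example; the public Bitcoin genesis-block address stands in as a known-valid sample value, and the "decoy" is that address with its last character changed so the checksum fails.

```python
"""Triage helper: list hard-coded cryptocurrency addresses and the exchange
hostnames a browser extension's JavaScript checks for, including addresses
hidden inside Base64-encoded JSON blobs. Added example; regexes and sample
source are constructed, not taken from any real extension."""
import base64
import binascii
import hashlib
import json
import re

# Approximate shapes of the address types named in the article (assumption: good enough for triage).
ADDRESS_PATTERNS = {
    "base58check": re.compile(r"\b[13LX][1-9A-HJ-NP-Za-km-z]{25,34}\b"),  # BTC / USDT(omni) / LTC / DASH
    "hex40": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                          # ETH / ETC
    "cashaddr": re.compile(r"\bq[0-9a-z]{41}\b"),                           # BCH without the bitcoincash: prefix
}
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
HOSTNAME_CHECK = re.compile(r"""location\.hostname\s*===?\s*['"]([^'"]+)['"]""")
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """True if addr is well-formed Base58Check: version + payload + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes one zero byte
    raw = b"\x00" * leading_ones + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def try_base64_text(literal):
    """Decode a Base64-shaped literal if it yields printable text; otherwise return None."""
    if len(literal) % 4 or not BASE64_SHAPE.match(literal):
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_extension_source(source):
    """Return {'addresses': [...], 'hostnames': [...]} for one JavaScript file's text."""
    findings = []
    for match in STRING_LITERAL.finditer(source):
        literal = match.group(2)
        decoded = try_base64_text(literal)
        origin, text = ("base64", decoded) if decoded is not None else ("plain", literal)
        for kind, pattern in ADDRESS_PATTERNS.items():
            for hit in pattern.finditer(text):
                entry = {"kind": kind, "value": hit.group(0), "origin": origin}
                if kind == "base58check":
                    entry["checksum_ok"] = base58check_ok(entry["value"])
                findings.append(entry)
    hostnames = list(dict.fromkeys(HOSTNAME_CHECK.findall(source)))  # de-duplicate, keep order
    return {"addresses": findings, "hostnames": hostnames}


# Constructed sample source: a Base64-wrapped JSON address map, a plain-text decoy,
# and hostname branches in the style the article describes.
SAMPLE_ADDRESSES = {
    "btc": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",          # public genesis-block address as a sample
    "eth": "0x1234567890abcdef1234567890abcdef12345678",  # constructed
    "bch": "qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf",  # constructed
}
DECOY_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"  # genesis address, last char changed: checksum fails
_BLOB = base64.b64encode(json.dumps(SAMPLE_ADDRESSES, separators=(",", ":")).encode()).decode()
SAMPLE_SOURCE = f"""
var key_active = '{_BLOB}';
var check_balase_1 = '{DECOY_ADDRESS}';
if (window.location.hostname === 'www.binance.com') {{
  /* page rewrite not reproduced */
}} else if (window.location.hostname === 'www.bitmex.com') {{
  /* page rewrite not reproduced */
}}
"""

if __name__ == "__main__":
    report = scan_extension_source(SAMPLE_SOURCE)
    for a in report["addresses"]:
        print(f"{a['kind']:12} {a['origin']:7} checksum_ok={a.get('checksum_ok', '-')} {a['value']}")
    print("hostnames checked:", ", ".join(report["hostnames"]))
```

Run it against each JavaScript file in an unpacked extension directory; anything reported with `origin == "base64"` is a string the author chose to hide, and a `base58check` hit with `checksum_ok` true is a real spendable address rather than a random identifier, which is what turns a regex match into an indicator worth submitting.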

As of today, the scammer had received the following amounts of cryptocurrency from victims:

BCH 0.42500000: qrpwppymemxw5aeg2j4yxkvvuw8z3dhg456ytfh6sq
BCH 0: qrm3t7s2ndy8qgr9gh5dyc9ev4x8ecrenvlrfx5d9t
BTC 4.63848217: 14yeAMcWE3tJzcxs1RR3d6puHHHPLfc7Gu
BTC 0.14316292: 16H5VhFkc4DmMfMPZVcMRzMnbvqZXNvkfj
BTC 0.0001: 19z26FDPfy2u1aruW1RL1YcbSo7GRm7SPv
BTC 0.01503822: 1CaNBnqVkA34wnvAyzx2MQbkBFDsmJbFYh
BTC 0: 13nueTPBAiazFtiejfgd3sN7QuCyZEFzg9
BTC 0: 13whpwiT6HjtQrBSDkmME6Kt8RqfrQthLW
ETH 24.30768662: 0x159155A7198CB135A14366A87F594D869c01b7C8
ETH 1: 0xAbE75a569D4F312327D86e022739EEb17B045beD
ETH 0: 0x652507829bf1e2065e9892f04037e942c25b68a2
ETH 0: 0xaf92e963bb0130f778cc85d503749cac0577754f
LTC 8.63924826: LMuchiXZZEH6y2uUvX6TxNkGqeSbP8KxyP
DASH 0.0763047: XeQghJN6DNXA25ukUktbBo6kaU5BEDBBfm
ETC 5.43199613: 0x0446a80b340f330e78338fd35abb01049a4689ec
Donation address — 0.39050486 BTC: 1BsVna9WTUZs6DYsEhXsxx686CYfcoR7hr

16 wallet addresses, 3 Chrome extension links and one website address were entered and committed to the TRDB on 09-10-2018 at 15:30:07.

This case illustrates how effective crowdsourced threat intelligence is, and demonstrates how crypto users can help solve cases like this one before scammers cause further damage. Our mission is to continue developing effective security solutions, as nothing is more powerful than a community of determined users fighting hacks, scams and fraud.

Together we can overcome the disadvantages of decentralization by transforming them into an advantage for security. Stay safe by installing the UPPward Chrome Extension.

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud