Bitcoin Forum

Economy => Scam Accusations => Topic started by: Indianacoin on January 26, 2016, 12:49:22 PM



Title: !!! Phishing Site! Beware !!!
Post by: Indianacoin on January 26, 2016, 12:49:22 PM
What happened:
A brand new user named Btctrader12 started PMing me constantly about choosing me as a partner on his gambling site. He then sent a link to a phishing site of Luckybtccasino. He also sent me another link which will probably download a keylogger, and gave fake login details to camouflage that link, saying that they are the login details for the admin panel.

LOL! He thought I was such a fool! ;D

Scammer's Profile Link:
https://bitcointalk.org/index.php?action=profile;u=741689

Reference Link:
1. Real casino site: https://www.luckybtccasino.com/

2. Phishing site:
Code:
http://btcluckycasino.com/
3. Keylogger:
Code:
http://btcluckycasino.com/admin.php

PM/Chat Logs:


Additional Notes:

1. Never feed any troll PMs sent by newbies.
2. Always investigate thoroughly a link given by them. Never follow their instructions blindly for money.
3. Always look for an SSL certificate and verify it if necessary. (Look at the phishing link. There is no https://)
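
Added example, not part of the original post: the link checks from the notes above, scripted in Python against the two domains in this post and the creation date from the whois record quoted later in the thread. The word list, function names, 30-day threshold and the UTC assumption for the post time are illustrative choices.

```python
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: word list for splitting casino-style labels; extend per brand.
VOCAB = sorted(("bitcoin", "casino", "lucky", "coin", "btc", "bet"), key=len, reverse=True)
# Lines copied from the whois record posted later in the thread.
WHOIS_SAMPLE = "Domain name: btcluckycasino.com\nCreation Date: 2016-01-24T16:46:54Z\n"
# Time of the first post; the forum's time zone is assumed to be UTC.
SEEN = datetime(2016, 1, 26, 12, 49, 22, tzinfo=timezone.utc)

def tokens(label):
    """Split a label into known words; unknown characters become single tokens."""
    return re.findall("|".join(VOCAB) + "|[a-z0-9]", label.lower())

def creation_date(whois_text):
    """Parse the first 'Creation Date:' value in either format the record uses."""
    m = re.search(r"Creation Date:\s*(\S+)", whois_text)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone.utc)
        except (ValueError, AttributeError):  # AttributeError: field absent
            continue
    return None

def check_link(url, trusted, whois_text="", seen=None, max_age_days=30):
    """Return a list of warning strings for a link received in a PM."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":  # absence is a signal; presence proves nothing
        findings.append("no-https")
    reg = ".".join((parts.hostname or "").split(".")[-2:])  # naive registrable domain
    for good in trusted:
        if reg == good:
            return findings  # exact match with a trusted domain
        a, b = reg.split(".")[0], good.split(".")[0]
        if sorted(tokens(a)) == sorted(tokens(b)):
            findings.append(f"reordered-words:{good}")
        elif SequenceMatcher(None, a, b).ratio() >= 0.85:
            findings.append(f"near-match:{good}")
    created = creation_date(whois_text)
    if created and seen and (seen - created).days <= max_age_days:
        findings.append(f"new-domain:{(seen - created).days}d")
    return findings

if __name__ == "__main__":
    print(check_link("http://btcluckycasino.com/", ["luckybtccasino.com"], WHOIS_SAMPLE, SEEN))
```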


Title: Re: !!! Phishing Site! Beware !!!
Post by: Indianacoin on January 26, 2016, 01:01:44 PM
For further information regarding the phishing site, here are the whois details.
Comment here if anyone finds details similar to those given below for any previous phishing sites.

btcluckycasino.com registry whois

Domain Name: BTCLUCKYCASINO.COM
Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
Sponsoring Registrar IANA ID: 1606
Whois Server: whois.reg.com
Referral URL: http://www.reg.com
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU
Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Updated Date: 24-jan-2016
Creation Date: 24-jan-2016
Expiration Date: 24-jan-2017

btcluckycasino.com registrar whois


Domain name: btcluckycasino.com
Domain idn name: btcluckycasino.com
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Domain ID:
Registrar WHOIS Server: whois.reg.com
Registrar URL: https://www.reg.com/
Registrar URL: https://www.reg.ru/
Registrar URL: https://www.reg.ua/
Updated Date: 2016-01-24
Creation Date: 2016-01-24T16:46:54Z
Registrar Registration Expiration Date: 2017-01-24
Registrar: Registrar of domain names REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: email@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant Name: Andrey Ivanov
Registrant Organization: Yandex TDA
Registrant Street: Armeyskaya 42
Registrant City: Moscow
Registrant State/Province: MOSCOW STATE
Registrant Postal Code: 121500
Registrant Country: RU
Registrant Phone: +18004699269
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@mail.ru
Registry Admin ID:
Admin Name: Andrey Ivanov
Admin Organization: Yandex TDA
Admin Street: Armeyskaya 42
Admin City: Moscow
Admin State/Province: MOSCOW STATE
Admin Postal Code: 121500
Admin Country: RU
Admin Phone: +18004699269
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: email@mail.ru
Registry Tech ID:
Tech Name: Andrey Ivanov
Tech Organization: Yandex TDA
Tech Street: Armeyskaya 42
Tech City: Moscow
Tech State/Province: MOSCOW STATE
Tech Postal Code: 121500
Tech Country: RU
Tech Phone: +18004699269
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: email@mail.ru
Name Server: ns1.reg.ru
Name Server: ns2.reg.ru
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-01-26T15:58:27Z <<<


Title: Re: !!! Phishing Site! Beware !!!
Post by: Avirunes on January 26, 2016, 01:10:31 PM
Thanks for the whois search.

He is the one who hacked the letyouearn account. Nice work @Indiana


Title: Re: !!! Phishing Site! Beware !!!
Post by: stingers on January 26, 2016, 01:17:16 PM
Why don't you just try giving him a call? He'll get afraid as shit :p .


Title: Re: !!! Phishing Site! Beware !!!
Post by: notaek on January 26, 2016, 03:26:03 PM
Same incident happened with knightdk here (https://bitcointalk.org/index.php?topic=1340882).

Looks like he's on a hacking spree!


Title: Re: !!! Phishing Site! Beware !!!
Post by: WouchtSack on January 26, 2016, 04:52:25 PM
He is back  ::)

!!! WARNING: This user is a newbie. If you are expecting a message from a more veteran member, then this is an imposter !!!

Hello, I have my own project which will became very famous bitcoin casino soon. I need serious people who will help me with it.
 admin(you) should moderate some parts of forum/play on my casino/help me with some things/say me if he detect bugs to fix it and e.t.c I pay 2000$ per mounth also admin have to give me soviets/advices

my skype is damon3228


Title: Re: !!! Phishing Site! Beware !!!
Post by: pinoycash on January 26, 2016, 04:54:06 PM
Better be careful with all the links sent via PM; double check, triple check before clicking. These guys should be banned permanently; ban their IP for life so they cannot come back.


Title: Re: !!! Phishing Site! Beware !!!
Post by: Indianacoin on January 26, 2016, 04:58:08 PM
Quote from: pinoycash
These guys should be banned permanently; ban their IP for life so they cannot come back.

No, this is impossible, because there are so many members browsing this forum with a VPN.
So chances are that the same IP address will get blocked for other members too.

A better option is to ban their profile immediately after they start sending these kinds of messages.
For this you must click the "Report to moderator" option.


Title: Re: !!! Phishing Site! Beware !!!
Post by: Joel_Jantsen on January 26, 2016, 05:00:42 PM
This dude damon3228 is not only hacking Bitcointalk accounts but he is also posting the same ad on other crypto forums such as:
https://cryptocointalk.com/topic/44417-need-administrators-for-bitcoin-casino/

http://cryptocurrencybuzz.com/news/need-administrators-for-bitcoins-casino/

https://forum.bits.media/index.php?/topic/20127-nuzhny-adminy-dlia-kazino-bitkoinov/


Title: Re: !!! Phishing Site! Beware !!!
Post by: mexxer-2 on January 26, 2016, 05:51:04 PM
Unsolicited PM about installing something and entering your details on a site which has a similar name to another famous casino. What could possibly go wrong? /sarcasm
Good thing my advice came in handy for you OP.

Edit: If anyone else gets a similar PM, use the "Report to admin" feature


Title: Re: !!! Phishing Site! Beware !!!
Post by: LordCoder on January 26, 2016, 06:41:49 PM
Malware is packed with Confuser 1.9, common in this kind of malware. I used a quick scan on Malwr (because I don't analyze malware on my computer now). It has anti-honeypots installed; the owner might have bought a crypter to stop that.

https://malwr.com/analysis/NTI2YmMxYmJlNDUwNDY4M2EyNTZlMGUzZjYxZDIwMDE/