Bitcoin Forum

This email was sent to me, but the link actually pointed to a phishing site:

http://maxpara[dot]vn/login/?u=TradeFortress&r=4589356.0 << DO NOT ENTER LOGIN DETAILS ON THIS PAGE

https://i.imgur.com/5IlvD0y.png


I didn't fall for it, however I have reasons to believe that the same scammer was responsible for successfully impersonating me and being the 'man in the middle' between a CoinLenders user.

The scammer originally emailed me, claiming to be a CoinLenders user (https://bitcointalk.org/index.php?topic=4589356.msg41741171#msg41741171). They used a different email address to the actual user, being hardymlt@safe-mail.net

When I asked the user to email me from their registered email, they were able to convince the actual user to do so, by emailing them from TradeFortress@protonmail.com (which is fake). The actual user sent evidence that allowed me to verify the claim.

A reimbursement of 50.625732 BTC was made to 1Aztzs1qHqKiVuZaoa7s23KoHCjeBSeqrT. The funds are currently residing in 1B5b3CcSG5YP9JavrKv8UwV3dcgpT4g3wV


I believe a good starting point to track down this scammer is the domain name maxpara[dot]vn ; I believe it is a website operated by the scammer (and not a hacked website) given its content.

A reward of 20 BTC will be offered to anyone who provides information that leads to the arrest of this scammer. I'm not super expecting this bounty to be filled, however I'm sure this scammer has put his hands in many pots before; and it looks like there is lots of info to track him down using maxpara[dot]vn

Escrow can be arranged.

A google search of hardymlt@safe-mail.net reveals a password dump paste, which contains that email.

Please note that the email account could be a fake name, or a hard amount, and the username in the dump should not be presumed as the scammer (at this point).

I believe this case is associated:

https://bitcointalk.org/index.php?topic=4304199.msg%msg_id%

It seems that your attacker deposited 0.7BTC to whatever service owns this (https://www.walletexplorer.com/wallet/000020ca924cef05?from_address=3NFu8iQdp18fmgYXFX78V4iqviLFWXTcZd) wallet.

Looking for an escrow for this bounty, 0.25 to 1 BTC payment:

https://bitcointalk.org/index.php?topic=4627105.0

If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.

Keep in mind it's possible that the person using it now isn't the same person as SLNTAR as it appears SLNTAR just runs a bot and hacks websites en masse by the looks of it.

edit: also looks like there was another scam on this website pretending to be an ico preregistration

If the website owner isn't the culprit it's likely he can still get the server logs and send the IP of the operator accessing it -- however, by the looks of it he is some Vietnamese dude selling illegal clothing dupes, so that's fun

extra edit: It actually looks like the website might be owned by a Vietnamese company that sells kitchen appliances based on the whois information. It appears this is a legit business with a physical location in Vietnam. If you can somehow get someone who knows Vietnamese to help you get them on board your investigation it is likely that there are log files which will COULD give you more information on whoever is doing this. They have a facebook page @ https://www.facebook.com/maxpara[dot]vn and the email listed on the facebook is minhhuy.maxpara@gmail.com

Contact someone from the following lists:

- Recommended bitcointalk escrow services (https://bitcointalk.org/index.php?topic=2439910.0)
- ⛓LIST⛓ BitcoinTalk's Escrow Providers: Ranking & Blacklist ☠ Avoid Scammers ☠ (https://bitcointalk.org/index.php?topic=276897.0)

---

Don't contact me (unavailable until August 12 + IIRC, I never held $100k or more).

Considering that the domain is still (http://archive.is/vJ2S6) being used as a phishing site to steal login credentials, I would say whoever currently is in control of the domain is the culprit.

I wouldn't overestimate the technological ability of random Vietnamese business owners. It is highly likely that: a.) they are technologically uninclined b.) started the website for their business legitimately as they still list it on their Facebook page to this day even though it's not currently in use

They probably were using a vulnerable version of some publicly available software  which then allowed someone to upload a shell to the website. The owner then likely probably set the entire website to the current default page as a remedy to the problem. If the vulnerable software in question was something like an online store to sell their kitchen hardware, they could have deleted that but the shell could have given them SSH access to the entire system or worse. The alternative is the website could have been vulnerable to some other remote exploit due to outdated server software which would mean the attackers still got SSH access and owned the server.

By your logic, a bunch of Vietnamese kitchen hardware dealers (who own a physical building apparently???) are using their own website which was hacked at least once before to scam people. The business is registered in Vietnam and it's listed on their Facebook page and on the domain registration so I think it'd be a little dumb for them to use that as a platform if the culprit was they themselves.

The phishing pages aren't extremely sophisticated but by the looks of it they were probably created from scratch or using a program and the ICO page has an advanced mechanism that a.) only allows 1 registration per IP to prohibit bot spamming or the like and b.) requires passwords of 8 characters. The website also uses fairly good English and punctuation which it is evident the owner of the website or whoever is operating their social media does not have.

The person who executed the scam seems technologically savvy and is at least familiar with the English language which it doesn't appear the people at Maxpara are. All evidence points to the website being used by external people to run their scam to avoid getting caught. Someone who is smart enough to code their own phishing page that shows a relative familiarity with computer programming probably isn't using their own domain name with no whois protection to run a scam. It'd be funny if it actually was Vietnamese kitchen dealers but unfortunately if it's probably not

Quoting this post, 0nc3forg0tt3n had also pretended to be another CL user so they may be related, or they may be another person.

In any case, the email communications of the maxpara phisher did not demonstrate solid English. English is definitely a very second language for them; there is no reason for them to use broken english while trying to pretend to be me and communicate with a CL user.

The facebook page lists bepminhhuy[dot]com as their website, while their facebook page is called "maxpara[dot]vn"

This leads me to believe that the business owner in Vietnam created a website on the maxpara domain, created a Facebook page with the same domain, then somehow lost access to the domain (and/or server), and created a new website on the bepminhhuy domain, and forgot about the maxpara domain.

cheers, this is very helpful, I have reached out to them

I am not related but it goes to show how many people are hustling on this forum and how careful you have to be.

I didn't read the emails you uploaded, I was only going off what I knew from examining their website.


Interestingly enough, the website was compromised by SLNTAR on May 16th (or the 18th I can't recall what the mirror date was and I cba to look again) and on May 28th the domain was being used to scam Bitcointalk users. Again though, SLNTAR appears to be using automated methods so it's possible multiple people were able to gain a foothold into the website. SLNTAR doesn't appear to have a good grasp on the English language and (his instagram is in arabic).

There's publicly available information to contact the company who owns the domain to the website and assumingly the server. If you can contact them, theoretically you could get the logs and locate the person who uploaded the shell/compromised the server. The language barrier might be an issue but their cooperation is probably your best bet here

The best avenue besides that for you to take would be Blockchain analysis. It's a long shot but there's always a possibility of something coming up.

If the victims of the scam were able to provide additional information on the perpetrator/copies of emails (with metadata as to see what server the spoofed emails are coming from -- are they coming from a public service or a private server? It's a good question and if it's a private server then you have a good lead there. received that'd also be useful.

edit: also didn't read your response before posting but no problem lol it's kind of like a puzzle to be solved and puzzles are exciting

In response to Quickseller, it's possible that they just switched to the new website because the old one was defaced and they didn't know how to fix the vulnerability or whatever so they switched domains/hosts to alleviate the problem. I didn't check the registry but the odds are that they still own the domain and the server that hosts it as the IP of the website is the same as it was when it was mirrored on May 18th. I'll check later though

Looks like “team scotaloo” has now hacked maxpara vn:

http://archive.is/2X9jf

So the site is still vulnerable and anyone who downloads Metasploit can probably get a foothold, amazing


Hopefully the people who hacked it just now are competent enough to get the logs for you so you can figure out what dumb person made it

I have some IP addresses! Thanks for the source who supplied the info below, reportedly from the Maxpara server.
I will be compensating them with some BTC tomorrow for these important discoveries.
—-

Email I received below:

One things that sticks out to me in the logs is this:

5.59.62.208 - - [05/Jul/2018:01:52:27 +0700] "GET /login/?u=MiningBaby&r=3034878.0 HTTP/1.1" 200 132220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36"
196.122.160.233 - - [05/Jul/2018:02:10:50 +0700] "GET /login/ HTTP/1.1" 200 132206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"
196.122.160.233 - - [05/Jul/2018:02:13:47 +0700] "POST /fonts/a.php HTTP/1.1" 200 4461 "<removed phishing url>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"

/fonts/a.php is a php web-based shell that is being quite frequently used. There are 90 hits to that page from 3 different IPS:
196.121.75.176
196.122.160.233
45.219.197.30

Obviously if you look through the logs this server is getting pwned by every spammer on the net, but what strikes me about this activity is that:

* This is a web shell, the person is manually logging into the server via his browser.
* It often happens right after there are hits to the phishing page, such as shown above, and the phishing page only logs the last login attempt so the phisher would have to be quick.

Well, it turns out this guy is actually from Africa. Morocco to be exact. (Before successfully impersonating me, he claimed in a email that he is from Africa). Those IPs also aren’t proxies or VPNs.

I’ll be doing some research to decide the next course of action. But just throwing this out there: if anyone is near Morocco, or would like to visit Morocco for an all expenses paid trip (and then some), let me know!

NOT TRUE,

First thing; you need to Note that NO ONE SKILLED ENOUGH TO RUN SUCH A PHISING PAGE, would be DUMB enough to Leave IP tracks that silly!  They always, and always will stay behind fake IP protocols.

He could be running from a hacked RDP or RENTED -- How would you defend against that? N/B RDPs will never reflect as proxies or VPNS.

The second point already rules out the addition that he is from Africa.

The guy is VIETNAMIS to be precise! I have full activity change and log... WHOIS hide log, Government records, facebook aliases, relatives aliases And business change after he pulled the scam successfully home address and lots of proof that you can actually present to a law enforcement for apprehension. You can not use just IP to table a case in such a matter. If you still interested in my finding I will drop it to yah.

And if I may add. Whoever's behind maxpara.vn has been cleaning tracks in an Impressive way!! After this expose.. his killed the official facebook page which is  https://www.facebook.com/vmaxpara . But  minhhuy.maxpara@gmail.com and https://www.facebook.com/maxpara.vn fucks him real hard. He went ahead and pulled down the official website that had his real  whois and contacts right on afterwards... Forgets a name change and something very vital! and btw @TradeFortress  so you know; this B/S started to run ON 29 December 2017 and nothing as genuine as you would think. @Elles was  hired by to market the link smh... acting like he doesnt know shit ! I got it all.

Hey Exploit01, please let me know what you have found here. I don't consider the scammer to be technically skilled at all; the phishing page in itself is very primitive and reportedly the code only stores the _last_ password.

The following files are courtesy of scotaloo; who despite our history I have chose to sent him 0.25 BTC out of the bounty in order to reward him for his efforts.

Access logs: https://mega.nz/#!KxhyCK6S!cPInrNU2tIJF9LP30Upex7Z6j4CAEAyad0APxqXaFFs
Extra logs: https://mega.nz/#!T5pymarT!oKVdk3yG4V16SBBHAHzc2fGOrWCijednGa9U6FRgOD4

Dump of public_html (431MB): https://mega.nz/#!y8QDkAzD!cB_B-fG9oA0t8lBRq8LMa_tN3KOKiol6FTwGSAXIexA

I have given you the direct proof and link to the people invloved. The main guy behind spreading the link on bitcointalk is  "Ellles" don't know if the alias is right on here.

SLNTAR goes by the user "Ellles" on this forum. He is currently marketing something to do with Ico on his facebook page. You can check his facebook account. @TradeFortress knows about him already. They ignorantly and stupidly left traces everywhere.

Can you give evidence SLNTAR goes by the user "Ellles" on this forum?

Sent you a message.

MAJOR UPDATE ON SLNTAR AFTER HOURS OF WORK.


Slight confusion UPDATE!

SLNTAR who goes by https://www.instagram.com/mwr/ does nothing apart from hacking vulnerable websites for the fun of it. He is an expert, and only asks for bounties where necessary (majorly Deep web sites). I doubt he would make such a crappy phising page, do such a shady job and pile the time to market it to bitcointalk users. And yes he is ARAB.

This is how he operates: https://www.google.com/search?client=ubuntu&channel=fs&ei=ajVGW7nFDcGoUYynlZgK&q=hacked+by+SLNTAR&oq=hacked+by+SLNTAR&gs_l=psy-ab.3...2582.4449.0.4671.0.0.0.0.0.0.0.0..0.0....0...1c.1.64.psy-ab..0.0.0....0.-jDei02kZgM

He did hack the site before, but after the compromise, as seen in a mirror of the website from May 18 2018. The "owner/developer" of the website regained control and major changes were done on it.

I believe @TradeFortress Now have enough links, contacts and leads to table to the authorities and Apprehend the culprit.

Still waiting on @TradeFortress to send the Bounty my way as agreed.

Still no word from  @TradeFortress, he seems to be ignoring my Messages yet we had an off escrow deal hope am not played lol.

Exploit01 how do you know if this person didnt steal someone identity? Have you factor that in? Considering the fact that you mentioned someone possibly used a vpn (or maybe took advantage of someone network), you shouldve factored that in. Plus on top of that, the links doesnt exactly prove it enough or even warrant authorities to take action. If it does, it doesnt happen over night and depending on the location the authorities would have to work with other country authorities to take proper action. I extremely doubt that the information you have provided (if correct) is enough for them to take action. They may put it on the back burner.

I submitted every detail via Private message to TradeFortress. Included extra informations he asked for.... But he seems like a selective scammer. Actually based on 2013 reviews that he himself had pulled an impersonation scam attempt makes this thread a scam conseal attempt. He could have been involved yet claims impersonation.

Quote
Checking Domain Name
Domain Name: [phishing]
Top Level Domain: VN (Viet Nam)
DNS Lookup
IP Address: 125.253.112.146
Geolocation: VN (Viet Nam), 67, Tra Vinh, N/A N/A - Google Maps
Reverse DNS: mail112.e146.evlms.net

Also, this IP address is linked to this guy :
(original WHOIS query : https://www.whois.com/whois/125.253.112.146)
Quote
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '125.253.112.0 - 125.253.127.255'

% Abuse contact for '125.253.112.0 - 125.253.127.255' is 'email@vnnic.vn'

inetnum:        125.253.112.0 - 125.253.127.255
netname:        ODS-VNNIC-VN
descr:          Online data services JSC
descr:          123 Truong Dinh, dist 3, HCMC
country:        VN
admin-c:        HTV3-AP
tech-c:         HNT6-AP
status:         ALLOCATED PORTABLE
remarks:        send spam and abuse report to email@ods.vn
mnt-by:         MAINT-VN-VNNIC
mnt-lower:      MAINT-VN-VNNIC
mnt-irt:        IRT-VNNIC-AP
last-modified:  2010-12-29T01:48:01Z
source:         APNIC

irt:            IRT-VNNIC-AP
address:        Ha Noi, VietNam
phone:          +84-24-35564944
fax-no:         +84-24-37821462
e-mail:         email@vnnic.vn
abuse-mailbox:  email@vnnic.vn
admin-c:        NTTT1-AP
tech-c:         NTTT1-AP
auth:           # Filtered
mnt-by:         MAINT-VN-VNNIC
last-modified:  2017-11-08T09:40:06Z
source:         APNIC

person:         Hoang Ngoc Tuyen
nic-hdl:        HNT6-AP
e-mail:         email@ods.vn
address:        ODS-VN
phone:          +84-28-62888999
fax-no:         +84-28-39320299
country:        VN
mnt-by:         MAINT-VN-VNNIC
last-modified:  2018-01-04T08:44:16Z
source:         APNIC

person:         Huynh Trong Van
nic-hdl:        HTV3-AP
e-mail:         email@ods.vn
address:        ODS-VN
phone:          +84-28-62888999
fax-no:         +84-28-39320299
country:        VN
mnt-by:         MAINT-VN-VNNIC
last-modified:  2018-01-04T08:43:53Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US4)

Even though that web hosting company is vietnamese (https://www.ods.vn/default.aspx) , I guess you should be able to contact  them, since you would be engaging a law action against the scammer, and should be able to retrieve informations about the guy who bought that domain.

Even then, if this isn't the right person, and that website has actually been compromised by another person, as some persons might have stated it above, then ods.vn will be able to confirm that theory because of suspicious logs on their backend (because obviously they will have suspicious logs that aren't the ones of the owner)