Bitcoin Forum

Hi All,

Could somebody help me ?

I traded  2.1 BTC with someone with Cash in IDR ( there's still few BitCoin  market in my country ), everything seem ok. And after i have deal and transfer the money, instead the sending the BTC to my wallet, he give me private key  to be scaned on the blockchain wallet.  He said to make no fee transaction, i accepted his argue. So i scanned and import it, and i can see my wallet has been added with the 2.1 BTC.  But there's problem when i trying to move the BTC to my empty wallet it always have warning ' invalid signature ' and i cannot move the BTC. Then he said should wait for 24 hour before can spend it. But it not gonna make it.

So could somebody explain,  if this guy trying go fool me ??

Thanks,
Cheers

Good lord!

He gave you a private key that he still has access to. Next time have the coins sent to your wallet immediately during the sale.

Are the coins still at the address?

Hi Lucky,

Yes  the coin still on my wallet , but i cannot make to move  or  to spend it, there always has warning. ' Invalid signature '

Have you tried to import the private key?

Yes already, now in my blockchain wallet i have two address, my own address, and the address of Bitcoin Seller

If using blockchain.info, generate a new address, therefore one which only you control, and send the coins you received to it. If you can do this, you're okay.

If you cannot move the coins, it is because you have imported a public key which is for your purposes the same as an address. You must import the private key. If you only received one string of letters / one QR code, and you cannot do anything but look at it, yes, it would appear you may have been had.

Thanks for the feedback,

I am sure that i imported the private key,  I used scan private key from the Blockchain wallet on Galaxy4.  after i imported , i got the coin just can spend it.

So i trying again create new account  on blockchain.info. And imported again. Now i have two account and all have same amount, thats suprise me that two account can have same wallet address. But both of them cannot be spend. Confusing ..

Bitcoins are held in the private key, not in the account.

Ask him to send the BTC to your own address. Otherwise ask for your money back.

serotin
Member
**
Offline

Activity: 70


Minning powa


View Profile  Personal Message (Offline)
Trust: -6: -1 / +0(0)
Warning: Trade with extreme caution!
(No subject)
« Sent to: ironmask on: Today at 07:46:09 AM »
Reply with quoteQuote  ReplyReply  Remove this messageDelete 
i can help you out with the problem
give me the private key and your permanent wallet adress,i will transfer them to your main wallet


Why you PM me, help with on public area please, i will appreciated

yes he gave me the private key, just curious maybe the private key already passworded

Well at least you know not to fall for that business.

Okay, let's figure out what's happening here. Give us the address in question. This is the PUBLIC one — technically, when we say address we mean the hashed and Base58-encoded version of the public key. These are the same thing, just displayed differently. Assuming you received it in a normal format (and you must have, because you imported it into a blockchain.info wallet, which only accepts major formats), you're looking for a string of characters beginning with 1, no less than 27 characters long, and no more than 34.

My forum address has a few vanity characters at the front, and looks like this: 1FENiXqLFhJQeoMA5rVAGXGjTgHgSNz7Sc

As you noticed, multiple people can look at the contents of an address at the same time without any effect on the control of it. This is what I intend to do: look at it and make sure there are really coins there, and see if there are any wacky requirements on the last spend that would prevent you spending them (very unlikely).

This is his wallet address

https://blockchain.info/address/1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh

and the private key

5HpHagT65TZzG1PH3CSu**k8DbpvD8s5ip4nEB3kEsreAbuat**

So he give me the QR Code of private key.
But i think the address he give to me is the  default address when open account on blockchain, so actually the empty wallet but he already  have some another wallet that have coins inside. So when i  scanned and import the private key its appear 2.279 BitCoin.

Yes ..  I already ask my money back, and the guy disappear now after his SCAM  is exposed. So I plan  to make report for Police department . 

If importing the private key gives makes 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh appear in a brand new wallet, you definitely have the coins. They're still there, and the private key won't generate that address out of nowhere otherwise.

When you imported the private key, it should have given you the option to "import directly" or "sweep". It would also have shown a balance. In fact, if you begin a new wallet on blockchain.info, it will do this now as well, if you try to again import it. I'm not convinced you were scammed yet, but you may have your funds stolen soon, since you posted your private key with only a few characters missing from it. There are a bit less than 11.5 million combinations to complete the key you posted, and probably only 1 is a valid WIF-type, if we assume that it is one. (The probability of an accidental WIF is pretty incredibly low.)

At this point, you might want to take your chances and PM me the missing characters. I'll recover your BTC for a 5% finder's fee, if I'm able to do so. You can't wind up any worse off than you are now. It's your call, but consider that if I were motivated I (and many others on this forum, so you should figure out what you want to do pretty soon) could write a quick script to run through those 11.5 million combos and check for one that zeroes out to a valid WIF key. In fact, if I don't hear from you soon, I will prooooabbably do it anyway, because if I don't do it someone else soon will. If I collect them that way, I'll give them back for 10% (for the extra work involved writing the script).

I'll also be happy to show you where you went wrong, if it turns out that was the case.

I send it the private key already, please find out what happened

*sigh*

Yes, you've been had. How did you get the public address? The private key you sent me does not correspond to it, and is one of a small handful of "valid-looking" WIF strings that, after the checksum is decoded, result in garbage. In this case, the supposed actual private key is all zeroes:

http://s7.postimg.org/podatq10n/fake.jpg (http://postimg.org/image/podatq10n/)

That key has been published before during the directory.io bit back in the day: http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_directoryio_thing_is_fake/ (http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_directoryio_thing_is_fake/)

Many different odd errors arise from trying to use it, depending on the client. C's address verifier completely crashes if I try to check it a certain way. You can however look at what I'm talking about here: http://gobittest.appspot.com/PrivateKey (http://gobittest.appspot.com/PrivateKey)

That presents the most accurate answer. It's not included in my screenshot, but if you test it yourself, it's at the top of the page in red: Private key is not on curve

It's a deliberately-chosen "private key" coordinate that does not have a coordinate pair. It is not a point in the elliptical curve used in Bitcoin at all. (According to most client interpretations.) You can actually send coins there with certain clients and retrieve them also, but, as you can see here: http://directory.io/0 yours is the very first one, and has been used before, and is definitely not the key to the address you were expecting, with 2.2~ish BTC.

Thank you for the analysis, i saw the QRCode of private key is  likely not flat, can it make the problem ?, i send to you the original QR Code which he send to me

I can import the QRCode to the blockchain wallet perfectly, and get the coins (2.2 BTC ) without addressing the public key at all.

No, the QR Code and WIF_PrivKey you showed me are for a private key, in hex form, of *ALL ZEROES*. Blockchain.info does not parse that properly (it will tell you "Error importing private key: TypeError: this.x is null"). Which is pretty irrelevant, because even if it could, the addresses associated with that private key are https://blockchain.info/address/1MsHWS1BnwMc3tLE8G35UXsS58fKipzB7a and https://blockchain.info/address/1Q1pE5vPGEEMqRcVRMbtBK842Y6Pzo6nK9 (uncompressed, and compressed, respectively; the compressed WIFprivkey would be KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73Nd2Mcv1 btw, but blockchain.info will error out on that one as well), neither of which is the address you're talking about, and neither of which currently has coins.

Edit: public addresses based on list at database.io; perhaps the nature of that site didn't require complete  protocol compatibility. The ones I listed may not be (or at least not the only) addresses for this privkey.

The public address you showed us all way earlier has a couple BTC, yes. However, none of the information you've showed since (QR code, private key, etc) grants you spend power over those coins, and there is nothing we can do about that. If you were scammed, that is truly unfortunate and I am sorry about that, but unless the guy gave you any other QR codes or something, we can't do anything I'm afraid.

Also, to your question, that I think you're asking about QR scanning... no, if it "scans" and gives you characters, it is very rare for it to have been a "mis-scan". And if it did misscan, which I have been occasionally, it is unfathomably improbable that it would become a privkey of all zeroes! It doesn't mess up by a letter or two, it'll turn a string like KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73Nd2Mcv1 into something like a few letters, weird ASCII symbols, that kind of thing. QR codes don't have to be flat. Either they scan or they don't. That's part of the crazy pattern on them, to allow for the correction of skewed and off-axis camera angles.

Anyway, bottom line is, if that's the QR code he gave you, while you thought your coins were at the address you gave way earlier, yes, it seems you were scammed.

Thanks i will make some learning about what you mention earlier.

I send video to you how i scan , and import the private key also.

Okay, now that is weird. This is something that only is occurring for me on the android app.

Lemme look into this a bit more.

It's things like this that keeps my faith going in this community. FenixRD, you rock! I know you haven't recovered the coins yet (I hope you do), but thanks for setting a good example :)

Okay. So, although the way the Android Blockchain app errors out is new to me, the facts are unfortunately unchanged. Hopefully this thread will help to explain this better:

https://bitcointalk.org/index.php?topic=50206.10

It's about this exact address. It's been collecting funds for several years now. As I was saying before, it's address zero, which is a unique thing in the  protocol. I'm not a SCRIPT expert, personally, but in the thread Theymos and others make it clear that this address is unable to be spent from due to the way the hashing works — it's just not possible to create a valid TX signature for it, even with the "right" private key. This is a very unique phenomenon and yes, by the guy convincing you to accept the coins without Tx, that's how you were scammed.

That said, now that 2.2 BTC is a significant thing, this might deserve to be added to the list of scams to watch for. It's certainly not well-known (there's only ONE zero address, out of the uncountable numbers that exist) I don't think. But again, and someone is welcome to explain how I'm wrong and clarify what Themos means, but if seems pretty straightforward. He says they're unspendable.

I'd have thought a custom client would allow them to be spent, as can happen with pretty much every other nonstandard keypair introduced to the raw blockchain ledger. But it seems zero is unique.

I don't rock nearly enough. I can think of no way to resurrect these coins. People have been wanting to for years. :(

I PMed a couple fellows more  knowledgeable than I to make sure I'm not missing something, just in case.

Oh take the compliment for what it is, seriously! I'm not talking about you're know how to solve this - but you would be hailed as a genius if you succeeded.  :P  What I meant to convey is how refreshing it is to read this thread. I enjoy reading the scams (no pun intended OP, it's so I won't get caught with my skirt up again; learn from others' mistakes), but your willingness to help and the fact that you're obviously not trying to pull a scam within a scam, brings things back into perspective a bit. If that makes any sense :)

Heh. Of course, sorry. I've never been very good at accepting compliments based on effort alone. It is a character flaw of mine. Thank you for the kind words. :)

Indeed, this scam was completely off my radar. Granted, adopting the recommended policy of *always* sweeping funds before completing a deal, rather than accepting an exposed privkey, negates this threat; but, I would not have been looking for this type of thing specifically. And I've been around for a good while. It's a useful reminder to keep the guards up and not make exceptions to the "best practices".

No doubt!
****
dang it... I just read my previous post. I know the difference between you're and your. I hate when my fingers think for me, lol.

FenixRD,

What actually address zero ?  is this address create illegal coin that the protocol cannot accept it ?, why still recorded on the blockchain ?

And how this guy can have the coin ? He said got it from mining ... or it has another way to get coins ?, are he bought it ?

When it's said not possible to create a valid Tx signature its mean that this guy also cannot spend it right ?, but the dangerous thing that he able to make same SCAM scenario again and again, because the coins will always there.

If this so, BitCoin  .. still have big vulnerability due this kind of bug, regular guy like me will be very careful to have any interaction with BitCoin , there still so many threat that us not yet have any clue due security and network protocol.

ironmask,

I'm certain English isn't your first language, so I'll try to translate what's going on:

The address is not creating coins. It's on the blockchain because all transactions are listed. You are correct. The scammer cannot spend the coins, no can spend them. Ever. Coins are sent to bitcoin addresses. So the address can still accept coins, but no one will ever be able to send the coins out of that address.

Honestly, I don't know enough about the technical part to break it down, but I can tell you that it doesn't happen often. Using bitcoins is safer than using your credit card. The problem isn't with vulnerabilities or other security features of bitcoin, the threat comes from regular who don't understand how the system works.

I get it now

https://github.com/jim618/multibit/issues/403

thanks both of you rock !!, this will not make my out from BitCoin,

Cheers,

That's the spirit! Welcome to the world of bitcoin. :)

Yup, :)

there's complete link, this scammer totally AS****E

https://twitter.com/DefuseSec/status/407219888780873728

https://eprint.iacr.org/2013/734.pdf

http://bitcoinstats.com/irc/bitcoin-dev/logs/2013/04/26

https://bitcointalk.org/index.php?action=profile;u=101868;sa=showPosts

https://bitcointalk.org/index.php?topic=252674.0;wap2

https://drive.google.com/file/d/0BxLEEYjCKBuoaDhXRzhra0ZWQjQ/edit?usp=sharing

Cheers,

Impressive - excellent investigation! Do yourself and the community a favor by helping to spread the word that he's a scammer :)