Hey Exploit01, please let me know what you have found here. I don't consider the scammer to be technically skilled at all; the phishing page in itself is very primitive and reportedly the code only stores the _last_ password. The following files are courtesy of scotaloo; who despite our history I have chose to sent him 0.25 BTC out of the bounty in order to reward him for his efforts. Access logs: https://mega.nz/#!KxhyCK6S!cPInrNU2tIJF9LP30Upex7Z6j4CAEAyad0APxqXaFFs Extra logs: https://mega.nz/#!T5pymarT!oKVdk3yG4V16SBBHAHzc2fGOrWCijednGa9U6FRgOD4 Dump of public_html (431MB): https://mega.nz/#!y8QDkAzD!cB_B-fG9oA0t8lBRq8LMa_tN3KOKiol6FTwGSAXIexA |
|
|
|
|
The yield curve inversion is probably the most watched indicator in the US economy now, and that makes me curious if plans to market time their entry / exit into the stock market based on this figure.
I was able to make a simple model in Google Spreadsheets that exits the stock market completely when the minimum T10Y2Y of months T9-T21 is less than -0.2%, and that would have successfully avoided every recession with a re-entry position around the bottom.
Obviously, those are very backtested results and I optimised the parameters based on the past recessions, and the big question is if the future will hold the same. I'm curious if there is anyone out there thinking of exiting the stock market, about 9 months after the yield curve inverts and getting back in 21 months later?
|
|
|
|
That will only help with a situation where someone does not have access to the old email. In this case, they did, the scammer just pretended to be me and got the actual accountholder to email me using their email.
(In this case, I spoke to the accountholder on the phone and was able to get their correct bitcoin address; and they will still be receiving their reimbursement). Is it possible the accountholder played you to receive double the funds?
I wasn't around in 2013, but I'm curious enough to follow this case now. I'm very confident that the accountholder is not the same person as the scammer. Was able to send another round of reimbursements just then. |
|
|
|
|
Well, it turns out this guy is actually from Africa. Morocco to be exact. (Before successfully impersonating me, he claimed in a email that he is from Africa). Those IPs also aren’t proxies or VPNs.
I’ll be doing some research to decide the next course of action. But just throwing this out there: if anyone is near Morocco, or would like to visit Morocco for an all expenses paid trip (and then some), let me know!
|
|
|
|
|
I have some IP addresses! Thanks for the source who supplied the info below, reportedly from the Maxpara server.
I will be compensating them with some BTC tomorrow for these important discoveries.
—-
Email I received below:
One things that sticks out to me in the logs is this:
5.59.62.208 - - [05/Jul/2018:01:52:27 +0700] "GET /login/?u=MiningBaby&r=3034878.0 HTTP/1.1" 200 132220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36"
196.122.160.233 - - [05/Jul/2018:02:10:50 +0700] "GET /login/ HTTP/1.1" 200 132206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"
196.122.160.233 - - [05/Jul/2018:02:13:47 +0700] "POST /fonts/a.php HTTP/1.1" 200 4461 "<removed phishing url>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"
/fonts/a.php is a php web-based shell that is being quite frequently used. There are 90 hits to that page from 3 different IPS:
196.121.75.176
196.122.160.233
45.219.197.30
Obviously if you look through the logs this server is getting pwned by every spammer on the net, but what strikes me about this activity is that:
* This is a web shell, the person is manually logging into the server via his browser.
* It often happens right after there are hits to the phishing page, such as shown above, and the phishing page only logs the last login attempt so the phisher would have to be quick.
|
|
|
|
Return to Player is lower than before and most players are better off without the bonus system than with it.
You can't have a lower RTP AND be better off for the player. Lower RTP = worse for the player. Higher RTP = better for the player. |
|
|
|
Enough time has passed; you can edit your posts now. Note however that unlike how it was years ago, edits are now logged and available to admins. Also, since you were previously prevented from deleting replies to selfmod topics, and I see value in continuing to prevent this, I removed selfmod status on all of your past topics (topics 166416, 166498, 180287, 206948, 206949, 248803, 270101).
Thank you! |
|
|
|
When are the rest of these going to be listed for general sale? Me wants and me wants some now  Yes please! I want some |
|
|
|
If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control. Keep in mind it's possible that the person using it now isn't the same person as SLNTAR as it appears SLNTAR just runs a bot and hacks websites en masse by the looks of it. edit: also looks like there was another scam on this website pretending to be an ico preregistration If the website owner isn't the culprit it's likely he can still get the server logs and send the IP of the operator accessing it -- however, by the looks of it he is some Vietnamese dude selling illegal clothing dupes, so that's fun extra edit: It actually looks like the website might be owned by a Vietnamese company that sells kitchen appliances based on the whois information. It appears this is a legit business with a physical location in Vietnam. If you can somehow get someone who knows Vietnamese to help you get them on board your investigation it is likely that there are log files which will COULD give you more information on whoever is doing this. They have a facebook page @ https://www.facebook.com/maxpara[dot]vn and the email listed on the facebook is minhhuy.maxpara@gmail.comcheers, this is very helpful, I have reached out to them |
|
|
|
If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.
Considering that the domain is still being used as a phishing site to steal login credentials, I would say whoever currently is in control of the domain is the culprit. I wouldn't overestimate the technological ability of random Vietnamese business owners. It is highly likely that: a.) they are technologically uninclined b.) started the website for their business legitimately as they still list it on their Facebook page to this day even though it's not currently in use They probably were using a vulnerable version of some publicly available software which then allowed someone to upload a shell to the website. The owner then likely probably set the entire website to the current default page as a remedy to the problem. If the vulnerable software in question was something like an online store to sell their kitchen hardware, they could have deleted that but the shell could have given them SSH access to the entire system or worse. The alternative is the website could have been vulnerable to some other remote exploit due to outdated server software which would mean the attackers still got SSH access and owned the server. By your logic, a bunch of Vietnamese kitchen hardware dealers (who own a physical building apparently???) are using their own website which was hacked at least once before to scam people. The business is registered in Vietnam and it's listed on their Facebook page and on the domain registration so I think it'd be a little dumb for them to use that as a platform if the culprit was they themselves. The phishing pages aren't extremely sophisticated but by the looks of it they were probably created from scratch or using a program and the ICO page has an advanced mechanism that a.) only allows 1 registration per IP to prohibit bot spamming or the like and b.) requires passwords of 8 characters. The website also uses fairly good English and punctuation which it is evident the owner of the website or whoever is operating their social media does not have. The person who executed the scam seems technologically savvy and is at least familiar with the English language which it doesn't appear the people at Maxpara are. All evidence points to the website being used by external people to run their scam to avoid getting caught. Someone who is smart enough to code their own phishing page that shows a relative familiarity with computer programming probably isn't using their own domain name with no whois protection to run a scam. It'd be funny if it actually was Vietnamese kitchen dealers but unfortunately if it's probably not Quoting this post, 0nc3forg0tt3n had also pretended to be another CL user so they may be related, or they may be another person. In any case, the email communications of the maxpara phisher did not demonstrate solid English. English is definitely a very second language for them; there is no reason for them to use broken english while trying to pretend to be me and communicate with a CL user. |
|
|
|
I am looking for an escrow to hold 20 BTC for a bounty placed upon a phisher / scammer, and manage the corresponding bounty. For more information, please see this thread: https://bitcointalk.org/index.php?topic=4623173.0Please let me know (via a reply or PM) if you are interested in being the escrow and manager of this bounty. You should be very trusted, and have held more than ~$100k in value before as an escrow. Terms and definitionsThe bounty will run until August 1st, 2019. The phisher is defined as the person who operates max para.vn, as well as operating social engineering and impersonation attacks against the CoinLenders reimbursement process. This user has been contacting multiple users pretending to be me, and have successfully stole 50.625732 BTC. Of course, the phisher most likely is involved in more activities than this. There are many reports of the operator of max para.vn using his phishing links to steal bitcointalk accounts, and credentials. Primary Release Condition: The 20 BTC should be paid out to anyone who provides information that leads to the arrest, or a credible civil suit launched against the phisher that has proceeded past the discovery stage. This party must not be the phisher, however can be associated with the phisher (e.g. partners in crime, friends, family) if you believe the release of the funds will not benefit the phisher in any way. Once the party has been identified, I intend to fully assist the respective police agencies in pursuing justice, including following up with the assistance of professionals, evaluating civil action, etc. All the evidence will be publicly posted however already. Secondary Release: At your discretion, you may provide up to 5 out of the 20 BTC to parties that have provided important information about this case, such as credible dox to the Investigations section, etc. The release of this portion is at your discretion for what would be in the best interests of justice in this case. You should not pre-pay anyone for information. CompensationI will transfer you 21 BTC, which is placed under escrow / trust. If the Primary Release Condition is met, you may claim 1 BTC from the escrow. If the Primary Release Condition is not met by the end date of August 1st, 2019, you may claim 0.25 BTC from the escrow. You must transfer any remaining amounts back to a bitcoin address I will publicly provide. You may not transfer any remaining amounts, after the release date, to any other party (including yourself), even if they purport to have claims against me of any kind. You may not use the remaining amounts to settle any obligations. Thread local rulesVod, and any alt accounts associated with Vod, is not allowed to comment on this thread, and should be immediately deleted. |
|
|
|
|
OP is trying to scam someone by pretending they've been in bitcoin since 2011. There is not a single legitimate person to buy an old bitcoin address.
|
|
|
|
<snip> Blatantly obvious that this dude works for ICODrops.com |
|
|
|
A google search of hardymlt@safe-mail.net reveals a password dump paste, which contains that email. Please note that the email account could be a fake name, or a hard amount, and the username in the dump should not be presumed as the scammer (at this point). |
|
|
|
This email was sent to me, but the link actually pointed to a phishing site: http://maxpara[dot]vn/login/?u=TradeFortress&r=4589356.0 << DO NOT ENTER LOGIN DETAILS ON THIS PAGE I didn't fall for it, however I have reasons to believe that the same scammer was responsible for successfully impersonating me and being the 'man in the middle' between a CoinLenders user. The scammer originally emailed me, claiming to be a CoinLenders user. They used a different email address to the actual user, being hardymlt@safe-mail.netWhen I asked the user to email me from their registered email, they were able to convince the actual user to do so, by emailing them from TradeFortress@protonmail.com (which is fake). The actual user sent evidence that allowed me to verify the claim. A reimbursement of 50.625732 BTC was made to 1Aztzs1qHqKiVuZaoa7s23KoHCjeBSeqrT. The funds are currently residing in 1B5b3CcSG5YP9JavrKv8UwV3dcgpT4g3wV I believe a good starting point to track down this scammer is the domain name maxpara[dot]vn ; I believe it is a website operated by the scammer (and not a hacked website) given its content. A reward of 20 BTC will be offered to anyone who provides information that leads to the arrest of this scammer. I'm not super expecting this bounty to be filled, however I'm sure this scammer has put his hands in many pots before; and it looks like there is lots of info to track him down using maxpara[dot]vn Escrow can be arranged. |
|
|
|
|
Show Posts
