QR Code replacement scam

[DannyHamilton]

Engaged in a transaction with someone today.

They opened up their Mycelium wallet on iOS (looked like an iPhone 6+ or 7+).

I opened up Mycelium on my phone.

They chose "Receive" and I chose "Send".

I scanned the QR Code that was displayed in their Mycelium app.

I added the amount, adjusted the fee to "Priority", and tapped on "Send".

The transaction was sent and quickly gained 3 confirmations according to my wallet.

HOWEVER...

Their wallet never showed the transaction as arriving.

After about an hour of trying to figure out what was going on, I saw (looking at a block explorer website) that the funds were forwarded on to a new address!

Another 15 minutes of investigation and we discovered that the address displayed by Mycelium did NOT match the QR Code displayed by Mycelium.

As far as I can tell, they must have some sort of malware on their phone, or some hacked version of Mycelium that is replacing the QR Code with a scam code. Unfortunately, they weren't willing to complete their end of our transaction since they felt they hadn't been paid. I wasn't ready to fight them over their own stupidity and lack of sufficient security on their phone. Therefore, I'm out the bitcoins and received nothing in exchange.  Their mistake, and yet I suffer for it.

Lesson learned the hard (and VERY expensive) way...
ALWAYS CAREFULLY DOUBLE CHECK THE ADDRESS WHEN YOU SCAN A QR-CODE!

Of course, if someone finds a way to replace BOTH the QR Code AND the displayed address, then there would be no way to know that the address is wrong.  But until then, if the code doesn't match the written address, do not send the bitcoins!

[1713559687]

1713559687

[1713559687]

1713559687

[1713559687]

1713559687

[1713559687]

1713559687

[HCP]

Two things spring to mind on this...

1. Malware on iOS (while not unheard of) is relatively rare
2. The iOS settings/instructions for Mycelium Gear (website payment processor) actually generates different addresses to the iOS wallet itself (derivation path issue)

I'm wondering if the QR Code generator in Mycelium iOS is having the same issue? Perhaps it is generating an address from the right xpub, but using the wrong derivation path? Or was it obviously a "scam address" with a lot of transactions in/out?

[DannyHamilton]

Or was it obviously a "scam address" with a lot of transactions in/out?

The transaction that I sent to the address was the first transaction ever to be sent to that address.

Once the transaction I sent to the address had 2 confirmations, the entire amount that I sent to that address (minus a transaction fee) was moved to another address. It was the first transaction to ever be sent to that other address.

12 hours later, that output was spent and split between 2 more addresses. That is the first transaction to ever send to either of those other addresses.  At the moment, the funds are still there.

1. Malware on iOS (while not unheard of) is relatively rare

I agree.

I understand that the person I was engaging in the transaction with might have been scamming me with a fake "Mycellium" app of his own.  Based on transactions and interactions I've had with him in the past, as well as the way this one went down, I think that is unlikely, but he might just have been a skilled actor that played a long con.

If I assume for a moment that he wasn't intentionally scamming me, then malware on the phone is the only other thing I can think of.

2. The iOS settings/instructions for Mycelium Gear (website payment processor) actually generates different addresses to the iOS wallet itself (derivation path issue)

I'm wondering if the QR Code generator in Mycelium iOS is having the same issue? Perhaps it is generating an address from the right xpub, but using the wrong derivation path?

If that was the issue, then the funds shouldn't have moved.  The address shouldn't have been accessible by anyone else.

[bob123]

~snip~
Another 15 minutes of investigation and we discovered that the address displayed by Mycelium did NOT match the QR Code displayed by Mycelium.
~snip~
As far as I can tell, they must have some sort of malware on their phone, or some hacked version of Mycelium that is replacing the QR Code with a scam code.
~snip~

~snip~
If I assume for a moment that he wasn't intentionally scamming me, then malware on the phone is the only other thing I can think of.
~snip~

In my opinion you most likely got scammed. But without any further information thats just my first guess!

May i ask how you found out that the displayed address doesn't match the displayed QR code?
If you used your phone to do that it might also be possible that your phone (instead of theirs) is infected with malware.
It may be more likely that your counterparty had an infected version of mycelium / malware, but i wouldn't completely exclude this option.
I'd suggest to (at least) run an anti virus check on your mobile and/or check the QR scanning a few times.

[DannyHamilton]

In my opinion you most likely got scammed. But without any further information thats just my first guess!

I've been doing this for a few years. So I've gotten pretty good at telling the difference between incompetence and malice in these situations.  I'm not completely ruling out the possibility that he intentionally scammed me, but given the specifics of the situation, it seems quite unlikely.

May i ask how you found out that the displayed address doesn't match the displayed QR code?

Initially it was just because we noticed that the address that mycelium used on my phone had used was different than the address displayed on his phone. Then to test the theory, we tried scanning the code on his phone with another QR scanner from another phone.  The address returned by that other phone matched the address that my phone had sent to and did not match the address displayed on his phone.

If you used your phone to do that it might also be possible that your phone (instead of theirs) is infected with malware.

I had used mycelium to send bitcoins from my phone very recently prior to this without issue, and then used my phone again afterwards (but before creating this thread) to send bitcoins from mycelium without issue.  Additionally, because I've been at this for several years now, my security practices are significantly more careful than the average user. It isn't impossible that I could have an infected phone, but again given the specifics of the situation, it is orders of magnitude more likely that he was an extremely talented scammer, and orders of magnitude above that more likely that he is incompetent and a victim of some sort of malware on his phone.

It may be more likely that your counterparty had an infected version of mycelium / malware, but i wouldn't completely exclude this option.

I never exclude the possibility that I've made a mistake. As it is, I KNOW that I made the mistake of not double-checking the address before sending this time.  I'm typically pretty careful about that, but (making excuses for why I wasn't as careful this time):

• I had many transactions in the past with this individual
• All previous transactions went smoothly, without ANY issue, so I was feeling confident that their phone was secure
• The amount I was sending the individual was less than the total profit I've earned so far from this individual (meaning that if they were scamming, they were only gaining back a percentage of what I had earned from them.  They would still come out behind in such a scam, they would just come out less behaind)
• The individual had reason to want to engage in future transactions with me, and in refusing to pay me after I sent bitcoins they have terminated our business relationship.  This will hurt them more than it will hurt me, as they have lost access to one of the most reliable, knowledgeable, and cheapest sources of bitcoins in the area.
• The user was using iOS and Mycelium (two pieces of software that I'm familiar with and for which I was unaware of any known threats that could replace the QR Code)
• And probably my biggest mistake...  I was being impatient. Since there was no obvious threat, and an intentional scam would hurt him more than me, I figured I could get the transaction done quickly and with minimal inconvenience and then get back to what I was doing prior

The more I think about the situation, the more I realize the possibility that he was scamming me intentionally.  This has many indicators that he did.  The main reasons that I feel like he is a victim of malware, and not an intentional scammer are:

• In all my dealings with him, he hasn't come across as technically savvy
• This is going to hurt him a lot more than it is going to hurt me
• If he "stole" these bitcoins from me, then he stole back less than I've profited so far, so he isn't coming out ahead on a long con. He's just gaining back a portion of the profit that I've made over many months. I'd expect a con artist that talented to have gone for a bigger payoff at the end.
• He continued to contact me after we went our separate ways and came across as genuinely distraught about the entire situation whereas he could more easily have simply disappeared and never contacted me again once he was successful in his "scam"

I'd suggest to (at least) run an anti virus check on your mobile and/or check the QR scanning a few times.

I'm very careful about what is allowed to run on my phone.  I've checked it over since this event.  My phone is fine.

[bob123]

~snip~
I'm very careful about what is allowed to run on my phone.  I've checked it over since this event.  My phone is fine.

In case of you both being a victim of a 3rd party malicious software it would be interesting to know whether
1) he was using a malicious version of mycelium or
2) he had any other form of malware on his phone

• He continued to contact me after we went our separate ways and came across as genuinely distraught about the entire situation whereas he could more easily have simply disappeared and never contacted me again once he was successful in his "scam"

Is there a chance of retrieving information about the integrity of the version installed on the phone of your 'partner'?

[DannyHamilton]

In case of you both being a victim of a 3rd party malicious software it would be interesting to know whether
1) he was using a malicious version of mycelium or
2) he had any other form of malware on his phone

I agree, it would be interesting to know.  It would also be interesting to know for certain whether he successfully pulled of an intentional scam against me (I can think of a few ways for him to have done so if he, or a partner, were technically savvy enough), or whether he unknowingly had malware of some form on his phone.

Unfortunately, I've probably burned that bridge at this point.  Within a few hours of this all happening, I made it pretty clear to him that I have no way of knowing for certain whether he is the scammer, or if he unknowingly has malware on his phone.  I also made it quite clear that it the end result for me is the same regardless... Unless he is willing to uphold his end of this transaction, I will refuse to have anything to do with him any longer.  If I (or my phone) were at fault, I would ABSOLUTELY have accepted responsibility and honored my side of the transaction.  I expect the same of anyone that I transact with.  If he's not willing to be reliable in this manner, then I am not willing to interact with him any longer.

• He continued to contact me after we went our separate ways and came across as genuinely distraught about the entire situation whereas he could more easily have simply disappeared and never contacted me again once he was successful in his "scam"

Is there a chance of retrieving information about the integrity of the version installed on the phone of your 'partner'?

I could try, but I've laid out enough accusations and insults after he refused to uphold his side of the deal upsetting him enough at this point that I expect to be ignored from now on.

As far as I'm concerned, his refusal to uphold his side of the deal makes him a de facto scammer in this situation regardless of whether that was his intention or not.  I was presented with a QR Code and asked to send bitcoins.  I scanned the code and I sent the coins as asked.  I held up my end of the deal.  I expect the same of the counterparty regardless of whether they accidentally or intentionally gave me the incorrect address.  As far as I'm concerned, refusal to follow through when I can demonstrate that the bitcoins were sent and confirmed as requested makes one equally a scammer regardless of the fact that he may not have received the bitcoins that he wanted.

[bob123]

As far as I'm concerned, his refusal to uphold his side of the deal makes him a de facto scammer in this situation regardless of whether that was his intention or not.  I was presented with a QR Code and asked to send bitcoins.  I scanned the code and I sent the coins as asked.  I held up my end of the deal.  I expect the same of the counterparty regardless of whether they accidentally or intentionally gave me the incorrect address. As far as I'm concerned, refusal to follow through when I can demonstrate that the bitcoins were sent and confirmed as requested makes one equally a scammer regardless of the fact that he may not have received the bitcoins that he wanted.

I completely agree with you on that statement. But unfortunately most people just have one thing in mind, money.
I hope the loss is relatively low compared to your average transactions.
This way this sour lemon may still be worth the lesson learned for future transactions :/
I wish i could live in a world where its enough to keep myself secured, instead of having to trust everyones mindset regarding security.

[DannyHamilton]

I hope the loss is relatively low compared to your average transactions.

As I mentioned, one of the reasons that this doesn't feel like a long con is that my loss is lower than the total profit I gained from past transactions just with this individual.

Imagine a con artist spending nearly a year giving you a sum of $3k and then at the end of his con taking you for $2k and destroying any chance he had of ever engaging in another transaction with you again.

A con artist skilled enough to have pulled it off would have at a minimum pulled a profit in the end.

Someone dumb enough to kill all future opportunities, and to do that at a loss to themselves, doesn't seem skilled enough to have pulled the type of con they would have needed to.

This way this sour lemon may still be worth the lesson learned for future transactions :/

Yeah, it probably stings more because I know I could have avoided it. I know that I have processes in place specifically to avoid this sort of thing and I got sloppy.

I don't really do these transactions to profit (the little profit I get is nice, but not the motivating factor).  I do this as a service to the local community.  I provide access to bitcoins, knowledge, and experience. I help others learn and help them avoid pitfalls like this.  This isn't the first time that I've encountered someone that was using an infected device, and if it was a scam, it wasn't the first time that I encountered someone trying to scam me.  It's just the first time that I got sloppy enough to end up with a loss over it.

It's a lesson learned, and such a small mistake after 6 years of this isn't a horrible track record.  This thread was more about letting others know about something to watch for than it was about figuring out exactly what happened, why, or how.

Had I seen a thread similar to this at any time in the past few years, I think I would have been more vigilant and less likely to have fallen for it.  So, this thread is just that help/warning for someone else.

[HCP]

Or was it obviously a "scam address" with a lot of transactions in/out?

The transaction that I sent to the address was the first transaction ever to be sent to that address.
Once the transaction I sent to the address had 2 confirmations, the entire amount that I sent to that address (minus a transaction fee) was moved to another address. It was the first transaction to ever be sent to that other address.
12 hours later, that output was spent and split between 2 more addresses. That is the first transaction to ever send to either of those other addresses.  At the moment, the funds are still there.

So not an "obvious" scam address like some of the "clipboard" viruses, or you were the first victim.

If that was the issue, then the funds shouldn't have moved.  The address shouldn't have been accessible by anyone else.

Quite... it would indeed appear that it is a deliberate modification to the QR Code. I have previously seen other users on here claim that they've "scanned QR Codes" but somehow the address they sent to was the wrong one. Perhaps this QR Code modification is a less used, more subtle and better disguised scam?

In any case, it would appear that maybe the "blind trust" that people seem to have in QR Codes (myself included) is somewhat misplaced. Indeed a valuable lesson for everyone, unfortunately, at your expense.

[Agzgroup]

Scam … we’re simply using the API of the Mycelium to receive payments from our users, and we had a serious Problem
The user paid $1000 for a service, the API reported that paid, activate bo system, but where was the $1000?

Nobody knows, on our portfolio registered does not appear. 2 days already I’ve forwarded 6 emails and no answer. Not to mention that the bitcoin is in Fall and lost more than 10% of value if we responded and sent.

 Don’t trust on the API and in the wallet of the mycelium, already had other uncomfortable and doesn’t work properly.
Without support.

[BitMaxz]

Scam … we’re simply using the API of the Mycelium to receive payments from our users, and we had a serious Problem
The user paid $1000 for a service, the API reported that paid, activate bo system, but where was the $1000?

Nobody knows, on our portfolio registered does not appear. 2 days already I’ve forwarded 6 emails and no answer. Not to mention that the bitcoin is in Fall and lost more than 10% of value if we responded and sent.

 Don’t trust on the API and in the wallet of the mycelium, already had other uncomfortable and doesn’t work properly.
Without support.

I think it's much better if you make your own thread to discuss this.

Are you talking about mycelium gear? And where did you get the API code?

You must follow their guide from here Payment Gateway

The reason that's why I'm asking about where you get the API code it's because I found few posted here in the forum with ready-made mycelium payment gateway on GitHub which I think fake. So beware of using a fake API code.

[krogothmanhattan]

Thanks for this thread. It reminds me to be vigilant all the time..

One thing I do anytime a large amount of btc is sent ..say..$500 and up...I send 0.001 and see if person gets it...once confirmed I send the remaining amount to the SAME address. Better safe than sorry.

Cheers

[gentlemand]

In any case, it would appear that maybe the "blind trust" that people seem to have in QR Codes (myself included) is somewhat misplaced. Indeed a valuable lesson for everyone, unfortunately, at your expense.

It seems like an increasingly obvious way to hijack funds. I find it pretty amazing when people use totally random websites to generate QR codes and don't ever seek a second opinion on the results they get.

I have zero idea how ios apps work. Is it easy for a user to crack them open and start fiddling with them? Mycelium on ios has basically been abandoned for well over a year which gives plenty of time to learn the ins and outs.