Should I remove my red tag on bountyhunters.io? DT please discuss

[LoyceV]

Based on the evidence provided in Bountyhunters.io probably will scam their members. Watch out!!!, I tagged bountyhunters.io on November 13:

Asks users for their "Private Key or Mnemonics" to claim bounty tokens. NEVER GIVE YOUR PRIVATE KEY TO ANYONE!
See Reference link or https://archive.is/5WICa

Today, I received a PM asking to remove the red trust. This is the only tag I've always wondered about when I would receive a PM asking to remove it. I'm willing to remove it, but I'd like to hear some community input first.

Short version: bountyhunters.io was asking users to provide their private key or mnemonics before giving them their bounty payment in Tokens. The fact that they asked for private keys in order to be paid is very shady at least, and a potential exit scam at worst. They seem to offer other options now to be paid (in Tokens). I don't use their platform myself.

I'd appreciate it if someone (or a few people) can take the time to give their opinion on this.

[1713529494]

1713529494

[1713529494]

1713529494

[1713529494]

1713529494

[actmyname]

No. If there was no clear idea of how to pay users without having access to their wallet, then at best they are incompetent.

[suchmoon]

Your feedback is factual and supported with a proper reference. Why should you remove it just because the recipient says they won't do it again? I'd say you can modify it or add a neutral if new facts came to light but that's about it.

[LoyceV]

Thanks (to both of you) for taking away my doubt.

[mikeywith]

This more like the "red and green" we talked about in my topic. asking for a private key is an act of scam be it used to scam or not should be the least of our concern. also i would love to see more of these threads where DT members seek the opinions of others.

[The Sceptical Chymist]

also i would love to see more of these threads where DT members seek the opinions of others.

I don't mind this either, but I don't think every neg needs to be discussed and voted on.  If you're on DT, you ought to have good judgement to begin with and faith in the strength of your convictions--at least enough such that you don't need to seek advice for the feedback you leave (but there are times when it's necessary, and I've done it myself).  This issue is more complex than other ones IMO and it's good that advice is being sought.

In this case, I think LoyceV was pretty justified in giving a neg to someone asking for people's private keys.  That, in my opinion, is an even worse offense than being a newbie and asking for a no-collateral loan or to buy bitcoin with PayPal, both of which can and do earn those newbies negative trust (usually from Vod).

However, my ignorance of all things ETH-related kicked in pretty quick while reading that scam accusation thread.  But what grabbed me is that if this post is true (which was responded to by bountyhunters.io in the next post), then I would say the neg is completely justified and should stay because that would mean bountyhunters.io outright lied.  But the explanation they gave sails right over my head.  I do understand quite well that asking for someone's private keys is a big no-no, but in this case it seems like the suggested solution of creating a throwaway wallet would solve that problem.  The only thing with that is that we (and certainly bountyhunters.io) know not everyone will do it.

My current understanding is that they've fixed this issue now, is that right?  People no longer have to give up their private keys?  If that's the case and it's also true that they haven't scammed anyone, then feedback removal at this point might be appropriate.  It could be a case of them being naive about how their initial system that required private keys would be perceived, i.e., that people wouldn't think they were scammers.  Unfortunately it's impossible to know someone's intentions; we can only judge people by their actions. 

[The Cryptovator]

Apologies for my reply since title said DT discussion. Although I am not DT but I can't stop myself to reply this thread. Just wondering why he has got single negetive feedback ? Who have asked for private key his clear intention is to scam people's. I don't think need to discuse about remove his negative feedback. I believe he deserve more negative feedback a well. Asking for private key I will not take it easy. Just now I have tried to register and check withdrawal option but unfortunately if no balance there is no option for withdrawal. I believe acuusation is valid and you don't need delete your feedback. I have left another negative feedback.

I can see he has self admitted about private key or similar Some thing which is really not legit to ask.
 http://archive.is/RPHqs

There are 3 ways of signing the transaction:
1.By importing his private key;
By importing mnemonic seed
By importing his wallet file + passphrase

Edit :

My current understanding is that they've fixed this issue now, is that right?  People no longer have to give up their private keys?  If that's the case and it's also true that they haven't scammed anyone, then feedback removal at this point might be appropriate.

How you consider to remove it ? They have asked already and although they fixed it doesn't mean they are legit. There is no point of their Explaination why must need provide private key. If like that then you should remove all negative feedback from Account buyer or seller, because after got tag everyone say sorry and they promise they will not repeat (IMO). Problems was not on website design or coding that they will fix. They are fully aware about that they are asking for private key. Check my above quote. They are asked something that they can control wallet.

If I am not wrong mdayonliner got tag just for asked escrow 20BTC and later on he withdraw his offer. But feedback is still remain. So why should remove negative feedback from Bountyhunter.io ?

[suchmoon]

But the explanation they gave sails right over my head.

Their "explanations" seem to be just some random texts. No verbal gymnastics can justify asking for private keys. I think their attempt to whitewash it is a big part of the issue. There is also some weird arrogance along the lines of "do you think we would stoop to scamming piddly bounty hunters who only have dust in their addresses" (this is not a literal quote LOL), which is kinda weird attitude towards their customers to say the least.

My current understanding is that they've fixed this issue now, is that right?  People no longer have to give up their private keys?  If that's the case and it's also true that they haven't scammed anyone, then feedback removal at this point might be appropriate.

I haven't read it far enough to figure out if they completely removed the option or just added other options. Here's the thing though: they only did this after get called out and it's impossible to ensure that the keys they already (possibly) collected wouldn't be misused. It's up to LoyceV to decide how much time needs to pass to review this again but I'd say it's all still too fresh ATM.

Apologies for my reply since title said DT discussion. Although I am not DT but I can't stop myself to reply this thread. Just wondering why he has got single negetive feedback ? Who have asked for private key his clear intention is to scam people's. I don't think need to discuse about remove his negative feedback. I believe he deserve more negative feedback a well. Asking for private key I will not take it easy. Just now I have tried to register and check withdrawal option but unfortunately if no balance there is no option for withdrawal. I believe acuusation is valid and you don't need delete your feedback. I have left another negative feedback.

I was considering it but I'm still missing a few bits of the story that I don't have time to research now... perhaps next year

[The Sceptical Chymist]

If I am not wrong mdayonliner got tag just for asked escrow 20BTC and later on he withdraw his offer. But feedback is still remain. So why should remove negative feedback from Bountyhunter.io ?

If I'm not mistaken, I think I voiced some disagreement about that feedback on mdayonliner.  I happen to believe he wasn't intending to scam but wouldn't rule out the possibility of it happening if someone actually sent him that $100k (or whatever the number was).  I also think he's learned his lesson about doing stuff like that and don't think that feedback removal by hilariousandco would be a bad idea at this point--but there's also the ponzi stuff that other members feel strongly about, and I don't think that feedback is going to be removed.

Most of you may not believe this, but I do believe in second chances and removal of feedback if the member has learned his lesson.  I've removed lots of negs from account buyers/sellers if they've not repeated the behavior and have shown evidence of being a valuable member of the forum. 

I may not have made myself clear in my previous post, but I am not arguing that LoyceV should remove his feedback.  I'm saying I don't understand the explanations given by bountyhunters.io enough on a technical level to judge whether what he was doing was the only option (which is what he initially seemed to be arguing) or whether he was caught in a lie.  I get that asking for private keys is a no-no.  I also get that a member with no escrow history who's not on DT offering to escrow $100k is a no-no.  Both of those things are huge red flags.

In my previous post I said that if bountyhunters.io changed their method to one that doesn't require private keys and if they haven't scammed anyone, LoyceV's feedback might be worth removing.  But suchmoon's point I hadn't considered before writing my post:

Here's the thing though: they only did this after get called out and it's impossible to ensure that the keys they already (possibly) collected wouldn't be misused. It's up to LoyceV to decide how much time needs to pass to review this again but I'd say it's all still too fresh ATM.

If they've got a bunch of people's private keys, they still could scam if they wanted to.  It does make sense to me now to leave the neg intact.

[bountyhunters.io]

No. If there was no clear idea of how to pay users without having access to their wallet, then at best they are incompetent.

As we explained for many times, we DO know how to pay bounty tokens without any confirmations. Traditional airdrop is not a difficult task, but it has disadvantages we want to avoid by moving to the Merkle airdrop system.
In this message you can find detailed explanations about it: https://bitcointalk.org/index.php?topic=5067062.msg48315041#msg48315041

My current understanding is that they've fixed this issue now, is that right?  People no longer have to give up their private keys?  If that's the case and it's also true that they haven't scammed anyone, then feedback removal at this point might be appropriate.  It could be a case of them being naive about how their initial system that required private keys would be perceived, i.e., that people wouldn't think they were scammers.  Unfortunately it's impossible to know someone's intentions; we can only judge people by their actions. 

The answer is «yes» and «no».
   
   From our FAQ:
- Confirm your transaction via your private key or with a help of MetaMask plugin. Note, we would highly recommend that you DO NOT use your main Ethereum wallet for this step. Instead, choose a new wallet that contains a minimal amount of funds. (If our website is compromised or you accidentally visit a different website, your funds can be stolen. You are doing this at your own risk). 

   
- The transaction is then formed and signed in the user’s browser. We don’t store or transfer any private data, as we care about the security of your wallet. This operation is only needed when you personally sign a transaction; otherwise we will not be able to transfer your tokens. 
   

[suchmoon]

As we explained for many times, we DO know how to pay bounty tokens without any confirmations. Traditional airdrop is not a difficult task, but it has disadvantages we want to avoid by moving to the Merkle airdrop system.
In this message you can find detailed explanations about it: https://bitcointalk.org/index.php?topic=5067062.msg48315041#msg48315041

The best I can figure out is that you heard of this fancy new thing (Merkle airdrop) that would shift the cost of distributing tokens onto the recipients and you decided to do it despite having no clue how to implement it safely.

[bountyhunters.io]

Here is a video explanation of the situation made by Mikhail Savchenko (CEO at BountyHunters.io, CTO at chronobank.io): https://www.youtube.com/watch?v=5ffX7tmW2vA&t=2s

(Linkedin profile: https://www.linkedin.com/in/mikhail-savchenko-78291916/)

Take a note, that BuntyHunters is a project created by the ICOPromo team (https://icopromo.com/): a subsidriary of ChronoBank.io (one of the first successful ICOs on the market, that raised over 5,400 BTC in their in early 2017). ChronoBank, in its turn, is well known for its good reputation and strong developer team. Our main investor is Sergei Sergienko (https://www.linkedin.com/in/sergeisergienko/), a well-know figure of the blockchain market.

Our company is totally legit and transparent, and we care about the reputation of our products.

We admit that launching the new system without decent preparation was an incorrect step. Currently we have no any new accusations from the community, as our users can choose between different options to sign their transactions (including Metamask app).  Our bounty hosts are also free to choose between different systems of processing payouts (so traditional airdrops can also be produced).

In the main discussion thread (https://bitcointalk.org/index.php?topic=5067062) we have given enough of information for those who are really interested in the situation. We ask all the participants of the current thread to read it carefully.

[bountyhunters.io]

As we explained for many times, we DO know how to pay bounty tokens without any confirmations. Traditional airdrop is not a difficult task, but it has disadvantages we want to avoid by moving to the Merkle airdrop system.
In this message you can find detailed explanations about it: https://bitcointalk.org/index.php?topic=5067062.msg48315041#msg48315041

The best I can figure out is that you heard of this fancy new thing (Merkle airdrop) that would shift the cost of distributing tokens onto the recipients and you decided to do it despite having no clue how to implement it safely.

Merkle airdrop is not only about cutting the costs of an airdrop. Please read the information we have provided.
Currently we have implemented an option to create new wallet right within the system, as well as an options to sign transactions with Metamask plugin, so your claims that "we have no clue how to implement it safely" have no more ground.

[suchmoon]

As we explained for many times, we DO know how to pay bounty tokens without any confirmations. Traditional airdrop is not a difficult task, but it has disadvantages we want to avoid by moving to the Merkle airdrop system.
In this message you can find detailed explanations about it: https://bitcointalk.org/index.php?topic=5067062.msg48315041#msg48315041

The best I can figure out is that you heard of this fancy new thing (Merkle airdrop) that would shift the cost of distributing tokens onto the recipients and you decided to do it despite having no clue how to implement it safely.

Merkle airdrop is not only about cutting the costs of an airdrop. Please read the information we have provided.
Currently we have implemented an option to create new wallet right within the system, as well as an options to sign transactions with Metamask plugin, so your claims that "we have no clue how to implement it safely" have no more ground.

I have read a lot of that information and it's quite interesting, thank you.

However I couldn't find any justification for requiring private keys in any of those articles. Even your solution of having a wallet "within the system" does not sound that much safer. I'm guessing you're doing this because you think your customers wouldn't be able to figure out how to sign the transactions using their own wallets. That still seems to fall under "no clue how to implement it safely".

Anyway, not to derail this thread any further - I'd still recommend for LoyceV to not rush with any revisions just yet.

[examplens]

I completely forgot about this bounty service.
Now I have checked them again and still can't withdraw any of my stuffed tokens there. They asking to import my wallet ie keystore file there.

[marlboroza]

If it is worth to mention:

Ether delta(already hacked):


Fork delta:


Idex:


Stellarterm:


And so on...they all ask for private keys.
If I am not wrong, metamask should resolve this problem.

The thing is, I am not really sure about this one and I have more than 1 opinion. I just don't have clear answer and I understand your doubts, especially when someone ask for private keys.

[suchmoon]

And so on...they all ask for private keys.

Those are all exchanges though, right? Exchange shared wallets have been horribly unsafe since forever and these "decentralized" contraptions might actually be an improvement. It's the opposite with bountyhunters.io - they went from a safe if costly airdrop method to asking for private keys because they want to send out worthless tokens that might not even be worth the TX fee.

[bountyhunters.io]

I completely forgot about this bounty service.
Now I have checked them again and still can't withdraw any of my stuffed tokens there. They asking to import my wallet ie keystore file there.

First of all, not ALL the tokens require the claiming process. Most of rewards for our latest campaign are to be sent automatically, as a usual airdrop.

Second: there is an option to create a wallet within the system or to sign transactions with Metamask plugin.

[bountyhunters.io]

And so on...they all ask for private keys.

Those are all exchanges though, right? Exchange shared wallets have been horribly unsafe since forever and these "decentralized" contraptions might actually be an improvement. It's the opposite with bountyhunters.io - they went from a safe if costly airdrop method to asking for private keys because they want to send out worthless tokens that might not even be worth the TX fee.

We have 2 distribution options for our bounty hosts. Common airdrops may also be used. But as "traditional" airdrops may soon go to the past, and as they may affect projects in a negative way, we offer an alternative solution as well. Its still up to bounty hosts to decide.

[Pffrt]

Like as people said, asking for private key is of course an doubtful task. The most forbidden task in crypto is not to give private key to anyone. So, I think you should not withdraw the feedback. Wait and observe couple of months more and decide later.