It actually would be interesting to look at the addresses of the victims of this fraud. If the coins get stolen in the same block as the incoming transaction, then the thieves use the CPFP method and you should do the same to have a chance to beat them.
Funds get stolen in the same block, see this example.
If you do go ahead, I would suggest making the receiving address in question multi-sig with some other forum users so you yourself can't be accused of stealing anything.
That's a good suggestion, I have to remain Switzerland after all.
I would have thought it wouldn't be too difficult for the scammer to overcome, however, without additional work on your part. I'm sure once the scammer sees their stolen money being "stolen" back, they will start changing things up to try and prevent it from happening. He could update the code frequently, every day or even more so, to change the set of pre-generated addresses it gives out to users, and you would need to update your monitoring system just as frequently. It could even be something as simple as changing the derivation path to some master seed every hour or so. You would need to be downloading the code after every change, extracting the addresses, and changing your monitoring system. I've not reviewed the malicious code, so I don't know how easy that would be to automate.
I can't check the code myself either, but indeed this is a possibility. If he gives every download a different set of compromised keys, this won't work anymore.
Worst case scenario, he could even change the code entirely to give out addresses which are not linked to the private keys displayed, but are instead linked to a set of private keys he is holding in secret. I would wager the majority of people who are falling for a paper wallet scam site don't actually bother to check the address they receive is actually derived from the private key they receive before they fund it.
You're right. Although this would make it easier to prove the site is a scam, it would make my idea completely useless.
I always usually check the backup of my private keys before funding them, using different software from what created them. But it's likely most people won't do that.
only if you have extra time at your hand and don't mind it probably going to be wasted the moment you take the first coins out of their hands.
After reading the comments, it's probably not worth the effort indeed.