Bitcoin Forum
April 30, 2024, 08:50:30 AM *
Author Topic: bitcoinpaperwallet.com - scam still alive?  (Read 459 times)
Sassoft (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 10


View Profile
February 17, 2022, 07:38:26 PM
Merited by OmegaStarScream (3), ABCbits (1)
 #1

Hey people, I found some posts from the last year.. Recently one of my clients also lost their funds via that "safe paper wallet".
Based on the transactions where coins were moved I see more victims - so probably the owner is still alive and that website is still working. However, the coins are not moving anywhere and are still on that address.

Maybe there are more people here who lost their money? Or maybe someone could dig into it?

I don't believe that the community can't stop him and he can keep doing his phishing.
OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 3458
Merit: 6105



View Profile
February 17, 2022, 07:45:39 PM
 #2

Apparently, CoinDesk tried to dig into it and to reach out to the new owner, but he's denying that they're responsible for people losing their funds...

https://www.coindesk.com/tech/2021/02/24/bitcoinpaperwallet-back-door-responsible-for-millions-in-missing-funds-research-suggests/

The good thing now is that most people use MetaMask nowadays, and since the site is added to their domain warning list, people shouldn't be able to access it. Not without seeing a warning anyway.

hosseinimr93
Legendary
*
Online Online

Activity: 2380
Merit: 5235



View Profile
February 17, 2022, 08:06:49 PM
Merited by ABCbits (1)
 #3

The website in question turned into a scam after its ownership was changed in 2018 and is probably still owned by the same scammer.

Maybe there are more people here who lost their money?
Yes, visit the following topics.

bitcoinpaperwallet[.]com is a scam
Why has my newly created Bitcoin address already been used?


JeromeTash
Legendary
*
Offline Offline

Activity: 2128
Merit: 1210


Heisenberg


View Profile
February 17, 2022, 08:56:34 PM
 #4

The website in question turned into a scam after its ownership was changed in 2018 and is probably still owned by the same scammer.
What I don't understand is why canton handed over such a sensitive and popular website to new owners whose reputation was still unknown?

Why didn't he just put down the whole project if he could not proceed supporting it?
I mean, that's a honeypot for scammers. It was just a matter of spending a few thousands of dollars to buy it and then later scam the hell out of so many users who used the site.

Sassoft (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 10


View Profile
February 17, 2022, 09:25:13 PM
 #5

Not everyone uses MetaMask..

What I see is that the guy still holds the coins, and he has already scammed hundreds and hundreds of dollars. There is no way to withdraw them, so it is just a matter of when the authorities will start investigating this case. Also, all victims can make one money pool and just hire a lawyer to start proceedings against him.
BitMaxz
Legendary
*
Offline Offline

Activity: 3234
Merit: 2951


Block halving is coming.


View Profile WWW
February 17, 2022, 11:07:16 PM
 #6

It seems the website is 9 yrs old, alive and kicking, and they keep scamming, but we do not know if the owner is already dead or not. As you said, your client lost funds and the transferred amount has still not been moved to another wallet yet.

If you want to know the name and address of the owner of the website, I'd suggest you try to contact https://www.enom.com/reseller/contact-us/
because the domain is registered on that site.

I think that you will be able to get the real name and address of that scammer from enom.com because they only accept these payment methods: credit cards, PayPal, check, or wire transfers.
Just try to ask them about the name, address, and contact number of the owner of that website. Let's hope that the domain provider will cooperate, and don't forget to tell them that the owner is a scammer and send some proof.

DaveF
Legendary
*
Offline Offline

Activity: 3458
Merit: 6250


Crypto Swap Exchange


View Profile WWW
February 18, 2022, 12:33:18 AM
Merited by mk4 (2), vapourminer (1), ABCbits (1)
 #7

In addition to complaining to enom, don't forget to report to all the other AV sites too; here are a few:

https://safebrowsing.google.com/safebrowsing/report_phish/?rd=1&hl=en
https://support.malwarebytes.com/hc/en-us/articles/360038522814-Submit-a-phishing-link-malicious-website-or-file-to-Malwarebytes
https://submit.norton.com/?type=URL
https://global.sitesafety.trendmicro.com/
https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab

The site itself is behind Cloudflare; you can try to report to them, but for the most part they really don't care about what they protect.

-Dave

pooya87
Legendary
*
Offline Offline

Activity: 3430
Merit: 10517



View Profile
February 18, 2022, 09:50:21 AM
 #8

The website in question turned into a scam after its ownership was changed in 2018 and is probably still owned by the same scammer.
What I don't understand is why canton handed over such a sensitive and popular website to new owners whose reputation was still unknown?

Why didn't he just put down the whole project if he could not proceed supporting it?
I mean, that's a honeypot for scammers. It was just a matter of spending a few thousands of dollars to buy it and then later scam the hell out of so many users who used the site.
To make some money from a project they had made!
But it wasn't really popular though, bitaddress.org was popular and is still around. This other site came later and tried gaining some popularity by duplicating the same service but couldn't succeed as much. Then the developer abandoned it while trying to make some money from his work.

In any case people shouldn't be using a website to create their bitcoin wallets in the first place! That's just silly and extremely insecure regardless of what website you are using or who controls it.

PX-Z
Hero Member
*****
Offline Offline

Activity: 1428
Merit: 836


Top Crypto Casino


View Profile WWW
February 18, 2022, 08:35:55 PM
 #9

Good idea. Google is best for this coz they are the most common search engine used by ordinary people who don't have an idea about these websites, and to avoid it appearing in the search query as well. Well, as long as many people report it.
In any case people shouldn't be using a website to create their bitcoin wallets in the first place! That's just silly and extremely insecure regardless of what website you are using or who controls it.
So when and how are bitcoin wallets on mobile and desktop considered to be insecure too? The difference is only that the latter needs installation.

Sassoft (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 10


View Profile
February 18, 2022, 10:30:33 PM
Merited by LoyceV (4)
 #10

What I see right now is literally the wild west - none of those companies even got back to me and acknowledged the problem.
The guy even has PayPal for his orders@paperwalletshop.com account and PayPal doesn't give literally a shit.

And here is what he replied via his contact form:
Quote

Bitcoin Paper
Thu, Feb 10, 10:46 PM (8 days ago)
to me

Hi,

When you create a wallet, you, and only you have control/knowledge of your address and private key.

Keys are generated in your browser locally.

There are a few things I can recommend checking:

1. Do you have an up to date antivirus?
2. Do you have any browser extensions?
3. Are you sure you were using our domain and not a phishing site?
4. Were you using TOR to access the website?
5. Are you sure that you and only you had access to your private key?
6. Did you run the website offline?

I know of a website out there phishing on google called PaperWalletBitcoin.com that steals your private key. I have already reported them to google but no action has been taken. If you inspect element on the page when you generate a key on their website you can see your private key being sent out 5-10 seconds later to their server. Did you by chance click on this website and not the official BitcoinPaperWallet.com?

I hope you can find out what happened to your coins,

Regards,

BPW Team

So we know his: PayPal, Domain, Hosting, Cloudflare account, Gmail and can't do anything with that.
pooya87
Legendary
*
Offline Offline

Activity: 3430
Merit: 10517



View Profile
February 19, 2022, 07:16:56 AM
Merited by NeuroticFish (2)
 #11

So when and how are bitcoin wallets on mobile and desktop considered to be insecure too? The difference is only that the latter needs installation.
There is a big jump from a website to mobile and desktop wallets! When you open a website you have no idea what you are running and what you are sending to that website's servers, and you have no way of knowing it. But with a desktop/mobile wallet you have a choice to download and install what is open source so you can verify that it is not doing something malicious.

NeuroticFish
Legendary
*
Offline Offline

Activity: 3654
Merit: 6371


Looking for campaign manager? Contact icopress!


View Profile
February 19, 2022, 07:39:19 AM
Merited by vapourminer (1)
 #12

So when and how are bitcoin wallets on mobile and desktop considered to be insecure too? The difference is only that the latter needs installation.
There is a big jump from a website to mobile and desktop wallets! When you open a website you have no idea what you are running and what you are sending to that website's servers, and you have no way of knowing it. But with a desktop/mobile wallet you have a choice to download and install what is open source so you can verify that it is not doing something malicious.

Truth be told, most have no idea what they install either. Even in the rare cases the program has its source code at hand, they won't read it, clearly won't build it themselves. And the compiled binaries may or may not be from the source code you'd expect. Verifying the traffic one program makes is something also very few people do.

Indeed, there's still a big step, since a website can offer a different page for a while and steal information and deny it, while 90% of the time operating clean. This is much less likely with installed programs. But most people don't understand software and don't care much either.

Some will look whether this or that is labeled as legit or scam, and that's all. I fear that we're expecting too much from the average Joe... (hence I am happy when this kind of question pops up - they give a chance for a few more to get on the right track).



Something more: I fail to understand why people are still focused so much on classical paper wallets when they can run Electrum (either safely installed and verified, or from Tails OS), generate a seed and a few addresses and.. done.

PX-Z
Hero Member
*****
Offline Offline

Activity: 1428
Merit: 836


Top Crypto Casino


View Profile WWW
February 19, 2022, 10:45:38 AM
 #13


There is a big jump from a website to mobile and desktop wallets! When you open a website you have no idea what you are running and what you are sending to that website's servers, and you have no way of knowing it. But with a desktop/mobile wallet you have a choice to download and install what is open source so you can verify that it is not doing something malicious.
Yes, I know the advantages of open source compared to the other one. But how can you be sure that the app you're going to install is the same as, or has a full copy of, the code that is publicly available for viewing on GitHub? Since you're going to install the app from the App Store or Play Store?

Coz what I have in mind is, the developers or anyone can update the code (with malicious or not) of the app and then upload it on these mobile distribution services using their compromised accounts, without updating the code on GitHub of course.
Is this possible? How can it be avoided without downloading the app first just to try it and become the first victim?

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 19, 2022, 11:22:43 AM
Merited by pooya87 (2)
 #14

But how can you be sure that the app you're going to install is the same as, or has a full copy of, the code that is publicly available for viewing on GitHub? Since you're going to install the app from the App Store or Play Store?
If you install something directly from the Apple app store or Google play store then you are right - you have absolutely no way of verifying what you are installing. This is the wrong way to install things, though.

The better option is to download the app directly from the developer, verify its signatures or hashes, and then transfer the .apk file to your phone to be installed.

The best option is to download the source code, build the binaries yourself, and then use them to install the wallet on your phone.
PX-Z
Hero Member
*****
Offline Offline

Activity: 1428
Merit: 836


Top Crypto Casino


View Profile WWW
February 19, 2022, 05:32:45 PM
 #15

If you install something directly from the Apple app store or Google play store then you are right - you have absolutely no way of verifying what you are installing. This is the wrong way to install things, though.
And that's knowledge to consider not just for crypto but for all who used to download and install from these mobile distribution services such as the App Store and Play Store.

The better option is to download the app directly from the developer, verify its signatures or hashes, and then transfer the .apk file to your phone to be installed.

The best option is to download the source code, build the binaries yourself, and then use them to install the wallet on your phone.
Common smartphone users don't actually do this, idk if they know such a thing exists, even most of the users here probably, and that's quite alarming.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 19, 2022, 08:28:25 PM
 #16

Common smartphone users don't actually do this
Absolutely. But common smartphone users all do a bunch of other widely insecure things, such as using biometrics, keeping their 2FA app on the same device which has all their passwords saved, installing a bunch of apps which track everything they do, using terrible closed source wallets and then storing significant amounts of coins on them, backing up sensitive information to cloud storage, and so on. And even among people who use good open source wallets, very few of them actually properly verify those wallets, and even fewer of them have ever actually looked at the code or tried to build the wallet themselves.

But the question wasn't "What do people commonly do?". The question was how to ensure that the app you are installing is doing what you think it is doing. The answer to that is as I described - download the code, review it personally, then build the app yourself from that code. Unfortunately lots of people take risky shortcuts and often end up paying the price for doing so.
pooya87
Legendary
*
Offline Offline

Activity: 3430
Merit: 10517



View Profile
February 22, 2022, 04:22:52 AM
 #17

But how can you be sure that the app you're going to install is the same as, or has a full copy of, the code that is publicly available for viewing on GitHub? Since you're going to install the app from the App Store or Play Store?
If you install something directly from the Apple app store or Google play store then you are right - you have absolutely no way of verifying what you are installing. This is the wrong way to install things, though.

The better option is to download the app directly from the developer, verify its signatures or hashes, and then transfer the .apk file to your phone to be installed.

The best option is to download the source code, build the binaries yourself, and then use them to install the wallet on your phone.
There is also this thing called deterministic or reproducible builds, which only a handful of wallets like Bitcoin Core and Electrum support. It is when anybody who builds the same source code following the same steps will always end up with the same binaries. This is useful for those who can't build the binaries from source themselves, and it gives the additional security assurance that the source code was not modified when building the software.

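The two checks discussed in posts #14 and #17 (verify a download against published hashes, and rely on reproducible builds so that independent builders end up with the same binary), combined in an added example that is not part of the original thread or of any wallet project's code. The file name `wallet.apk`, the builder names, the `quorum` parameter and the sha256sum-style manifest layout are assumptions made for illustration, and each manifest is assumed to have been authenticated already (for example by checking the builder's signature over it).

```python
import hashlib
import hmac
import os
import re
import tempfile

# sha256sum-style line: "<64 hex>  <name>" (text) or "<64 hex> *<name>" (binary).
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text):
    """Return {filename: lowercase hex digest}; reject malformed or conflicting lines."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = _LINE.match(raw)
        if m is None:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name!r}")
    return entries


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, name, manifests, quorum=2):
    """Check `path` against {builder: manifest text}; returns (ok, reason).

    Assumption: every manifest was authenticated beforehand (for example by
    verifying the builder's signature over it); that step is not shown here.
    """
    votes = {}
    for builder, text in manifests.items():
        digest = parse_manifest(text).get(name)
        if digest is not None:
            votes[builder] = digest
    if len(set(votes.values())) > 1:
        # Builds of the same source disagree: the build is not reproducible or
        # one builder publishes a different binary. Never pick a side.
        return False, f"builders disagree on {name}: {sorted(votes.items())}"
    if len(votes) < max(quorum, 1):
        return False, f"{len(votes)} attestation(s) for {name}, need {quorum}"
    expected = next(iter(votes.values()))
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: file hashes to {actual}"
    return True, f"{name} matches {len(votes)} independent builds"


def demo():
    """Constructed sample data: a stand-in 'wallet.apk' and three builders."""
    release = b"constructed wallet build v1\n"
    tampered = release + b"extra code\n"
    good = hashlib.sha256(release).hexdigest()
    bad = hashlib.sha256(tampered).hexdigest()
    manifests = {
        "builder-a": f"{good}  wallet.apk\n",
        "builder-b": f"{good} *wallet.apk\n",
        "builder-c": f"# attests another artifact only\n{good}  wallet.tar.gz\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wallet.apk")
        for label, data in (("clean", release), ("tampered", tampered)):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, "wallet.apk", manifests)[0]
        # The file on disk is now the tampered one; builder-b "attests" it.
        split = {**manifests, "builder-b": f"{bad}  wallet.apk\n"}
        results["split"] = verify_download(path, "wallet.apk", split)[0]
        results["quorum"] = verify_download(path, "wallet.apk", manifests, 3)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The "split" case shows why agreement between builders matters: a single publisher whose hash matches a modified binary is not enough to make the check pass.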
Sassoft (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 10


View Profile
February 22, 2022, 08:47:04 AM
Merited by vapourminer (2)
 #18

Ok all stolen money was moved from scammer's address to a bunch of addresses:
https://www.blockchain.com/btc/address/19YJVYZyuYvx9U3e6oGYsN4gqeRZeCKgje

One interesting transfer was to this address:
https://www.blockchain.com/btc/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h it holds 35016.15030071 BTC

It is hard to follow all transfers from just an explorer; I believe there are some tools that can visualize and identify where funds were moved..
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 22, 2022, 11:20:06 AM
 #19

One interesting transfer was to this address:
https://www.blockchain.com/btc/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h it holds 35016.15030071 BTC
That address is a Binance hot wallet.

What was the path of coins from your wallet to this Binance address? Obviously they have been deposited to Binance at some point, but that does not mean the person who deposited them to Binance was the person who stole from you, and even if it was, it doesn't mean they were deposited under the scammer's account or name.
DaveF
Legendary
*
Offline Offline

Activity: 3458
Merit: 6250


Crypto Swap Exchange


View Profile WWW
February 22, 2022, 01:07:30 PM
Merited by pooya87 (2)
 #20

...
Something more: I fail to understand why people are still focused so much on classical paper wallets when they can run Electrum (either safely installed and verified, or from Tails OS), generate a seed and a few addresses and.. done.

Because at times you want to hand a piece of paper to somebody. The Opendime / Satodime have a real cost to them and, as I found out, can fail. Yes, a piece of paper with a private key can be damaged or destroyed too.

In any case people shouldn't be using a website to create their bitcoin wallets in the first place! That's just silly and extremely insecure regardless of what website you are using or who controls it.

They should not be using an *online webpage* to create a wallet. Bitaddress running on an offline PC from a bootable CD is not a major security risk.

-Dave
