Scam Alert : TimeToBit/timetobit.com Scammed 3.38 BTC

[BTCat]

Translate this in english (posted 20 june in India):
https://sangkrit.net/hindi/%E0%A4%85%E0%A4%AC-%E0%A4%AC%E0%A4%BF%E0%A4%9F%E0%A4%95%E0%A5%8D%E0%A4%B5%E0%A4%BE%E0%A4%87%E0%A4%A8-%E0%A4%96%E0%A4%A8%E0%A4%A8-%E0%A4%A0%E0%A5%87%E0%A4%95%E0%A5%87-%E0%A4%AA%E0%A4%B0-%E0%A4%91/#more-79303

[serializingme]

No, as per http://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

I have also been following a lead. I have made a local copy of the website (right before the site went down). The live chat functionality used in TimeToBit seems to be custom made because there isn't any copyright on it (javascripts, stylesheets, etc.) and there is a very limited set of sites using it (read, indexed by Google). I'm trying to find out who has developed the other sites and see if there is any match from what we already know.

The site archive can be downloaded here, http://www49.zippyshare.com/v/13484773/file.html You will need Burpsuite to open the file (http://portswigger.net/burp/download.html < free version will suffice). In Burpsuite, click "File" > "Restore State".

[BTCat]

found new IP, through http://mail.knows.nl/index.php?url=timetobit.com:

Your ipadress: 117.214.24.177

https://who.is/whois-ip/ip-address/117.214.24.177

[dekodoge]

can you dump the output of

http://mail.knows.nl/index.php?url=timetobit.com

I cant view blocked due to previous malware on that site.

[BTCat]

Your browser:   Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Your ipadress:   117.214.24.177
Google pagerank:   No data av
Thumbnail:   
Dmoz Description:   
Dmoz Category:   
Alexa Links:   1
Alexa Rank:   3825324
Alexa Reach:   4739792
Alexa country   rank
Whois:   
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: TIMETOBIT.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.TIMETOBIT.COM
   Name Server: NS2.TIMETOBIT.COM
   Status: ok
   Updated Date: 20-jun-2014
   Creation Date: 20-jun-2014
   Expiration Date: 20-jun-2015

>>> Last update of whois database: Mon, 18 Aug 2014 18:52:49 UTC <<<


Domain Name: TIMETOBIT.COM
Registry Domain ID: 1863693159_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-06-20 15:05:55Z
Creation Date: 2014-06-20 22:05:00Z
Registrar Registration Expiration Date: 2015-06-20 22:05:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: ok
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 5E4C19DA260C486B955F398E601C7807.PROTECT@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: 5E4C19DA260C486B955F398E601C7807.PROTECT@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: 5E4C19DA260C486B955F398E601C7807.PROTECT@WHOISGUARD.COM
Name Server: NS1.TIMETOBIT.COM
Name Server: NS2.TIMETOBIT.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-06-20 15:05:55Z

[dekodoge]

so that IP you posted is yours?

117.214.24.177 you located in india?

[BTCat]

so that IP you posted is yours?

117.214.24.177 you located in india?

No. It might have been used while registering timetobit.com.

It's probably a proxy. 

[dekodoge]

so that IP you posted is yours?

117.214.24.177 you located in india?

No. It might have been used while registering timetobit.com.

It's probably a proxy. 

sorry i was being a fool, just when it said your IP thought it was showing requesting IP (ie you)

[serializingme]

No, as per http://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

I have also been following a lead. I have made a local copy of the website (right before the site went down). The live chat functionality used in TimeToBit seems to be custom made because there isn't any copyright on it (javascripts, stylesheets, etc.) and there is a very limited set of sites using it (read, indexed by Google). I'm trying to find out who has developed the other sites and see if there is any match from what we already know.

The site archive can be downloaded here, http://www49.zippyshare.com/v/13484773/file.html You will need Burpsuite to open the file (http://portswigger.net/burp/download.html < free version will suffice). In Burpsuite, click "File" > "Restore State".

I was wrong, the chat functionality isn't custom made.

[BTCat]

Perhaps be carefull with what you download here. (not saying it's bad, i've no idea)

About the site, it's likely build by a freelancer since there are a lot of jobposts mentioning this:
Build a website similar to the following: Cloudhashing.com timetobit.com bitvestllc.com use weebly to build the site setup SEO etc.

https://www.google.nl/webhp?sourceid=chrome-instant&rlz=1C1DVCB_enNL430NL539&ion=1&espv=2&ie=UTF-8#q=Build+a+website+similar+to+the+following%3A+Cloudhashing.com+timetobit.com+bitvestllc.com+use+weebly+to+build+the+site+setup+SEO+etc.

[serializingme]

Not a lead, just a curiosity, from the spidering results I found the pending reviews (https://www.timetobit.com/starreviews/34eayghzrtdj56rtjsh/). Apparently the review system approval mechanism was unprotected. There are 157 pending reviews, all of which state the site is a scam. They seem to have be spammed since there is a lot of repetition on the review text and they were all done on the same day. Follows some examples:

- Leave immediately, and do not get scammed like I did.  No one answers support, no payout
- Do not throw your bitcoins down the drain of TimeToBit.  Once payment is received, they stop responding, and there are no payouts
- I made a terrible mistake joining TimeToBit, one of the biggest bitcoin scam ever.  Please do not lose your money too.  No payouts, no support
- (...)

Screenshot of the webpage http://i.cubeupload.com/m2AfU0.png

EDIT: Google Cache cached the page with some of the "it's a scam" reviews http://webcache.googleusercontent.com/search?q=cache%3Awww.timetobit.com&btnG=

[jdruiter]

If there's a link with India, please check on the following:

Anstele.com, registred by Prashant Powle, Mumbai India, +91.919322607034, ppowle@yahoo.com

This was hosted on the same server as TimeToBit:
192.64.118.151    -> server1.timetobit.com (ns1.timetobit.com)   

[mlnoone]

Not a lead, just a curiosity, from the spidering results I found the pending reviews (https://www.timetobit.com/starreviews/34eayghzrtdj56rtjsh/). Apparently the review system approval mechanism was unprotected. There are 157 pending reviews, all of which state the site is a scam. They seem to have be spammed since there is a lot of repetition on the review text and they were all done on the same day. Follows some examples:

- Leave immediately, and do not get scammed like I did.  No one answers support, no payout
- Do not throw your bitcoins down the drain of TimeToBit.  Once payment is received, they stop responding, and there are no payouts
- I made a terrible mistake joining TimeToBit, one of the biggest bitcoin scam ever.  Please do not lose your money too.  No payouts, no support
- (...)

Screenshot of the webpage http://i.cubeupload.com/m2AfU0.png

EDIT: Google Cache cached the page with some of the "it's a scam" reviews http://webcache.googleusercontent.com/search?q=cache%3Awww.timetobit.com&btnG=

Well, I can clear this up right now: All those reviews were posted by me, the same day I posted the scam alert, here on this forum. 

After getting no replies from the site support, and happening to note reviews are getting posted to the home page unfiltered, I posted these using random first name-last name-email combinations, and a set of around 6 reviews, just to see if they would react..

[statdude]

Some Blockchain research on the scam:

I think most of the BTC is now here (last transaction just 2 hours ago, so he's busy moving the money  ):
https://blockchain.info/nl/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It was previously on:
https://blockchain.info/nl/address/1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

This transaction for example, has five btc 0.47704704 payments, which was the price for the 150GH/s server that day.
https://blockchain.info/nl/tx/023f860b63e21e839cbd02bfefea238650df1e18e73abc68153c72bdaf6faa83

An interesting graph of the received payments:
https://blockchain.info/nl/charts/received-per-day?timespan=60days&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address=1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

What is this address where it ended up 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL?

[dadj]

Some Blockchain research on the scam:

I think most of the BTC is now here (last transaction just 2 hours ago, so he's busy moving the money  ):
https://blockchain.info/nl/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It was previously on:
https://blockchain.info/nl/address/1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

This transaction for example, has five btc 0.47704704 payments, which was the price for the 150GH/s server that day.
https://blockchain.info/nl/tx/023f860b63e21e839cbd02bfefea238650df1e18e73abc68153c72bdaf6faa83

An interesting graph of the received payments:
https://blockchain.info/nl/charts/received-per-day?timespan=60days&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address=1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

What is this address where it ended up 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL?

I lost 748.75 bitcoins on the 23rd of September 2014, most of which ended up at 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL. I'm very interested to know who controls it. I suspect the hack resulted from the bash bug. Attack vectors could be from using the public wifi of Puri Dewa Bharata Hotel & Villas in Legian, Bali, Indonesia or an employee at Blizzard slipping in code into the update, as coins were moved very shortly after updating StarCraft II.

My set up was Bitcoin-QT unencrypted on Mac OS X 10.9.4.

https://blockchain.info/tx/7c67634b40d85ae08a6300a0f8613455d5d687772f9b982a11597418d805dd3d

Yes, I probably should have used cold storage or multi-sig. Facepalm.

[marzalpac]

can everyone interested about some news about this address contact me via pm here? will send some new info

[Rubens2005]

Some Blockchain research on the scam:

I think most of the BTC is now here (last transaction just 2 hours ago, so he's busy moving the money  ):
https://blockchain.info/nl/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It was previously on:
https://blockchain.info/nl/address/1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

This transaction for example, has five btc 0.47704704 payments, which was the price for the 150GH/s server that day.
https://blockchain.info/nl/tx/023f860b63e21e839cbd02bfefea238650df1e18e73abc68153c72bdaf6faa83

An interesting graph of the received payments:
https://blockchain.info/nl/charts/received-per-day?timespan=60days&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address=1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

What is this address where it ended up 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL?

I lost 748.75 bitcoins on the 23rd of September 2014, most of which ended up at 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL. I'm very interested to know who controls it. I suspect the hack resulted from the bash bug. Attack vectors could be from using the public wifi of Puri Dewa Bharata Hotel & Villas in Legian, Bali, Indonesia or an employee at Blizzard slipping in code into the update, as coins were moved very shortly after updating StarCraft II.

My set up was Bitcoin-QT unencrypted on Mac OS X 10.9.4.

https://blockchain.info/tx/7c67634b40d85ae08a6300a0f8613455d5d687772f9b982a11597418d805dd3d

Yes, I probably should have used cold storage or multi-sig. Facepalm.

Recently my 1.05 BTC were stolen in BITTREX.

The end address of the wallet that were sent BTC (1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL)

Recalling that this happened after I use the BOT Quatloo trader.

I remember not I enabled the API KEY to make withdrawals and still managed to break into my account to sell all the coins and had to withdraw my BTC.

Sorry my english.

[brand]

the question is how did someone even give 3.38 bitcoin.. to this site..

[notbatman]

Here we can see the scammers at Black Arrow posting in a thread about adding a time-lock feature to the Bitcoin protocol. In it they claim their BTC was stolen and sent to the following address:

Look at the size of this operation of stolen bitcoins:

https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

Yesterday there were 175k. Today 182k.

I guess this is the reason why bitcoin falls in price these days.

What makes you say that these coins are stolen?

We've chased our stolen coins here.

We suspect this is just an excuse to embezzle our money and that the convicted Romanian internet fraud artist Alexandru Ion Sovu (CEO of BA and the clown behind the BCT user blackarrow) is still in control of our BTC and the 1fsVc address.

If it's the case that 1fsVc doesn't belong to Alex then karma's a bitch motherfucker.

Some Blockchain research on the scam:

I think most of the BTC is now here (last transaction just 2 hours ago, so he's busy moving the money  ):
https://blockchain.info/nl/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

It was previously on:
https://blockchain.info/nl/address/1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

This transaction for example, has five btc 0.47704704 payments, which was the price for the 150GH/s server that day.
https://blockchain.info/nl/tx/023f860b63e21e839cbd02bfefea238650df1e18e73abc68153c72bdaf6faa83

An interesting graph of the received payments:
https://blockchain.info/nl/charts/received-per-day?timespan=60days&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address=1JvAoBTTgF36Xj7gJkpfcNHsBA8tMSyfHb

[campycoin]

Not sure how it is all connected but that addy.... 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL   is involved in this mornings localbitcoins theft

What is happening is someone owns locolbiticoins.co m <------------ don't go there

But it is the first link on google.  If you log in from there, someone is watching so they immediately see your user name, password and your 2FA so they immediately sign in on the real site and robbing the entire lbc wallet then the coins are going to 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL

Any info would be very helpful.