
MAJOR SECURITY FLAW in Metamask... Discovered By 'Good Hackers', Fixed Before Bad Ones Could Use It!

Metamask security hole

The world's most popular Crypto wallet Metamask announced they have patched a security hole that potentially could have been a DISASTER.

Thankfully, it was first discovered by 'good hackers' who immediately informed Metamask of the flaw, and told them how to fix it.  Going by the name 'The United Global Whitehat Security Team' (UGWST), the organization was able to claim a $120,000 reward for finding the vulnerability.

Metamask tells us that there were no users affected by this vulnerability. UGWST seems to be the first and only to discover it, and they only shared their findings with Metamask.

The technique, known as clickjacking, consists of camouflaging malicious code on a site so that the user clicks on it without realizing it. For example, if you fall for clickjacking, by clicking "Play" on a video you could be conferring access to the funds in your wallet.

Metamask developers immediately fixed it...

Only users of the browser extension were ever at risk, but this is the most popular method of accessing Metamask wallets.  The hackers demonstrated launching Metamask in an iframe (that is, a website within another website) and setting it to 0% opacity, in other words a completely transparent window that the user would have no idea existed.  Then it's a matter of tricking the user into clicking specific locations on their screen, unaware they're actually pressing an invisible button that confirms a transaction.

It could look like a pop-up ad, but the 'X' to close it is actually the button to confirm sending all your Ethereum to someone, for example.
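For ordinary web pages, the defence against this kind of invisible framing is to tell the browser who is allowed to embed the page. The following added example (not from the original article, and not Metamask's fix, which the article does not detail) classifies a response's `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers; the function names and sample headers are constructed for illustration.

```javascript
// Added example: who may render this response inside an <iframe>?
// `headers` maps lower-case header names to arrays of raw values.
// All names and sample values below are constructed for illustration.

const RANK = ['blocked', 'same-origin', 'allow-listed', 'any-origin'];

// Split one CSP policy into { directive: [sources] }; first occurrence wins.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Classify the source list of one frame-ancestors directive.
function classifyAncestors(sources) {
  const s = sources.map((x) => x.toLowerCase());
  if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return 'blocked';
  // A bare wildcard or a scheme-only source lets any site frame the page.
  if (s.some((x) => x === '*' || /^[a-z][a-z0-9+.-]*:$/.test(x))) return 'any-origin';
  if (s.every((x) => x === "'self'")) return 'same-origin';
  return 'allow-listed';
}

function framingVerdict(headers) {
  const verdicts = [];
  for (const value of headers['content-security-policy'] || []) {
    // One header value may carry several comma-separated policies.
    for (const policy of value.split(',')) {
      const sources = parseCsp(policy)['frame-ancestors'];
      if (sources !== undefined) verdicts.push(classifyAncestors(sources));
    }
  }
  if (verdicts.length > 0) {
    // Every policy must allow the embed, so the strictest one decides.
    const strictest = Math.min(...verdicts.map((v) => RANK.indexOf(v)));
    return { verdict: RANK[strictest], via: 'frame-ancestors' };
  }
  // X-Frame-Options only matters when no frame-ancestors directive is present.
  const xfo = new Set(
    (headers['x-frame-options'] || [])
      .flatMap((v) => v.split(','))
      .map((v) => v.trim().toLowerCase())
      .filter(Boolean)
  );
  if (xfo.has('deny')) return { verdict: 'blocked', via: 'x-frame-options' };
  if (xfo.has('sameorigin')) {
    // Conflicting values are treated as a block.
    return { verdict: xfo.size > 1 ? 'blocked' : 'same-origin', via: 'x-frame-options' };
  }
  // Header missing, or only values browsers ignore (e.g. obsolete ALLOW-FROM).
  return { verdict: 'any-origin', via: 'none' };
}

// Constructed sample responses.
const SAMPLES = {
  noHeaders: {},
  obsoleteXfo: { 'x-frame-options': ['ALLOW-FROM https://partner.example'] },
  xfoDeny: { 'x-frame-options': ['DENY'] },
  cspSelf: { 'content-security-policy': ["default-src 'self'; frame-ancestors 'self'"] },
  cspSchemeOnly: {
    'content-security-policy': ['frame-ancestors https:'],
    'x-frame-options': ['DENY'], // not consulted once frame-ancestors exists
  },
  twoPolicies: {
    'content-security-policy': ["frame-ancestors https://partner.example, frame-ancestors 'none'"],
  },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const { verdict, via } = framingVerdict(headers);
  console.log(`${name.padEnd(14)} ${verdict.padEnd(12)} (decided by ${via})`);
}
```

A verdict of `any-origin` means any other site can place the page in a transparent frame like the one described above.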

Make Sure You're Up To Date...

By default Metamask automatically updates, but double check yours to be safe.  Open Metamask, go to 'settings', then 'about', and make sure you have version 10.14.6 or above.

If any of those numbers are lower, you need to update. 

Hacking for good can be a profitable venture...

Metamask awarding the bug finders $120,000 reflects a very common practice: virtually all major players in tech offer a 'bug bounty', giving hackers an alternative, completely legal way to turn their discoveries into profit. 

UGWST, the organization that discovered this has also helped Apple, Reddit, Microsoft, and performed security audits for and OpenSea. 

Author: Oliver Redding
Seattle Newsdesk  / Breaking Crypto News / Dimefi Review

$25 Million In Crypto HACKED, Stolen... And RETURNED!? Inside The Recovery Operation...

Crypto Loan Site Hacked

Decentralized cryptocurrency loan platform 'Lendf.Me' suffered a security breach on April 18th, in which around $25 million worth of cryptocurrency was stolen.

The hacker used an exploit in the platform's DeFi smart contracts: the callback mechanism enabled them to withdraw ERC777 tokens repeatedly, draining the account without the new balance being immediately updated to show the theft, until it was too late.
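The flaw described above is a reentrancy bug: the token's callback hands control to the recipient before the lending contract has recorded the withdrawal. The following added example is a toy model in plain JavaScript, not Solidity and not Lendf.Me's contract code; all class names, accounts and amounts are constructed. It shows the pay-then-record ordering beside a version that records first and rejects nested calls.

```javascript
// Toy model of a token with a recipient callback and a pool that pays out of
// it. Added illustration only; every name and amount here is constructed.

class HookToken {
  constructor() { this.balances = new Map(); this.hooks = new Map(); }
  balanceOf(who) { return this.balances.get(who) || 0; }
  mint(who, amount) { this.balances.set(who, this.balanceOf(who) + amount); }
  onReceive(who, fn) { this.hooks.set(who, fn); }
  transfer(from, to, amount) {
    if (this.balanceOf(from) < amount) throw new Error('insufficient tokens');
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    const hook = this.hooks.get(to);
    if (hook) hook(from, amount); // control passes to the recipient's code
  }
}

class BasePool {
  constructor(token) { this.token = token; this.address = 'pool'; this.ledger = new Map(); }
  deposited(user) { return this.ledger.get(user) || 0; }
  deposit(user, amount) {
    this.token.transfer(user, this.address, amount);
    this.ledger.set(user, this.deposited(user) + amount);
  }
}

// Pays out first, then records the withdrawal from a stale read.
class VulnerablePool extends BasePool {
  withdraw(user, amount) {
    const before = this.deposited(user);
    if (before < amount) throw new Error('insufficient deposit');
    this.token.transfer(this.address, user, amount); // callback runs in here
    this.ledger.set(user, before - amount);          // ledger updated too late
  }
}

// Records the withdrawal before paying out and refuses nested calls.
class HardenedPool extends BasePool {
  constructor(token) { super(token); this.locked = false; }
  withdraw(user, amount) {
    if (this.locked) throw new Error('reentrant call');
    const before = this.deposited(user);
    if (before < amount) throw new Error('insufficient deposit');
    this.ledger.set(user, before - amount);
    this.locked = true;
    try { this.token.transfer(this.address, user, amount); }
    finally { this.locked = false; }
  }
}

// One depositor re-enters withdraw() from its receive callback, up to 3 times.
function runScenario(PoolClass) {
  const token = new HookToken();
  const pool = new PoolClass(token);
  token.mint('alice', 100);
  token.mint('mallory', 10);
  pool.deposit('alice', 100);
  pool.deposit('mallory', 10);

  let reentries = 0;
  token.onReceive('mallory', () => {
    if (reentries < 3) { reentries += 1; pool.withdraw('mallory', 10); }
  });

  // Emulate an on-chain revert: a failed call leaves no state changes behind.
  const snapshot = { balances: new Map(token.balances), ledger: new Map(pool.ledger) };
  let reverted = false;
  try {
    pool.withdraw('mallory', 10);
  } catch (err) {
    token.balances = snapshot.balances;
    pool.ledger = snapshot.ledger;
    reverted = true;
  }
  return {
    reverted,
    poolTokens: token.balanceOf(pool.address),
    malloryTokens: token.balanceOf('mallory'),
    malloryLedger: pool.deposited('mallory'),
    owedToAlice: pool.deposited('alice'),
  };
}

console.log('vulnerable:', runScenario(VulnerablePool));
console.log('hardened:  ', runScenario(HardenedPool));
```

In the vulnerable run the pool ends up holding fewer tokens than it still owes the other depositor, while the ledger entry for the withdrawing account reads a harmless-looking zero.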

Upon discovering this, things couldn't have looked any worse, as the CEO publicly made this depressing statement while sharing the news:

"This attack not only harmed our users, our partners, and my co-founders, but also me personally. My assets were stolen in this attack, too.

This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down."

While it sounded like the company was down and out, possibly forever - this was just the beginning of the story.

The site's CEO Mindao Yang wanted to try negotiating, so he had his team leave a note for the hackers on the blockchain, saying "Contact us. For your better future" along with their direct contact information.

An Aggressive Counterattack...

Here's where they got it right - instantly their team sprang into action, bringing in security firm SlowMist, which specializes specifically in blockchain based cybersecurity, along with the Singapore Police.

They then announced on their social media that the process of tracking down the hackers had begun.

While we don't know what (if anything) was left behind as far as clues that could lead to the hackers, the company began a campaign to put them in a state of paranoia, stating on their site that there were 'traces left by the hackers before and after the attack' allowing them to 'cross-check with the resources of various parties at home and abroad to obtain breakthrough clues, getting closer to the hacker'.

At the same time, they began contacting other exchanges and making them aware of the hack, getting them to blacklist and freeze any wallets receiving the stolen coins.

The Hackers Couldn't Handle The Heat...

The stress was too much, and the hackers began to crack - the combo of a security firm in the process of tracking them down, and the coins becoming hard to spend as more exchanges blacklisted them, led the hackers to decide it just wasn't worth it anymore.

They began returning some of the stolen crypto, then something must have really spooked them - the following day they sent back everything they had left.

Amazingly, Nearly All Of the $25 Million Was Recovered...

While the company stated 'all' the assets had been recovered, we were only able to verify $24 million of the original $25 million as being returned. But we won't bother getting hung up on a tiny $1 million lost, this was still a job well done!

Any users with funds stolen have been promised 100% will be returned.

The company is now bringing in 3rd party experts to both analyze what went wrong here, and what needs to be done to fortify their security in the future.

It's safe to assume this was part of the deal with the hackers - the company has withdrawn their request to press charges with the Singapore Police. 

Author: Ross Davis
E-Mail: Twitter:@RossFM

San Francisco News Desk

Crypto Thief Arrested in US After Stealing $1M+ From 75 Victims in 20 States...

Crypto news
While mainstream media reports are making this kid sound like a mastermind, the truth is, this trick takes virtually no skills whatsoever.

That's why it's so disturbing.

19 year old Yousef Selassie was arrested and charged with first-degree grand larceny and identity theft when authorities traced 75 victims back to him as he began to spend his earnings.

“He sought them out based on the industries they were involved in” said Brooklyn Assistant DA James Vinocur, explaining how Yousef targeted people in tech believing they were more likely to own high amounts of cryptocurrency.

A search of his residence found 9 phones, 3 flash drives, and 2 laptops - all containing evidence against him.  He pleaded not guilty.

Shockingly simple...

Authorities say he used a "SIM swap" to pull it off, and when you hear how easily this is done, it will shock you.
  • Get a blank SIM card (available on Ebay and hundreds of other sites) 
  • Put it into a cellphone.
  • Call the target's cellphone provider.
  • Pretending to be the target or someone close to them, say you recently lost your phone, you ordered a new one, and need it activated.
  • They will ask for the SIM card's ID number.
  • If everything went correctly, your phone is now on the victim's account, you control their phone number, you receive their calls and texts.
  • Using the 'I lost my password' feature everything from crypto exchanges to online banking has, have them text a code to reset it.
  • Since the text messages now go to you, you're now able to reset the passwords to whatever you wish.
  • That's it, you have full access to everything. 
Some tricks used to get the customer service rep from the cell phone company to comply include pretending to be someone's personal assistant, which would explain why you may not be able to answer every question they ask you.

Or, pretend to be elderly, make every step take way longer than usual, make the customer service rep frustrated and by the time they figure out what you need them to do, they'll rush to get you off the line.

Who's to blame?
Absolutely, it's the cellphone providers.  In almost every case a rep from the company doesn't go through the process of verifying they are talking to the true account owner, or, as mentioned above when they believe they're speaking with someone's personal assistant, they will forgive not knowing things like the mother's maiden name.

The solution? This can be tough, because sometimes we forget what we chose as our passwords or pins. I've never had to do this process myself, and I have no idea what answers I gave to the security questions when I signed up... 8 years ago now.

But frankly, if I forgot, it's my fault.  So perhaps a foolproof system where the customer service reps cannot change SIM information without first entering information given by the customer is the way to go. 

If they forgot, a verification code will have to be mailed to the customer's home address. It could be sent overnight (for a fee) and people will have to accept this is being done in the name of protecting their data.

These days, so much of our lives are on our phones.  It's a change that happened without much thought behind it, but most people don't feel like losing their phone is the same as losing their wallet with their credit cards in it.  But really, it's exactly like that.

Could someone call a bank and get someone else's login information by saying they are their personal assistant? Would the bank reps forgive not knowing a few pieces of personal information? Hell no.

Now keep in mind, through someone's cellphone you can access that same account! That's why cellphone providers need to operate with the same security standards as the bank. 

Author: Ross Davis
E-Mail: Twitter:@RossFM

San Francisco News Desk

Facebook's Libra Cryptocurrency HACKED - Major Security Flaw Discovered in Early Version of Libra Code...

A security hole was discovered in Facebook's soon-to-launch cryptocurrency, the 'Libra'.

The vulnerability was discovered by OpenZeppelin, a firm that has conducted security audits for many of the major players in the cryptocurrency industry including Coinbase, the Ethereum Foundation, Brave, Bitgo, Shapeshift and more.

The exploit allowed for text that appeared to be harmless inline comments, to be executed as code. The firm provided some examples of how a bad actor could use this vulnerability, including:

  • A faucet that mints assets (Libra Coins or any other asset on the Libra network) in exchange for a fee can deploy a malicious module that takes a fee but never actually provide the possibility of minting such asset to the user.
  • A wallet that claims to keep deposits frozen and release them after a period of time may actually never release such funds.
  • A payment splitter module that appears to divide some asset and forward it to multiple parties may actually never send the corresponding part to some of them.
  • A module that takes sensitive data and applies some kind of cryptographic operation to obscure it (e.g. hashing or encrypting operations) may actually never apply such operation.

But this is hardly a complete list, when discussing a security hole that allows for someone to execute code, the possibilities are endless - it all depends on how creative, or malicious, the person writing that code is.

What's normal here, and what isn't...

Discovery of security holes while a project is in the development phase is beyond common - it's standard.

The only thing we found surprising - the large gap of time between when OpenZeppelin said they informed Facebook on Aug 6th, and the date Facebook had finally fixed the code, Sept 4th.

Even odder, changes were made to this section of code during this time, but those changes left the security hole open for another 3 weeks.

Facebook says security a top priority...

Speaking to one of my contacts inside Facebook, they said Libra "has and will continue to go through some of the most intense security auditing/testing imaginable" adding "we're letting a lot of hackers take a stab at Libra, and it won't be launched without consensus among the developers that it's fully secure, and ready for the masses".

In all fairness, while I can't say I'm convinced Facebook entering the crypto space is a good thing - it is good they're letting outsiders put Libra's security through rigorous testing.

Nothing is more dangerous than a group of developers so sure their code is flawless, they don't see the need to test that claim before releasing it to the public. That's how insecure software ends up opening security holes on thousands, or millions of computers.

Author: Ross Davis
E-Mail: Twitter:@RossFM

San Francisco News Desk

UK Government: £15 million ($19M USD) taken by crypto scammers over the last 12 months...

UK Government has just released findings saying that over the last 12 months, citizens have lost £15 million ($19M USD) to crypto scams...

Before we dive in let's remember that in the same period of time, over £2 BILLION worth of credit card fraud was committed - a leap of almost 40% higher in just over a year.

The answer to 'why does this happen?' is simply 'if it's money it's a target' and even then lately it seems the word is out - Bitcoin is traceable. In countries like the UK and US it's become a huge challenge to take that final step of converting crypto to fiat without first having to confirm your identity with an institution that will do it.

The stats come from Action Fraud, which is where UK fraud victims are asked to call and report scams they encounter.

People getting scammed is hardly a surprise to anyone in the cryptocurrency world, as you cannot participate in the online communities on Reddit, Twitter, Telegram, Discord, or Facebook without seeing scams daily. It was actually a surprise that the numbers aren't higher!

I believe the key reason is: most people tend to only get scammed once in the crypto world - then become so paranoid it doesn't happen again (with the exception of the ultra-dumb, which I will mention below).

Unlike getting your credit card stolen, no one reimburses you for stolen cryptocurrency.  Because of this, the first time stings, and it will be remembered.

A couple of other interesting pieces of information - many could have avoided becoming a victim with a simple Google search of the name of the website they were sending money to. Scammers have been pushing the same garbage for a while now and a search will bring up more results saying it's a scam than pages from the scammers themselves.

Also, some people say they were DOUBLE SCAMMED!  After being tricked into sending the thief their money, someone contacted them saying they can recover it, for a fee.  That fee was then stolen and the person disappeared.

You may ask, why wouldn't someone say 'I'll pay you a percentage of the funds you recover'?  Well, because we're not talking about the brightest people with that one.

If you're ever skeptical, put the community to work for you - ask people with more experience.  They're easy to find.  Just make sure you aren't talking to another scammer by posting it publicly somewhere like Reddit or BitcoinTalk.

Author: Mark Pippen
London News Desk

Group tricked Bitcoin ATMs in Canada to give cash for unverified transactions, now over 100 times! But forgot ATMs have cameras on them...

A group of at least 3 people in Canada have discovered a way to trick Bitcoin ATMs into releasing cash by stopping the transfer of BTC before it's gone through all authorizations, but after all the money has been dispensed.

A clever trick, but they weren't smart enough to realize - they're on camera. Canadian law enforcement posts photos of all of them on their website.

Arrests are expected soon. 

Security Alert - Samsung Galaxy S10 facial recognition is EXTREMELY easy to hack...

When it comes to storing cryptocurrency on mobile devices, too many people rely on their phone's security to act as the only safeguard to accessing the wallet within.  Not to mention, if someone is in your phone, your 2-factor authentication is likely compromised as well.

Not just wallet apps, but even exchanges like Binance and Coinbase will verify your transactions by sending a text message... to your unlocked stolen phone.

Those of us who follow the 'never leave funds on an exchange' rule probably have a billing method saved with our exchange of choice, so the person in control of your phone could simply purchase coins, then transfer them. There would be nothing to stop them from reaching your daily buying limit.

That is, if you rely on facial recognition.

While already considered to be the least secure of all methods, it's still alarming to think that somehow it's gotten even less secure with time.

Unlocking the new Samsung Galaxy S10 with facial recognition is this easy:  with another phone play a video of the phone owner and hold it up to the front camera of the S10 (Pictured above).  That's it, you're in.

Sure, you need a video of the phone's actual owner - but I feel like I could find one for the majority of people I know.

Watch how easy it is in this video from Unbox Therapy:

So what's the solution? Only use the fingerprint scanner to unlock, and disable facial recognition completely.  While Samsung deserves some criticism for this, they also deserve some credit for an extremely secure, and hard to fool fingerprint scanner.

Author: Mark Pippen
London News Desk

US Government recovers and returns stolen BTC to Bitfinex... but only 28 out of the 120,000 total.

Back in August of 2016 Bitfinex fell victim to one of the worst hacks among the more 'mainstream' exchanges when the hackers got away with stealing a total of 120,000 BTC.

Today the US Government returned (almost) 28 of them (27.66 BTC) as the result of "law enforcement efforts". No additional details have been provided from US officials.

My best guess at what happened - they arrested someone who sold something to the actual hackers, but not the hackers themselves.

At its peak the tokens would have been worth nearly $228 million.

Bitfinex has just shared the following press release:

Since the well documented hack in 2016, Bitfinex has collaborated with international law enforcement agencies to provide intelligence and assist with investigations. Bitfinex was alerted in November 2018 that the U.S. government had obtained bitcoins believed to be proceeds from the 2016 hack.

Bitfinex has now retrieved 27.7 BTC and, further to the recovery strategy outlined in the aftermath of the hack, this is being converted to USD and paid to RRT (Recovery Right Token) Holders.

RRTs and Bitfinex’s Hack Recovery Plan: Following the theft on August 2nd 2016, Bitfinex took a unique approach, generalising the losses across all accounts and crediting BFX tokens to customers at a ratio of 1 BFX to 1 dollar lost. Bitfinex honoured its commitment to repay the losses. Within eight months of the security breach, all BFX token holders had their tokens redeemed at 100 cents on the dollar or exchanged their tokens for, directly or indirectly, shares of the capital stock of iFinex Inc. All BFX tokens were destroyed within this process. Additionally, Bitfinex created a tradable Recovery Right Token (RRT) for BFX holders that converted BFX tokens into shares of iFinex.

The benefit to RRT holders is that in the event of any retrieval of the stolen property, and after any outstanding or unconverted BFX token holders have been reimbursed, recovered funds are distributed to RRT holders, up to 1 dollar per RRT. As all BFX tokens have been redeemed and destroyed, the full amount of recovered bitcoins today is being distributed pro rata to the RRT holders.

“Over two years following the hack of the Bitfinex platform, today we see the results of a clear and robust response strategy and the efforts of the U.S. government. It gives us great pleasure to be able to reimburse our traders that were loyal to us and believed in us at a very difficult time. We would like to thank U.S. federal law enforcement agencies for their ongoing efforts to investigate the security breach and their commitment to seizing and returning stolen assets.

We will continue to assist law enforcement with their inquiries, and also once again extend an open invitation to the hackers, or anyone harbouring information pertaining to the breach, to make contact in whichever medium they feel most secure with, to finally resolve the situation in a mutually beneficial manner.” says Bitfinex CFO Giancarlo Devasini

Author: Mark Pippen
London News Desk

Leaked images of the Samsung Galaxy S10 show a built-in cryptocurrency wallet!

Leaked images show the ability to create/import wallets
Coming from German site "All about Samsung" the leaked images are described as "prototypes" - so assuming they're legitimate, it's worth noting this is far from the final version.

While there's no shortage of wallet options for mobile devices, there's one fairly huge advantage to the manufacturer building it as opposed to using a downloadable app - this cryptocurrency wallet can use Samsung's hardware biometric security.

So far (as you can see in the image above) the only cryptocurrency listed as 'supported' is Ethereum.  Safe to assume this includes all ERC20 tokens, so that's several thousand to begin with.   Also safe to assume that Bitcoin will be supported by launch.

For now the big question is - what other coins will be supported? 

Any number of cryptocurrencies can be added eventually, but being included at launch will come with some clout.

Samsung has sold a total of 295 million smartphones in the most recent 4 quarters (1 year) on record. This is a quick way to having a world with a lot of people with crypto wallets in their pocket.

Release date is less than a month away - Feb 20th!

Author: Mark Pippen
London News Desk

The next generation of hardware cryptocurrency wallets is here - a look at the fresh new features, and big improvements...

We spoke with Kenny Fok, Founder and CEO of FLXWallet, an innovative hardware cryptocurrency wallet to find out what we can expect from the next generation of this technology...

What was your motivation to build the FLX Wallet? What have the others been missing or doing wrong in your opinion?
The main motivation, I would say, came from the difficulties and complexity of crypto wallets. There’s a steep learning curve for less tech savvy people who want to get into cryptocurrency. We used some of the mainstream wallet offerings out there and basically said “this is really difficult”. Being an engineer for almost two decades, I immediately thought - we can make this easier. I guess that leads into what’s been missing with crypto wallets - ease of use and convenience.

Tell us a bit about your background in the cryptocurrency world, and the tech/hardware sector.
After working at Qualcomm as Director of Engineering for over 17 years, I founded eSmart Tech Inc. in 2015 for providing world-class product design and engineering services. Our team, with a combined 44 granted and 10+ pending US Patents, is constantly devising innovative ideas. We have delivered over 10 embedded product designs such as Smart IoT devices to our customers. In 2018, I founded FLX Partnership for cryptocurrency projects. FLX has leveraged eSmart's engineering team for building FLX One.

I imagine there's not a whole lot of people with prior experience in building hardware cryptocurrency wallets. With that in mind, tell us about your team, how did you go about finding and recruiting them? What special skill-sets of your team show in the final product? 
That’s true, it’s a relatively new type of device. Basically, a hardware crypto wallet is an embedded system. Embedded systems and mobile devices is what I specialized in during my years at Qualcomm. That certainly gave me an edge on finding people with the right skill-sets to make a successful product. I think the speed of our development definitely highlights the skill-sets of the team. We’ve been able to overcome many challenges and add great features to the FLX One, very quickly. There’s a good synergy with this team.

Of course, when it comes to a cryptocurrency wallet in any form - security is the top concern. How has FLX Wallet addressed those concerns? 
Security was definitely a big concern from the start of the project. Every decision we made for the hardware and software on the FLX One, security was at the forefront. During development we purchased tools to help us find holes in the design and attempt to hack the FLX One. We also regularly test our firmware and mobile apps to make sure it stays secure. Details like a hardware cutoff for Bluetooth on the wallet, the transaction signing process, the FLX Key, firmware tamper detection, and many other features, were all part of making the FLX One as secure as possible.

Walk us through the process of recovering a lost wallet?
This is probably one of the most exciting features of the FLX One. We wanted to offer something new and easier to the way existing crypto wallets implement back up and recovery. The standard backup method for wallets is writing down a bunch of phrases on a piece of paper, which we also offer as an option on the FLX One. Every FLX One does come with an additional piece of hardware, the FLX Key. This key, which we actually shaped to look like a key, is integrated into the setup of your wallet. During setup, you’re instructed to insert the FLX Key into the FLX One, via the integrated USB connector. The FLX One generates the information needed to backup your wallet and copies it to the FLX Key, all offline, for security. This backup is encrypted and the FLX Key is permanently locked. You store the FLX Key in a secure location in case you lose or break your FLX One. If you need to restore, it’s as simple as plugging in the key during a new wallet, under the restore option. In a matter of a few seconds, your FLX One is restored. This patent pending design makes backup and recovery on the FLX One much more convenient, and we think, almost expected with modern tech users.

Tell us about the iPhone and Android apps...

The iPhone and Android apps are basically the way you use the FLX One to send/receive crypto, use the built in exchange, set your active coins list, and many additional features. The FLX One connects to the mobile app via an encrypted Bluetooth connection. Some individuals hear wireless, and may feel uncomfortable with having a wireless signal for someone to grab. We have taken this potential security concern into account. With the FLX One, nothing a thief can use is transmitted over the air on the FLX One. We like the mobile phone app approach for convenience, and to make using crypto more pragmatic for mass adoption. If crypto is going to be a method of everyday purchases in the future, it needs to be mobile. You don’t exactly want to bust out a full laptop at the counter and connect cables to make a transaction. More people have access to a mobile phone over a laptop in today’s world as well. A mobile app, just makes sense.

Which tokens is the wallet currently compatible with? Any new additions on the horizon?
Currently, the FLX One supports most of the major tokens out there. Our recent release has Ripple and DASH support and the integrated Exchange feature. We are developing support for Monero, which will be released soon as well. There’s about 25 tokens supported, at the moment. We also support any ERC-20 token. These tokens are all natively supported on the FLX One. If you’ve used some of the mainstream wallets out there, this is definitely an advantage. This means that all you need, is the FLX One and the mobile app, no 3rd party apps required. As far as new additions on the horizon - definitely! We have lots of exciting things on the FLX roadmap. Luckily, you can update the firmware on the FLX One, so you can stay up to date with all future features. You can also visit, or join one of our social media platforms to stay up to date on what we are working on.

Where can the FLX hardware wallet be purchased? 
The FLX One can be purchased on Amazon and direct from our website,

Author: Justin Derbek
New York News Desk

Binance CEO calls out scammers posing as his employees on LinkedIn...

For those who may not know, exchanges typically charge cryptocurrency startups a fee to list their new coin - and of course the exchange they all want to get on is Binance, which currently has the highest daily trading volume.

That's why scammers have taken to LinkedIn to contact the people behind these new coins, or better yet - bait them into making contact by listing their employer as Binance with job titles like 'listing coordinator'.

They then guide them through an entirely fake application process, which of course ends with them being approved to get their coin listed - all they have to do is finalize it by sending over that listing fee.  That's when the scammer disappears with the funds.

The scam isn't new by any means, but it's gaining popularity, and that caused Binance CEO Changpeng Zhao, known to most as 'CZ' to post this public warning on Twitter saying "Most of the 500+ “Binance employees” on LinkedIn are FAKE. "

Just a few weeks ago another reporter here at the Global Crypto Press covered a different scam story also involving Binance (among others) except in this one, the people posing as employees distribute a very legitimate looking toll free 'support' phone number, and when someone calls for support they actually get scammed into giving away their login information.

Author: Mark Pippen
London News Desk

Blockchain Spies: The US Government sets out to take the privacy out of 'privacy coins'...

I have to admit, the timing seems odd.  Earlier this year I published an article in response to the DEA sharing their findings on cryptocurrency titled "DEA Special Agent: 90% of crypto transactions used to be for illegal purposes - today that number is just 10%."

But even with illegal cryptocurrency usage at an all-time low, and more legitimate entities entering the market every week, the US Department Of Homeland Security sees the small number of bad apples as a priority.

Perhaps, just to 'get in front' of a problem, before it even becomes one.

A just-released document on the DHS website invites private businesses to contact them if they believe they can help when it comes to finding solutions to the problems they outline within.  One section of this document dedicated to blockchain is titled "Blockchain Applications for Homeland Security Forensic Analytics".

They begin by mentioning two of the top privacy coins by name:

"This proposal seeks applications of blockchain forensic analytics for newer cryptocurrencies, such as Zcash and Monero."

They explain their reasoning as:

"A key feature underlying these newer blockchain platforms that is frequently emphasized is the capability for anonymity and privacy protection. While these features are desirable, there is similarly a compelling interest in tracing and understanding transactions and actions on the blockchain of an illegal nature." 

If a person or company thinks they can do it - they'll need to explain how, build a prototype, and then show it in action.  Pull it off - and you'll land a valuable government contract.

Now the question is - how private are those privacy coins?  The motivation to find holes in their security just got a lot stronger.
Author: Ross Davis
E-Mail: Twitter:@RossFM
San Francisco News Desk

Scammers launch toll free 'customer support' numbers posing as Binance, Coinbase and others - stealing the crypto of those who call...

I've covered a variety of scams in the cryptocurrency world, more than I wish I had to, and one thing I'm noticing is - they just keep getting bolder.

Until now things have missed that 'personal touch' - awhile ago the big hustle they had going was just making fake exchange sites and when someone entered their login info, it would really just send the victims username and password to the scammers - just those old phishing tricks that have been around since the internet.

Then they moved on to posing as celebrities on Twitter, and running fake "crypto giveaways" - but of course to receive your free crypto, for some reason you had to send them some first... I still don't know how anyone falls for that.

There's a variety of others, too many to list here, but my point is they were all done by some guy hiding behind a computer screen, who was never seen or heard.

But now - they're getting their victims to actually call them on the phone!

So here's how it works - the scammers now have real, toll free phone numbers, and they're posting them everywhere they can.

I've found these numbers showing up as the customer support lines for a variety of well known cryptocurrency exchanges and blockchain based products and services  - Binance, Coinbase, Ledger, Tezos, Bittrex, Kraken and others.

Then to ensure the phone numbers that belong to them show up when someone does a Google search, they've created pages on a variety of popular social networking sites including Facebook, LinkedIn, and GitHub - many that appear to have been operating for weeks now...

Fake CoinBase support on LinkedIn.

Fake Binance support on LinkedIn.

Fake Binance support on Facebook.

Fake Binance support on GitHub.
So then, to find out exactly how the scam works - I had to call them myself.

Once I dialed, some kind of automated system picked up immediately and placed me on hold, classical music then began to play - to their credit, it really was feeling like a typical customer service call experience. But after sitting on hold for about 15 minutes, I just hung up.

I figured I would try again the next day... but to my surprise - they called me!

The first call I placed to them was around 1pm in the afternoon here in San Francisco.  But the return call I was receiving came in at 2:20am - a pretty clear sign that these guys aren't in the USA.

I answered and they informed me they were with "blockchain support" - which makes sense because they can't say which exchange they're from, because they don't know which exchange I was calling them for - they spam out the same phone number for all of them!

I stayed on the line just long enough to get the rundown of how they pull it off - first they have you download TeamViewer, for those who aren't familiar with it, it allows two people to connect to each other and one to control the other person's computer.  It's a program used for a variety of legitimate reasons, but it's a dangerous tool in the wrong hands.

What they then do is have someone log in to their account, seize control of the computer, and while under the scammers' control they will send all of your cryptocurrency to their wallets.

The most popular numbers associated with this scam I discovered are:


I'm only putting them in this article for one reason - now when someone does a Google search to see if the phone numbers are legitimate - they'll find this.

Be careful out there and remember - never find contact info for an exchange anywhere except their official site.
Author: Ross Davis
E-Mail: Twitter:@RossFM
San Francisco News Desk

Funds disappear from Canadian exchange - users then 'hunt down' the CEO after company deletes their social media...

We've been tracking this story since yesterday, and as soon as we think it's reached a point where we could publish an article - the story takes another wild turn.  There's surely more to come, but what we know so far is pretty interesting.

The exchange is called "MapleChange" and is based in Canada, and the problems all began yesterday when users of the exchange noticed all of their tokens were gone.

That's when they made the following announcement on Twitter:

At this point, while their users weren't happy, they seemed to be patiently waiting to see what MapleChange would do next, and find out what the results of their 'investigation' would be.

But before receiving any updates on what happened to their funds they noticed MapleChange deleting their social media accounts, starting with their Discord chat channel. At this point their Twitter account was still active and users started publicly slamming the company.

Accusations varied from saying MapleChange was simply trying to run away from the problem, to saying they were the ones behind the whole thing, that MapleChange stole the funds themselves, and were currently in the process of executing an "Exit Scam" - something both ICOs and small exchanges have been caught doing in the past, where they raise funds, then fake being victims of hackers as an excuse to then steal those funds.

MapleChange responded to these accusations on Twitter with:

Then - their Twitter account disappeared as well.

I thought this was all we would hear for a while, but things took another turn - as Reddit users got on the case and tracked down the personal information of the exchange's CEO and began posting it everywhere MapleChange was being discussed, as shown in this Tweet from a Twitter account created just to troll MapleChange:

Suddenly, MapleChange re-activated their accounts - both their Twitter and Discord channel were now back online.

Many are saying it's more than a coincidence that as soon as the CEO was 'hunted down' - MapleChange suddenly returned. But MapleChange offered this explanation:

This brings us to what's happening now - it appears all Bitcoin and Litecoin are gone forever, the rest will be returned once they can "properly identify customers and hand back the proper amount" according to MapleChange.

Still unknown is the value of Bitcoin and Litecoin stolen. While initially accused of losing 919 BTC, MapleChange insists "We have NEVER had 919BTC in our wallet".

Also still unknown is what happens next as far as Canadian law enforcement, and civil actions against MapleChange that will surely follow. 

Here in the US, the FBI would be examining the exchange's servers, and users would be preparing their lawsuits. But this is a first for Canada and we'll soon be learning how they respond to such incidents involving cryptocurrency.

If anyone has additional information, contact us or reach out on Twitter @GlobalCryptoDev.

Author: Ross Davis
E-Mail: Twitter:@RossFM
San Francisco News Desk

Cryptocurrency exchanges quick to shift blame from incompetent employees, to North Korea - following massive amounts of stolen funds...

Every year respected cybersecurity outlet Group-IB releases an annual report, and according to TheNextWeb which obtained an advance summary of their latest - North Korea is to blame for the majority of major cryptocurrency exchange hacks.

The date range covered is Feb 2018 to Sept 2018, where $882 million worth of cryptocurrency was stolen, and North Korea is getting credit for $571 million of it.

Problem is, as soon as the words "North Korea" come up, everyone focuses on who did it, instead of how they did it.

Chart of recent hacks. "Lazarus" is a NK hacker group. 
The most alarming part is - the methods used aren't very sophisticated.

“Spear phishing remains the major vector of attack on corporate networks. For instance, fraudsters deliver malware under the cover of CV spam that has a malware embedded in the document. After the local network is successfully compromised, the hackers browse the local network to find work stations and servers used working with private cryptocurrency wallets,” the report says.

Let's be clear about what we're looking at here - incompetence within the exchanges, and poorly trained employees.

Every method listed above involves a human within an exchange making amateur-level mistakes - not actual security holes in their networks.  Whether it be opening an e-mail attachment that turns out to be malware, or "social engineering" which is a nice way to say - someone simply talked someone within the exchange into letting them into someone else's account.

Which makes me wonder - sure, I'm convinced North Korea has state funded operations dedicated to stealing cryptocurrency - I'm definitely not arguing their innocence.

But when the exchanges are falling for old, simple scams leading to massive amounts of stolen funds - you have to wonder if they'd even admit it if the suspect was actually a 14 year old wanna-be hacker.  A quick way to distract the public from where they went wrong, would be to switch the conversation to the hot topic of North Korea.  Remember, it's in part these exchanges' "internal investigations" coming to these conclusions.

But the fact is, blame here falls directly on these exchanges which clearly have employees with high levels of access, and low security training. 

Even if North Korea was behind all of these - at best, they just happened to do it first.  If getting past exchange security is truly this easy - someone was going to do it eventually.
Author: Ross Davis
E-Mail: Twitter:@RossFM
San Francisco News Desk

Dumb criminals are finally learning what we've always known: Bitcoin transactions ARE traceable!

Global Crypto Press Editor's Note: If you're like me, you've spent the last few years laughing at mainstream media coverage of Bitcoin, and how in every report they falsely said it was "anonymous" or "untraceable".  Now the criminals who didn't do their research and believed them are paying the price.

What this report leaves out is that there are methods of making that Bitcoin a lot harder to trace, and of course, entirely separate privacy coins.

Video courtesy of VICE News.

Scammers who set up fake cryptocurrency exchanges now arrested in Ukraine...

The scam worked like this - set up websites that looked like known and trusted exchanges, trick people into clicking links to them, then steal their login information.  Once they had that, they could log into the real exchanges and drain their wallets.

According to a statement from the Ukrainian government:

"Receiving operational information about the activities of fraudsters, police began criminal proceedings under Part 3 of Art. 190 (fraud) of the Criminal Code of Ukraine. Within it, employees of the cyberpolice carried out a complex of operational measures, the results of which established the persons involved in this crime. They were inhabitants of the city of Dnipro from 20 to 26 years old."

After stealing the victims' cryptocurrency, they would cash out using exchanges which convert cryptocurrency to fiat cash, transferring the funds to bank accounts opened with other stolen identities.

Ukrainian cybercrime investigators say a total of 6 fake exchange sites were created by the 4 people they arrested.
Author: Mark Pippen
London News Desk

Japanese police raid 16 people behind plot to mine Monero using secretly installed malware on victims' computers...

16 people are under arrest in Japan - suspected to be behind an amateur online criminal organization which created both the malware to secretly use victims' computers to mine Monero (which trades under XMR) and a variety of websites to lure the victims in and get them to unknowingly install the malicious software.

The arrests quietly began last month, with the final 3 suspects arrested this week. Local news outlet Asahi reports:

"The case against the 16 men aged between 18 and 48 was announced on June 14, although the first arrests were made in March. The suspects all operated their own websites, and they allegedly sent programs to the computers of site users without their consent.

The programs kicked into action on the users’ computers to conduct the often tedious and time-consuming task of mining to earn cryptocurrency."

If you're picturing a highly organized group of criminal geniuses I should also mention - they only made about $1000 total between the 16 of them.
Author: Adam Lee 
Asia News Desk