Every once in a while an attack comes along that is so simple to set up, and yet so effective, that it makes your jaw drop. Here’s one: fake bitcoin QR generators. According to web developer and cryptocurrency enthusiast Harry Denley, a wily scammer has been operating a network of fake bitcoin QR code generators to dupe people out of their bitcoins.
Bitcoin uses addresses as conduits to send and receive bitcoin payments. To improve anonymity (which was a fundamental design principle for bitcoin), these addresses are disposable. You’re not supposed to reuse them. You can imagine how many bitcoin addresses you’d need to support a massive cryptocurrency network ad infinitum. It’s a lot. That’s why each address is up to 35 alphanumeric digits long. They’re not something you’d want to write down or type in manually.
Instead, people use QR codes – the blocky squares invented by Masahiro Hara – to represent them easily to others. Invoicing and payment software will often generate these automatically. Someone making a payment can scan them and send bitcoin to that address.
Denley explained on Twitter that he had found sites offering to generate QR codes for people if they typed in a bitcoin address:
⚠️ Be careful of fake #Bitcoin QR code generators – these ones have had ₿4.9 gone through the current activate address
free-bitcoin-qr-codes[.]com
bitcoinaddresstoqrcode[.]comAddress: 343CXYVBKXT2VgELCdjEeMyPpfiKwkzUNg ($BTC)
IP 207.244.100.245 hosting suspicious domains pic.twitter.com/y4DEezQmN1
— harrydenley.eth ◊ (@sniko_) March 21, 2020
He told ZDNet that he found several domains pulling the same scam.
Typing in an address – any address – spat out the same handful of QR codes, which had nothing to do with the addresses entered. Instead, they pointed to the attacker’s own addresses. So when anyone used that QR code as a payment address, the person sending them bitcoin would have sent it to the attacker’s account rather than their own.
The address he quoted in the tweet held 4.9 bitcoins (a little over £25,000) as of yesterday, received via 473 transactions.
Cryptocurrency phishing scams are common. We’ve reported on sites that fooled users into entering the private keys to access their cryptocurrency wallets. Recently, this fraudulent Chrome extension duped customers into handing over their Ledger hardware wallet keys.