A bitcoin gold (BTG) wallet scam recently managed to net over $3.2 million after taking advantage of bitcoin users looking to claim their BTG tokens. A link to the fraudulent MyBTGWallet was, before the scam came to light, placed on bitcoin gold’s website, but was quickly removed once users started noticing their balances were missing.
According to various reports, the website containing the fake wallet essentially encouraged users to upload their private keys or recovery seeds to claim their bitcoin gold, as an archived screenshot of the webpage shows.
The result was a $3.2 million theft, as the scammer behind the website managed to obtain at least $107,000 worth of bitcoin gold, $72,000 of litecoin, $30,000 of ethereum, and $3 million of bitcoin. As one Reddit user put it, when he went to check his balance, he found that all of his funds on an Electrum wallet were gone, just like the MyBTGWallet website.
“Yesterday I wanted to check my BTG balance on https://mybtgwallet.com/ today I see that all my BTC from my electrum wallet is gone! Even the website is completely gone! I am honestly a bit heartbroken, and of course, I know if it is my fault for giving out my 12-word seed…. didn’t think it would go down this way.”
Users trusted the website with their private keys – despite security experts advising against it – partly due to bitcoin gold’s support for the wallet, and to the website’s code being open source. Through their twitter account, bitcoin gold’s team assured users the wallet was safe on multiple occasions, and even listed it on its website as a resource.
The website’s code on Github was then changed after the scam was initiated. An analysis by Reddit user Uejji found that the website essentially encoded users’ security seed in Base64 and stored it on the website cookie, which was later transmitted to Google. There, the scammer was free to decode it and use it steal the person’s funds.
The MyBTGWallet website was reportedly developed by a user named John Dass. A transaction links his wallet to that of the scammer’s, meaning he either is the scammer, or was a victim as well. It is, however, unclear whether this is the individual’s actual name or merely a pseudonym.
Bitcoin gold representatives promptly issued a statement on the wallet scam, clarifying that they are figuring out a way to remedy the situation, and that an internal investigation has been launched. The statement says the team is “working with security experts to get to the bottom of the issue,” but doesn’t clarify who these experts are.
The statement further adds that the findings will be disclosed to the public as soon as it is “appropriate to do so,” and that the team will cooperate in every possible way to find out exactly what happened.
Bitcoin gold has been somewhat controversial. As covered by CCN, the project’s website has previously been hit with a DDoS attack after the hard fork that created the cryptocurrency, and then launched on November 12 to little fanfare. Later on, it was revealed that one of its developers allegedly added a hidden 0.5% fee into a BTG mining pool, sending the funds directly into his wallet.
In its statement, the team stated that it worked with various platforms – including Google, Facebook and Twitter – to stop scammers from taking people’s funds, but added that their influence is limited, and encouraged users to report scams whenever they see them.
At the end of the announcement, bitcoin gold’s team added some advice for cryptocurrency enthusiasts:
“It’s worth reminding everyone that it will never be truly safe to enter your private key or mnemonic phrase for a pre-existing wallet into any online website. When you want to sweep new coins from a pre-fork wallet address, best practice is the same as after other forks: send your old coins to a new wallet first, before you expose the private keys of the original wallet. Following this basic rule of private key management greatly reduces your risk of theft.”
Featured image from Shutterstock.
Last modified: May 20, 2020 9:25 PM