Fraudulent Site Impersonates Encrypted Messaging Service to Steal Bitcoins

Cointelegraph By Felipe Erazo

Cybercriminals have reportedly created a fake site version of the legitimate encrypted self-destructing notes service privnote.com. The fake version can be shared with other users to steal Bitcoin.

According to a June 14 report from KrebsOnSecurity, the creators of the encrypted notes service complained about a fake clone site, privnotes.com, whose scam scheme consists of the following:

“Any messages containing Bitcoin addresses will be automatically altered to include a different Bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same.”

Privnote.com said in the report that the phishing site does not apply encryption systems. Instead, the cybercriminals can read and/or modify all messages sent by users, in addition to using an automated script that scours messages for Bitcoin (BTC) addresses, and replaces them with scammers’ wallet address.

A ”smart” scam

On the fake site, Allison Nixon, chief research officer at cybersecurity firm Unit 221B, said the scam is “pretty smart,” explaining: 

“Because of the design of the site, the sender won’t be able to view the message because it self destructs after one open, and the type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes.”

One of the factors that alert the company is the fact that because both URLs are similar, when doing a Google search with the term “privnotes,” the user will see the first shot of a Google’s paid aid, which is the phishing site. The second result is the legit website.

Representatives from Privnote.com wrote Cointelegraph highlighting Google’s role:

"What's important to know is the used of the Google Search services by the scammers, as that's the way they manage to get some audience. Although we notified Google multiple times they let the scammer site be position even above use because they were paying for Ads. People trust Google so most do not have second thoughts by the search results give them something that looks like our service."

Recent Bitcoin-related scams

In May, Harry Denley, a crypto-security researcher, discovered almost 22 Google Chrome web browser extensions built to steal their users’ cryptocurrencies. The extensions he found impersonated well-known crypto firms such as Ledger, KeepKey, MetaMask, and Jaxx.

Cointelegraph reached out to privnote.com but received no reply as of press time. This article will be updated should a response come in.

Update (18:53 GMT): Added Privnote.com’s official statement on the phishing incident.

Office Address
240 Kent Ave, Brooklyn,
NY 11249
Working Hours
Mon-Fri : 10am to 5pm EST
Saturday & Sunday: Closed
For All Forms Of Inquiries
Phone: +1 855-558-6580
Email: Support@paydepot.com