Topic: [20BTC bounty] Bitcointalk phishing site, max para.vn , impersonation scammer - page 2. (Read 747 times)

vip
Activity: 1316
Merit: 1043
👻
> > > If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.
> >
> > Considering that the domain is still being used as a phishing site to steal login credentials, I would say whoever currently is in control of the domain is the culprit.
> I wouldn't overestimate the technological ability of random Vietnamese business owners. It is highly likely that a.) they are technologically uninclined and b.) started the website for their business legitimately, as they still list it on their Facebook page to this day even though it's not currently in use.
>
> They probably were using a vulnerable version of some publicly available software which then allowed someone to upload a shell to the website. The owner then probably set the entire website to the current default page as a remedy to the problem. If the vulnerable software in question was something like an online store to sell their kitchen hardware, they could have deleted that but the shell could have given them SSH access to the entire system or worse. The alternative is the website could have been vulnerable to some other remote exploit due to outdated server software which would mean the attackers still got SSH access and owned the server.
>
> By your logic, a bunch of Vietnamese kitchen hardware dealers (who own a physical building apparently???) are using their own website which was hacked at least once before to scam people. The business is registered in Vietnam and it's listed on their Facebook page and on the domain registration so I think it'd be a little dumb for them to use that as a platform if the culprit was they themselves.
>
> The phishing pages aren't extremely sophisticated but by the looks of it they were probably created from scratch or using a program and the ICO page has an advanced mechanism that a.) only allows 1 registration per IP to prohibit bot spamming or the like and b.) requires passwords of 8 characters. The website also uses fairly good English and punctuation which it is evident the owner of the website or whoever is operating their social media does not have.
>
> The person who executed the scam seems technologically savvy and is at least familiar with the English language which it doesn't appear the people at Maxpara are. All evidence points to the website being used by external people to run their scam to avoid getting caught. Someone who is smart enough to code their own phishing page that shows a relative familiarity with computer programming probably isn't using their own domain name with no whois protection to run a scam. It'd be funny if it actually was Vietnamese kitchen dealers but unfortunately it's probably not.

Quoting this post, 0nc3forg0tt3n had also pretended to be another CL user so they may be related, or they may be another person.

In any case, the email communications of the maxpara phisher did not demonstrate solid English. English is definitely a very second language for them; there is no reason for them to use broken English while trying to pretend to be me and communicate with a CL user.
newbie
Activity: 4
Merit: 3
> > If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.
>
> Considering that the domain is still being used as a phishing site to steal login credentials, I would say whoever currently is in control of the domain is the culprit.
I wouldn't overestimate the technological ability of random Vietnamese business owners. It is highly likely that a.) they are technologically uninclined and b.) started the website for their business legitimately, as they still list it on their Facebook page to this day even though it's not currently in use.

They probably were using a vulnerable version of some publicly available software which then allowed someone to upload a shell to the website. The owner then probably set the entire website to the current default page as a remedy to the problem. If the vulnerable software in question was something like an online store to sell their kitchen hardware, they could have deleted that but the shell could have given them SSH access to the entire system or worse. The alternative is the website could have been vulnerable to some other remote exploit due to outdated server software which would mean the attackers still got SSH access and owned the server.

By your logic, a bunch of Vietnamese kitchen hardware dealers (who own a physical building apparently???) are using their own website which was hacked at least once before to scam people. The business is registered in Vietnam and it's listed on their Facebook page and on the domain registration so I think it'd be a little dumb for them to use that as a platform if the culprit was they themselves.

The phishing pages aren't extremely sophisticated but by the looks of it they were probably created from scratch or using a program and the ICO page has an advanced mechanism that a.) only allows 1 registration per IP to prohibit bot spamming or the like and b.) requires passwords of 8 characters. The website also uses fairly good English and punctuation which it is evident the owner of the website or whoever is operating their social media does not have.

The person who executed the scam seems technologically savvy and is at least familiar with the English language which it doesn't appear the people at Maxpara are. All evidence points to the website being used by external people to run their scam to avoid getting caught. Someone who is smart enough to code their own phishing page that shows a relative familiarity with computer programming probably isn't using their own domain name with no whois protection to run a scam. It'd be funny if it actually was Vietnamese kitchen dealers but unfortunately it's probably not.

copper member
Activity: 2870
Merit: 2298
> If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.

Considering that the domain is still being used as a phishing site to steal login credentials, I would say whoever currently is in control of the domain is the culprit.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
newbie
Activity: 4
Merit: 3
If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.

Keep in mind it's possible that the person using it now isn't the same person as SLNTAR as it appears SLNTAR just runs a bot and hacks websites en masse by the looks of it.

edit: also looks like there was another scam on this website pretending to be an ICO preregistration

If the website owner isn't the culprit it's likely he can still get the server logs and send the IP of the operator accessing it -- however, by the looks of it he is some Vietnamese dude selling illegal clothing dupes, so that's fun

extra edit: It actually looks like the website might be owned by a Vietnamese company that sells kitchen appliances based on the whois information. It appears this is a legit business with a physical location in Vietnam. If you can somehow get someone who knows Vietnamese to help you get them on board your investigation it is likely that there are log files which COULD give you more information on whoever is doing this. They have a Facebook page @ https://www.facebook.com/maxpara[dot]vn and the email listed on the Facebook is [email protected]
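The post above argues that the site's server logs could separate the phishing operator from the site's visitors. The script below is an added illustration of that triage and is not code from anyone in the thread: it parses web-server lines in the common "combined" format, treats a POST to the lure path (the thread's link used the shape /login/?u=<username>&r=<topic id>) as a victim submitting credentials, and treats requests for a web shell under an uploads directory or for a harvested-credential file as operator activity. The log lines, the host name phishing-host.example, the shell and credential-file paths and the IP addresses are all constructed for the example; the real paths on the compromised server are unknown.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample in Apache/nginx "combined" log format. None of these lines are real
# logs from the thread; IPs come from documentation ranges and the host name is invented.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2018:10:01:12 +0000] "GET /login/?u=TradeFortress&r=4589356.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2018:10:01:40 +0000] "POST /login/ HTTP/1.1" 302 0 "http://phishing-host.example/login/?u=TradeFortress&r=4589356.0" "Mozilla/5.0"
198.51.100.23 - - [20/May/2018:10:05:03 +0000] "GET /wp-content/uploads/shell.php?cmd=ls HTTP/1.1" 200 310 "-" "curl/7.58.0"
198.51.100.23 - - [20/May/2018:11:15:09 +0000] "GET /login/creds.txt HTTP/1.1" 200 2048 "-" "curl/7.58.0"
192.0.2.55 - - [20/May/2018:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The lure in the thread lived under /login/ with ?u=<username>&r=<topic id> mimicking a forum URL.
LURE_PATH = "/login/"

# Hypothetical paths only the operator would request: an uploaded web shell (the thread
# speculates one was dropped) and the file where harvested credentials are collected.
OPERATOR_PATTERNS = (
    re.compile(r"/uploads/[^?]*\.php"),
    re.compile(r"^/login/creds\.txt$"),
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Split requesters into victims (who submitted the lure form) and operator candidates."""
    victims = defaultdict(set)      # ip -> forum usernames the lure was personalised for
    operators = defaultdict(list)   # ip -> [(time, path)] hitting operator-only paths
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if any(p.search(path) for p in OPERATOR_PATTERNS):
            operators[rec["ip"]].append((rec["time"], path))
        elif rec["method"] == "POST" and path.startswith(LURE_PATH):
            # A POST to the lure is a credential submission; the ?u= value carried in the
            # referer records which forum account the e-mail was crafted for.
            query = parse_qs(urlparse(rec["referer"]).query)
            victims[rec["ip"]].add(query.get("u", ["<unknown>"])[0])
    return {
        "victims": {ip: sorted(users) for ip, users in victims.items()},
        "operator_candidates": {ip: hits for ip, hits in operators.items()},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, users in result["victims"].items():
        print(f"victim {ip}: lure personalised for {', '.join(users)}")
    for ip, hits in result["operator_candidates"].items():
        print(f"operator candidate {ip}: {len(hits)} requests to operator-only paths")
```

The split matters for the owner handing over logs: the victims' addresses are the people to warn, while the operator-candidate addresses (and their timestamps) are what an investigator would want correlated with the registrar, hosting and e-mail records already discussed in the thread.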
copper member
Activity: 2870
Merit: 2298
It seems that your attacker deposited 0.7BTC to whatever service owns this wallet.
vip
Activity: 1316
Merit: 1043
👻
A google search of [email protected] reveals a password dump paste, which contains that email.

Please note that the email account could be a fake name, or a hard amount, and the username in the dump should not be presumed as the scammer (at this point).
vip
Activity: 1316
Merit: 1043
👻
This email was sent to me, but the link actually pointed to a phishing site:

http://maxpara[dot]vn/login/?u=TradeFortress&r=4589356.0 << DO NOT ENTER LOGIN DETAILS ON THIS PAGE

I didn't fall for it, however I have reasons to believe that the same scammer was responsible for successfully impersonating me and being the 'man in the middle' between a CoinLenders user.

The scammer originally emailed me, claiming to be a CoinLenders user. They used a different email address to the actual user, being [email protected]

When I asked the user to email me from their registered email, they were able to convince the actual user to do so, by emailing them from [email protected] (which is fake). The actual user sent evidence that allowed me to verify the claim.

A reimbursement of 50.625732 BTC was made to 1Aztzs1qHqKiVuZaoa7s23KoHCjeBSeqrT. The funds are currently residing in 1B5b3CcSG5YP9JavrKv8UwV3dcgpT4g3wV

I believe a good starting point to track down this scammer is the domain name maxpara[dot]vn ; I believe it is a website operated by the scammer (and not a hacked website) given its content.

A reward of 20 BTC will be offered to anyone who provides information that leads to the arrest of this scammer. I'm not super expecting this bounty to be filled, however I'm sure this scammer has put his hands in many pots before; and it looks like there is lots of info to track him down using maxpara[dot]vn

Escrow can be arranged.
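The opening post's lure was a notification e-mail whose link text looked like a forum link while the href pointed at /login/ on another host. As an added example (not the poster's code), the checker below parses the anchors in an HTML e-mail and flags a link when the href host is outside a trusted set, when the clickable text names a different host than the href, or when a /login path sits on an untrusted host. The sample e-mail, the host name phishing-host.example and the trusted-host list are assumptions made for this example; only the URL shape /login/?u=TradeFortress&r=4589356.0 comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that may legitimately present a Bitcointalk login (assumption for this example).
TRUSTED_HOSTS = {"bitcointalk.org"}

# Constructed notification e-mail body. The first link reuses the lure shape quoted in the
# thread (/login/?u=<name>&r=<topic id>) on an invented host; the second link is genuine.
SAMPLE_EMAIL = """\
<p>A reply was posted to a topic you are watching:
<a href="http://phishing-host.example/login/?u=TradeFortress&amp;r=4589356.0">bitcointalk.org/index.php?topic=4589356.0</a></p>
<p>Unsubscribe: <a href="https://bitcointalk.org/index.php?action=notify">View notification settings</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare text like 'bitcointalk.org/index.php' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """Exact match or subdomain of a trusted host; 'bitcointalk.org.example' does not qualify."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_links(html):
    """Return one finding per link; an empty 'flags' list means nothing suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        flags = []
        if not is_trusted(host):
            flags.append("href host is not trusted")
        # If the clickable text itself looks like a URL, its host must match the real target.
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != host:
            flags.append("visible text names a different host than the href")
        path = urlparse(href if "://" in href else "http://" + href).path
        if path.rstrip("/").endswith("/login") and not is_trusted(host):
            flags.append("login form hosted outside the trusted domain")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["flags"] else "ok"
        print(f"{status}: {f['href']} ({'; '.join(f['flags']) or 'no findings'})")
```

The text-versus-href comparison is the check that would have caught the e-mail in the opening post: the visible text pointed at the forum while the real target was the phishing host. The trusted-host match is deliberately a suffix match on a dot boundary so that look-alike registrations ending in the trusted name do not pass.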