Author

Topic: bitcoinpaperwallet.com - scam still alive? (Read 483 times)

legendary
Activity: 2268
Merit: 18711
June 18, 2022, 04:38:46 AM
#31
@shYter90, there are also block explorers that tags these known addresses from exchanges e.g. walletexplorer.com however it's not privacy friendly if that is something you care about.
I find oxt.me and breadcrumbs.app to be better for this purpose. They are both much easier to use, and walletexplorer tends to be quite out of date and does not correctly identify most newer addresses which belong to various exchanges and services. Both the sites I mentioned clearly identify this address as a Binance hot wallet:
https://oxt.me/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h
https://www.breadcrumbs.app/reports/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h/2
hero member
Activity: 2786
Merit: 902
yesssir! 🫡
@shYter90, there are also block explorers that tags these known addresses from exchanges e.g. walletexplorer.com however it's not privacy friendly if that is something you care about.
legendary
Activity: 2380
Merit: 5213
May I ask you how have you indicate this address bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h as binance hot wallet?
The address in question has been used many times for consolidating deposits and sending the payments to binance users. So, it's known that the address is owned by binance.
newbie
Activity: 19
Merit: 0
One interesting transfer was to this address:
https://www.blockchain.com/btc/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h it holds 35016.15030071 BTC
That address is a Binance hot wallet.

What was the path of coins from your wallet to this Binance address? Obviously they have been deposited to Binance at some point, but that does not mean the person who deposited them to Binance was the person who stole from you, and even if it was, it doesn't mean they were deposited under the scammer's account or name.

May I ask you how have you indicate this address bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h as binance hot wallet?
legendary
Activity: 2268
Merit: 18711
February 27, 2022, 04:08:18 AM
#27
Fair enough. Far be it from me to dictate how you use bitcoin, but I still think such a set up is sub-optimal at best. Handing a paper wallet to someone means they must trust you completely - both your honesty and your technical competence. As I said, if I trust someone that much, then I trust them enough to just pay me properly at a later date when it is more suitable. Or even better, I just carry around a copy of a few addresses from my hardware wallet or other cold storage. If I don't want to receive the funds to my mobile wallet, then I can just give you one of my cold wallet addresses there and then.

I do agree that the cost and single use element of OpenDimes are a significant drawback.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
February 26, 2022, 12:07:23 PM
#26
The benefit of the OpenDime though is that the receiver can be pretty confident you don't know the private key. Handing someone a paper wallet is incredibly insecure for the receiver. If I was accepting a paper wallet from someone it would have to be someone I trusted enough not to scam me, and in such a case I would trust them enough if they said "Give me your address later and I'll send you what I owe you."

I have them more for people who don't have phone wallets or don't want to have that much BTC in their hot phone wallet.
If you don't have the ability or the desire for me to send it to you right then and there you take what I give you :-)
Somewhat of a hardass attitude I know, but I think you get the idea.

Not to mention opendimes and the like have a significant cost to them.

If I have to give you BTC0.0051 ($200) at the current price and you don't want it on your phone for whatever reason, do I give you $180 and you eat the cost of the opendime or do I give you the full $200 and a tip of a $20 piece of equipment.

-Dave
legendary
Activity: 2268
Merit: 18711
February 26, 2022, 05:15:10 AM
#25
Because at times you want to hand a piece of paper to somebody. The Opendime  / Satodime have a real cost to them and as I found out can fail.
The benefit of the OpenDime though is that the receiver can be pretty confident you don't know the private key. Handing someone a paper wallet is incredibly insecure for the receiver. If I was accepting a paper wallet from someone it would have to be someone I trusted enough not to scam me, and in such a case I would trust them enough if they said "Give me your address later and I'll send you what I owe you."

Interesting approach. I've never sweeped a paper pallet, I've imported it if needed.
It's fine to import your own paper wallet to an airgapped device, but if the paper wallet was given to you as per Dave's example, then you should absolutely sweep it so the other party can't steal the funds and so you don't have to trust how securely they created the paper wallet in the first place.
hero member
Activity: 2408
Merit: 584
February 23, 2022, 04:58:00 PM
#24
Not everyone uses MetaMaks..

What I see the guy still hold coins, and he scammed already hundred and hundres of dollars. No way to withdraw them, so it just matter when authorities will start investigate this case. Also all victims can make one money pool and just hire lawyer to start proceeding him.
Yep, not all people uses meta mask but the some of them uses trust wallet but if I am not mistaken, there is also a warning when you visit some website inside the trust wallet. One of it is when you use pancakewap. You will see a warning above the url that says always check the address if its correct to avoid  getting phished.

We do not need to depend our safety in these wallets. It is not about the wallets that we use but it was about researching the website first if its legit or not before we use it. I think its pretty obvious that scams can happen with a site like this because I think requires your private keys to generate a paper version wallet. Wonder why people take a risk with this things.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 22, 2022, 10:35:36 AM
#23
Making an example of myself, I have a stack of pre-printed unfunded paper wallets. Sealed with just the BTC address and it's QR code showing.
If I want to give someone BTC0.01 for something. I scan the QR and send the BTC to it and hand it to them.

Interesting approach. I've never sweeped a paper pallet, I've imported it if needed.
And I've never denied that paper wallets have their use (still most widely compatible, I know), but unlike the average user, you know how to generate them safely.

Imho for an average user the seed is easier, he doesn't need any shady website for it, just a wallet application, he doesn't need a printer for it, pen and paper will do... all can be done easy enough even offline.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
February 22, 2022, 10:24:36 AM
#22
...
Something more: I fail to understand why are people still focused so much on classical paper wallets when they can run Electrum (either safely installed and verified, either from Tails OS), generate a seed and a few addresses and.. done.

Because at times you want to hand a piece of paper to somebody. The Opendime  / Satodime have a real cost to them and as I found out can fail. Yes a piece of paper with a private key can be damaged or destroyed too.

I guess that I was not clear enough, so I'll say it a bit different: why generate a paper wallet with private key when one can as easy generate a HD seed, which is less prone to errors too?

Ease of use and importing.
Making an example of myself, I have a stack of pre-printed unfunded paper wallets. Sealed with just the BTC address and it's QR code showing.
If I want to give someone BTC0.01 for something. I scan the QR and send the BTC to it and hand it to them.
They can then use just about any phone app to sweep the BTC into that wallet on the phone, or if they have a desktop wallet (including core) all they have to do is import that private key.

No they are not for day to day use and no they are not the best for everything. But they do have their use. At least for me....

-Dave
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 22, 2022, 10:08:04 AM
#21
...
Something more: I fail to understand why are people still focused so much on classical paper wallets when they can run Electrum (either safely installed and verified, either from Tails OS), generate a seed and a few addresses and.. done.

Because at times you want to hand a piece of paper to somebody. The Opendime  / Satodime have a real cost to them and as I found out can fail. Yes a piece of paper with a private key can be damaged or destroyed too.

I guess that I was not clear enough, so I'll say it a bit different: why generate a paper wallet with private key when one can as easy generate a HD seed, which is less prone to errors too?
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
February 22, 2022, 08:07:30 AM
#20
...
Something more: I fail to understand why are people still focused so much on classical paper wallets when they can run Electrum (either safely installed and verified, either from Tails OS), generate a seed and a few addresses and.. done.

Because at times you want to hand a piece of paper to somebody. The Opendime  / Satodime have a real cost to them and as I found out can fail. Yes a piece of paper with a private key can be damaged or destroyed too.

In any case people shouldn't be using a website to create their bitcoin wallets in first place! That's just silly and extremely insecure regardless of what website you are using or who controls it.

They should not be using an *online webpage* to create a wallet. Bitaddress running on an offline PC from a bootable CD is not a major security risk.

-Dave
legendary
Activity: 2268
Merit: 18711
February 22, 2022, 06:20:06 AM
#19
One interesting transfer was to this address:
https://www.blockchain.com/btc/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h it holds 35016.15030071 BTC
That address is a Binance hot wallet.

What was the path of coins from your wallet to this Binance address? Obviously they have been deposited to Binance at some point, but that does not mean the person who deposited them to Binance was the person who stole from you, and even if it was, it doesn't mean they were deposited under the scammer's account or name.
newbie
Activity: 19
Merit: 10
February 22, 2022, 03:47:04 AM
#18
Ok all stolen money was moved from scammer's address to a bunch of addresses:
https://www.blockchain.com/btc/address/19YJVYZyuYvx9U3e6oGYsN4gqeRZeCKgje

One interesting transfer was to this address:
https://www.blockchain.com/btc/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h it holds 35016.15030071 BTC

It is hard to follow all transfers from just explorer, I believe there are some tools that can visualize and identify where funds were moved..
legendary
Activity: 3472
Merit: 10611
February 21, 2022, 11:22:52 PM
#17
But how you can assure that the app you're going to install is the one or have full copy of the code that is publicly available for viewing on github is the same? Since you're going to install the app from app store or play store?
If you install something directly from the Apple app store or Google play store then you are right - you have absolutely no way of verifying what you are installing. This is the wrong way to install things, though.

The better option is to download the app directly from the developer, verify its signatures or hashes, and then transfer the .apk file to your phone to be installed.

The best option is to download the source code, build the binaries yourself, and then use them to install the wallet on your phone.
There is also this thing called deterministic or reproducible builds that only a handful of wallets like bitcoin core and Electrum support which is when anybody who builds the same source code following the same steps will always end up with the same binaries. This is useful for those who can't build the binaries from source themselves and it gives the additional security assurance that the source code was not modified when building the software.
legendary
Activity: 2268
Merit: 18711
February 19, 2022, 03:28:25 PM
#16
Common smartphone users don't actually do this
Absolutely. But common smartphone users all do a bunch of other widely insecure things, such as using biometrics, keeping their 2FA app on the same device which has all their passwords saved, installing a bunch of apps which track everything they do, using terrible closed source wallets and then storing significant amounts of coins on them, back up sensitive information to cloud storage, and so on. And even among people who use good open source wallets, very few of them actually properly verify those wallets, and even fewer of them have ever actually looked at the code or tried to build the wallet themselves.

But the question wasn't "What do people commonly do?". The question was how to ensure that the app you are installing is doing what you think it is doing. The answer to that is as I described - download the code, review it personally, then build the app yourself from that code. Unfortunately lots of people take risky shortcuts and often end up paying the price for doing so.
hero member
Activity: 1554
Merit: 880
pxzone.online
February 19, 2022, 12:32:45 PM
#15
If you install something directly from the Apple app store or Google play store then you are right - you have absolutely no way of verifying what you are installing. This is the wrong way to install things, though.
And that's a knowledge to consider not just from crypto but to all who used to download and install from this mobile distribution services such app store and play store.

The better option is to download the app directly from the developer, verify its signatures or hashes, and then transfer the .apk file to your phone to be installed.

The best option is to download the source code, build the binaries yourself, and then use them to install the wallet on your phone.
Common smartphone users don't actually do this, idk if they know such thing exist, even most of the users here probably and that's quite alarming.
legendary
Activity: 2268
Merit: 18711
February 19, 2022, 06:22:43 AM
#14
But how you can assure that the app you're going to install is the one or have full copy of the code that is publicly available for viewing on github is the same? Since you're going to install the app from app store or play store?
If you install something directly from the Apple app store or Google play store then you are right - you have absolutely no way of verifying what you are installing. This is the wrong way to install things, though.

The better option is to download the app directly from the developer, verify its signatures or hashes, and then transfer the .apk file to your phone to be installed.

The best option is to download the source code, build the binaries yourself, and then use them to install the wallet on your phone.
hero member
Activity: 1554
Merit: 880
pxzone.online
February 19, 2022, 05:45:38 AM
#13

There is a big jump from a website to a mobile and desktop wallets! When you open a website you have no idea what you are running and what you are sending to that website's servers and you have no way of knowing it. But with a desktop/mobile wallet you have a choice to download and install what is open source so you can verify that it is not doing something malicious.
Yes, I know the advantages of open source compare the other one. But how you can assure that the app you're going to install is the one or have full copy of the code that is publicly available for viewing on github is the same? Since you're going to install the app from app store or play store?

Coz what I have in mind is, the developers  or anyone can update the code (with malicious or not) of the app and then upload it on this mobile distribution services using their compromised accounts, without updating the code in github of course.
Is this possible? How it can be avoided without downloading the app fist just to try it and become the first victim?
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 19, 2022, 02:39:19 AM
#12
So when and how bitcoin wallets in mobiles and desktop is considered to be insecured too? The difference is only the latter needs  installation.
There is a big jump from a website to a mobile and desktop wallets! When you open a website you have no idea what you are running and what you are sending to that website's servers and you have no way of knowing it. But with a desktop/mobile wallet you have a choice to download and install what is open source so you can verify that it is not doing something malicious.

Truth to be told many most have no idea what they also install. Even in the rare cases the program has its source code at hand, they won't read it, clearly won't build it themselves. And the compiled binaries may or may not be from the source code you'd expect. Verifying the traffic one program makes is something also very few people do.

Indeed, there's still a big step, since a website can offer different page for a while and steal information and deny it, while 90% of the time operating clean. This is much less likely with installed programs. But most people don't understand software and don't care much either.

Some will look whether this or that is labeled as legit or scam, and that's all. I fear that we're expecting too much from the average Joe... (hence I am happy when this kind of questions pop up - they give a chance to a few more get on the right track).



Something more: I fail to understand why are people still focused so much on classical paper wallets when they can run Electrum (either safely installed and verified, either from Tails OS), generate a seed and a few addresses and.. done.
legendary
Activity: 3472
Merit: 10611
February 19, 2022, 02:16:56 AM
#11
So when and how bitcoin wallets in mobiles and desktop is considered to be insecured too? The difference is only the latter needs  installation.
There is a big jump from a website to a mobile and desktop wallets! When you open a website you have no idea what you are running and what you are sending to that website's servers and you have no way of knowing it. But with a desktop/mobile wallet you have a choice to download and install what is open source so you can verify that it is not doing something malicious.
newbie
Activity: 19
Merit: 10
February 18, 2022, 05:30:33 PM
#10
What I see right now it is literally wild west - none of those companies even get back to me and acknowledged the problem.
They guy even has PayPal for his [email protected] account and PayPal doesn't give literally a shit.

And here what he replied via his contact form:
Quote

Bitcoin Paper
Thu, Feb 10, 10:46 PM (8 days ago)
to me

Hi,

When you create a wallet, you, and only you have control/knowledge of your address and private key.

Keys are generated in your browser locally.

There is a few things I can recommend checking:

1. Do you have an up to date antivirus?
2. Do you have any browser extensions?
3. Are you sure you were using our domain and not a phishing site?
4. We're you using TOR to access the website?
5. Are you sure that you and only you had access to your private key?
6. Did you run the website offline?

I know of a website out there phishing on google called PaperWalletBitcoin.com that steals your private key. I have already reported them to google but no action has been taken. If you inspect element on the page when you generate a key on their website you can see your private key being sent out 5-10 seconds later to their server. Did you by chance click on this website and not the official BitcoinPaperWallet.com?

I hope you can find out what happened to your coins,

Regards,

BPW Team

So we know his: PayPal, Domain, Hosting, Cloudflare account, Gmail and can't do anything with that.
hero member
Activity: 1554
Merit: 880
pxzone.online
February 18, 2022, 03:35:55 PM
#9
Good idea. Google is best for this coz they are the most common search engine used by ordinary people who doesn't have an idea about these websites and to avoid it appearing in the search query as well. Well, as long as many people report it.
In any case people shouldn't be using a website to create their bitcoin wallets in first place! That's just silly and extremely insecure regardless of what website you are using or who controls it.
So when and how bitcoin wallets in mobiles and desktop is considered to be insecured too? The difference is only the latter needs  installation.
legendary
Activity: 3472
Merit: 10611
February 18, 2022, 04:50:21 AM
#8
The website in question turned into a scam after its ownership was changed in 2018 and is probably still owned by the same scammer.
What I don't understand is why canton handed over such a sensitive and popular website to new owners who reputation was still unknown?

Why didn't he just put down the whole project if he could not proceed, supporting it?
I mean, that's a honeypot for scammers. It was a just a matter of spending a few thousands of dollars to buy it and then later scam the hell out of some many users who used the site
To make some money from a project they had made!
But it wasn't really popular though, bitaddress.org was popular and is still around. This other site came later and tried gaining some popularity by duplicating the same service but couldn't succeed as much. Then the developer abandoned it while trying to make some money from his work.

In any case people shouldn't be using a website to create their bitcoin wallets in first place! That's just silly and extremely insecure regardless of what website you are using or who controls it.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
February 17, 2022, 06:07:16 PM
#6
It seems the website is 9 yrs old alive and kicking and they keep scamming but we do not know if the owner is already dead or not. As you said your client lost funds and the transfer amount has still not been transferred to another wallet yet.

I'd like to suggest you try if you want to know the name and address of the owner of the website try to contact this https://www.enom.com/reseller/contact-us/
Because the domain is registered on that site.

I think that you can able to get the real name and address of that scammer on enom.com because they only accept these payment methods credit cards, PayPal, check, or wire transfers.
Just try to ask them about the name, address, and contact number of the owner of that website. Let's hope that the domain provider will cooperate and don't forget to tell them that the owner is a scammer send some proof.
newbie
Activity: 19
Merit: 10
February 17, 2022, 04:25:13 PM
#5
Not everyone uses MetaMaks..

What I see the guy still hold coins, and he scammed already hundred and hundres of dollars. No way to withdraw them, so it just matter when authorities will start investigate this case. Also all victims can make one money pool and just hire lawyer to start proceeding him.
legendary
Activity: 2338
Merit: 1261
Heisenberg
February 17, 2022, 03:56:34 PM
#4
The website in question turned into a scam after its ownership was changed in 2018 and is probably still owned by the same scammer.
What I don't understand is why canton handed over such a sensitive and popular website to new owners who reputation was still unknown?

Why didn't he just put down the whole project if he could not proceed, supporting it?
I mean, that's a honeypot for scammers. It was a just a matter of spending a few thousands of dollars to buy it and then later scam the hell out of some many users who used the site
legendary
Activity: 2380
Merit: 5213
February 17, 2022, 03:06:49 PM
#3
The website in question turned into a scam after its ownership was changed in 2018 and is probably still owned by the same scammer.

Maybe here more people who lost their money?
Yes, Visit the following topics.

bitcoinpaperwallet[.]com is a scam
Why has my newly created Bitcoin address already been used?

staff
Activity: 3500
Merit: 6152
February 17, 2022, 02:45:39 PM
#2
Apparently, CoinDesk tried to dig into it and to reach out to the new owner, but he's denying that they're responsible for people losing their funds...

https://www.coindesk.com/tech/2021/02/24/bitcoinpaperwallet-back-door-responsible-for-millions-in-missing-funds-research-suggests/

The good thing now is that most people use MetaMaks nowadays, and since the site is added to their domain warning list, people shouldn't be able to access it. Not without seeing a warning anyway.
newbie
Activity: 19
Merit: 10
February 17, 2022, 02:38:26 PM
#1
Hey people, I found some posts from the last year.. Recently one of my clients also lost their funds via that "safe paper wallet".
Based on the transactions where coins were moved I see more victims - so probably the owner still alive and that website still working. However coins are not moving anywhere and still on that address.

Maybe here more people who lost their money? Or maybe someone dig into it?

I don't believe that community can't stop him and he can keep doing his phishing.
Jump to: