Topic: eXch - instant exchange BTC / LN / XMR / LTC / ETH / ERC20 - page 7. (Read 15019 times)

ALERT! PHISHING!

We have found that a known .onion directory "dark.fail" currently lists an URL impersonating our service.

The domain "SWP[dot]CX" has been registered less than 30 days ago and somehow managed to get listed by DARK.FAIL - a popular .onion URL monitor that only lists well-known and reputable resources (perhaps not anymore).

This is an unusual phishing attempt when the scammer has ripped off our original design and HTML template assets used by us in the past along with our current template performing a slight "rebranding". Meanwhile it's still a confirmed phishing since this website got to our knowledge from some scammed user who thought it was our original website and explained to us how they found it.

As a preventive measure we have decided to use the same background image that was in our assets some years ago which the current scammer also uses, as well as restoring our previous "light" text-only logo version, which the scammer is also trying to impersonate.

Our current website design changes will remain while we are dealing with that scammer and till the situation is resolved.

However, during investigation of this issue we have also got very interesting findings where we were able to trace back this domain to someone who have made the first ever eXch phishing vanity-generated .onion domain and managed to scam a few of our users in the past, that caused the phishing alert at our original .onion domain: hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd[dot]onion (WARNING: THE LINK ON THE LEFT IS A PHISHING LINK FOR DEMONSTRATION PURPOSES ONLY - DO NOT USE)

We were able to find hszyoqnysrl7...onion on some Tor listing directories earlier that we have managed to wipe by contacting admins of such resources directly, which apparently worked because we stopped receiving complaints of scammed users who accidently used phishing links.

However it seems this actor has returned under a new "brand", since after performing some brief OSINT we have found that the only other place on the Internet where both SWP[dot]CX and hszyoqnysrl7...onion are listed are here: github[dot]com/tarpetra/welcome-to-darknet  (WARNING: THE LINK ON THE LEFT IS A MALICIOUS GITHUB REPO FOR DEMONSTRATION PURPOSES ONLY - DO NOT USE)

What's even more interesting is that the username tarpetra behind that Github repo have managed to get ~1500 Github stars by supposedly using bots/fake accounts to create visibility and the fact he/she lists both scam resources (SWP[dot]CX and hszyoqnysrl7...onion) confirms that he/she is the operator of both resources (main indicator here is how recent SWP[dot]CX is and how fast it was added to a repo with "1500" [fake] stars)

We have tried to contact the DARK.FAIL admin regarding this incident but got no reply and hope other concerned users will have better luck on that in case they want to try.

We also suspect that DARK.FAIL admin might be involved in this scam scheme because we don't believe that such an experienced Tor user might have overlooked our service and .onion, since our actual onion link hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion is listed at least on the following popular resources: kycnot.me, monerica.com, tor.taxi, darknet-bible[.]net, darknetdaily[.]net, darkweblink[.]com

Another few important points:

- the scammer is reverse-proxying their domain via Cloudflare - something that eXch would never do, since we genuinely care about customers privacy.

- the scammer is using a third-party email provider (Protonmail) as their email server - something that eXch would never do, since we genuinely care about customers privacy.

This was an important announcement to make today but there is still work ongoing which we will update on during next days, depending on how long this issue will persist.

P.S. will communicate on other subjects later since this announcement had to be prioritized.



UPDATE:

We have managed to obtain ultimate confirmation that the SWP[dot]CX website belongs to and operated by the person behind the malicious Github repo containing phishing links to popular services.

We have compared server headers of the HSv3 addresses linked on the clearnet version of SWP[dot]CX (uicrmrl3...onion) and Github repo one (uicrmrtwpfy4y5...onion) and both domains appeared to be served by the same web-server.

There are at least 8 identical headers including "LINK" one containing the persistent data ";" and another one containing the same ETAG between 2 different hosts indicating that it's the same server responding on both domains. Anyone can replicate this and confirm themselves. We have also managed to find the real IP address behind the Cloudflare. Further work still in course.


UPDATE #2:

Turned out this scammer has created some considerable "ecosystem" of phishing cross-referencing system that apparently works very well in terms of SEO.

Just by googling the vanity-generated .onion they had for us, you will be able to find at least 7 other sites that appear like "legitimate" directories of .onion URLs representing dedicated phishing sites carefully built for each separate project.

We don't want their server shutdown yet because we are curious about their domain registrar's stance on this matter (sarek.fi / [email protected]) as well as DARK.FAIL's admin stance to understand the level of their involvement into this scheme. Given that today is a celebration day approximating a weekend, we'll give them 48 hours to answer before proceeding with action.


UPDATE #3:

Following up with the investigation, we have found there is a big probability of https://anir0y.in being a real scammer's personal website exposing himself as Animesh Roy from India, based on one of his blog posts named "Blog Tor Darknet Links" where he claims that "all the sites listed have been verified by DarkNetEye as being legitimate operations", where he links to some fake DarkNetEye copy with a domain registered only a few months ago, which on purpose provides phishing links of at least 3 known services mixed with other links that are valid onions of some other services.

- That list from both his blog and that fake DarkNetEye copy targets 3 specific legitimate resources related to crypto swaps and mixing with phishing: eXch, Majestic Bank and Coinomize mixer.
- The list provides a valid onion link to Infinity Exchanger which also raises another question - is Infinity is behind that or he listed it just to setup Infinity to look behind that in case all this scheme is exposed (which is happening right now), since we already know that the person behind this scam scheme is quite smart.
- All other links on the list are valid links.

The reason why we believe Animesh Roy might be behind all this is that in his blog post he lists at least 3 malicious resources in the same way they are advertised on other websites that make part of his quite sophisticated phishing infrastructure that targets eXch, Majestic Bank and Coinomize mixer:


All 5 domains (or 6 including SWP[dot]CX) above are registered with Sarek.fi (aka Njalla). Sarek resells Tucows for domain zones unreachable for him directly (I say "him" because Njalla is a one-man operation by Peter Sunde) so you might see WHOIS of those on Tucows to show KN as a country of registrant and the company named "1337 services" which is Njalla aka Sarek.

Abuse mail boxes to report all domains: [email protected], [email protected] (except for SWP[dot]CX)

We invite everyone to contribute by emailing abuse reports to the above mailboxes. Additionally, in case you got a Github account, you can also contribute by reporting 2 repos mentioned above.

https://i.gifer.com/B6NA.mp4

Fixefloat can't be compared with this exchange and they had a license like so many other centralized exchanges and it didn't help them a bit.
By your logic you can consider any exchange to be a mixer, and that is simply not the case.

You can get much faster reply from eXch support by creating support ticket or by email address:
https://exch.cx/support

I think this applies:

@OP: In your Bitcointalk Profile > Personal Message Options, you can allow Newbies to send you PMs.

Hello there some hours ago I sent ethereum on arbitrum instead of erc20 to your address, i cant send a dm to you, please ive been a long time customer

If I am not wrong, you can find these information and which permissions are necessary on the following link: https://f-droid.org/en/packages/io.github.pitonite.exch_cx/

I am coming back on this thread after a small discussion had with NeuroticFish in the Romanian translation of this topic. Among others, were wondering what information is using (and storing) the eXch app for Android. We understand that some information are forced to be accessed by the Android system itself, but other than that what information does the app collect and store (if any)?

If OP could come with such details it would be very nice.

True, but that's statistics. It's a matter of trust to send them your coins now and it becomes a matter of more trust to allow them to hold your coins for a definite period. That's how I see it.

And both sides are losing here, I think. Every time I send coins to the exchange only to have them returned, I lose in fees. I am assuming the exchange does as well for the return transactions, or do they take a piece of the original deposit to cover the mining fees?

You wouldn't be on a waiting list if they had the coin you wanted in their reserve. It should be on a first come first served basis like it is now. If my deposit confirmed before yours, I believe I should have priority over you regardless if I ticked the waiting list option or not.

True, but the odds are more in my favor if I choose to wait. It's more than likely that someone will come and deposit the amount I am looking for in the next x hours. That's what's happening every day.

If it was optional, I'm not sure how they would manage it. The moment XMR comes in, where will it be enabled first? On the regular exchange or the orders on the list will have priority?
The concept makes sense, but it looks more like a p2p model and I wouldn't add it to instant exchangers.


The same thing could happen if you are on the waiting list for too long and you want to give up and withdraw your funds.

The main difference is in the amount of money they'll be holding for that time. The 24h volume now shows XMR 24212. If a transaction takes 10 minutes (let's take the average Bitcoin confirmation time for this), it means they hold on average XMR 168 (or the Bitcoin equivalent) of their customer's money. If you add a 12 hour waiting list, this amount very quickly goes up a lot.

That's a good point.

Like I said, it would be an option for those who want to use it. Obviously, it shouldn't be the standard workflow. I don't see the problem with trusting the exchange as custodian of my coins for 12/24 hours (if I wanted to), if I already trust it as the custodian for instant exchanges. They still have the coins, only the period of time they are in possession of them changes. Many of us have and still are using mixers, and you probably know that some have options to "pay out" or provide you the private keys with a delay to make tracking even more difficult.

Sure, it would no longer be an instant exchange for users who are fine with that. Price swings could affect the final amounts, but that's already the case today. In the previous few days, we have seen bitcoin jumping between below $61k to $63k sometimes a couple of times a day. For the time it takes for your BTC transaction to confirm on-chain, you can, in theory get $2,000 less per bitcoin due to this volatility.

There is great demand for Monero. That's where this could be useful. There is also great demand for USDT now. Reserves sometimes show several tens of thousands of dollars. Then 10 mins later, it's down to 90 USDT, for example. Why shouldn't I have the option to be placed on a waiting list to prevent such situations if I wanted to? If there are no reserves for the coin I want, the exchange has to send back my deposit. I then have to deposit a second or third time if I am unlucky. That's throwing away money on fees.

What you're looking for is a "normal" exchange, where buyers and sellers fill the order book. Orders happen when buyers and sellers "overlap".
There could be a market for a trusted non-KYC exchange for Monero. That may lead to a higher price. If it's sold out most of the time, I'd say the price is too low.

This is another problem. I see that the balance is improving now, but I fear that it will be low when Bitcoin price skyrockets.
@eXch Wouldn’t it be better to display a reserve chart for the last 7 days or 30 days or more? This would greatly help those who want to predict your reserve.

This is wrong in many ways. Pre-selling something you don't own yet is always a bad idea.
It would oblige exch to keep user funds, an additional unnecessary security risk.
It would no longer be instant exchanges, functionally the same as other CEX, it is not what we users want. Funds somewhere without control, for an indefinite period
To manage the price, a significant up or down of the currency price can happen, so the customer will not receive the amount that was planned at the beginning of the swap process.
I assume that such a list would have to be public because you don't want to send Bitcoin without knowing that there are already 20 open orders pending. A public list on exchanges which prefer anonymity seems like an illogical solution.

Here's my brief review of eXch:

The very first thing that I noticed was its minimum limits being so low that it makes it the best ^{[and probably the only]} option for those who want to exchange smaller amounts, so I used a small amount to pay for a monthly subscription ^{[I do know it's the opposite of what we normally recommend to newcomers, but I wanted to see how they'd respond if I encounter a problem (FWIW, everything was buttery smooth)]}... My exchange involved sending Bitcoin and receiving Monero, so I was expecting some delays due to full confirmations of the UTXOs from previous orders but to my surprise, a few seconds before mempool.space displaying the next block on their website, eXch already had sent the transaction from their end ^{[I probably got lucky with little to no backlog, but still...]}.

---

Out of curiosity, is the 15-second auto refresh still accurate or there has been some changes that don't reflect on the order page?

• I noticed the confirmations shown on my order page were a confirmation behind, in comparison to what was being shown at the time on blockchair ^[screenshot].
  ^{Note: I did check the status of your XMR node and it was displaying the correct block height at that time.}

I just saw this post a bit earlier and I already registered the raffle!

Thank you eXch and icopress for making this possible! Thank you paid2 as well, for organizing the raffle! I tried to bring a bit more popularity to the raffle by announcing it also in the Romanian translation of this topic.

The prizes look very nice and I am sure the winners will be very happy

I have two questions that can also be suggestions to eXch.

1. What happens if there is only a partial amount in the reserve of the coin/token I want to buy? For instance, I want to swap $2,000 worth of BTC for ETH, but when it's time for the swap, there is only $1,000 of ETH left. Will the exchange swap the $1k and return half of my BTC or will everything be returned to me? You could add an option where the user could opt in to receive less than what they intended to swap if there isn't enough in the reserves. Then, if I am fine with getting a lower amount, I could get it.

2. Could you create a waiting list for swaps that users could opt in for if they wanted? For example, there is no XMR left, but I opt in to be placed on a waiting list for x amount of hours. I deposit the coin I wish to swap for XMR and then I wait to see if the reserves will fill up? When they do, I get my XMR 2/6/12/x hours later if my turn comes.

Happy to see my service is being used in the raffle, providing fair and easily verifiable results.
https://bitcoindata.science/giveaway-manager/



Users are probably dumping their BTC to convert to stablecoins. This might be an interesting strategy, if we see some correction ahead the person can just rebuy. I think I will do something liket that soon.

I've used it on BSC.
Recently, I was somehow forced to use the BSC network, so it all ended with a conversion to a USDT(BEP20) token. Honestly, quite cheap transactions, with almost negligible fees. Around $0.04. After that, Ethereum and ERC20 are tough shit if you ask me.


It's almost like that now. Currently, most of the reserves are in BTC and ETH, with an insignificant share of XMR and stablecoins.

So, it is probably the reserve will be zero in most cases.

If there is something that we learn from last year, then any service is linked to a hack and does not cooperate with the authorities or delete user data, then it will be on the government's radar, the easiest accusation that they are running an unlicensed platform and I think that what happened with Fixedfloat is a good reminder.

They are all crap stablecoin blockchains, but if you need to engage with them, then you are stuck using those that are the most popular among them. I have never used or heard anyone use USDT on Polygon or the BSC network. It's mostly the asset on Tron followed by the token on Ethereum. And the fees are cheaper on Tron. Even the source you linked to shows it. I never had any staked TRX, and the fees I needed to pay for USDT transactions were either 13 or 26 TRX. At the time I last used it, it was between $0.70 and $1.40/1.50. It surely costs more now with all cryptos up in value. 

But yeah, if you have some staked TRX, you can use the energy it produces and convert it into fees when engaging with smart contracts, which token transactions are.