There is a huge market for wallet.dat files on the web, where people don't know / forgot the password. I wanted to know if they are fake and checked them, asked the sellers what they know about their files. Most didn't know anything, but they bought it, let's say for 0.01 BTC with a 50 BTC balance and are trying to find the password. After a while sell it to someone else and so on.
My question:
Is it possible to create an encrypted wallet.dat file, that shows a balance and the corresponding address (you don't have the private key) after a rescan with Bitcoin Core, but that is fake?
EDIT:
The answer is: YES
The wallet file isn't fake per se, nor are the transactions it shows. What's fake about it is that it doesn't contain the private keys it claims it does.
The method of identification is to look at the corresponding version of the wallet code, check the data consistency, time, field, type, structure, It looks very complicated.
It actually is not that complicated. You don't need to check any data consistency, time, etc. You don't need to check any of the things you mentioned. You also don't really need to look at the wallet code because the data that they are manipulating doesn't change frequently, if ever. In fact, the specific database fields that are being modified will likely never change in order to maintain backwards compatibility with older wallet versions.
What the authors have done here is simply add fields which represent encrypted keys. These fields contain the pubkey and the encrypted private key which will typically just look like random data (because that's the point of encryption). What the authors have done is just create a field that contains the pubkey and random data (or in this case, a string) as the private key.
It is impossible for anyone (technical or not, professional or not) to identify that the wallet is "fake" by simply looking at it (besides the fact that common sense tells you its a scam). If done correctly, the supposed encrypted key will be garbage data and its veracity cannot be determined without knowing the decryption key. Of course, if it's just zeroes or some other obvious non-random data, then it can be easily determined. You can inspect the data of a wallet.dat file using BDB 4.6's db_dump tool.
Yes, it's possible. In fact, there are many people who fell for such scam tactics.
But what they actually they do are modifying unencrypted part of the wallet.dat to show address which doesn't have it's private key pair.
recently someone is selling fake bitcoin wallet.dat file containing 3050 BTC (
https://www.blockchain.com/en/btc/address/1Lg5pJRaWKw6n2J4CBjoEJY5ZdLwBu21U2)
that wallet is my friend wallet and he immediately moved all bitcoin to different address.
scammer send small amount of btc in all such cold wallet and check if wallet is active or not,
if wallet is inactive then they create fake wallet.dat file and fool other
example wallet.dat:
https://bitcointalksearch.org/topic/walletdat-sale-on-the-forum-5240701