Topic: Need Help Please, I think this guy SCAM ( fool me ) .. (Read 2273 times)

Impressive - excellent investigation! Do yourself and the community a favor by helping to spread the word that he's a scammer

Yup,

there's complete link, this scammer totally AS****E

https://twitter.com/DefuseSec/status/407219888780873728

https://eprint.iacr.org/2013/734.pdf

http://bitcoinstats.com/irc/bitcoin-dev/logs/2013/04/26

https://bitcointalksearch.org/user/hyperreal-101868

https://bitcointalk.org/index.php?topic=252674.0;wap2

https://drive.google.com/file/d/0BxLEEYjCKBuoaDhXRzhra0ZWQjQ/edit?usp=sharing

Cheers,

That's the spirit! Welcome to the world of bitcoin.

I get it now

https://github.com/jim618/multibit/issues/403

thanks both of you rock !!, this will not make my out from BitCoin,

Cheers,

ironmask,

I'm certain English isn't your first language, so I'll try to translate what's going on:

The address is not creating coins. It's on the blockchain because all transactions are listed. You are correct. The scammer cannot spend the coins, no can spend them. Ever. Coins are sent to bitcoin addresses. So the address can still accept coins, but no one will ever be able to send the coins out of that address.

Honestly, I don't know enough about the technical part to break it down, but I can tell you that it doesn't happen often. Using bitcoins is safer than using your credit card. The problem isn't with vulnerabilities or other security features of bitcoin, the threat comes from regular who don't understand how the system works.

FenixRD,

What actually address zero ?  is this address create illegal coin that the protocol cannot accept it ?, why still recorded on the blockchain ?

And how this guy can have the coin ? He said got it from mining ... or it has another way to get coins ?, are he bought it ?

When it's said not possible to create a valid Tx signature its mean that this guy also cannot spend it right ?, but the dangerous thing that he able to make same SCAM scenario again and again, because the coins will always there.

If this so, BitCoin  .. still have big vulnerability due this kind of bug, regular guy like me will be very careful to have any interaction with BitCoin , there still so many threat that us not yet have any clue due security and network protocol.

No doubt!
****
dang it... I just read my previous post. I know the difference between you're and your. I hate when my fingers think for me, lol.

Heh. Of course, sorry. I've never been very good at accepting compliments based on effort alone. It is a character flaw of mine. Thank you for the kind words.

Indeed, this scam was completely off my radar. Granted, adopting the recommended policy of *always* sweeping funds before completing a deal, rather than accepting an exposed privkey, negates this threat; but, I would not have been looking for this type of thing specifically. And I've been around for a good while. It's a useful reminder to keep the guards up and not make exceptions to the "best practices".

Oh take the compliment for what it is, seriously! I'm not talking about you're know how to solve this - but you would be hailed as a genius if you succeeded.    What I meant to convey is how refreshing it is to read this thread. I enjoy reading the scams (no pun intended OP, it's so I won't get caught with my skirt up again; learn from others' mistakes), but your willingness to help and the fact that you're obviously not trying to pull a scam within a scam, brings things back into perspective a bit. If that makes any sense

I don't rock nearly enough. I can think of no way to resurrect these coins. People have been wanting to for years.

I PMed a couple fellows more  knowledgeable than I to make sure I'm not missing something, just in case.

Okay. So, although the way the Android Blockchain app errors out is new to me, the facts are unfortunately unchanged. Hopefully this thread will help to explain this better:

https://bitcointalk.org/index.php?topic=50206.10

It's about this exact address. It's been collecting funds for several years now. As I was saying before, it's address zero, which is a unique thing in the  protocol. I'm not a SCRIPT expert, personally, but in the thread Theymos and others make it clear that this address is unable to be spent from due to the way the hashing works — it's just not possible to create a valid TX signature for it, even with the "right" private key. This is a very unique phenomenon and yes, by the guy convincing you to accept the coins without Tx, that's how you were scammed.

That said, now that 2.2 BTC is a significant thing, this might deserve to be added to the list of scams to watch for. It's certainly not well-known (there's only ONE zero address, out of the uncountable numbers that exist) I don't think. But again, and someone is welcome to explain how I'm wrong and clarify what Themos means, but if seems pretty straightforward. He says they're unspendable.

I'd have thought a custom client would allow them to be spent, as can happen with pretty much every other nonstandard keypair introduced to the raw blockchain ledger. But it seems zero is unique.

It's things like this that keeps my faith going in this community. FenixRD, you rock! I know you haven't recovered the coins yet (I hope you do), but thanks for setting a good example

Okay, now that is weird. This is something that only is occurring for me on the android app.

Lemme look into this a bit more.

Thanks i will make some learning about what you mention earlier.

I send video to you how i scan , and import the private key also.

No, the QR Code and WIF_PrivKey you showed me are for a private key, in hex form, of *ALL ZEROES*. Blockchain.info does not parse that properly (it will tell you "Error importing private key: TypeError: this.x is null"). Which is pretty irrelevant, because even if it could, the addresses associated with that private key are https://blockchain.info/address/1MsHWS1BnwMc3tLE8G35UXsS58fKipzB7a and https://blockchain.info/address/1Q1pE5vPGEEMqRcVRMbtBK842Y6Pzo6nK9 (uncompressed, and compressed, respectively; the compressed WIFprivkey would be KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73Nd2Mcv1 btw, but blockchain.info will error out on that one as well), neither of which is the address you're talking about, and neither of which currently has coins.

Edit: public addresses based on list at database.io; perhaps the nature of that site didn't require complete  protocol compatibility. The ones I listed may not be (or at least not the only) addresses for this privkey.

The public address you showed us all way earlier has a couple BTC, yes. However, none of the information you've showed since (QR code, private key, etc) grants you spend power over those coins, and there is nothing we can do about that. If you were scammed, that is truly unfortunate and I am sorry about that, but unless the guy gave you any other QR codes or something, we can't do anything I'm afraid.

Also, to your question, that I think you're asking about QR scanning... no, if it "scans" and gives you characters, it is very rare for it to have been a "mis-scan". And if it did misscan, which I have been occasionally, it is unfathomably improbable that it would become a privkey of all zeroes! It doesn't mess up by a letter or two, it'll turn a string like KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73Nd2Mcv1 into something like a few letters, weird ASCII symbols, that kind of thing. QR codes don't have to be flat. Either they scan or they don't. That's part of the crazy pattern on them, to allow for the correction of skewed and off-axis camera angles.

Anyway, bottom line is, if that's the QR code he gave you, while you thought your coins were at the address you gave way earlier, yes, it seems you were scammed.

Thank you for the analysis, i saw the QRCode of private key is  likely not flat, can it make the problem ?, i send to you the original QR Code which he send to me

I can import the QRCode to the blockchain wallet perfectly, and get the coins (2.2 BTC ) without addressing the public key at all.

*sigh*

Yes, you've been had. How did you get the public address? The private key you sent me does not correspond to it, and is one of a small handful of "valid-looking" WIF strings that, after the checksum is decoded, result in garbage. In this case, the supposed actual private key is all zeroes:



That key has been published before during the directory.io bit back in the day: http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_directoryio_thing_is_fake/

Many different odd errors arise from trying to use it, depending on the client. C's address verifier completely crashes if I try to check it a certain way. You can however look at what I'm talking about here: http://gobittest.appspot.com/PrivateKey

That presents the most accurate answer. It's not included in my screenshot, but if you test it yourself, it's at the top of the page in red: Private key is not on curve

It's a deliberately-chosen "private key" coordinate that does not have a coordinate pair. It is not a point in the elliptical curve used in Bitcoin at all. (According to most client interpretations.) You can actually send coins there with certain clients and retrieve them also, but, as you can see here: http://directory.io/0 yours is the very first one, and has been used before, and is definitely not the key to the address you were expecting, with 2.2~ish BTC.

I send it the private key already, please find out what happened

If importing the private key gives makes 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh appear in a brand new wallet, you definitely have the coins. They're still there, and the private key won't generate that address out of nowhere otherwise.

When you imported the private key, it should have given you the option to "import directly" or "sweep". It would also have shown a balance. In fact, if you begin a new wallet on blockchain.info, it will do this now as well, if you try to again import it. I'm not convinced you were scammed yet, but you may have your funds stolen soon, since you posted your private key with only a few characters missing from it. There are a bit less than 11.5 million combinations to complete the key you posted, and probably only 1 is a valid WIF-type, if we assume that it is one. (The probability of an accidental WIF is pretty incredibly low.)

At this point, you might want to take your chances and PM me the missing characters. I'll recover your BTC for a 5% finder's fee, if I'm able to do so. You can't wind up any worse off than you are now. It's your call, but consider that if I were motivated I (and many others on this forum, so you should figure out what you want to do pretty soon) could write a quick script to run through those 11.5 million combos and check for one that zeroes out to a valid WIF key. In fact, if I don't hear from you soon, I will prooooabbably do it anyway, because if I don't do it someone else soon will. If I collect them that way, I'll give them back for 10% (for the extra work involved writing the script).

I'll also be happy to show you where you went wrong, if it turns out that was the case.

Yes ..  I already ask my money back, and the guy disappear now after his SCAM  is exposed. So I plan  to make report for Police department .