Topic: Pishing alert: Fake EXODUS e-mail (Read 186 times)

I tried to check that theory using the link posted in the OP, but I only get a blank page. I think your theory makes sense, although the one who exposes his seed in this way will not be less suspicious if someone asks for only 6 or all 12 words.


I suspected that it was a big number when it comes to the time for brute force, which completely removes any doubt that this scammer can do something with only 6 words. However, some people are quite convinced that making a winning combination of 2048 words is more likely than winning the lottery, which is of course far from the truth.

I think the most likely thing here is simply that after entering those 6 words, you may very well end up on a page asking you for the other 6. The switched up order is probably just a poor attempt to make it seem more "official" and less scammy.

Brute forcing 6 words, while theoretically possible, would require a huge amount of computing power and cost. Here is an example of someone who managed to brute force 4 words in 30 hours by spending $350 renting GPUs. His benchmark was 143,000 seed phrases per second, which is very similar to the 134,000 seed phrases per second btcrecover says it can manage on some modest hardware: https://btcrecover.readthedocs.io/en/latest/GPU_Acceleration/

To brute force 6 words using these numbers, you would need to multiply those numbers by 2048². However, they ask for the 12th checksum word, so that would reduce the computational requirements as you could reject 15/16 seed phrases for failing the checksum and not have to turn the seed phrase in to an address to check for balance, which is the computational expensive part of the process. Even so, some very rough calculations puts that at ~$100 million over 900 years, or a far higher cost to rent better/more hardware and do that in anything approaching a reasonable time frame. So unless they know for a fact your Exodus wallet is holding hundreds of thousands of bitcoin, then only an idiot would attempt it.

So if anyone has given out 6 of their words to this scam, then the good news is your coins are probably not about to be stolen provided you have never and will never reveal any of your other words. You should still set up a new wallet and seed phrase and move everything across, though.

@Pmalek, I personally don't know if there is any possibility that the person behind this phishing knows something that we don't (which I really doubt). The choice of words that are being searched for is definitely interesting, and maybe that is the key to trying to brute force the other words in some way.

I think @o_e_l_e_o could help us clarify if there really is something here, or if someone simply messed up because they didn't simply look for all 12 words.

I agree with you that it's an amateurish phishing attempt but I think whoever is behind this knows about Exodus seed lengths. If you take another look at the second picture in OP,  you will notice that they are asking for the following words from the seed: 1st, 5th, 10th, 12th, 2nd, and 4th. But I still don't understand why they want only 6 words in total. Someone messed up creating this thing. 

It doesn't seem like a mystery to me, but like a bad and amateur phishing attempt, considering that there are also very obvious grammatical errors that point to a very low level of knowledge of the English language. The person who made this page obviously does not know that Exodus has a seed of 12 words - which means that some kid played a little bit in the hope that he will succeed in scamming someone.

Do not share your seed with anyone and all such attempts will not pose any danger to you.

It really is a mystery, why the hackers attempt with only 6 words, if it's not possible to brute force more than 4 missing words, the hacker is putting on a joke, or is he really that good if he can do really hack six missing words through brute force, but back to OP's topic, all we have to do is stick to the basic and rule of the thump do not give your keywords to anyone and always double or triple check, this basic will save us.

Not with today's technology surely. People much more knowledgeable than me have explained that it is possible to bruteforce a few missing words if you know their locations. But I don't think you can bruteforce more than 4 missing words in our lifetime. 

I also noticed that did the hacker already have the other seed words that they are only asking 6 seed words there's no way the hacker can access a wallet with uncomplete seed words, I have seen hackers asking for seed words but never uncomplete seed words, maybe if OP has given the six words he will ask again for the other six words later.
I wonder what's going on in the hacker's mind or if he has a method where he can hack a wallet with incomplete seed words.

The email itself is so suspicious so hopefully no guys in right mind will put their back up phrase to that scammy mail since for sure the legitimate exodus will never ask such important details like that to their costumer. People need to be more careful upon their mails receive because there are so many phising attempt like this that's why its good to use dummy mails to avoid any possible another method of attempts conduct by criminals.

They couldn't even spell "changes" correctly on the button. It says "chagnes".

I wonder why you even clicked on that link. Did you initially think that it was a legit email, or were you just curious to see what will happen? It's clear from what they wrote in the email that they want your recovery phrase, even though they call it a "keystore phrase". You were lucky this time. Maybe next time there will be malware attached to the link that executes when you click on it, and you will infect your device playing around like that. Just delete the email and don't gamble with you money and security if it happens again.

What kind of dumb recovery method is that? Only six words. Why didn't they ask for all 12/24 (not sure what the length of Exodus seeds is) lol.
Even if you entered 6/12 or 6/24 words, they wouldn't be able to bruteforce the remaining ones and gain access to your coins. 

Always check the email header and if it not from any official email you can safely ignore the email and mark it as a case of spam. In this case it is very clear that the email came from a throwaway or similar and looking to scam some innocent user.

Such mass emails are very commonly done to catch that one in a hundred flock of users and in crypto this is very common. Good for you to report this but I am sure the scammers have already had their catch, since only few of these actually get reported and the scammers keep doing it over and over again because that one catch is all they need to fuel their rush of stealing money.

If you're a long-time user of Exodus you should be aware of this, they always alert or remind their users that they never ask for unsolicited emails like that, every time you receive emails like that even from other wallets' support you should ask support and verify if they have emails like this, you can easily contact them they are responsive and some of them have social media presence, any emails that will ask your private key are phishing email regardless of the source.

All communications coming from Exodus and all other sites should have their domain on their email like admin@domain obviously this is a spam email because it is using a different domain name it's coming from https://webmail.optusnet.com.au/ the user is from Australia using email provided by optusnet.com.au.
Never entertain emails that asked your private key, it's a trap your private key is your alone and it should be shared with trusted sources or very close relatives, your wealth is all here.

Scammers always try to steal crypto users' wallet information by sending phishing emails. Since you have started receiving such emails, it can be assumed that the scammers will continue to send more phishing links targeting you. So you should be careful while using this email to be safe before any untoward incident happens. You posted here about this website which will make many crypto users careful. Thank you OP.

I received this email today:



I clicked on the button and I was redirected to a website with a strange domain name: i4tprol8ckgjwhlysqxabacf.alimentaegypt.com

And see what they asked me to do:



It is very certain it was made to steal Exodus wallets.


And this official page from the real Exodus app alerts:

https://support.exodus.com/article/638-i-received-an-email-from-exodus-asking-me-to-provide-my-12-word-phrase-password