Topic: [RESOLVED] Bitherium.cc not a full decentralized exchange - PrivKey leaks (Read 607 times)

hero member
Activity: 1138
Merit: 574
Hello,

I did my investigation since the exchange is now back online.

I can say that the private keys are no longer sent to the server. All the cryptographic operations seem to be handled by the web client.

You can now connect only with MetaMask or a Keystore file.
Wallet generation is now done through MEW.

Here is the page to connect: http://web.archive.org/web/20200303094050/https://dex.bitherium.cc/unlock_wallet
And the script that sends data to the server: http://web.archive.org/web/20200303103619/https://dex.bitherium.cc/resources/assets/front/pageJS/unlock_wallet.js

You can notice that the old AJAX functions (importKey_old() & importKeystore_old()) that were used to send the private keys to the server are still there (but seem not to be used anymore).

To me the case is resolved, as they reworked the scripts to operate as a real DEX.

What now for Bitherium.cc?
Maybe stop insulting people (they are your users),
stop creating shill accounts and
remove the old functions.

That is my statement. I can't say whether they are or will be honest, or if I missed something. It's up to them to show proof of solvency from now on.

Archive of that thread: http://web.archive.org/web/20200303104953/https://bitcointalk.org/index.php?topic=5228661.0&all=
Archive of the official thread: http://web.archive.org/web/20200303105444/https://bitcointalk.org/index.php?topic=5226563.0&all=
legendary
Activity: 3010
Merit: 8114
If you think you are safe behind your PC
A letter from a lawyer to Namecheap
with all the information I've gathered here

and we know the domain owner

After that everything goes very quickly, trust me
Disclosure of your IP data and email address

Internet provider query

The same applies to Mallyx

This conversation will not be continued here, but will be recorded and followed up in any case. Wink

Nope. You would need a court order issued in the U.S. for this information to be released.

As far as I know, theymos has only complied with the most serious of law enforcement requests involving the investigation of major, federal crimes. Exposing a fake DEX for having a shitty backend does not fall into this category. What's far more likely is he would tell your lawyer to go fuck themselves.

If you now operate as a DEX should, I will remove my complaint. Otherwise I will keep showing proof of ineligibility.
It's best for you to comply with your own engagements.

Waiting to hear your next review.

Even if the exchange did fix their problems, I still would not trust it until the smart contract which interacted with Metamask or whatever was thoroughly scrutinized.
legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Who is this WE?

I had the same question towards TOAA, at some point.

In that case, and also in this case, I think the answer given by nullius is the best:

Quote
My guess:  Something related to the earlier origin of the term “Sybil”, as later used in the term “Sybil attack”.

What do you think? Smiley
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
Keep in mind that we are currently logging all of this information about your lies, allegations and fud

Oh no sir.
I am so scared now, what am I going to do? Sad

If you think you are safe behind your PC
A letter from a lawyer to Namecheap
with all the information I've gathered here

and we know the domain owner

After that everything goes very quickly, trust me
Disclosure of your IP data and email address

Internet provider query

The same applies to Mallyx

This conversation will not be continued here, but will be recorded and followed up in any case. Wink

Oh my....

Clown criticalknow is threatening to expose us all.
Lawyer army is ready.
I am so scared...
Everyone run and hide...    Roll Eyes

and we know the domain owner
Oh, and one more thing...
Who is this WE?
newbie
Activity: 12
Merit: 0
It is sad to see how criticalknow is invested in this topic.
It makes you wonder why...

I am calling more DT members to check out this topic.

Do you know what is sad?
That they have no expertise.
You are a follower who only tries to attract attention.

You have not yet expressed anything constructive,
only allegations without evidence.
When you're so sure of what you're saying,
please provide your real name and we will both have everything checked legally.

Is this a fair offer?
Keep in mind that we are currently logging all of this information about your lies, allegations and fud

You don't even notice that you are completely affecting the credibility of Mallyx.
By now we all believe that you are the same person


Domain name: BITCOINTALK.ORG
Registration domain ID: D162601474-LROR
Registrar WHOIS server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated on: 2019-11-24T14:01:10Z
Creation Date: 2011-06-24T05:19:00Z
Registration expiration date: 2029-06-24T05:19:00Z
Registrar registration expiration date:
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar abuse contact email: [email protected]

If you think you are safe behind your PC
A letter from a lawyer to Namecheap
with all the information I've gathered here

and we know the domain owner

After that everything goes very quickly, trust me
Disclosure of your IP data and email address

Internet provider query

The same applies to Mallyx

This conversation will not be continued here, but will be recorded and followed up in any case. Wink
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
It is sad to see how criticalknow is invested in this topic.
It makes you wonder why...

I am calling more DT members to check out this topic.
newbie
Activity: 12
Merit: 0
Maybe you should just visit the Telegram channel

There you can directly reach the founder.
I want to make a note

It is a small team.
However, all work is carried out by an external company
and if you have any suggestions for improvement for the future, visit the channel

The founder can then forward your suggestions and ideas directly to the company via the official route.

If you really help and pursue the same goal, you are very welcome there
But if you only want to put the project in a negative light, please wait until the project has been checked by two other companies and the exchange has been released for trading.

No point talking. If you now operate as a DEX should, I will remove my complaint. Otherwise I will keep showing proof of ineligibility.
It's best for you to comply with your own engagements.


I tried to explain it to you
The founder wants the same thing as you

He places an order with a blockchain company and that company does the job
The question now is how this company does its job
To make sure everyone is safe, a second and a third company should review the entire project before it is actually released.
This was planned from the beginning and is still being carried out, but the project is not yet complete
The transition from a hybrid to a decentralized exchange is not yet complete. (Creation of Smartcontract)

As I said, the founder was actually grateful for this tip. But he actually thought that your criticism can only be explained because the project has not yet been reviewed and completed.
When the founder heard your criticism, he directly minimized the risk of his exchange. Registration with a private key has been completely prohibited, even if it can be validated in the frontend
and he directly ordered that wallets should only be created externally and that the ledger login should be added

He had invited you at any time and you could have directed your questions directly to the developer.

Thank you for your feedback !
hero member
Activity: 1138
Merit: 574
Maybe you should just visit the Telegram channel

There you can directly reach the founder.
I want to make a note

It is a small team.
However, all work is carried out by an external company
and if you have any suggestions for improvement for the future, visit the channel

The founder can then forward your suggestions and ideas directly to the company via the official route.

If you really help and pursue the same goal, you are very welcome there
But if you only want to put the project in a negative light, please wait until the project has been checked by two other companies and the exchange has been released for trading.

No point talking. If you now operate as a DEX should, I will remove my complaint. Otherwise I will keep showing proof of ineligibility.
It's best for you to comply with your own engagements.
newbie
Activity: 12
Merit: 0
Maybe you should just visit the Telegram channel

There you can directly reach the founder.
I want to make a note

It is a small team.
However, all work is carried out by an external company
and if you have any suggestions for improvement for the future, visit the channel

The founder can then forward your suggestions and ideas directly to the company via the official route.

If you really help and pursue the same goal, you are very welcome there
But if you only want to put the project in a negative light, please wait until the project has been checked by two other companies and the exchange has been released for trading.
hero member
Activity: 1138
Merit: 574
The site is back online.
Will check soon if the issue has been resolved and if they now operate as a real DEX (i.e. the cryptographic operations are handled by the client).
newbie
Activity: 12
Merit: 0
@criticalknow
You emerged from your egg a few days ago and you can't stop lying and producing crap from your mouth.
You are an advocate of the bitherium.cc scam and a thief like they are.

Deleted criticalknow post:
http://loyce.club/archive/posts/5393/53936987.html

Quote
Hello Mallyx,


I have read some of your French posts and found that you are not a troll.


I also don't think you are a fud creator
Be so far-sighted and end this comedy.

The Bitherium project is in the development phase and has done everything necessary to change the things you want.


This project is no less bad than you
Please end your complaint
You have signaled to end this senseless campaign
The team also invited them to discuss other possible things. In my opinion everything has been corrected

end this drama

Thank You




You saw well, but since you have little intelligence and don't understand why I deleted it, we'll leave it at that.

Leave everything here. Everyone should see this campaign
You will see where it takes you both

to spread falsehoods !

 
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
@criticalknow
You emerged from your egg a few days ago and you can't stop lying and producing crap from your mouth.
You are an advocate of the bitherium.cc scam and a thief like they are.

Deleted criticalknow post:
http://loyce.club/archive/posts/5393/53936987.html

Quote
Hello Mallyx,


I have read some of your French posts and found that you are not a troll.


I also don't think you are a fud creator
Be so far-sighted and end this comedy.

The Bitherium project is in the development phase and has done everything necessary to change the things you want.


This project is no less bad than you
Please end your complaint
You have signaled to end this senseless campaign
The team also invited them to discuss other possible things. In my opinion everything has been corrected

end this drama

Thank You
newbie
Activity: 12
Merit: 0
Again my question, are you retarded?  Roll Eyes
or just a poor unemployed troll with no schooling who wants to earn pocket money here now?

This is a question. Hopefully you understand the difference between a question and an accusation. No, you don't understand that.
But you could really perform in the circus, we laughed a lot.
Oh my God. We can't stop laughing.  Cheesy Cheesy Cheesy

In summary: we are neither related nor the same person
That is also a pure claim.
Next I am Batman and the social media manager is Robin and therefore a black flag is raised
In fact, your entire campaign was designed from the start to spread only fud and negative publicity against the project.
All I've read so far has been accusations or unsubstantiated claims
First, you say that there is a private key leak
Where? When you see your own, where's the leak?
Then you claim that private keys are collected or stored
These are nothing but statements without evidence
The best thing about this smear comedy
That you all supposedly know how all decentralized exchanges work.
And you confirm that all decentralized exchanges work the same way
It is your dream of a decentralized exchange
You do not know whether the validation takes place in the backend or frontend.
And you also have no right to tell others how their exchange should work
It would be like telling you how to drink your coffee.
And even though you haven't done anything other than accusing and blaming the whole time, the project responded appropriately to you and disclosed everything
But that was never your intention to do anything good as you can easily see.
The real scam is knowingly harming someone else by making false claims
But you will not be successful with this because luckily the project was able to clear everything up.
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
I created a red Flag for bitherium.cc:
https://bitcointalk.org/index.php?action=trust;flag=1415

Everything said and showed in this thread is enough for everyone.
Their other advocate account criticalknow should also be tagged:
https://bitcointalksearch.org/user/criticalknow-2771296


Don't answer anymore.
You did everything you could.


It looks like these people are not about security, but just portraying you as a scam to get attention


forget it

 Roll Eyes Roll Eyes Roll Eyes Roll Eyes

Honest

A blind man sees that there is no fraud here

If this project wanted to scam, they would have implemented encryption beforehand

and not afterwards, really hard to read

Now among adults and developers,

Have you ever tried to contact this project?
to find out if this company actually wants to cheat

or whether there was a technical problem or whether there was a problem at all?

A company works for this project
they are in the process of optimizing some things.

Private key login is completely deactivated. Not because of the exchange but because it is a danger for the user to have the private key on the computer.

These guys have also completely outsourced the creation of wallets.
You are wrong if you say there is a scam.

Think about it before you say these things, and it would have been professional to contact the project first; they are fighting for the same thing as you.

they're both stupid or just retarded, or both  Huh Huh Huh

They both got too little love ?

He has stated that the exchange is currently in the development phase
and a decentralized smart contract is in development.

Don't you understand what that statement means?


that it was a hybrid exchange before and everything went well

they make themselves completely ridiculous

 Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Grin
copper member
Activity: 24
Merit: 0
We will explain it once more now. In our test phase we sent the private key to the backend to check (through web3.js) whether it is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and above all we changed everything you wanted.
Exactly. You were sending it to your backend. Like I said, whether you were only checking if it's valid or saving them, it's not for me to say. A DEX would not need any of these to reach the backend after all.

But your answer was:
The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.
The accusation that the private key is read by users is completely invented. This screenshot only shows that the user can see his own private key in his own browser session!
The bolded part is a lie. If it reached your backend, you could supposedly have seen it all and saved them. If you admitted it was sent to the backend, then how is it only on the browser session? Again, if you saved or not, we can't know. But you COULD have been saving them. That's the point of OP's thread.

We would not say "lie" but "not true". Yes, that was the first reaction (of the social media manager); we thought it was right, we should have examined it first.
newbie
Activity: 12
Merit: 0
Don't answer anymore.
You did everything you could.


It looks like these people are not about security, but just portraying you as a scam to get attention


forget it

 Roll Eyes Roll Eyes Roll Eyes Roll Eyes

Honest

A blind man sees that there is no fraud here

If this project wanted to scam, they would have implemented encryption beforehand

and not afterwards, really hard to read

legendary
Activity: 2758
Merit: 6830
We will explain it once more now. In our test phase we sent the private key to the backend to check (through web3.js) whether it is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and above all we changed everything you wanted.
Exactly. You were sending it to your backend. Like I said, whether you were only checking if it's valid or saving them, it's not for me to say. A DEX would not need any of these to reach the backend after all.

But your answer was:
The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.
The accusation that the private key is read by users is completely invented. This screenshot only shows that the user can see his own private key in his own browser session!
The bolded part is a lie. If it reached your backend, you could supposedly have seen it all and saved them. If you admitted it was sent to the backend, then how is it only on the browser session? Again, if you saved or not, we can't know. But you COULD have been saving them. That's the point of OP's thread.
copper member
Activity: 24
Merit: 0
As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.
That's a lie. The page was sending a POST request with the private-key and its password in plain-text to your server.

If you saved the private-key or not, that's something we can not confirm since it was handled by your server, and we do not have access to it. But saving it was as simple as taking the body data from the request and saving them anywhere you wanted. So it was definitely possible. Do not lie saying this data was handled in the client, on his own browser, because it was NOT.

We will explain it once more now. In our test phase we sent the private key to the backend to check (through web3.js) whether it is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and above all we changed everything you wanted.
legendary
Activity: 2758
Merit: 6830
As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.
That's a lie. The page was sending a POST request with the private-key and its password in plain-text to your server.

If you saved the private-key or not, that's something we can not confirm since it was handled by your server, and we do not have access to it. But saving it was as simple as taking the body data from the request and saving them anywhere you wanted. So it was definitely possible. Do not lie saying this data was handled in the client, on his own browser, because it was NOT.
copper member
Activity: 24
Merit: 0
I can understand that the platform is in a beta stage.

No DEX wallet needs to send your private keys to the server anyway, even for a check. That's a major failure, or a scam attempt.
Plenty of libraries exist to handle that client-side through JavaScript (e.g. https://github.com/nakov/client-side-ethereum-wallet).

If you show honesty and fix that issue, I'll remove my complaint.

Hello Mallyx,

As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.

The other thing is that you accused us of collecting / storing private keys. There is a difference between checking in the backend or frontend and saving a private key. A private key was never stored. We can assure you of that. We evaluated all bitcointalk feedback in the past few days and our developers had to answer questions and provide evidence. I would also like to thank you for your indirect help. Based on your campaign, we checked again whether the availability of login with private keys makes sense for users. And after a lot of talks we decided to turn it off regardless of whether the validation in the front end is carried out via web3.js and thus externally. Instead of that option we are working to ensure that the user can soon log in with their Ledger hardware wallet.

For security reasons, we also decided that users will only be able to create their wallets externally, to dispel any doubts. Another note for you. Before we open our exchange for trading, the code will be checked by 2 independent companies.

If you have any further comments or concerns, please let us know at [email protected] or join our telegram channel and we can talk more about the project.

-The Bitherium team



legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
You are insulting people here,
and the way you are speaking it is obvious you are the same person as your other account bitherium.cc

registered yesterday  Roll Eyes
newbie
Activity: 12
Merit: 0
Now among adults and developers,

Have you ever tried to contact this project?
to find out if this company actually wants to cheat

or whether there was a technical problem or whether there was a problem at all?

A company works for this project
they are in the process of optimizing some things.

Private key login is completely deactivated. Not because of the exchange but because it is a danger for the user to have the private key on the computer.

These guys have also completely outsourced the creation of wallets.
You are wrong if you say there is a scam.

Think about it before you say these things, and it would have been professional to contact the project first; they are fighting for the same thing as you.

hero member
Activity: 1138
Merit: 574
I can understand that the platform is in a beta stage.

No DEX wallet needs to send your private keys to the server anyway, even for a check. That's a major failure, or a scam attempt.
Plenty of libraries exist to handle that client-side through JavaScript (e.g. https://github.com/nakov/client-side-ethereum-wallet).

If you show honesty and fix that issue, I'll remove my complaint.
newbie
Activity: 12
Merit: 0
they're both stupid or just retarded, or both  Huh Huh Huh

They both got too little love ?

He has stated that the exchange is currently in the development phase
and a decentralized smart contract is in development.

Don't you understand what that statement means?


that it was a hybrid exchange before and everything went well

they make themselves completely ridiculous

 Roll Eyes Roll Eyes Roll Eyes Roll Eyes Roll Eyes Grin
hero member
Activity: 1138
Merit: 574
The screenshots only show the XHR request with all the data that was sent to the server. The data contain your private key and password.
On most browsers it's easy to track the network activity.

Technically speaking, a real DEX just doesn't need your private key. It only needs your signature to commit an action to the blockchain. The smart contract does the job.

1. You send the private key to the server.
2. Then you identify the user through a token to commit an order (like buying), which means that the private key is stored server-side.

That's not how a DEX works.



 Wink
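The check described above (private key and password visible in the XHR POST body, with the old importKey/importKeystore functions still present in the client script) can be turned into a browser-side audit hook that warns whenever wallet secrets are about to leave the page. This is an added example, not Bitherium's code or any script from the thread; the field-name lists and the sample request bodies are constructed assumptions.

```javascript
// Added example, not Bitherium's code: a defender-side audit of outgoing request
// bodies that flags wallet secrets leaving the browser, i.e. the symptom the OP
// observed in the XHR POST (private key and password in plain text). Field names
// and the sample payloads below are constructed for illustration.

// A raw secp256k1 private key is 32 bytes: 64 hex characters, optionally 0x-prefixed.
const RAW_KEY_RE = /^(?:0x)?[0-9a-fA-F]{64}$/;
// Field names that have no business in a request to a DEX backend (heuristic list).
const SECRET_FIELDS = ['privatekey', 'private_key', 'privkey', 'password',
  'passphrase', 'mnemonic', 'seed'];
// Field names whose 32-byte hex values are expected on the wire: hashes and the
// r/s parts of a signature, which is all a real DEX needs from the client.
const BENIGN_HEX_FIELDS = ['r', 's', 'hash', 'txhash', 'orderhash', 'nonce', 'salt'];

// Decode a body as JSON, falling back to application/x-www-form-urlencoded
// (FormData/Blob bodies are not handled here).
function parseBody(body) {
  if (body == null) return {};
  const text = typeof body === 'string' ? body : String(body);
  try { return JSON.parse(text); } catch (_) { /* not JSON, try form encoding */ }
  return Object.fromEntries(new URLSearchParams(text));
}

// Web3 Secret Storage (keystore v3) files carry a `crypto`/`Crypto` object with a ciphertext.
function isKeystore(value) {
  const c = value && typeof value === 'object' ? (value.crypto || value.Crypto) : null;
  return Boolean(c && typeof c === 'object' && 'ciphertext' in c);
}

// Walk the decoded body and return findings as { path, kind } objects; kinds are
// 'keystore', 'secret-field' and 'possible-raw-key' (32-byte hex under an unknown name).
function auditRequestBody(body) {
  const findings = [];
  const walk = (node, path) => {
    if (!node || typeof node !== 'object') return;
    for (const [name, value] of Object.entries(node)) {
      const p = path ? `${path}.${name}` : name;
      const lname = name.toLowerCase();
      if (isKeystore(value)) {
        findings.push({ path: p, kind: 'keystore' });
      } else if (SECRET_FIELDS.includes(lname) && value != null && value !== '') {
        findings.push({ path: p, kind: 'secret-field' });
      } else if (typeof value === 'string' && RAW_KEY_RE.test(value)
                 && !BENIGN_HEX_FIELDS.includes(lname)) {
        findings.push({ path: p, kind: 'possible-raw-key' });
      } else {
        walk(value, p);
      }
    }
  };
  const root = parseBody(body);
  if (isKeystore(root)) findings.push({ path: '(root)', kind: 'keystore' });
  else walk(root, '');
  return findings;
}

// In a browser, wrap XMLHttpRequest (the transport seen in the OP's screenshots) so
// every body is audited and a warning logged before it leaves. Returns false elsewhere.
function installAuditHook(g = globalThis) {
  if (typeof g.XMLHttpRequest !== 'function') return false;
  const report = (url, body) => {
    const findings = auditRequestBody(body);
    if (findings.length) console.warn(`[wallet-audit] secrets in request to ${url}:`, findings);
  };
  const { open, send } = g.XMLHttpRequest.prototype;
  g.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    this.__auditUrl = String(url);
    return open.call(this, method, url, ...rest);
  };
  g.XMLHttpRequest.prototype.send = function (body) {
    report(this.__auditUrl, body);
    return send.call(this, body);
  };
  return true;
}

// Constructed sample bodies (not captured traffic); a repeated byte stands in for a key.
const LEAKY_UNLOCK_BODY = 'privateKey=0x' + 'ab'.repeat(32) + '&password=correct-horse';
const SIGNED_ORDER_BODY = JSON.stringify({
  order: { maker: '0x' + '11'.repeat(20), sellAmount: '1000000', nonce: '0x' + '22'.repeat(32) },
  signature: { r: '0x' + '33'.repeat(32), s: '0x' + '44'.repeat(32), v: 27 },
});
const KEYSTORE_UPLOAD_BODY = JSON.stringify({
  wallet: { version: 3, crypto: { cipher: 'aes-128-ctr', ciphertext: 'deadbeef' } },
  password: 'correct-horse',
});

console.log(auditRequestBody(LEAKY_UNLOCK_BODY));    // two secret-field findings
console.log(auditRequestBody(SIGNED_ORDER_BODY));    // [] : only signature parts leave
console.log(auditRequestBody(KEYSTORE_UPLOAD_BODY)); // keystore + secret-field findings
```

Run the file under Node to see the three verdicts, or paste it into a browser console and call installAuditHook() before using a web wallet to get the same verdict on live requests.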
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
Thank you very much for your non constructive and totally useless post. Your words are saying much more about you now.

Your actions and lies say much more about you.


You can use your private key, keystore file or MetaMask to log into our exchange, just like every decentralized exchange offers this login, similar to MyEtherWallet.
We can't collect or save anything from these details.

Our hired developer company got questions about security and we will inform you as soon as possible. If the dev company has created any security issues we will publish their name immediately. For now it looks like the users can only see their own private keys in their own web browser and the exchange only authorizes them.

We never have and will never collect or keep private keys from wallets.

Some users seem to be trying hard to spread fud, thanks for that.
However, we do not accept any dubious offers from you to receive positive fake posts here in Bitcointalk. We are a hard working project. We do not need this and will not respond to your offers.

If we were scammers, we wouldn't program a DEX. We would also not be transparent in our external communication. All accusations are nothing more than accusations and defamations.

The accusation that the private key is read by users is completely invented.

We immediately end the possibility that the user can log in to us with his private key. It only works with MetaMask or a Keystore file, and we will work on connecting to the general ledger.

Why did you stop your shit if everything is 'invented'?
copper member
Activity: 24
Merit: 0
Here he is with his feelings hurt now... oh, poor little clown worried about an imagined evil 'campaign' against their circus.
It would also be good to learn proper English when you write, but it will not help you.

Thank you very much for your non constructive and totally useless post. Your words are saying much more about you now.
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
Here he is with his feelings hurt now... oh, poor little clown worried about an imagined evil 'campaign' against their circus.
It would also be good to learn proper English when you write, but it will not help you.
copper member
Activity: 24
Merit: 0
Hello Bitcointalk,


It took a little longer because we had to reconstruct and evaluate things first.

To the allegations

We never have and will never collect or keep private keys from wallets.

Some users seem to be trying hard to spread fud, thanks for that.
However, we do not accept any dubious offers from you to receive positive fake posts here in Bitcointalk. We are a hard working project. We do not need this and will not respond to your offers.

If we were scammers, we wouldn't program a DEX. We would also not be transparent in our external communication. All accusations are nothing more than accusations and defamations.

We are completely in the development phase. Deposits and withdrawals are deactivated.

Here you can see that we are working on the development of our smart contract (which is not yet finished): https://ropsten.etherscan.io/address/0x8b1c480428038e93f9e99fc9e34194a5f4c1fc60#code

The accusation that the private key is read by users is completely invented. This screenshot only shows that the user can see his own private key in his own browser session!

Here is a report from our developer team:

The consequences:

We will immediately end the ability to create wallets directly on our exchange. We will add a link to MyEtherWallet with a note on creating a Keystore wallet.

Now we are on the next topic
We immediately end the possibility that the user can log in to us with his private key. It only works with MetaMask or a Keystore file, and we will work on connecting to the general ledger.

Thanks a lot for this organized, negative campaign; it made sure that we will make Bitherium even safer.
sr. member
Activity: 1218
Merit: 251
It turns out that there are still many scammers who continue to commit fraud, and the usual one is claiming to be a fully decentralized exchange, even though they want to find users by importing their private keys, which are then saved by the scammer. This is an extraordinary catch in my opinion.
legendary
Activity: 2086
Merit: 1282
Logo Designer ⛨ BSFL Division1
Great work OP
This is a multiple-way scam.
Now I expect to see their clown account come here and write a bunch of stupid things.
sr. member
Activity: 1419
Merit: 275
Community built, Privacy driven
Well, this is going to be interesting. I knew it was a scam from the first moment I saw it. Too much nice talk about it and not much proof about who is who. That paper from Seychelles, the Certificate of Incorporation, can be faked.
legendary
Activity: 1834
Merit: 1208
Domain : bitherium.cc
Registrar : DYNADOT, LLC
Registered On : 2019-04-05
Expires On : 2020-04-05
Updated On : 2020-02-25
Status : clientTransferProhibited
Name Servers : liv.ns.cloudflare.com
               mario.ns.cloudflare.com

I used this site to find the WHOIS: https://www.whois.com/whois/bitherium.cc



I also don't understand their investment plan; it's like a certain level to earn more profit. Maybe a ponzi? But I'm not sure... just my suspicion.
hero member
Activity: 1138
Merit: 574
Resolved here: https://bitcointalksearch.org/topic/m.53954607
Archive of that thread: http://web.archive.org/web/20200303104953/https://bitcointalk.org/index.php?topic=5228661.0&all=
Archive of the official thread: http://web.archive.org/web/20200303105444/https://bitcointalksearch.org/topic/ann-bitheriumcc-full-decentralized-exchange-with-profit-share-token-5226563&all=

tl;dr:
1. I accused them of sending the users' private keys to the server.
2. They went into maintenance mode, then came back online.
3. It seems they resolved the issue.

Accusation:
Bitherium claims to be a fully decentralized exchange, but your private key and password are sent in plaintext to the server.


Proof:
You can try it yourself, but here is a screenshot of the XHR POST request when you create an account:

And when you want to unlock your wallet:

Obviously, everything is managed server-side. A token is bound to you. It means that your private key remains on the server somehow:

Other red flags:
  • Hidden team.
  • Very hard to verify the Seychelles Certificate of Incorporation.
  • Many low accounts are enjoying Bitherium on the main thread.
  • Hidden WHOIS.


Official thread: https://bitcointalksearch.org/topic/ann-bitheriumcc-full-decentralized-exchange-with-profit-share-token-5226563