A network of Bitcoin-to-QR-code generators has stolen more than $45,000 from users in the past four weeks, ZDNet has learned.
The nine websites provided users with the ability to enter their Bitcoin address, a long string of text where Bitcoin funds are stored, and convert it into a QR code image they could save on their PC or smartphone.
Today, it's a common practice to share a Bitcoin address as a QR code and request a payment from another person. The receiver scans the QR code with a Bitcoin wallet app and sends the requested payment without having to type a lengthy Bitcoin addresses by hand. By using QR codes, users eliminate the possibility of a mistype that might send funds to the wrong wallet.
Sites tried to hijack BTC transactions via tainted QR codes
Last week, Harry Denley, Director of Security at the MyCrypto platform, ran across a suspicious site that converted Bitcoin addresses into QR codes.
While many services like this exist, Denley realized that the website was malicious in nature. Instead of converting an inputted Bitcoin (BTC) address into its QR code equivalent, the website always generated the same QR code -- for a scammer's wallet.
This meant that if a user shared the QR code with someone else, or placed it on a website to request donations, all money would be sent to the scammer's Bitcoin address.
From the initial website, Denley said he found eight other sites, all sharing the same interface, suggesting they were created by the same scammer:
Denley told ZDNet that the nine websites generated QR codes for five different Bitcoin addresses, which had received funds totaling more than 7 BTC ($45,000) -- most likely from tricked users.
Using PassiveTotal, a threat intelligence platform from RiskIQ, Denley said he tracked down the nine malicious sites to three web servers:
Using the same PassiveTotal, Denley found that the same servers were also hosting more than 450 other websites, all with shady-looking domains, containing terms like Gmail, coronavirus, and the brands of other cryptocurrency-related entities.
- 188.8.131.52 (List of hosted domains)
- 184.108.40.206 (List of hosted domains)
- 220.127.116.11 (List of hosted domains)
Most of the sites hosted on the three web servers weren't active, but merely contained ads for cryptocurrency gambling sites, where users can place a bet for the chance to win a bigger prize.
Such websites are broadly considered as scams, as they mostly tend to keep all bets, without yielding the promised winnings back to betters.
But besides the QR code generators and websites showing ads for the gambling sites, the same three servers also hosted a so-called "Bitcoin transaction accelerators."
These types of sites ask users to enter the ID of a Bitcoin transaction and promise to "accelerate" the transaction's approval process on the Bitcoin blockchain.
The sites Denley found were requesting a 0.001 BTC ($6.5) fee, and according to Denley, the BTC addresses where fees were collected had received more than 17.6 BTC, which accounted for a whopping $117,000.
"I am still unsure on where these sites were advertised to get so many funds," Denley said.
But the MyCrypto's researcher's finding isn't the only one of its kind. Networks of shady Bitcoin-to-QR-code generators have popped up in the past. For example, cryptocurrency wallet company ZenGo found another one last year, in August. According to ZenGo, the scammers managed to steal more than $20,000, at the time.