alert Coinbase Wallet APP exploit is being used in combination with a network of newly registered domains for rampant scams/crypto theft.

Chris Hydrick

Hi Everyone ---

I had a recent discussion regarding a crypto mining pool, and what stood out to me is that when the other person clicked their Coinbase "wallet app" it opened a URL containing randomnumbers/letters.Eth-Fun.com (the URL looked similar to the URL in this Twitter profile).

Apple iPhone "Wallet app" : https://apps.apple.com/us/app/coinbase-wallet-store-crypto/id1278383455


If any crypto specialists out there could look into this, and comment or DM findings, I'd greatly appreciate it. Crypto is not my expertise so I can only look at this from a domain perspective.

Being a domainer, my first go-to was to check the WHOIS for Eth-Fun.com, and I noticed it was only recently registered at GoDaddy on November 29th, 2021.

I can't find much online regarding this domain besides a report in the ETH_Liquidity_Scam section of reddit:

•••
Eth-Fun .com & Fun-Eth .com are both fake / scam (e.g. suspended phishing site eth-base .org).
The Twitter handle has been hacked. The user profile image (the code) contains "Robin"; image uploaded at Pinterest.

Regards
 
•••
Never sign in with a link someone sent you; it is likely a phishing scam (copy of site).
 
•••
Eth-Fun .com & Fun-Eth .com are both fake / scam (e.g. suspended phishing site eth-base .org).
The Twitter handle has been hacked. The user profile image (the code) contains "Robin"; image uploaded at Pinterest.

Regards

Can you or any other crypto savvy members elaborate on how these scams work?

I'm not too familiar with the eth-base.org example but learned this based on a Reddit post:

"It’s a scam. The connected wallet gives them permission to remove funds anytime. Once they wipe clean the wallets they open a new operation under a different URL, Eth-base.net .org .co, all registered at GoDaddy and hosted there. Based in Hong Kong. These rings have been busted in the past. All the transactions are on Etherscan."
 
•••
Unless I'm mistaken, the scam website used in this crypto scam prevention video looks oddly similar to this website in question.



Be safe folks!
 
•••
Can you or any other crypto savvy members elaborate on how these scams work?

I'm not too familiar with the eth-base.org example but learned this based on a Reddit post:

"It’s a scam. The connected wallet gives them permission to remove funds anytime. Once they wipe clean the wallets they open a new operation under a different URL, Eth-base.net .org .co, all registered at GoDaddy and hosted there. Based in Hong Kong. These rings have been busted in the past. All the transactions are on Etherscan."

Mostly, they're interested in hot wallet private keys.
 
•••
Mostly, they're interested in hot wallet private keys.

From what I understand of the video posted above, there is an exploit in the Coinbase wallet app or something that allows your Coinbase wallet to be connected to third party domains.

Once connected through the app and on a third-party domain, selecting something such as "get ETH voucher" or "mine for ETH" will activate a third-party connection to your Coinbase wallet, and by default the wallet allows the third party unlimited withdrawal control. Apparently the fix is moving funds out of your Coinbase wallet and to a new wallet, or using a service such as DappStar.io (can anybody confirm or deny this?) to change the settings from unlimited withdrawal approval to 0 withdrawal approval. This will stop your "mining profit", as a scammer can no longer have access to your ETH, but it will also protect your wallet from being drained by a third party, with the funds likely lost forever once drained unless the wallet recipient returns the funds as the victim expects instead of choosing to scam.

Maybe I'm mistaken, but that video seems quite informative and very similar to the story of what led me to questioning the Eth-Fun domain. Unfortunately, as others have stated in the video comments, some folks have lost their life savings and been led down the path of depression. I'm fearful somebody I know might be going through this scam now; lots of empathy and confusion on how to be there for somebody who goes through this.
 
•••
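The "unlimited approval" and "set it to 0" behaviour described in the post above matches how ERC-20 token allowances work, assuming the scam sites request a standard `approve(spender, amount)` call (an assumption; the thread does not name the call). The sketch below is an added example, not code from the thread or from Coinbase: it decodes such a request so the allowance can be checked before signing, and builds the matching zero-allowance revocation. The spender address and calldata are constructed samples.

```python
# Added example: inspect an ERC-20 approve() request before a wallet signs it.
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255        # assumption: allowances this large are effectively unlimited


def _strip0x(value):
    value = value.lower()
    return value[2:] if value.startswith("0x") else value


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for any other call."""
    data = _strip0x(calldata_hex)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:]
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender is not a left-padded 20-byte address")
    return "0x" + spender_word[24:], int(amount_word, 16)


def classify(calldata_hex):
    """Label the request: not-approve, revoke, bounded or unlimited."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return "not-approve"
    amount = decoded[1]
    if amount == 0:
        return "revoke"
    return "unlimited" if amount >= UNLIMITED_FLOOR else "bounded"


def build_revoke(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    addr = _strip0x(spender)
    if len(addr) != 40:
        raise ValueError("expected a 20-byte hex address")
    int(addr, 16)  # rejects non-hex characters
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed sample data: a made-up spender and the max-allowance request for it.
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_UNLIMITED = "0x" + APPROVE_SELECTOR + "0" * 24 + "ab" * 20 + "f" * 64

if __name__ == "__main__":
    print(classify(SAMPLE_UNLIMITED), decode_approve(SAMPLE_UNLIMITED)[0])
    print(classify(build_revoke(SAMPLE_SPENDER)))
```

An allowance is stored per token contract and per spender, so a revocation only covers the one token and spender pair it names.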

This video, which is nearly identical to the experience somebody I know very recently had, includes 40 tags that are URLs, assumed to be associated with this new rampant scam.

The earliest WHOIS is the scam @Lox had referenced earlier, e.g. eth-base.org/eth-base.io, registered at GoDaddy on August 21, 2021. The latest WHOIS of the list was registered on December 7, 2021. None have expiration dates beyond 2022.

Breakdown of the registrar usage of the 40 domains included in the YouTube video tags:

Alibaba Singapore: 2
Amazon: 2
Dynadot: 2
GoAustraliaDomains: 1
GoDaddy: 19
Name.com: 1
Namesilo: 8
WebNic.cc: 1
Xin Net: 1
Inactive: 3

The domains that affected the person I know were not included in the YouTube video tags, so it's hard to say how many throwaway domains are associated with this scam and how many ring(s) are involved.

Domains not tagged in the video that were attempting this on somebody I know:

Fun-Eth.com registered November 29, 2021 at GoDaddy
Eth-Fun.com (seems to be a mirror of Fun-Eth.com) registered most recently January 15th, 2022 at Namesilo

The person who introduced the person I know to this domain was somebody they never met in real life, only video calls. At one point she shared a screenshot that the person I know said looked a little different than screen, namely the URL difference included the domain name etc-defi909.xyz which was registered at GoDaddy January 8th, 2022.
 

Attachments

  • List of 40 domains tagged in crypto scam explained video.csv
•••
Have you been mining? You only want the legit chain miner. Lots of third party UIs have exploits, viruses, etc.
 
•••
Two months ago, the same thing happened to me on Twitter. I doubted it from the start and knew he was trying to phish. But I said I will go with him to the end to reveal his trick.