Dissection of a scam site (a case study)

btconline.io is a fraudulent site. Its story is that you enter your Bitcoin wallet address there and Bitcoins immediately start being mined for you. Everything is very simple: you do not even need to register. There is only one problem: the Bitcoins drip in slowly, and the minimum withdrawal amount is high. But, of course, there is a way out: you can buy paid packages and your Bitcoins will be mined faster; the more expensive the package, the faster the mining! When it comes time to pay out, you are told about “restrictions”, asked to verify your identity (send photos of your passport, bank card, etc.), or simply told “an error has occurred, try again later”.

There are people who fall for this, send them money, and spread the word for the sake of “referral payouts” (in quotes, since no one will receive anything)…

Sometimes such “projects” operate on the principle of a financial pyramid (early participants do receive some payments), but more often it is simply fraud.

Part 1. Analysis of the history of the web site's IP addresses

This is the most elementary check, and many sites fail it: they worked under their real IP, then set up CloudFlare and considered themselves “hidden”…

Therefore, if among the previous IPs of the target site there is one that does not belong to CloudFlare, there is a high probability that it is the real address of the site. In any case, it is a new thread that can lead far.

So, the site's IP address history shows this result:

securitytrails showed this result:

Everything is bad: these IPs all belong to CloudFlare.

Part 2. Checking with CloudFail

By the way, the CloudFail manual is here.

The online service “Disclosure of the real IP of a site behind the CloudFlare network using incorrectly configured DNS and a database of old records” also did not find anything useful.

And now it would seem that there is no way to find out the real IP address of the site behind CloudFlare. Everything is bad.

Part 3. Modus operandi

Modus operandi is a Latin phrase meaning “course of action”; in criminology it is used in the sense of “method of committing a crime”.

In simple terms: if we do something, then each time we do it in roughly the same way, and our actions contain similar features.

I looked at the btconline.io fraudulent site, read the texts and realized that they were hardly written by a native speaker; most likely it was a machine translation. But if so, then in order to produce the texts the author had to:

  • come up with his own long texts (there are questions and answers, a lot of text on the landing page, and so on)
  • translate these texts

And that takes effort.

Such fraudulent sites, in fact, very rarely bring their creators anything. Moreover, the first attempts are often especially unsuccessful: something may simply not work. So it is almost certain that the owner of this site has other sites, and while for his latest creation he did everything for concealment, did he do everything correctly for the previous sites?..

So I simply took fairly large pieces of text, put them in double quotes and searched for them on Google and Yandex. The text fragments I used:

"Our service make Bitcoin mining absolitely easy for every person! You don't need to buy expensive equipment and loose your time to configure mining servers"

AND:

"Your email address will be used to send login codes when suspicious or unusual activity is detected, to remind you of your account bitcoin address login"


I was looking for sites containing these exact phrases; as a result I compiled the following list of sites:

  • btconline.io
  • maxminer.net
  • hashmax.net
  • www.cryptominingz.com
  • gsumining.com
  • btc-online.org
  • minerbitcoin-ru.net

The IP history of maxminer.net gave the following results:

Among them are the sites:

  • litemine.site
  • ethermine.site
  • dogemine.site
  • btcclix.io
  • bitfly.pw
  • bitcomine.site

There you can “mine” Litecoin, Dogecoin and Ethereum, and why not? If you can mine the main Shitcoin, why not mine the minor Shitcoins?!

The maxminer.net site has the IP address 64.235.33.68; let's look at the information for it in securitytrails:

New domains:

  • adbtc.fun
  • bitsmine.net
  • btcclix.io
  • probtc.biz

Let's look at the history of probtc.biz:

Among other things, we see there the IP address 162.255.119.234.

I have shown a direct path to the address 162.255.119.234; in fact, the search branched out: I looked at the history of the domains I knew and collected IP addresses, for these IP addresses I collected new domains and again looked at the history of their IP addresses, and for each of these IP addresses I checked whether it belongs to btconline.io. I did this using cURL with a command like this:

curl IP_TO_CHECK -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: btconline.io'

Instead of IP_TO_CHECK I put the real IP address. If I received something interesting, I did a control check of the same IP with a command like this:

curl IP_TO_CHECK -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: FAKE.HOST'

That is, to compare the results, the host btconline.io is replaced with FAKE.HOST (any other host that is not related to this web server).

In the end, the command with 162.255.119.234:

curl 162.255.119.234 -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: btconline.io'

It gave the following result:

Pay attention to the lines:

< Location: http://www.btconline.io/
< X-Served-By: Namecheap URL Forward
<
<a href='http://www.btconline.io/'>Found</a>.

That is, the server responded to this host and wants to redirect us to http://www.btconline.io/. But there are web servers that are configured to redirect anything. Let's check with another host:

curl 162.255.119.234 -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: ya.ru'

For the host ya.ru nothing was found.

To confirm, in the /etc/hosts file:

sudo gedit /etc/hosts

I add the line

162.255.119.234 btconline.io

Save and close the file. Now I try to open btconline.io in a browser: it redirects to https://www.btconline.io/ (the www subdomain), the layout is broken, but the site opens!
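The comparison described in this part, scripted, as an added example that is not part of the original article: each candidate IP is asked twice, once with the real Host header and once with an unrelated control host, each response is reduced to its status line and redirect-related headers, and the script reports whether the origin treats the real host name specially (a catch-all redirector answers both the same way and proves nothing). The sample response headers below are constructed to mirror the output shown above; CHECK_DOMAIN, CONTROL_HOST and the IP list are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the original article. Probes candidate origin IPs
# for a domain hidden behind CloudFlare: each IP is asked for the real host name
# and for an unrelated control host name, and the two answers are compared.
# Assumptions: curl is installed; CHECK_DOMAIN, CONTROL_HOST and the IP list are
# placeholders supplied by the user.

UA="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"

# Reduce raw HTTP response headers to the fields worth comparing: the status
# code plus Location, Server and X-Served-By. Header names are lower-cased and
# CRs stripped so that trivial differences do not count.
fingerprint() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && $1 ~ /^HTTP\// { print "status=" $2; next }
        {
            name = tolower($1)
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "location:" || name == "server:" || name == "x-served-by:")
                print name value
        }'
}

# Classify one candidate from the two header sets:
#   bound  - the answer for the real host differs from the control answer
#   same   - both answers match (a catch-all redirector, not evidence)
#   silent - nothing came back for the real host
classify() {
    real_headers=$1
    control_headers=$2
    if [ -z "$real_headers" ]; then
        echo silent
    elif [ "$(fingerprint "$real_headers")" = "$(fingerprint "$control_headers")" ]; then
        echo same
    else
        echo bound
    fi
}

# Fetch only the response headers from IP $1 with "Host: $2" (network call).
fetch_headers() {
    curl -sS -m 10 -o /dev/null -D - -A "$UA" -H "Host: $2" "http://$1/" 2>/dev/null
}

# Read IPs from stdin, one per line, and print "IP<TAB>verdict" for each.
probe_all() {
    domain=$1
    control=$2
    while read -r ip; do
        [ -n "$ip" ] || continue
        verdict=$(classify "$(fetch_headers "$ip" "$domain")" "$(fetch_headers "$ip" "$control")")
        printf '%s\t%s\n' "$ip" "$verdict"
    done
}

# Constructed samples modelled on the responses described in the article.
SAMPLE_REAL='HTTP/1.1 302 Found
X-Served-By: Namecheap URL Forward
Location: http://www.btconline.io/
Content-Type: text/html'

SAMPLE_CONTROL='HTTP/1.1 404 Not Found
X-Served-By: Namecheap URL Forward
Content-Type: text/html'

# Catch-all redirector: every Host gets the same redirect, so it proves nothing.
SAMPLE_CATCHALL='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://parking.example/'

if [ -n "${CHECK_DOMAIN:-}" ]; then
    probe_all "$CHECK_DOMAIN" "${CONTROL_HOST:-control.invalid}"
else
    # No domain given: show the classifier on the constructed samples.
    printf 'real vs control: %s\n' "$(classify "$SAMPLE_REAL" "$SAMPLE_CONTROL")"
    printf 'catch-all:       %s\n' "$(classify "$SAMPLE_CATCHALL" "$SAMPLE_CATCHALL")"
fi
```

Run it as `CHECK_DOMAIN=btconline.io CONTROL_HOST=ya.ru sh probe.sh < candidate_ips.txt`; a "bound" verdict is the signal to follow up by hand, as the article does. For that final confirmation, `curl --resolve btconline.io:80:162.255.119.234 http://btconline.io/` pins the name to the address for a single request and saves editing /etc/hosts.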

That is, the creator of btconline.io did “everything right” for concealment:

  • WHOIS is closed
  • after the btconline.io website was created, it never ran on its real IP; it was immediately put behind CloudFlare

But it did not help him at all: this site revealed the entire network of domains and all the IPs in use now or earlier, each of which is a new lead, a thread leading further and further.

Part 4. Answers to questions that this site may raise

Real Time Payouts, payments in real time: did someone really get paid? After all, there are links to blockchain.com, and these are real wallets and real payments!

Yes, the wallets are real and the payments are real, only the order is reversed: the fraudulent site parses the data from blockchain.com and, on its basis, “draws” its own payouts.

Proof:

  • there are wallets in the payout list that have never sent money to anyone, although the payout list states that they are on a certain marketing plan; if these wallets never made any transfers, that is impossible.
  • the script has a funny bug: if you enter a Bitcoin wallet address, get your referral link, then follow that referral link and sign up with a wallet that has already been “paid”, everything works! That is, someone who has supposedly already received a payout becomes your referral, although re-registering with the same wallet should be impossible in principle.

Pop-up messages about purchased packages?

The JavaScript file contains a list of countries and a function that displays them at random, with a random choice of marketing plan…
