Categories
Alvosec

DankBP Deception: A Mirage in the Virtual Veil

This is a follow-up to our initial research, uncovering that ProtonKiwi was operating two BPs, which goes strictly against XPR Network rules. ProtonKiwi’s decision to engage in more lies and deception is a significant misstep, moving away from a constructive solution. In this article we will reveal even more lies from this ex-BP.

One of the users brought up in the chat that the keys were later updated. This valid concern deserves a detailed response.

Let’s make a chronology of DankBP’s keys:

October 2, 2023 – From the video it’s evident that he had access to DankBP’s private keys since October 2, 2023.

Screenshot from video, where Sarn is logged in DankBP wallet.

October 7, 2023 – Sarn uploaded a video to his channel titled “Telos Proposal: Telos Voting Reform”, in which he is logged into the DankBP wallet.

Update

The DankDollar Telegram group and the YouTube video from ProtonKiwi are now private, while the website is in “maintenance mode.”

Video Clip with the Title: “Telos Proposal: Telos Voting Reform”

October 16, 2023 – He created a producer key and registered on the mainnet with that key.

October 18, 2023 (15:54 UTC) – His BP (DankBP) entered the top 21 and started missing rounds. I informed him to investigate the issue with the node.

October 18, 2023 (16:40 UTC) – An hour later, he unregistered from the mainnet, changed the active key, and then registered the node using the updated active key.

As per Sarn’s comment, it’s completely illogical. Why would “Troy” choose to change the active key in this specific scenario rather than doing so earlier?

October 19, 2023 – I warned him not to use an active key in node registration.

January 17, 2024 – After it was exposed that he was running 2 BPs, he claimed that he had changed the keys. So he had access to those private keys from October 2, 2023 until October 18, 2023, a whole 16 days, and later he changed the active key, not to revoke or return access to “Troy”, but BECAUSE HE WAS MISSING ROUNDS and he thought that would solve the issue.

And a similar claim on the Telegram channel, but with an interesting detail where he said, “I changed access.” He didn’t say that “he (Troy)” changed access. The point here is that when people are truthful, they express themselves accurately, the opposite of being untruthful where you have to pay attention to every single detail to avoid exposing yourself. So, if Sarn changed access (keys), wouldn’t that mean Troy’s private key is no longer private?

https://t.me/XPRNetwork/1/948872

Now let’s take a look at how ProtonKiwi registered as a BP on May 17, 2022. He first created a producer key:

Following that, on May 21, 2022, he registered on the mainnet using the producer key, repeating the same mistake made during the registration of DankBP.

This indicates that both key structures were set up following the same pattern.

In an X Space, Sarn claimed that he did not mint the token, despite the fact that the metadata of the token image used in the minting process explicitly indicates his involvement. Sarn clearly doesn’t understand this piece of evidence and its common use in forensic analysis.

Sarn is unaware that nearly every platform automatically removes metadata when sharing images with others. So the question here is: how did he share that image with Troy, and how was it used in the minting process?

(TX)

Ultimately, Sarn doesn’t feel any guilt for his actions, viewing the provided concrete evidence and details as mere assumptions.

More details will be uncovered in the third part of this investigation.

Note: No information was obtained in an unethical way; all information used in this article is publicly available.


Unmasking Sock Puppets: The Quest for True Decentralization in the XPR Network

Welcome to the shadowy world of online deception, where the allure of quick riches often collides with the harsh reality of scams.

Presenting our latest research on DankDollars and its ties to DankBP, a block producer on the XPR Network, as well as their relationship with ProtonKiwi. Over the past few days, we’ve come across information that contradicts the accurate description of DankBP, particularly concerning ownership. Let’s begin by examining the details.

This website related to DankBP, https://dankdollars.co/ownership.txt, says that the owner is Troy Sleep aka sleepcie, which is his username on some other social accounts.

The problem is that we don’t have clear information about the supposed owner. Also, our check of publicly available information didn’t show any obvious links between this owner and knowledge about cryptocurrencies, especially any involvement in XPR Network.

After checking various social media accounts belonging to him, we couldn’t find any messages or posts indicating his participation in Web3.

We came across this account: explorer.xprnetwork.org/account/sleepcie, which was created on September 22, 2021, with minimal activity since its creation. On October 10, 2021 it had an interaction with Sarn from ProtonKiwi. It’s essential to highlight that ProtonKiwi has never claimed, as far as we know, that he (Sarn) and Troy Sleep are friends or partners in this project. Even when DankBP was removed from the mainnet, he never took any action, which is quite unusual if someone considers them a “close friend” facing trouble. He stayed quiet, didn’t discuss DankBP much, wasn’t actively participating in their chat group, and didn’t share many of their posts. Yet, strangely, he invested the most in “their” token.

Here is a Facebook profile of Troy Sleep and among his friends is also Sarn from ProtonKiwi.

After that, we examined the website of DankBP at https://dankdollars.co/ and found several similarities with Sarn’s work. We’ve discovered that dankdollars.co is hosted on the same server as all of Sarn’s other projects and websites, including his site bp.kiwi. The dankdollars.co website follows a very similar approach, as evidenced by comparing its source code with another website created by Sarn. They share an almost identical structure in terms of plugins, website builder, and technology.

On the left, the DankDollars website; on the right, Sarn’s personal website.

Both domains have been registered with the same provider.

Here we can see what domains are hosted on the same server.

Public information about the server where Sarn’s websites are hosted, as well as dankdollars.co:

IP of server: 154.26.158.161
Reverse name: vmi1222854.contaboserver.net

One of Sarn’s projects shows almost identical source code to the dankdollars website.

Another example: the error page from Sarn’s personal website and from dankdollars.co.

The DankBP website was made by Sarn and there is no doubt about this.

After checking the website, we investigated accounts, keys, and blockchain data to understand the connection between DankDollars and ProtonKiwi. As there is an abundance of unnecessary information, we won’t include it in this article. Instead, our focus will be solely on the relevant details.

Here is an interesting transaction.

This transaction is linked to electronteam, the individual who minted a token named DANK. This token was minted on August 7, 2023. One particularly interesting piece of information is inside the iconurl (token logo image): after checking the metadata of the picture, we found that the author of the picture was Sarn Elliott, owner of ProtonKiwi.

Screenshot showing that Sarn made the logo of DankDollars and pushed the transaction to mint that token.

The file name also has an identical naming structure, which is usually a specific habit of the user.

bp.kiwi/wp-content/uploads/2022/04/Untitled-design-93.png

i.ibb.co/HHjH1fh/Untitled-design-97.png
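Added example (not code from the original articles): a small PNG metadata reader showing how author information of the kind discussed above, both in the DankBP token-logo finding and in the earlier remark that sharing platforms strip metadata, lives in a PNG's text chunks and disappears when those chunks are removed. The sample image and author name are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")


def png_chunks(data):
    """Yield (type, body) for each chunk, verifying every chunk's CRC on the way."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_text_metadata(data):
    """Return the textual metadata (Author, Software, XML:com.adobe.xmp, ...) found in a PNG."""
    meta = {}
    for ctype, body in png_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        key, _, rest = body.partition(b"\x00")
        if ctype == b"tEXt":
            text = rest
        elif ctype == b"zTXt":
            text = zlib.decompress(rest[1:])  # rest[0] is the compression method byte
        else:  # iTXt: compression flag, method, language tag, translated keyword, text
            compressed = rest[0] == 1
            _lang, _, rest = rest[2:].partition(b"\x00")
            _tkey, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
        meta[key.decode("latin-1")] = text.decode("utf-8", "replace")
    return meta


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def strip_text_metadata(data):
    """Rebuild the PNG without its text chunks, which is what most sharing platforms do on upload."""
    return PNG_SIG + b"".join(_chunk(t, b) for t, b in png_chunks(data) if t not in TEXT_CHUNKS)


def build_sample_png(author):
    """Constructed 1x1 grayscale PNG carrying an Author tEXt chunk (sample input, not a real logo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Author\x00" + author.encode("latin-1"))
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```

Running `png_text_metadata` on a real logo file would list whatever Author, Software or XMP fields the editing tool left behind; running it on the output of `strip_text_metadata` returns an empty dictionary.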

Keep in mind that, as far as we know, ProtonKiwi has not stated any connection to DankBP or involvement in token minting. Nevertheless, the following accounts are among the top 15 holders:

@sleepcie
@protonkiwi
@sarn

In their Telegram group, someone asked about the creator of $DANK token, and the owner Dank Dollars said it would stay anonymous.

Further undeniable evidence suggesting that ProtonKiwi is operating DankBP as a second block producer, which goes against the primary rules of the XPR Network, can be found in a video uploaded to his channel titled “Telos Proposal: Telos Voting Reform” on October 7, 2023.

Here is a video:

Keep in mind that he is connected to the DankBP account through a WebAuth wallet, not cleos. While cleos can simulate a login without a private key, this is not the case with WebAuth.

We are sorry to see that certain individuals are leaning towards engaging in unethical activities, but hopefully this will be a valuable lesson for those considering such paths.



The rise of account takeovers on 𝕏

In the last two weeks, the 𝕏 platform experienced a series of account takeovers affecting well-known accounts like Phantom, Mandiant, SECGov, Coingecko, and Certik. This surge in unauthorized access had serious consequences for multiple users, leading to multiple drained wallets. Shockingly, one user even incurred a substantial loss of around 2 million dollars.

It is essential to exercise caution and skepticism, particularly when faced with something out of the ordinary. Users should be wary of any unexpected changes or activities on their accounts, such as unauthorized login attempts, suspicious posts, or alterations to account settings.

Implementing a golden rule in online security — “if it sounds too good to be true, it probably isn’t” — is crucial. Attackers often exploit users’ trust by employing sophisticated tactics, such as phishing schemes or social engineering, to lure them into divulging sensitive information. By questioning the authenticity of seemingly lucrative or enticing offers, users can fortify their defenses against potential threats.

Here are additional tips to enhance security and guard against social account takeovers:

  1. Multi-Factor Authentication (MFA): Enable MFA on your X platform account to add an extra layer of protection. This ensures that even if login credentials are compromised, unauthorized access becomes significantly more challenging.
  2. Regular Security Audits: Periodically review your account settings, connected apps, and permissions. Revoke access for any third-party applications or services that are no longer in use or seem suspicious.
  3. Stay Informed: Keep abreast of the latest security updates and announcements from the X platform. Platforms often provide security features and recommendations to help users safeguard their accounts.
  4. Educate Yourself: Familiarize yourself with common phishing tactics and social engineering techniques. Be cautious when clicking on links, especially those sent through unsolicited messages.
  5. Report Suspicious Activity: If you notice any irregularities or suspect unauthorized access, report it immediately to the X platform’s support or security team.

By implementing these proactive measures and remaining vigilant, users can fortify their defenses against the escalating threat of social account takeovers on the X platform.


Who hacked this guy?

The purpose of this article is to raise cybersecurity awareness, and this is a real example of how users get compromised.

During my daily X scroll, I came across an ad for a mint website, something I often see. But this time, I wanted to dig deeper to find out what was happening with this verified account in the background.

I soon figured out that this account was authentic, not fake. While looking at some of his posts, I saw he was talking about “hack.” I used a translation tool to understand the messages. He mentioned that his YouTube and Facebook accounts had been hacked, making it clear that he was a victim of a cyber attack. 😱

I can’t confirm whether the attackers used his credit card for ad promotion, but if they did, he might end up with a fat bill. I’ve checked his Facebook profile and found that he was talking about being hacked. 😱

Then I went to his blog, which was also hacked. It was evident that hackers utilized a black-hat SEO technique through the compromised website to promote some of their own sites. 😱

I’ve also checked if his email was in any hacked databases. 😱

I also discovered that he owned an old website, taxicoin.com. Upon checking the website, it came as no surprise that this one was also hacked. 😱

Now you can see how hackers target verified accounts to promote scams and steal more money from people. Stay safe!


How attackers executed the attack via Vitalik’s compromised account

Ethereum co-founder Vitalik Buterin’s account on X (formerly Twitter) was compromised late at night on Sept. 9. Vitalik’s hacked account was used to promote a domain that hosted a drainer designed to steal crypto and non-fungible tokens (NFTs) from wallets that interacted with it. According to the latest data, the hacker has drained around $691,000 of assets from victims.

The method through which the attackers gained access to Vitalik’s account remains undisclosed. However, our primary concern should be understanding how these attackers executed the attack. Many cryptocurrency news websites have not yet analyzed this, and consequently, users may not comprehend how to defend against such attacks in the future unless we provide explanations.

Below is a screenshot of the malicious post that was promoted during the attack. What’s particularly noteworthy is that the embedded link appeared legitimate: https://consensys.io/

Google search result of consensys.io:

Surprisingly, this website was not a phishing domain. However, when a user clicked on this embedded post, it redirected them to consensys.fi.

The attacker spoofed the embedded URL as an X (Twitter) card, assigning different destinations depending on the user-agent.

When X attempts to embed and generate a post card with a preview image, it verifies the location of the posted URL. To demonstrate this, we created a script that identifies the User-Agent crawling that page and responds with a different location, as shown in the image below.

This means that when we post our URL https://alvosec.com/metamask on X, it will create a preview such as this one:

X post is available here.

But when a user clicks on this link, it will lead them to https://alvosec.com/ and not to https://metamask.io/.
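Added example (not Alvosec’s script and not from the original post): a defender-side check for the card cloaking described above. It requests the same URL once as the card crawler and once as a browser, without following redirects, and flags a mismatch in the Location header. The `fetch` argument is injectable, so the constructed sample responses below let it run offline; the hostnames are placeholders.

```python
import urllib.error
import urllib.request

CRAWLER_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (constructed browser User-Agent)"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the raw Location header can be read."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def redirect_target(url, user_agent, timeout=10):
    """Fetch url once with the given User-Agent; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled a 3xx surfaces here; its headers are still readable.
        return err.code, err.headers.get("Location")


def check_cloaking(url, fetch=redirect_target):
    """Compare where the card crawler and a human click would land for one URL."""
    crawler = fetch(url, CRAWLER_UA)
    browser = fetch(url, BROWSER_UA)
    return {
        "crawler": crawler,
        "browser": browser,
        # A different Location, or a redirect for only one side, is the cloaking signature.
        "cloaked": crawler[1] != browser[1],
    }


# Constructed sample responses standing in for live fetches (assumed, placeholder hosts).
SAMPLE_RESPONSES = {
    ("http://promo.example/go", CRAWLER_UA): (302, "https://legit.example/"),
    ("http://promo.example/go", BROWSER_UA): (302, "https://other.example/"),
    ("http://honest.example/go", CRAWLER_UA): (301, "https://same.example/"),
    ("http://honest.example/go", BROWSER_UA): (301, "https://same.example/"),
}


def sample_fetch(url, user_agent, timeout=10):
    return SAMPLE_RESPONSES[(url, user_agent)]


if __name__ == "__main__":
    for u in ("http://promo.example/go", "http://honest.example/go"):
        print(u, check_cloaking(u, fetch=sample_fetch))
```

A page that answers the browser with a 200 and then redirects via JavaScript or a meta refresh leaves no Location header, so a crawler-only redirect still shows up as `cloaked` but the browser-side body then needs manual inspection.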

Now let’s go back to the Vitalik case. What we know so far is that the attackers purchased these 3 domains:

  • consensys.fi
  • consensys.it
  • consensys.digital

Because the post was quickly removed, we couldn’t thoroughly examine all the redirects that occurred upon clicking. It’s possible that the attackers set up a host to act as a proxy, guiding users to one of the three domains. This could have been a backup plan in case one of the domains was blocked due to user reports.

Once again, this underscores the severity of attacks within the cryptocurrency community, which often conceal their true intentions. We strongly recommend that all users use one of our tools, https://xprotect.org/scan, to scan any website before linking their wallet to it. In this particular case, scanning these domains using our tool would have yielded a remarkably low trust score: firstly, because all the domains were hosting malicious files (the drainer), and secondly, because they all fell into the NRD (newly registered domain) category, and newly registered domains typically have very low trust scores.


What Are IPFS Phishing Attacks?

As the InterPlanetary File System (IPFS) gains popularity, it also introduces new risks. Initially developed in 2015 with Web 3.0 technology, IPFS adoption is primarily driven by concerns about data privacy and reducing reliance on centralized tech giants like Google, Microsoft, and Facebook. However, this increased adoption has attracted the attention of malicious actors who have rapidly adopted IPFS for their cybercriminal activities. This article aims to provide an overview of IPFS, explain how malicious attackers are exploiting it for phishing attacks, and offer best practices for safeguarding your organization against IPFS phishing threats.

What is IPFS?

IPFS, short for the InterPlanetary File System, is a modular set of protocols designed for organizing and transferring data. It is an open-source technology with various implementations, primarily used for decentralized data publishing, including files, directories, and websites. In simpler terms, IPFS revolutionizes how information is shared and stored on the internet, emphasizing efficiency, reliability, and decentralization.

Unlike traditional methods reliant on centralized servers, IPFS connects individual computers in a network, enabling them to collaborate and directly share information. When you access a file or website via IPFS, the system divides the data into smaller fragments and distributes them across multiple networked computers, referred to as nodes. Each fragment is assigned a unique fingerprint, known as a hash, for identification and retrieval. Rather than requesting the entire file from a single server, your computer retrieves these fragments from various sources within the network, enhancing speed and resilience to failures.

This decentralized approach reduces the risk of data loss or censorship and optimizes resource utilization, as computers share data directly among themselves, reducing the burden on centralized servers. IPFS employs cryptographic hashes to validate the authenticity and integrity of files, thwarting attackers from tampering with or deleting files. However, this decentralized nature also poses challenges for defenders trying to remove phishing sites or malicious content.

How Attackers Exploit IPFS in Phishing Attacks

While open-source technologies encourage collaboration and innovation, they also offer opportunities for threat actors to expand their attack vectors, and IPFS is no exception, especially in the realm of phishing attacks.

IPFS phishing attacks operate similarly to phishing attacks on centralized networks. Attackers employ social engineering tactics, email and messaging platforms, and cloned websites to impersonate legitimate brands, aiming to steal users’ credentials and access networks. A significant difference, however, arises from IPFS’s characteristics. Once content is published on the IPFS network, it becomes accessible to anyone who can then republish it on their own node. Leveraging this distributed file system, attackers can easily create permanent and untraceable phishing sites that can remain active even after the original source is removed.

Accessing the IPFS network can be accomplished through various methods, including desktop applications, the IPFS Command Line Interface (CLI), browser extensions, web app integrations, or public gateways. In the context of IPFS phishing attacks, threat actors frequently utilize public gateways as proxies, enabling victims to open file access links, irrespective of whether they use any of the previously mentioned applications.

IPFS Phishing Attack Example

The following image shows an example of an IPFS phishing attack. As seen in this example, the phishing page impersonating a Microsoft login page is relatively straightforward and lacks complexity – most observed IPFS phishing attacks are similarly basic.

Similar to most phishing sites, distinguishing between a fraudulent site and a legitimate one can be exceedingly challenging for end-users.

While the URL clearly indicates that the content is hosted on the IPFS network, this fact alone does not signify anything inherently good or bad about IPFS content.
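Added example (not from the original article): a small triage helper for the gateway-based delivery described above. It recognises path-style (`<gateway>/ipfs/<cid>`) and subdomain-style (`<cid>.ipfs.<gateway>`) public gateway URLs as well as `ipfs://` links, extracts the CID, and so lets a mail filter or analyst surface IPFS-hosted links for review without treating IPFS itself as bad. The sample message and CIDs are constructed; ipfs.io and dweb.link are real public gateways.

```python
import re
from urllib.parse import urlparse

# Only the two CID encodings commonly seen on gateways are recognised:
# CIDv0 = "Qm" + 44 base58 characters, CIDv1 = lower-case base32 starting with "b".
_CIDV0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
_CIDV1 = re.compile(r"^b[a-z2-7]{50,}$")
_URL = re.compile(r"(?:https?|ipfs)://[^\s<>\"']+")


def looks_like_cid(s):
    return bool(_CIDV0.match(s) or _CIDV1.match(s))


def ipfs_reference(url):
    """Return (cid, gateway_host) when url reaches IPFS content through a gateway, else None."""
    p = urlparse(url)
    if p.scheme == "ipfs":
        cid = p.netloc or p.path.strip("/").split("/")[0]
        return (cid, None) if looks_like_cid(cid) else None
    host = p.hostname or ""  # already lower-cased; subdomain gateways use base32 CIDv1 for that reason
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and looks_like_cid(labels[0]):
        return labels[0], ".".join(labels[2:])  # <cid>.ipfs.<gateway>
    parts = p.path.split("/")
    if len(parts) >= 3 and parts[1] == "ipfs" and looks_like_cid(parts[2]):
        return parts[2], host  # <gateway>/ipfs/<cid>[/...]
    return None


def triage_message(text):
    """Extract URLs from a message and report those that resolve to IPFS gateway content."""
    hits = []
    for raw in _URL.findall(text):
        url = raw.rstrip(".,)")  # drop trailing punctuation captured from prose
        ref = ipfs_reference(url)
        if ref:
            hits.append({"url": url, "cid": ref[0], "gateway": ref[1]})
    return hits


# Constructed sample: the CIDs are synthetic but well-formed, the message is invented.
SAMPLE_CID_V0 = "Qm" + "A1" * 22
SAMPLE_CID_V1 = "bafy" + "2a" * 26
SAMPLE_MESSAGE = f"""Your mailbox is full. Review it here: https://ipfs.io/ipfs/{SAMPLE_CID_V0}/login.html
Mirror: https://{SAMPLE_CID_V1}.ipfs.dweb.link/ (also ipfs://{SAMPLE_CID_V0})
Unrelated: https://example.com/ipfs/notacid and https://login.example.com/"""

if __name__ == "__main__":
    for hit in triage_message(SAMPLE_MESSAGE):
        print(hit)
```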

In conclusion, as IPFS continues to gain popularity, it also becomes a target for malicious actors seeking to exploit its decentralized nature for phishing attacks. Understanding how these attacks operate and implementing effective security measures is crucial to protect against IPFS-related threats.