We often think that a good application should be able to switch from one functionality to another with a minimum of clicks. To anywhere? I promise you, there's one place you wouldn't want to have easy access to...
Yesterday I accompanied a friend who was to sell luxury watches to a person supposedly specializing in the field.
The transaction was to be carried out in crypto.
My friend has a good knowledge of crypto, but preferred my presence as he knew I was more experienced than him and better able to detect any dubious attempts.
Our interlocutor tells us that he has already had a bad experience with crypto transactions: he was scammed during a transaction on an ETH wallet and had his entire wallet emptied an hour or so after the transaction had been carried out.
First red flag on my part: this is impossible unless you interact with a smart contract and sign an approval allowing someone to siphon a wallet.
This is where I come in, pretending to have already been the victim of a similar scam, saying that I'd been forced to create a new wallet, and that the man had taken a photo of my seed without my knowledge during the transaction.
An unsuccessful attempt to make him understand that any attempt on his part would be in vain.
Despite my subliminal message, which the man didn't understand, and after multiple justifications, he insists that we use an @exodus_io wallet.
It was at this point that I became completely convinced that this person was trying to scam us, so I paid close attention to his every move, because Exodus was the wallet used in the scam I knew about, and I was careful not to reveal that.
I then give a sign to my friend, telling him to be very careful and never to let his telephone out of his hands.
Despite my justifications that using a new wallet wouldn't change anything and that no one in their right mind would create a new wallet in a public place, nothing would change his mind.
So, my friend downloads an Exodus wallet.
Just as he was showing him the QR code on his mobile without handing it over, the man received a call from his father (it was he who had contacted us first about the watches), saying he wanted to speak to my friend to make sure everything went smoothly.
During this time I do the same on my side to check what's going on, and bingo: the wallet is automatically created without asking for a PIN code or FaceID.
This is where the man tried to take my friend's phone, handing him his own (second phone) with his father's call.
This is where they hope you'll take your attention away from your phone, concentrating on the call, so that you'll give it to them naturally, without even really realizing it.
I stepped right in, preventing my friend from letting the scammer take his phone with the QR code displayed.
But why would you want to use an Exodus wallet and a BTC transfer? Here's why ⬇
Exodus has a design flaw: in just 5 clicks and less than 4 seconds you can switch from the payment QR code to the seed!
While they take your phone to pretend to scan the QR code, they make sure to look you in the eye to talk to you, while they quickly take a picture of the seed.
Then, once you've received the transaction, they offer you a drink or a bite to eat to celebrate, while someone else siphons off your wallet, and then goes off with the watches as if nothing had happened.
You return home, and when you make the decision to transfer the funds to a more secure wallet, the wallet is empty, and you find yourself in total confusion.
So how did xPortal come up with this dual-purpose feature?
xPortal asks you, each time you want to access your seed, to type the message "if i share my secret phrase i will lose my money", and FaceID is requested once you have finished, before the seed is displayed.
This not only makes it time-consuming to get from the QR code to the seed, but also makes it impossible for anyone but you to access it.
Having wallets that don't even require a PIN code to display the seed phrase is a huge security flaw, and when the seed is displayed with just a few clicks, it's even worse.
@exodus_io, your wallet seems to be used extensively in this type of scam, you should definitely find a way to stop it.
The fact that password and FaceID creation have to be activated manually, and are not requested right after downloading the application, is a flaw.
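To make the contrast concrete, here is an added example (not code from Exodus or xPortal) of a seed-reveal gate modelled on the xPortal flow just described: a typed warning sentence, then a fresh PIN/FaceID check, and no reveal at all if the wallet has no lock configured. The class, the `authenticate` callback and the constants are assumptions.

```javascript
// Added illustration, not Exodus or xPortal code: a seed-reveal gate modelled on the
// xPortal flow described above. Class, callback and constant names are assumptions.
const CONFIRMATION_PHRASE = "if i share my secret phrase i will lose my money";
const AUTH_MAX_AGE_MS = 15000; // the PIN/FaceID result must be this fresh

// Collapse case and whitespace so capitalisation or a double space does not
// reject an otherwise correctly typed phrase.
function normalizePhrase(text) {
  return String(text).trim().toLowerCase().replace(/\s+/g, " ");
}

class SeedRevealGuard {
  // lockConfigured: whether a PIN/biometric lock exists on this wallet at all.
  // authenticate: hypothetical stand-in for the OS PIN/FaceID prompt, returns { ok, at }.
  // now: clock, injectable so the freshness check can be exercised deterministically.
  constructor({ lockConfigured, authenticate, now = () => Date.now() }) {
    this.lockConfigured = lockConfigured;
    this.authenticate = authenticate;
    this.now = now;
  }

  // Returns { revealed, reason }. The caller shows the seed only when revealed is true.
  requestReveal(typedPhrase) {
    // 1. A wallet without a lock must not expose its seed through any "few clicks" path.
    if (!this.lockConfigured) return { revealed: false, reason: "no_lock_configured" };
    // 2. The owner must type the warning sentence, which costs time and attention.
    if (normalizePhrase(typedPhrase) !== CONFIRMATION_PHRASE) {
      return { revealed: false, reason: "phrase_mismatch" };
    }
    // 3. Only then is the biometric/PIN challenge issued, so a person holding the
    //    unlocked phone with the receive QR code on screen still cannot reach the seed.
    const auth = this.authenticate();
    if (!auth || !auth.ok) return { revealed: false, reason: "auth_rejected" };
    if (this.now() - auth.at > AUTH_MAX_AGE_MS) return { revealed: false, reason: "auth_stale" };
    return { revealed: true, reason: null };
  }
}

// Constructed scenario from the thread: the phone is unlocked on the QR screen and
// someone else navigates to the seed. They can type the phrase, but FaceID fails for them.
function strangerHoldingUnlockedPhone() {
  const guard = new SeedRevealGuard({
    lockConfigured: true,
    authenticate: () => ({ ok: false, at: 0 }),
  });
  return guard.requestReveal(CONFIRMATION_PHRASE);
}
```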
It's a good thing I was aware of this type of scam, because even though I had positioned myself between the two men to check that no dubious attempts were being made, with enough skill on their part, and without knowing their modus operandi, I could certainly have missed it, as it seemed to happen so naturally.
I also think they had a more elaborate technique, involving an NFC hack, that they failed to pull off, because the person had an NFC tag on one of his iPhones.
By making you download a virus beforehand, they can hack your phone and retrieve your passwords and PIN code.
They had asked my friend to download a PDF file a few days earlier, which was a summary of the transaction with the different watch models and their prices, as an invoice to be signed on the day of the transaction.
That's why, when we refused to use Exodus, they also suggested we use a Coinbase wallet, which has a PIN code activated as soon as the wallet is created, but told us that the "transaction" would take about an hour because of network fees (which is also when I realized that something was not quite right).
Maybe they had managed to install the virus, but it would have taken a long time to hack the phone and get the PIN code in order to perform the same technique on Coinbase Wallet; that's speculative, though.
I cut the negotiation short and we left.
Be careful when making large transactions with strangers, never be alone, never let someone take your phone when you've unlocked your wallet, and above all, never create a new wallet at someone's request.
Thanks to @HakimKorso, who told me about this scam a few weeks ago, otherwise we might have fallen into their trap.
Be careful friends 🙏⚡