Every once in a while an attack comes along that is so simple to set up, and yet so effective, that it makes your jaw drop. Here’s one: fake bitcoin QR generators. According to cryptocurrency enthusiast and Director of Security at MyCrypto, Harry Denley, a wily scammer has been operating a network of fake bitcoin QR code generators to dupe people out of their bitcoins.
Bitcoin uses addresses as conduits to send and receive bitcoin payments. To improve anonymity (which was a fundamental design principle for bitcoin), these addresses are disposable. You’re not supposed to reuse them. You can imagine how many bitcoin addresses you’d need to support a massive cryptocurrency network ad infinitum. It’s a lot. That’s why each address is up to 35 alphanumeric digits long. They’re not something you’d want to write down or type in manually.
Instead, people use QR codes – the blocky squares invented by Masahiro Hara – to represent them easily to others. Invoicing and payment software will often generate these automatically. Someone making a payment can scan them and send bitcoin to that address.
Denley explained on Twitter that he had found sites offering to generate QR codes for people if they typed in a bitcoin address:
⚠️ Be careful of fake #Bitcoin QR code generators - these ones have had ₿4.9 gone through the current activate addressfree-bitcoin-qr-codes[.]combitcoinaddresstoqrcode[.]comAddress: 343CXYVBKXT2VgELCdjEeMyPpfiKwkzUNg ($BTC)
IP 18.104.22.168 hosting suspicious domains pic.twitter.com/y4DEezQmN1