An interesting Bitcoin scam I came across

Recently, I headed to Pastebin, wanting to quickly copy-paste a script I was working on to another computer. Pastebin is notorious for breaches, leaks and password dumps, so much so that plenty of OSINT tools include it as a source.

I casually looked at the side panel of Pastebin.com, where I noticed this interesting little title: "BTC Wallet Credentials have been reset"

Image of Pastebin depicting the suspicious paste

For those of you who don't know, BTC stands for "Bitcoin". The title seemed to imply that someone triggered a "password reset" on a Bitcoin wallet.

When looking for scams, be skeptical of every sentence you read. Fact: there is no Bitcoin server that holds a password for your wallet, so there is nothing anyone could "reset". Control of the coins comes down to private keys, which most wallets derive from a seed phrase (the list of words you are told to write down when you create the wallet). That seed phrase cannot be changed or recovered by anyone: lose it and the funds are unrecoverable, and anyone who learns it owns the Bitcoin in the corresponding wallet. A wallet app or an exchange account may well have a password, but that password protects a local file or a website login, not the coins themselves.

This gave me Red Flag #1: a Bitcoin wallet has no "credentials" that anyone could reset, so the paste immediately looked fishy to me. I opened the paste itself. Here's what I saw:

Dear User
We have received a request to reset the login information for your Bitcoin wallet. If you did not make this request, please disregard this message.
Your new login credentials will be 
romok12:xxaa on 18.233.156.139(SSH)
Regards

Oooh, we got a username, password and IP address! The word "SSH" indicates that I need to use the SSH protocol to connect to the "wallet".

For non-tech-savvy readers, SSH (Secure Shell) is the protocol software developers and Linux system administrators use to log in to a remote (usually Linux) machine over the network and manage it. Once connected, you can run commands on that machine as if you were sitting in front of it. All you need is the machine's IP address and a username with its password (or a private key). Keep in mind that what you see in such a session is whatever program the server's owner chose to run when you log in.

Red Flag #2: The content of the message seemed to be formatted like an email, but I found the message itself on Pastebin. What is an email doing on Pastebin?

Anyway, I used the username, password and IP address to log into the remote server. It presented me with a nice, colourful terminal. I recorded the entire terminal session as an asciicast, which you can view by clicking on the image below:

Link to SSH bitcoin wallet asciicast

It told me that the wallet I had just logged into had a balance of 4.78 BTC (USD 111k, ₹19.3 Lakh). Look at Mr. Moneybags over here with 100k USD, casually pasting their Bitcoin wallet "password" into Pastebin!

As any completely honest human would, I tried to withdraw the funds from that "Bitcoin wallet" to my own Bitcoin wallet. Here's where the scam happens. As soon as you enter your address, it tells you that the withdrawal address is unverified. To "verify" the address, you are asked to deposit 0.001 BTC (~ USD 20, INR 2000) from your wallet to the scammer's deposit address. Here's the exact message I got on my screen:

BTC Balance: 4.78102 ($111542.87)

Withdrawal amount [0.001 - 4.781]: 4.781
Enter the withdrawal address: xxxx
Re-enter the withdrawal address: xxxx

The entered address is either an invalid BTC address, or it is not a confirmed withdrawal address for your account.

If you would like to confirm this address you must deposit 0.001 BTC into your deposit address from the new withdrawal address.
The sending address will validate as soon as the transaction is confirmed. This confirmation is typically instant.
This process is an additional security measure for your account.

Had you gone ahead, sent the 0.001 BTC and then retried the withdrawal, it would most probably still complain that the address is unverified. There is nothing to withdraw: the "wallet" is just a program running on the scammer's server, and the balance it prints is almost certainly a number inside that program, not coins on the blockchain. No matter how much you deposit, you will never be able to withdraw anything, and because a confirmed Bitcoin transaction cannot be reversed, the money you sent is gone forever.

Out of curiosity, I had a look at the actual balance of the Bitcoin deposit address that was on my screen. It had a balance of 0.00241139 BTC (USD 56.83), not the 4.781 BTC I was promised! The most likely scenario is that this wallet had no funds to begin with, and two innocent people sent their funds to it in the hope of making quick money.
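That last step, checking the real balance on-chain instead of believing a number printed by someone else's script, is the check worth automating. The following is an added example written for this post; it is not code from the article or from the scam server. It does two things: it tests whether a string is a well-formed mainnet Bitcoin address (the same "invalid BTC address" test the fake wallet claims to perform, implemented with the standard Base58Check and bech32/bech32m checksums), and it computes an address's actual balance from the output sums an Esplora-style explorer API returns. The API URL (blockstream.info) and its JSON layout are assumptions; the payload embedded in the block is constructed to mirror the post's 0.00241139 BTC figure, so the module runs offline, while fetch_esplora() does the live lookup if you want a real answer.

```python
"""Check a Bitcoin address and its real on-chain balance yourself.

Added example for this post, not the article's or the scam's code. Assumes
the Esplora-style JSON served by https://blockstream.info/api/address/<addr>.
SAMPLE_RESPONSE is a constructed payload in that layout (amounts invented).
"""
import hashlib
import json
import urllib.request

SATS_PER_BTC = 100_000_000
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Constructed sample, NOT a recorded API response. The address is the genesis
# coinbase address, used only as a syntactically valid placeholder; the sums
# are made up to match the 0.00241139 BTC seen in the post.
SAMPLE_RESPONSE = json.dumps({
    "address": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "chain_stats": {"funded_txo_count": 2, "funded_txo_sum": 241139,
                    "spent_txo_count": 0, "spent_txo_sum": 0, "tx_count": 2},
    "mempool_stats": {"funded_txo_count": 0, "funded_txo_sum": 0,
                      "spent_txo_count": 0, "spent_txo_sum": 0, "tx_count": 0},
})


def _base58check_valid(addr: str) -> bool:
    """1... (P2PKH) and 3... (P2SH) mainnet addresses decode to 25 bytes:
    version || hash160 || first 4 bytes of SHA256(SHA256(version || hash160))."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    if raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH version bytes
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def _bech32_polymod(values):
    """BCH checksum from BIP173; shared by bech32 and bech32m."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_valid(addr: str) -> bool:
    """bc1... addresses: bech32 for witness v0, bech32m for v1 and later."""
    if addr != addr.lower() and addr != addr.upper():  # mixed case is invalid
        return False
    hrp, _, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 7 or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = 1 if values[0] == 0 else 0x2BC830A3
    return _bech32_polymod(expanded + values) == const


def is_valid_btc_address(addr: str) -> bool:
    """Well-formedness only; says nothing about who controls the address."""
    if addr[:3].lower() == "bc1":
        return _bech32_valid(addr)
    if addr and addr[0] in "13":
        return _base58check_valid(addr)
    return False


def balance_from_esplora(payload: str) -> dict:
    """Balance in sats = funded outputs minus spent outputs, confirmed and
    mempool separately. This is what an explorer's 'balance' figure means."""
    d = json.loads(payload)
    chain, mem = d["chain_stats"], d["mempool_stats"]
    return {
        "confirmed_sats": chain["funded_txo_sum"] - chain["spent_txo_sum"],
        "pending_sats": mem["funded_txo_sum"] - mem["spent_txo_sum"],
    }


def claimed_balance_is_real(claimed_btc: float, payload: str) -> bool:
    """True only if confirmed on-chain funds cover what a UI claims to hold."""
    have = balance_from_esplora(payload)["confirmed_sats"]
    return have >= round(claimed_btc * SATS_PER_BTC)


def fetch_esplora(addr: str, timeout: float = 10) -> str:
    """Live lookup over the network; not used by the offline demo below."""
    if not is_valid_btc_address(addr):
        raise ValueError("not a well-formed mainnet Bitcoin address")
    url = f"https://blockstream.info/api/address/{addr}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    bal = balance_from_esplora(SAMPLE_RESPONSE)
    print("confirmed balance:", bal["confirmed_sats"] / SATS_PER_BTC, "BTC")
    print("UI claim of 4.78102 BTC is real?", claimed_balance_is_real(4.78102, SAMPLE_RESPONSE))
```

Two points the code makes explicit: the only balance that matters is the one derived from confirmed transaction outputs on the chain, which anyone can query, and a well-formed address proves nothing about who holds its key, so an address being "verified" inside someone else's script is meaningless.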

I also Googled around for traces of this scam elsewhere on the internet. Surprisingly, that yielded only one result, a bitcointalk.org post. It would seem that this scam is not widely recognized yet, and victims are still actively falling for it.

Stay sharp people!