I was recently trying to access the site of a known vendor when I stumbled upon this:
hxxp://pushikklyjb5qnb2 DOT onion
As you can see, it's a reverse proxy phishing site that cleverly replaces the original HS content's (http://pushingtabu7itqj.onion) bitcoin addresses with its own. Doing a quick analysis yielded pretty curious results:
- it replaces every occurrence of "pushingtabu7itqj.onion" with its own fake address
- when you proceed with checkout, on the final step it replaces bitcoin addresses with its own
- I've observed that the replacement takes place as follows: the first 2 chars of the bitcoin address (1__blahblah156354) are taken as a reference and replaced with a corresponding bitcoin address that starts with the same 2 characters but the rest of which is different, e.g. 1XYbcdefQqblahblah becomes 1XYghgHblahblah. You can test it yourself by providing your PGP pubkey and navigating to the "Orders" page of your account after placing an order. You should notice that the "pushikkly" site shows a different address than the one you will get when decrypting your order's details.
I contacted the vendor, and this is what we ended up discovering:
- some 3364 (582) bitcoin addresses of the attacker
- total receiving balance of all of the above is 1697.39949769 BTC
- there were 2315 transactions involving the attacker's addresses
You can find the full address list here: http://hastebin.com/raw/orumawiwaf
I hope this helps some people avoid getting scammed.
If you wonder how I encountered the scammer's hidden service: I simply encountered an evil Tor exit node that stripped SSL down to an unencrypted connection and changed the real .onion address to the link this thread is about.
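A defender-side check for the substitution described in the post, added here as an example and not code from the thread: compare the hostname and bitcoin addresses a page shows against values obtained out of band (the .onion name you already know and the address from the PGP-decrypted order). The sample page and the two 1XY... addresses are constructed for illustration and are not checksum-valid.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Legacy (Base58) bitcoin address pattern, as shown on the vendor site.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# v2 hidden-service hostname pattern (16 base32 chars + .onion).
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b")

@dataclass
class Finding:
    kind: str       # "host_rewritten" or "address_swapped"
    expected: str   # value known out of band
    observed: str   # value the page actually shows

def audit_page(html: str, trusted_onion: str, trusted_addrs: Set[str]) -> List[Finding]:
    """Flag rewritten .onion names and addresses that look like a trusted one
    (same first two characters, as in the post) but differ in the rest."""
    findings: List[Finding] = []
    for host in set(ONION_RE.findall(html)):
        if host != trusted_onion:
            findings.append(Finding("host_rewritten", trusted_onion, host))
    shown = set(ADDR_RE.findall(html))
    for good in trusted_addrs:
        if good in shown:
            continue  # the address you decrypted is on the page: nothing swapped
        for cand in shown:
            if cand[:2] == good[:2] and cand != good:
                findings.append(Finding("address_swapped", good, cand))
    return findings

# Constructed sample page, as the proxy in the post might deliver it.
PROXIED_PAGE = """
<a href="http://pushikklyjb5qnb2.onion/orders">Orders</a>
<p>Send 0.05 BTC to 1XYghgHq8PfnbvTrhZMCbRWb1Yu4Az</p>
"""
TRUSTED_ONION = "pushingtabu7itqj.onion"
# Constructed: the address as it appears in the PGP-decrypted order details.
TRUSTED_ADDRS = {"1XYbcdefQqdfhgPfLVTe4yszNpVK9a"}

if __name__ == "__main__":
    for f in audit_page(PROXIED_PAGE, TRUSTED_ONION, TRUSTED_ADDRS):
        print(f"{f.kind}: expected {f.expected}, page shows {f.observed}")
```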