ZenGo, makers of the “first keyless crypto wallet”, have released a report on Bitcoin QR code generation websites and concluded that a huge number are scams designed to steal crypto. QR code generation websites are sites that purport to create a QR code you can use, for any purpose, to collect BTC at a specific address; the fraudulent ones produce codes that send the BTC to the scammer’s address instead. QR codes are visual representations of a piece of blockchain data such as an address, which mobile devices and scanners can use for everything from checking product legitimacy to paying for goods and services.
We have unmasked an important crypto scam on Bitcoin QR codes.
— ZenGo (@ZenGo) August 29, 2019
Simple but Effective
The ruse is fairly simple and can be easily replicated. ZenGo, for example, visited the website of ‘Bitcoin QR Code Generator’ and created a QR code using their chosen address, 18Vm8AvDr9Bkvij6UfVR7MerCyrz3KS3h4. When the resultant QR code was analyzed, however, they found that a different address had been used to create the code: 17bCMmLmWayKGCH678cHQETJFjhBR44Hjx. This means that when the QR code is displayed, anyone who scans it and sends BTC will unwittingly be sending it to the doctored address, meaning free BTC for the scammer.
“Tip of the Iceberg”
This is not the only trick that scammers use. Bitcoin supports numerous address formats: regular addresses begin with a ‘1’, pay-to-script addresses with ‘3’, and Bech32 addresses with ‘bc’. Some scammers are creating QR codes that encode an address in the same format as the requested address, which ZenGo says is “probably to escape detection if the victim lightly verifies the address.” Other scammers are manipulating the clipboard on the victim’s computer, meaning that if the victim opts to verify the QR code by pasting from the clipboard, thinking it holds the address they copied earlier and requested the QR for, it will match. These tricks are clearly successful, as the addresses ZenGo found to have been substituted had some $20,000 worth of crypto in them, which they state is probably “the tip of the iceberg”.
In terms of how to protect yourself, ZenGo makes three suggestions:
- Don’t use Google to find your QR code generator, as many of the top sites are fraudulent
- Verify your address is the same as the generated one before publishing it
- Use a threat intelligence service that can alert you about scammy sites and known fraudulent addresses
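
The second suggestion can be automated. The Python sketch below is an added example, not code from ZenGo or the article: it takes the text a QR reader decoded from the generated image and compares the full address against the one you requested, showing why a same-format ("light") check passes on the substituted address from the article while an exact comparison fails. The function names and the sample `bitcoin:` payload are constructed for illustration; the expected address should come from your wallet, not from the clipboard.

```python
# Added example. Input is the text decoded from the QR image by any QR reader.
REQUESTED = "18Vm8AvDr9Bkvij6UfVR7MerCyrz3KS3h4"    # address ZenGo entered
SUBSTITUTED = "17bCMmLmWayKGCH678cHQETJFjhBR44Hjx"  # address found in the QR

def address_format(addr: str) -> str:
    """Classify by the prefixes the article lists: '1', '3' and 'bc'."""
    if addr.lower().startswith("bc"):
        return "bech32"
    if addr.startswith("1"):
        return "regular"
    if addr.startswith("3"):
        return "pay-to-script"
    return "unknown"

def address_from_payload(payload: str) -> str:
    """Extract the address from decoded QR text, which is either a bare
    address or a 'bitcoin:<address>?amount=...' payment URI."""
    text = payload.strip()
    if text.lower().startswith("bitcoin:"):
        text = text[len("bitcoin:"):].split("?", 1)[0]
    return text

def normalise(addr: str) -> str:
    # Bech32 may be written all-uppercase inside QR codes; the '1' and '3'
    # formats are case-sensitive, so they are compared byte for byte.
    return addr.lower() if address_format(addr) == "bech32" else addr

def check_qr(requested: str, payload: str) -> dict:
    """Compare the address encoded in the QR against the requested one."""
    encoded = address_from_payload(payload)
    return {
        "encoded": encoded,
        # The "light" check a same-format substitution is built to pass.
        "same_format": address_format(encoded) == address_format(requested),
        # The check that matters: every character must agree.
        "match": normalise(encoded) == normalise(requested),
    }

if __name__ == "__main__":
    # Constructed payload: what a doctored QR code would decode to.
    doctored = f"bitcoin:{SUBSTITUTED}?amount=0.01"
    for label, payload in [("doctored", doctored), ("honest", REQUESTED)]:
        result = check_qr(REQUESTED, payload)
        verdict = "OK" if result["match"] else "DO NOT PUBLISH"
        print(f"{label}: {result['encoded']} "
              f"same_format={result['same_format']} -> {verdict}")
```
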