How I Registered a Domain and Stole Someone's Bitcoin


Over the weekend I received some unusual emails from cryptocurrency payment processors, ones I had never heard of, let alone used. At first I thought they were spam or phishing, so I ignored them. As the BTC price started rising, however, the emails became more frequent.

More frequent emails about BTC payment processors.

As the emails piled up I grew more suspicious that this wasn't a scam and that someone was actually trying to recover a password. Inspecting the email headers, I realized I was receiving catch-all mail for a parked domain I had recently bought. The previous owner had apparently used the domain as their primary email address when signing up for these accounts. They had now forgotten the password and were attempting to recover the account, but there was one problem: they no longer owned the domain, I did. There was no way for me to contact the previous owner and offer my help.

The next obvious step was to see whether I could actually change the passwords and take control of these accounts. If the previous owner still knew the password, they would have changed the account email address by now, so it is a fair assumption that any account still linked to my domain is long forgotten. One by one, I requested password resets at the most popular cryptocurrency websites.

Service #1

I started with CoinPayments because it was the lowest-hanging fruit: I was still receiving emails from them. I expected this to fail because I knew nothing about the previous owner, not even their name. To my surprise it was too easy. I requested a password reset and got an email to set a new password in less than a minute. But as soon as I tried to log in I was faced with a 2FA challenge.

2 Factor Authentication Challenge for CoinPayments

This was not much of a challenge because, after all, I own the email. After waiting for the 2FA code to arrive I was able to log in and had full control of the account. I quickly checked how much BTC it held and was disappointed to see that it had none.

CoinPayments BTC wallet with zero BTC.

CoinPayments Recent Transaction

The transaction history showed that the last withdrawal was on 26 September 2016, so this account had been inactive for a long time. I doubt the previous owner still remembers anything about it.

Service #2

I moved on to the next website, Coinsplit. Again the process was simple and I gained control of the account within seconds. This time there was no 2FA challenge, and the balance was even more disappointing: it was actually negative.

Coinsplit Negative Balance

Service #3

For my third attempt I tried Confirmo, and you guessed it: recovering and gaining control of this account wasn't hard at all. The only difference was that this account still had some leftover BTC that hadn't been withdrawn. At the time of writing BTC was worth about $38k and the Confirmo account held roughly $1k worth.

Confirmo Account with $1k worth of BTC at the time of writing.

Bingo! Now things got interesting. I was faced with two choices: leave the account alone and let the BTC sit there forgotten, or try to withdraw the funds. I didn't like the first option because it would be a waste, and I really wanted to see how hard it would be to withdraw the funds. So I created an empty wallet and tried to withdraw them.

My first challenge was adding a withdrawal address, which required a physical address and a BTC address. I made up the physical address and used one of the BTC addresses from the wallet I had just generated.

Updating Confirmo settlement method

2FA challenge when updating the Confirmo settlement method

There were some security measures, of course. Before I could save the changes I had to pass a 2FA check. Again, because I own the email, getting past this little challenge was no trouble. And just like that I was able to add my own BTC address to the settlement account. Now I just had to sit back and wait for the funds to arrive.

Added my own BTC address to the settlement account

Other Services

I also looked at a couple more accounts. I was able to recover and log in to all of them without any issues, but they had no leftover BTC. I don't think 2FA was taken seriously enough back in 2016 for this person to secure their accounts, so I do not blame them for not protecting the accounts with a second factor outside their primary email. None of the services are to blame either. They all had the user's interest in mind, and most of them actually tried to stop me by requiring me to verify my email. The downside is that once a malicious person has access to the email, they have pretty much everything they need to wreak havoc. There really isn't a good mechanism for protecting the user's account in that situation.
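One check a service could add to its reset flow for exactly this situation, written here as an added example (it is not code from the post or from any of the services named above): compare the current registration date of the e-mail domain, taken from the domain's RDAP record (the `events` array defined in RFC 9083), with the last time the account holder proved they still had access, and treat an e-mailed code as no second factor at all when the reset link goes to the same mailbox. The domain, account data and RDAP fragment below are constructed sample data; the registry's RDAP endpoint would be queried over the network in a real deployment.

```python
"""Risk check for password resets sent to an address on a possibly re-registered domain.

Added example, not from the post or from any service it names. Assumes the service
stores an account's creation time, last-login time and the kind of second factor
enrolled, and can obtain an RDAP domain object for the e-mail domain. All data
below is constructed; the domain is hypothetical.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Account:
    email: str
    created_at: datetime
    last_login_at: datetime
    second_factor: str  # "none", "email", "sms", "totp", "webauthn"


# Constructed RDAP response fragment for the hypothetical e-mail domain.
# Registries reset the "registration" event when a dropped domain is registered
# again, so a registration newer than the account's last login is the signal that
# the mailbox may now belong to a different person.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "old-owner-domain.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2021-10-15T09:12:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-10-15T09:12:00Z"},
        {"eventAction": "last changed", "eventDate": "2021-10-15T09:13:00Z"},
    ],
})

# Constructed account: opened in 2016, last seen 2016-09-26, 2FA codes go to the same e-mail.
SAMPLE_ACCOUNT = Account(
    email="merchant@old-owner-domain.example",
    created_at=datetime(2016, 3, 1, tzinfo=timezone.utc),
    last_login_at=datetime(2016, 9, 26, tzinfo=timezone.utc),
    second_factor="email",
)

# Constructed account on the same domain that logged in after the registration
# date and uses an authenticator app: nothing to flag.
SAMPLE_SAFE_ACCOUNT = Account(
    email="shop@old-owner-domain.example",
    created_at=datetime(2022, 1, 1, tzinfo=timezone.utc),
    last_login_at=datetime(2022, 6, 1, tzinfo=timezone.utc),
    second_factor="totp",
)


def email_domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, without a trailing dot."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return domain.lower().rstrip(".")


def registration_date(rdap_json: str) -> datetime:
    """Creation date of the current registration, from the RDAP 'registration' event."""
    doc = json.loads(rdap_json)
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; map the 'Z' suffix so fromisoformat accepts it.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    raise ValueError("RDAP record has no registration event")


def assess_reset(account: Account, rdap_json: str) -> dict:
    """Decide whether an e-mail password reset for `account` is safe to honour.

    Returns {"risk": "low" | "high", "reasons": [...]} with machine-readable tags a
    reset flow can act on (e.g. demand identity verification or a cooling-off period).
    """
    doc = json.loads(rdap_json)
    if doc.get("ldhName", "").lower() != email_domain(account.email):
        raise ValueError("RDAP record is for a different domain")
    reasons = []
    if registration_date(rdap_json) > account.last_login_at:
        reasons.append("domain_registered_after_last_login")
    if account.second_factor in ("none", "email"):
        # A code e-mailed to the same mailbox as the reset link is not a second factor.
        reasons.append("second_factor_not_independent_of_email")
    return {"risk": "high" if reasons else "low", "reasons": reasons}


if __name__ == "__main__":
    print(assess_reset(SAMPLE_ACCOUNT, SAMPLE_RDAP))
    print(assess_reset(SAMPLE_SAFE_ACCOUNT, SAMPLE_RDAP))
```

The comparison is against the last login rather than account creation because a user who keeps logging in after a domain transfer is evidently still the mailbox owner; the 2FA tag fires regardless of dates, since it describes the reset channel itself. Flagged resets are not refused, they are routed to a slower path the attacker in this story could not have walked.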

How To Protect Your Account?

  • Sign up for accounts using an email address that you will control for as long as the account exists. Maybe a free service like Gmail isn't bad after all; a domain you own can lapse and be registered by someone else.
  • Always use 2FA that does not go through your email, such as an authenticator app or a hardware key. If an attacker controls your email, they are still missing the second piece needed to do any harm.
  • Use a password manager. It would have been hard for me to guess every service the previous owner used; these accounts only showed up on my radar because they tried to recover the passwords.
  • Email is very powerful. Make sure you protect it properly. I often hear people say their phone is their life; I'd say my email is my life.

Will I keep the BTC?

My plan is to try to give the BTC back to the original owner, but my only problem is that I have no way of finding out who they are. That is why I need your help. I will encrypt the Electrum wallet with a password in the format of so that, if the rightful owner knows the username and email address, they will be able to unlock the wallet. I can only afford to spend about $1k worth of time and effort trying to find the original owner before it becomes a case of diminishing returns.

Someone suggested that I contact the services to get information on the previous owner. I doubt this will work, because when I logged in to the accounts I saw no name or address for the previous owner. I also doubt the companies would be willing to disclose such information to a random person on the internet.

Updates

I contacted the previous domain owner, and he said he did not own any cryptocurrency assets. I have one more person to ask before releasing the wallet for people to try to guess.

2021-12-01 After some research I've decided not to release the encrypted wallet. With a password format of _ it can be cracked easily. So instead I will hold on to the wallet until someone emails me at the address and wants to claim it.
