Encrypted messaging site Privnote cloned to steal Bitcoin

Journalist Brain Krebs recently warned Privnote users about a phishing scam that lures victims to a fake website, privnotes.com.

Rather than fully encrypting messages, the fake site enables others to read and/or modify users’ messages. The cloned site also contains a script that finds messages with Bitcoin addresses and allows the hacker to replace the sender’s address with their own. Any Bitcoin funds sent by the original user would go to the modified address instead.

“Any messages containing bitcoin addresses will be automatically altered to include a different Bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same,” said Krebs.

“Until recently, I couldn’t quite work out what Privnotes was up to, but today it became crystal clear.”

The owners of the legitimate website privnote.com notified Krebs someone built the clone website to trick its users. The two websites are similar in name and appearance, and privnotes.com comes second in a Google search of “privnote.” Typing “privnotes” will bring up the fake website first in a Google search.

Since Privnote messages self-destruct after they are sent and read, victims of the scam cannot go back to check the Bitcoin messages when they are altered. According to Allison Nixon, chief research officer at Unit 221B, the script seems to change just the first appearance of the Bitcoin address when it’s repeated in the email.

“The type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” Nixon said. “It’s a pretty smart scam.”

Bitcoin scams have been increasing in frequency over the last few months. Many are tied to the coronavirus pandemic.