A cybercriminal has been caught setting up fraudulent websites that imitate the popular self-destructing message service, privnote.com. The scam was exposed when the criminal threatened to sue a software company and inadvertently revealed a network of phishing sites designed to mimic Privnote. These fake sites alter any messages containing cryptocurrency addresses to include the scammer’s payment details instead.

Privnote, established in 2008, uses encryption technology to ensure message privacy, making it a frequent target for phishers. The real Privnote does not store messages; it generates a link for one-time viewing, and the message disappears forever after being read.

The reveal came when a user on GitHub named fory66399 complained about their site, privnote[.]co, being flagged as malicious by MetaMask, a cryptocurrency wallet platform. When challenged with screenshots showing the fraudulent behavior of their site, the user backtracked and mentioned other suspicious domain names.

Further investigation uncovered a network of deceitful websites registered to names like Andrey Sokol and Alexandr Ermakov. These sites, including pirvnota[.]com and privatenote[.]io, operate similarly by replacing cryptocurrency addresses in messages with their own.

Phishing domains like Tornote utilize search engine optimization to attract visitors searching for “privnote,” redirecting them to deceptive sites. These sites rotate cryptocurrency addresses periodically, with some linked to the same IP address that hosted a doxing website targeting pro-democracy activists in Hong Kong.

Additional domains tied to the scam include rustraitor[.]info, which doxed Russians assisting Ukraine during the Russian invasion. These domains focus on stealing credentials for dark web marketplaces, all accepting payment in virtual currencies.

The exposure led to the discovery of MetaMask phishing domains like metarrnask[.]com, affirming the effectiveness of revealing the scammer’s activities. Analysis of the fraudulent payment addresses used by the cybercriminals showed transfers totaling nearly $18,000 in cryptocurrencies within a few days in March 2024, highlighting the profitability of these phishing operations.
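An added example (not from the article or from MetaMask's own tooling) of how a defender might flag look-alike registrations such as the ones named above: it compares a domain's main label with protected brand names using an edit distance that counts adjacent swaps, after folding the "rn"-for-"m" confusable. The brand list, the official domains, the distance threshold and all function names are assumptions of this sketch.

```python
# Added example: flag domains whose main label imitates a protected brand.
BRANDS = ("privnote", "metamask")        # brands named in the article
LEGIT = {"privnote.com", "metamask.io"}  # assumption: the official domains
MAX_DIST = 3                             # assumption: tuned for 8-char brands


def normalize(label):
    """Fold the 'rn' pair, which renders like 'm', before comparing."""
    return label.lower().replace("rn", "m")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check(domain):
    """Return (brand, distance) for a suspected look-alike, else None."""
    parts = domain.replace("[.]", ".").lower().strip(".").split(".")
    if ".".join(parts[-2:]) in LEGIT:    # official domain or a subdomain of it
        return None
    # Naive registrable label: ignores multi-part suffixes such as co.uk.
    label = normalize(parts[-2] if len(parts) > 1 else parts[0])
    dist, brand = min((osa_distance(label, b), b) for b in BRANDS)
    return (brand, dist) if dist <= MAX_DIST else None


if __name__ == "__main__":
    # Defanged domains as written in the article, plus two controls.
    for name in ("privnote[.]co", "pirvnota[.]com", "privatenote[.]io",
                 "metarrnask[.]com", "privnote.com", "example.org"):
        print(f"{name:20} {check(name)}")
```

A threshold of 3 on an 8-character brand is deliberately loose and will produce false positives, so hits are candidates for review rather than automatic blocks.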

Fabio

Full Stack Developer
