
alert [RESOLVED] - Scammed by hacker $3,000 btc pornography.com affiliate.org etc

The sale thread is in another forum.
https://bitcointalk.org/index.php?topic=1722533.msg%msg_id%
and these domains were also listed on hackforum and flippa.

I bought 2 domains from him, paid ~3k in bitcoin.

It went smoothly initially, he actually went first (I thought nothing could go wrong), transferred the domain into my account, and gave me a week to pay it off. A week later, I paid in full.

But a few days later, I get a message from the domain company "namecheap/enom" telling me those 2 domains have been "Locked due to pending Transfer Dispute".

send payment to address:
1J8moCzzRg6rdoGv1aqoPJCqrkXhocwNtT
1NmBxpMrY1wqKsWD8HK6n9ZQF6WP5povFK
17An4YMbWeXhkg7nnPumdrgHSgVeut1jbY



Here's the list of stolen or his domains (how does the owner of a $100k+ domain not have strong account security?).
pornography.com
lurking.com
schoolteacher.com
automating.com
disturb.com
overpopulation.com
affiliate.org
affiliatemarketing.net
TMZA.com


Many of these domains were listed on flippa.com a week back.
 
7
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Actually Bitcoin is not as anonymous as people think, because everything is recorded on the blockchain for public inspection. It's even less anonymous if you register your address in various places, which is what I have done. It would be a simple matter for anyone to track a payment back to me.

This case was a bit different though. The scammer ran the payment through a mixer. A mixer is a site that takes a load of payments and splits them and jumbles the bits. It then pays the scammer with some of the bits that have come from various sources. It isn't possible to track the payment through the mixer.

If you are paying a large amount in circumstances such as this one, you should verify the address of the recipient, or use a multi-sig with a trusted third party.
BitcoinMixers?
Nope, won't use PayPal either
Sedo looking better every day
 
0
•••
I think if you are honest, there is no disadvantage in posting your address publicly. This means that if someone is impersonating you, they can't verify the address they use. For the record, I associate this address with my Jet Cash persona.
167YShzmzSRZcfoFjAv8JBx31v6DwGwCtt

That's the one I will be using to accept payments for domain sales.

Some people suggest that you use a different address for every receipt, but I think that overcomplicates things. I have got other addresses for savings, so there isn't much associated with that address of mine.

Maybe it would be useful for NamePros members who use Bitcoin to register their addresses in a thread here.
 
3
•••
Please report this to one of the global moderators there, to stop others being scammed.

I started a thread in Meta that links to this thread.
Just recently, a staff and a global moderator there tried to extort a member (he would later claim it was a sting operation to expose a criminal - irony at its best). Anyway, after being exposed, it took days before she/he was stripped of his/her positions - and even then, only after people started asking why Theymos wasn't doing anything. The person's account remains pristine though. In fact, the only sure way to get banned there is to dox Theymos.
 
0
•••
Simple, don't use scammy sites like the one mentioned above. Always think hard and be careful with what you're doing online.
 
3
•••
Bitcoin talk is great for tech discussions, and opinions about Bitcoin and its prospects. Unfortunately there are a lot of sig spammers and promoters of ponzis and gambling sites. Use it for the tech discussions, and ignore the rest.
 
1
•••
What I don't understand here is where the real owner of those domains is. When those domains have been "handled" by that anonymous scammer for quite some time, the owner was sleeping all along? Didn't the owner ever receive any message or notification from Namecheap about the domain transactions? Could it be that there's some sort of "relationship" between the scammer and the real owner which allows the scammer to access the domains worth hundreds of thousands of dollars? There are just a lot of possibilities here. It's just shady!
 
5
•••
What I don't understand here is where the real owner of those domains is. When those domains have been "handled" by that anonymous scammer for quite some time, the owner was sleeping all along? Didn't the owner ever receive any message or notification from Namecheap about the domain transactions? Could it be that there's some sort of "relationship" between the scammer and the real owner which allows the scammer to access the domains worth hundreds of thousands of dollars? There are just a lot of possibilities here. It's just shady!

It's also plausible that if the scammer had the original owner's account credentials, he could mark any account alerts as "read", as well as control messages in his email account if he also had access to that. It would then probably take a while for the owner to notice any changes, especially if he has a large portfolio.
 
3
•••
I only purchased 2 domains from that list.

The signs were all there, I got caught off guard when the scammer went first.

Without me paying a penny, he pushed the domain into my account and gave me a week to gather the bitcoin and to pay it off. I thought it was secured under my account since it's been there for a week, so I paid him in full.

But a few days later, I get a message from enom/namecheap about these 2 domains being under "transfer dispute lock" and under investigation by the risk department.

The new domain transfer policy by ICANN now creates these lapses as it has to be confirmed by both parties.
I am sure that was still within the window period up for any changes or challenge.
 
0
•••
I did some digging.

FLIPPA


AffiliateMarketing.net - ended unsold 1/14/17 on Flippa with one bid @ $2,250 by now suspended seller Brennvn < link to flippa seller account

Lurking.com - cached flippa listing from 1/15/17 HERE. Domain was brokered by Flippa Broker Daniel Errecart

SchoolTeacher.com - cached flippa listing from 1/14/17 HERE. Same Flippa broker. DE

Automating.com - cached Flippa listing from 1/17/17 HERE. Same Flippa broker. DE

Disturb.com - cached Flippa listing from 1/16/17 HERE. Same Flippa broker. DE

OverPopulation.com - cached Flippa listing from 1/16/17 HERE. Same Flippa broker. DE

WHOIS Updates

On 12/3 and 12/7, there are individual updates clustered to within one hour. Anything here?

upload_2017-1-30_22-35-48.png


12/7/2016 8:13:17 - OverPopulation.com - WHOIS updated: eNom registrar. Email changed to [email protected]

5/30/16 - OverPopulation.com - Email changed to [image: upload_2017-1-31_1-3-59.png]. Still registered at DNC Holdings

3/21/16 - OverPopulation.com - Belonged to registrant name JP Suave - [image: upload_2017-1-31_1-3-42.png]. Registered at DNC Holdings

Related domains once registered to [image: upload_2017-1-31_1-3-42.png]


Automating.com
Lurking.com
OverPopulation.com
Disturb.com

Related domains once registered to [image: upload_2017-1-31_1-3-59.png]


TMZA.com
Lurking.com
OverPopulation.com
AffiliateMarketing.net

Affiliate.org
SchoolTeacher.com


Other recently updated domains belonging to JP email addresses registered at DNC Holdings. Depending if / when account was hacked, these domains might be affected.

upload_2017-1-31_0-19-8.png

upload_2017-1-31_0-19-40.png


The three domains below are now under Privacy (once belonged to JP email). Unlike the private domains listed by OP, the domains below are still with DNC Holdings.

upload_2017-1-31_0-21-4.png


Looks like @Zandibot used to own disturb.com.
@Zandibot used to own SchoolTeacher.com as well.


Hypothesis
Currently inconclusive to me. Assuming an email hack.

@Investful - Did you email the WHOIS email of the domains you were buying? Was the WHOIS email you corresponded with either the privacy proxy email or [email protected]?

If you haven't uncovered any of this already with Ali, I'd shoot an email, or telephone call to the prior owner of the domains you "bought." See if they sold the domains to your seller, or if they say they were stolen. Not real sure how to get your money back given it was BTC, if anything you might be able to track IP address or real identity by working with connected companies, i.e. Flippa and the affiliated registrars. Not sure if you'd have to file a theft report for them to release the info or what not.

Does pending transfer dispute mean, the last owner filed a theft dispute?

Hope this helps, and sorry if I went overboard; I like puzzles.
 
13
•••
Hope this helps, and sorry if I went overboard; I like puzzles.
Dude, nice work. You got skillz. Have you met @TheLegendaryJP ?

Peace,
Cyberian
 
3
•••
Here's some additional information.

Current resting place of the stolen Bitcoin, showing 45k (I lost 3k, I know at least another person lost 2k), 1 transaction, dated 1/28/2017.
https://blockchain.info/address/1AN4MKDNoLDzBnzskDvjqbGbEo2Jf4e8fr

Whois
The original owner might be "jp sauve", he is the CEO of MaxBounty, maybe someone tipped him off when it was listed on flippa.

Flippa
I initially ignored him, because the red flags were all there. But once I saw it was listed on Flippa, by a reputable broker, that definitely did it for me, and I took him seriously.

@Investful - Did you email the WHOIS email of the domains you were buying? Was the WHOIS email you corresponded with either the privacy proxy email or [email protected]?

I didn't need to email the Whois. The transaction took place over Skype screen share and voice chat, I watched him log into that exact email and log into namecheap with username "adomainholder".

He did that to "prove" he owned those domains, and I saw all those listed, including pornography. That's what caught me off guard. He had email, namecheap, listed on flippa, had possession from 12/3 to my purchase date 1/15 and this pornography.com alone is worth 500k (to the right end user).

When I agreed to pay bitcoin, I was fully aware that there's no chargeback. I only posted here to alert the domain community of the stolen domains and to make people aware of the vulnerabilities and domain transfer security.
 
6
•••
Does pending transfer dispute mean, the last owner filed a theft dispute?
I'm not sure, but all the domains are currently registry locked (so can't transfer out or change info) and the status is under investigation by the enom risk department.

Where's the risk department when the hacker logged in and out from 12/3 to 1/28 (about the time when the registry lock occurred)?
 
0
•••
Please don't keep trashing Bitcoin. Bitcoin offers one of the best and safest payment methods if it is used properly. It wasn't Bitcoin that was the problem here. In fact the payment went through a Bitcoin mixer, but I'm not sure how you can discover this before you make the payment.

PayPal is the scammers' chosen method of payment, and Bitcoin offers a way to escape from this, and at a lower price. Would escrow have worked in this case, if the payment was released after a successful transfer that was subsequently reversed? A time delayed multi-sig Bitcoin payment would have been safer if the seller was prepared to wait. Obviously he wouldn't in this case.
Obv, if you're a seller don't trash btc

but if you're a buyer, trash btc,

you can't be one-sided about this. PayPal offers buyer protection, btc doesn't.
 
1
•••
Bitcointalk.org is run by irresponsible people.. they will ban your account for nothing but they will never ban the scammers... every day we scam ppl up to $20.000.. we should report this site to the Top online site scams used by criminals. now i know my account will ban forever....(y)(y)
 
1
•••
Bitcointalk.org is run by irresponsible people.. they will ban your account for nothing but they will never ban the scammers... every day we scam ppl up to $20.000.. we should report this site to the Top online site scams used by criminals. now i know my account will ban forever....(y)(y)

Just stick to the technical boards, and ignore the ponzi and gambling boards then.
 
1
•••
Anytime I have the slightest doubt that a seller has 'hot' domains, I always verify the ownership history. In a case like this, trace it back to the last owner who held the domain names for an extended period of time. Call them or email them and ask what happened to the domain name.
 
2
•••
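The two checks described in this thread, the WHOIS updates clustered within one hour and tracing a name back to the last owner who held it for an extended period, can be run over WHOIS-history data before paying. This is an added example, not code from any poster; the record layout, function names and all sample domains and e-mail addresses are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed WHOIS-history snapshots: (domain, seen, registrar, registrant email).
# All names are placeholders, not values from the thread.
HISTORY = [
    ("alpha.example", "2014-02-01 10:00", "Registrar A", "owner@old.example"),
    ("alpha.example", "2016-05-30 09:00", "Registrar A", "owner2@old.example"),
    ("alpha.example", "2016-12-07 08:13", "Registrar B", "new@mail.example"),
    ("beta.example",  "2013-06-10 12:00", "Registrar A", "owner@old.example"),
    ("beta.example",  "2016-12-07 08:40", "Registrar B", "new@mail.example"),
    ("gamma.example", "2012-01-05 15:00", "Registrar C", "other@corp.example"),
    ("gamma.example", "2016-09-01 11:00", "Registrar C", "other2@corp.example"),
]

def parse(rows):
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), d, r, e) for d, ts, r, e in rows)

def change_events(rows):
    """(time, domain) for each snapshot whose registrar or email differs from the previous one."""
    last, events = {}, []
    for ts, dom, reg, email in parse(rows):
        if dom in last and last[dom] != (reg, email):
            events.append((ts, dom))
        last[dom] = (reg, email)
    return events

def clustered_changes(rows, window=timedelta(hours=1)):
    """Sets of two or more domains changed within `window` of the previous change."""
    groups = []
    for ts, dom in change_events(rows):
        if groups and ts - groups[-1][-1][0] <= window:
            groups[-1].append((ts, dom))
        else:
            groups.append([(ts, dom)])
    domains = [sorted({d for _, d in g}) for g in groups]
    return [d for d in domains if len(d) > 1]

def last_long_term_holder(rows, domain, as_of, min_days=365):
    """Most recent registrant email that held `domain` for at least `min_days`."""
    runs = []  # each run: [email, first_seen, ended]
    for ts, dom, _, email in parse(rows):
        if dom != domain or (runs and runs[-1][0] == email):
            continue
        if runs:
            runs[-1][2] = ts
        runs.append([email, ts, as_of])
    held = [e for e, start, end in runs if (end - start).days >= min_days]
    return held[-1] if held else None
```

A cluster returned by `clustered_changes` is a reason to contact the address returned by `last_long_term_holder` rather than the current WHOIS contact, since the current contact may belong to whoever made the change.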
Another red flag, no one pushes domains first without securing payment.

This is where making use of an escrow service becomes even more relevant. Speaking of escrow service, do you guys know a few trusted ones?
 
0
•••
This is where making use of an escrow service becomes even more relevant. Speaking of escrow service, do you guys know a few trusted ones?
NP member @Brandon Abbey is now at Payoneer.com
Check them out.

Peace,
Cyberian
 
3
•••