A complicated bitcoin (BTC) phishing operation is underway involving a storied Wall Street institution and Mt. Gox.
This week, a Salomon Brothers-branded website began hosting a webform demanding the Mt. Gox-era owner of 79,957 BTC surrender their personal information.
First flagged by BitMEX Research, someone is depositing small amounts of BTC into some of the wealthiest wallets on the Bitcoin network.
Using OP_RETURN outputs to publish a human-readable message to owners of wallets such as 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF, which holds 79,957 BTC worth over $8 billion, someone is asking the owner of that wallet to visit salomonbros[.]com/owner_notice.
That dangerous webpage — which Protos doesn’t recommend visiting — demands that the wallet owner submit personally identifying information. It leads with the text, “This digital wallet appears to be lost or abandoned. Our client has taken constructive possession of it and is [sic] seeks to determine if there is a bona fide owner.”
Constructive possession is a legal term. It’s statutorily defined as “the right to obtain physical control and/or a variety of rights over someone else’s physical control of that property.”
The demand is curious for several reasons, not only for its odd messaging choice — OP_RETURN is at the center of a minor civil war within the Bitcoin community — and confusing webpage citation.
In addition, the 1Feex wallet targeted by the phishing attempt is well-known for stealing its 79,957 BTC trove in March 2011 from Mt. Gox, Mark Karpeles’ failed Japanese BTC exchange.
Finally, the webpage message contains an elementary grammatical error — an unnecessary “is” — which is another red flag.
Someone used OP_RETURN data to publish a highly suspicious legal demand.
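An added example, not part of the original article: a defender-side decoder that a wallet-monitoring job could run over incoming outputs to extract the message carried in an OP_RETURN script and defang any link before an analyst reads it. The sample script, its message text and the `example.com` domain are constructed for illustration, and the function names are hypothetical.

```python
import re

OP_RETURN = 0x6A
# Heuristic: bare or schemed hostnames with an optional path (may over-match).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def parse_op_return(script_hex):
    """Return the data pushes of an OP_RETURN scriptPubKey, or None if it is not one."""
    s = bytes.fromhex(script_hex)
    if not s or s[0] != OP_RETURN:
        return None
    pushes, i = [], 1
    while i < len(s):
        op = s[i]
        i += 1
        if op == 0x00 or op > 0x4D:      # OP_0 or an opcode this sketch does not decode
            break
        # 0x01-0x4b push that many bytes; OP_PUSHDATA1/2 carry a 1- or 2-byte length.
        width = {0x4C: 1, 0x4D: 2}.get(op, 0)
        n = int.from_bytes(s[i:i + width], "little") if width else op
        i += width
        if i + n > len(s):
            raise ValueError("truncated data push")
        pushes.append(s[i:i + n])
        i += n
    return pushes

def defang(url):
    """Make a URL non-clickable for tickets and chat."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def review_output(script_hex):
    """Decode the embedded text, defang links, and flag outputs that carry one."""
    pushes = parse_op_return(script_hex)
    if pushes is None:
        return None
    text = b"".join(pushes).decode("utf-8", errors="replace")
    text = "".join(c if c.isprintable() else "?" for c in text)
    urls = [defang(u) for u in URL_RE.findall(text)]
    message = URL_RE.sub(lambda m: defang(m.group()), text)
    return {"message": message, "urls": urls, "flag": bool(urls)}

# Constructed sample: OP_RETURN followed by one direct push of the message bytes.
SAMPLE_MSG = b"NOTICE TO OWNER: see example.com/owner_notice"
SAMPLE_SCRIPT = (bytes([OP_RETURN, len(SAMPLE_MSG)]) + SAMPLE_MSG).hex()

if __name__ == "__main__":
    print(review_output(SAMPLE_SCRIPT))
```

An unsolicited small deposit whose OP_RETURN output is flagged this way is a candidate for the kind of lure described above; the link should be triaged in defanged form rather than opened.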
On February 6, 2022, Bloomberg staff wrote about Salomon Brothers’ revival, citing its website at the time in reference to its advisory board. Bloomberg’s link, salomonbrothers[.]net/advisory-board, currently attempts to download a file, which Protos declined.
Depending on the browser, attempts to visit the salomonbrothers[.]net homepage, which no longer supports modern HTTPS security, redirect to an intermediary website, salomonencore[.]com, and finally to salomonbros[.]com.
Importantly, Salomon Brothers, which once owned the domain salomonbrothers[.]com, decided to rebrand on March 4, 2022, to Salomon Encore after Citigroup refused to relinquish that domain.
Protos is unable to verify any subsequent rebrand of Salomon Encore back to Salomon Brothers. Although Salomon Encore owned the domain salomonencore[.]com as of March 4, 2022, salomonencore[.]com no longer supports HTTPS and redirects to salomonbros[.]com.
Don’t visit suspicious links
Protos has reached out to the owner of salomonbros[.]com and asked them if they’re aware of their subpage /owner_notice. We didn’t receive a response prior to publication time.
BitMEX Research is skeptical that salomonbros[.]com is currently controlled by the original company. Protos is unable to determine whether the company owns the domain or its /owner_notice subpage.
The motivation for the demand is equally unclear and quite dangerous.
If the webpage is inauthentic, any information inputted or used during its access could carry legal ramifications or fuel social engineering or wrench attacks.
As with any suspicious link, Protos doesn’t recommend viewing or visiting any unsolicited webpage.