Scammer Pretending to be from Koinex stole 4962 XRP, Tracked Down

Ashish (Name changed) became a victim to an email scam and lost about 4962 XRP (Ripple) in February. He was sent an email from [email protected] to transfer 6900 XRP tokens to activate his account. Ashish’s account was locked by Koinex genuinely as he had a due of 6900 XRP. The email reminder sent to him however was from a scammer who tried to bank on the opportunity.

Ashish then transferred 4962 XRP to the XRP wallet address given on the email hoping for Koinex to activate his account. Koinex never received the funds. Ashish had lost his crypto-assets and all hope of recovery. The news came to Coin Crunch and we began our investigation. This undercover investigation involved discreet conversations with community members and suspects, hunting for clues for 5 days and finally tracking down the scammer.

This is the story of a young scammer duping a young student of close to Rs. 3 lacs. This is the story for all of the community to remember and learn from. This is how it unfolded.

Contents

1 The Koinex Conflict
2 The Bitbns Issue:
3 The Scam email:
4 Ashish Made a partial transfer
5 Ashish Realises his mistake
6 Coin Crunch Investigation
7 Who is the alleged scammer?
8 What can we do to prevent future scams like these
- 8.1 If you have a story to share or are a victim to such a scam you can write to us at [email protected]

The Koinex Conflict

Ashish was one of the few victims of a recent issue of XRP transfers at Koinex. On February 6, due to a network issue XRP transfers weren’t processed from Koinex and the transactions were dropped from the network. Koinex created new transactions to transfer XRPs, that went thru. After a while the dropped transactions were reprocessed automatically by Ripple network. This resulted in double (triple or more in some cases) XRPs transferred from Koinex to same accounts.

Example: If I sent 50 XRP to XYZ account, there were 2 or 3 transactions done from Koinex, each of 50 XRP to XYZ account. Hence the duplication.

Koinex promptly locked the user accounts whose transactions were reprocessed and received ‘extra’ XRP. Users weren’t happy about it.

@pappu_channia My KOINEX account has been blocked since 5th Feb.All my assets r locked bcz I received 40 extra XRP at binance .It was not my fault. Everyday I m writing email & tweeting to your team. But no response. Pls help unlocking my account. ID- 10BFMT6

— ashish kumar (@bholu202) February 16, 2018

Ashish’s account was locked too and Koinex was owed 6900 XRP from Ashish. Ashish’s 6900 XRP were sent to his BitBns account in 3 extra transactions.

Intended Transaction:

13DCFC4617D365A52E3DECC0CD6A0EEC9F3ED68091413073E61306090C79E0B2

Extra transactions:

72A19E4B0AF0232B7CB38195CAF65668D8C1D37FE6F13B7100722232D385067E

13FD6088BBC8DE5C9AF87B92EBEEB7BBCF086D2663922FD02A697E411C451C33

C1B9580033D791E9EE8D3B5EF99593623E5AAA84955DF14B8B6D1686C0DEDA9A

But Ashish was fighting another battle with BitBns at the same time.

The Bitbns Issue:

At Bitbns Ashish had exploited a loophole in the exchange to buy cryptocurrency worth crores of INR and transferred it out of Bitbns. Bitbns was able to notice it eventually and demanded him to return the crypto. His balances were turned negative and he would only be let off the hook after the balances were made Zero. He had to return the crypto. Ashish had managed to exploit the loophole to make gather a balance of close to 12 crores. However Bitbns was alerted after he made purchases worth a fee lakhs and his balance went negative.

how bitbns scam worked — Ashish’s balances turned negative for the crypto he purchased using the loophole

The crypto he bought from Bitbns was now spread across his other accounts on different exchanges including one on Binance, Koinex and so on. He returned most of the crypto back to Bitbns, later Bitbns changed his wallet addresses. His destination tag was changed in case of XRP wallet. His wallet was reset to Zero to confirm his debt was repaid.

He still owed 2.5 ETH to Bitbns.

how did koinex and bitbns pull off the scam — All balances set to Zero with new wallet address

A part of his XRPs returned were sent from his Koinex account. That is when the Koinex tragedy hit.

Ashish sent XRP from Koinex.
Bitbns acknowledged and changed his wallet address /Destination tag
Due to the double credit issue at Koinex, Ashish’s old destination tag was sent 6900 XRP extra from Koinex.
Ashish has no access to this account now and cannot see it anymore.
Ashish contacted Bitbns to return these XRPs that was accidentally sent to them.
After a lot of heated conversations with Prashant, Gaurav and Arijit from BitBns team, Ashish was returned 4599 XRP. The remaining 2301 XRP were deducted for the 2.5 ETH he still owed Bitbns.
Bitbns issue was now finally closed and Ashish could breathe easy.

But he still had to pay Koinex.

The Scam email:

Ashish soon receives an email from [email protected] to deposit 6900 XRPs to re-activate his account. The mail gives an XRP wallet address and Destination tag to deposit the same. Ashish has no idea this is a scam. Every single detail about him in the email was legit and correct. Only if Ashish had noticed the email address correctly and the obvious spelling mistake in the subject line.

The first scammer email Ashish forwarded to Coin Crunch

A little digging revealed that this wallet address belongs to Bitfinex. This was our first clue. It wouldn’t lead us anywhere but we knew that if a scammer was dumb enough to use an exchange account, he would have left other crumbs for us to find. Indeed he did.

8 days after the email, Koinex warned their users on their Facebook page about a possible scam. But a lot had already happened in these 8 days.

Ashish Made a partial transfer

Ashish was intimidated by this email. He had just received 4099 XRP from Bitbns (Another 500 will be sent later), he had no extra funds. Hence he transferred 4099 XRP to the wallet address on the email.

how the bitbns employee scammed a user — 4099 XRP sent to Wallet address from email with this transaction

Ashish now waited for Koinex to activate his account. But Koinex had received not a single token from him.

The scammer on the other hand got greedy and demanded the remaining payment, still acting like on behalf of Koinex. He went a step ahead and copy pasted Koinex’s INR deposit account as well.

scam koinex, bitfinex, binance, bitbns scam — Email received for difference amount of XRP tokens

Being scared, Ashish made a couple more partial transfers to make the total amount transferred equal to 4962 XRP.

Ashish Realises his mistake

Ashish, still convinced he was paying his debts to Koinex called for help from Koinex. Koinex’s support is notoriously hard to reach but their social media has been active lately. Ashish stumbled through the Koinex scam warning on Facebook. He realised his mistake.

After a few days of running around, Ashish gave up. Ashish had reached out to us as well. We knew he was a victim to the scam and wanted to help. Hence we started our own investigation without letting anyone know. Secrecy was important in order to find the scammer.

Coin Crunch Investigation

It is hard to trace a Cryptocurrency owner. It is not impossible but with the limited resources we have, it seemed like a futile attempt. But we tried and eventually got somewhere.

Tracing the Ripple wallet:

The ripple wallet rLW9gnQo7BQhU6igk5keqYnH3TVrCxGRzm, where Ashish was asked to transfer the XRP belonged to the largest exchange in the world Bitfinex.

The scammer had used an exchange account. With the destination tag (3050145463), we thought we can track him down. Albeit it is not that easy. Bitfinex will not reveal the identity unless forced by authorities and Indian police have no authority over an international exchange.

Getting a Lead:

Over the next few days we discussed multiple possibilities with many users to get to the bottom of this. All was looking lost until one day a user came forward saying he might have an idea of who the scammer is. The alleged scammer had once discussed such a plan with the telegram user. We cannot reveal the identity of the user for his own protection.

Tracing the email address:

We hadn’t thought about hacking/tracing the gmail account because gmail is quite secure. However, we now had a faint idea of who could be behind all this so we can try to hack into the account. We reached out to our hacker friend to try and find details of the [email protected] account.

After a few hours he came back with nothing. Gmail is still very secure. But we had to try something. So we made a second attempt. This time with the help of another hacker. We got lucky. We were able to find and confirm the recovery email of the google account.

The account was deleted immediately:

Given the robust security system of google, the account holder must have been alerted of our unauthorised attempt to login. We had already been laying traps for the scammer to fall in. The terrified scammer than deleted the google account [email protected]. We had no intention to snoop into the email inbox so we didn’t care. We knew the next step to be taken.

Tracking down the Recovery email address

We were now tracking down the person who the recovery email address belonged to. The scammer had used his personal email address as the recovery address. It wasn’t very hard to track him down.

At this point you can ask “But anyone’s email address can be given as the recovery email right?”

That is correct. The reasons why we are so sure that this belongs to the scammer are:

When your email is added as recovery email address, you receive a notification and an option to unlink yourself. This was not done.
When we tried to reset the account with the recovery email address, obviously it did not work. However after few minutes, the account was deleted. That raised suspicion.
We tried to recover the deleted account and it worked using the same email address. Obviously we still can’t get inside the account but a recovery key was sent to the recovery email address.

Based on all of the above, we believe we know who the scammer is.

Disclaimer: It is important to note that while we have taken every effort to fact check and verify each and every point we made, we still have a chance of going wrong. Please read the following statements with a belief that we could or could not be correct.

Who is the alleged scammer?

After 5 days of investigation, we were finally able to be sure of who the scammer is at 01:35 AM on March 5, 2018. The alleged scammer is an admin of Bitbns Telegram group. Bitbns is a cryptocurrency exchange. We were able to find him on LinkedIn via the email address.

Update: Bitbns issued a statement via Telegram.

The above case mentioned case has been resolved. The involved person has returned back the corresponding XRP to the user involved. The said person is no longer admin of bitbns community.

Meanwhile, we are still working to determine if the alleged scammer worked alone or had any accomplice, there will be a part 2 to this investigation once we find out. We cannot reveal the identity until then.

What can we do to prevent future scams like these

Be vigilant. Check email addresses. Ignore emails from generic domains like gmail, yahoo, etc.
Always confirm with the community. You can reach out our telegram community for help as well.
Never ever share any of your personal information with anyone even if they claim to be an employee of the company without appropriate verification.
Do not be greedy. This issue would have never happened if Ashish had reported the bug to Bitbns in the first place. Audits will capture everything, if you see a bug, report it. Most exchanges reward people who report bugs.
Not all exchanges are fraud, not all employees are fraud. We must come together as a community and help each other out. Don’t label anyone just because you can.

If you have a story to share or are a victim to such a scam you can write to us at [email protected]

Update: The alleged scammer is not a BitBns Employee but an admin on the BitBns telegram group. The same was corrected after a communication from BitBns.

Bitbns statement was added, hence modified Coin Crunch stance.