Encrypted Messaging Site Privnote Cloned to Steal Bitcoin

The free web service, which lets users send encrypted messages that self-destruct once read, has been copied with the reported aim of redirecting users' bitcoin to criminals.

AccessTimeIconJun 15, 2020 at 9:18 a.m. UTC
Updated Sep 14, 2021 at 8:51 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Privnote, a free web service that lets users send encrypted messages that self-destruct once read, has been copied with the reported aim of redirecting users' bitcoin to criminals.

In a Sunday post on cybersecurity blog KrebsonSecurity, journalist Brian Krebs warned users of a phishing scam that lures unsuspecting victims to a near-identical version of the privnote.com website known as privnotes.com.

However, the fake site doesn't fully encrypt messages, as Krebs discovered in tests, and can "read and/or modify all messages sent by users."

Just as worrying, it contains a script that hunts out messages containing bitcoin addresses and changes the original address into the bad actor's own address in the sent message. This would mean any funds sent would arrive at the bitcoin address owned by the criminal, not the one intended by the message sender.

"Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same," Krebs said in the post.

"Until recently, I couldn’t quite work out what Privnotes was up to, but today it became crystal clear," he said.

Krebs explained he'd been notified by the owners of privnote.com that someone had built a clone version of their site and that it was tricking users of the legitimate site.

"It’s not hard to see why: Privnotes.com is confusingly similar in name and appearance to the real thing, and comes up second in Google search results for the term “privnote.” Also, anyone who mistakenly types “privnotes” into Google search may see at the top of the results a misleading paid ad for “Privnote” that actually leads to privnotes.com," Krebs wrote.

A Google search for “privnotes” pulls up a paid advert for the phishing site privnotes.com
A Google search for “privnotes” pulls up a paid advert for the phishing site privnotes.com

A quick Google search by CoinDesk verified this finding.

Making the scam harder to spot, the self-destructing nature of these messages means victims are unable to go back and check on the bitcoin addresses the script alters: they are sent, read and deleted. According to Allison Nixon, chief research officer at Unit 221B, who helped identify and test the phishing scam, said the script appears to only alter the first instance of a bitcoin address if it's repeated within a message.

"The type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” Nixon said in the post. “It’s a pretty smart scam.”

Bitcoin-related scams have been on the rise in recent months, particularly with concerns relating the coronavirus pandemic. U.K residents were warned in late March that scams were being used to exploit fear and uncertainty through text messages and emails posing as an official health organization.

"Even if you never use or plan to use the legitimate encrypted message service Privnote.com, this scam is a great reminder of why it pays to be extra careful about using search engines to find sites that you plan to entrust with sensitive data," Krebs said.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.