Encrypted Messaging Site Privnote Cloned to Steal Bitcoin

The free web service, which lets users send encrypted messages that self-destruct once read, has been copied with the reported aim of redirecting users' bitcoin to criminals.

AccessTimeIconJun 15, 2020 at 9:18 a.m. UTC
Updated Sep 14, 2021 at 8:51 a.m. UTC

Privnote, a free web service that lets users send encrypted messages that self-destruct once read, has been copied with the reported aim of redirecting users' bitcoin to criminals.

In a Sunday post on cybersecurity blog KrebsonSecurity, journalist Brian Krebs warned users of a phishing scam that lures unsuspecting victims to a near-identical version of the privnote.com website known as privnotes.com.

However, the fake site doesn't fully encrypt messages, as Krebs discovered in tests, and can "read and/or modify all messages sent by users."

Just as worrying, it contains a script that hunts out messages containing bitcoin addresses and changes the original address into the bad actor's own address in the sent message. This would mean any funds sent would arrive at the bitcoin address owned by the criminal, not the one intended by the message sender.

"Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same," Krebs said in the post.

"Until recently, I couldn’t quite work out what Privnotes was up to, but today it became crystal clear," he said.

Krebs explained he'd been notified by the owners of privnote.com that someone had built a clone version of their site and that it was tricking users of the legitimate site.

"It’s not hard to see why: Privnotes.com is confusingly similar in name and appearance to the real thing, and comes up second in Google search results for the term “privnote.” Also, anyone who mistakenly types “privnotes” into Google search may see at the top of the results a misleading paid ad for “Privnote” that actually leads to privnotes.com," Krebs wrote.

CoinDesk - Unknown
A Google search for “privnotes” pulls up a paid advert for the phishing site privnotes.com

A quick Google search by CoinDesk verified this finding.

Making the scam harder to spot, the self-destructing nature of these messages means victims are unable to go back and check on the bitcoin addresses the script alters: they are sent, read and deleted. According to Allison Nixon, chief research officer at Unit 221B, who helped identify and test the phishing scam, said the script appears to only alter the first instance of a bitcoin address if it's repeated within a message.

"The type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” Nixon said in the post. “It’s a pretty smart scam.”

Bitcoin-related scams have been on the rise in recent months, particularly with concerns relating the coronavirus pandemic. U.K residents were warned in late March that scams were being used to exploit fear and uncertainty through text messages and emails posing as an official health organization.

"Even if you never use or plan to use the legitimate encrypted message service Privnote.com, this scam is a great reminder of why it pays to be extra careful about using search engines to find sites that you plan to entrust with sensitive data," Krebs said.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.