An online scammer who has been setting up websites that mimic the self-destructing messaging service privnote.com recently exposed the breadth of their operation by accident when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that look and behave like the real Privnote, except that any message containing a cryptocurrency address is silently altered to contain a different payment address controlled by the scammers.

The real Privnote, at privnote.com.
Launched in 2008, privnote.com uses technology that encrypts each message so that even Privnote itself cannot read its contents. And it doesn't send or receive messages: creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever once it has been read.
Privnote's ease of use and popularity among cryptocurrency enthusiasts have made it a perennial target of phishers, who set up Privnote clones that function more or less as advertised but quietly inject the phishers' own cryptocurrency payment address into any note that contains a wallet address. The encryption of the real service offers no protection here: a clone serves its own page, so it sees every note in plaintext and can rewrite it before the recipient ever opens the link.
Last month, a new GitHub user named fory66399 filed a complaint on the Issues page of MetaMask, a software cryptocurrency wallet used to interact with the Ethereum blockchain. Fory66399 insisted that their website, privnote[.]co, was being wrongly flagged as malicious by MetaMask's "eth-phishing-detect" list.
"We are filing a lawsuit through a lawyer for dishonestly adding the site to the blacklist, damaging its reputation, and ignoring the review department and ignoring answers!" fory66399 threatened. "Produce evidence, or I will demand compensation!"
MetaMask's lead product manager Taylor Monahan replied by posting several screenshots of privnote[.]co showing that the site does indeed swap out any cryptocurrency addresses.
After being told where they could send a copy of the lawsuit, fory66399 appeared to become flustered and went on to mention several other interesting domains:
You sent me screenshots from some other site! It's red!!!
The tornote.io website has a completely different color
The privatenote,io website also has a different color! What's wrong?????
A search at DomainTools.com for privatenote[.]io shows it has been registered under two names over the years, including Andrey Sokol from Moscow and Alexandr Ermakov from Kyiv. There is no indication that these are the phishers' real names, but the names help point to other websites that have targeted Privnote since 2020.
DomainTools indicates that other domains registered to Alexandr Ermakov include pirvnota[.]com, privatemessage[.]net, privatenote[.]io and tornote[.]io.

Screenshot of the phishing domain privatemessage[.]net.
The registration record for pirvnota[.]com was at one point updated from Andrey Sokol to "BPW" as the registrant organization and "Tambov District" in the Registrant State/Province field. Searching DomainTools for domains containing both of these terms reveals pirwnote[.]com.
Other Privnote phishing domains that phoned home to the same Internet address as pirwnote[.]com include privnode[.]com and two further Privnote lookalikes. Pirwnote[.]com is currently selling security cameras made by the Chinese manufacturer Hikvision, via an Internet address based in Hong Kong.
It appears someone has gone to great lengths to make tornote[.]io look like a legitimate website. For example, an account on Medium has authored more than a dozen blog posts over the past year praising Tornote as a secure, self-destructing messaging service. Testing shows, however, that tornote[.]io also replaces any cryptocurrency address in a message with the phishers' own payment address.
These malicious note sites attract visitors by gaming search engine results so that the phishing domains appear prominently in searches for "privnote." A Google search for "privnote" currently returns tornote[.]io as the fifth result. Like other phishing sites tied to this network, Tornote uses the same cryptocurrency address for roughly five days and then rotates in a new payment address.

Tornote swaps the cryptocurrency address entered in a test note for an address controlled by the phishers.
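The address-swapping behaviour described above (a clone that rewrites wallet addresses in notes, and the roughly five-day payout-address rotation) is easy to test for with a canary note: write a note containing addresses you control, read it back through the service, and diff the addresses. The example below is added here for illustration and is not code from Privnote, from the phishing sites, or from the article; the `PhishingNoteService` class merely simulates the reported behaviour so the probe can run offline, and the regexes, class names, day numbers and wallet addresses are all constructed assumptions.

```python
import re

# Address patterns (constructed for this example): Bitcoin base58 and bech32
# forms plus 20-byte hex Ethereum addresses. Sufficient for a canary test;
# not a validator (no checksum verification).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def extract_addresses(text):
    """Return [(kind, address), ...] in a stable order (by kind, then position)."""
    return [(kind, m.group(0))
            for kind, pat in ADDRESS_PATTERNS.items()
            for m in pat.finditer(text)]


class HonestNoteService:
    """Stores a note verbatim and deletes it on first read (the Privnote model)."""

    def __init__(self):
        self._notes = {}

    def create_note(self, text, day=0):
        note_id = f"note-{len(self._notes)}"
        self._notes[note_id] = self._store(text, day)
        return note_id

    def _store(self, text, day):
        return text

    def read_note(self, note_id):
        return self._notes.pop(note_id)  # self-destructs after one read


class PhishingNoteService(HonestNoteService):
    """Simulates the clone described in the article (assumption, not real code):
    every crypto address in a note is rewritten to an operator-controlled payout
    address, and the payout address rotates every `rotation_days` days."""

    def __init__(self, payouts, rotation_days=5):
        super().__init__()
        self._payouts = payouts            # {"btc": [...], "eth": [...]}
        self._rotation_days = rotation_days

    def payout_for(self, kind, day):
        addrs = self._payouts[kind]
        return addrs[(day // self._rotation_days) % len(addrs)]

    def _store(self, text, day):
        for kind, pat in ADDRESS_PATTERNS.items():
            text = pat.sub(lambda m, k=kind: self.payout_for(k, day), text)
        return text


def probe_for_swap(service, canary_text, day=0):
    """Send a canary note with addresses you control, read it back, diff the addresses.
    A changed address, or a changed number of addresses, means the service tampers."""
    returned = service.read_note(service.create_note(canary_text, day))
    sent, got = extract_addresses(canary_text), extract_addresses(returned)
    swaps = [(kind, a, b) for (kind, a), (_, b) in zip(sent, got) if a != b]
    return {"tampered": bool(swaps) or len(sent) != len(got), "swaps": swaps}


def observe_rotation(service, days, canary_text):
    """Probe on several days; return distinct replacement addresses per kind, in order seen."""
    seen = {}
    for day in days:
        for kind, _orig, repl in probe_for_swap(service, canary_text, day)["swaps"]:
            seen.setdefault(kind, [])
            if repl not in seen[kind]:
                seen[kind].append(repl)
    return seen


# Constructed sample data (not real wallets).
VICTIM_BTC = "1VictimPayoutAddressForTestingabc12"
VICTIM_ETH = "0x" + "1" * 40
PAYOUTS = {
    "btc": ["1PhisherSwappedAddrTestingxyz34567",
            "1PhisherSwappedAddrTestingxyz34568",
            "1PhisherSwappedAddrTestingxyz34569"],
    "eth": ["0x" + "a" * 40, "0x" + "b" * 40, "0x" + "c" * 40],
}
CANARY = f"Pay 0.5 BTC to {VICTIM_BTC} or send ETH to {VICTIM_ETH} before Friday."

if __name__ == "__main__":
    print(probe_for_swap(HonestNoteService(), CANARY))
    print(probe_for_swap(PhishingNoteService(PAYOUTS), CANARY))
    print(observe_rotation(PhishingNoteService(PAYOUTS), range(15), CANARY))
```

Against a live site the same probe would drive a headless browser through the create-and-read flow instead of calling a class; the comparison logic is unchanged. Reading the note back through the service (rather than inspecting what you typed) is the point: the swap happens server-side, so only the recipient's view reveals it.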
Throughout 2023, Tornote was hosted with the Russian provider DDoS-Guard at the Internet address 186.2.163[.]216. A review of the passive DNS records tied to this address shows that, apart from subdomains dedicated to tornote[.]io, the main other domain at this address was hkleaks[.]ml.
In August 2019, a slew of websites and social media channels dubbed "HKLEAKS" began doxing the identities and personal information of pro-democracy activists in Hong Kong. According to a report (PDF) from Citizen Lab, hkleaks[.]ml was the second domain to appear as the perpetrators expanded the list of people being doxed.

HKleaks, indexed by The Wayback Machine.
The address 186.2.163[.]216 was also home to a website called rustraitor[.]info, set up in the wake of Russia's invasion of Ukraine in early 2022, which doxed Russians believed to be aiding Ukraine's cause.

Archive.org copy of Rustraitor.
DomainTools shows there are more than 1,000 other domains whose registration records include the organization name "BPW" and the location "Tambov District." Virtually all of these domains were registered through one of two registrars, Hong Kong-based Nicenic and Singapore-based WebCC, and almost all appear to be related to phishing or pill spam.
In keeping with the overall theme, those clustered phishing domains appear to focus on stealing usernames and passwords for some of the cybercrime underground's busiest shops, including Brian's Club. What do all the phished sites have in common? They all accept payment in virtual currency.
It appears MetaMask's Monahan made the right call in forcing these phishers to tip their hand: the same DDoS-Guard address also hosts multiple MetaMask lookalike phishing domains.
How profitable are these Privnote phishing sites? Examining four malicious cryptocurrency payment addresses that the attackers swapped into notes via privnote[.]co (shown in Monahan's screenshots above) reveals that between March 15 and 19, 2024, nearly $18,000 in cryptocurrency passed through those addresses. And that is just one of their phishing sites.