Bad security practices from Hotbit

It’s well known that there are a lot of scammers in the cryptocurrency business. You need to be very attentive to all incoming offers in order not to fall into the scammer trap.  Scammers didn’t even pass by the leading cybersecurity company Hacken.

Cybercrimes in the cryptocurrencies market is not a rare. According to Chainanalysys crypto crime report after drop in scam revenue in 2018, scammers more than tripled their revenue in 2019, bringing in $4.30 billion worth of cryptocurrency from millions of victims. 

As a case study to this article, you will find out the importance of having a SPF record especially when you are working with client’s funds like crypto exchanges. Absence of SPF record allows attackers to spoof your domain name for phishing and whaling attacks, potentially leading to ransomware, malware, and financial loss.

What happened?

On March 21, Mr. Budorin, Haсken CEO, received a message from a man who said that he works with Genesis Capital and that he has a group of investors interested in the HakcenAI project.

After that scammer said they raise the trading volume of projects they are partnered with. And also he said that their “most recent” project is Nyzo. Likely, he just gave a link to the project which is the closest in the queue for listing at Hotbit.

Then conversation has been moved to telegram and Mr. Budorin got a message from a fake Hotbit listing coordinator. 

Fake emails & Listing

At the same time scammers sent email to Mr. Budorin from [email protected] address. Since this exchange does not have an SPF record, anyone can send letters from hotbit.io domain. Therefore, it is extremely important to have an SPF record so that scammers could not use your exchange for their purposes. 

As a result of reconciliation of letters we found that the server from which letter was sent does not coincide with the one from which the hotbit usually sends letters. You may check it by yourself:

• Server used by frauders: Received: from p3plsmtpa06-05.prod.phx3.secureserver.net (p3plsmtpa06-05.prod.phx3.secureserver.net. [173.201.192.106]) 
• Hotbit server: Received: from ucmail156.sendcloud.org (ucmail156.sendcloud.org. [106.75.79.187])

We found that email has been sent from 5ymail.com service. Because email with such a domain is indicated in “reply-to” section.

In the second email scammers sent us a “Hotbit listing agreement”. 

According to this document listing fee equals 3 BTC. This is not a big price in the realities of the cryptocurrency market. Scammer admitted that normal Hotbit listing fee costs 8 BTC but they will make a “special” discount due to good relationship of a Hotbit with Genesis Capital.

But after the “emergency E-meeting” listing fee has been decreased 2x times. And the final cost was 1.5 BTC! This is a tempting offer if it were not clear that this person is a 100% fraudster.

Conclusion

The number of fraudsters and hacker attacks in the crypto business is increasing every year according to Chainanalysys crypto crime report. Therefore, all incoming offers must be checked for fraud. 

Also, using Hotbit as an example, we want to indicate to all exchanges that they should not neglect the security of their service.  In this case, scammers used lack of SPF record to sell fake listings. This is not the only security problem of this crypto exchange, but because of this vulnerability fraudsters can use Hotbit for their purposes. 

We recall that users may find actual security ratings of crypto and balances of crypto exchanges on cer.live website. Also exchanges representatives can get details about their exchange rating by leaving a request in our contact form.