This program is stealing your private keys!

Update

I did some browsing around and managed to find this person on GitHub. I reported the program as malware, using the post here and the research.

They have been banned on GitHub after their investigation.

5 Likes

Good work man, tnx :+1:

2 Likes

Thanks man. I spent quite a few hours searching all sorts of forums (Russian, German) and tried to gather clues and any information that would be deemed useful.

1 Like

This post has obviously not done anything to convince any of the hosts or other service providers that this crap is purely malicious. Almost every one of the sites listed on this page is currently back up and running. If anyone has any time to put into reporting these sites to the appropriate parties, please do so, and if you know of the best way to do so, please post instructions so others can do it also.

Mainly, I am just posting again to bring this to the top so if anyone is stupid enough to fall into this, maybe they will see this before it is too late.

2 Likes

I think this is a wrong conclusion. In order to have any of those service providers do anything, a report needs to be filed, and potentially no one else bothered.

I have just contacted GoDaddy via phone; had a nice chat with a support person, but unfortunately, couldn’t escalate it, as based on what he said, the abuse department doesn’t have a direct line (so no transfers), and support cannot do much about escalating those incidents, so he urged me to report it once more. He also suggested that the more people report, the more seriously they take it. I filed the first report some time ago, and apparently not much happened.

So, I have opened another report (Report Abuse). Potentially, it would help if other folks also reported to GoDaddy. I wrote the following (so just copy/paste it to make it faster):

I am a member of chiaforum.com. This forum is oriented around the Chia blockchain. One member has investigated malware provided as a download (multi-threaded file downloader) on those websites. All those domain names are registered with GoDaddy.com. chiadb.co and chiadatabase.info are forwarded to chiadownload.net, which is fronted by CloudFlare.

Here is the thread from the forum, where one member analyzed that downloader: This program is stealing your private keys!

It would be appreciated if you could suppress the registration of those three domains, to not have crime freely propagate.

Looking at those three URLs (medium.com has nothing to do with GoDaddy), chiadb and chiadatabase are forwarded to chiadownload.

Google is the SSL cert provider for chiadownload.net, so maybe someone could report it to Google to take that cert down (I don’t deal with google).

They use CloudFlare in front of their website (not sure who hosts it). I will try to report it there shortly (Providing specific URLs - Report abuse · Cloudflare Fundamentals docs). When you follow bullets #3-5 there, the DevTools should open right on the line that starts with

<a href="https://chiadatabase.info/Multi....

You will need to copy that URL from there (don’t copy “<a” as that may confuse the report - inject broken HTML formats).

As CloudFlare is not really hosting that scum website, at the bottom of the page you need to checkmark the first box (“forward my report to the website hosting provider”). It kind of looks like a scam to me, as apparently CloudFlare doesn’t want to deal with it even though they are fronting it, while at the same time hiding the info about the hosting side. Not really encouraging. However, I did file with them as well.

Also, if I remember from the early days, Chia mentioned that they are not permitting anyone to use the “Chia” name, and will eventually sue. I guess this is potentially the best time where they could prove that they can also walk the walk. So, for those folks that frequent either keybase or their discord, maybe you could bring it up there. Both GoDaddy and CloudFlare have a special abuse path for copyright infringement, so that may be the fastest way to bring shit like that down.

EDIT:
I checked that medium page, and it gives a 401 error, and there is a note that the page is under investigation. So, whoever reported it there, it worked better than GoDaddy. Maybe it is worth bringing it up with GoDaddy that other providers can act in a respectful way, so why not them.

1 Like

I posted on the chia discord channel to sargonas (the one that responded via reddit for Chia saying they would work on it via legal channels). Just to check in and make sure it has the attention it deserves.

The main page (chiadownload) is down today. Also, nslookup is not finding that domain anymore. Looks like GoDaddy suppressed that domain registration.

However, chiadb and chiadatabase are still responding to nslookup queries. Although, on my box, most likely Edge forces forwarding to chiadownload (which is dead). As those domains are still active / properly registered, nothing stops those scoundrels from pointing those DNS entries to another hosting provider.

1 Like
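The post above checks the three domains by hand with nslookup and worries that the still-registered ones could be pointed at a new host. As an added example (not code from the thread), the script below turns that check into a repeatable takedown monitor: it resolves each domain and reports whether it no longer resolves (suppressed), still points at the recorded address, or has moved. The baseline IPs are constructed placeholders, not the addresses these names actually used, and the resolver is injectable so the logic can be tested without network access.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

# Domains named in this thread. The baseline addresses are CONSTRUCTED
# placeholders (RFC 5737 documentation range), not the real hosting IPs.
WATCHED = ["chiadownload.net", "chiadb.co", "chiadatabase.info"]
BASELINE = {
    "chiadownload.net": "192.0.2.10",
    "chiadb.co": "192.0.2.10",
    "chiadatabase.info": "192.0.2.10",
}


def resolve_a(domain: str) -> Optional[str]:
    """Return the first IPv4 address for domain, or None if it no longer resolves."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        # NXDOMAIN or similar: the registrar/DNS has dropped the name.
        return None


def check_domains(domains: Iterable[str], baseline: Dict[str, str],
                  resolve: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, str]:
    """Classify each domain as 'suppressed', 'unchanged', or 'moved to <ip>'.

    'moved' is the case the thread warns about: the name is still registered
    and has been re-pointed at a different hosting provider.
    """
    report: Dict[str, str] = {}
    for domain in domains:
        ip = resolve(domain)
        if ip is None:
            report[domain] = "suppressed"
        elif ip == baseline.get(domain):
            report[domain] = "unchanged"
        else:
            report[domain] = f"moved to {ip}"
    return report


if __name__ == "__main__":
    for domain, status in check_domains(WATCHED, BASELINE).items():
        print(f"{domain}: {status}")
```

Run it periodically after filing reports; a domain flipping from "suppressed" back to "moved to ..." is the signal that the operator has found a new host and the reporting cycle needs to start again.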

Checked back in on all these domains and all of them are down. Hopefully they didn’t just move to another location. If anyone sees this downloader somewhere else, post up here so everyone knows.

3 Likes