
How to avoid being scammed

Developer Impersonation Scam

Scammers.
There are many different kinds of scams going on these days: Twitter bots that promise to send you 10 ETH if you send them .1 ETH, people who offer “tech support” over TeamViewer and end up stealing all your coins or private keys, and the main topic of today’s post, people impersonating altcoin developers or community moderators to gain someone's trust and then getting that person to send over their unencrypted private keys. The tips I'll give you today focus on Bulwark and our social media, but the overall theme can be applied to any coin.

This scam comes in several forms but most commonly happens on chat platforms like Telegram and Discord. In the most common case, someone creates an account and joins a channel or group. They wait for someone to ask for tech support with their wallet. The specific issue doesn’t matter, as long as it is a wallet issue of some kind: masternode setup, staking, simple questions about syncing, anything the scammer can use to get someone to run a command in their debug console. The scammer then changes their profile picture and display name to match an Admin, Moderator, or a generally “trusted” community member. The scammer then private messages the person who is asking for tech support with a command string for them to run in their debug console. That command string invariably contains the dumpwallet command, and the wallet dump file is output as a plain text document with a name containing help, debug or log. The dumpwallet command, for those who do not know, outputs a text file containing all of the decrypted private keys for all of the past, present, and future addresses in your wallet.dat’s keypool. Once you send this file to the scammer, your coins are as good as gone.

So now that we got the description of the scam out of the way, let's talk about how you can keep this from ever happening to you.

First, the easiest way to make sure you aren’t talking to a scammer is to verify the identity of the person who is helping you, and do not accept private help from someone who isn’t an official representative of Bulwark. Additionally, be suspicious of anyone who private messages you first. No one on the Bulwark Team, Moderator or Developer, will ever contact you first. We will attempt to troubleshoot everything in public and will not initiate PMs unless you either request that it be done privately or we tag you publicly, letting you know that we are going to PM you. This goes for both our Discord and Telegram. On Discord, the best way to do this is to publicly tag whoever is contacting you, by right-clicking on their name in the member list, and see if they respond. If the user responds publicly that they are in fact the person talking to you in your private messages, then you have an answer to your question. If they say no, it’s not them talking to you, then you also have your answer.

Next, if the person you're interacting with checks out and they are who they say they are, you will still want to be careful to keep your private keys safe. A brief explanation of private keys for those who are making their first journey into securing their cryptocurrency: your private key is the key that verifies that you own the coins stored in a public address on the blockchain. Having the key allows full access to the funds within. Even if you delete your Bulwark wallet off your computer entirely, the private key can be used as a backup to allow you to access your coins from another computer. Private keys are both incredibly powerful and incredibly dangerous, and must be kept an absolute secret if you wish to maintain the security of your coins.

If someone wants the output of a command that contains the word dump, do not give it to them. I can only speak for Bulwark, but no command whose output we would ever want for troubleshooting contains dump. These commands output either a full dump of all of the private keys for all past, present, and future addresses for your wallet, in the case of dumpwallet, or the private key for a single address, in the case of dumpprivkey address. If you run the command and send them the file, you will be sending them the unencrypted private keys to your coins. The entire contents of your wallet will be in jeopardy, and you will have little to no time to react and move your coins somewhere else. I cannot stress enough how important it is to not send your private keys to anyone, ever.

We've done many things to attempt to protect our community. Our Discord bot kicks anyone who changes their name to match one of the Developers or moderation staff. The bot also posts warnings every 12 hours, warning people about the dangers of scammers and how they use "Tech Support" as a cover. Most of us leave our Private Messages open so anyone can contact us if they feel the need to, and someone is always online to help if you need it. But in the end you need to have the knowledge to protect yourself.
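The name-match check a moderation bot performs, as described above, shown here as an added example (this is not Bulwark's bot code). The staff names and IDs are constructed placeholders, and `STAFF_NAMES`, `CONFUSABLES`, `skeleton` and `impersonated_staff` are hypothetical names; the point is that display names must be normalized before comparison, or look-alike characters slip past an exact match.

```python
import unicodedata

# Constructed staff accounts (placeholder IDs and names, not real Bulwark staff).
STAFF_NAMES = {"1001": "ExampleDev", "1002": "Mod Alice"}

# Small constructed look-alike map; a production bot would load a fuller
# confusables table. i, l, 1 and | all collapse to "l" on both sides.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "|": "l", "i": "l", "3": "e", "5": "s", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0441": "c", "\u0440": "p", "\u0456": "l",   # Cyrillic s, r, Ukrainian i
})


def skeleton(name: str) -> str:
    """Reduce a display name to a key used only for comparison."""
    # NFKD folds fullwidth/styled letters to ASCII and splits off accents.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold().translate(CONFUSABLES)
    # Drop spaces, punctuation and zero-width padding characters.
    return "".join(ch for ch in text if ch.isalnum())


def impersonated_staff(user_id: str, display_name: str):
    """Return the staff name this account imitates, or None."""
    key = skeleton(display_name)
    if not key:
        return None
    for staff_id, staff_name in STAFF_NAMES.items():
        # The real staff account is allowed to carry its own name.
        if user_id != staff_id and key == skeleton(staff_name):
            return staff_name
    return None


if __name__ == "__main__":
    # Constructed sample display names: digit swap, Cyrillic letters, padding.
    for uid, name in [("2001", "Examp1eDev"), ("2002", "\u0415xampleD\u0435v"),
                      ("2003", "Mod  Alice."), ("1001", "ExampleDev"),
                      ("2004", "Bob")]:
        print(uid, repr(name), "->", impersonated_staff(uid, name))
```

Comparing against the account ID rather than the name is what lets genuine staff keep their names while copies are flagged.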