Cryptothrift is one of those amazing platforms where anyone can buy and sell goods and services in exchange for Bitcoin and/or Litecoin. The service itself has undergone some changes over the past few months, including the removal and reactivation of their escrow service after a malicious attack against the escrow wallet. However, these changes do not rid the platform of scammers, as you will see below.
Cryptothrift: Brief History
We started looking into Cryptothrift a while ago, as it was a new platform offering an eBay-esque familiarity. Items can be bought for a fixed price or through bidding, there is a reputation system in place to leave feedback after (un)successful transactions, and you can simply find anything and everything on their platform at any given time.
Even though there are plenty of categories to choose from, most of the action on Cryptothrift seems to revolve around physical coins, stickers, digital games, and gift cards. As you might have expected, most of these things are right up my alley, hence why I have taken a huge liking to the Cryptothrift platform over the past few months.
However, Cryptothrift has also seen its share of dark snow, as they had to suspend their escrow service in early October of 2014. According to an official statement on their blog, the platform’s security was breached, which led to the hot wallet (which stores some of the funds held in escrow) being compromised. When all was said and done, roughly 15 Bitcoin were stolen, which were reimbursed by the Cryptothrift team in due time.
Apparently, the attack vector was to be found in a third-party plugin used by the Cryptothrift platform. This issue made SQL injection possible, and the amounts on transactions being released from escrow were manipulated. Furthermore, the team had to rethink their security and cold/hot storage options, which led to the suspension of the escrow services for the time being.
Fast forward to December 8th 2014, a date on which Cryptothrift users could rejoice as the escrow system came back online. Granted, it took two months to fix and properly test the new system, but you have to keep in mind that Cryptothrift is run by two people who also have “regular” jobs. Either way, escrow is back, customers are happy, no more scamming attempts! Or…not?
How Someone Tried To Impersonate The Cryptothrift Escrow Service
Before I tell you what happened, there are two things you need to know. First, the Cryptothrift team is in no way to blame for this, as their escrow service is perfectly fine. Second, even though my user account has 0 feedback, that doesn’t mean I never used Cryptothrift to make a purchase in the past. I know how their escrow system works, which did give me an advantage in this situation.
Late last night, I came across an item on Cryptothrift which I could use. A Destiny PlayStation 4 bundle, including a white PS4, two games (Destiny and Infamous: Second Son), and at a rather cheap price of US$250. It wasn’t the first time I saw this console for sale, as I have been keeping an eye out for it since early December 2014.
As that listing was coming to a close, I decided to make the seller a lowball offer, to see if he/she would pick up on it after listing this item for the umpteenth time. My offer of US$150 (excluding shipping) was very low, but maybe we could come to terms somewhere in the middle, around the US$200 mark. You never know, right?
Big was my surprise when I received an email from Cryptothrift saying the seller had accepted my offer. Maybe this would turn out to be a lucky night after all, and as the escrow service protects me until the item actually arrives, I am safe from losing funds regardless. So I went ahead, filled in the form, including US$21 for shipping, 1% for the escrow fee and paid in Bitcoin.
Shortly after that, something strange occurred. I received an email claiming to come from “Fraud Security” with the email title of “Escrow Authentication”. Even though I had used the Cryptothrift escrow system before, maybe the new solution wants me to confirm some details? So I opened up the email and this is what I saw:
The Fake Cryptothrift Escrow Authentication Email
Needless to say, even at a quick glance you can see this is an absolutely pathetic attempt by the seller to scam me into giving up my Cryptothrift password. First of all, check the email address where this email is originating from: “firstname.lastname@example.org”. Big, big, biiiiig red flag in my book, and that’s the first thing anyone will see if they know where to look.
Secondly, they can’t even spell the name of the company properly throughout the entire email. First it’s “Crypto Thrift”, then “CryptoThrift”, and in the “signature” it’s “Crypto Thrift” once again. Sloppy work, although these are things you can easily glance over and not notice. Take it from someone who has been a victim of multiple scam attempts, you learn to pay attention to detail rather quickly.
Last but not least, it asks for the password to my CryptoThrift account. The reason they are doing so is because, once logged in to my account, there is a button to release funds in escrow to the seller. If the scammer managed to access my account, he or she could simply release the funds to him/herself, and I’d end up with nothing.
However, this email is one of the more convincing ones I have ever seen, simply because it mentions the following: “So if you are unable to provide us with this information go to http://www.cryptothrift.com and request a refund from our escrow service.” The same message is repeated in the area where it asks for my password: “(If you have a problem or suspect Fraud of your own, simply cancel the payment and ask for refund.)”
Unsuspecting victims will see this as a reassurance that this email is actually coming from the Cryptothrift escrow service, as it tells them they can easily get a refund if they do not feel secure. Why would a scammer go to the lengths of making such a remark? They just want your money and they are usually far more straightforward. That, ladies and gentlemen, is called social engineering.
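The three red flags described above (a sender address that is not on the platform's domain, the company name spelled in more than one way, and a request for the account password) can also be checked mechanically. The Python below is an added example, not part of the original article or of Cryptothrift's code; the sender address and most of the message body are constructed, and treating `cryptothrift.com` as the official sender domain is an assumption based on the site's URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Display name, subject and the refund sentence follow the
# article; the sender address and the remaining body text are made up.
SAMPLE = """\
From: Fraud Security <fraud.security@mail.example>
Subject: Escrow Authentication

Dear customer, Crypto Thrift needs to authenticate your escrow payment.
Please reply with your CryptoThrift username and password.
So if you are unable to provide us with this information go to
http://www.cryptothrift.com and request a refund from our escrow service.

Crypto Thrift Fraud Security
"""

def phishing_flags(raw, brand="Cryptothrift", official_domain="cryptothrift.com"):
    """Return which of the article's three red flags apply to a raw e-mail."""
    msg = message_from_string(raw)
    # Only single-part plain-text messages are inspected in this example.
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []

    # 1. The From address must be on the official domain or a subdomain of it.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != official_domain and not domain.endswith("." + official_domain):
        flags.append("sender-domain-mismatch")

    # 2. The brand is written in more than one way. Links are removed first so
    #    that a genuine URL in the text does not count as a spelling variant.
    text = re.sub(r"https?://\S+", "", body)
    brand_re = r"\s?".join(re.escape(c) for c in brand)
    if len(set(re.findall(brand_re, text, re.IGNORECASE))) > 1:
        flags.append("inconsistent-brand-spelling")

    # 3. The message asks the reader to hand over a password.
    if re.search(r"\b(reply|provide|send|enter|confirm)\b[^.]*\bpassword\b",
                 text, re.IGNORECASE):
        flags.append("asks-for-password")
    return flags

if __name__ == "__main__":
    print(phishing_flags(SAMPLE))
```

A From header is easy to forge, so a message that passes the first check is not thereby genuine; these checks only catch careless attempts like the one in this article.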
Aggressive Communication from the Cryptothrift seller
While the email itself is rather well done, the seller kind of gave it away in the internal communication on the Cryptothrift platform. When you start blowing your own horn, people will definitely grow wary of what you are trying to accomplish. I’ll let the following image tell you the entire story, and you can see why it throws another red flag:
However, as I was asleep at the time that email was sent, I couldn’t even reply to the message. Things kept unfolding over the next 30 minutes, as the seller decided to mark the item as “Shipped” on CryptoThrift, and sent me another message shortly thereafter. Slowly getting desperate if you ask me though:
First of all, you try to trick me with a fake email, to which I do not respond. All of a sudden, you change your mind and “ship” the item anyway. Then you send me a message without tracking information and threaten to get the item back if I don’t release escrow funds before the item arrives. At least try to keep up appearances a bit, dear scammer? You seem very desperate and are grasping at straws…
In the end, I did what anyone should do. The first thing I did was ask for a refund from Cryptothrift, which is currently being processed by their team. After that, I left the seller a negative feedback, which you can see here. Last but not least, I wrote up this article to inform anyone out there about these scam attempts.
Once again, none of the above is the fault of the Cryptothrift team. I really enjoy using their platform, and will continue to do so in the future. This article just serves as a general warning for unsuspecting buyers.
Have you ever used the Cryptothrift platform? And what was your experience like? Leave a comment below!
Website : https://cryptothrift.com