Huang Siliang, 8btc columnist, exposes an OTC fraud in his most recent article. He has recently become active in the booming OTC market and heard the following story from a fraud victim. It is a man-in-the-middle attack.

A MITM attack is one in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other.

With a little social engineering, a scammer can score easily, as newcomers flood into the OTC market without proper risk controls.

Chapter 0 Introduction

With Bitcoin OTC trading booming, OTC traders have become targets for scammers. This article describes a scam that took down several OTC traders. Pulling it off requires little computer expertise. It is mostly a social engineering attack that exploits a lack of vigilance on the part of both the seller and the buyer.

It’s a real story.

Chapter 1 The usual OTC trading process

Before we get into the scams, let’s have a look at the normal OTC trading process.

Buyers and sellers are required to register on an OTC trading platform and log in to buy or sell.

Sellers list ask orders on the platform and a buyer accepts a seller's pending order through the platform. For example, the buyer accepts the seller's order of ¥9000 / 1 BTC.

After the buyer accepts the ask order, the platform freezes the amount of bitcoin to be traded plus the trading fee. For example, the platform locks 1 BTC + 0.003 BTC fee (0.3%) from the seller's balance.

Next step is the fiat payment.

The buyer pays by bank transfer or another method to the account designated by the seller.

Once the payment is made, the buyer completes the payment-confirmation step on the platform and asks the seller to release the BTC.

The seller confirms that the payment has arrived and releases the BTC. The platform then transfers the BTC to the buyer's account and takes the transaction fee.

That is the normal trading process, but things can go wrong.

In the first scenario the buyer does not pay, but tells the platform and the seller that the payment has been made. The seller can refuse to release the coins and request arbitration. The platform then steps in and arbitrates based on the evidence provided by both parties.

In the second scenario the buyer did pay, but the seller deliberately refuses to release the coins. The buyer can then initiate arbitration on the platform. The buyer usually has solid evidence, since a bank transfer receipt speaks for itself, but the dispute still costs the buyer extra time.

Below is the scam plot.

Chapter 2 Man-in-the-middle attack

Step 1: Match a trade under a fake identity

Say John is a scammer. He needs to locate a buyer (call him Bob) and a seller (call her Sally). He sends friend requests to their WeChat accounts, which are usually accepted without a second thought.

Step 2: Man-in-the-middle identity

John pretends to be a buyer when chatting with Sally and a seller when chatting with Bob. To win their trust, the scammer may even present Bob's real ID to Sally and vice versa.

How does he get Bob's and Sally's real IDs? Easily. John can start a real trade with each of them on the OTC exchange and ask for ID documents in the name of KYC. It is a reasonable request and will be accepted. While at it, John may also ask for another messaging contact, such as Skype.

Step 3: Negotiate with buyer pretending to be the seller

John starts negotiating with Bob to learn the price and amount Bob wants. In this case, say Bob wants to buy 100 BTC.

Step 4: Negotiate with the seller pretending to be the buyer

John sends a buying request to Sally and settles the price and amount. Here comes the best part: John proposes that the trade be conducted through the OTC exchange's custody.

To be specific, take the Bitkan app as an example (it has a built-in OTC feature). John asks to buy 100 BTC from Sally at 9000 CNY/BTC and insists that the trade go through the app.

Under that arrangement Sally, the seller, would receive 900,000 CNY and pay a 0.3 BTC transaction fee to Bitkan (0.3%), which at 9000 CNY/BTC is 2,700 CNY, a lot in fiat terms.

Step 5: Propose to trade without custody by saving the transaction fee

John interrupts the normal process and proposes to the seller that the trade be done without custody to save the 0.3 BTC fee. He suggests splitting the saved 0.3 BTC in half so that everyone is happy.

Step 6: John proposes the same thing to the buyer, using the saved 0.3 BTC as bait.

Step 7: Switching the Bitcoin receiving address

John gives the seller his own Bitcoin receiving address and forwards Sally's fiat-receiving bank account to Bob.

Step 8: Bypass the KYC

With a transaction of this size, both Bob and Sally will be careful. They will almost certainly demand the highest level of KYC: each party holds up their ID and verifies over video chat.

Most scammers cannot get through this step, because a WeChat video call cannot be relayed through a middleman. Bypassing the video verification is the critical step of the trick.

John has to obtain Bob's other messaging account (e.g. Skype) and pass it to Sally, and at the same time demand that verification happen over Skype video, with excuses such as "we only use Skype and have no WeChat account" or "the PC has no camera". The point is that Sally and Bob must not verify each other over WeChat video chat.

Sally then places a video call to Bob. They talk and verify each other's ID. Busy traders cannot afford much time for the call, and if they fail to notice John's existence at this point, they are almost certain to fall into the trap.

Step 9: Bypass platform custody

With a transaction of this size, Bob and Sally will still have concerns even after verifying each other on video. John takes further steps to build trust on both sides.

John tells Sally (the seller) that, to protect her interest, the trade should proceed as follows: Bob (the buyer) places an order to buy 100 BTC from Sally, so that Sally's coins are put in custody. After the off-exchange deal is completed, Bob cancels the order and the coins return to Sally's account without any fee.

If Bob refuses to cancel, Sally can initiate arbitration and present the chat log as evidence, and she will get her coins back.

Sally's last doubt is resolved.

John tells Bob the same thing. Now they are ready to trade.

Step 10: Exit

Bob places an order to buy 100 BTC from Sally, and Sally's BTC is locked by the platform. Bob then sends the money to the bank account Sally provided. Sally receives the money and sends 100.15 BTC (100 BTC plus her half of the "saved" fee) to the address provided by John, which she believes is Bob's receiving address. Sally then asks Bob to cancel the order on the platform.

As far as John is concerned, he now holds 100.15 BTC, and it is time to abandon the WeChat account and disappear.

Chapter 3 The aftermath

At this point the scam is exposed, and Bob and Sally realise they have been cheated.

Sally's BTC has gone to the scammer's address and cannot be reversed. Bob's money is now sitting in Sally's bank account, which cannot be reversed either.

The only asset that is negotiable is the BTC in custody.

Sally will not release the coins, and Bob requests arbitration, asking the platform to transfer the coins to him.

Both Bob and Sally submit their chat logs for arbitration.

It is now up to the platform to decide. As far as I understand, the platform usually rules that the coins belong to the buyer, because Bob really did send the money and there is no incoming transaction on Bob's BTC address. It is not the platform's job to establish whether Sally sent coins to John's address.

The platform may still restrict BTC withdrawals from Bob's account while the dispute continues, and the asset may ultimately be decided in court.

At the end of the story, Bob pays 900k CNY (at 9000 CNY/BTC) and gets 100 BTC. Sally receives the 900k CNY, but she has sent 100.15 BTC to the scammer, handed over 100 BTC to Bob through arbitration, and paid 0.3 BTC in fees to the platform.

The seller suffers a heavy loss.
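The custody flow from Chapter 1 and the outcome described above can be replayed as a small ledger model. This is an example added by the editor, not code from the article or from any OTC platform; the account names, the 300 BTC starting balance, and the assumption that Sally paid John from her own non-custodied wallet are all constructed for the illustration. It shows why the "place an order and cancel it later" arrangement is worthless as insurance: custody only protects coins that flow through it, and the arbitrator can only see the bank receipt.

```python
from decimal import Decimal

FEE_RATE = Decimal("0.003")   # 0.3 %, matching the article's 1 BTC + 0.003 BTC example


class TradeError(Exception):
    pass


class OtcTrade:
    """One accepted ask order, with the seller's coins held by the platform."""

    def __init__(self, balances, seller, buyer, amount_btc):
        self.balances = balances            # account name -> available BTC
        self.seller, self.buyer = seller, buyer
        self.amount = Decimal(amount_btc)
        self.fee = self.amount * FEE_RATE
        self.locked = self.amount + self.fee
        if balances[seller] < self.locked:
            raise TradeError("seller cannot cover amount plus fee")
        balances[seller] -= self.locked     # platform freezes amount + fee
        self.state = "open"

    def _require_open(self):
        if self.state != "open":
            raise TradeError(f"trade already {self.state}")

    def release(self):
        """Seller confirms the fiat arrived: buyer gets the coins, platform keeps the fee."""
        self._require_open()
        self.balances[self.buyer] += self.amount
        self.balances["platform"] += self.fee
        self.locked = Decimal(0)
        self.state = "released"

    def cancel(self):
        """Buyer backs out before release: everything returns to the seller, no fee."""
        self._require_open()
        self.balances[self.seller] += self.locked
        self.locked = Decimal(0)
        self.state = "cancelled"

    def arbitrate(self, seller_received_fiat):
        """Platform rules on a dispute using the one fact it can check, the bank
        receipt. It does not (and cannot) account for on-chain payments that
        bypassed custody."""
        if seller_received_fiat:
            self.release()
        else:
            self.cancel()
        self.state = "arbitrated"


def onchain_send(balances, sender, receiver, amount_btc):
    """Irreversible transfer outside custody. Assumption: Sally pays from her own
    wallet, which the article does not specify."""
    amount = Decimal(amount_btc)
    if balances[sender] < amount:
        raise TradeError("insufficient funds")
    balances[sender] -= amount
    balances[receiver] += amount


def new_balances():
    # Constructed starting balances, in BTC.
    return {"Sally": Decimal("300"), "Bob": Decimal("0"),
            "John": Decimal("0"), "platform": Decimal("0")}


def run_honest_cancel():
    """The 'insurance' John promised: an order placed and then cancelled costs nothing."""
    b = new_balances()
    t = OtcTrade(b, "Sally", "Bob", "100")
    t.cancel()
    return b


def run_mitm_scenario():
    """Replay Step 10 and the Chapter 3 arbitration."""
    b = new_balances()
    t = OtcTrade(b, "Sally", "Bob", "100")          # 100.3 BTC frozen from Sally
    bob_paid_sally_fiat = True                        # 900,000 CNY by bank transfer, off-platform
    onchain_send(b, "Sally", "John", "100.15")        # Sally pays the address John supplied
    # Bob never cancels; the platform sees his bank receipt and releases to him.
    t.arbitrate(seller_received_fiat=bob_paid_sally_fiat)
    return b


if __name__ == "__main__":
    print("honest cancel:", run_honest_cancel())
    print("MITM scam:    ", run_mitm_scenario())
```

In the scam run Sally ends with 99.55 BTC of her original 300: 100.15 BTC went to John on-chain, 100 BTC to Bob through arbitration, and 0.3 BTC to the platform, while the honest cancel path returns all 300 BTC to her untouched.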

Chapter 4 If the seller plans to sue the buyer

The seller will certainly try to recover the loss. In this kind of man-in-the-middle attack the seller is probably not solely responsible, because both sides were scammed. The seller can prove that the buyer's payment does not correspond to the BTC held in custody on the platform. Legally, both parties are likely to be asked to bear part of the loss.

Of course, if the scammer can be found, the seller could recover most of the loss.

The problem is how to locate the scammer.

Chapter 5 MITMA 2.0

There is an upgraded version of this attack.

In the first variant the buyer himself is the scammer, and he can pull off the job even better. The buyer invents a "scammer" identity and talks to the seller in that role through a second WeChat account, while dealing with the seller as the buyer through his real one. In the end the buyer collects the coins twice for a single payment: once off-platform from the seller, and once from custody through arbitration.

Another twist is that the scammer creates fake WeChat accounts using the buyer's and seller's avatars and nicknames to fabricate chat logs. This makes it even harder for the platform to find out the truth.

Chapter 6 How to defend Man-in-the-middle attack in BTC OTC trade

Sellers must not conduct the trade off the platform. Saving a small transaction fee exposes the seller to far greater risk.

Use one messenger for the whole trading process, including the video verification. This rules out the scammer. Both parties should be extra careful when the counterparty asks to switch to another messenger, and should ask why. Probing for the real intention also leaves evidence for later.

Verify the BTC receiving address during the video identity check. Besides the ID and the bank account, the BTC receiving address is another item to confirm when the two parties verify each other. The BTC receiving address is no less important than a bank account number.
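One way to make the address check above mechanical, as an example added by the editor and not code from the article or from any OTC platform: the buyer's address as received in chat is decoded with Base58Check to catch typos and damaged copy/paste, and then compared byte-for-byte with the address the counterparty reads out or shows on the video call. A man in the middle controls the chat channel but not the live video, so the two copies must agree. Only legacy Base58 addresses (starting with 1 or 3) are handled; bech32 (bc1...) is out of scope here. The sample payload is a constructed 20-byte value, not a real key hash.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + 4-byte double-SHA256 checksum, Base58 encoded."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(address: str):
    """Return (version, payload); raise ValueError on bad characters or checksum."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        raise ValueError("address too short")
    body, checksum = raw[:-4], raw[-4:]
    if _sha256d(body)[:4] != checksum:
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return body[0], body[1:]


def address_matches(chat_address: str, video_address: str) -> bool:
    """True only if both copies are well-formed and identical in full.

    Compare the whole string, never just the first or last few characters:
    addresses sharing a chosen prefix are cheap to generate (vanity addresses),
    so a partial match proves nothing."""
    try:
        base58check_decode(chat_address)
        base58check_decode(video_address)
    except ValueError:
        return False
    return chat_address == video_address


# Constructed sample: version 0x00 (P2PKH) with a dummy 20-byte hash160.
SAMPLE_HASH160 = bytes(range(20))

if __name__ == "__main__":
    from_chat = base58check_encode(0, SAMPLE_HASH160)
    print("address from chat:", from_chat)
    print("matches video    :", address_matches(from_chat, from_chat))
    tampered = from_chat[:-1] + ("2" if from_chat[-1] != "2" else "3")
    print("matches tampered :", address_matches(from_chat, tampered))
```

During the video call the counterparty reads the full address aloud (or holds it up to the camera), the other side types it in as `video_address`, and any disagreement with the chat copy means the chat channel is not to be trusted, whatever the excuse.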

Chapter 7 End

Happy trading.