More than $3.3 million has been stolen as part of an elaborate scam that took advantage of bitcoin users seeking to claim their share of the newly created cryptocurrency bitcoin gold.

Perpetrated by the operators of a website called mybtgwallet.com, the scheme prompted users to submit their private keys or recovery seeds as a means to generate bitcoin gold wallets, as seen on an Internet Archive snapshot. Shortly after users did so, however, the cryptocurrency holdings in their wallets were sent to different addresses.

At least $30,000 in ethereum, $72,000 in litecoin, $107,000 in bitcoin gold and more than $3 million in bitcoin were confiscated, according to self-reported numbers verified by CoinDesk.

In an interview, victims blamed the association of the website with the official bitcoin gold project as a source of the effectiveness of the operation.

One of the victims, Mikel Martin, explained to CoinDesk:

“I reached this site by following the link at [the] bitcoingold.org official website so I trusted it. Yesterday afternoon I noticed both my BTC and BTG stored in that wallet were gone.”

Safety assurances?

Before the thefts became apparent, the team behind bitcoin gold – an effort to create a new version of bitcoin that would restrict the types of hardware that can be used for mining – promoted mybtgwallet.com on their Twitter account, assuring users that it was safe to use on multiple occasions.

The person behind the service was, to an extent, ingratiated in the nascent BTG community, including its Slack channel. The website was developed by a user named John Dass, though it is unclear whether this is the developer’s actual name or a pseudonym.

Further, the Bitcoin Gold website also included a balance checking tool based on code that was shared on GitHub on their website for a brief period of time, though the window only asked for a wallet address and included a disclaimer that users shouldn’t share private keys. The Bitcoin Gold team has clarified that the malicious code itself was never present on their official website.

Yet once the thefts became apparent, the news quickly spread.

An analysis of the site’s code by Reddit user Uejji four days ago found that the site stored the recovery keys, which were later sent to the site’s owner. The site claimed to be open-source, but all of the source code was changed on GitHub after the scam was initiated, said Torsten Sandor, a spokesperson for Exodus, a digital wallet whose users lost funds in the scam.

Some of the victims of the scam used this wallet, which allowed the company to put together how the scam operated for one of their users, he said.

“The user gave his recovery seed to the site and his wallet emptied,” he told CoinDesk, adding:

“This only happened with bitcoin gold. It’s a very interesting fork … I think it’s extremely unfortunate that new investors, people who know little about crypto, started buying into it.”

Scam response

Representatives from the bitcoin gold say they’re moving to figure out a remedy to the situation.

After first being made aware of the scam, the launched an internal investigation, according to spokesperson Edward Iskra. In a published statement, Bitcoin Gold developers said they were “working with security experts to get to the bottom of this issue,” but did not clarify who these experts were.

Iskra told CoinDesk that, initially, John Dass claimed innocence during this investigation.

“The investigation increasingly indicated that the original developer, ‘John Dass,’ was responsible for the fraud all along … He has dropped out of touch with us, as well,” he said.

While Dass was in the bitcoin gold Slack channel with a “developer” tag, he was not a part of the project’s formal team, Iskra said.

There was “no formal relationship at all. He did interact with our devs in the Slack regarding developing his open-source code [and] his web site,” he told CoinDesk. “The BTG Twitter account was simply supporting an individual in the community who was supporting BTG – that was their sole intent, at the time.”

The Bitcoin Gold team will make a further announcement about their investigation within the next few days, Iskra said.

Mybtgwallet image via Nikhilesh De / CoinDesk; Car with boot via Shutterstock

Correction: A previous version of this article inaccurately indicated that the fraudulent BTG wallet was embedded on their official website. This report has been updated for clarity.