Addresses in the main bitcoin network ("mainnet") start with either "1" or "3". Addresses starting with "m" or "n" are from one of the so-called testnets, where programmers test new features/ideas and fix bugs before they are integrated in the mainnet. You can get large amounts of testnet bitcoins in many faucets without paying a single penny for them, thus they have no resell value. Not knowing these things has been making quite a few people victims of scams.

A new friend I just made told me the following story: this random guy on Facebook was advertising 3 BTC for 30,000 BRL -- almost 40% cheaper than the price on the major brazilian exchanges at the time, which was hovering above 16,000 BRL per bitcoin. He contacted the guy, who later replied he should install the Copay wallet "because it allows you to confirm I sent you the bitcoin but have it locked until I confirm your bank deposit." My friend installed the wallet, sent him the address and in a few seconds here's what he saw:

Would you have noticed the "TESTNET" box if I hadn't warned you? Well, neither my friend -- it's so easy to miss. But to "play it safe", he tapped in the transaction history, then on the "see it on the blockchain" button and got this:

If I hadn't told you that real bitcoin addresses start with "1" or "3", would you have thought something was wrong? Would the "test-insight.bitpay.com" in the upper bar ring any alarm bells? Well, my friend thought everything was fine, made the bank transfer and showed all this to me a few days later when we met. It's sad that my first conversation with him was to inform he was scammed.

(By the way, I'd like to thank my friend for the actual screenshots of the incident and for allowing me to use them in this post. You know who you are and I'll uphold your request to remain anonymous.)

There are so many wrongs with this story that I have a hard time choosing where to start, but here it goes anyway:

Buying things -- anything, not just bitcoin -- from random people who you know nothing about is risky. That's why sites like Ebay or MercadoLivre exist -- and even they become rife with scams sometimes. For bitcoin, prefer well established marketplaces -- here in Brazil, try the ones listed at bitvalor.com.

If it looks like too good/cheap to be true, it probably is. (That's actually the most defensible part of my friend's story; the spot price here in Brazil often has a +30% premium over the overseas prices, so someone selling at -38% was not entirely implausible.)

A key mistake in this case was installing a specific version of an app from an URL sent by the scammer. That was how my friend was tricked into using the testnet version of the Copay wallet. Never install an app you know nothing about from someone you know nothing about. There is rarely a need to use anything but the bitcoin wallet you are already comfortable with.

Many bitcoiners, even seasoned ones, have no idea that the testnet exists and its addresses have different prefixes.

The only thing my friend could do was to call his bank and report the issue. I encouraged him to do so even as I thought his chances to see the 30 KBRL back were slim at best, given it all had happened a couple days earlier.

I was somewhat surprised to learn a few days later that he did get some compensation -- the bank contacted the guy on the other side, who obviously denied everything, but the bank took upon itself to seize the scammer's balance (slightly less than 5,000 BRL) and send it back to my friend. The original 30,000 BRL was, obviously, long gone, but there had been a more recent deposit.

The incident left me wondering: who and what is right and wrong in all this? My friend's gullibility and lack of knowledge about bitcoin? His/her eagerness to jump into what superficially looked like a bargain? The scammer who takes advantage of such gullible people? Is the Copay wallet to blame for having its testnet operations so visually similar to the real mainnet? Should the bank really have the power to seize people's money at their own discretion and adjudicate at a mere report with little evidence? Were they justified in doing so? What if they hadn't? Would they be justified in not doing so? What if the whole story was itself a scam and my new friend (remember, I just met him/her) was in cahoots with the supposed scammer? Is it fair to say that "bitcoin is not secure" because of incidents such as this? I have my opinions, but I'd love to hear yours.