Keypoints
- Multiple phishing sites impersonate privnote.com and behave like the real service while altering cryptocurrency addresses in notes to attacker-controlled wallets.
- Victims discover address swaps via screenshots and testing; MetaMask maintainers confirmed privnote[.]co replaced crypto addresses in test notes.
- Phishing domains are registered under various names (e.g., Andrey Sokol, Alexandr Ermakov) and some registrations list the organization “BPW” and “Tambov district.”
- The operators host sites with providers such as DDoS-Guard (notably IP 186.2.163[.]216) and reuse infrastructure tied to other abusive sites like hkleaks[.]ml.
- Operators boost visibility through search-engine manipulation and legitimate-seeming content (e.g., Medium posts), rotating payment addresses roughly every five days.
- Targets include users of cryptocurrency wallets and underground cybercrime marketplaces; swapped-in payment addresses have collected substantial funds (nearly $18,000 over four days for one set of addresses).
- Related malicious domains include tornote[.]io, pirvnota[.]com, privnode[.]com, privatemessage[.]net, and several MetaMask-phishing variants.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – Clone sites mimic a legitimate messaging service to trick users into creating notes; quote: ‘…erect Privnote clones that function more or less as advertised but also quietly inject their own cryptocurrency payment addresses…’
- [T1036] Masquerading – Attackers register and use lookalike domains (e.g., tornote[.]io, privatenote[.]io) to impersonate privnote.com; quote: ‘…websites that mimic privnote.com.’
- [T1583] Acquire Infrastructure – Operators obtain numerous domains and hosting (via registrars Nicenic/WebCC and providers like DDoS-Guard) to run phishing sites; quote: ‘…registered through one of two registrars — Hong Kong-based Nicenic and Singapore-based WebCC…’
- [T1565] Data Manipulation – The phishing sites modify user-submitted note contents by swapping cryptocurrency addresses with attacker-controlled addresses; quote: ‘…showing the site did indeed swap out any cryptocurrency addresses.’
Indicators of Compromise
- [Domain names] Phishing and impersonation domains – tornote[.]io, privnote[.]co, and other lookalikes such as privnode[.]com and privatemessage[.]net.
- [IP address] Hosting/infrastructure – 186.2.163[.]216 (DDoS-Guard hosting used by tornote[.]io and related domains).
- [Registrant names/organization] Registration metadata tied to phishing clusters – Andrey Sokol, Alexandr Ermakov, and organization “BPW” (Tambov district) associated with many domains.
- [Related abusive domains] Other malicious sites sharing infrastructure or registration patterns – hkleaks[.]ml, rustraitor[.]info, and multiple MetaMask-phishing variants like metarrnask[.]com.
- [Cryptocurrency payment addresses] Swapped-in payment addresses used to collect funds – four malicious addresses shown in screenshots that together moved nearly $18,000 between March 15–19, 2024 (specific addresses shown in source screenshots).
A technical summary of the attack procedures: Operators register numerous Privnote lookalike domains and host them on shared abusive infrastructure (notably DDoS-Guard IP 186.2.163[.]216) to run fully functional clones of the self-destructing message service. These clones reproduce the expected UI and behavior so victims create notes normally, but the server-side logic detects and replaces any cryptocurrency wallet addresses in new notes with attacker-controlled payment addresses before presenting the note link or content.
To increase victim traffic and trust, the attackers use SEO techniques and legitimate-seeming content (for example, Medium posts) to push phishing domains high in search results for “privnote,” and they rotate the injected cryptocurrency addresses periodically (roughly every five days) to frustrate tracking and blacklisting. The infrastructure and registration patterns (registrars Nicenic/WebCC, registrant strings including “BPW” and names like Andrey Sokol/Alexandr Ermakov) are reused across multiple phishing, doxing, and credential-harvesting sites, and the stolen funds are consolidated and moved out, with at least one set of swapped addresses moving nearly $18,000 in four days.
Defensive takeaways: block or flag lookalike domains and the hosting IPs, monitor for server-side data manipulation on third-party messaging services, treat any privnote-like link with caution (verify domain and payment addresses out-of-band), and track registrant/registrar patterns and rapid cryptocurrency-address rotation as indicators of coordinated phishing campaigns.
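A defender-side check for the address-swapping behaviour described above, added here as an example and not code from the KrebsOnSecurity article or from any of the sites it describes: it extracts cryptocurrency addresses from a note as the user wrote it and from the same note as the service served it back, and reports every position where the address changed. The address patterns and the sample note are constructed for this example.

```python
import re
from itertools import zip_longest

# Address patterns used by this example (constructed, not from the article):
# bech32/bech32m Bitcoin, base58 P2PKH/P2SH Bitcoin, and hex EVM addresses.
ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,87}"      # bech32 (charset excludes 1, b, i, o)
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"      # base58 (charset excludes 0, O, I, l)
    r"|0x[0-9a-fA-F]{40})\b"                 # Ethereum / EVM
)


def extract_addresses(text):
    """Return every cryptocurrency address in text, in order of appearance."""
    return ADDRESS_RE.findall(text)


def detect_swaps(sent, received):
    """Compare a note as the user wrote it with the note as the service served it.

    Returns (sent_address, received_address) pairs wherever the two differ.
    Position-wise pairing is enough for the behaviour the article describes:
    the clone leaves the surrounding text intact and only rewrites the address
    strings. A count mismatch is reported with None on the missing side.
    """
    pairs = zip_longest(extract_addresses(sent), extract_addresses(received))
    return [(a, b) for a, b in pairs if a != b]


# Constructed sample note: the Bitcoin address is replaced on the way back,
# the Ethereum address is left untouched, so only one swap should be reported.
SENT = ("Send 0.05 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 or ETH to "
        + "0x" + "ab" * 20 + " before Friday.")
RECEIVED = SENT.replace("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
                        "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy")

if __name__ == "__main__":
    for original, replacement in detect_swaps(SENT, RECEIVED):
        print(f"address rewritten by the service: {original} -> {replacement}")
```

The same comparison works as an out-of-band check before trusting any payment address received through a third-party note link: keep what you sent, fetch what the recipient sees, and diff the addresses rather than the whole note.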
Read more: https://krebsonsecurity.com/2024/04/fake-lawsuit-threat-exposes-privnote-phishing-sites/