As the title of this post suggests, a considerable amount of coins were recently stolen from me following a combination of a well-orchestrated scam and my own naivety. I am posting my experience here as a warning to anyone who has anything invested in this space – it truly is the Wild West and people are out to get your money, simple as.
My experience started when I posted in the TokenPay Telegram group that I was having issues with staking my coins. I had close on 5000 TPAY coins from the ICO, which if they had sold next day at ICO price would have been about $25,000 worth. I was getting a couple of coins per day in staking, but they had suddenly stopped a day or so before, and I posted that the issues had started once I had installed a VPN (ironically I had done this as part of my recent efforts to increase security). Within a few minutes I received a DM from someone we’ll call Bill who announced himself as an admin and asked what issues I was having. Before replying I searched his name in the TG and found that, indeed, he was an admin and he had helped plenty of people in the past. He even had the same avatar that only the admins had, so that put my mind at rest.
The conversation was based around the issues I was having and he started by asking me to look at the debug file and let him know if there were any orphan files, if the wallet was flushing regularly…all technical things that didn’t strike me as being odd. After a day or two of back and forth in this vein, he sent me some code to put into the wallet.dat file. The code looked harmless (I’m no expert, mind) but I couldn’t find where to put it, so he offered to do it. This was the first alarm bell – he was asking for my wallet file. I didn’t like the sound of this so I asked another admin in the group via PM if this was safe but didn’t get a reply. Why didn’t I ask in the group? I don’t know – maybe I didn’t want to offend Bill by questioning his authenticity. Still, I figured, if I ask someone to hold my coins then he can’t steal anything from an empty wallet, then I can see how it looks when it comes back. So I sent a friend my coins and sent Bill the empty wallet file.
A few hours later Bill sent the wallet file back and asked me to stake for 24 hours, and to not forget to change the wallet password. At this point I should have looked at the file as it would have revealed to me the code was very different to the original file I sent him, but I didn’t. He was in no rush to get me to install the file, and indeed throughout all our exchanges there was no sense of urgency to get me to do things quickly. So I replaced the old file with this new one and launched the app. Everything seemed fine, and nothing happened to the tiny fraction of a coin I had left, so I assumed all was well. I asked my friend to send me back two coins as a test, and these came through pretty quickly, which was where I made my third mistake; I didn’t wait to see what happened to these coins after they confirmed. Instead my friend and I shared the following exchange:
So I saw these two coins arrive and confirm, followed by the other 4996…and felt my stomach fall through the floor as I saw them go straight out again to an address I had never seen in my life before. Of course I knew immediately what had happened and equally I knew there was nothing I could do, but still I closed down the app and deleted the wallet, acting out of sheer panic and desperation. By this point the adrenaline had kicked in and my body was preparing to fight…but there was no one to be angry at except myself. There was nothing I could do except sit there with the blood pumping in my ears, on the verge of vomiting, knowing that in about a minute’s time about $25,000 worth of coins were on their way to someone who, with my consent and help, had slowly scammed me over three days.
I loaded up the Telegram conversation Bill and I had shared, scanning up and down for God knows what, until his profile picture suddenly changed, his side of all our conversations vanished, and I knew he had deleted his account in a final act of severance. He had walked off with a healthy chunk of my money. I found the address he had sent the coins to, looked it up on the blockchain, and there they were – my 4998 coins in his account, freshly arrived. And nothing I could do about it. I told the friend who harboured the coins for me and emailed TokenPay, even though I knew there was nothing they could do, then spent the next three hours failing to go to sleep and going through every step in my mind, wondering how I could have been so stupid and why I hadn’t at any point gone with the conviction that I had had the entire time that something wasn’t right. My friend did some investigation on my behalf and found that the scammer’s username, which you would only see if you looked at his profile, was a barely detectable letter different than the username of the genuine admin by the same name. This is something else I should have checked but I just didn’t think to do. Again, no one else to blame but me.
Seeing as blockchain is blockchain there are no Police I can inform, so I just have to suck it up and hope that either TPAY doesn’t do very well or that I can perform some kind of home lobotomy to remove all references of it in my mind. My experience has taught me a number of valuable lessons and I will naturally be much more sceptical of anyone who I interact with inside the space. It was an expensive lesson, but I have to accept what has happened, move on and learn from it.
Below I’ve listed the lessons I have learnt from my experience that will hopefully help you avoid the same fate. It relates to Telegram as that’s how my scam originated, but the same theories can apply elsewhere:
- If anyone contacts you via a communication channel (social media, Telegram group etc.) first, be immediately wary. Admins of groups will usually not make the first communication to you.
- If you want to speak to an admin, confirm their identity before contacting them – admins will have ‘admin’ next to their name in the chat.
- If someone contacts you claiming to be an admin, compare their username with the username of the actual admin by clicking on their name and viewing their username. Copy and paste the usernames of the genuine admin and the one that has contacted you into notepad or Word to rule out any letter/number swaps that look similar in a different font (i.e. 1, I, I, L). This can sometimes be the ONLY difference between the two identities.
- Admins should NEVER ask to see any private keys, passwords or wallet files. If anyone asks for this, don’t under any circumstance give it to them as you have NO IDEA what they are doing to the file.
- Apply real world trust to online ‘authorities’. I heard of a genuine, long-term TG admin who walked off with a huge sum of money when someone trusted her enough to use her to facilitate a coin purchase. Treat people online as you would on the street – you don’t know anyone you met online from Adam, and even people who seem respectable are under no obligation to not steal from you, especially when potentially life changing sums of money are at stake. Remember, they know they can’t get caught.
- Get another opinion. Throughout this whole thing I didn’t ask anyone’s advice, trusting my own instincts until the point where I talked myself round to it being legit. Someone else might have spotted the different username, or warned me that sending a wallet file under any circumstances was a bad idea.
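The username comparison described in the list above can also be done mechanically rather than by eye. The following Python is an added example, not part of the original post: it folds look-alike characters together and reports whether a contact's username is identical to, a look-alike of, or plainly different from the genuine admin's. The look-alike groups beyond 1, I, l, L and the sample usernames are assumptions constructed for the example.

```python
import unicodedata

# Look-alike groups: the post's own examples (1, I, l, L) plus a few common
# digit/letter swaps. The extra groups are an assumption of this example.
CONFUSABLE_GROUPS = ["1il|", "0o", "5s", "2z"]
FOLD = {ord(ch): group[0] for group in CONFUSABLE_GROUPS for ch in group}


def skeleton(username):
    """Reduce a username to a form in which look-alike characters are equal."""
    name = unicodedata.normalize("NFKC", username.strip().lstrip("@"))
    return name.casefold().translate(FOLD)


def compare(genuine, contact):
    """Return (verdict, details) for a genuine admin username and a contact's."""
    a, b = genuine.strip().lstrip("@"), contact.strip().lstrip("@")
    if a == b:
        return "identical", []
    # Characters outside ASCII (e.g. Cyrillic letters) are reported by name.
    odd = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in b if ord(ch) > 127]
    if odd:
        return "non-ascii", odd
    details = []
    if len(a) == len(b):
        # Same length: list every position where the raw characters differ.
        details = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if skeleton(a) == skeleton(b):
        return "lookalike", details
    return "different", details


if __name__ == "__main__":
    # Constructed sample usernames, not the real accounts from the post.
    genuine = "@bill_admin"
    for contact in ["@bill_admin", "@biIl_admin", "@bi11_admin", "@bob_helper"]:
        verdict, details = compare(genuine, contact)
        print(f"{contact:14} {verdict:10} {details}")
```

A verdict of "lookalike" or "non-ascii" means the two names are different accounts that are easy to mistake for each other, which is the case the post warns about.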
So there we go. I hope this prevents someone else from getting scammed so some good can come of this nightmare. In the meantime, I guess you can put me in the same league as people who sold Bitcoin at $100 and thought they were getting out on top. I’m trying to stay philosophical, but if TPAY does well in the next bull run I know I’m going to be reaching for that calculator. I just hope I’m not near a bridge at the time.