Simplified Privacy

Nostr Phishing: Avoid Getting Your Bitcoin Stolen

Nostr’s privacy flaw is that anyone can see, in real time, the metadata of who is messaging whom. The Amethyst client currently lets you literally log in as them; only the DM content itself is gibberish. When you combine this with the fact that most Nostr users hold Bitcoin and are constantly downloading or trying out new clients, Nostr becomes the ultimate place for phishing scams. Even if no Bitcoin is taken directly, simply tricking someone into entering their private key into a scam client can be used to make them pay Bitcoin to keep their account from being wrecked.

In this article, I will give you some example scams I came up with, so you can immediately recognize real ones in the wild.

Scam #1) Target developer accounts
A hacker watches the incoming messages of a developer account. For example, if I were doing this, I’d target Lume, since his code has bugs and people are likely writing to him to complain about them. Then, when an incoming message arrives, I’d write from a different account claiming to be the dev on his desktop account rather than his mobile one, and link them to a scam download with the "bug fix".

Scam #2) Fake SimpleX
Many people on Nostr list their SimpleX URL in their profile. Whenever such a person sends an OUTGOING message, I’d pose as the recipient and immediately message them on SimpleX, saying to talk there because it’s safer.

Scam #3) Snowden’s DMs
Edward Snowden is among the most popular Nostr influencers. I’d watch Snowden’s incoming DMs. For literally anyone who contacts him, I’d immediately message from a different account saying that I’m trying to avoid surveillance with this burner account and let’s talk on SimpleX. Then, after a lot of back and forth, I’d tell them about a new privacy client to download.
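As an added example (not code from this article or from any Nostr client), the following Python shows the two points above: a kind-4 DM carries its sender and recipient in the clear while only `content` is encrypted, and a client-side check that flags a sender whose display name matches a pinned contact but whose pubkey does not, which is the impersonation every scenario above relies on. The pubkeys, profile names and events are constructed placeholders.

```python
import re
import unicodedata

# Constructed sample data: placeholder hex pubkeys (not real keys) and a
# ciphertext stand-in. A NIP-04 DM is a kind-4 event whose sender ("pubkey")
# and recipient (the "p" tag) are plaintext; only "content" is encrypted.
DEV_PUBKEY = "11" * 32    # hypothetical key the user pinned for a client dev
USER_PUBKEY = "22" * 32
SCAM_PUBKEY = "33" * 32

# Kind-0 profile names as any observer sees them: pubkey -> display name
PROFILES = {
    DEV_PUBKEY: "Lume Dev",
    USER_PUBKEY: "alice",
    SCAM_PUBKEY: "Lume\u00a0 Dev",   # lookalike name on a different key
}

# Contacts the user explicitly pinned by key (normalized name -> pubkey)
TRUSTED = {"lume dev": DEV_PUBKEY}

EVENTS = [
    {"kind": 4, "pubkey": USER_PUBKEY, "tags": [["p", DEV_PUBKEY]], "content": "<b64>?iv=<b64>"},
    {"kind": 4, "pubkey": SCAM_PUBKEY, "tags": [["p", USER_PUBKEY]], "content": "<b64>?iv=<b64>"},
    {"kind": 4, "pubkey": DEV_PUBKEY, "tags": [["p", USER_PUBKEY]], "content": "<b64>?iv=<b64>"},
]

def dm_metadata(event):
    """Return (sender, recipient) of a kind-4 DM; no key material is needed."""
    recipient = next((t[1] for t in event["tags"] if t and t[0] == "p"), None)
    return event["pubkey"], recipient

def normalize_name(name):
    """Fold Unicode compatibility forms, drop non-ASCII, collapse spaces, lowercase."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"\s+", " ", folded).strip().lower()

def classify_sender(event, profiles=PROFILES, trusted=TRUSTED):
    """'trusted' if the sender key is pinned, 'lookalike' if only the name matches."""
    sender, _ = dm_metadata(event)
    if sender in trusted.values():
        return "trusted"
    if normalize_name(profiles.get(sender, "")) in trusted:
        return "lookalike"   # same-looking name, different key: treat as impersonation
    return "unknown"

if __name__ == "__main__":
    for ev in EVENTS:
        sender, recipient = dm_metadata(ev)
        print(f"{sender[:8]} -> {recipient[:8]}: {classify_sender(ev)}")
```

Pinning by pubkey rather than by name or avatar is the check that defeats the "different account claiming to be the dev" step in all three scams.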

Spread the word to prevent this kind of thing before these scams become real.
