Nostr Phishing 101: How to Avoid Getting Your Bitcoin Stolen
Nostr’s privacy flaw is that anyone can see, in real time, the metadata of who is messaging whom. The Amethyst client currently lets you literally log in as them; only the DM content itself is gibberish. Combine this with the fact that most Nostr users hold Bitcoin and are constantly downloading or trying out new clients, and Nostr becomes the ultimate place for phishing scams. Even if the Bitcoin is not stolen directly, simply tricking someone into entering their private key into a scam client can be used to make them pay Bitcoin to keep their account from being wrecked.
In this post, I will give you some example scams I came up with, so you can immediately recognize real ones in the wild.
Scam #1) Target developer accounts
The attacker watches the incoming messages of a developer account. For example, if I were doing this, I’d target Lume, since his code has bugs and people are likely writing to him to complain about it. Then, when an incoming message arrives, I’d write from a different account claiming to be the dev on desktop, not mobile, and link them to a scam download with the “bug fix”.
Scam #2) Fake SimpleX
Many people on Nostr list their SimpleX URL in their profile. Whenever such a person sends an OUTGOING message, I’d pretend to be the recipient and immediately message them on SimpleX, saying to talk there because it’s safer.
Scam #3) Snowden’s DMs
Edward Snowden is among the most popular Nostr influencers. I’d watch Snowden’s incoming DMs. Anyone who contacts him, I’d immediately message from a different account saying that I’m trying to avoid surveillance with this burner account, so let’s talk on SimpleX. Then, after a lot of back and forth, I’d tell them about a new privacy client to download.
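As an added illustration (not part of the original post), the Python below shows what a kind-4 Nostr DM exposes to every relay and observer even though its content is encrypted, and a simple client-side check for the “same name, different key” pattern behind all three scams above. The event, pubkeys and contact book are constructed placeholders, not real keys.

```python
import json

# Constructed kind-4 (NIP-04 style) DM event; pubkeys and ids are placeholders.
SAMPLE_DM = json.dumps({
    "id": "placeholder-event-id",
    "pubkey": "aaaa1111",               # sender pubkey, in the clear
    "created_at": 1700000000,           # timestamp, in the clear
    "kind": 4,
    "tags": [["p", "bbbb2222"]],        # recipient pubkey, in the clear
    "content": "Q2lwaGVydGV4dA==?iv=SVY=",  # the only encrypted part
    "sig": "placeholder-sig",
})


def visible_metadata(event_json):
    """Return what anyone watching a relay learns from a DM without any key."""
    ev = json.loads(event_json)
    if ev.get("kind") != 4:
        return None
    recipients = [t[1] for t in ev.get("tags", []) if len(t) > 1 and t[0] == "p"]
    return {"from": ev["pubkey"], "to": recipients, "at": ev["created_at"]}


# Constructed contact book: pubkey -> display name of contacts verified earlier.
KNOWN_CONTACTS = {"bbbb2222": "Lume", "cccc3333": "Snowden"}


def _normalize(name):
    """Fold case and drop punctuation so 'Lume (desktop)' still matches 'Lume'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def impersonation_warning(sender_pubkey, sender_name, known=KNOWN_CONTACTS):
    """Flag a DM whose sender uses a known contact's name but a different pubkey.

    Returns a warning string, or None when the sender is a verified contact or
    the name matches nobody you know.
    """
    if sender_pubkey in known:
        return None  # same key as a contact you already verified
    wanted = _normalize(sender_name)
    for pk, contact_name in known.items():
        norm = _normalize(contact_name)
        # exact match, or the known name with a suffix like "(desktop)"
        if wanted == norm or wanted.startswith(norm):
            return (f"'{sender_name}' looks like contact {pk} but was sent from "
                    f"{sender_pubkey}; verify the key out of band before acting")
    return None
```

A client that surfaces this warning gives the recipient a chance to confirm the key through a channel the impersonator does not control.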
Spread the word to prevent this kind of thing before these scams become real.