in LeoFinance2 years ago (edited)


It looks like the usual phisher that has been plaguing Hive for months is still using the hacked account with high reputation @nachomolina to spread phishing.

Since he was not successful spamming phishing links through comments, he now started sending out waves of phishing memos into your wallet. WATCH OUT!



There was not a Hive database hack (of course, hive is decentralized).. it's just phishing!

@keys-defender (after a delay caused by a [now fixed] bug) has been automatically replying to all users that received such phishing memos.



The memo-autoreply occurs automatically for any phishing link that gets reported using my !PHISHING command (eg. "@keys-defender !PHISHING").

Furthermore, thanks to the newly introduced "moonwalk scan" improvement, older memos (and comments) in previous blocks will also be auto-responded to soon after a new phishing link is reported. So keep doing your part and report anything suspicious!

Take care and keep your private keys safe!


Keys-Defender features:

- Keys protection [live scan of transfers/posts/comments/other_ops. Warnings (reply and memo), auto-transfers to savings until fully restored, auto-reset of keys, ..] {see automatic posts on leak and monthly reports}
- Phishing protection [live scan of comments and posts to warn users against known phishing campaigns and compromised domains or accounts, scan of memos and auto-replies, anti phishing countermeasures - eg. fake credentials]
- Re-posting detection [mitigates the issue of re-posters]
- Code injection detection [live scan of blocks for malicious code targeting dapps of the Hive ecosystem]
- Anti abuse efforts [counteracts spam from hive haters and milking campaigns]

To support this project..
- Delegations:
10, 50, 100
500 HP, 1000 HP
- Curation trail: Follow my curation trail on to upvote all my posts with a fixed weight.

UPDATE 06/07/21 00:50
About 1 hour ago the phisher went full-blast on steem


New link now blacklisted in case he starts spreading it on Hive too.

UPDATE: (07/07 9pm)
the attacker must have tested a phishing link and once figure out that it did not receive my auto-reply (@keys-defender was temporarily down due to a connectivity issue) it went full blast on hive too with this new PHISHING message:
Old blocks now being scanned in parallel with new blocks added to the Hive blockchain.

UPDATE: (08/07)
New phishing wave being counteracted and targeting Leo users again.


The thing that bothers me the most about this, is how awful that lie is. What the fuck is a "Hive Email Database" even supposed to be? Even if there was one, why would that put an account's keys at risk? How many people signed up with an email anyways? Of those people, why would they think their key is attached to it?

Unfortunately, I know some people may still fall for this, but god damn I hate when scams seem to not even try. For instance, their whole scam is just a ploy to get you to enter your private key into a fake HiveSigner page:


Look legit, right? (well, expect for that domain, which by the way hosts a fake steemconnect app on it's main page) Here's where their lack of efforts reveal themselves. Click on any of those links in the footer (Apps, Accounts, etc.), and you'll see the scammers didn't even bother implementing something for them:


It's truly bottom of the barrel effort here, and even then it's still so pathetic.

By the way, when you enter a key into that fake HiveSigner app, for those curious, it submits your username & key to the scammers database, so they can harvest them & presumably lock you out of your account before draining all of the funds, and then responds with:

Which basically just ends up redirecting your browser to show this:


No actual account -> key verification checking... So... I'm not saying you should flood their fake HiveSigner app with a bunch of fake username + key combinations... I'm just saying if one were to write a script that just submits fake data every second & runs in non-stop... Technically, it would be very hard for the scammers to wade through the bullshit data to find the real data. Unless they wrote a script themselves to auto try all the data they get... Which would mean we'd want several good guys to run the fake-data script all day every day... Anyways, I'm just pointing out the obvious here, and totally not suggesting anything...

Thanks for you work in fighting this.

  • I already posted such a script a few months back: ;)
  • The attacker is so lazy that always uses the same fake hivesigner page so that code should still work. It just needs to point to the new endpoint + “/submit.php”
  • I have been running already a version of it improved in time, as mentioned in other comments down here =]
    I do run it every time and noticed that when I do their next attack starts later because they spent more time trying the thousands of credentials (script, multiple people manually? Not sure).
    In other attacks they were trying to collect people’s username and passwords to do credentials stuffing into their email provider. I suspect that’s how they found a private key of a user that unfortunately lost 200 k 😌

How many people signed up with an email anyways?

Right, I forgot about the sign up emails. I created my accounts through code and paying 3 HIVE :)

I’ll tell you more (since this is not sensitive anymore). A few months back their profile ID leaked into their phishing page code so I was able to programmatically poll that profile every 30s to found out immediately when they published a new phishing site. That way multiple times their attack stopped immediacy because they were already discovered. I must have driven them crazy because eventually they stopped (or at least for a couple of months - until now that they started using a different hosting provider).

There is also great work by other people like @guiltyparties and @louis88 that immediately contact the hosting services to take the phishing site down!

We are collecting more intel on them as they keep making mistakes. Stay tuned 😉

Ah, I see you're way ahead of me on that one 😅

Yeah, I noticed this recent domain is being hosted on which I believe is a Google hosting service, so hopefully it'll be easy to send in phishing reports.

Again, great work fighting against these attacks. Cheers! 🍻

Thanks, and thank you for the delegation as well!   =]

Thanks for what you are doing, you helped me to avoid this scam on a post a while back. I probably wouldn't have fallen for it, but who knows. Keep up the good work :-)

I think @peakd and other front ends should allow hiding all messages as default. This helps newcomers a lot IMO.

Because how many are really useful for average?

Yeah, I agree

Thank you for getting the word out. I love fish but I do not care much for phishers.

Leo Finance Phishing Threats

Image above borrowed from

Posted Using LeoFinance Beta

I’m gonna steal one from @nonameslefttouse

I love fish

Your comment made me imagine if fish is good on !PIZZA! 😁😅



@sgt-dan! I sent you a slice of $PIZZA on behalf of @savvyplayer.

Learn more about $PIZZA Token at (1/10)

Thanks for the job you do exposing these bastards.

Posted Using LeoFinance Beta

Appreciate the info. my stuff seems fine .

What do you mean? How did you check??
I hope that you did NOT use the link you received in your wallet that invited to do so on their phishing website.
As usual I am submitting into the phishing site thousands of fake private keys so that should give us some time but If that’s the case, reset your keys immediately!

Oh no I know there's nothing in my wallet it's the same as it was a month ago. There's no links and then you're talking about below the wallet of course I'm going to ignore those 100%

We appreciate your efforts to recognize those links.

Doing my best to improve @keys-defender when I have time. Slow and steady wins the race.

The truth

they are exploring new ways to do that. This is really bad I hope no one has used their link.
thanks for the information

thanks, have a great day and weekend 🙏

Yeh hopefully they’ll read my memo on top first.
Thanks, you too.

Thanks so much for this reminder.

Thanks for such an important info will definitely be avoiding such link.

Thanks for all you do.