Update Feb 11, 2021
Internet.bs, the registrar, initiated a Whois Verification on the domain when we opened the ticket two days ago and informed us yesterday that it had passed. Registrars frequently use this method when suspicious sites are reported, because scam sites are typically registered by people using bogus contact details; when they fail a Whois Verification the registrar has grounds to suspend them.
Yesterday they told us the end user passed the Whois Verification process, which bolsters our original suspicion that the domain did not expire or get transferred directly by the registrar: somebody has access to the original registrar account for the domain. (Perhaps via a credential stuffing attack? Gerald Cotten had at least one extremely weak password in the past which can be found in dumps like Exploit.in or antipublic.)
Hostinger, for their part, asked for further info or proof that people were being scammed. After forwarding them the Coindesk article citing that Ernst & Young were the court appointed trustees who were warning the public about the fake site, we got word this morning that the account has been suspended.
It was brought to my attention today that what looks to be a fake version of the QuadrigaCX website has been set up on their old domain of quadrigacx{.}com.
QuadrigaCX was the Canadian crypto-currency exchange that infamously failed in early 2019 after its CEO, Gerald Cotten reportedly died while in India, taking the private keys to the exchange’s cold wallets into the beyond with him.
Whether that’s really how it played out or not has been open to speculation ever since. There is some conjecture that Cotten faked his own death or was possibly even murdered. There has been pressure to exhume his body but the RCMP haven’t talked about whether they will or have.
Our proximity to this story is just some general weirdness around the fact that Cotten and I exchanged emails twice in the days leading up to his death. The emails were completely routine in nature and conveyed no signs of anything being out of the ordinary on Cotten’s end. Considering Cotten reportedly died of complications surrounding Crohn’s disease, I’ve always found that odd. (QuadrigaCX was an early client of our Domainsure service, and I duly reported my contacts with Cotten to the RCMP once the circumstances around his death and the failure of the exchange were under investigation.)
The website is a near replica of the original, built from what appear to be captures (possibly from the Wayback Machine) of previous versions of the site, since the BTC ticker crawl at the top of the screen is static and very outdated.
At first I thought that the domain must have expired and been grabbed by snipers, but looking at the Whois history via DomainTools shows that the name was always with this current registrar (Internet.bs out of the Bahamas), which I remember from my notes and from working with them back in 2018. (It also shows the domain as being listed for sale via GoDaddy’s aftermarket, and a Wayback Machine snapshot from January 17th shows a standard-issue PPC / domain-for-sale page.)
So it would appear as if somebody has access to the domain’s original registrar account and modified the nameserver settings from there (they were originally on Cloudflare and now point to a parking service).
We have an abuse ticket open with Internet.bs and Hostinger, the domain’s current hosting provider.
At the moment neither the “login” nor the “register” functions seem to do anything, but it sure looks as though somebody is in the early stages of trying to pass off this site as the real deal.
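One way to monitor a domain portfolio for exactly this failure mode, as an added example that is not code from easyDNS, Domainsure or this post: it reads an RDAP-style record (a constructed sample, where the expiry timestamp is the one quoted in the comments below and the domain and nameserver hostnames are placeholders), compares the delegated nameservers against a known-good baseline, and checks whether the domain is past expiry, which separates a drop-catch or registrar resale from a change made through the registrar account.

```python
# Added example (not easyDNS/Domainsure code): flag nameserver drift and check
# expiry on an RDAP-style record. Field names follow RDAP JSON (RFC 9083).
from datetime import datetime, timezone

# Constructed sample record. The expiry timestamp is the one quoted in the
# comments; the domain and nameserver names are placeholders, not real hosts.
SAMPLE_RDAP = {
    "ldhName": "example.com",
    "nameservers": [{"ldhName": "NS1.PARKING-EXAMPLE.NET"},
                    {"ldhName": "ns2.parking-example.net."}],
    "events": [
        {"eventAction": "registration", "eventDate": "2013-11-12T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2021-09-17T05:52:24Z"},
    ],
}
# Known-good baseline the zone should delegate to (assumed placeholder names).
BASELINE_NS = {"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"}

def parse_ts(stamp):
    """Parse an RDAP timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def nameservers(rdap):
    """Delegated nameservers, normalised to lowercase without trailing dot."""
    return {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}

def expiry(rdap):
    """Expiration datetime from the events list, or None if not present."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return parse_ts(ev["eventDate"])
    return None

def assess(rdap, baseline, now_stamp):
    """Return findings. An unexpired domain whose delegation left the baseline
    points at registrar-account access rather than a drop-catch or resale."""
    now = parse_ts(now_stamp)
    findings = []
    current = nameservers(rdap)
    if current != baseline:
        findings.append("nameserver drift: expected %s, got %s"
                        % (sorted(baseline), sorted(current)))
    exp = expiry(rdap)
    if exp is not None:
        findings.append("expired" if exp <= now else "not expired")
    return findings

if __name__ == "__main__":
    for line in assess(SAMPLE_RDAP, BASELINE_NS, "2021-02-09T12:00:00Z"):
        print(line)
```

Run on a scheduled pull of your own domains' RDAP records, a drift finding on a domain that reports "not expired" is the signal worth paging on.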
Anonymoose says
Judging by the expiry date, 2021-09-17T05:52:24Z, it seems to me that the domain in question isn’t past its expiry date and thus wasn’t renewed by the registrar.
Will be interesting to watch.
Anonymoose says
By “renewed” I meant to say “resold” (i.e. the practice of *some* registrars of reselling certain expired domains before they drop at the registry).