Millions stolen in crypto scam impersonating HitBTC exchange, SlowMist warns

Four addresses were flagged by a crypto compliance platform, which also received messages from the scam victims asking for help

A thief sitting on a pile of dollars
HitBTC impersonators steal millions while users cannot withdraw money from real crypto exchange

On Monday, MistTrack, a crypto compliance platform operated by SlowMist, posted a disturbing scam alert on Twitter. According to the data collected by MistTrack, a malicious actor has been impersonating the crypto exchange HitBTC since at least June 2022 to mislead users and steal their money.

The unsettling fact is that HitBTC itself has not gained a good reputation among users despite its decade-long presence on the market. According to MistTrack, the exchange impersonator has nevertheless managed to steal over $15 million worth of cryptocurrencies. The hitbt2c.lol website is a fake clone of hitbtc.com, set up to transfer funds deposited by scam victims to one of the addresses mentioned by MistTrack.

The Bitcoin address on this list, 3JMjHDTJjKPnrvS7DycPAgYcA6HrHRk8UG, was reported nine times at the time of publication, as per Bitcoin Abuse Database, and received a total amount of about 60077.55 BTC.

Read also: Hackers have stolen over $30 billion of crypto since 2012

Unfortunately, the scammers related to this address have significantly progressed with their criminal activity since the first report, which was filed more than two years ago, and called for action to be taken "to stop this crime."

"Connected to the Chinese pig slaughtering scams, this is where all the money seems to go. The fake websites appear to be an exchange called "BiUP." I'm shocked at how much money has been through this scam account," and "The address is linked to a romance trading scam operated in South East Asia," the follow-up reports from 2021 said. Ransomware and blackmail scams were also mentioned in the reports.

One of the theories the SlowMist team came up with during the investigation is that the final recipient of the money stolen through the Bitcoin address belongs to an authorized wBTC custodian on the official proof-of-reserves list for Wrapped Bitcoin.

The Ethereum address mentioned in MistTrack's tweet has received over 11.5 million worth of stablecoins in a year and a half, including USDT, USDC, and DAI.

The fake HitBTC is not the only example of a phishing website that tricks users into making deposits that cannot be withdrawn. SlowMist warns that the Coinone exchange has its malicious clone as well.

More problems with HitBTC

Interestingly, with a daily trading volume of $436.2 million reported by CoinGecko at press time, HitBITC itself does not enjoy a high rating on review websites. For instance, at press time, it received 1.6 out of five stars on the consumer business review platform Trustpilot.

In addition, many users who left reviews believe the exchange is itself a scam. Many customers claim that HitBTC has changed their passwords and it is practically impossible to access their accounts and funds again, while others have problems with withdrawing their money even if there are no complications with the logging process.

The exchange has not published any information about fraud attacks reported by MistTrack.

"I would give them 0 stars if I could. They are clearly a fraud. Changing customer passwords so people can't log in and then taking forever to get the details again. Charging inactivity fees without any notification. Withdrawals don't work. The whole system is designed so they benefit from your money. Avoid them," Trustpilot user Julian wrote on April 30.

Other review platforms have similar opinions about HitBTC. For example, an anonymous user of the business software and services website g2 complained that the company introduced a $10 monthly fee for inactive users, which was not officially communicated to customers. This particular user had stored the LOC token since 2018 and regularly checked the deposit, only to find out this year that the cryptocurrency worth $150 had disappeared.

"Turns out HitBTC introduced 'inactivity fees' in 2021, which gave them the 'right' to help themselves to inactive users' funds to the tune of $10 per month, but conveniently 'FORGOT' to email users to inform them of this," the HitBTC customer explained.

Such reviews, especially those coming after 2022, raise certain suspicions about the possibility that unlucky users have been dealing with the exchange impersonator. However, judging by HitBTC's active responses on Trustpilot, customers might have indeed had problems using the real version of the crypto exchange.

Still, despite these issues, the wide range of tokens that can be traded was often cited by HitBTC's customers as its advantage over many other crypto exchanges.