My short analysis of TheHedgeCoinGroup:
I too have been exchanging a few emails with them looking for a new hosting location.
I also spent a bit of time researching anything I could find related to them on the web, looking for indications of whether it is legit OR fraud.
My conclusion is that there is a medium to high probability this is fraud. Not conclusive, but highly likely. Would love to be proven wrong.
Below are my reasons leaning towards being fraudulent:
a. Only accepts bitcoins as payment and no wire transfer.
b. Domain registered only 3 months ago: Creation Date: 2017-09-08T16:35:42.00Z
c. Domain with private registration.
d. Elusive with photos/images.
e. Unable to verify identity of individuals I exchanged emails with. Very little on LinkedIn, web searches, China's version of LinkedIn, etc.
f. Large inventory of many machine types available when I inquired about purchasing machines. No one has inventory like this sitting around.
g. Text on web site seems to be copied from other sites.
h. Claims to be in China with mining location in Mongolia, but a bit of forensic analysis on the source email appears to indicate whoever emailed me did so on a browser from Alberta, Canada. This is the needle in the haystack.
I exchanged emails with Vince and analyzed everything I could in the header, writing styles, etc.
The email was generated using Microsoft Office 365 and OWA.
Emails originating from IP: 184.68.199.50
This is visible in the headers, where we can see:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=info@thehedgecoingroup.com;
x-originating-ip: [184.68.199.50]
IP2Location lookup on IP 184.68.199.50 indicates a physical location of Canada, Alberta, Calgary, from Shaw Communications Inc.
A bit more research -- this is tied to a DSL line in Canada from Shaw Communications.
A bit more searching... the ISP IP is also in an SPF record for
www.patchingassociates.com "v=spf1 mx ip4:184.68.199.50 include:spf.protection.outlook.com -all"
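To show how the two header observations above (the x-originating-ip value and the spf= verdict) and the quoted SPF record can be checked mechanically, here is an added example; it is not code from the original post. It constructs a small header block from the two header lines quoted above plus an assumed From: line, parses it, and tests the originating IP against the literal ip4:/ip6: mechanisms of the quoted SPF record. It does no DNS lookups, so the mx and include: mechanisms are reported as unresolved rather than evaluated.

```python
import re
import ipaddress

# Constructed sample: the two header lines quoted in the post, plus an assumed From: line.
SAMPLE_HEADERS = """\
authentication-results: spf=none (sender IP is ) smtp.mailfrom=info@thehedgecoingroup.com;
x-originating-ip: [184.68.199.50]
from: Vince <info@thehedgecoingroup.com>
"""

# SPF record quoted in the post for www.patchingassociates.com.
SPF_RECORD = "v=spf1 mx ip4:184.68.199.50 include:spf.protection.outlook.com -all"


def parse_headers(raw):
    """Fold 'name: value' lines into a dict of lower-cased name -> list of values."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def originating_ip(headers):
    """Return the x-originating-ip address without the surrounding brackets, or None."""
    vals = headers.get("x-originating-ip")
    if not vals:
        return None
    m = re.search(r"\[?([0-9a-fA-F.:]+)\]?", vals[0])
    return m.group(1) if m else None


def spf_verdict(headers):
    """Return the spf= result token (pass, fail, none, ...) from Authentication-Results."""
    vals = headers.get("authentication-results")
    if not vals:
        return None
    m = re.search(r"spf=(\w+)", vals[0])
    return m.group(1) if m else None


def mailfrom_domain(headers):
    """Return the domain of smtp.mailfrom= from Authentication-Results, or None."""
    vals = headers.get("authentication-results")
    if not vals:
        return None
    m = re.search(r"smtp\.mailfrom=[^@\s;]+@([^\s;]+)", vals[0])
    return m.group(1) if m else None


def ip_in_spf_literals(ip, spf_text):
    """True if ip falls inside any ip4:/ip6: mechanism of the record (no DNS, so mx/include are not expanded)."""
    addr = ipaddress.ip_address(ip)
    for term in spf_text.split():
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr in net:
                return True
    return False


def unresolved_mechanisms(spf_text):
    """List the SPF mechanisms this offline check cannot evaluate."""
    return [t for t in spf_text.split() if t == "mx" or t.startswith(("include:", "a:", "a"))
            and not t.startswith("all")]


def triage(raw, spf_text):
    """Summarise what the headers say and what can be verified offline against one SPF record."""
    h = parse_headers(raw)
    ip = originating_ip(h)
    return {
        "originating_ip": ip,
        "originating_ip_is_private": ipaddress.ip_address(ip).is_private if ip else None,
        "spf_verdict": spf_verdict(h),
        "mailfrom_domain": mailfrom_domain(h),
        "ip_listed_in_record": ip_in_spf_literals(ip, spf_text) if ip else False,
        "unresolved_mechanisms": unresolved_mechanisms(spf_text),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HEADERS, SPF_RECORD).items():
        print(f"{k}: {v}")
```

Two things the result makes explicit: spf=none means the mailfrom domain published no SPF policy at the time, so the verdict says nothing either way about the sender; and a hit on a literal ip4: mechanism only shows that the address is an authorised mail source for the domain whose record you checked, which is exactly the cross-reference the post draws. The mx and include: terms are listed as unresolved because evaluating them properly needs live DNS.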
A bit more research... IP 184.68.199.50 is running a public-facing FTP server.
A bit more searching: the FTP server is running in plain text, no TLS/SFTP, and appears to be an old version. My guess is this is how they got into the server. A very common exploit pattern by guessing a uid/pwd OR exploiting some unpatched vulnerability. This is a good way to cover your tracks......
Conclusion:
If I were to guess, they are using a compromised server in Alberta, Canada belonging to PatchingAssociates.com to use webmail in Office 365 to cover up their tracks. The server in Alberta, Canada belongs to
www.PatchingAssociates.com, which has nothing to do with mining operations and appears to lack security on their FTP server........ Too many steps have been taken to cover up and hide identity: private domain registration, Cloudflare for web site hosting, using a server/PC in Canada for webmail, and only accepting bitcoins for payment.
Stay safe out there!!!!