Should you protect your Bitcoin address like your credit card number?

3

Today, I received this scam email:

We have reached the biggest milestone in our history – over a million wallets.

https://[removed] will celebrate with some big prizes.

In October 2013, the lucky user who created the 500,000th wallet was rewarded with 10 BTC.

Read more about this: http://[removed]

We have discovered that you created the wallet with number 1.000.000

[removed] want to reward you with 50 BTC.

To prove that you are the rightful owner of the lucky wallet, please reply to this email and send us your mnemonic (the long string of words generated randomly when your account was created)

After verification, your wallet will be credited instantly with the 50 BTC.

Thank you that you have chosen https://[removed]

I am guessing this is a scam as (a) it was sent to two separate email addresses I have, (b) the sender's email is in no way affiliated to the websites listed in the email and (c) I don't think anyone is willing to just give away 50 BTC, which is close to $42,000 USD. I was wondering if I were to give them my Bitcoin address, what would happen next? Would they be able to use it like a credit card number? Or would they just be asking for more personal information?

ub3rst4r

Posted 2014-01-30T19:42:00.773

Reputation: 141

Answers

10

A bitcoin address is not like a credit card number. You can safely give your bitcoin address out publicly.

What the email is asking for is something you should never give out publicly: the mnemonic that you use (e.g. if you use Electrum, they have a 12-word mnemonic code), from which you can calculate your private keys. With this, they can easily steal all bitcoins on any address that was generated using that mnemonic.

If they actually wanted to know that you are the owner of an address, they could ask you to sign a message. There's not normally much of a reason to do this, though: I don't see a scenario in which a signed message is needed in order to give you money, instead of just the address.

If they actually just wanted to send you money (as they claim), all they need is your address.

Tim S.

Posted 2014-01-30T19:42:00.773

Reputation: 4 249

A legit reason for verifying the address first is to prevent sending 50 BTC into nirvana, when you don't have the private key for the address anymore. – ZeissS – 2014-01-30T20:55:53.820

-1

Giving away your public address wouldn't be the same as giving away your credit card. But what I think the sender of this email might be trying to do is the following:

  1. Collect BTC loaded public addresses.
  2. Run (with brute force) common phrases, or even with common words to crack it
  3. Collect any BTC with addresses which have weak private keys.

If I would have done this, I would have used vanitygen to verify the common passwords (private keys), against the public addresses. Given that you can check 60k-300k private keys per second (with an i5 core), it'll be fairly easy to check all of the submitted addresses.

-Besir

Besir Kurtulmus

Posted 2014-01-30T19:42:00.773

Reputation: 199

Even simpler, the scam is simply asking for the original seed used to generate a deterministic private key. No brute force needed, they'll simply steal your money if you give them what they ask for. – Greg Hewgill – 2014-01-30T20:23:40.097