Scam or Hack? Freewallet App Reportedly Sending ETH to a Single Address
There are reports today that users of an Ethereum wallet from Freewallet.org are seeing their balances drained. Ethereum blockchain explorers show thousands of ether (ETH) all being sent to a single address. However the company says it’s nothing to worry about.
The incident comes as ETH continues to hit record price highs. At press time 1 ETH is worth around $393 USD. If there is indeed a theft underway, it’s a very lucrative one netting its originator millions of dollars.
Posters on BitcoinTalk, Reddit and Twitter reported claims of lost funds, and pointed to the Etherscan blockchain explorer. This showed about a hundred ETH transactions all going to one address over the past couple of weeks.
Bitsonline is still trying to confirm that the sending addresses are Freewallet.org accounts. There also appears to be another unrelated, open-source Bitcoin wallet project also named Freewallet.
At press time, the address’ total value stood at 21,627 ETH (worth over $8.37 million USD).
[Update: 13th June 2017, 7:15AM EST] Freewallet founder Alvin Hagg responded to the thread on Reddit, saying:
“Freewallet stores funds in a multi-signature cold storage with a bank level security grade. From time to time there are rebalancing procedures between different cold storages and hot wallets. There’s no need to worry, this is an ordinary and planned procedure for cryptocurrency systems. All user assets are completely safe. We offer more than 14 wallets and all of them are operating fine.”
Given the nature of cryptocurrencies though, and the fact Freewallet retains full access to all private keys, it’s not surprising people are nervous about seeing their balances move in this way.
Previous Cautions Against Using Freewallet
This isn’t the first time Freewallet has faced accusations of being insecure or a scam, however. The company, which maintains a website and social media accounts, claims to produce wallets for at least 15 digital currencies. It also includes bitcoin and altcoin purchasing services via an exchange partner.
The company has also paid to post press releases on multiple popular cryptocurrency news sites. Most of these are still online and easy to find — and usually feature poor English grammar.
Freewallet’s Twitter account shows no new posts after 9th June, and no posts addressing the current situation.
One of the wallets Freewallet produces is for Monero. However the Monero community has stressed that no official mobile wallets exist for the coin — and any app claiming to be one should be treated with suspicion.
Searching for “Freewallet.org” on Google autocompletes with “scam” in the first few results. There are posts on reddit from as far back as one year ago cautioning users not to use its Ethereum wallet, with several reports of missing funds.
Freewallet products are still openly available on both Google Play for Android and iOS app stores, where they all have high rankings. If the app is untrustworthy, it again raises questions over those app stores’ vetting process — especially Apple’s.
Posters on Reddit claimed to have downloaded and used Freewallet due to its high star rating. Notably, each 4-star ranking also includes hundreds of 1-star reviews, many reporting missing coins or using the word “scam”.
Oddly, even the 3- and 4-star reviews also describe missing fund problems.
Contacting Freewallet and Related Support
On Freewallet’s support page, two of the most popular questions are “Why did I receive a different amount?” and “Can I request a refund?” For exchange issues the company advises users to contact a partner called Indacoin, registered since 2014 at a London, U.K. address.
Refund instructions also include this unusual request: “If Indacoin agrees that your situation is exceptional – they will provide an address where you will need to send bitcoins you received.” It does not explain why asking for a refund involves sending bitcoins.
An Indacoin spokesperson clarified to Bitsonline the relationship between the two companies:
“We help Freewallet process payments with credit/debit cards. If their clients need to purchase bitcoins or any other crypto, they use Indacoin as a payment gateway. So we are not responsible for the storage of digital currency. As for your question, we haven’t heard about such troubles from our customers, otherwise we won’t be able to process VISA and Mastercard transactions. We’ve been working with Freewallet for more than half a year and consider them as an extremely reliable partner.”
However our attempt to contact Freewallet itself via its online support email form was unsuccessful. The form we tried was unresponsive and did not appear to send the message.
Freewallet’s site also does not include any information about company founders, staff or development team. The “History” and “Fundamentals” sections talk about the wallet in vague and non-technical terms. The wallets are also centrally-hosted, with users having no access to private keys.
In the cryptocurrency industry, these conditions are not necessarily proof of scam, but are considered red flags.
The project’s Wikipedia page says the company is based in Tallinn, Estonia, and has over 15,000 users.
Bitsonline will continue to monitor this developing story.
Do you use any Freewallet apps? Have you been affected by this issue? Please leave a comment or contact Bitsonline directly.
Images via Freewallet.org, Google Play, Pixabay