Steemit users need to be extra careful.

in steem •  6 months ago

With Steem and steemit code being open source we have seen a number of sites bases on Steem and Steemit launching.

New ones are launching at regular intervals.

STEEM users are familiar with the model and are, somewhat understandably, eager to get in on the ground floor hoping for lightning to strike twice.

That, however is not necessarily the best choice.

Bad actors can just as easily set themselves up with a STEEM/steemit clone in a matter of days or weeks and get up to all kinds of antics.

For instance, not many users were around when the infamous steemit "Hack" happened.

Steemit nor the STEEM protocol was actually hacked but a hacker found a loophole to bypass some of the site security features. This enabled the hacker to upload images with malicious JavaScript, which forwarded keys stored in the browser, to the hacker.

Long story short, over 200 accounts were compromised, in a matter of hours, simply by opening one of the posts that had one of these malicious images, in one of the comments, on that page.

As a result we now have the account recovery feature implemented on the STEEM blockchain.

Right now, we are currently witnessing the meltdown of one of the newest STEEM/steemit clones.

Already it appears that keys are compromised. So far these are just bearshares keys... but what is to stop a bad actor from creating a clone, luring steemit users over to it and then having malicious key stealing code embedded somewhere in the site that steals stored keys?

STEEM users should be very aware of what sites they visit on the same device that they log in to steemit with and should be using their posting keys in most instances.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Yes there are many bad individuals out there and we should just be careful especially for sites that wants us to put sensitive steemit keys @gavvet because we really do not know the people behind some steem sites or similar.

Just to be clear, (your first chosen image), and have nothing to do with the subject matter at hand.

I know you used them as a reference for "steem forks", but it is unfortunate you decided to use these examples in this public service announcement.


I completely agree with you @intelliguy regarding smoke and whaleshares, and these communities might not exist if steemit did not have so many injustices.

Thanks for the heads-up. It's of utmost importance to always check the url before entering the private keys into any site.

And never use your password unless it's absolutely necessary. The password should be stored in a safe place offline.

If you're technical capable, you can also run a local version of Steemit (condenser) on your computer.

Maybe some of these clones can become succesful like the WoW private servers?

More competition = more action = more quality in the end?


But we should also be aware of bad actors here on steemit . industrial scale flagging done by some users in order to increase their own profits is major fraud that is happening as we speak . Steemit audit is well overdue


I hope my proposal of a forum-like landing page for Steemers with divisions as

  • Steemit for dummies
  • report abuse
  • ...

will make it in the end. That way these abusers can no longer hide from the masses, as their names are there for everybody to see and more important, WHY these abusers are being reported.

Once such a feature is introduced, the spambot vermin will quickly crawl back into their dark crevices.

Malicious and abusive witnesses, would very quickly get thrown out of the Steemit-eco-system.

Very instructive and, also, the making of a best selling 'cyber thriller' in there somewhere, or what? thanks gavvet.

A lot of hackers are around and missing with people's hard efforts and money.
Few days ago my Account on C-cex ecchange was hacked and my LTC there was stolen, in the time I realised that it's better to sell those LTC and power it up on Stemit I found everything is gone.
And the exchange did not give back anything yet to me and still waiting hopefully I could get just some of it back.
This was the first time It happened to me, and was a very hard feeling honestly. However, I believe Steemit is more secured that lots of platforms around but always bad things could happen.

Luckily I decided not to use any of those shitty clones

Every user is responsible for his account in steemit
very good post

Great post, extremely useful and truthful 👊😊

What's stopping someone from creating a clone instead of a spoof? I'd say that we should be worried about spoofs not clones.

Posted using Partiko Android

I first heard about this clones some time ago. Spreding awernes is realy important. I'm glad people are talking about it

The biggest pain in the steem/steemit design, to me, is that we each should be dealing straight with the chain.

Our keys should never leave our computer.
In fact, the keys should only be exposed to a program that is wholly on the computer and guaranteed/guaranteeable. That programs should sign the interactions, and then send them to the blockchain.

But, we do not have the infrastructure on computers yet.
And it would make steemit seem really weird to use.

No one has properly designed an all encompassing network security yet.
... but we are working on it.


You're basically trusting the website/app developer to not take your keys. It's technically possible for your to run your own local copy of the steemit frontend and then audit the code to ensure your private keys stay 100% local, but yeah, not such an easy thing to do. There are efforts afoot to make the weight of the frontend you'd need to run much lighter. It'll take some time.


keychain is a good first step

Thats why im actually very glad that keychain appeared to save our asses in the future. ;)

desafortunadamente en el mundo hay muchas personas malas que busca del mal en beneficiarse acosta de los demas, debemos tener mucho cuidado

“Bear shares”..... 🤣

Posted using Partiko iOS

I was there for his arrival and demise on Steemit and I made a post about it long ago:

Even if he did nothing wrong in the bearshare world (highly unlkely), don't sign up to sites with this kind of character running it

Thank you for your information Sir.We wi be very careful about this.

Hmm...very helpful tips
We see new sites popping consistently maybe clone of Steem

It is very interesting what you say because sometimes we do not carefully review the publications we read and enter unreliable links that end up being for malicious purposes, thanks for this information!

Thanks for the information, when I heard about Weku and went to read their white paper on something, I could say it completely steemit clone, copy to copy system, almost everything the same, teams behind the project are Listed there as well... I was thinking many things could this be scam or what, have seen some Steemians powering down and invest on Waku because they believe in it, I don't condemn anyone opinion coz its a choice, been trying to create an account with Weku but it was not successful so I give up and focus on Steemit, this called for alarming with your warnings here I hope others could read too and be extra ordinary careful of new clone platform..

Thanks for share.


Smoke is listed as a Steem-based Dapp on even though it is not part of the Steem blockchain @gavvet.

I think that should be removed from to avoid confusion since Smoke is basically getting free promotion at the expense of @steemit and potential users @therealwolf @ned @blockbrothers.


Outstanding post, gavvet(77); thanks for the heads-up and information. socky(67) posted a very good article 2 months ago for us new people about the care and use of the steemit keys...Hope this helps somebody.