
Mycelium Wallet Scam Alert: Built-in Gift Card Store #637

Open
Serenato1 opened this issue Apr 5, 2022 · 1 comment

Serenato1 commented Apr 5, 2022

Very disappointed to have to write this post, but unfortunately my favorite wallet, which I have used for years, has betrayed me. They have integrated directly into the wallet UX a dangerous gift card module which can trick a user into sending way more crypto than they realize they are sending.

We'll start with the fact that purchasing gift cards directly within the app doesn't come with any terms and conditions nor customer support options. The only option is to email Mycelium themselves, and they can't do much it seems because it's all through some shady third-party company. It's all very opaque, and for good reason, as you're about to find out.

Before I get to the main issue, allow me to share one of Mycelium's great features: built-in Tor onion routing for privacy. The problem is that it seems to be the case that when purchasing gift cards it doesn't route your traffic through Tor but rather directly through your normal internet connection, which means this gift card company knows the IP address as it relates to the purchase. There is no warning that the wallet is communicating over non-Tor traffic, whereas when activating the option it is defined as a global setting, leading to a major privacy concern. What else in the wallet may be leaking sensitive information?

On to the real issue. Mycelium normally presents you with a live exchange rate for BTC or ETH from an exchange of your choosing when sending crypto. It's very clear. However, the gift card module (which is well advertised in the wallet) presents a fake rate, much higher than the real price. If it weren't bad enough that they are tricking the consumer into thinking all they are paying is the value of the gift card, this is also extremely dangerous, as wherever this price feed is coming from, it can be manipulated and someone could end up sending 100x more than they thought they were.

When actually making a gift card purchase payment, it does so entirely through this fake UI, skipping over the normal payment screen where the user knows what is really happening. Apart from not knowing how much you're actually sending in $ terms, when making a payment you're not even sure from which sub-wallet you're paying. These are dangerous practices meant to trick the user into a non-standard payment screen which avoids all the integrated safeguards in the normal payment screen.

In the attached screenshots you can see what I'm talking about. The price of Ethereum is currently reported by Binance as $3483.63. You can see that the normal wallet payment section gives you the option to see all exchange prices in a pull-down menu. However, when ordering a gift card for 1/10th that current price per ether ($348.36), the wallet reports what should be 0.1 ETH as 0.1133 ETH, a 13.3% premium. I personally was duped many times, as only in retrospect did I realize I was paying between 13% and even up to 15% higher than the market rate in many instances.

Other gift card websites like bitrefill.com don't manipulate the market price, charge exactly what the gift card face value is, and even give rebate points. Now, should Mycelium be able to charge a premium? Sure, but don't use slimy and dangerous tactics within what I once considered a reliable and secure wallet to do so. Be transparent about it and don't manipulate the user into thinking he's using the normal and trustworthy interface to make a payment.

I really hope they fix this, and honestly I would be very careful using this wallet despite it being a great wallet with advanced features and being fully open-sourced. If anyone wants to look at the source code and contribute some feedback to what's actually going on, please do so.

[four attached screenshots]
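The hidden markup described in the post (a checkout that quotes 0.1133 ETH for a $348.36 card while the market rate implies 0.1 ETH), as an added example that is not part of this issue or of the Mycelium code base: a pre-signing sanity check that recomputes the fiat rate a quote silently assumes, compares it with the median of several independent reference rates, and refuses to trust a quote when the reference sources themselves disagree, which is the feed-manipulation case the post worries about. The Binance figure is the post's; the other two reference rates and the source names are constructed for the example.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Tuple


@dataclass(frozen=True)
class GiftCardQuote:
    asset: str              # e.g. "ETH"
    face_value_usd: float   # fiat value the checkout shows the user
    quoted_amount: float    # crypto amount the checkout asks the user to send


def implied_rate(q: GiftCardQuote) -> float:
    """USD per coin that the quote silently assumes (face value / amount)."""
    if q.quoted_amount <= 0:
        raise ValueError("quoted amount must be positive")
    return q.face_value_usd / q.quoted_amount


def premium_over_market(q: GiftCardQuote,
                        reference_rates: Dict[str, float]) -> Tuple[float, float]:
    """Return (premium, spread).

    premium: fraction by which the quoted crypto amount exceeds the amount the
             median reference rate says the face value is worth (0.133 == 13.3%).
    spread:  disagreement between the highest and lowest reference source,
             relative to the median; a large spread means at least one feed
             is stale or manipulated and the comparison cannot be trusted.
    """
    if not reference_rates:
        raise ValueError("need at least one reference rate")
    rates = list(reference_rates.values())
    ref = median(rates)
    amount_at_market = q.face_value_usd / ref
    premium = q.quoted_amount / amount_at_market - 1.0
    spread = (max(rates) - min(rates)) / ref
    return premium, spread


def check_quote(q: GiftCardQuote, reference_rates: Dict[str, float],
                max_premium: float = 0.01, max_spread: float = 0.02) -> Tuple[str, float]:
    """Verdict to show before the transaction is signed: 'ok', 'warn' or 'reject'."""
    premium, spread = premium_over_market(q, reference_rates)
    if spread > max_spread:
        return "reject", premium      # reference feeds disagree; do not trust any number
    if premium > max_premium:
        return "warn", premium        # user is about to overpay by more than tolerated
    return "ok", premium


# Constructed from the post: $348.36 card quoted at 0.1133 ETH, Binance at $3483.63.
QUOTE = GiftCardQuote("ETH", 348.36, 0.1133)
RATES = {"binance": 3483.63, "source_b": 3480.00, "source_c": 3486.00}  # b, c constructed
```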
