Anatomy of a cryptocurrency scam

The scam

Preparation

The first step is to build an online profile to disseminate the scam; in this instance we’re looking at Twitter.

Drawing victims in

Once a fake profile has been established, the scammer replies to a post from the user they are impersonating and uses further fake accounts and Twitter bots to maximise the reply's prominence. The reply encourages potential victims to visit an external website holding the details of the scam.

Falsified Medium article directing victims to the scam, and encouraging them to take part
Comments on the falsified Medium article encouraging victims to take part in the scam

Execution

Following the link through to the Ethereum scam page shows the page below.

Ethereum scam page instructing victims to send Ethereum to a wallet address
  1. The scam first uses an existing, well-known identity and brand to build trust, showing the Tesla logo at the top of the page.
  2. The scam makes participating easy, providing clear and simple directions and multiple ways of taking part.
  3. The scam reassures victims that it isn’t a scam: “you won’t lose anything”.
  4. The scam introduces a sense of urgency, showing that only a small and ever-decreasing amount of Ethereum remains to be claimed (yet still enough to make participating worth the victim’s while).

Analysing the scam

There are a number of basic tools that can be used to aid an investigation into such a simple scam (and other, more advanced scams).

Analysing the scam website

URLscan.io can be used to perform initial reconnaissance on any pages linked by the scammer, without connecting directly to their infrastructure and potentially putting your own computer at risk. It provides details of the underlying infrastructure, the content of the page, and a screenshot.

URLscan.io results for the scam website
  • The domain musk-surprise[.]org was registered on 30 July 2018 with NameCheap, does not have any WHOIS information provided publicly, and resolves to 162.144.100[.]203. This IP address is linked to 38 domains in total, nearly all of which are likely to be involved in similar scams (e.g., elon-giveaway[.]org, coinbase-corporation[.]fund, and elon-has-surprise[.]com). This IP address is, however, linked to a small number of domains related to the Basics Brands pet food brand which are likely to be legitimate; it is possible that this server belongs to this organisation and has been compromised without their knowledge.
  • The domain elon-official-promo[.]com was registered on 28 July 2018 also with NameCheap, also does not have any WHOIS information provided publicly, and resolves to 162.144.47[.]96.

Identifying blockchain transactions

Because all blockchain transactions are public, the wallets shown on both the Bitcoin and Ethereum scam pages can be analysed easily. This shows both payments into the wallet (likely from victims) and payments out of the wallet (likely the criminals transferring money elsewhere).

  • Ethereum: 0xe0Db6CC64619DB87Dd3a4477364858BD6B876363, 0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390
  • Bitcoin: 1GQakToxJHx2RVzknDXRpQYqHyBRMxoFUM, 15xd99WKi98JK9bUPp4AZEc2gZ5y7bBMCQ
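The inbound/outbound split described above, as an added example that is not part of the original article: it runs over a constructed sample ledger in which only the two Ethereum wallets are the ones quoted on the scam page, while every other address, transaction hash and value is a placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass

FINNEY = 10**15  # wei per milliether; integer wei keeps the sums exact

@dataclass(frozen=True)
class Tx:
    tx_hash: str
    sender: str
    receiver: str
    value_wei: int

def norm(addr: str) -> str:
    # Explorers return addresses in EIP-55 mixed case or lowercase; compare case-insensitively
    return addr.strip().lower()

# The two Ethereum wallets quoted on the scam page
WALLET_A = norm("0xe0Db6CC64619DB87Dd3a4477364858BD6B876363")
WALLET_B = norm("0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390")
SCAM_WALLETS = {WALLET_A, WALLET_B}

# Constructed sample ledger: hashes, victim and cash-out addresses are placeholders, not chain data
SAMPLE_TXS = [
    Tx("0xTX01", "0xVICTIM_1", WALLET_A, 500 * FINNEY),
    Tx("0xTX02", "0xVICTIM_2", WALLET_A, 1000 * FINNEY),
    Tx("0xTX03", "0xVICTIM_3", WALLET_A, 250 * FINNEY),
    Tx("0xTX04", "0xVICTIM_4", WALLET_B, 2000 * FINNEY),
    Tx("0xTX05", "0xVICTIM_1", WALLET_B, 100 * FINNEY),   # same victim paid both wallets
    Tx("0xTX06", WALLET_A, "0xCASHOUT_1", 1700 * FINNEY),
    Tx("0xTX07", WALLET_A, "0xOTHER", 40 * FINNEY),
    Tx("0xTX08", WALLET_B, "0xCASHOUT_1", 1950 * FINNEY),
]

def summarise_wallet(txs, wallet):
    """Split a wallet's history into inbound (likely victims) and outbound (likely cash-out) flows."""
    wallet = norm(wallet)
    inbound = [t for t in txs if norm(t.receiver) == wallet]
    outbound = [t for t in txs if norm(t.sender) == wallet]
    return {
        "inbound_count": len(inbound),
        "inbound_wei": sum(t.value_wei for t in inbound),
        "unique_senders": len({norm(t.sender) for t in inbound}),
        "outbound_wei": sum(t.value_wei for t in outbound),
        "destinations": sorted({norm(t.receiver) for t in outbound}),
    }

def shared_destinations(txs, wallets):
    """Addresses funded by more than one scam wallet: a consolidation point worth pivoting on."""
    wallets = {norm(w) for w in wallets}
    sources = defaultdict(set)
    for t in txs:
        if norm(t.sender) in wallets:
            sources[norm(t.receiver)].add(norm(t.sender))
    return sorted(a for a, s in sources.items() if len(s) > 1)
```

Fed with real transaction lists pulled from a block explorer, the same two functions show how much each wallet took in and where both wallets sent their funds.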

Gabriel Currie
Head of Cyber Security at the UK Government’s @Cabinet_Office