Anatomy of a cryptocurrency scam

Gabriel Currie
5 min read, Aug 7, 2018


This blog post analyses a very common cryptocurrency scam that has been widely reported on, and presents a number of open source intelligence tools that can be used to investigate it. It’s not groundbreaking, but is intended to provide an easy-to-understand overview of the technique and a simple introduction to tools that can be used for analysis.

If you’ve been a victim of a cryptocurrency scam you should contact local law enforcement to report the incident and obtain guidance. In the UK contact Action Fraud, and in the US contact the FBI’s Internet Crime Complaint Center.

The scam

Preparation

The first step is to build an online profile to disseminate the scam; in this instance we’re looking at Twitter.

Cryptocurrency scammers have recently been focusing on compromising verified accounts on Twitter, either to target the accounts’ followers (verified accounts often have a large following), or to add legitimacy to whatever display/user name the account is then changed to.

In this instance, the account of a Spanish rower has been compromised, and the display name and profile picture changed to mimic a prominent Twitter user (Elon Musk in this case).

Drawing victims in

Once a fake profile has been established, the scammer replies to a post from the user they are impersonating and uses fake accounts and Twitter bots to maximise the reply’s prominence. The reply encourages potential victims to visit an external website holding the details of the scam.

In this instance, clicking the link in the scam reply takes victims to a falsified Medium post (again purporting to be from Elon Musk), encouraging them to participate in either an Ethereum or a Bitcoin “promotion”. Both are linked from this first page.

Falsified Medium article directing victims to the scam, and encouraging them to take part

A selection of (again falsified) comments at the bottom of the page provide additional encouragement for victims to participate.

Comments on the falsified Medium article encouraging victims to take part in the scam

Execution

Following the link through to the Ethereum scam page shows the below.

Ethereum scam page instructing victims to send Ethereum to a wallet address

This page encourages victims to send Ethereum to the wallet address provided, assuring them that whatever they send will be multiplied by 10: “for example, to get 7 ETH, send 0.7 ETH”. The page uses a number of techniques commonly employed by scammers to gain the trust of their victims and increase their success rate:

  1. The scam first of all uses an existing, well-known identity and brand to encourage trust, by showing the Tesla logo at the top of the page.
  2. The scam makes participating easy, providing clear and simple directions, and multiple ways of doing so.
  3. The scam reassures victims that it isn’t a scam: “you won’t lose anything”.
  4. The scam introduces a sense of urgency by showing that only a small, and ever-decreasing, amount of Ethereum is left to claim (though still enough to make participating seem worthwhile).
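
The tells listed above can be turned into a quick triage script. The following is an added example (my code, not the author’s) that pulls the wallet addresses, the multiplier promise and the pressure phrases out of page text, and validates any Bitcoin address with a Base58Check decode so that a mistyped address is not chased through a block explorer. The page text is constructed to resemble the scam page described above; the ETH address is the one quoted later in this post, while the BTC address is the Bitcoin genesis-block address, used here only as a known-valid sample.

```python
import hashlib
import re

# Constructed page text modelled on the scam page described above (not scraped from it).
SCAM_PAGE = """
Tesla Official Promotion! To celebrate, we are giving away 5,000 ETH!
To participate, send between 0.1 and 5 ETH to the address below and we will
immediately send back 10x the amount. For example, to get 7 ETH, send 0.7 ETH.
ETH address: 0xe0Db6CC64619DB87Dd3a4477364858BD6B876363
BTC address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
You won't lose anything! Only 1,337 ETH left!
"""

ETH_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Legacy (P2PKH "1...") and script-hash (P2SH "3...") addresses; bech32 is out of scope here.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
PROMISE_RE = re.compile(
    r"to get\s+([\d.]+)\s*(ETH|BTC).*?send\s+([\d.]+)\s*(ETH|BTC)", re.I | re.S)
# Phrases matching the four techniques listed above (reassurance, urgency, brand, ease).
RED_FLAGS = {
    "brand": ("tesla", "coinbase", "official"),
    "reassurance": ("won't lose", "risk free", "guaranteed"),
    "urgency": ("left!", "hurry", "limited"),
    "multiplier": ("10x", "double", "send back"),
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(addr):
    """Return (version_byte, payload) if addr carries a valid Base58Check checksum, else None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer conversion dropped.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None
    return body[0], body[1:]


def triage(page_text):
    """Extract indicators from scam page text and score the social-engineering tells."""
    findings = {"eth": sorted(set(ETH_ADDR_RE.findall(page_text))),
                "btc_valid": [], "btc_invalid": [], "multiplier": None, "red_flags": []}
    for addr in sorted(set(BTC_ADDR_RE.findall(page_text))):
        decoded = base58check_decode(addr)
        if decoded and decoded[0] in (0x00, 0x05):  # mainnet P2PKH / P2SH version bytes
            findings["btc_valid"].append(addr)
        else:
            findings["btc_invalid"].append(addr)
    m = PROMISE_RE.search(page_text)
    if m:
        get_amt, send_amt = float(m.group(1)), float(m.group(3))
        findings["multiplier"] = round(get_amt / send_amt, 6) if send_amt else None
    lowered = page_text.lower()
    findings["red_flags"] = sorted(
        kind for kind, phrases in RED_FLAGS.items() if any(p in lowered for p in phrases))
    return findings


if __name__ == "__main__":
    for key, value in triage(SCAM_PAGE).items():
        print(f"{key}: {value}")
```

A promised multiplier of 10 with a single receiving address and no sign of any mechanism for returning funds is the whole scam in one number; the Base58Check step matters because a single transposed character in a copied address produces an invalid address, not a different one, so a checksum failure usually means a transcription error in your notes rather than a second scam wallet.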

Analysing the scam

There are a number of basic tools that can be used to aid an investigation into such a simple scam (and other, more advanced scams).

Analysing the scam website

URLscan.io can be used to perform initial reconnaissance on any pages linked to by the scammer, without connecting directly to their infrastructure and potentially putting your computer at risk. It provides details of the underlying infrastructure, the content of the page, and a screenshot.

URLscan.io results for the scam website

In this instance the URLscan.io results show outbound links which victims are encouraged to follow; additional scans can be performed to investigate these.

VirusTotal can then be used to scan the website for any malware hosted on or linked from it. In this instance it does not identify any malicious content, which is the expected result: the purpose of the scam is to persuade victims to send cryptocurrency, not to infect them with malware.

PassiveTotal can be used to investigate the infrastructure involved in the scam; while there are paid features, free (limited) accounts are available. Searching for the domains identified as involved in this scam shows the following:

  • The domain musk-surprise[.]org was registered on 30 July 2018 with NameCheap, has no publicly available WHOIS details, and resolves to 162.144.100[.]203. This IP address is linked to 38 domains in total, nearly all of which are likely to be involved in similar scams (e.g. elon-giveaway[.]org, coinbase-corporation[.]fund and elon-has-surprise[.]com). The IP address is, however, also linked to a small number of domains related to the Basics Brands pet food brand, which are likely to be legitimate; it is possible that this server belongs to that organisation and has been compromised without their knowledge.
  • The domain elon-official-promo[.]com was registered on 28 July 2018, also with NameCheap, also has no publicly available WHOIS details, and resolves to 162.144.47[.]96.

Where necessary, additional information about the underlying infrastructure can be obtained by searching in Shodan and Censys. In this instance, this identifies a number of open ports on the server, none of which provide any information of particular value. Bear in mind that on shared hosting a single IP address can serve many unrelated sites, so co-hosting alone is weak evidence of a link; recent registration dates and impersonation keywords in the domain names are what make the co-hosted domains above worth pursuing.
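
The pivot described above (seed domain, to the IP it resolves to, to everything else on that IP, then judging each hit by name and age) is simple enough to script once the passive DNS data has been exported. The following is an added example (my code, not PassiveTotal’s API or the author’s) over constructed records: the two seed domains, their IP addresses and registration dates are those quoted above, but the registration dates of the co-hosted domains and the stand-in pet-food domain name are invented for illustration.

```python
from datetime import date

OBSERVED = date(2018, 8, 7)  # the date of this analysis (the post's publication date)
SCAM_TOKENS = ("elon", "musk", "tesla", "giveaway", "promo", "surprise", "coinbase")

# Constructed passive-DNS style records: (domain, ip, registration date).
# Only the two seed domains' IPs and dates are from the text; the rest is invented.
RECORDS = [
    ("musk-surprise[.]org",         "162.144.100[.]203", date(2018, 7, 30)),
    ("elon-giveaway[.]org",         "162.144.100[.]203", date(2018, 7, 29)),
    ("coinbase-corporation[.]fund", "162.144.100[.]203", date(2018, 7, 31)),
    ("elon-has-surprise[.]com",     "162.144.100[.]203", date(2018, 8, 1)),
    ("petfood-example[.]com",       "162.144.100[.]203", date(2015, 3, 12)),  # stand-in for the pet food domains
    ("elon-official-promo[.]com",   "162.144.47[.]96",   date(2018, 7, 28)),
]


def refang(indicator):
    """Turn a defanged indicator such as 'musk-surprise[.]org' back into a usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def pivot(seed, records, observed=OBSERVED, max_age_days=30):
    """From a seed domain, collect the IPs it resolves to and every other domain on those
    IPs, labelling each co-hosted domain by impersonation keywords and registration age."""
    seed = refang(seed)
    ips = {refang(ip) for dom, ip, _ in records if refang(dom) == seed}
    hits = []
    for dom, ip, created in records:
        dom, ip = refang(dom), refang(ip)
        if ip not in ips or dom == seed:
            continue
        age = (observed - created).days
        lookalike = any(tok in dom for tok in SCAM_TOKENS)
        if lookalike and age <= max_age_days:
            verdict = "likely same campaign"
        elif lookalike or age <= max_age_days:
            verdict = "suspicious, review manually"
        else:
            verdict = "probably unrelated (shared host?)"
        hits.append({"domain": dom, "ip": ip, "age_days": age, "verdict": verdict})
    return sorted(hits, key=lambda h: h["domain"])


if __name__ == "__main__":
    for hit in pivot("musk-surprise[.]org", RECORDS):
        print(f"{hit['domain']:<28} {hit['ip']:<16} {hit['age_days']:>5}d  {hit['verdict']}")
```

The two signals are deliberately kept separate in the verdict: a brand keyword in a years-old domain is usually a fan site or a typo-squat that predates this campaign, while a freshly registered domain with a neutral name may just be a new customer of the same hosting provider. Only the combination is treated as a probable sibling of the seed.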

Identifying blockchain transactions

Because transactions on public blockchains such as Bitcoin and Ethereum are visible to anyone, the addresses shown on both scam pages can be analysed easily. This shows both payments into the addresses (likely from victims) and payments out of them (likely the criminals moving the money elsewhere).

The cryptocurrency addresses shown during the analysis period (additional addresses have likely been shown to victims as well) are:

  • Ethereum: 0xe0Db6CC64619DB87Dd3a4477364858BD6B876363, 0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390
  • Bitcoin: 1GQakToxJHx2RVzknDXRpQYqHyBRMxoFUM, 15xd99WKi98JK9bUPp4AZEc2gZ5y7bBMCQ

Etherscan.io shows the two Ethereum addresses identified as having received a total of 88.25620884 ETH, equivalent to around $34,000 at the time of writing. It shows 61.96563483 ETH as having been moved to another address (0xA61a7A92cb7Fb9be465a199f666eC5d3ae62F5CE, likely also controlled by the scammer).

Similarly, the Bitcoin Block Explorer shows the two Bitcoin addresses identified as having received a total of 2.15460352 BTC, equivalent to around $15,000 at the time of writing. It shows 1.89868857 BTC as having been moved to another address (3P2bhn4WoFPXLc5Dx8vXZxt7h367pU7F8R, again likely also controlled by the scammer).
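
To make the inflow/outflow reasoning above concrete, here is an added example (my code, not from the original post) that performs the same arithmetic a block explorer does over a list of transactions: it totals what the scam addresses received, what left them and where it went, and counts distinct senders as a rough victim count. The scam-side addresses are the ones listed above; the “victim-*” senders, every individual transaction and all amounts are constructed. Amounts are kept in integer base units (wei, satoshi) until the end so no rounding creeps in, and transaction fees/gas are not modelled.

```python
from collections import defaultdict
from decimal import Decimal

DECIMALS = {"eth": 18, "btc": 8}  # base units per coin: wei per ETH, satoshi per BTC

# Addresses quoted on the scam pages (from the text above).
SCAM_ADDRESSES = {
    "eth": {"0xe0Db6CC64619DB87Dd3a4477364858BD6B876363",
            "0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390"},
    "btc": {"1GQakToxJHx2RVzknDXRpQYqHyBRMxoFUM",
            "15xd99WKi98JK9bUPp4AZEc2gZ5y7bBMCQ"},
}

# Constructed sample in the shape of an explorer's per-address transaction list:
# (chain, sender, receiver, amount in base units). Senders and amounts are invented.
TXS = [
    ("eth", "victim-a", "0xe0Db6CC64619DB87Dd3a4477364858BD6B876363", 7 * 10**17),   # 0.7 ETH, the page's own example
    ("eth", "victim-b", "0xe0Db6CC64619DB87Dd3a4477364858BD6B876363", 2 * 10**18),
    ("eth", "victim-c", "0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390", 5 * 10**17),
    ("eth", "victim-a", "0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390", 3 * 10**17),   # same victim paying twice
    ("eth", "0x1D7BC400d3c6d9D37EC54D0e729cbaDD06dc0390",
            "0xe0Db6CC64619DB87Dd3a4477364858BD6B876363", 8 * 10**17),               # internal shuffle
    ("eth", "0xe0Db6CC64619DB87Dd3a4477364858BD6B876363",
            "0xA61a7A92cb7Fb9be465a199f666eC5d3ae62F5CE", 25 * 10**17),              # cash-out
    ("btc", "victim-d", "1GQakToxJHx2RVzknDXRpQYqHyBRMxoFUM", 30_000_000),
    ("btc", "victim-e", "15xd99WKi98JK9bUPp4AZEc2gZ5y7bBMCQ", 12_500_000),
    ("btc", "1GQakToxJHx2RVzknDXRpQYqHyBRMxoFUM", "3P2bhn4WoFPXLc5Dx8vXZxt7h367pU7F8R", 29_000_000),
]


def to_units(base_amount, chain):
    """Convert an integer base-unit amount to whole coins as an exact Decimal."""
    return Decimal(base_amount) / Decimal(10 ** DECIMALS[chain])


def trace(txs, scam_addresses):
    """Summarise money in, money out and onward destinations for each chain's scam addresses."""
    report = {}
    for chain, ours in scam_addresses.items():
        inflow = outflow = 0
        senders = set()
        destinations = defaultdict(int)
        for c, src, dst, amount in txs:
            if c != chain:
                continue
            src_ours, dst_ours = src in ours, dst in ours
            if src_ours and dst_ours:
                continue  # transfer between two scam addresses: neither new money nor a cash-out
            if dst_ours:
                inflow += amount
                senders.add(src)
            elif src_ours:
                outflow += amount
                destinations[dst] += amount  # candidate for the next hop of the investigation
        report[chain] = {
            "received": to_units(inflow, chain),
            "moved_out": to_units(outflow, chain),
            "still_held": to_units(inflow - outflow, chain),  # ignores fees/gas
            "unique_senders": len(senders),
            "destinations": {d: to_units(v, chain) for d, v in destinations.items()},
        }
    return report


if __name__ == "__main__":
    for chain, summary in trace(TXS, SCAM_ADDRESSES).items():
        print(chain.upper(), summary)
```

The internal-transfer check is the part worth copying: scammers routinely sweep several collection addresses into one before cashing out, and counting that sweep as both an inflow and an outflow inflates the apparent take. On Bitcoin, remember that a spend from a scam address usually has a change output back to an address the scammer controls, so the “destinations” list should be read as candidate next hops rather than as proof of where the money finally went.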

Head of Cyber Security and Deputy CISO at the UK Government’s @Cabinet_Office, previously incident response at PwC UK