When cryptocurrency value rises, we can expect a parallel rise in crypto-related crime, including phishing, fake brokers, and scams impersonating exchanges and other legitimate services. As expected, the recent surge in the global cryptocurrency market has made it a hot target for cybercrime.
While the blockchain technology underlying cryptocurrency is robust, widespread fraud on social media and across the web simply circumvents it: rather than attacking the ledger, scammers target the general public directly, tricking people into sending funds or surrendering credentials. As a result, keeping a finger on the pulse of the crypto-threat landscape requires an always-on, internet-wide view. At RiskIQ, we've been tracking crypto-threats to understand their prevalence and how they're evolving.
Below, we've outlined the most prevalent threats we see, including infrastructure analysis via our Internet Intelligence Graph to drill down into the mechanics of each threat and show how they work and why they're effective.
Social Media Scams
Twitter has recently been an epicenter of cryptocurrency fraud, with many incidents involving phony investment opportunities and giveaway scams that manipulate celebrity and business accounts across platforms.
In July 2020, teenage fraudsters gained access to an internal Twitter account-management tool, bypassing account security and giving them control of dozens of high-profile, verified business and celebrity accounts. They then used these accounts to peddle their scheme, tweeting get-rich-quick Bitcoin scams from the trusted victim accounts and asking readers to send Bitcoin to an address included in the tweet:
The scam worked, and over USD 118k in Bitcoin was stolen in the attacks.
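The common thread in these giveaway posts, both the 2020 tweets and the later impersonation pages, is a real, spendable wallet address paired with "send X, get 2X back" wording. The snippet below is an added example, not RiskIQ's tooling or code from this post: it pulls candidate legacy Bitcoin addresses out of post text, keeps only those whose Base58Check checksum verifies (so typos and random Base58-looking strings drop out), and flags posts that pair a valid address with giveaway vocabulary. The lure-word list and the sample posts are constructed for illustration; the address in the sample is the public genesis-block coinbase address, used only as a known-valid test vector. Bech32 (bc1...) addresses use a different encoding and are deliberately out of scope.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy Base58Check addresses: P2PKH starts with '1', P2SH with '3'.
# Bech32 (bc1...) addresses are encoded differently and are not handled here.
CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")

# Hypothetical lure vocabulary for the giveaway pattern; tune it to your own data.
LURE_WORDS = ("giveaway", "double", "send", "bonus", "airdrop")


def b58decode(s):
    """Decode a Base58 string to bytes; returns None on a character outside the alphabet."""
    n = 0
    for ch in s:
        i = B58_ALPHABET.find(ch)
        if i < 0:
            return None
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading 0x00 byte (the P2PKH version byte).
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(s):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    raw = b58decode(s)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text):
    """Return only candidates whose checksum verifies; typos and look-alike junk drop out."""
    return [c for c in CANDIDATE_RE.findall(text) if is_valid_btc_address(c)]


def triage_post(text):
    """Flag a post that pairs a real wallet address with giveaway-style wording."""
    addresses = extract_addresses(text)
    lower = text.lower()
    lure = [w for w in LURE_WORDS if w in lower]
    return {
        "addresses": addresses,
        "lure_words": lure,
        "suspicious": bool(addresses) and len(lure) >= 2,
    }


# Constructed sample posts (not real tweets). The address is the public Bitcoin
# genesis-block coinbase address, used here only as a known-valid test vector.
SCAM_POST = ("I am giving back to my community! Send 0.1 BTC to "
             "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and I'll double it. "
             "Giveaway ends in 30 minutes.")
TYPO_POST = SCAM_POST.replace("DivfNa", "DivfNb")   # last character altered: checksum fails
BENIGN_POST = "Shipping the new firmware build tonight, release notes to follow."

if __name__ == "__main__":
    for post in (SCAM_POST, TYPO_POST, BENIGN_POST):
        print(triage_post(post))
```

The checksum step matters more than it looks: scammers sometimes post screenshots or mangled addresses precisely to evade naive regex filters, and a verified address is also the pivot you would take into chain-analysis tooling to see where the funds went.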
RiskIQ actively tracked the infrastructure used as the situation evolved. You can also find the list of domains we identified while the attack was ongoing here.
Similar cryptocurrency scams continue to abuse verified accounts on Twitter. During a single week in February 2021, @malwrhunterteam reported 48 verified accounts attempting to trick users into sending cryptocurrency to scammers. The scam works by gaining control of various verified accounts that are no longer in use or poorly secured. The accounts are then made to look like they belong to a well-known individual, such as Elon Musk.
In this example, the compromised account tweets a domain, elon-musk[.]life. A RiskIQ crawl captured the scam page hosted on that domain, which uses Tesla branding and promises a "5,000 BTC Giveaway!" to anyone who sends bitcoin to the wallet address listed on the page:
Looking at the crawl more closely, we can see that the scam domain loads content from several interesting hosts. One of these hosts is associated with over forty other cryptocurrency scam domains, many of them Elon Musk-themed. The scale of these social media scams targeting cryptocurrency investors shows that they continue to be successful, even after the sensational, widely reported attacks in 2020.
You can see RiskIQ's full infrastructure analysis of this campaign by visiting our Threat Intelligence Portal.
Fraudulent Broker Scams: e.g., Initial Pips
One of the most common cryptocurrency scams involves fraudulent cryptocurrency brokers, miners, and services. These scams lure victims with guarantees of impressive returns on investment, free crypto-mining hardware, or promises to recover stolen funds. The actors build lure pages mimicking the services of well-known investment firms and crypto-mining businesses so that they appear legitimate, safe, and helpful to victims.
'Initial Pips' is a shady service at the center of a cryptocurrency scam campaign that masquerades as a legitimate cryptocurrency broker. The platform and its connected domains appear legitimate and advertise lucrative opportunities that trick users into sending cryptocurrency as an investment. The operators behind these scams have created multiple lure pages that impersonate legitimate companies or services:
A RiskIQ crawl shows that the associated malicious pages are mirrored from initialpips[.]com using HTTrack, a free and open-source web crawler and offline browser that copies entire websites (and leaves a telltale "Mirrored from ... by HTTrack Website Copier" comment in the copied HTML). The associated domains look almost identical, with only minor changes in imagery, logo, and branding.
Other cryptocurrency scams like the Initial Pips campaign can be seen on the Crypto Scam List: 2021 provided by Scam News Channel.
Cryptocurrency Phishing
Phishing targeting credentials for users of cryptocurrency services is another prevalent threat. Cryptocurrency phishing pages mimic a wide range of different services, and it wasn't hard to find examples. The instance below impersonates the MyEtherWallet service:
Here, we see the form on the page that steals the user's credentials:
You can investigate some other recent MyEtherWallet phish domains in RiskIQ Community here, here, here, here, and here.
This next example targets Ledger, a maker of hardware cryptocurrency wallets. Clicking the "Connect" button shown in the snapshot above leads to the credential-stealing page:
This domain shares infrastructure with several financial scam pages hosted on the same IP address. These include mining-station[.]uk, which purports to be a crypto-mining service promising "profit up to 56% per month!", and trustfundcredit[.]com, which is built from a template and pretends to be a credit union or bank.
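Both pivots used in this post, the shared third-party host behind the Elon Musk giveaway pages and the shared IP address behind the Ledger phish, are the same operation: index every crawled domain by its infrastructure attributes, then walk from a seed domain to everything that shares one. The code below is an added example, not RiskIQ's Internet Intelligence Graph or any code from this post. It runs over a constructed crawl summary (reserved .example names and RFC 5737 documentation addresses, invented for illustration), and includes the one guard every analyst needs in practice: an attribute shared by too many domains (a public CDN, shared hosting, an analytics host) is dropped, because it connects everything to everything. The `max_fanout` value and the two-hop depth are assumptions to tune against real data.

```python
from collections import defaultdict, deque

# Constructed crawl summary (not RiskIQ data): for each crawled domain, the IP it
# resolved to and the third-party hosts its page loaded content from.
CRAWLS = [
    {"domain": "elon-giveaway[.]example",    "ip": "192.0.2.10",   "loads_from": ["scam-assets[.]example", "shared-cdn[.]example"]},
    {"domain": "tesla-btc-promo[.]example",  "ip": "192.0.2.11",   "loads_from": ["scam-assets[.]example", "shared-cdn[.]example"]},
    {"domain": "musk-5000btc[.]example",     "ip": "192.0.2.12",   "loads_from": ["scam-assets[.]example"]},
    {"domain": "ledger-login[.]example",     "ip": "198.51.100.5", "loads_from": ["shared-cdn[.]example"]},
    {"domain": "mining-profit[.]example",    "ip": "198.51.100.5", "loads_from": ["shared-cdn[.]example"]},
    {"domain": "credit-union-tpl[.]example", "ip": "198.51.100.5", "loads_from": []},
    {"domain": "local-news[.]example",       "ip": "203.0.113.7",  "loads_from": ["shared-cdn[.]example"]},
]


def index_attributes(records):
    """Map each (kind, value) attribute to the set of domains that share it."""
    by_attr = defaultdict(set)
    for r in records:
        by_attr[("ip", r["ip"])].add(r["domain"])
        for host in r["loads_from"]:
            by_attr[("host", host)].add(r["domain"])
    return by_attr


def pivot(by_attr, seed, max_fanout=4):
    """One hop: each attribute of `seed` and the other domains sharing it.

    Attributes shared by more than `max_fanout` domains (shared hosting, public
    CDNs, analytics hosts) are dropped; they would link unrelated sites together.
    """
    hits = {}
    for attr, domains in by_attr.items():
        if seed not in domains or len(domains) > max_fanout:
            continue
        others = domains - {seed}
        if others:
            hits[attr] = others
    return hits


def cluster(records, seed, max_fanout=4, hops=2):
    """Breadth-first expansion from `seed`, at most `hops` pivots deep."""
    by_attr = index_attributes(records)
    seen = {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        domain, depth = frontier.popleft()
        if depth >= hops:
            continue
        for others in pivot(by_attr, domain, max_fanout).values():
            for d in others:
                if d not in seen:
                    seen.add(d)
                    frontier.append((d, depth + 1))
    return sorted(seen - {seed})


if __name__ == "__main__":
    by_attr = index_attributes(CRAWLS)
    for seed in ("elon-giveaway[.]example", "ledger-login[.]example", "local-news[.]example"):
        print(seed)
        for (kind, value), others in pivot(by_attr, seed).items():
            print(f"  shares {kind} {value} with {sorted(others)}")
        print("  cluster:", cluster(CRAWLS, seed))
```

In the sample, the giveaway seed expands only through the private asset host, the Ledger phish seed expands only through its shared IP, and the unrelated news site expands to nothing because its single shared attribute, the CDN, is above the fan-out cut. Raise `max_fanout` past the CDN's count and the news site is pulled into the scam cluster, which is exactly the false-positive an unfiltered pivot produces on real passive DNS.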
Many of these sites are built from templates copied from other sites with HTTrack.
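HTTrack, used both for the Initial Pips lure pages and for the templated phishing sites above, stamps every page it copies with an HTML comment of the form `<!-- Mirrored from host/path by HTTrack Website Copier/3.x [XR&CO'2014], <date> -->`, which is how a crawl can tell where a clone came from. The parser below is an added example, not RiskIQ's crawler or any code from this post: it extracts the origin host, path, HTTrack version and mirror time from that comment and groups crawled pages by the site they were cloned from. The page contents and domain names are constructed for illustration (reserved .example names, not the real domains discussed above).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# HTTrack writes this comment into each copied page; the bracketed tag and the
# date vary with the HTTrack version and the time of the mirror.
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<src>\S+)\s+by\s+HTTrack Website Copier/(?P<ver>\S+)"
    r"\s*(?:\[(?P<tag>[^\]]*)\])?,?\s*(?P<when>[^>]*?)\s*-->",
    re.IGNORECASE,
)


def defang(host):
    """Render a hostname so it is not clickable in reports."""
    return host.replace(".", "[.]")


def httrack_origin(html):
    """Return the mirror origin recorded by HTTrack, or None if no stamp is present."""
    m = HTTRACK_RE.search(html)
    if not m:
        return None
    src = m.group("src")
    # HTTrack records "host/path" without a scheme; add one so urlsplit finds the host.
    parts = urlsplit(src if "://" in src else "http://" + src)
    return {
        "host": defang(parts.hostname or ""),
        "path": parts.path or "/",
        "version": m.group("ver"),
        "mirrored_at": m.group("when").strip(),
    }


def group_by_origin(pages):
    """pages: {crawled_domain: html}. Returns {origin_host: sorted crawled domains}."""
    groups = defaultdict(set)
    for domain, html in pages.items():
        origin = httrack_origin(html)
        if origin:
            groups[origin["host"]].add(domain)
    return {host: sorted(domains) for host, domains in groups.items()}


# Constructed crawl captures (not real pages); the HTTrack stamps follow the
# tool's real comment format, the site content is invented.
PAGES = {
    "clone-one[.]example": """<!DOCTYPE html>
<html><head><title>Invest Today</title>
<!-- Mirrored from broker-original.example/ by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 14 Feb 2021 10:22:01 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
</head><body><h1>Guaranteed 40% monthly returns</h1></body></html>""",
    "clone-two[.]example": """<html><body><p>Start mining now</p>
<!-- Mirrored from broker-original.example/mining/index.html by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 16 Feb 2021 08:05:44 GMT -->
</body></html>""",
    "legit[.]example": "<html><body><p>Our own site, built by hand.</p></body></html>",
}

if __name__ == "__main__":
    for domain, html in PAGES.items():
        print(domain, "->", httrack_origin(html))
    print(group_by_origin(PAGES))
```

Two caveats for anyone putting this in a detection pipeline: the stamp is trivially removable, so its absence proves nothing, and its presence proves only that the page was copied, not that the copy is malicious (HTTrack has plenty of legitimate archival users). It is a pivot and a clustering key, not a verdict.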
You can investigate all the indicators used in these examples and more by visiting our full analysis in RiskIQ’s Threat Intelligence Portal.
Be Crypto-Vigilant
Even before the recent boom, the COVID-19 pandemic invited its own crypto-related cybercrime, and RiskIQ has been tracking crypto-scams and threats for several years. These threats continuously evolve as the market evolves and matures, requiring constant vigilance and analysis.