Crypto scams continue to escalate
Group-IB has noted a fivefold increase in the number of domains used for crypto scams involving fake YouTube streams in the first half of 2022. In addition to Vitalik Buterin, Elon Musk and other crypto celebrities, scammers began exploiting the name of Nayib Bukele, the president of El Salvador.
The evolution of crypto giveaway scams
Crypto scams have evolved into an illegal market segment with multiple services that aim to facilitate fraudulent operations. According to Group-IB, 63% of the new fake domain names were registered with Russian registrars, but the fake websites are primarily designed to target English- and Spanish-speaking crypto investors in the US and other countries. The researchers have also compiled a list of the most popular keywords used by fraudsters in fake domain names.
Researchers observed an increase in the number of fraudulent YouTube streams “featuring” big names such as Brad Garlinghouse, Michael J. Saylor and Cathie Wood in February this year. The scammers used the recordings of famous entrepreneurs and crypto enthusiasts to encourage users to visit a promotional website to double their crypto investment, either by transferring crypto to the specified address or by revealing the seed phrase of their crypto wallet to get even better terms.
Group-IB experts have discovered that the scheme has been scaled significantly in just six months. In the first six months of 2022, they identified more than 2,000 domains that were explicitly registered to be used as fake advertising websites. This number increased almost fivefold compared to the second half of 2021 and 53 times compared to H1 2021. As reported earlier, in the first quarter of 2022 (January-March), researchers discovered 583 fake websites involved in the scheme. In the second quarter, the team found more than 1,500 more new domains set up by fraudsters to promote fake giveaways.
According to Group-IB, over 60% of the fraudulent domains involved in the scheme were registered via Russian domain name registrars. However, such resources usually use generic top-level domains because they are designed to steal cryptocurrency from English-speaking users. All content on the fake websites is in English and sometimes in Spanish. The top five domain zones used by scam websites promoting crypto giveaways include .com (31.65%), .net (23.86%), .org (22.94%) and .us (5.89%).
Hijacking of YouTube accounts
The primary source for attracting traffic to scam sites is YouTube, with Twitch and crypto streaming platforms following suit. On average, the number of viewers of fake streams is between 10,000 and 20,000, including bots. To set up a fake stream, threat actors can either hijack YouTube accounts themselves using dedicated theft tools or buy/rent accounts on underground forums for a percentage of the stolen funds, which in most cases is between 10% and 50% of the streamer’s revenues. The price of a lot on the account exchange largely depends on the number of subscribers. The more subscribers a channel has, the more complaints it will take for the platform to block it. Among the accounts recently compromised or hijacked by crypto fraudsters, one was created in 2011 and had over 50,000 subscribers.
After gaining access to a legitimate account, a fake crypto streamer renames the channel, deletes all previously uploaded videos from the playlist, changes the profile image, adds new design features and uploads relevant crypto-related content. When scammers start a stream, they use viewer-boosting tools so that the stream appears in the recommendations of their target audience. On average, attracting a thousand viewers will cost scammers $100, while five thousand is priced at $200.
A crypto scam marketplace
The growth of fake crypto giveaways can be explained by a significantly improved arsenal and availability of tools for crypto fraudsters, even those with low technical skills. In July, researchers recorded up to five streams promoting fake crypto giveaways per day.
Group-IB revealed that forums used by fraudsters constitute a full-fledged marketplace that can help even first-time, non-tech-savvy fraudsters carry out a crypto-fraud scheme. It is worth noting that most of these forums are Russian-speaking. Scammers have the following at their disposal: an exchange platform for hacked YouTube accounts, viewer-boosting services, manuals, website editors, admin panel developers, domain names, bulletproof hosting and tools, and people who can create deepfake videos. These mentors, designers, marketing specialists and various contractors demand an advance plus a percentage of the stolen funds.
The most popular service is crypto stream design. The average price varies between $100 and $300, depending on the scope. Producing a deepfake video featuring a celebrity will cost around $30.
Another in-demand service is the development of fake advertising websites designed to show visitors the mechanism behind a fake giveaway. The price of a landing page can vary from $200 to $600, depending on the relevance of the design.
Manuals usually start at $100. In some cases, the price is a combination of a flat rate and a percentage of the income. There are also two-for-one offers that sell both manuals and training for a percentage of the stolen amount. Fraudsters can also purchase toolkits designed to automate fraud operations. A subscription to an advanced toolset ranges between $500 and $1,500 per month.
“Scams targeting crypto-enthusiasts are becoming increasingly common, and their scale and sophistication are growing,” comments CERT-GIB. “Crypto giveaway scams have evolved into a profitable illegal market segment. Small-time fraudsters and more sophisticated cybercriminals are teaming up, allowing them to automate and streamline operations.”
Users are advised to be wary of free giveaways and not to share confidential data on rogue websites. Double-check the legitimacy of the streams and sites you visit by using only official sources. If you can’t find information about the promotion taking place, you are probably being scammed. Seed phrases must be kept secret and stored securely; to do that, use password management tools. To minimize the risk of leakage, prioritize desktop solutions over cloud-based ones. You risk being cheated twice if you have already transferred your crypto to scammers and want your money back: people who message victims on forums offering help often turn out to be scammers themselves.