
YouTube Scammers Made $1.6 Million in Fake Crypto Giveaway

Scammers Exploited YouTube Streams Attracting Over 165,000 Viewers
Fake social media postings used to entice victims (Source: Group-IB)

Researchers have found that a group of fraudsters made more than $1.6 million in 281 transactions in a massive scam using fake cryptocurrency giveaway YouTube streams attracting more than 165,000 viewers. The campaign also exploited the names of Vitalik Buterin, Elon Musk, Michael Saylor and other crypto enthusiasts (see: $960K NFT Scam Affects Nearly 1,200 Victims).


This attack targets individual cryptocurrency owners, but enterprises need to stay apprised of the increasingly sophisticated use of social media channels to "hack the human," as the divide between employees' work and home online lives collapses when working from home.

The Campaign

"Between February 16 and 18, 2022, the scammers ran 36 fabricated cryptocurrency giveaway YouTube streams promising immediate high returns on cryptocurrency investments," according to a report by cybersecurity firm Group-IB. "The scammers used the footage of famous entrepreneurs and crypto enthusiasts from legitimate events to create their own fraudulent streams."

On average, researchers say that these YouTube streams attracted between 3,000 and 18,000 viewers. One particular stream featuring footage of Vitalik Buterin, co-founder of Ethereum, drew more than 165,000 viewers who were promised that their crypto savings would be doubled.

"The names of the YouTube channels that ran these fake streams usually had names associated with the speaker from the rogue video. All these channels have supposedly been either hacked or purchased on the underground market," the researchers say.

Group-IB Computer Emergency Response Team experts retrieved links to 29 interconnected websites featuring the guidelines on how to double cryptocurrency investments. The scammers used stream descriptions to spread the links to the websites designed to show visitors the mechanism behind a fake giveaway.

These websites also used an eye-catching design and high-quality images related to cryptocurrency, and several domain names often displayed the same crypto wallet address.

"In total, the experts detected more than 30 crypto wallets used for the scheme, with a total remaining balance of $933,963. The most popular cryptocurrency used by fraudsters as part of the scheme was Ethereum," the researchers say. "Within three days of monitoring, (from February 16 to 18, 2022) all detected crypto wallets controlled by the scammers received 281 transactions in total, amounting to more than $1,680,000."

Through further analysis of the scammers' domain infrastructure, the researchers found that the 29 websites were part of a massive network of 583 interconnected resources all set up in the first quarter of 2022.

There were three times as many domains registered for this scheme in less than three months of 2022 compared to the whole of last year, the researchers say.
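As an added illustration (not taken from the Group-IB report or from this article), the sketch below shows one way a defender could use the shared wallet addresses noted above to group related giveaway sites. The domains, page text and addresses are constructed, and the address patterns are an assumption that covers only Ethereum and bech32 Bitcoin formats.

```python
import re
from collections import defaultdict

ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")          # Ethereum address
BTC_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")  # bech32 Bitcoin address

def extract_wallets(text):
    """Return wallet addresses found in page text, lower-cased so that
    checksummed and plain spellings of one ETH address compare equal."""
    return {a.lower() for a in ETH_RE.findall(text) + BTC_RE.findall(text)}

def cluster_domains(pages):
    """Group domains linked, directly or transitively, by a shared address."""
    parent = {d: d for d in pages}

    def find(d):
        # Union-find root lookup with path halving.
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    first_seen = {}  # address -> first domain that displayed it
    for domain, text in pages.items():
        for addr in extract_wallets(text):
            if addr in first_seen:
                parent[find(domain)] = find(first_seen[addr])
            else:
                first_seen[addr] = domain

    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))

# Constructed sample data: every domain and address below is made up.
ETH_A = "0x" + "a1" * 20
ETH_B = "0x" + "b2" * 20
BTC_A = "bc1q" + "q" * 38
PAGES = {
    "giveaway-one.example": f"Send ETH to {ETH_A} and receive double back",
    "giveaway-two.example": f"Wallets: 0x{'A1' * 20} or {BTC_A}",
    "giveaway-three.example": f"BTC event address {BTC_A}",
    "unrelated-shop.example": f"Donations: {ETH_B}",
}

if __name__ == "__main__":
    for cluster in cluster_domains(PAGES):
        print(cluster)
```

The first and third sample sites share no address directly; they end up in one cluster because each shares an address with the second.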

Attack Technique

"When analyzing scam websites promoted during the fake streams, CERT-GIB experts detected an unusual technique. Depending on the cryptocurrency and type of crypto wallets, scammers asked visitors to their fake giveaway website to enter seed phrases to connect their wallets," researchers say.

Researchers found that whenever a victim shared their seed phrase, the fraudsters gained control over their wallet and were able to withdraw all funds from it.

They say that the exact number of victims and the total amount of stolen funds remains unknown, but some victims could not resist taking the bait.

The researchers warn users to be vigilant about free giveaways, not to share confidential data on rogue websites and to double-check the legitimacy of the streams and the websites they visit, using the official sources only.

"If you cannot find any information about the promotion taking place, you are likely being deceived. Seed phrases must be kept secret and stored securely. To do so, use password management tools. To minimize the risk of leakage, prioritize desktop solutions over cloud-based ones," the researchers say.

Rising Crypto Scams

Earlier this year, in a series of crypto giveaway scams, cybercriminals targeted the official Twitter accounts of the Indian Medical Association, the Indian Council of World Affairs and Mann Deshi bank. The incidents highlight why social media accounts need better access management strategies.

The Indian Medical Association, with more than 334,000 members, is a national voluntary organization of physicians in India. The Indian Council of World Affairs is the country's first independent international affairs think tank. And Mann Deshi Bank is a cooperative bank that aims to financially empower rural women in the country (see: Indian Medical Association's Twitter Account Compromised).

The first fraudulent post following the account takeover of the Indian Medical Association appeared at 0155 hours, Indian Standard Time. The hacker, posing as Elon Musk, wrote: "We here at Tesla HQ came up with a nice idea: to hold a special airdrop event of 5000 BTC for all crypto fans!"

This was followed by hundreds of positive tweets being posted every other second - each one egging users on to click on a Telegram link advertising giveaways of Bitcoins, Ether, Dogecoins and Shiba Inu coins.

Cybercriminals commonly use giveaway scams to defraud unsuspecting victims. Research by Elliptic shows that in the aftermath of the July 2020 crypto scam that targeted Twitter accounts of international celebrities, fraudsters stole $121,000 in bitcoin from 400 victims.

Although it is evident that the tweets promising bitcoin giveaways on the three targeted Twitter accounts were phony - "Elon Musk" is misspelled, and there is a gray tick in place of a blue tick - blockchain analytics site Blockchair shows that 31 victims sent a total of 5.75 bitcoins, or $273,848, to the fraudulent Bitcoin address.

On Dec. 12, the official Twitter account of Prime Minister Narendra Modi was compromised for the second time. Cybercriminals tweeted that India had officially adopted bitcoin as a legal tender and that the government was distributing 500 bitcoins among citizens.

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
