Cybersecurity firm Group-IB has seen a five-fold increase in the number of domains used in crypto giveaway scams featuring fake YouTube streams in the first half of 2022.
Alongside Vitalik Buterin, Elon Musk and other crypto celebrities, scammers started exploiting the name of Nayib Bukele, the President of El Salvador.
Since Group-IB first reported on the scheme, crypto giveaways have emerged as an illegal market segment with multiple services aimed at facilitating fraudulent operations.
According to Group-IB, 63% of new rogue domain names were registered with Russian registrars, but the fake websites are primarily designed to target English- and Spanish-speaking crypto investors in the US and other countries. The researchers also compiled a list of the most popular keywords used by scammers in fake domain names.
For the first time, the 24/7 Group-IB Computer Emergency Response Team (CERT-GIB) observed a sharp increase in the number of fraudulent YouTube streams featuring big names like Elon Musk, Brad Garlinghouse, Michael J. Saylor, and Cathie Wood in February of this year. The scammers used footage of famous entrepreneurs and crypto enthusiasts to encourage users to visit a promotional website, where they were promised they could double their crypto investment by transferring crypto to the provided address, or get even better terms by exposing the seed phrase of their crypto wallet.
Group-IB experts found that the scheme scaled significantly in just half a year. In the first six months of 2022, CERT-GIB identified more than 2,000 registered domains that were expressly intended to be used as fake promotional websites. This figure has almost quintupled compared to the second half of 2021 and increased 53 times compared to the first half of 2021. As previously reported, in the first quarter of 2022 (January to March), Group-IB researchers discovered 583 fake websites involved in the scheme. During the second quarter, the Group-IB team found more than 1,500 other new domains set up by scammers to advertise fake giveaways.
Scammers keep up to date with the latest headlines. One of the most recent names used as bait was Nayib Bukele, 43rd President of El Salvador.
Scammers also promoted pages featuring soccer player Cristiano Ronaldo.
Both names were chosen for a reason. In 2021, largely on the initiative of its President, El Salvador became the first country to adopt Bitcoin as its national currency. Cristiano Ronaldo became the first soccer star to be paid with cryptocurrency: the player received a bonus of 770 crypto tokens from his club Juventus, one for each goal scored in his career. In June 2022, Binance, a crypto trading platform, announced an exclusive partnership with Cristiano Ronaldo.
According to Group-IB, over 60% of the fraudulent domains involved in the scheme were registered through Russian domain name registrars. However, such resources usually use generic top-level domains since they are designed to steal cryptocurrency from English-speaking users. All content on fake websites is in English and sometimes in Spanish. The top five most popular domain zones used by rogue websites promoting crypto giveaways include .com (31.65%), .net (23.86%), .org (22.94%) and .us (5.89%).
After analyzing the domain names, Group-IB experts compiled a ranking of the keywords most commonly used by scammers. At the top of the list are ETH (Ethereum), Ark, Elon Musk, and Shiba.
YouTube account hijacking
The main source of traffic to rogue websites is YouTube, followed by Twitch and crypto streaming platforms. On average, fake streams are viewed by between 10,000 and 20,000 viewers, including bots. To set up a fake stream, threat actors either hijack YouTube accounts themselves using special stealer tools, or buy or rent accounts on underground forums for a percentage of the stolen funds, which in most cases ranges from 10% to 50% of the streamer’s earnings. The price of a single listing on the account exchange largely depends on the number of subscribers. The more subscribers a channel has, the more complaints the platform needs to block it. Among the accounts recently compromised or hijacked by crypto scammers, one was created in 2011 and had over 50,000 subscribers.
After gaining access to a legitimate account, a fake crypto streamer renames the channel, deletes all previously uploaded videos from the playlist, changes the avatar, adds new design features, and uploads relevant crypto-related content. When scammers start a stream, they use viewer-boosting tools to push it into their target audience’s recommendations. On average, it costs scammers $100 to attract a thousand viewers, while five thousand cost $200.
A crypto scam marketplace
The phenomenal growth of fake crypto giveaways can be explained by a vastly improved arsenal of tools that is readily available to crypto scammers, even those with low technical skills. In July, Group-IB Digital Risk Protection experts recorded up to five streams per day promoting fake crypto giveaways.
Group-IB revealed that the forums used by scammers constitute a full-fledged marketplace that can help even non-technical first-time scammers to run a crypto scam scheme. It should be noted that most of these forums are Russian-speaking. Scammers have at their disposal: a hacked YouTube account exchange platform, viewer boosting services, manuals, website editors, admin panel developers, domain names, bulletproof hosting, and tools and people who can create deepfake videos. These mentors, designers, advertising specialists, and other contractors require an upfront payment plus a percentage of the stolen funds.
The most popular service is crypto stream design. The average price is between $100 and $300 depending on the size. A deepfake video showing a celebrity would cost around $30 to produce.
Another service in high demand is the development of fake promotional websites designed to show visitors the mechanism behind a fake giveaway. The price of a landing page can range from $200 to $600 depending on the relevancy of the design.
Manuals typically start at $100. In some cases, the payment is a combination of a flat rate and a percentage of earnings. There are also two-in-one deals that sell both manuals and training for a percentage of the amount stolen. Scammers can also purchase toolkits designed to automate fraudulent operations. An advanced toolkit subscription costs between $500 and $1,500 per month.
Scams targeting crypto enthusiasts are becoming more common and increasing in scope and sophistication, comments CERT-GIB. Crypto giveaway scams have emerged as a profitable illicit segment of the market. Smaller scammers and more advanced cybercriminals are teaming up, allowing them to automate and streamline operations.