1,000+ fake cryptocurrency sites trap users in bogus rewards scheme

scam hacker security Bitcoin

A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021.

“This massive campaign has likely resulted in thousands of people being scammed worldwide,” Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor named “Impulse Team.”

“The scam works via an advanced fee fraud that involves tricking victims into believing that they’ve won a certain amount of cryptocurrency. However, to get their rewards, the victims would need to pay a small amount to open an account on their website.”

The compromise chain starts with a direct message propagated via Twitter to lure potential targets into visiting the decoy site. The account responsible for sending the messages has since been closed.

The message urges recipients to sign up for an account on the website and apply a promo code specified in the message to win a cryptocurrency reward amounting to 0.78632 bitcoin (about $20,300).

But once an account is set up on the fake platform, users are requested to activate the account by making a minimal deposit worth 0.01 bitcoin (about $258) to confirm their identity and complete the withdrawal.

“While relatively sizable, the amount necessary to activate the account pales in comparison to what users would get in return,” the researchers noted. “However, as expected, recipients never get anything in return when they pay the activation amount.”

A public Telegram channel that records every payment made by the victims shows that the illicit transactions have yielded the actors a little over $5 million between December 24, 2022, and March 8, 2023.

Trend Micro said it unearthed hundreds of domains related to this fraud, with some of them being active as far back as 2016. All the fake websites belong to an affiliate “scam crypto project” codenamed Impulse that’s been advertised on Russian cybercrime forums since February 2021.

Like ransomware-as-a-service (RaaS) operations, the venture requires affiliate actors to pay a fee to join the program and share a percentage of the earnings with the original authors.

To lend the operation a veneer of legitimacy, the threat actors are believed to have create a lookalike version of a known anti-scam tool known as ScamDoc, which assigns a trust score for different websites, in a plausible attempt to pass off the sketchy crypto services as trustworthy.

Trend Micro said it also stumbled upon private messages, online videos, and ads on other social networks such as TikTok and Mastodon, indicating that the affiliates are using a wide range of methods to advertise the fraudulent activity.

Read more: thehackernews.com