Early in 2018, Proofpoint researchers observed a rise in so-called “cryptocurrency giveaway scams.” The scams often target users of Ethereum and Bitcoin and typically request that victims send a small amount of the currency in exchange for a much larger payout in the same cryptocurrency. While threat actors frequently distribute coin mining malware or engage in credential phishing for cryptocurrency wallets and exchanges, the giveaway scams represent a new tactic for cryptocurrency theft reminiscent of the “419” scams common 10 to 15 years ago. The success of this scam shows that threat actors continue to look for new ways to exploit the human factor -- and people are inclined to fall for scams that can net them hot commodities like cryptocurrencies.
Cryptocurrency giveaway scam activity appears to have peaked in April of this year, but given rebounding cryptocurrency values and ongoing interest in these currencies, we will continue to monitor related schemes. To date, we have identified a number of patterns that may be of use to those tracking this and similar activities as many actors appear to be engaging in these schemes.
The scam usually begins with a tweet or email enticing the victim to send cryptocurrency to a wallet with the promise that more will be sent back. We frequently observed these tweets originating with fake accounts designed to generate clicks and retweets. Figure 1 shows Twitter conversation threads laying the social engineering groundwork for nearly identical scams run by two threat actors.
Figure 1: Twitter conversation threads demonstrating the similarity of scams among multiple actors
A Twitter search for “eth left” or “sent 5 got 50” demonstrates the sheer number of actors engaging in these scams.
Figure 2: Fake Twitter accounts promoting their scam landing pages
Many accounts will impersonate exchanges, currencies, cryptocurrency founders, developers, celebrities, and products to try to get users to click. Below, fake accounts respond to tweets from legitimate accounts to insert themselves into conversations and confuse Twitter users who might accidentally click on replies from fraudulent accounts with the same avatar.
Figure 3: Fake Twitter accounts attempting to steal clicks from legitimate accounts
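The two patterns above, the "send X, get Y back" lure with a wallet address and scarcity hook, and the reply from a lookalike account that reuses a genuine account's display name, can be turned into a simple triage rule. The following is an added example, not code from Proofpoint or from the post; the sample tweets, the wallet strings and the display-name-to-handle allow-list are all constructed.

```python
import re

# Constructed allow-list (hypothetical): lowercased display name -> the genuine handle.
KNOWN_ACCOUNTS = {"ether founder": "etherfounder", "coin exchange": "coinexchange"}

# Constructed sample tweets in the shape the post describes; none are real accounts.
SAMPLE_TWEETS = [
    {"handle": "etherfounder_giveaway", "display": "Ether Founder",
     "text": "Giveaway! Send 0.5 ETH to 0x" + "ab" * 20 + " and get 5 ETH back. Only 300 ETH left!"},
    {"handle": "etherfounder", "display": "Ether Founder",
     "text": "I am not giving away ETH. Anyone asking you to send coins first is running a scam."},
    {"handle": "coinexchange_help", "display": "Coin Exchange",
     "text": "Sent 5 BTC got 50 BTC back, it works! bc1qconstructedplaceholderaddr0000000000"},
]

# "send X <coin> ... get/got/receive Y [<coin>]" - the core lure of the giveaway scam
SEND_GET = re.compile(
    r"sen[dt]\s+(\d+(?:\.\d+)?)\s*(eth|btc)\b.*?\b(?:get|got|receive)\s+(\d+(?:\.\d+)?)\s*(eth|btc)?",
    re.I | re.S)
# Ethereum hex address, Bitcoin bech32 address, or Bitcoin base58 address
WALLET = re.compile(r"\b(?:0x[0-9a-fA-F]{40}|bc1[0-9a-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
SCARCITY = re.compile(r"\b\d+\s*(?:eth|btc)\s+left\b", re.I)


def scam_indicators(tweet, known_accounts=KNOWN_ACCOUNTS):
    """Return the list of giveaway-scam indicators found in one tweet."""
    reasons = []
    text = tweet["text"]
    m = SEND_GET.search(text)
    if m:
        send_amt, coin, get_amt, get_coin = m.groups()
        # Only flag when the promised payout exceeds the deposit in the same currency
        if float(get_amt) > float(send_amt) and (get_coin is None or get_coin.lower() == coin.lower()):
            reasons.append(f"promises {get_amt} {coin.upper()} for {send_amt} {coin.upper()}")
    if WALLET.search(text):
        reasons.append("embeds a wallet address")
    if SCARCITY.search(text):
        reasons.append("artificial scarcity ('N coins left')")
    # Impersonation: display name of a known account, but a different handle
    genuine = known_accounts.get(tweet["display"].lower())
    if genuine and genuine != tweet["handle"].lower():
        reasons.append(f"display name belongs to @{genuine} but handle is @{tweet['handle']}")
    return reasons


def is_likely_giveaway_scam(tweet, known_accounts=KNOWN_ACCOUNTS):
    """Two independent indicators are enough to queue the tweet for review."""
    return len(scam_indicators(tweet, known_accounts)) >= 2


if __name__ == "__main__":
    for t in SAMPLE_TWEETS:
        print(t["handle"], is_likely_giveaway_scam(t), scam_indicators(t))
```

The indicators are deliberately independent so that a lure without an address, or an impersonating reply that only links an image, still accumulates a score rather than slipping past a single regex.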
Some scammers still opt to use link shorteners like bit.ly, which currently show very low click volumes. Others may choose to use an image to show users where to go, in an attempt to evade the restrictions Twitter imposes on some URLs linked directly in tweets (Figure 4).