We spent several months researching a new and very smart crypto scam, where the victims were slowly, craftily encouraged to install a malicious crypto management app. However, the ones who got scammed were only nominally victims, because the operators, like some digital Robin Hoods, targeted… other pilferers. Take an in-depth look at this scam with us and learn how to protect your cryptocurrency.
Table of Contents
The initial bait
It all started with my receiving a fairly trivial forwarded Telegram message about cryptocurrency. Others might have ignored it, but being the web content analysts’ team lead at Kaspersky, I smelled a rat and decided to look into it. To evade detection, the message was presented as a five-second-long video clip, which contained a screenshot showing a hasty, heavily discounted sale of two lucrative crypto projects with respective links thereto. Likely designed to give the recipient a false sense of security, the first link led to a real second-tier crypto exchange — albeit a small one. The real bait was hiding behind the other link.
A convenient server malfunction
Contrary to what could be expected, following the other link didn’t bring up any malicious content. Things were far more interesting: if you entered the address expecting to see a home page, the browser displayed a root directory listing with some enticing file names in it. It appeared as if the server had been misconfigured, or the home page accidentally had been deleted, revealing all of the unsuspecting domain owner’s data. You could click any file in the list and view its contents right in the browser, because, conveniently, all of them had common, easy-to-handle formats, such as TXT, PDF, PNG or JPG.
This made a visitor feel like they’d landed inside the personal data folder of a rich but dimwitted owner of some crypto project. The text files contained wallet details complete with seed phrases, and the images were screenshots showing proof of a large amount in cryptocurrency being successfully sent, substantial wallet balances, and the owner’s lavish lifestyle.
One of the screenshots had a YouTube video in the background, explaining how to buy yachts and Ferraris with Bitcoin. A PDF catalog of these yachts could easily be found in the same directory. In a nutshell, this was seriously juicy bait.
Real wallets and cash
What’s smart about this scam is that the wallet details are real, and one indeed can access the wallets and view, say, the Exodus transaction history or the assets in the other wallets, worth nearly 150,000 US dollars, according to DeBank.
You wouldn’t be able to withdraw anything, though, as the funds are staked — that is, basically tied up in the account. Nonetheless, this makes the visitor far less skeptical: the whole thing seems to be someone’s carelessly leaked real data, not spam or phishing. Besides, there are no external links or malicious files to be seen anywhere — nothing to be suspicious about!
We monitored the site for two months, seeing no changes whatsoever. The scammers seemed to be waiting for a critical mass of interested users to build up while tracking their behavior with web server analytics. It was only after this lengthy warm-up period that they proceeded to the next stage of the attack.
A new hope
The dramatic two-month pause was at last ended with an update: a fresh Telegram screenshot purportedly showing a successful Monero payout. If one took a closer look at the screenshot, one would notice an “Electrum-XMR” wallet app with a transaction log and a sizable balance of almost 6000 Monero tokens (XMR), worth about a million dollars at the time of publishing this.
By a lucky coincidence, a new text file with the seed phrase for the wallet popped up right next to the screenshot.
At this point, anyone dishonest enough rushed to download an Electrum wallet to log in to the careless dupe’s account and grab the remaining money. Tough luck: Electrum only supports Bitcoin, not Monero, and it takes a private key (and not a seed phrase) to regain access to an account. When attempting to restore the key from the seed phrase, every legitimate converter said the seed phrase format was invalid.
Yet greed was clouding the users’ judgment: after all, there was a million dollars at stake, and they needed to hurry before someone else stole it. The fast-buck artists went googling “Electrum XMR” or simply “Electrum Monero”. Whichever it was, the top result was a website ostensibly about an Electrum fork that supported Monero.
Its design resembled that of the original Electrum website, and, in typical open-source fashion, it featured all kinds of descriptions, links to GitHub (the original Electrum repository, though — not Electrum-XMR), a note that explicitly said this was a fork to support Monero, and handy direct links to macOS, Windows and Linux installers.
Which is when the hunter unwittingly becomes the prey. Downloading and installing Electrum-XMR infects the computer with malware identified by Kaspersky as Backdoor.OLE2.RA-Based.a, which provides attackers with covert remote access. What they do next is probably scanning the contents of the machine and stealing crypto wallet data and any other valuable information.
Our security solution would have blocked the malicious website, let alone an attempt to the install the Trojan, but crypto hunters eager to lay their hands on other people’s money are hardly among our users.
All of a sudden, a second iteration
Some time later, when we were done investigating this feat of social engineering, we received another bit of bait, which was hardly a surprise. This time around, the scammers switched from slow steaming to searing. The screenshot showed a fake wallet with a large balance next to an open text file containing a wealth of personal information and a thoughtfully added link to a malicious site. It looks like this scam has apparently proved to work well, and we’re in for lots of similar attacks.
Recognizing the attack
Victims of the scam we discussed above evoke no sympathy at all, seeing how they took the bait by trying to steal other people’s money. However, the scammers keep coming up with new tricks, and next time, you might be offered an ostensibly ethical way of making money. For example, you might accidentally get a screenshot advertising a lucrative airdrop, with the link right in the address bar…
So, stay alert, and take any information with a large pinch of salt. Each stage in the attack was suspicious in its own way. The website sale ad was presented in the form of a video clip with a screenshot, obviously to get around anti-spam algorithms. A website that contains nothing but unencrypted text files with crypto wallet data in these looks too good to be true. The domain purportedly hosting the crypto wallet fork had been registered just two months before the attack. Most importantly, however, the scam-filled crypto landscape makes using little-known wallet apps an unacceptable risk. Thus, follow these steps:
Leave a Reply