Trend Micro researchers recently uncovered a widespread cryptocurrency scam that has been operating since January 2021, utilizing over 1,000 fraudulent websites. The scam, attributed to a Russian-speaking threat actor known as "Impulse Team," has likely defrauded thousands of individuals worldwide.
The scam is an advance-fee fraud: victims are led to believe they have won a certain amount of cryptocurrency, but to claim the reward they must first pay a small fee to open an account on the scammer's website.
The scam begins with direct messages sent via Twitter, enticing potential targets to visit a decoy site. Although the account responsible for these messages has been closed, the scam continues through other means. The message prompts recipients to sign up for an account on the website and apply a promo code to win a cryptocurrency reward valued at approximately $20,300.
Once users create an account on the fraudulent platform, they are asked to activate it by making a minimal deposit of around $258, supposedly to confirm their identity and complete the withdrawal process. Despite the promised payout, victims receive nothing after making the activation payment.
Trend Micro's investigation revealed a public Telegram channel that records all payments made by victims. It disclosed that the scammers amassed over $5 million between December 2022 and March 2023.
The researchers identified numerous domains associated with this fraud, some dating back to 2016. These fake websites are affiliated with a crypto project called Impulse, advertised on Russian cybercrime forums since February 2021. Similar to ransomware-as-a-service operations, Impulse requires affiliate actors to pay a fee to join the program and share a percentage of the earnings with the original authors.
To appear legitimate, the threat actors created a counterfeit version of ScamDoc, a trusted anti-scam tool that assigns trust scores to websites. This tactic aims to deceive users into believing the scam crypto services are reliable. The affiliates also employ various methods such as private messages, online videos, and ads on social networks like TikTok and Mastodon to promote their fraudulent activities.
The threat actor streamlines operations for its affiliates by providing hosting and infrastructure, allowing them to run the scam websites independently. This enables affiliates to focus on other aspects, such as running their advertising campaigns.
In parallel with this scam, a threat actor known as Pink Drainer has been seizing control of victims' Discord and Twitter accounts, posing as journalists to promote false crypto schemes. ScamSniffer data revealed that Pink Drainer compromised over 2,300 accounts, stealing more than $3.29 million in digital assets.
These revelations coincide with Akamai's recent identification of a renewed Romanian cryptojacking campaign called Diicot (formerly Mexals), which employs a Golang-based SSH worm module and a LAN spreader for propagation. Additionally, Elastic Security Labs exposed the usage of an open-source rootkit named r77 to deploy the XMRig cryptocurrency miner in several Asian countries.
The r77 rootkit's primary purpose is to conceal the presence of other software on a system, which makes it attractive to cybercriminals seeking stealthy attacks. It has been incorporated into SeroXen, a variant of the Quasar remote administration tool, which is sold for as little as $30 for a monthly license or $60 for a lifetime bundle.
These findings shed light on the prevalence of cryptocurrency scams and the ongoing efforts of threat actors to exploit unsuspecting individuals in the digital landscape.