An email attack visualization of a rusty hook catching an envelope.
Image: RareStock/Adobe Stock

Helsinki-based security firm WithSecure has unearthed a kudzu-like network of fraudulent content aimed at getting people to invest in fake cryptocurrency investments.

Run by what WithSecure characterized as a group of around 30 threat actors, the network encourages participation in web-based apps posing as investment schemes using the cryptocurrency Tether. The company estimated that the fraudulent apps it discovered were able to generate just over $100,000 in revenue from approximately 900 victims.

Jump to:

How the YouTube cryptocurrency scam works

WithSecure, which garnered data for the report in the latter half of 2022, claimed the malefactors disseminated thousands of videos garnering engagements from viewers across hundreds of YouTube channels.

The group uses Telegram, which was a vector used by the Keona Clipper malware last June, as a communications channel and deploys copy-paste automation to add comments to the videos to camouflage them as legit, per the security firm.

The investigators found 700 URLs hosting fraudulent web apps associated with videos and served by the network, but parallel data from cryptocurrency wallets “implicated the possible involvement of thousands more,” said the report.

SEE: FBI warns of phony cryptocurrency apps aiming to steal money from investors (TechRepublic)

According to the report, victims transfer money from an existing cryptocurrency wallet to one of the apps in a one-way transaction. The researchers said there was no movement of crypto back to the victims (Figure A).

Figure A

A node-edge graph of interactions between channels captured in the one of the Tether datasets, showing that many of the videos received comments from entirely separate groups of accounts, with activity in the middle of the graph showing overlap between commenters.
Image: WithSecure. A node-edge graph of interactions between channels captured in the one of the Tether datasets, showing that many of the videos received comments from entirely separate groups of accounts, with activity in the middle of the graph showing overlap between commenters.

Victims are required to create an account in the advertised app delivered as web pages, mobile applications or even automation that interacts with users on Telegram. The victim must then deposit a small amount into the app — tens of dollars, which is immediately filched by the scammers.

WithSecure said many of the videos encourage victims to invite friends and family to participate, dangling a small amount of money for each person invited. The apps also include bonus “VIP” structures that unlock better “investment” options that boast higher returns. These demand a larger deposit commitment.

SEE: Visa breaks down $9 billion investment in security, fraud initiatives (TechRepublic)

“This network seems to be targeting existing cryptocurrency investors with low-quality videos in different languages without localizing them to reach different regions, so I’d say it’s a pretty opportunistic approach,” said WithSecure Intelligence Researcher Andy Patel. “Typically, this results in a large volume of small transactions.

“But as that volume increases, so do the odds of them getting lucky and finding someone able and willing to invest more substantial amounts.” (Figure B)

Figure B

Presenter talking about the mobile app's withdraw functionality
Image: WithSecure. Presenter talking about the mobile app’s withdraw functionality.

He said the darker picture, the scams’ relative unprofitability notwithstanding, is that the scammers have gamed YouTube’s recommendation algorithms and that description fields attached to the videos also employ a unique style of SEO designed to game YouTube’s search functionality.

“Moderating social media content is a huge challenge for platforms, but the successful amplification of this content using pretty simple, well-known techniques makes me think that more could be done to protect people from these scams,” Patel said in the report (Figure C).

Figure C

Splotches of purple, green, orange, and blue on a black background forming a web of sorts
Image: WithSecure. Node-edge graph of interactions in another dataset tracked by WithSecure. Nodes are labeled by weighted out degree: the higher the number, the more comments the account published.

FTC: Crypto scams posted small numbers but lucrative in aggregate

In a June 2022 note, the U.S. Federal Trade Commission said that crypto is proving a lucrative scam channel, with more than 46,000 people reportedly having lost a total of over $1 billion in crypto to scams since 2021.

The note said cryptocurrency was identified as the payment method for 24% of reported dollar losses in fraud reports to the FTC, and that the median individual reported loss was $2,600. The top cryptocurrencies that people reported using to pay scammers were Bitcoin (70%), Tether (10%) and Ether (9%).

Crypto scams to watch for in 2023

Financial software firm Abrigo, in a 2023 report, reiterated FTC warnings about an additional nine crypto scams that institutions and individuals should watch for this year:

  • Romance scams: Preying on relationships and can have both an investment and payment angle. In a recent note, the FTC reported that last year nearly 70,000 people reported a romance scam, and reported losses hit $1.3 billion, with a median loss of $4,400.
  • Business, government or job impersonation scams: Threat actors present themselves as trustworthy online sources and convince users to send them funds by buying crypto.
  • Rug pull scams: Investment scammers propose a new crypto opportunity or NFT that requires funding.
  • Phishing scams: Emails (or “smishing” text messages) carry malicious links that gather details like a user’s crypto wallet and other key information allowing access to the victim’s crypto.
  • Social media scams: These begin with an ad, post or message on social media, particularly Instagram, Facebook, WhatsApp and Telegram.
  • Ponzi schemes: Scammers collect funds from new investors via cryptocurrencies.
  • Upgrade scams: Consumers, accustomed to upgrades, can easily be scammed into giving up their private keys as part of an “upgrade.”
  • SIM-Swap scams: Theft of a cell phone’s SIM card can allow access via DFA to the victim’s crypto wallets.
  • Fake crypto exchanges and crypto wallets: Inexperienced crypto users may be lured into investing in a new high-value cryptocurrency exchange opportunity or a “cheap” Bitcoin that doesn’t exist.

Patel of WithSecure told TechRepublic that while there are no obvious business implications that relate to this particular scam, “both individuals and businesses should always be wary of investment schemes that look too good to be true. This is especially the case when considering anything related to crypto currencies.”

Blockchain, for better or worse, is here to stay. If you are interested in learning more about the fundamentals of the technology behind cryptocurrency, check out these blockchain development fundamentals.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday