Introduction
With the economic slowdown and sluggish market momentum, we’re all in trying times. If people are presented with an opportunity to build additional wealth through investments, chances are they’ll take it. Unfortunately, not all opportunities presented are legit.
In recent years, investment scams have become a significant threat to businesses and customers, moving up the rank as the top-earning cybercrime category (costing victims over $3.3bn in 2022), according to the FBI.
Needless to say, businesses that scammers impersonate are hard hit, as their brand name is misused to perpetrate fraud. This can tarnish a brand’s reputation and cause distrust among customers. Additionally, there are legal and financial implications that follow, such as being obligated to reimburse victims of fraud and scams (unless a customer acts fraudulently or shows “significant negligence”), spending resources in fraud investigations, and being subjected to the scrutiny of regulators.
Previously, Group-IB investigators documented the scope and scale of the well-organized illicit business of CryptosLabs. In this latest blog post, Group-IB’s investigators reveal previously unknown details about their scam ring such as the early stages of the syndicate, the scammer’s side of the scheme, a detailed analysis of their major weapon (CryptosLabs scam kit), and demonstrate how to mitigate the impact caused by the scheme.
What is CryptosLabs?
CryptosLabs is a threat group discovered by Group-IB in late 2021. In late 2022, Group-IB’s team of threat analysts provided technical insights about the group’s massive fake investment schemes running since 2018, exploiting victims for millions of euros.
The scam syndicate targeted French-speaking individuals in France, Belgium, and Luxembourg by mimicking well-known banks, fin-techs, asset management firms, and crypto platforms for years.
Their investment scam network infrastructure had over 350 scam domains hosted on 80 servers, operated by a hierarchy of kingpins, sales agents, developers, and call-center operators who collectively could have earned as much as €480 million since its launch, according to Group-IB European Cyber Investigations team’s estimates.

Fig.1: CryptosLabs profile
CryptosLabs scam campaign highlights (Key findings)
- CryptosLabs targets French-speaking victims in Europe
- The scheme impersonates over 40 well-known brands from France, Belgium, Luxembourg, Germany, and the Netherlands
- CryptosLabs have been operating for over 4 years
- 480 million euro estimated losses
- Group-IB detected 350 scam resources and over 80 servers hosting the campaign
- The gang’s major weapon is a customizable “scam kit”
- Group-IB investigators share their findings about the group with law enforcement
Lucrative investment schemes: how does CryptosLabs scam people?
When someone extends investment offers that sound ‘too good to be true,’ one should be suspicious. CryptosLabs chose this very conventional yet potent technique to run their scam operation. They reach out to the victims through advertisements on various platforms (from black hat SEO to social media, including certain forums dedicated to online investments) and assure them that they are an “investment division” of the impersonated organization and present them with lucrative investment plans.
To build social proof and win victims’ trust, the cybercriminals use a custom fake investment platform imitating the client’s investment environment and demonstrating “phantom earnings,” to encourage victims to register on the platform.
Once the victim is tricked into giving out their contact details, they are contacted by call-center operators who verify the information and clarify further steps, explaining how the platform works, and providing credentials to start trading.
After logging in, the victims deposit funds on a virtual balance. They are then shown fictitious performance charts that trigger them to invest more for better profits until they realize they cannot withdraw any funds even when paying the “release fees.”
This is when the scam ends, with the victim losing significant amounts of money in the process.
Schematically, the victim’s fraudulent journey looks like this:

Fig.2: A victim’s fraudulent journey in the CryptosLabs scheme
Why is the CryptosLabs scam so successful in Europe?
There are several reasons why CryptosLabs was able to victimize many French-speaking Europeans. Firstly, there is low awareness among the population about the various types of fraud, which underscores the need for a stronger push for vigilance and improved awareness around cybercrimes.
Secondly, CryptosLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as “managers” and creating fake landing pages, social media ads, documents, and investment platforms in the French language. They even impersonated French-dominant businesses to resonate better with their target audience and exploit them more successfully.
Thirdly, the barrier to entry for cybercriminals is generally low, as there are many tools and kits available that do not require sophisticated expertise. Fourthly, cybercriminals can easily attract victims through advertisements on social media, search engines, etc., as victims seeking investment opportunities often assume that these advertisements are legitimate and do not question them. This gives the scammers leeway to generate illicit gains, just like CryptosLabs, who played on the gullibility of the victims to rob them of millions of euros.
Lastly, brands often face challenges when it comes to fighting scams. Factors such as lack of expertise and resource constraints can hinder their efforts. However, with Group-IB’s Digital Risk Protection, organizations gain access to scam intelligence that goes beyond detecting scams to uncovering scam schemes, scammers’ behavior, and tool development – all to improve detection, build concrete evidence, and fast-track takedowns.
The right knowledge combined with the solid investigation and evidence-building capabilities of Group-IB cybercrime investigators can combat the most persistent risks targeting businesses, by revealing their scam enterprise and assisting organizations in bringing perpetrators to justice.
Caught in the act: Group-IB unraveled CryptosLabs’ scam ring
In the summer of 2021, upon Group-IB’s first encounter with CryptosLabs, it was observed that the threat actor used its own scam kit to set up websites that impersonate European companies primarily from the financial and asset management sectors. At first glance, some of the detected resources looked like phishing, but in fact, it was just a piece of a different puzzle.

Fig.3: A fake investment platform created by CryptosLabs
On closer inspection, it turned out that those pages were not phishing, but login interfaces of scam investment platforms – fake websites run by fraudsters to deceive victims and feed them an illusion of good investment results in order to pull money out of their pockets.
Victims would think the sites were legit and use them to keep an eye on their “investments,” interact with “investment managers” and transfer their investments directly to the criminal’s pocket. Furthermore, network infrastructure research showed that those pages were part of a large-scale investment scam campaign launched back in 2018.
The early days of CryptosLabs
CryptosLabs wasn’t always a scam enterprise. Analysis of the connected network infrastructure and other assets allowed us to understand when and how it came into being.
The first signs of their activity were traced back to 2015. From 2015 to 2018, CryptosLabs operators were still exploring their niche in the diverse world of cybercrime. We observed many of their unfinished projects: CRM, email, landing pages, and other services connected to the malicious infrastructure later used in the investment scam campaign.

Fig.4: Connections between legitimate infrastructure and fraudulent CryptosLab domain names

Fig.5: One of the unfinished threat actor’s projects
Establishing a firm footing in the world of cybercrime
CryptosLabs turned to investment scams in April 2018, when they found their path and started preparing for the campaign: deploying control panels, testing investment terminals, and registering domain names. Group-IB analysts identified dozens of test interfaces and investment platforms having precisely the same indicators as the ones from the CryptosLabs campaign but without signs of brand impersonation. All of it was forgotten and abandoned by the threat actor, and it came in handy during the research and attribution.

Fig.6: Test interfaces created by CryptosLabs with the same indicators as their scam campaigns
In the same month, the first fraudulent domain names that Group-IB investigators attribute to the CryptosLabs campaign were registered:
- сrypto-profits[.]net (Shinjiru Technology Sdn Bhd, reg date: 03.04.2018);
- crowdfunding[.]financial (Namecheap, reg date: 03.04.2018).
Within three months, this grew to 25 domains. In June 2018 the first CryptosLabs scam landing page was detected in the wild, and the campaign began.
In the next two years, the threat actor started to expand the scale of its campaign and by the end of 2020, CryptosLabs accounted for about 150 fake investment platforms deployed. At the beginning of 2023, the CryptosLabs campaign included 350 domain names and more than 80 servers were hosting the campaign as stated previously, with the losses amounting to half a billion at the time.

Fig. 7: Timeline of the expansion of CryptosLabs campaigns
How ‘organized’ is CryptosLabs?
During the research, Group-IB analysts discovered not only the network infrastructure used for hosting the campaigns but also dug up some interesting details about the criminal ring itself. A chain of fake identities, email addresses and even legal entities tied to the campaign led us to the assumption that CryptosLabs is a well-organized criminal group with an established team covering all main aspects of the investment scam. This information was shared with law enforcement.
Using several legal entities, CryptosLabs operators were advertising the “legal” part of their business and searching for employees to work on developing and administering their scam campaigns.
This also led us to understand how CryptosLabs structured their illicit operations:
- the main organizer of the scam enterprise
- developer and administration team (to develop the tools and maintain the network infrastructure)
- call center workers – fraudsters pretending to be “investment managers”
- money laundering part – an internal or external group of criminals facilitating the money mule network to withdraw and launder stolen money
Interestingly, the scam organizers used legal entities to officially hire “employees,” so some of their members might not understand what they stepped into.

Fig.8: A supposed structure of the CryptosLabs group
CryptosLabs scam kit: an all-purpose weapon that made their campaigns especially effective
Despite the strong regional focus, impersonation of famous local brands, and diversified criminal ring structure, CryptosLabs also put efforts into the development of their scam arsenal and created the CryptosLabs scam kit.
CryptosLabs’ scam kit is basically a set of tools developed by criminals to run, manage and scale their investment scam campaigns.
Based on our observations of the threat actor’s operation infrastructure, CryptosLabs scam kit’s main features include:
- multi-stage victim journey with separate environments (scam landing page, login interface, client portal)
- templated fake investment platform deployment (100+ templates, customizable design, and logos)
- 17 variations of the client’s investment interface including trendy NFTs and crypto
- manual user account approval
- administration interfaces for scammers, including messaging capabilities, control panel, email service, etc.
A victim’s path through the scam kit’s prism
The first part of the CryptosLabs scam kit is devoted to the victims. Once a victim falls into the CryptosLabs trap, they usually go through three main stages of the kit to finally reach the final destination – transferring money to the criminals.

Fig 9: All the stages of the CryptosLabs scam kit
Pre-stage

Fig 10: CryptosLabs social media advertising to lure victims
The victim’s path in this scheme begins with scam advertisements distributed by fraudsters through social media, third-party traffic arbitrage, investment forums, and even search engines. The CryptosLabs campaign doesn’t seem special in this aspect. As soon as fraudsters get the victim’s attention and/or contact details, they direct the victim to the next part – the CryptosLabs scam landing page.
Stage 1 – Scam landing page
URL pattern: *domain name*/landing/
A scam landing page is usually just a webpage with the same style and logo as an impersonated organization, and serves one purpose – to persuade the victim of its authenticity and collect their data for further contact.

Fig. 11: The scam landing page
Once the victim is led to a scam landing page, they’re asked to leave their email, name, and phone number so scammers can reach out and talk them into joining their investment platform. After the conversation, the victim is provided with credentials from a fake investment portal and can proceed to the next stage in the victim’s journey – the login interface.
Stage 2 – Login page
URL pattern: *domain name*/login.php
Apart from the credentials, fraudsters also provide victims with an investment platform address. Following that, they finally enter the CryptosLabs login interface – a simple-looking authorization page used as a gate to the final stage – a fake investment portal.

Fig. 12: The authorization page that prompts victims to the investment portal
Since the login interface is the last barrier before the environment where the main part of the scam is happening, CryptosLabs operators try to protect it as much as they can by:
- distributing infrastructure for hosting different parts of fraudulent campaigns
- using an “unsuspicious” domain name without the brand’s keywords (they instead put the keywords in a subdomain)
- omitting the brand’s logo and favicon, leaving only its style and colors
- requiring manual account approval for all registered users
Despite its visual simplicity, it actually has a huge role in the process of campaign detection and investigation. By monitoring and hunting for these pages, it is possible to identify fake investment platforms, research their infrastructure and connected assets to uncover new ones and then proactively take them down to minimize impact. (Find more about CryptosLabs investment platform hunting indicators at the end of the blog).
Stage 3 – Client Portal
URL pattern: *domain name*/client/*related page*
The victim’s final destination in the whole chain is a client portal (the fake investment platform itself). Those victims who make it this far can see the account “balance” and lucrative investment opportunities in stocks, crypto, and NFTs, and can contact their “personal manager” at their convenience.

Fig.13: CryptosLabs fake investment platform (client’s portal)
The fake platform does everything to keep the victims happy by showing them made-up exponential growth curves, encouraging them to deposit more funds to multiply their investments. Those who decide to exit and withdraw money are drawn into another scam. The personal manager informs the victim that their money is frozen by the processing bank and that they need to pay a “fee” to receive the money.
Once paid, the scammers disappear with all the money and the journey stops.
Scammer’s tools
The CryptosLabs scam kit consists not only of website templates to keep victims in the scheme but also includes specific instruments for the scammers to manage campaigns maximizing their scalability and flexibility. During our investigation, we found lots of different services and interfaces deployed by CryptosLabs to support their scam operations.

Fig. 14: Different interfaces deployed by CryptosLabs to create and manage scam campaigns
Invest platform CRM
The first tool in the CryptosLabs operator’s arsenal is a custom CRM platform. The centralized interface was hosted independently. Its major functions include:
- adding/removing domains, assigning “managers”
- approving new users; assigning user roles; setting and changing permissions, passwords, and contact information; sending password reset emails, etc.

Fig. 15: A CRM originally created for other projects but pivoted to manage scam campaigns
This particular version of the CRM looked abandoned and didn’t contain a lot of data. According to some legacy features, the tool was developed for previous projects and has been subsequently repurposed to manage scam campaigns.
Landing page builder
Going further, CryptosLabs developers added a web-based landing page builder to their arsenal. It allows fraudsters to build and customize scam landing pages using 100+ different templates and design elements within minutes and immediately deploy them. We identified at least 2 different servers to host the CryptosLabs landing page builder.

Fig. 16: Landing page constructor tool
Leads control panel
URL pattern: *domain name*/ui.php
This interface was present on every CryptosLabs scam platform and could be used by scammers (callers) for controlling the “leads” and granting access to the portal. It doesn’t seem to be in use currently, but the existence of this panel is a strong indicator that the scam site is related to the CryptosLabs campaign.

Fig. 17: CryptosLabs leads control panel
Communication tool
Several CryptosLabs websites contained a separate interface called “project VoIP” which makes us believe that the scammers also set up their own VoIP service to communicate with victims in real time using the same platform.

Fig.18: VoIP interface observed on CryptosLabs domains
The JS scripts found on all fake investment platforms also mention this interface, confirming that it is a part of their scam kit.

Fig. 19: VoIP tool mentioned in JS scripts observed on the CryptosLabs domains
Protect your customers from falling victim to CryptosLabs investment scam
A lot of customers can fall for opportunities promising quick gains or exaggerated returns, such as investment scams. Therefore, it is vital to understand how prolific scam campaigns are orchestrated.
Analyzing CryptosLabs, it is evident that the threat group has given its activities a well-established structure in terms of operations and headcount, and is likely to expand the scope and scale of its illicit business in the coming years.
So, for businesses to stay resilient against CryptosLabs and other emerging scammers, Group-IB encourages business-wide awareness and adoption of next-gen cybersecurity technology for comprehensive protection.
The foremost step is to create a robust scam mitigation strategy. For protecting users from CryptosLabs or similar scam enterprises, businesses could follow this 3-step protection approach:
Step 1: Proactive Fraud Monitoring and Takedowns
Safeguarding users and organizations requires a proactive approach to identifying and removing fraudulent resources, such as fake investment platforms, scam ads, fake landing pages, etc. Through Group-IB’s next-gen Digital Risk Protection, organizations can enable proactive monitoring and real-time takedowns of fraudulent activities.
Step 2: Preventing Transactions to Fraudsters’ Owned Accounts
In many cases, fraudsters establish money mule accounts within the same financial organization they are impersonating, making it crucial to detect and block such accounts. Through Group-IB Fraud Protection, organizations can conduct transactional and sessional data analysis to identify fraudulent accounts and map the networks of money mules.
Powered by an explainable AI, Fraud Protection Global-ID can help banks detect mule account networks by identifying devices that have been used to create or take control of mule accounts. This can be done by tracking the device characteristics, such as its hardware, IP addresses, browser fingerprints, operating systems, etc., that access bank accounts.
If a single device is used to create or control multiple accounts, this may be a sign that a mule account network is being set up. It is then possible to neutralize the mule account while it is still in its warming phase.
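The device-to-account linkage described above, as an added example (not Group-IB's product logic or code from the original post). It goes one step beyond the single-device case by merging accounts transitively through any shared device. The event tuples, the `dev-*`/`acc-*` identifiers and the `min_accounts` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed session events: (account_id, device_fingerprint, action).
EVENTS = [
    ("acc-101", "dev-A", "create"),
    ("acc-102", "dev-A", "create"),
    ("acc-102", "dev-B", "login"),
    ("acc-103", "dev-B", "login"),
    ("acc-200", "dev-C", "create"),
    ("acc-201", "dev-D", "login"),
]


def accounts_by_device(events):
    """Map each device fingerprint to the set of accounts seen on it."""
    by_device = defaultdict(set)
    for account, device, _action in events:
        by_device[device].add(account)
    return by_device


def shared_devices(events):
    """Devices that created or accessed more than one account."""
    return {d: sorted(a) for d, a in accounts_by_device(events).items()
            if len(a) > 1}


def _find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def mule_clusters(events, min_accounts=3):
    """Group accounts linked directly or transitively by shared devices.

    min_accounts is a hypothetical review threshold, not a value from
    the article.
    """
    by_device = accounts_by_device(events)
    parent = {acc: acc for acc, _dev, _act in events}
    for accounts in by_device.values():
        first, *rest = sorted(accounts)
        for other in rest:
            parent[_find(parent, other)] = _find(parent, first)
    clusters = defaultdict(set)
    for account in parent:
        clusters[_find(parent, account)].add(account)
    result = []
    for members in clusters.values():
        if len(members) >= min_accounts:
            devices = sorted(d for d, a in by_device.items() if a & members)
            result.append({"accounts": sorted(members), "devices": devices})
    return sorted(result, key=lambda c: c["accounts"])


if __name__ == "__main__":
    print(shared_devices(EVENTS))
    print(mule_clusters(EVENTS))
```

Neither `dev-A` nor `dev-B` alone touches three accounts, yet the cluster contains three because `acc-102` bridges both devices.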
Step 3: Investigating and Prosecuting Bad Actors
To effectively mitigate scams and protect more users, it is important to focus efforts on investigating the most impactful campaigns and stopping the threat actors behind them. As part of our commitment to fighting cybercrime, Group-IB provides comprehensive cyber investigation services where our team conducts deep investigations into scam schemes, gathers in-depth insights into the threat actors’ motivation, tactics, plans, and instruments, eventually unravels their identities, and collaborates with law enforcement agencies. By targeting the actors behind the threat, we ensure that scams are disrupted and their impact is minimized.
As cybercriminals get more sophisticated, finding newer ways to siphon off public money, it is essential for businesses to constantly assess current risks, alert and educate stakeholders and leverage the right technology to dodge massive losses from these scams. Through our proactive digital risk protection, fraud protection solutions, and comprehensive investigations, we empower organizations to stay undisrupted.
IOCs
CryptosLabs fake investment platform indicators:
| Indicator type | Value | Comment |
|---|---|---|
| Static file | sha256:cc1c86e1a0de68e78e54a048180ba31edfc0a49838d6e333f57385c841ce8a6a | File variants may appear |
| URL pattern | */login.php | This may be subject to change |
| HTML title | “Connectez-vous à votre compte” | This may be subject to change |
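One way to apply these indicators, together with the kit's URL patterns and the brand-in-subdomain habit described earlier, to crawl data during monitoring. This is an added example, not Group-IB's tooling. The record layout, the strong/weak weighting, the two-label registered-domain shortcut and the sample hosts are assumptions constructed for illustration.

```python
import re
from html import unescape
from urllib.parse import urlsplit

# Indicators copied from the IOC table and URL patterns in the article.
KIT_SHA256 = "cc1c86e1a0de68e78e54a048180ba31edfc0a49838d6e333f57385c841ce8a6a"
KIT_TITLE = "connectez-vous à votre compte"
EXACT_PATHS = ("/login.php", "/ui.php")
PATH_PREFIXES = ("/landing/", "/client/")
# Assumption (added here): the static file hash and the /ui.php leads panel
# are strong hits; the other patterns are weak because they may change.
STRONG = {"sha256", "path:/ui.php"}
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(html):
    """Return the <title> text, whitespace-collapsed and case-folded."""
    m = TITLE_RE.search(html or "")
    return " ".join(unescape(m.group(1)).split()).casefold() if m else ""


def brand_in_subdomain_only(host, brands):
    """Brand keywords present in the subdomain but not the registered domain.
    Assumption: registered domain = last two labels (no public-suffix list)."""
    labels = host.casefold().split(".")
    registered, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    return sorted(b for b in brands if b in sub and b not in registered)


def match_indicators(record, brands):
    """Return the sorted list of indicators one crawl record matches."""
    hits = set()
    parts = urlsplit(record["url"])
    for path in {parts.path or "/", *record.get("paths", [])}:
        if path in EXACT_PATHS:
            hits.add(f"path:{path}")
        for prefix in PATH_PREFIXES:
            if path.startswith(prefix):
                hits.add(f"path:{prefix}")
    if page_title(record.get("html", "")) == KIT_TITLE:
        hits.add("title")
    if KIT_SHA256 in {h.lower() for h in record.get("file_hashes", [])}:
        hits.add("sha256")
    for brand in brand_in_subdomain_only(parts.hostname or "", brands):
        hits.add(f"brand-subdomain:{brand}")
    return sorted(hits)


def is_candidate(hits):
    """Queue for analyst review on any strong hit or two or more weak ones."""
    return any(h in STRONG for h in hits) or len(hits) >= 2


# Constructed crawl records (not real observations); hosts use reserved names.
SAMPLE = [
    {"url": "https://examplebank.invest-portal.example/login.php",
     "html": "<head><title> Connectez-vous à votre compte </title></head>",
     "paths": ["/ui.php", "/client/dashboard"], "file_hashes": []},
    {"url": "https://shop.example/login.php",
     "html": "<title>Sign in</title>", "paths": [], "file_hashes": []},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        hits = match_indicators(rec, brands=["examplebank"])
        print(rec["url"], hits, "review" if is_candidate(hits) else "ignore")
```

A lone `/login.php` match is left out of the review queue, since that path is common on legitimate sites.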