Group-IB, one of the global cybersecurity leaders, identified a massive scam campaign exploiting the names of Vitalik Buterin, Elon Musk, Michael Saylor, and other crypto enthusiasts. Between February 16 and 18, 2022, the scammers ran 36 fabricated cryptocurrency giveaway YouTube streams that attracted more than 165,000 viewers. According to Group-IB’s estimates, the wallets controlled by the scammers received more than $1.6 million in 281 transactions.
Between February 16 and 18, 2022, Group-IB's Digital Risk Protection Team first detected 36 fraudulent YouTube streams promising immediate high returns on cryptocurrency investments. The scammers reused footage of well-known entrepreneurs and crypto enthusiasts (Elon Musk, Brad Garlinghouse, Michael J. Saylor, Changpeng Zhao, Cathie Wood, and many others) from legitimate events to produce their own fraudulent streams. On average, such streams attracted between 3,000 and 18,000 viewers. One fake stream featuring footage of Vitalik Buterin drew more than 165,000 viewers, who were promised that their crypto savings would be doubled in real time.
The YouTube channels that ran these fake streams usually carried names associated with the speaker shown in the rogue video. All of these channels were supposedly either hacked or purchased on the underground market.
In the stream description, the scammers posted links to websites built to walk visitors through the mechanics of the fake giveaway. Group-IB Computer Emergency Response Team (CERT-GIB) experts initially retrieved links to 29 interconnected websites carrying instructions on how to double cryptocurrency investments. Most of the websites shared a similar eye-catching design and high-quality cryptocurrency-themed images.
Several domains often displayed the same crypto wallet address. In total, Group-IB experts detected more than 30 crypto wallets used in the scheme, with a total remaining balance of $933,963. The cryptocurrency most used by the fraudsters in the scheme was Ethereum. Within three days of monitoring (from February 16 to 18, 2022), all detected crypto wallets controlled by the scammers received 281 transactions in total, amounting to more than $1,680,000.
The fake crypto giveaway scheme is not new, but apparently it is still having a moment. Further analysis of the scammers' domain infrastructure revealed that the 29 websites were part of a massive network of 583 interconnected resources, all set up in the first quarter of 2022. Notably, three times as many domains were registered for this scheme in less than three months of 2022 as in the whole of the previous year.
Source: Group-IB’s Graph Network Analysis Tool
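As an added example, not part of the Group-IB report, the following Python script shows the kind of infrastructure pivot described above: scam domains are linked into clusters through the wallet addresses they display (a domain-wallet graph walked with union-find), so that one shared address ties otherwise unrelated-looking sites together. The domain names and wallet addresses below are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict

# Ethereum addresses are "0x" plus 40 hex digits; case only carries an
# optional checksum, so two spellings of one address must compare equal.
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample observations (domain, wallet shown on the page).
# Placeholders only: none of these are real domains or wallets.
OBSERVATIONS = [
    ("vitalik-double.example", "0x" + "1" * 40),
    ("eth-giveaway-live.example", "0x" + "1" * 40),      # shares wallet 1
    ("eth-giveaway-live.example", "0x" + "AbCd" * 10),   # also shows wallet 2
    ("saylor-btc-promo.example", "0x" + "abcd" * 10),    # wallet 2, other case
    ("unrelated-promo.example", "0x" + "3" * 40),        # no shared wallet
]


def normalize_wallet(addr):
    """Validate an Ethereum address and return its canonical lowercase form."""
    addr = addr.strip()
    if not ETH_ADDR.match(addr):
        raise ValueError(f"not an Ethereum address: {addr}")
    return addr.lower()


def cluster_infrastructure(observations):
    """Return [(sorted domains, sorted wallets), ...], one tuple per connected
    component of the domain-wallet graph, sorted by their domain lists."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:            # path halving
            parent[node] = parent[parent[node]]
            node = parent[node]
        return node

    for domain, wallet in observations:
        parent[find(("domain", domain.lower()))] = find(("wallet", normalize_wallet(wallet)))

    clusters = defaultdict(lambda: {"domains": set(), "wallets": set()})
    for node in list(parent):
        kind, value = node
        clusters[find(node)][kind + "s"].add(value)
    return sorted((sorted(c["domains"]), sorted(c["wallets"])) for c in clusters.values())


if __name__ == "__main__":
    for domains, wallets in cluster_infrastructure(OBSERVATIONS):
        print(f"{len(domains)} domain(s) share {len(wallets)} wallet(s): {domains}")
```

The same walk over real scraped (domain, wallet) pairs is how 29 seed sites grow into a map of the wider network, and a cluster's wallet list is what to hand to exchanges and blockchain analysts for tracing.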
When analyzing the scam websites promoted during the fake streams, CERT-GIB experts detected an unusual technique. Depending on the cryptocurrency and the type of crypto wallet, the scammers asked visitors to the fake giveaway website to enter their seed phrase in order to "connect" their wallet. Once a victim shares their seed phrase, the fraudsters gain full control of the wallet and can withdraw all funds from it. The exact number of victims and the total amount of stolen funds remain unknown, but clearly some victims could not resist taking the bait.
Users are advised to be especially vigilant about free giveaways and not to share confidential data on rogue websites. Double-check the legitimacy of the streams and the websites you are visiting, using official sources only. If you cannot find any information about the promotion taking place, you are likely being deceived. Seed phrases must be kept secret and stored securely; use password management tools to do so. To minimize the risk of leakage, prioritize desktop solutions over cloud-based ones.