Anatomizing CryptosLabs: a scam syndicate targeting French-speaking Europe for years

Group-IB, one of the global leaders in cybersecurity, uncovered an investment scam ring fooling users in France, Belgium, and Luxembourg into voluntarily transferring money to fraudsters. The gang, codenamed CryptosLabs by Group-IB’s Digital Risk Protection team, has been running a massive fake investment scheme since at least 2018. CryptosLabs is a well-organized illicit business with a hierarchy of kingpins, sales agents, developers, and call-center operators that collectively could have earned as much as €480 million since its launch, according to Group-IB’s rough estimates. Group-IB was able to track down a complex network infrastructure of over 300 scam domains hosted on 70 servers, as well as the gang’s major weapon, the CryptosLabs scam kit. To lure victims onto fake investment portals, the scammers have been impersonating 40 popular European brands from the banking, fin-tech, crypto, and asset management industries. Group-IB’s Europe HQ team in Amsterdam proactively notified these companies about the scam campaign so they could mitigate the threat and shared its findings on the scammers with French law enforcement.

Why choose CryptosLabs?

As Group-IB’s cyber investigators revealed, CryptosLabs began its operations in 2018. Its unusual name comes from an early scam website template used by the gang. The scheme that underlies the gang’s operations is an advanced variation of the fake investment scam described by the Group-IB Computer Emergency Response Team (CERT-GIB) in July.

Figure 1. CryptosLabs average victim journey

Right out of the blocks, the victims are promised high returns on their capital. To find the “investors”, scammers leave messages on dedicated investment forums or use legitimate advertising mechanisms on social media and search engines to promote the scheme. To appear trustworthy, such ads feature logos of notable banking, fin-tech, crypto, and asset management companies active in France, Belgium, and Luxembourg.

Upon clicking the ad, the users are taken to a branded scam page. The Group-IB team identified over 300 affiliated domains impersonating 40 popular companies primarily from the financial and asset management sectors. The pages use slightly different templates but share identical JavaScript code, static files, and similar domain naming conventions (*secure*, *fr*, *mon*, *access*), which allowed Group-IB to attribute them to a single threat actor.
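The attribution signals named above (identical static files plus shared naming tokens) can be turned into a simple clustering check. This is an added example, not Group-IB's tooling: the domains, asset contents and the `min_shared` threshold are constructed assumptions, and only the four naming tokens come from the report.

```python
import hashlib
import re
from itertools import combinations

NAMING_TOKENS = {"secure", "fr", "mon", "access"}  # tokens listed in the report

# Constructed asset bodies: two "kit" files and a stand-in for a public library.
KIT_JS = b"function sendLead(f){/* constructed kit script */}"
KIT_CSS = b".lead-form{display:block}"
PUBLIC_LIB = b"/* constructed stand-in for a widely used library */"

# Constructed crawl results (domain -> {path: body}); not real indicators.
CRAWL = {
    "secure-bank-fr.example": {"/js/app.js": KIT_JS, "/css/main.css": KIT_CSS, "/index.html": b"<h1>Bank A</h1>"},
    "mon-invest-access.example": {"/static/a.js": KIT_JS, "/static/b.css": KIT_CSS, "/index.html": b"<h1>Fund B</h1>"},
    "fr-crypto-secure.example": {"/js/app.js": KIT_JS, "/css/main.css": KIT_CSS, "/lib/lib.js": PUBLIC_LIB},
    "bakery-blog.example": {"/lib/lib.js": PUBLIC_LIB, "/index.html": b"<h1>Bread</h1>"},
}

def fingerprints(assets):
    """Hash bodies, not paths, so renamed or moved files still match."""
    return {hashlib.sha256(body).hexdigest() for body in assets.values()}

def naming_hits(domain):
    """Return the report's naming tokens that appear as whole labels in the domain."""
    return NAMING_TOKENS & set(re.split(r"[.\-]", domain.lower()))

def cluster(crawl, min_shared=2):
    """Group domains sharing at least min_shared identical assets (union-find)."""
    fps = {d: fingerprints(a) for d, a in crawl.items()}
    parent = {d: d for d in crawl}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path compression
            d = parent[d]
        return d

    for a, b in combinations(crawl, 2):
        if len(fps[a] & fps[b]) >= min_shared:
            parent[find(a)] = find(b)

    groups = {}
    for d in crawl:
        groups.setdefault(find(d), []).append(d)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    for group in cluster(CRAWL):
        for d in group:
            print(d, sorted(naming_hits(d)))
```

Requiring two or more shared files keeps the unrelated site, which only has the public library in common, out of the cluster; lowering `min_shared` to 1 would wrongly merge it.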

Figure 2. CryptosLabs in numbers

At first glance, some of the detected resources looked like ordinary phishing pages impersonating a very well-known fin-tech company. Further examination revealed that it was a small piece of a very big pie. By jumping down the rabbit hole, Group-IB experts discovered that fake branded websites were designed so that the victims could leave their contact details.

Figure 3. The scam page on which the victim is asked to leave contact details

Interestingly, the victim doesn’t get immediate access to a fake investment platform. The scammers’ call center verifies the information to identify the most likely targets. Masquerading as personal managers of investment divisions of the companies that victims saw on the social media ads, call-center operators reach out to the victims to clarify further steps, explain how the platform works, and provide credentials to start trading.

Bulls only

After successfully logging into an investment portal, the victim sees multiple made-up graphs and charts all indicating sky-high returns and growth stocks. After some time, the victim is contacted by a “personal manager” again to sign a fake engagement document and make a €200-300 deposit to activate the account. Once the victim pays, the money goes straight into the scammers’ pockets. The victim is finally granted full access to a branded fake trading platform. Those who make it that far can see the account balance and multiple juicy investment opportunities in stocks, crypto, and NFTs, and can contact their “personal manager” at their convenience. Some panels seen by Group-IB offer victims up to 17 different investment strategies.

Figure 4. The interface of the fake trading platform

The fake platform does everything to keep the victims happy by showing them made-up exponential growth curves and encouraging them to deposit more funds to multiply their investments. Those who decide to exit and withdraw money are not let go without a finishing stroke. The personal manager informs the victim that their money got frozen by the processing bank and that they need to pay a “fee” to receive the money. Once paid, the scammers disappear with all the money.

“The Group-IB team is aware of at least 20 victims from France who signed up with the same trading platforms and collectively handed over €280,000 to the scammers. In one case, known to Group-IB, a victim of an investment scam operated by a different group lost more than €1,500,000. Based on Group-IB’s rough estimates CryptosLabs’s all-time earnings could be as high as €480 million.”

Anthony Abihssira

Digital Risk Protection Analyst at Group-IB Europe

Anatomizing CryptosLabs

The analysis of the related network infrastructure allowed Group-IB investigators to trace the gang’s roots back to 2018, when the first domain attributed to CryptosLabs was registered. At the moment, their infrastructure combines over 300 domain names hosted on 70 different servers, as shown by Group-IB’s Unified Risk Platform.

Figure 5. CryptosLabs network infrastructure as shown by the Group-IB Graph Network Analysis tool

The gang’s major weapon and one of the driving forces behind their phenomenal persistence is the CryptosLabs scam kit. This set of tools has been developed to automate the deployment of scam websites using over 200 branded templates, and the kit makes it possible for scammers of lower ranks to set up a website within minutes. The kit also includes the tools to facilitate the fraudsters’ interactions with the victims such as a CRM platform with all the victim profiles, a panel to distribute the new “leads”, and IP telephony and chat tools to communicate with the victims in real-time.

Figure 6. CryptosLabs “leads” panel

“From an operational perspective, CryptosLabs is a well-organized and fully automated profitable IT business. It is one of the few scam-as-a-service operations that has such a clear geographical focus on France, Belgium, and Luxembourg. Sophisticated investment scams like this are not only a threat to regular users who lose thousands of euros every day, they represent an imminent and credible risk to companies whose brands are being abused by the scammers. It’s in their power to constantly monitor and investigate such scams as no user alone can take down a prolific scam operation.”

Anton Ushakov

Head of cyber investigations at Group-IB Europe

A comprehensive corporate scam mitigation strategy involves a two-phase approach: proactive scam detection and takedown using advanced Digital Risk Protection solutions, followed by investigation of schemes and prosecution of scammers together with law enforcement organizations to eliminate the networks completely.

Investment scam checklist for regular users:

  1. Stay vigilant. You are probably more likely to be scammed online than robbed on the street these days. Treat any branded external communications, advertisement, message, or call with suspicion. It is better to be safe than sorry when it comes to your personal finances.
  2. Verify the source. Users should always check the domain of the URL to verify if it’s the official website before sharing any information. If you are not sure about the legitimacy of the company, take some time to research it. The devil is in the details. Google the organization’s name and URL, and look for reviews. You can also check government-run databases of fraudulent websites in France, Belgium, and Luxembourg.
  3. Think twice before you pay. It is almost impossible to get your money back. Legitimate financial organizations never request p2p or direct debit/credit card transfers. Carefully check whether the details of the legal entity you are about to pay match the ones provided on their official website.
  4. Don’t stay silent. Scams thrive on our silence. When you realize you’ve become a victim of a scam, make sure to report it to the police. Provide as many details as you can so that investigations can get underway, and perpetrators can be brought to justice.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.