An undetected cryptocurrency scam had exploited a network of over 1,000 deceitful websites, tricking users into a fraudulent rewards scheme since at least the start of 2021.
Trend Micro researchers published a report last week asserting that this large-scale campaign had probably conned thousands of people globally, tying it to a Russian-speaking threat perpetrator known as “Impulse Team”.
They elaborated on the scam, which was an advance-fee fraud: victims were led to believe they had won an amount of cryptocurrency, but to obtain the reward they first had to pay a small sum to register an account on the website involved.
The scam initiated with a direct Twitter message, inviting potential targets to visit the decoy site. This account, which was used for dispersing the messages, has since been suspended.
The propagated message encouraged recipients to create an account on the specified website and apply a promotional code mentioned in the message to earn a cryptocurrency reward, equivalent to 0.78632 bitcoin (around $20,300).
Once users registered an account on the counterfeit platform, they were asked to validate the account by depositing a minimal amount of 0.01 bitcoin (approximately $258) to confirm their identity and finalize the withdrawal.
The researchers remarked that although the activation amount was considerable, it looked insignificant next to the promised return. Predictably, victims received nothing after paying the activation sum.
A public Telegram channel, which documented each payment made by the victims, revealed that the illegal transactions had earned the threat actors just over $5 million between December 24, 2022, and March 8, 2023.
Trend Micro reported the discovery of hundreds of domains connected to this fraud, some of which had been active as early as 2016. All these counterfeit websites were part of an associated “scam crypto project” named Impulse, advertised on Russian cybercrime forums since February 2021.
This operation mirrored ransomware-as-a-service (RaaS) models, requiring affiliates to pay a joining fee and share a portion of their earnings with the original authors.
To lend credibility to the operation, it is believed that the threat actors created a counterfeit version of a recognized anti-scam tool, ScamDoc, which assigns trust scores to different websites. This was presumably done to portray the dubious crypto services as reliable.
In addition to this, Trend Micro came across private messages, online videos, and ads on other social networks such as TikTok and Mastodon, indicating the use of varied methods by the affiliates to promote the fraudulent activity.
According to the researchers, the threat actor facilitated operations for its affiliates by providing hosting and infrastructure, allowing them to manage these scam websites independently. Consequently, the affiliates could focus on other operation aspects, such as conducting their advertising campaigns.
The revelation of this scam was followed by the exposure of a reinvigorated Romanian cryptojacking campaign named Diicot (formerly Mexals), which employed a Golang-based Secure Shell (SSH) worm module and a new LAN spreader for propagation.
Simultaneously, a new series of cryptocurrency theft attacks by a threat actor named Pink Drainer was reported. The actor was found to impersonate journalists to take over victims’ Discord and Twitter accounts and endorse false crypto schemes.
As per data compiled by ScamSniffer, Pink Drainer had successfully breached 2,307 accounts by June 11, 2023, pilfering over $3.29 million in digital assets.
Furthermore, the previous month Elastic Security Labs detailed the deployment of an open-source rootkit named r77 to run the XMRig cryptocurrency miner in several Asian countries.
The researchers explained that the main objective of r77 was to conceal the existence of other software on a system by tapping into important Windows APIs, rendering it an ideal tool for cybercriminals seeking to carry out surreptitious attacks.
The crypto miner operators leveraged the r77 rootkit to evade detection and keep their campaign running unnoticed. Notably, the r77 rootkit is also a component of SeroXen, an emerging variant of the Quasar remote administration tool sold for a mere $30 for a monthly license or $60 for a lifetime package.