When in doubt, use image reverse search — the case of the crypto sockpuppet and the innocent TV presenter
Sock accounts are used by bitcoin scammers as a way to establish authenticity on social media platforms.
A sockpuppet is an identity managed by a human operator, with the purpose to deceive a target audience. In this case, its purpose is to scam bitcoin investors by luring them into investment services.
If you are at all familiar with digital influence, you may be aware of sockpuppets used en-masse to ‘push’ social agendas. For the purpose of this report, you will see a real example of how a deceptive sock account is used in cryptocurrency scams.
Creating an authentic sock account
In this case, the scammer is scraping an innocent user’s Instagram data and cloning it to establish an authentic platform to lure potential cryptocurrency investors.
Often, it will exist in a network of other socks creating hype and mutual encouragement of success, as well as showing peer-reviewed success — all of which are simulated by a host.
A victim of this sock contacted me about a sum of money sent to Bhira Howes, a ‘cryptocurrency trader’ (pictured below).
The victim’s transaction went from the ‘trader’ Instagram account, through to a bitcoin tumbler to anonymise the transfer. Needless to say, it was clear the money would not be invested.
Common sock accounts are built using original images from an authentic account.
In this case, the TV presenter has also been a victim by having her account cloned.
The real account was located using a Yandex image reverse search with a clear image.
This led to a website on Christmas swimsuit sweaters, which, in turn, led to a news article providing the name of the real account.
The cloned account deceiving crypto investors
In this case, scammers have set up an Instagram scrape to re-upload content from a select account. The scrape has been leaving the tags of locations, friends and uses the same caption in many of the images.
Unfortunately for this innocent TV presenter, she has been the subject of this sock account since the beginning of this year.
A further element to establish the authenticity of the clone account is the use of Instagram’s video stories. In common scam accounts a video story would not be a feature due to the deceptive nature of the sock’s host.
In this case, video content is captured and re-uploaded to support the nature of the sock.
Blockchain forensics — where does the money go?
The nature of this sock is to act as an investment agent to ‘increase’ the outcome of personally managed cryptocurrency investments.
Images have been used on the account to create an illusion of ‘success’ with investment charts and payouts.
For the deceptive services, the conversation happens via Instagram DM — where referrals are made to send money to an address ending in FNEU.
From the volume of transactions coming into FNEU, there is no doubt that there are a number of successful crypto scam socks harvesting financing into this catch-all account.
Here is a six day blockchain screenshot to show a sample of the range of sizes of transactions the account receives:
So far, it has received 3.8 BTC (USD$24,843 value as of date of publication).
The return of the CbwP and 85oC addresses
If you have been following this field before, you may recognise these bitcoin addresses.
In a report on kidnappers, jihadists and scammers, I identified these addresses as being bitcoin tumblers that scramble bitcoin transactions to ‘confuse’ transactions made to the tumbler. It is a service used by criminals on the blockchain to ensure their anonymity.
Verification of cryptocurrency scam accounts
This report shows that verification procedures should be undertaken if there is any concern over the validity of a trader or account.
Verification can be performed through a simple Google search, or BitcoinWhosWho to identify scams.
If you identify cloned and sock accounts such as in this case, report it to the original owner of the images and to the social media platform.
UPDATE TO THE REPORTED ACCOUNT
Instagram have responded to the reporting of this account — so far, they have found it “does not violate” their “Community Guidelines”.