Rolling up the Cointellect scam

dniviE
6 min readAug 26, 2014

--

I work part-time at a digital currency exchange and a few days ago I got messages from several users that reported their funds getting maliciously withdrawn from their accounts. Not only that, users also reported that their desktop and web-based Bitcoin-wallets were compromised and emptied of their funds and that their Stellar-accounts had been emptied out. Only one of the users reported that this had happened after he signed up to and downloaded the software of a new fancy cloud mining provider — Cointellect.

There webpages are sleek and well-designed, I’ll give them that. However, since my users had reported bad things happening after signing up I was wary. I first checked their SSL-sertificate. Sure, it seemed legit, just that it didn’t belong to anyone. So, first warning sign: check.

Sorry for the Norwegian, it says: “You are connected to cointellect.com which belongs to (unknown)”.

I then proceeded to check if they actually had miner software on their webpage. They indeed do. And it looks fancy, way fancier than any other miner software out there. It has gimmicky graphics which no other miner software has, which leads me to believe that they want to lure new users to use their software because it is so fancy. Warning sign two: check.

Miner software way beyond the fanciness of any other miner software and with gimmicky features.

Next I scanned their miner software with VirusTotal. The report first looked like it was okay, but I went to the detailed report and it reported five possibly malicious parts of the installer:

Suspicious_GEN.F47V0819

Hacktool.Win32.BitCoinMiner.bAM

Artemis!830C7AE47D8D

a variant of Win32/BitCoinMiner.AM

The full report can be found here: https://www.virustotal.com/en/file/f7650cbae465847c493c6ee85479d8e1ea159124021d288755eca8827e97bc00/analysis/1409061088/

So, warning sign three: check.

Next I decided I’d check their Twitter-account to see if anything was fishy with it. Well, they have 2600 followers, pretty decent. But, hey — wait — their account was created the 11th of July and their first tweet was posted the 11th of July as well. That’s suspicious considering most cryptocurrency/Bitcoin-startups have problems reaching that many followers in that short amount of time. The exchange I work, has existed for over a year and still has not crossed 1000 followers. In fact, we have been stuck below 800 for a while now. It makes absolutely no sense that a startup in the cryptocurrency/Bitcoin-sphere has gained 2600 followers in less than two months when others struggle to reach 800. Also, the fact that their Twitter-account has only tweeted 61 times and has 2600 followers is suspicious.

So, warning sign four: check.

@CointellectHelp’s Twitter stats. 61 tweets, 2500+ followers in less than two months for a small cryptocurrency startup. Certainly smells fishy.

Delving deeper into their Twitter-account reveals that surpringly many of their followers have never sent out a single tweet and follows 500+ Twitter-accounts. Here are five such accounts:

https://twitter.com/dorothy14809773

https://twitter.com/gbyj8nion96btoy

https://twitter.com/deborah12169727

https://twitter.com/igc7dbga2nw6rz5

https://twitter.com/kipmk14

If you’d like to take a look for yourself, head over to the Followers-section of @CointellectHelp: https://twitter.com/CoIntellectHelp/followers

So, warning sign five: check.

After I’d had enough of looking through the Twitter-profile and the fake followers, I decided I’d do a Google-search for “Cointellect”. Turns out that this new and small mining startup has tons of references on the web. And, I am not just talking a few references and posts on the web, I am talking hundreds. Google turned up ten whole pages with forum-posts in foregin languages, obscure websites and some cryptocurrency blogs and newssites. Most of the results were plain forum postings advertising the service and people asking for others to sign up through their referral.

Below are links to five examples:

http://www.payout.cz/ostatni-f27/cointellect-mining-done-richt-t2026.html

http://www.guadagnolandia.it/sito-guadagno-470

http://bestemoneys.com/job-other_cointellect-com.html

http://www.techgyd.com/cointellect-doge-mining-hashing/13530/

http://www.dailydoge.org/2014/08/23/dogecoin-cloud-mining-cointellect-review/

For the Daily Doge, I contacted the adminstrator and told him about what I’d found. He responded with this:

Thanks for your comment. I didn’t approve it because it isn’t accurate. Cryptocurrency wallets and mining software have always tested as false positives on websites like VirusTotal. It doesn’t necessarily mean the application is actually a virus.

Please see:

https://bitcointalk.org/index.php?topic=314046.0
https://cryptocointalk.com/topic/3780-btcs-masthead-v12-whirlwind/?p=60782

Even open source mining software like GUIMiner is often detected as a “virus”

https://github.com/Kiv/poclbm
https://www.virustotal.com/en/file/6e96a70f816f9dd25858b5fe9b83ead86bbdef53a58b15e1b6da2ae6ff4611f5/analysis/

As you can see, this problem isn’t exclusive to CoIntellect’s software. Scan any popular mining software or cryptocurrency wallet and you will most likely encounter similar results. With that said, I will keep an eye on CoIntellect although I am doubtful it is their software causing issues for the customers of the Bitcoin exchange you work for.

Additionally, there were other reviews of Cointellect on the web as well. They were all very similar, with the exact same screenshots. To me, they seemed like a copy-paste-job paid by Cointellect. See for yourself and judge if you think they are a copy-paste job or not

http://thebitcoinnews.co.uk/2014/08/23/dogecoin-cloud-mining-cointellect-review/

http://www.techgyd.com/cointellect-doge-mining-hashing/13530/

http://www.dailydoge.org/2014/08/23/dogecoin-cloud-mining-cointellect-review/

http://bitcoinschannel.com/dogecoin-cloud-mining-cointellect-review/

So, warning signs six, seven and eight: check, check, and check.

To conclude, the evidence towards Cointellect points quite clearly towards it being a scam. Do not deal with these guys and do not trust them.

UPDATE 1: Cointellect is incorporated under a company called “Sonera Corporative OU”. Searching the web for this turned up lots of hits on the Swedish/Finnish telecom company Sonera, but obviously this is not what I am looking for.

One of the hits when searching “Sonera Corporative OU” with DuckDuckGo were interesting though. The third link turned up leads to www.larssen.ee, a website that today leads to a “404 not found”-error. The specific page found on the web search is headlined with “Companies on sale”, so it seems that it is an Estonian individual/company that incorporates companies and puts them up for sale on the web.

Looking up Larsen.ee on the WayBackMachine it can be found that several companies have been for the sale every time a snapshot of the webpage has been saved.

Larssen.ee the 8th of February, 2012
Larssen.ee the 2nd of March 2009. 10 500 EEK is about 670 EUR (885 USD)
Larssen.ee the 17th of September, 2008

So it seems that Sonera Corporative OU is bought from a online “ready made companies” seller. If this does not smell fishy, then what does?

UPDATE 2 (10/09/2014): Cointelegraph.com ran a piece on Cointellect as well, uncovering more on the case. It includes comments from someone who, Tom, applied for a job position as a PR manager. Tom says the following:

“The company, which seems legitimate on the surface, and their agreement seems fairly forthcoming and nothing is out of the ordinary on it, except that they lacked a letterhead and all communications from their HR people lacked any name.”

Several of the same aspects of CoIntellect is pushed forward as I have written about in this article.

I also did a quick WHOIS-lookup of CoIntellect.com and it turns out that the owners of the domain areanonymous behind WHOISGUARD INC. Skeptical? You definitely should be.

UPDATE 3 (10/09/2014): Just found some more interesting things. CoIntellect’s Twitter followers have suddenly dropped to 400 and the account has deleted litearlly all previous tweets. The tweet count is now on 18 and the follower count on exactly 400. I wonder how they got rid of all those followers. Messaged them to unfollow @CoIntellectFAQ? Hardly effective. Messaged the bot operators to get off their heels? Very effective, I’d assume. I think the latter is most likely to have happened.

--

--