An Elaborate Cryptocurrency Scam

The Verge recently revisited “The Great Twitter Hack”, in which high-profile Twitter accounts were made to tweet a Bitcoin scam.

By osint discovery, published in Coinmonks. 5 min read. Jan 3, 2021

Verge article on the great twitter hack, dated Dec 15, 2020
https://www.theverge.com/22163643/twitter-hack-bitcoin-scam-july-2020-elon-musk

However, a quick online search revealed that these scam messages were not restricted to Twitter, and were prevalent on Facebook posts, Medium articles, and Quora answers.

Scam messages spotted on Facebook, Medium and Quora. Scams also target Altcoins such as Tron

Recently there have been more and more sightings of YouTube LIVE videos pushing out these scam messages. Bitcoin.com reported seeing videos that used the names of Chamath Palihapitiya and Elon Musk to entice viewers to send their bitcoins.

Screengrab of bitcoin.com report, dated May 19, 2020
https://news.bitcoin.com/btc-giveaway-scam-chamath-palihapitiya-elon-musk-not-giving-away-bitcoin/

These LIVE videos have high viewership (>10k views) and were posted from channels with large subscriber counts (>100k). I was curious how these videos could obtain such high traction.

The Great T̶w̶i̶t̶t̶e̶r̶ YouTube Hack?

Using two approaches, I realized that these were actually legitimate YouTube channels that had been hacked, taken over and made to post these scam videos.

Approach 1: Finding remnants of original YouTube channel

The original channel name can be identified from the URL, and the channel’s community posts still exist

Approach 2: Observing takeover of YouTube Channel, as it happens

The scammer changed the profile picture and name of the channel, then hid all previous content while publishing the scam video

What I find most alarming is that the original channel owner may be oblivious that their accounts were taken over. These two channels are still active today.

[Taken on 3rd Jan 2021] Screenshots of channel after the hack, a return to normalcy

Scam Tactics

The scam video includes a link to the scam website: Geminidrop.fund

So let’s see what happens when unsuspecting viewers click into the website in the YouTube video…

Screengrab of Geminidrop.fund

Visitors are asked to send some bitcoin to a BTC address and are promised a 5x bonus in return. The page also shows a table of supposed past transactions, i.e. many people have already sent in some BTC and received their 5x bonus.

Screengrab of fake transactions

But a look at the source code reveals that these entries are hardcoded to mimic legitimate transactions. Sender addresses and BTC values are randomly generated by the page’s JavaScript and refreshed periodically to give the illusion that many others have successfully sent BTC and received their bonuses.

JavaScript code showing that the transactions were false and hardcoded

Although most scams were unsuccessful in getting any cryptocurrency, there were some that received BTC.

This scam address received a total of 1.237 BTC

As the Bitcoin ledger is public, we can trace the transactions. The diagram below shows a simplified, partial transaction network. We can see that the Red Geminidrop.fund address sent all 1.237 BTC to another address (Black bc1qz). This Black address also received 0.855 BTC from another address (Green 1WoodNZh).

A search of the Green 1WoodNZh address showed that it is from another scam YouTube video that was using an interview with Cathie Wood.

https://checkbitcoinaddress.com/bitcoin/1WoodNZhYQ2Lv51XwTmz89Ykro2kms5tx?source=abuse

Hence, it is likely that the Black bc1qz address is collating the earnings from several YouTube scams, and it has received more than 10 BTC.
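The tracing step above (victims pay a per-video scam address, which forwards everything to one collector) can be reproduced as a small graph walk over ledger data. This is an added example, not part of the original post; the transfer list is constructed, the address names are placeholders for the Red, Black and Green addresses in the diagram, and only the 1.237 BTC and 0.855 BTC hops are taken from the post.

```python
from collections import defaultdict

# Placeholder labels for the three addresses in the post's diagram; the real
# addresses are not reproduced here. All rows below are constructed for the
# example; only the 1.237 BTC and 0.855 BTC hops come from the post.
RED_SCAM = "RED_geminidrop_address"
BLACK_COLLECTOR = "BLACK_bc1qz_address"
GREEN_WOOD = "GREEN_1WoodNZh_address"

TRANSFERS = [  # (sender, receiver, amount_btc)
    ("victim_a", RED_SCAM, 0.500),
    ("victim_b", RED_SCAM, 0.737),
    (RED_SCAM, BLACK_COLLECTOR, 1.237),
    ("victim_c", GREEN_WOOD, 0.855),
    (GREEN_WOOD, BLACK_COLLECTOR, 0.855),
    ("victim_d", "OTHER_scam_address", 0.300),   # a third, constructed scam wallet
    ("OTHER_scam_address", BLACK_COLLECTOR, 0.300),
]

def build_inbound(transfers):
    """Map each address to the list of (sender, amount) that paid into it."""
    inbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
    return inbound

def total_received(inbound, addr):
    """Total BTC paid into `addr`, rounded to satoshi precision."""
    return round(sum(amount for _, amount in inbound[addr]), 8)

def direct_feeders(inbound, addr):
    """Addresses that paid `addr` directly, with the summed amount from each."""
    totals = defaultdict(float)
    for sender, amount in inbound[addr]:
        totals[sender] += amount
    return {s: round(a, 8) for s, a in totals.items()}

def upstream(inbound, addr, depth):
    """Every address within `depth` inbound hops of `addr`: at depth 1 the
    per-video scam wallets, at depth 2 the victims who paid them."""
    seen, frontier = set(), {addr}
    for _ in range(depth):
        frontier = {s for a in frontier for s, _ in inbound[a]} - seen - {addr}
        seen |= frontier
    return seen

if __name__ == "__main__":
    inbound = build_inbound(TRANSFERS)
    print("collector received:", total_received(inbound, BLACK_COLLECTOR))
    print("feeders:", direct_feeders(inbound, BLACK_COLLECTOR))
    print("upstream (2 hops):", sorted(upstream(inbound, BLACK_COLLECTOR, 2)))
```

On real data the same walk would be fed from a block explorer's transaction list rather than the constructed rows above.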

Challenging to Identify Scammer

WHOIS information is often unreliable for pinpointing the origin of a scammer. Although the domain information points to locations in Belize and Russia, it is important to note that registrants may not provide accurate information.

screengrab from DomainBigData showing tag locations as Belize or Russia

Let’s look at the source code of the webpage to see if we can find where the scammers come from. Here, we took a phrase from the JavaScript snippet, “Hurry up, not much more BTC left!”, and did a Google search.

This led to a task posting on a Russian freelancer site (https://freelance.habr.com/), with a sample JavaScript snippet that is eerily similar to the code on the scam site.

Post content is Google-translated to English. A similar code snippet was spotted.

The diagram on the left shows his profile on https://freelance.habr.com/, and a reverse image search of his portfolio revealed another profile on another Russian freelancer site (https://www.weblancer.net/) with the same portfolio.

How common is this YouTube Hack + Scam?

As Bitcoin keeps breaking all-time-high records, interest in Bitcoin is reigniting, and some of the growing pool of new cryptocurrency holders may fall for such scams. It doesn’t help that YouTube ranks these scam videos at the top (possibly because they a̶r̶e̶ were really legitimate channels).

A search for ‘bitcoin’ on YouTube LIVE videos shows that the top 2 results are scam videos from hacked channels. Try it out for yourself using search phrases such as: invest, elon, trading, crypto. Filter videos by LIVE.

The scammers also rode on high-profile events to get higher click-through rates on their videos.

Top: Hacked channel changed its name to spoof SpaceX, and was online during one of SpaceX’s live launches. | Bottom: Hacked channel featuring the Ripple CEO, after the recent announcement of SEC charges.

Also, it is easy for the scammers to spin up scam webpages. On the scam websites, one can sometimes find code comments that were automatically added by website copier programs. These programs download a webpage wholesale so that it can be re-uploaded to another domain later on.

Top: Source code of scam website geminidrop.fund with comments showing that the code originated from a previous scam site (eth-fond.info) | Bottom: code archive of scam website with generated comments from a web copier software: https://forum.bitcoin.com/bitcoin-discussion/beware-fake-segwit2x-scam-site-fake-bitcoin-gold-scam-site-steal-bitcoin-ethereum-private-key-promise-bitcoin-cash-t64141.html
Screengrab of copy-pasted sites with similar source codes

Ending Statement

Google indexes these scam websites. As these websites often use the same structure and keywords, identifying and then downgrading them on the Search Engine Result Page seems feasible for Google.

To identify hacked channels and scam videos, YouTube could possibly apply a series of rule-based filters based on the following:

  1. Did the channel and profile picture change suddenly?
  2. Did all the past videos get delisted except for the newly published LIVE video?
  3. Did the video OCR content or description match any keywords that usually suggest a high probability of scam?
  4. Did the language of the content posted or the comments change?
  5. Did the viewership demographic of the LIVE video differ drastically from past videos?
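The five rules above can be expressed as checks over a before/after snapshot of a channel. This is an added example, not code from the original post or from YouTube: the ChannelSnapshot type, its fields and the keyword list are hypothetical, and the before/after pair is constructed to mirror the takeover described earlier (name and avatar swapped, past videos hidden, one LIVE video with giveaway text, a sudden shift in audience).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Keyword list built from phrases quoted in the post; constructed, not a real product list.
SCAM_KEYWORDS = ("giveaway", "send btc", "5x", "hurry up, not much more btc left")

@dataclass
class ChannelSnapshot:  # hypothetical snapshot of a channel at one moment, not a YouTube API type
    name: str
    avatar_hash: str                    # hash of the profile picture
    public_video_ids: Set[str]
    language: str                       # dominant language of titles and comments
    live_video_id: Optional[str] = None
    live_text: str = ""                 # OCR text plus description of the LIVE video
    viewer_regions: Dict[str, float] = field(default_factory=dict)  # region -> share of views

def identity_changed(before, after) -> bool:          # rule 1: name or profile picture swapped
    return before.name != after.name or before.avatar_hash != after.avatar_hash
def history_hidden(before, after) -> bool:            # rule 2: all past videos gone, only the LIVE one left
    remaining = after.public_video_ids - {after.live_video_id}
    return bool(before.public_video_ids) and not (before.public_video_ids & remaining)
def scam_keywords(after) -> List[str]:                # rule 3: OCR/description keyword hits
    text = after.live_text.lower()
    return [k for k in SCAM_KEYWORDS if k in text]
def language_changed(before, after) -> bool:          # rule 4: content language flipped
    return before.language != after.language

def audience_shift(before, after, threshold=0.5) -> bool:   # rule 5: viewer demographics moved
    """Total variation distance between the two viewer-region distributions."""
    regions = set(before.viewer_regions) | set(after.viewer_regions)
    tvd = 0.5 * sum(abs(before.viewer_regions.get(r, 0.0) - after.viewer_regions.get(r, 0.0))
                    for r in regions)
    return tvd >= threshold

def evaluate(before, after) -> Tuple[Dict[str, bool], int]:
    """Which rules fired and how many; a review threshold would sit on the count."""
    fired = {"identity_changed": identity_changed(before, after),
             "history_hidden": history_hidden(before, after),
             "scam_keywords": bool(scam_keywords(after)),
             "language_changed": language_changed(before, after),
             "audience_shift": audience_shift(before, after)}
    return fired, sum(fired.values())

# Constructed before/after pair mirroring the takeover described in the post.
BEFORE = ChannelSnapshot("Jane's Woodworking", "h_aaa", {"v1", "v2", "v3"}, "en",
                         viewer_regions={"US": 0.7, "CA": 0.3})
AFTER = ChannelSnapshot("SpaceX", "h_bbb", {"live9"}, "en", live_video_id="live9",
                        live_text="BTC GIVEAWAY: send BTC and get 5x back. Hurry up, not much more BTC left!",
                        viewer_regions={"US": 0.1, "IN": 0.5, "BR": 0.4})
```

Running evaluate(BEFORE, AFTER) fires four of the five rules (the language did not change), while evaluate(BEFORE, BEFORE) fires none.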

Lastly, it is critical to investigate how these scammers gain access to YouTube channels.

Thank you for reading.
