Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam

Rakesh Krishnan
Coinmonks
8 min read, Jan 13, 2021

It is common to come across Bitcoin scams on the Dark Web while visiting its various services. Some are even advertised on the landing pages of popular Dark Web sites, which send users straight to the luring page of a Bitcoin scam. Inexperienced or less tech-savvy netizens are taken in by such posts, fall for the bait and ultimately lose money.

It is also evident that scams of this kind have been operated by infamous threat actors such as DarkHotel (Korea) to maximise profit and fund their cyber operations. One such incident relates to Magniber ransomware, which is discussed at the end of this article. In this way the scams provide a passive income for cyber criminals without their having to infect the intended targets directly.

Criminals always experiment with better strategies | Source: Wrath of Sabellian by Artofcarmen (DeviantArt)

Bitcoin, the largest cryptocurrency, is currently at an important stage of its bull run, having surpassed the market value of Facebook (two days before this writing) to reach a market capitalisation of $760 billion. The currency is also legal to hold and trade in countries such as the United States, Australia, Japan, Germany and South Korea, and more countries are in the pipeline to adopt Bitcoin in pursuit of economic stability. Latin American countries like Venezuela (bolívar) and Argentina (peso) have already started migrating towards a crypto economy as their local currencies are devalued and spiral into hyperinflation.

As adoption has grown astronomically, more concepts keep being added to the crypto economy, such as Bitcoin ATMs, KYC-less exchanges, paper wallets and cold wallets.

Source: CoinATM Radar

This map provides a detailed view of Bitcoin ATMs installed around the world.

It is also remarkable that Bitcoin forks such as BCH (Bitcoin Cash) are widely accepted for day-to-day trading.

A Store accepting BCH in North Queensland | Source: Reddit

As the adoption rate quadruples, the scams in this arena are also maturing and defrauding many Bitcoin enthusiasts. This article explains one such scam, generally known as Bitcoin Doubling or

What makes these scams successful are the various technical touches built into the site to entice people with partial knowledge, combined with low-maintenance web pages. Let's look at one such case.

CASE STUDY — REAL TIME

Landing Page of Bitcoin Multiplier

This is one of the common introductions found on such scams: it instructs the visitor to enter their Bitcoin wallet address and choose the required amount by moving a slider, promising that the amount will be delivered to their account.

Various devices are used on the website to lure visitors. Some of them are:

Live Stats: used as a trust factor for newbies. The records are probably pulled from the live blockchain transaction feed and repurposed as "live stats" to showcase the site's activity; any transaction on the public chain can be displayed this way, whether or not it has anything to do with the site.

Live Stats

Live Chat Support: bragging about the profit made from the site is dumped into this section. Another bait awaiting inexperienced users.

Chat Box

To bust this myth, let's take one chat message and run a plain check, searching for it verbatim:

“I thought my friend wanted to fool me with this website link. but you can only get BTC here if you don't mess up with the fee confirmations”

Proof for Chat Script

Here you can see similar Bitcoin sites where the same chat log was found.

TIP: The best part is that the chat window even works without an Internet connection (my power got disrupted while drafting this), hence proving it to be hard-coded into the website (JS files).

Receipts: tiny pop-ups that appear on the site to suggest high activity, claiming that various users have just received funds.

Receipt Notification

Again, if you search for any of the usernames shown, you will be served many scam sites.
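The plain check described above (search for the chat sentence, then for the receipt usernames, across sites) and the offline-chat observation can both be scripted. The Python below is an added example, not code from the article or from any site it describes: it pulls the string literals out of each site's chat script, reports which literals are shared between sites, and flags a chat widget that is driven by a timer with no network call, which is what a hard-coded chat log looks like. The site names are placeholders and every message except the one quoted above is invented.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed JavaScript snippets standing in for the chat-widget scripts of
# three hypothetical pages (the site names are placeholders). The first message
# text is the one quoted in the article; every other string is invented.
SITE_SCRIPTS = {
    "doubler-a.onion": """
        var chatLog = [
          {user: "mike_88", msg: "I thought my friend wanted to fool me with this website link. but you can only get BTC here if you don't mess up with the fee confirmations"},
          {user: "anna_k", msg: "Received 0.5 BTC after 2 hours, thanks admin!"}
        ];
        var i = 0;
        setInterval(function () { render(chatLog[i++ % chatLog.length]); }, 4000);
    """,
    "multiplier-b.com": """
        const canned = [
          "I thought my friend wanted to fool me with this website link. but you can only get BTC here if you don't mess up with the fee confirmations",
          "Received 0.5 BTC after 2 hours, thanks admin!",
          "Just got my payout, this is legit guys"
        ];
        const payers = ["mike_88", "crypto_dave"];
        setTimeout(function tick() { push(canned.shift(), payers[0]); setTimeout(tick, 3000); }, 3000);
    """,
    "legit-support.example": """
        const ws = new WebSocket("wss://legit-support.example/chat");
        ws.onmessage = function (ev) { render(JSON.parse(ev.data)); };
    """,
}

# A JS string literal in double or single quotes, honouring backslash escapes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")
TIMER_APIS = ("setInterval(", "setTimeout(")
NETWORK_APIS = ("fetch(", "XMLHttpRequest", "WebSocket(", "EventSource(", ".ajax(")


def extract_literals(js: str, min_len: int = 25) -> set[str]:
    """String literals of a script that are at least min_len characters long."""
    found = set()
    for m in STRING_LITERAL.finditer(js):
        text = m.group(1) if m.group(1) is not None else m.group(2)
        if len(text) >= min_len:
            found.add(text)
    return found


def shared_literals(scripts: dict[str, str], min_len: int = 25) -> dict[str, list[str]]:
    """Literals that occur on two or more sites, mapped to the sites using them.

    The default min_len targets chat sentences; a lower value (e.g. 6) also
    catches recycled usernames, at the cost of more noise on real pages.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for site, js in scripts.items():
        for lit in extract_literals(js, min_len):
            seen[lit].add(site)
    return {lit: sorted(sites) for lit, sites in seen.items() if len(sites) >= 2}


def looks_scripted(js: str) -> bool:
    """True when the chat is replayed from a timer and never talks to a server."""
    has_timer = any(api in js for api in TIMER_APIS)
    has_network = any(api in js for api in NETWORK_APIS)
    return has_timer and not has_network


if __name__ == "__main__":
    for lit, sites in shared_literals(SITE_SCRIPTS).items():
        print(f"shared by {sites}: {lit[:60]!r}")
    for lit, sites in shared_literals(SITE_SCRIPTS, min_len=6).items():
        print(f"shared (short) by {sites}: {lit!r}")
    for site, js in SITE_SCRIPTS.items():
        print(f"{site}: scripted chat = {looks_scripted(js)}")
```

On real pages the script sources would be fetched once (through Tor for onion sites) and saved, so the comparison runs offline; the timer heuristic is only a first pass, since a legitimate widget may also poll on a timer, but a widget with no network API at all has nowhere to get live messages from.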

After a BTC address is entered, a loader runs to satisfy the visitor's eagerness. The following script is shown:

Script Visualization

The script above was obtained from a site that had been reported earlier.

Once the progress bar completes, the following screen appears, claiming that the doubling process is finished and the funds are ready for transmission:

Return Screen

Here is the ruse: first you have to deposit $1,300 to the scammer's Bitcoin address 1EFJNx1zGSgRf5u2L3oyCQunwa8Xro6ihb, after which $3,500 is supposedly returned to you. The deposit is the whole point; it is simply collected and nothing is sent back.

Mapping the address on the blockchain shows that it has been active for four months and has received a total of roughly $310.

Scam Funds Received in 4 Months

Note: as the BTC price fluctuates, the dollar amount varies. It also depends on the fee calculated by the scam site.

This is one site that still exists on the Dark Web with high activity, and the blockchain shows that the last payment was received a month ago, proving the scam is not obsolete.
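To make the address mapping above reproducible, here is an added example (not the author's tooling and not real chain data): it summarises what an address received from a constructed list of transactions laid out in a simplified explorer-like shape, reporting the total in satoshi and in USD at a given rate, the first and last payment dates, the age of the address and how long ago the last payment arrived. The transaction values and dates are invented to roughly match the figures quoted above (about $310 over four months, last payment a month before 13 Jan 2021) at an assumed rate of $35,000 per BTC.

```python
from __future__ import annotations

from datetime import datetime, timezone

SATOSHI = 100_000_000  # satoshi per BTC


def utc(year: int, month: int, day: int) -> int:
    """Unix timestamp for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


SCAM_ADDR = "1EFJNx1zGSgRf5u2L3oyCQunwa8Xro6ihb"   # the address quoted in the article
OTHER_ADDR = "1CounterpartyPlaceholderAddressXXX"  # constructed placeholder, not a real address

# Constructed transactions in a simplified explorer-like shape (not any real
# API's schema, and not real chain data for the address above). Values are satoshi.
SAMPLE_TXS = [
    {"txid": "tx1", "time": utc(2020, 9, 5),
     "outputs": [{"addr": SCAM_ADDR, "value": 300_000}]},
    {"txid": "tx2", "time": utc(2020, 10, 2),
     "outputs": [{"addr": SCAM_ADDR, "value": 250_000}, {"addr": OTHER_ADDR, "value": 40_000}]},
    {"txid": "tx3", "time": utc(2020, 11, 20),
     "outputs": [{"addr": SCAM_ADDR, "value": 200_000}]},
    {"txid": "tx4", "time": utc(2020, 12, 1),
     "outputs": [{"addr": OTHER_ADDR, "value": 75_000}]},   # pays someone else, not counted
    {"txid": "tx5", "time": utc(2020, 12, 12),
     "outputs": [{"addr": SCAM_ADDR, "value": 140_000}]},
]


def incoming(txs: list[dict], addr: str) -> list[tuple[int, int]]:
    """(time, satoshi) for every transaction that pays addr, oldest first."""
    hits = []
    for tx in txs:
        paid = sum(o["value"] for o in tx["outputs"] if o["addr"] == addr)
        if paid > 0:
            hits.append((tx["time"], paid))
    return sorted(hits)


def summarize(txs: list[dict], addr: str, btc_usd: float, now_ts: int) -> dict:
    """Total received by addr, its USD value at btc_usd, and the activity window."""
    hits = incoming(txs, addr)
    if not hits:
        return {"payments": 0, "total_sat": 0, "total_usd": 0.0,
                "first_seen": None, "last_seen": None,
                "age_days": None, "days_since_last": None}

    def as_date(ts: int) -> str:
        return datetime.fromtimestamp(ts, timezone.utc).date().isoformat()

    total_sat = sum(v for _, v in hits)
    first, last = hits[0][0], hits[-1][0]
    return {
        "payments": len(hits),
        "total_sat": total_sat,                        # stable, whatever the price does
        "total_usd": total_sat / SATOSHI * btc_usd,   # moves with the BTC price
        "first_seen": as_date(first),
        "last_seen": as_date(last),
        "age_days": (now_ts - first) // 86400,
        "days_since_last": (now_ts - last) // 86400,
    }


if __name__ == "__main__":
    # Article date and an assumed rate of $35,000 per BTC for January 2021.
    report = summarize(SAMPLE_TXS, SCAM_ADDR, btc_usd=35_000, now_ts=utc(2021, 1, 13))
    for key, value in report.items():
        print(f"{key:>16}: {value}")
```

Quoting the satoshi total alongside the dollar figure is what makes such a number comparable later: the same 890,000 satoshi is worth $311.50 at $35,000 per BTC and $178 at $20,000, which is the fluctuation the note above refers to.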

If you think this amount is minuscule, here is another site that made around $3,705,769.52 over seven years (and still goes unflagged), hosted at Hetzner (159.69.62.95) with the wallet address 1F7rkmXCouKbCuXF4DbpCwug9xBcsVvnQ5.

Digging deeper, a profile popped up on the Bitcoin Talk forum under the name Giaky from Italy, to which the wallet address had been mapped.

Profile from Bitcoin Talk

Note: there is no certainty that the alleged Bitcoin address belongs to the alleged user, as the link was obtained from a comment on a Bitcoin blacklist site; such comments are user-submitted and unverified.

Similarly, a multitude of scam campaign websites are still operational on both the Dark Web and the surface web, generating a high cash flow to the scammers' accounts.

Following are some of them, with the profits reaped:

Similar BTC Doubling Operations (Live)

These are some of the notable websites (that I came across) targeting Bitcoin-doubling fanatics. There are also a large number of mirror sites for the same onion service, such as:

Tor66 SE Report

According to this search engine, there are in total 331 websites (including mirrors) on the Dark Web exclusively with "BITCOIN DOUBLING" content. Of course there are more, but not everything can be indexed by a single entity.

Note: This article covers the Dark Web aspect in more detail than the surface web.

MAGNITUDE EK LINKED WITH BITCOIN MULTIPLIER IN THE PAST

Magnitude is one of the most successful exploit kits seen on underground forums over the years. It delivers Magniber ransomware upon infection and mainly affects the APAC region. The group (attributed to the infamous South Korean DarkHotel group) keeps up to date with recently disclosed vulnerabilities (CVEs) to target its intended victims. Surprisingly, according to a Malwarebytes report, the same group has also operated malvertising campaigns and Bitcoin scam websites.

It is evident that cyber-criminal groups use this as a passive income to fund their attack operations.

KEY TAKEAWAYS

  • Never fall for doubling/multiplier or any similar scams
  • Cyber criminals can set up such scam sites on a large scale to raise large sums without directly infecting anyone with ransomware
  • This is also a form of passive income for cyber criminals, a long-term earner that raises few red flags
  • Always check a website's reputation before swallowing the promises it displays
  • Check for blacklist reports on the Bitcoin address on platforms like BitcoinWhosWho or Bitcoin Abuse
  • Be a responsible infosec contributor by flagging malicious Bitcoin addresses to those platforms
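One check worth scripting before trusting or reporting any address shown on such a page, added here as an example rather than taken from the article: verify the Base58Check checksum of a legacy (1... or 3...) address, so a mistyped or altered address is caught before it is looked up, and then consult a local denylist. The denylist here is a constructed stand-in for exports from abuse-report sites such as the ones named above; its two entries are the addresses quoted in this article, with invented report labels. Bech32 (bc1...) addresses use a different checksum and are reported as invalid by this function.

```python
from __future__ import annotations

import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode Base58 into bytes; each leading '1' stands for a 0x00 byte."""
    n = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check test for mainnet P2PKH (1...) and P2SH (3...) addresses.

    Layout: version byte + 20-byte hash + first 4 bytes of sha256(sha256(version + hash)).
    Bech32 (bc1...) addresses use a different scheme and are reported as invalid here.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


# Constructed local denylist standing in for exports from abuse-report sites.
# The two keys are the addresses quoted in this article; the labels are invented.
DENYLIST: dict[str, list[str]] = {
    "1EFJNx1zGSgRf5u2L3oyCQunwa8Xro6ihb": ["bitcoin doubler (dark web)"],
    "1F7rkmXCouKbCuXF4DbpCwug9xBcsVvnQ5": ["bitcoin multiplier site"],
}


def triage(addr: str, denylist: dict[str, list[str]] = DENYLIST) -> str:
    """'invalid' (fails the checksum), 'reported' (on the denylist) or 'unknown'."""
    if not is_valid_legacy_address(addr):
        return "invalid"
    return "reported" if addr in denylist else "unknown"


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # the well-known genesis block address
    for candidate in (genesis, genesis[:-1] + "b", *DENYLIST):
        print(f"{candidate}: {triage(candidate)}")
```

The checksum step matters in practice: a single altered character in an address fails the check, so an "unknown" result means the address is well formed but simply not yet reported, while "invalid" means it cannot receive funds at all and is not worth reporting.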
Image Courtesy: Foxman Communications

Follow me on Twitter for interesting Dark Web/InfoSec short findings! ;-)

Note: This article is purely individual research and is not to be used or published anywhere without the author's consent.

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.