Domains Used for Crypto Scams Increase Fivefold
According to a new report from Group-IB analysts, the first half of 2022 saw a fivefold increase in domain names later used for cryptocurrency scams. 63% of these new fraudulent domains were registered with Russian registrars, but nearly all of the sites target international crypto investors.
Fake Crypto Giveaway Scams on the Rise
The sharp rise in fraudulent YouTube streams, allegedly featuring well-known entrepreneurs like Vitalik Buterin, Elon Musk, Michael Saylor, and Cathie Wood, was first noticed in February 2022. Researchers call this scam the “Fake Crypto Giveaway.” In these schemes, scammers impersonate famous personalities who supposedly promote crypto projects. The YouTube streams are fabricated from old recordings or even deepfakes, with fake celebrities inviting investors to visit a special promo site to double their investments. Victims are told to send funds to a specified address (or provide their crypto wallet seed phrase for even better terms). These sites are, of course, run by scammers, and victims end up losing some or all of their cryptocurrency.
Experts emphasize that this scheme has scaled up significantly in the past six months: over 2,000 domain names for fake promo sites were registered in the first half of 2022. This is nearly five times more than in the second half of the previous year, and 53 times more year-over-year.
Automation Fuels Scam Growth
Researchers attribute the explosive growth of such domains to the emergence of automated tools for launching these scams in February 2022, which require little technical knowledge from cybercriminals. By July, experts were seeing up to five fraudulent streams per day.
New “bait” celebrities include El Salvador’s President Nayib Bukele and, more recently, soccer star Cristiano Ronaldo. In 2021, El Salvador became the first country to declare Bitcoin legal tender, largely due to the president’s initiative. Cristiano Ronaldo became the first soccer player to receive a cryptocurrency award (Juventus rewarded him with tokens for his career goals), and in June 2022, Binance announced a partnership with him.
International Focus and Domain Zones
Group-IB reports that over 60% of scam domain names were registered with Russian registrars, but most used international domain zones, as the main targets are crypto wallet owners in Europe and the U.S. For this reason, all video descriptions and promo site content are in English.
The top five most popular domain zones for scam crypto sites are: .com (31.65%), .net (23.86%), .org (22.94%), and .us (5.89%).
How the Scams Work
YouTube is the main channel for driving traffic to scam sites, though there have been attempts to use Twitch for such streams as well. On average, fake streams attract 10,000โ20,000 viewers, including many bot accounts.
To run fake streams, scammers either hijack existing YouTube channels themselves or buy/rent them on the dark web for a percentage of the stolen funds (usually 10% to 50% of the “streamer’s” earnings). Once they control an account, scammers rename it, delete previous videos, change the avatar, add new design elements, and upload videos about investments or celebrity projects. They then boost the stream’s views to push it into YouTube’s trending and recommended sections for their target audienceโreal users interested in crypto investments. On underground forums, boosting 1,000 viewers costs about $100, while 5,000 viewers cost $200.
Another popular service is crypto stream design, with prices ranging from $100 to $300 depending on the package. A high-quality video for a crypto stream with a deepfake of a celebrity and voiceover costs scammers about $30.
Promo Site Development and Training
Another in-demand service is the development of the “promo sites” that victims are directed to from the streams. These are usually single-page sites with all the information about the fake crypto project. The price for a ready-made landing page for a scam can range from $200 to $600, depending on the freshness of the design.
There are even training materials for sale on the dark web, explaining how to organize such scams. Prices start at $100 and have no upper limit. Some ads even offer a 2-in-1 deal: selling “manuals” and providing training for a percentage of future “earnings.”
Crypto Scam Market Remains Active
“Recently, some underground forums have claimed that crypto scams are dying out, but the active registration of domain names and ongoing daily streams suggest otherwise. The intensity of attacks on unsuspecting crypto investors is growing, and the reach is expanding. We believe this is due to the ease of executing these schemes thanks to automation and cooperation within the cybercriminal community. The emergence and growth of this market show that investments in crypto scams are paying off and continue to bring cybercriminals huge profits on the scale of internet fraud,” concludes Yaroslav Kargalev, Deputy Head of CERT-GIB.