On Jan. 31, a Telegram user calling himself “Danny Nelson” contacted Karla Vilhelem, a public relations professional, with an unseemly proposal.

Pretending to be the CoinDesk reporter of the same name, he said he would publish a post about her client but wanted $600 for his trouble, a small sum for exposure on the crypto site of record.

Vilhelem was wary. After three years in the industry, she was used to scammers impersonating major players in the crypto ecosystem and, more frustratingly, so-called journalists asking for cash. She advised clients never to pay for coverage, and the proposition made her suspicious of this so-called Danny Nelson.

“I knew CoinDesk doesn’t take money,” she said.

Another telltale sign was her interlocutor’s atrocious grammar and his miscapitalization of the brand name, which is spelled with a capital D.

“I’ll get the vital informations [sic] needed to write and publish your project article review on your website or whitepaper,” the faux Danny Nelson wrote. “It cost [sic] $600 to write and publish your project article on Coindesk because I’ll have to pay for some logistics.”

Still, Vilhelem was curious. When would she have to pay?


“You have to pay Before [sic] I can proceed with the work because I’ll have to pay for some logistics,” he said.


Whatever the “logistics” involved, Vilhelem refused his offer after checking the real Danny Nelson’s Twitter profile and seeing his real Telegram handle. She contacted the CoinDesk team to report the imposter and sent along images of their Telegram exchange. (You can look for real contacts for CoinDesk reporters on our masthead.)

This impersonator never made off with Vilhelem’s money. Others weren’t so lucky.

At least three startup founders have been scammed in similar situations, CoinDesk has found. We explored two of these scams to better understand how they worked.

Working with blockchain investigations company Coinfirm, we wanted to see where the money was going and if we could learn anything about the perpetrators. The ultimate goal: to prevent it from happening to anyone else.

The grift

This scam is as old as journalism. Someone pretending to represent a major media company will approach a small business offering to write about them… for a price.

In the days before the internet, corrupt public relations professionals and fake reporters would offer pay-for-play articles in newspapers. Now, online imposters request products like computers, laptops and cameras from companies, offering to “review” them on major news sites. Thanks to anonymous payments, scammers can ask for cash in exchange for ink.

What makes this particular scam unique is the lengths to which the perpetrators will go to appear legitimate. Many create fake Telegram accounts – the hacker who tried to scam Vilhelem used @danielnelson – and then approach entrepreneurs in chat rooms on the internet. The exchange is usually straightforward unless the victim asks for more proof.

To maintain the facade, the scammers use a few other tricks, including spoofing email addresses. For example, some mail clients let you hide the source of emails, and in many cases even the email headers are insufficient for telling real emails from fake ones.

In Gmail, users can click on “Show Original” from the top right:

How to see headers in Gmail Source: CoinDesk

Yes, the header often can look very confusing to someone who’s never seen one. But here’s the most important part: The first thing to look for in the header is an email address that is not part of the email conversation. That’s clearly a sign of misdirection and something to bring up with a sender.

Here’s a rough example (for illustrative purposes only, as headers are subject to change depending on email and anti-spam providers):

Look out for email addresses in headers not part of the original conversation. Source: CoinDesk
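The header check described above can be scripted. The following is an added example, not CoinDesk's code: it parses the text that "Show Original" returns and reports any sender-side address that is not one of the known participants, along with any SPF, DKIM or DMARC verdict other than "pass". The message, names and domains are constructed placeholders, and `check_headers` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample of a "Show Original" view; every name and domain
# here is a placeholder, not taken from a real message.
RAW = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=newsroom.example
From: "Staff Reporter" <reporter@newsroom.example>
Reply-To: "Staff Reporter" <reporter.newsroom@freemail.invalid>
To: founder@startup.example
Subject: Re: Coverage of your project

Payment is required before I can proceed.
"""

# Headers that say who sent the mail or where replies and bounces go.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def check_headers(raw, participants):
    """Return findings worth raising with the sender (empty list if none)."""
    msg = message_from_string(raw)
    known = {p.lower() for p in participants}
    findings = []
    for name in ADDRESS_HEADERS:
        for _display, addr in getaddresses(msg.get_all(name, [])):
            # Bulk-mail services often use their own Return-Path, so a hit
            # is a reason to ask questions, not proof of fraud by itself.
            if addr and addr.lower() not in known:
                findings.append(f"{name}: {addr} is not part of the conversation")
    # Authentication-Results is added by the receiving mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        verdict = re.search(rf"\b{mech}=(\w+)", auth)
        if verdict and verdict.group(1) != "pass":
            findings.append(f"{mech} result is {verdict.group(1)}")
    return findings

if __name__ == "__main__":
    people = {"reporter@newsroom.example", "founder@startup.example"}
    for line in check_headers(RAW, people):
        print(line)
```

In the constructed message the visible From address looks right, but replies would go to a free-mail address and DMARC fails for the From domain.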

Remy Eisenstein, victimized by a fake CoinDesk reporter, was so frustrated by past scams he created a system to prevent email spoofing. He said the system, called SafePost, uses a blockchain to confirm emailers are sending from a verified address. So how did he, of all people, get hoodwinked?

Eisenstein noticed his scammer (posing as CoinDesk’s Ian Allison) had a strong-looking LinkedIn profile, another tool scammers use to fool victims.

“I told myself, ‘Okay, let’s imagine you have just 10 contacts on your Linkedin the page. I can imagine this is a fake’,” he said. “But in this case I saw more than 500.”

In another case we saw, the scammers created a real-looking LinkedIn profile for a CoinDesk writer and then immediately deleted it after the victim checked him out, erasing the evidence.

Almost all the scammers are stuck in the digital realm, although one sent a faked passport for CoinDesk Executive Editor Marc Hochstein, complete with a date of birth that made him seem older than he is. The constant know-your-customer (KYC) information requests of many exchanges seem to have trained scammers to forge official-looking documents.

All these tricks are often enough to fool busy entrepreneurs who will happily send payment in exchange for coverage. Then the whole thing unravels.

Once the scammers receive payment, said Pawel Kuskowski, CEO of Coinfirm, they usually transfer it to an exchange where they could, in theory, be tracked but in reality, rarely are. That’s where the trail ends because they never reply to the victim again.

“Working with CoinDesk to highlight these cases shines a light on how industry players need to further work with security platforms so they don’t facilitate these scams,” said Kuskowski.

The breakdown

To understand more about the scammers and where they were sending their ill-gotten gains, we worked with Coinfirm to trace payments made by two victims who contacted us only after falling for our impersonators.

First, we traced more than $2,000 worth of bitcoin (BTC) that one entrepreneur sent to a scammer in exchange for a post.

The scammer asked the victim to send the 0.23 BTC to an address he controlled, 19BkZZKsQPv14QAP2MJr8fNdwBBTRQxHvT. The victim paid on March 4 and within hours the scammer sent the funds to another address he may also have controlled, 1GJDn7MezDZjvt8ECD6yDYxPdYPjLDNqai.

The chain of transactions suggests the scammer has a verified account on Paxful. For one thing, the second address received a number of deposits from addresses Coinfirm identifies as belonging to Paxful based on regular patterns, or clusters, of transactions.

The victim, at the bottom, paid into the scammer's wallet. The cash then moved through a number of other addresses. Source: Coinfirm

And if we zoom out the lens, we see that on March 9, five days after ripping off our known victim, the scammer’s wallet received 0.37 BTC from another party, and deposited it straight into Paxful:

Two payments went into the scammer's wallet in early March. Source: Coinfirm

Coinfirm researched another victim’s transaction and was able to track its path through the Ethereum blockchain.

In this case, the scammer, the Hochstein impersonator with the forged passport, received $150 in USDC, a stablecoin that trades 1-for-1 with the U.S. dollar, from the victim. The victim’s wallet is in dark blue in this chart.

Source: Image via Coinfirm

About $35 went to 0xa356acd1e8cd97a33a65ab7845c7f21b8921b276 (the yellow wallet in the middle of the chart) and was then sent to a wallet allegedly connected to lending platform BlockFi. For simplicity’s sake, the wallet addresses in the chart do not include the standard Ethereum address prefix “0x.”

The other $115 went to 0x87a1865e3ae422385b7d1beb66ad43b2e847f7f6 (the green wallet in the middle of the chart) and then went to a wallet that appears to be affiliated with crypto exchange NEXO.

“Although the dollar amount itself isn’t substantial in this particular case, these methods are applied on a wide scale and have affected countless people as well as exposed companies to money laundering risks,” said Kuskowski.

The ironic aftermath

CoinDesk is in contact with representatives from Paxful and BlockFi and the companies are investigating the fraud and may be able to recover the funds.

Teodora Atanasova, who does business development at NEXO, said the company is “extremely diligent in tracking down fake accounts, Telegram groups and all kinds of fraudulent activity and I have personally been dealing with a lot of scammers and impersonators lately as they seem to have gotten even more active in the current situation amid the market turmoil.”

Indeed, a funny thing happened when I approached the company in a public Telegram group. Two users reached out to me, each identifying himself as Beyhan Ahmed, a community manager at NEXO.

One of them was the real Beyhan, whose Telegram handle is @BeyhanNEXO. He put me in touch with Atanasova.

The other one went by @BehanNexo, conspicuously missing the “y” in his handle. To hear him tell it, he was very high up in the organization.

“I am Mr Beyhan, the officiating officer for nexo and head of marketing team,” he wrote. “You request for me, that’s why I have contacted you.”

This obviously fake Beyhan offered me a “license” to write a story about NEXO and the opportunity to post my story on … the company’s website, I guess? The details weren’t exactly clear, but I strung him along for kicks, as one might do with a dodgy telemarketer.


The discussion went back and forth for a few minutes and, as expected, my “officiating officer” needed a little cash to get the job done.


For the record, I never sent him the money.

Sadly, there is no sure-fire way to prevent these kinds of scams. Double- and triple-checking backgrounds is often insufficient and, given the ease with which scammers more sophisticated than “Behan” can recreate identities, due diligence is almost impossible.

That said, respectable news organizations would never ask for cash in exchange for coverage, be it CoinDesk or the New York Times. Scammers are out there preying on the distracted and frustrated. Our hope is you don’t become one of their victims.

As for my would-be scammer, he disappeared and deleted our conversation when I sent him a link to my “transaction” featuring a lurid picture from Wikipedia. We are currently tracing his bitcoin address, which seems to be empty.