How to Identify Cryptocurrency Scams

With social media analysis and blockchain forensics

The popularity of cryptocurrencies has increased over the last few months, and that’s good for the crypto community. However, as popularity grows, more scams start to appear. Criminals take advantage of inexperienced investors and naive people who want easy gains. That’s why people need to educate themselves on how to avoid fraudsters.

This article describes two scams. The first one involves good old Bitcoin and Ethereum. The second one is about the newly announced Libra cryptocurrency.

Bitcoin and Ethereum scam

Twitter analysis

In this scam, criminals created several websites and promoted them on Twitter. The sock puppet accounts had similar usernames, as they were generated with a script. Here are some examples: ShawnaS80706756, BrendaT27686862, Felicia65639086, Dominiq77363655. The pattern is obvious.

One of the common schemes is to create an army of fake Twitter accounts and promote a scam by replying to influential Twitter accounts. How do you spot fake Twitter accounts? It’s pretty simple, as scammers usually don’t put much effort into sock puppet accounts. In most cases, a fake account meets these criteria:

Was created recently.

Doesn’t have a large activity history.

Uses a fake profile picture or doesn’t use one at all.

Let’s take a look at the account below; it looks like scammers didn’t care about making it authentic at all.

Screenshot from Twitter

All of these fake accounts present as female, which is a common practice in fraud. It is done for a reason: the number of men in the cryptocurrency space is twice that of women, so pictures of pretty women are more appealing to the male audience.

Reverse image search in Yandex

The results of the image search showed that the picture is used by dozens of different accounts. Therefore, it was simply reused by this Twitter account. The same goes for the other fake accounts: they all use images stolen from somebody else.
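The warning signs described above (script-like usernames, recent creation, little activity, a missing or reused picture) can be combined into a simple triage check. This is an added example, not code from the original article; the field names, thresholds and all account metadata are assumptions, and only the handles come from the article.

```python
import re
from datetime import date

# Handle shape of the article's examples: letters followed by exactly 8 digits.
GENERATED_HANDLE = re.compile(r"^[A-Za-z]+\d{8}$")

def sock_signals(acct, today, max_age_days=30, min_tweets=20):
    """Return the warning signs an account matches (thresholds are assumptions)."""
    signals = []
    if GENERATED_HANDLE.match(acct["handle"]):
        signals.append("script-like handle")
    if (today - acct["created"]).days <= max_age_days:
        signals.append("created recently")
    if acct["tweets"] < min_tweets:
        signals.append("little activity history")
    # picture_reused is filled in by the analyst after a reverse image search
    if acct["picture"] is None or acct["picture_reused"]:
        signals.append("fake or missing picture")
    return signals

def triage(accounts, today, threshold=3):
    """Map handle -> signals for accounts matching at least `threshold` signs."""
    flagged = {}
    for acct in accounts:
        signals = sock_signals(acct, today)
        if len(signals) >= threshold:
            flagged[acct["handle"]] = signals
    return flagged

# Constructed sample: handles come from the article, all metadata is invented.
TODAY = date(2019, 7, 1)
ACCOUNTS = [
    {"handle": "ShawnaS80706756", "created": date(2019, 6, 20), "tweets": 3,
     "picture": "a.jpg", "picture_reused": True},
    {"handle": "BrendaT27686862", "created": date(2019, 6, 22), "tweets": 1,
     "picture": None, "picture_reused": False},
    {"handle": "long_time_user", "created": date(2012, 3, 1), "tweets": 5400,
     "picture": "b.jpg", "picture_reused": False},
]

if __name__ == "__main__":
    for handle, signals in triage(ACCOUNTS, TODAY).items():
        print(handle, "->", ", ".join(signals))
```

A single signal is weak evidence on its own, which is why the check only flags accounts that match several of them.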

Fake screenshots that were used to promote the scam

Looking at the screenshots, you may notice inconsistent padding. The second and third images have different padding between the tweet text and the retweets/likes bar. If the images were larger, it would be noticeable how badly the icons are aligned with the numbers. That’s because they were edited. Image forensics proves these elements were copied. Below is a clone detection analysis, run on Forensically.

Clone detection analysis

Fake replies and activity statistics were added to make the screenshots more persuasive. A real tweet would never get positive replies from influential people, which is why scammers create fake screenshots. Several images were generated from one template, which is probably the reason for such heavy editing.

Blockchain forensics

Fake accounts on Twitter were promoting crypto-promo.com to lure victims into the scam. The design of the website is common for this type of scam: a wallet address with instructions at the top and fake transactions at the bottom. More details about the website are on urlscan.io.

Screenshot of the crypto-promo.com website

After loading, the “BTC left” status bar shows a decreasing amount of BTC. This is just a script that exploits our fear of missing out. If you see something like this, reload the page or clear the cache and it will start over.

Fake transactions

The website shows 7278862 completed transactions to build trust and create urgency. The transactions are fake, produced by nothing more than a script. Checking that Bitcoin address in a block explorer proves it.

Checking the address in the explorer.bitcoin.com

As observed, there were only 9 transactions to the criminal’s wallet (not 7278862). The fake script is there to trick visitors into following the “crowd”, exploiting the group instinct.

Transaction visualization of the fraudulent wallet

The visualization above is done with Orbit, an open-source blockchain transactions investigation tool. According to the block explorer, there are 10 transactions, but there are more nodes on the image. That’s because one transaction can have more than one input or output. The highlighted node is the address where criminals moved Bitcoins (last transaction).
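The same checks can be run over a wallet's transaction list: compare the on-chain count with the figure the site displays, count graph nodes, and find where the funds were moved last. This is an added example, not code from the original article or from Orbit; the transactions and addresses are constructed placeholders, and it assumes each address is drawn as one node.

```python
# Constructed sample data: placeholder addresses, not real chain records.
SCAM = "scam_wallet"
TXS = [
    {"txid": "tx1", "time": 1, "inputs": ["victim_a1", "victim_a2"],
     "outputs": [SCAM, "victim_a_change"]},
    {"txid": "tx2", "time": 2, "inputs": ["victim_b"],
     "outputs": [SCAM, "victim_b_change"]},
    {"txid": "tx3", "time": 3, "inputs": [SCAM],
     "outputs": ["cashout_addr"]},
]
CLAIMED_ON_SITE = 7278862  # counter displayed by the website, per the article

def touching(txs, addr):
    """Transactions in which addr appears as an input or an output."""
    return [t for t in txs if addr in t["inputs"] or addr in t["outputs"]]

def graph_nodes(txs):
    """Distinct addresses across all inputs and outputs (one node each)."""
    nodes = set()
    for t in txs:
        nodes.update(t["inputs"])
        nodes.update(t["outputs"])
    return nodes

def last_move(txs, addr):
    """Destination addresses of the most recent transaction spending from addr."""
    spends = [t for t in txs if addr in t["inputs"]]
    if not spends:
        return []  # nothing has left the wallet yet
    latest = max(spends, key=lambda t: t["time"])
    return [o for o in latest["outputs"] if o != addr]

def summarize(txs, addr, claimed):
    relevant = touching(txs, addr)
    return {
        "on_chain_txs": len(relevant),
        "claim_inflated": claimed > len(relevant),
        "graph_nodes": len(graph_nodes(relevant)),
        "moved_to": last_move(relevant, addr),
    }

if __name__ == "__main__":
    print(summarize(TXS, SCAM, CLAIMED_ON_SITE))
```

With three transactions the sample already yields seven nodes, because the first transaction has two inputs and each deposit also has a change output.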

Another fraud involved an Ethereum address. The website is down at the moment, but information about it can still be obtained on urlscan.io.

Screenshot of the ethprize.org website

Poor design, grammar errors and an unrealistic promise to get x10 in profit make it look sketchy. But still, people fell for the scam and sent Ether to the criminals. The following transaction diagram with the fraudulent wallet at the center was made in bloxy.info.

Transactions visualization

Libra scam

Recently, Facebook announced its cryptocurrency called Libra, and it quickly made news headlines. Although Libra is coming in 2020 and so far is only on the testnet, scammers decided to exploit the hype. They created a Libra “pre-sale” website. More details about the website are on urlscan.io.

Screenshot of the coin-libra.org website

The website was also promoted on bitcointalk.org.

Screenshot of the bitcointalk.org forum post

Whenever you see unverified accounts posting, don’t fall for the promises and do some research. One of the simplest ways to check is to Google using advanced search queries. Besides, according to whois.com, the website was registered on 2019-06-24, so maybe someone added it to blacklists.