Romance Scam Network


Back in April, someone reported losing over $20,000 USD to an elaborate phishing scam. The domain involved turned out to be part of a wider network of romance scams. The modus operandi was an attractive woman, apparently of Asian descent, whose profile the scammers used to reach out to high-value individuals (mostly men) on social media platforms like Instagram and Snapchat and on dating apps like Tinder. The scammer would build rapport and gain the victim’s trust by supplying cryptocurrency trading strategies, then drive the victim to a phishing website and swindle them of their fortune by convincing them to send money to the scammers’ wallet.

Following this thread led me to a more complex and widespread campaign, and to additional victims.

Discovery

I initially received a report of a user scammed by a MetaTrader 5 broker impersonating LocalCryptos. LocalCryptos is a peer-to-peer crypto marketplace where people buy and sell cryptocurrency, while MetaTrader is a trading platform that offers access to financial markets, including forex, stock exchanges and futures markets.

Unfortunately, the user had been scammed of $24,460 USD through the website.

Tragically, stories like these remain all too common. Sharing educational pieces such as this blog post which look deeper into the details of how these scams operate is part of how we can combat this as an industry. The following section will look further into the technical details of the attack.

DNS Analysis

Most of the phishing scams that we see targeting cryptocurrency exchange users are set up in the following way. The scammers purchase a domain and website hosting, set up a phishing kit that they have either developed or purchased, and mass deliver the attack to the victims, either through social media channels or email. Their DNS setup is normally fairly simple: the phishing domain’s registrar also provides the name servers, and at best the website is hidden behind a reverse proxy like Cloudflare.

This particular scam, set up on the domain lcryptos[.]com, had a more interesting DNS setup:

  • Mail exchange (MX) servers had been set up on chengmail[.]cn
  • An SPF record had been published: TXT lcryptos[.]com "v=spf1 include:spf.chengmail.cn ~all"
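The two DNS observations above (MX hosts and an SPF include pointing at another organisation) are the kind of thing an analyst can check mechanically. The following is an added example, not code from the original post: it parses an SPF TXT record and lists the mail infrastructure that belongs to a different organisation than the domain itself. The SPF string is the one quoted above; the MX hostname and the example.org record are constructed sample data, and the organisational-domain helper is a deliberate simplification.

```python
from dataclasses import dataclass

# Constructed sample data so the script runs offline. The lcryptos.com SPF string
# is the record quoted in the post; the MX hostname is a constructed placeholder.
SAMPLE = {
    "lcryptos.com": {"mx": ["mx.chengmail.cn"],
                     "txt": ["v=spf1 include:spf.chengmail.cn ~all"]},
    "example.org": {"mx": ["mail.example.org"],
                    "txt": ["v=spf1 mx ip4:203.0.113.0/24 -all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

@dataclass
class SpfRecord:
    domain: str
    mechanisms: list   # (qualifier, name, value) in evaluation order
    external: list     # include:/redirect= targets, i.e. someone else's infrastructure
    all_policy: str    # result for senders that match no earlier mechanism

def registrable(host):
    # Crude organisational domain: the last two labels. Fine for .com/.cn here;
    # a public-suffix list is needed for co.uk-style domains.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_spf(domain, txt_records):
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:          # RFC 7208: zero or several records means no valid SPF
        return None
    mechanisms, external, all_policy = [], [], "neutral"
    for term in spf[0].split()[1:]:
        if "=" in term:        # modifier such as redirect=_spf.example.net
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                external.append(value.lower())
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        mechanisms.append((QUALIFIERS[qual], name, value))
        if name == "all":
            all_policy = QUALIFIERS[qual]
        elif name == "include":
            external.append(value.lower())
    return SpfRecord(domain, mechanisms, external, all_policy)

def third_party_mail_infra(domain, mx_hosts, txt_records):
    """Hosts that receive or may send this domain's mail but sit under another
    organisation's domain, as chengmail[.]cn does for lcryptos[.]com."""
    org = registrable(domain)
    foreign = {h.lower() for h in mx_hosts if registrable(h) != org}
    rec = parse_spf(domain, txt_records)
    if rec:
        foreign |= {h for h in rec.external if registrable(h) != org}
    return sorted(foreign)
```

Feeding real MX and TXT answers (for example from dnspython) into third_party_mail_infra gives the same listing for a live domain; a freshly registered domain whose entire mail path sits with an unrelated provider is worth a closer look.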

The WHOIS records for lcryptos[.]com show that it was registered on 1 July 2021. It was hosted in Hong Kong along with a few other domains:

  • foxconnr[.]com (Likely targeting users of LooksRare)
  • financialfx[.]com
  • hkyodacapital[.]com
  • first-ratio[.]com

It had several subdomains:

  • broker[.]lcryptos[.]com
  • admin[.]lcryptos[.]com
  • user[.]lcryptos[.]com
  • trader[.]lcryptos[.]com

Deeper Investigation: More Victims

By gathering OSINT (open source intelligence) I managed to find more victims of the scam and piece together the LCryptos modus operandi.

The earliest victim I found was from 19 July 2021, the same month the domain was registered; they had been swindled of at least $5,000 USD. I went on to find more victims between July and September, all with a similar story. The scam seems to have stopped temporarily after September, only to resurface in December, presumably on a new hosting provider, judging from the default Windows Server landing page captured by The Wayback Machine. The phishing website was probably reported and had its hosting revoked.

The Modus Operandi

The scammers set up accounts on Instagram, Snapchat and Tinder as beautiful Asian women.

They would then bait their victims by following and liking their pictures and/or matching with them. As soon as the victim responds, they immediately move the conversation to WhatsApp, likely because WhatsApp does not have reliable support for reporting accounts, which matters for the inevitable fallout once the victim catches on to the scam.

On WhatsApp they start texting a lot, giving the victims attention and enticing them with photos. Over the course of the next few days, the scammer tries to discover whether or not the victim has a sizable income/savings while subtly using the images and conversation to suggest that the fictional character they’re impersonating is living a lavish lifestyle. They send pictures of themselves eating fancy meals, shopping for expensive bags and pictures of their luxury villas and apartments.

Next, after winning over the victim’s trust, the scammer reveals the secret to how they make their money: they know someone who is an expert in cryptocurrency trading. They used a few stories:

  1. Their professor at school built a sophisticated algorithm that gives reliable trading signals; he likes her, so he gives her daily signals.
  2. A family member (mother, father, sibling or cousin) is intelligent, is studying in the United States, is good at trading and gives weekly and daily market forecasts.
  3. She has a friend who’s a “big-time broker” with dozens of employees monitoring the markets 24/7.

Naturally, they offer to help the victim trade, using tips from their expert trader third party. They help them download and set up MetaTrader and get them to fund their portfolio with anything between $200 USD and $500 USD. They then give the victim good trading signals and help them turn some decent profits. They keep this going for a few days, encouraging the user to increase the money they’ve invested each day.

For the victims who are interested in crypto investing, they would have them download BINANCE and take them through the same process, often helping them make some decent profits over the course of a few days. This process proves to be highly effective in getting the victims eager to start making “serious money”. 

After gaining the victim’s trust, they encourage the victim to go all in. The story is that the expert forecasted that the following week the market will be bullish and it would be a great opportunity to make a fortune. They have the victim gather all their savings and have them ready for next week’s market. It’s at this point that they introduce “an even better platform with lower rates” - LCryptos, the phishing website. 

The victim registers an account on LCryptos and deposits their savings into the scammers’ address; from that moment the money is gone, although the victim does not realise it yet. The platform shows fake graphs and terminals of the victim’s investment turning profits. When the victim tries to withdraw their profits they receive a warning preventing the withdrawal. These warnings vary but follow a similar structure: the account has been flagged for some form of misconduct, usually money laundering, and the victim has to prove they are the rightful owner of the account by depositing at least 50% of the amount they are trying to withdraw.

One victim reported that they sent the required 50% but from a different account and was directed to deposit again, but from the same account they had used to make the initial deposit. They followed the instructions but like all the other victims, the platform’s support kept finding different reasons why the identity verification was failing and kept asking for more deposits to settle the account.

Some victims caught on to the scam quickly and some, unfortunately, kept depositing more money until they had drained all their funds and some even took out loans. When the victims confronted the “Asian woman” she denies any foul play, and she goes on to show that her withdrawals went through and that the victims should just follow the instructions and everything should work out.

Detection

I attempted to open lcryptos[.]com and its subdomains but they were not resolving, yet the victims were able to visit the site. This suggests that the website only resolves for requests carrying a specific referrer. This was later confirmed by one of the victims I found on Twitter.

Obfuscation methods like these make it especially difficult to detect these kinds of attacks. Another reason for the difficulty in detecting these kinds of attacks is the embarrassment the victims face due to the nature of the circumstances that hinder them from coming forward.

If you’ve been affected by this or a similar scam, please reach out to me. Even if I can’t recover your funds, I can work towards shutting down the scam and making sure the public is aware of the techniques scammers are using, hopefully helping people protect themselves in the future.
