
Ongoing Bitcoin Scams Demonstrate Power of Social Engineering Triggers

Bitcoin scams have soared over the last seven months. The surge started around October 2020, and the scams are continuing today.

On May 17, 2021, the FTC announced, “Since October 2020, reports have skyrocketed, with nearly 7,000 people reporting losses of more than $80 million on these scams.” It describes two scam methods. The first is to lure targets to bogus websites that look genuine and offer investment opportunities. The second is effectively a celebrity scam, where the supposed celebrity promises to immediately multiply any bitcoin investment.

In the latter scam, the name Elon Musk is frequently used as the celebrity. Known for both his business acumen and interest in cryptocurrencies, he is used to add credibility to the scam. “For example,” says the FTC, “people have reported sending more than $2 million in cryptocurrency to Elon Musk impersonators over just the past six months.”

An example of a fake website that also used the Elon Musk celebrity name occurred this month. On May 13, 2021, the BBC reported that a schoolteacher had lost £9,000 (almost $12,750) after being lured to a fake website. The report gave no indication of how she was lured – but the website was a fake BBC website.

The scam itself was typical. A false news story claimed, “Tesla buys $1.5 billion in bitcoin, plans to giveaway $750M of it”. Only the latter part of the headline is false. In February 2021, Tesla really did buy $1.5 billion in bitcoin, in order, it said at the time, to provide “more flexibility to further diversify and maximize returns on our cash.”

In the fake BBC website, grammatical pedants may have seen a red flag with the use of ‘giveaway’ (generally a noun) instead of ‘give away’ (the correct form for an action). Grammatical errors and typos are typical of scams, but otherwise the fake website is very convincing.


Fake BBC website used in bitcoin scam

The teacher invested £9,000, expecting to receive back £18,000 – but of course received nothing.

A month earlier, the BBC had reported on a Twitter-based scam with a far larger loss. On February 22, 2021, the real Elon Musk tweeted “Dojo 4 Doge”. A scammer using the Twitter name Elon Musk responded, offering a once-in-a-lifetime opportunity – send up to 20 bitcoin and receive double in return. The victim fell for it and sent 10 bitcoin, which he immediately lost – around £497,000 (more than $700,000).

Today, security firm Bitdefender has reported on two similarly themed email campaigns. Tens of thousands of fraudulent Tesla-related emails have been sent in two separate campaigns. Both campaigns offer the same lure – send Elon Musk some bitcoin and he will return twice the amount. Both appear to have started around the same time: May 15, 2021.

The first campaign uses an attached PDF. There is nothing malicious about the PDF other than its message: “Our marketing department here at Tesla HQ came up with an idea: to hold a special giveaway event for all crypto fans out there.” The PDF includes details of how to submit bitcoin in order to receive twice the amount in return. A typical subject line for the emails reads, “ELON MUSK 5,000 B T C GIVEAWAY!”. Other emails, however, are targeted, including the target’s username.

In this campaign, almost 80% of the emails appear to be sent from IP addresses in Germany. “11% of the fraudulent emails have reached users in the UK, 79.26% in Sweden and 9.22% in the US,” say the researchers.

The second campaign is just an email, providing information on the fraudulent giveaway, and even including a Bitcoin Address QR Code to be scanned by participants. “If you would like to participate in the giveaway, it’s very simple!”, reads the email. “All you need to do is send any amount of Bitcoin (BTC), (between 0.1 BTC to 50 BTC) to our official contribution address for this event, and once we have received your transaction, we will immediately send back (2x) to the address that you sent the BTC from.”
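A mail-filtering heuristic for the two lures quoted above, as an added example that is not Bitdefender's detection logic or code from the original article. The signal names, regular expressions and verdict labels are assumptions chosen for illustration; the subject and body samples are the strings quoted in the article, and the benign sample is constructed.

```python
import re

# Collapse letter-spaced tokens such as "B T C" before keyword matching,
# so the spaced-out subject line cannot slip past a plain "BTC" rule.
_SPACED = re.compile(r"\b(?:[A-Z] ){2,}[A-Z]\b")

# Hypothetical signal set derived from the wording quoted in the article.
SIGNALS = {
    "crypto": re.compile(r"\b(?:btc|bitcoin|crypto(?:currency)?)\b"),
    "brand": re.compile(r"\b(?:elon musk|tesla)\b"),
    "giveaway": re.compile(r"\bgive ?away\b"),
    # The recipient is told to pay first ("send ... Bitcoin").
    "send_first": re.compile(r"\bsend\b[^.]{0,80}\b(?:btc|bitcoin)\b"),
    # A promised multiple of the payment ("send back (2x)").
    "multiplier": re.compile(r"\b(?:2x|twice|double)\b"),
}

def normalize(text):
    """Join letter-spaced words, squeeze whitespace, lowercase."""
    joined = _SPACED.sub(lambda m: m.group(0).replace(" ", ""), text)
    return re.sub(r"\s+", " ", joined).strip().lower()

def signals(text):
    """Return the names of all signals present in the message text."""
    clean = normalize(text)
    return {name for name, rx in SIGNALS.items() if rx.search(clean)}

def verdict(text):
    """Pay-first plus a promised multiple is the core of the scam."""
    hits = signals(text)
    if {"send_first", "multiplier"} <= hits:
        return "block"
    if {"crypto", "giveaway"} <= hits:
        return "review"
    return "pass"

# Subject and body as quoted in the article; BENIGN is constructed.
SUBJECT = "ELON MUSK 5,000 B T C GIVEAWAY!"
BODY = ("If you would like to participate in the giveaway, it's very simple! "
        "All you need to do is send any amount of Bitcoin (BTC), (between "
        "0.1 BTC to 50 BTC) to our official contribution address for this "
        "event, and once we have received your transaction, we will "
        "immediately send back (2x) to the address that you sent the BTC from.")
BENIGN = "Tesla bought $1.5 billion in bitcoin in February 2021."

if __name__ == "__main__":
    for sample in (SUBJECT, BODY, BENIGN):
        print(verdict(sample), sorted(signals(sample)))
```

The brand signal is reported but deliberately not used in the verdict, so a legitimate news item that mentions Tesla and bitcoin passes while the pay-first, get-double structure is blocked whichever celebrity name is attached.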

According to the Bitdefender researchers, “This scam campaign has reached over 30,000 users across the globe. 16.73% of the spam emails originate from IP addresses located in Brazil, 14.15% in Russia, 6.32% in Indonesia, 4.91% in Turkey, 4.56% in Ukraine, 4.44% in Spain, 3.68% in the US, 3.63% in Italy, 2.16% in India, 2.11% in Romania and 1.93% in the Netherlands.”

Little is yet known on how successful the campaigns have been. However, Bitdefender notes, “At the moment, one of the crypto wallets used by the perps shows 31 transactions that translate to 1965.21 dollars.”

The lesson to be learnt from all these bitcoin scams is that it is almost impossible to prevent users from falling for good social engineering – whether it be scam or phishing. In this case the campaigns press all the right buttons: believability (Tesla really had bought $1.5 billion worth of bitcoin); celebrity endorsement (Elon Musk); urgency (before Tesla’s stock of bitcoins is depleted); and above all, greed (effectively something for nothing).

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.