Fake crypto wallet or how to steal from a thief

For several months, we have been studying with interest a new and very elegant crypto-fraud scheme, whose victims are skillfully and slowly encouraged to install a malicious application for managing cryptocurrency. They can be called "victims" only conditionally, though, because the developers of this scheme, like digital Robin Hoods, aim it primarily at... other thieves! Below we analyze the fraud scheme in detail, along with ways to protect cryptocurrency.

The first bait

It all started when I received an unremarkable message on crypto wallet topics in Telegram, forwarded from another user. Someone else might not have seen anything suspicious in it, but as the team leader of the web content analysts group at Kaspersky Lab, I became wary and began to study the incoming spam in more detail. To evade spam filters, which scan text but not video frames, the text was "wrapped" in a five-second video showing a screenshot of an ad about an urgent, hugely discounted sale of a couple of profitable crypto projects, together with links to them. The first link, to the supposed object of sale, led to a small but genuinely working second-tier crypto exchange, most likely to lull the victim's vigilance. The real bait was hidden behind the second link.

A screenshot of a message about the sale of crypto projects is “wrapped” in a five-second video. Reason to be wary!

Convenient server error

As one might expect, no malicious content was found directly behind the second link. Things were much more interesting: after entering the address, instead of the site's home page, a directory listing of the web root with enticing file names was displayed. It looked as if the server had been misconfigured or the home page had been accidentally deleted, so that it was listing every file in the site's root directory and exposing all of the unsuspecting domain owner's information. You could click on any file in the list and view its contents right in the browser, because all of them, how convenient, were stored in simple formats: TXT, PDF, PNG or JPG.

When you go to the site, a list of files in the root folder is displayed. There is not a single HTML file among them

All this created the feeling that we had broken into the personal folder of a rich but dim-witted owner of a certain crypto project: the text files contained details of crypto wallets, including seed phrases, and the graphic files contained screenshots confirming the successful transfer of a large sum of crypto, as well as demonstrating large balances in wallets and the owner’s luxurious lifestyle.

The text file carefully collects addresses, logins, passwords, seed phrases, recovery keys, PIN codes and private keys.

On the screen is a snapshot of the life of a rich slacker. And really, how else would one buy Ferraris and yachts with bitcoins?


Real wallets and money

The elegant feature of the scheme is that the wallet details are real: you can actually open them and see, for example, the transaction history of the Exodus wallet or the assets in other wallets, almost $150 thousand according to DeBank.

True, you won't be able to withdraw the money, because it is in staking (roughly speaking, frozen in a deposit). Nevertheless, this greatly reduces the visitor's skepticism: it looks not like spam or phishing but like a real leak of someone's data through negligence. In addition, there are no external links or malicious files anywhere. Nothing suspicious!

But in other wallets the amounts are very decent. It's just a pity that the funds in them are in staking (frozen)

We monitored the site for two months, and nothing on it changed during this time. Apparently, the scammers were accumulating a critical mass of interested parties, tracking their behavior through web server analytics. Only after such a long "warm-up" did they move on to the next stage of the attack.

New Hope

In a newly added screenshot, a certain Electrum-XMR wallet application is visible, with a transaction log and a very considerable total balance on the account: almost 6,000 XMR (Monero), which at the time of publication of this post is about a million dollars.

The active phase begins: the bait is a wallet with a supposed million dollars

And next to the screenshot, by “lucky coincidence,” a new text file appeared containing the seed phrase for this wallet.

Bait is the seed phrase for this wallet

Any dishonest person at this point will probably rush to download the Electrum wallet in order to log into the account of the "inattentive sucker" and transfer all the remaining money to themselves. But here's the problem: Electrum only works with the Bitcoin network, not Monero, and it accepts only seed phrases in its own format, which it recognizes by a built-in version tag. A Monero seed has a different word count and checksum, so the genuine Electrum, like every legitimate conversion tool, reports that the phrase has an incorrect format.
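The format mismatch described above can be checked mechanically, which is exactly what the genuine wallets do before they touch a phrase. The following is an added example written for this post, not code from the post itself or from the Electrum or Monero projects. It reimplements two documented checks: Electrum's seed version tag (HMAC-SHA512 keyed with "Seed version" over the normalized phrase must start with "01", "100", "101" or "102") and Monero's checksum word (CRC32 over the 3-letter prefixes of the preceding 24 or 12 words selects which of them is repeated as the last word). The word list in the block is a constructed placeholder, not either wallet's real dictionary, so a real wallet would still reject these phrases as unknown words; the point is the structural check that tells the two formats apart.

```python
"""Seed-phrase structure checks: Electrum (Bitcoin) versus Monero.

Added example; not code from the Kaspersky post, Electrum or Monero.
TOY_WORDS is a constructed placeholder list (assumption), not a real wordlist.
"""
import hashlib
import hmac
import random
import unicodedata
import zlib

# Electrum version tags: hex prefix of HMAC-SHA512("Seed version", phrase).
ELECTRUM_SEED_PREFIXES = {"01": "standard", "100": "segwit",
                          "101": "2fa", "102": "2fa_segwit"}
MONERO_PREFIX_LEN = 3          # unique prefix length of Monero's English list
MONERO_SEED_LENGTHS = (13, 25)  # 12 or 24 body words plus one checksum word

# Constructed placeholder words with distinct 3-letter prefixes.
TOY_WORDS = ["apple", "brave", "candy", "dance", "eagle", "fable", "giant",
             "happy", "inner", "jolly", "karma", "lemon", "mango", "noble",
             "ocean", "piano", "queen", "river", "sugar", "tiger", "uncle",
             "vivid", "water", "yacht"]


def normalize_seed(phrase: str) -> str:
    """NFKD-normalize, lowercase and collapse whitespace, as Electrum does
    before hashing (its accent stripping is omitted; irrelevant for ASCII)."""
    return " ".join(unicodedata.normalize("NFKD", phrase).lower().split())


def electrum_seed_type(phrase: str):
    """Electrum's seed type ('standard', 'segwit', ...) or None when the
    version tag does not match, i.e. Electrum would refuse the phrase."""
    tag = hmac.new(b"Seed version", normalize_seed(phrase).encode("utf-8"),
                   hashlib.sha512).hexdigest()
    for prefix, seed_type in ELECTRUM_SEED_PREFIXES.items():
        if tag.startswith(prefix):
            return seed_type
    return None


def make_electrum_like_seed(rng: random.Random, n_words: int = 12) -> str:
    """Mimic Electrum's generation loop: draw random words until the tag
    reads 'standard'. About one draw in 256 succeeds."""
    while True:
        phrase = " ".join(rng.choice(TOY_WORDS) for _ in range(n_words))
        if electrum_seed_type(phrase) == "standard":
            return phrase


def monero_checksum_index(body) -> int:
    """Index of the checksum word: CRC32 over the word prefixes, mod count."""
    prefixes = "".join(w[:MONERO_PREFIX_LEN] for w in body).encode("utf-8")
    return zlib.crc32(prefixes) % len(body)


def make_monero_like_seed(body) -> str:
    """Append the checksum word to a 24-word (or 12-word) body."""
    return " ".join(list(body) + [body[monero_checksum_index(body)]])


def monero_seed_checksum_ok(phrase: str) -> bool:
    """True when the phrase has a Monero word count and a valid checksum."""
    words = phrase.split()
    if len(words) not in MONERO_SEED_LENGTHS:
        return False
    body, check = words[:-1], words[-1]
    expected = body[monero_checksum_index(body)]
    return expected[:MONERO_PREFIX_LEN] == check[:MONERO_PREFIX_LEN]


def classify_seed(phrase: str) -> str:
    """Which wallet family would accept the phrase's structure. The Monero
    check (fixed word count plus checksum) is tried first because a random
    25-word phrase can still pass Electrum's 1-in-256 version tag by chance."""
    if monero_seed_checksum_ok(phrase):
        return "monero"
    seed_type = electrum_seed_type(phrase)
    if seed_type:
        return "electrum:" + seed_type
    return "unknown"


if __name__ == "__main__":
    btc_seed = make_electrum_like_seed(random.Random(1))
    xmr_seed = make_monero_like_seed(TOY_WORDS)
    print(btc_seed, "->", classify_seed(btc_seed))
    print(xmr_seed, "->", classify_seed(xmr_seed))
    print(xmr_seed, "as Electrum ->", electrum_seed_type(xmr_seed))
```

Feeding the 25-word Monero-style phrase to the Electrum check returns None in all but a chance 1-in-256 case, which is the "incorrect format" error the thief runs into; the reverse direction fails deterministically because a 12-word Electrum phrase has the wrong length for Monero. A phrase that fails both checks is exactly what the scammers count on, since the only "wallet" that will accept it is the one they are about to offer.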

But greed blinds them. After all, there is a million dollars at stake, and they need to hurry before someone else steals it, so the easy-money hunter goes to Google to search for either "Electrum-XMR" or simply "Electrum Monero".

The required version of the “wallet” is found at the top of the search results

This site mimics the design of the original Electrum and, in the best open-source tradition, contains various descriptions and links to GitHub (though to the original Electrum, not to any Electrum-XMR, a clear sign that this is not the usual Electrum), plus convenient direct download links for Mac, Windows and Linux.

The fake wallet website is made very well

And so our hunter unwittingly turns into a victim. The attackers will then presumably analyze the contents of their computer and steal crypto wallet data and any other valuable information.

However, our protection would have blocked even the visit to the malicious site, not to mention the attempt to install the Trojan. It is unlikely, though, that "crypto hunters" greedy for other people's money would be using it.

Our protection blocks even access to a malicious site, not to mention an attempt to install a Trojan

And suddenly, bam: a second wave!

Having finished analyzing this fascinating scheme from the social engineering point of view, we were not at all surprised to receive another similar bait some time later. The screenshot again shows a fake wallet with a large balance, next to it an open text file with plenty of private information, and a helpfully spelled-out link to the malicious site. The scheme has obviously proved effective, and many more such attacks await us.

In the second version of the attack, the scammers decided not to drag out the scheme.

How to recognize an attack

In the scheme we analyzed, the "victim" evokes no sympathy: he falls for the bait while trying to steal someone else's money. But scammers constantly come up with new tricks, and next time they may offer a completely "ethical" way to earn money: from a screenshot you "accidentally" learn about a very profitable airdrop.

Therefore, always remain vigilant and skeptical about what you find. In this attack, every stage was suspicious in its own way: a site that contains nothing but unencrypted text files with crypto wallet credentials, and balances that look too good to be true. In the current climate of widespread cryptocurrency fraud, using little-known wallet applications is an unacceptable risk; install wallets only from the project's official site or repository, and verify the publisher's signature on the download before running it.
