A new version of a classic online scam is percolating on Twitter. And while anyone even halfway paying attention likely wouldn’t fall for it, the trick has already raked in thousands of dollars of ethereum and bitcoin in less than a week.
The scheme itself is pretty straightforward: Attackers make Twitter handles that closely mimic the verified accounts of well-known figures like Elon Musk, John McAfee, or Ethereum co-founder Vitalik Buterin. Then they respond to one of those genuine tweets, giving the appearance of having started a thread, in which they claim that they’ll send a significant quantity of cryptocurrency (like 2 bitcoin) to anyone who sends a smaller amount of currency (like 0.02 bitcoin) to a particular wallet. Yup, that’s it. As of publication, you can see new attempts popping up on Twitter every few minutes.
“It’s like a social media impersonation mixed with a classic Nigerian prince scam,” says Crane Hassold, a threat intelligence manager at the security firm PhishLabs, who previously worked as a digital behavior analyst for the FBI. “Twitter will likely start blocking the accounts making the posts, but the level of effort needed for this scam is so low that it’ll probably be a cat and mouse game, and the return on investment at the beginning will be pretty good for the actor.”
The scheme also closely resembles a popular trick in the game Eve Online, in which scammers post “send a little, get a lot” promises to collect Eve’s in-game currency (known as ISK) in its Jita solar system, which acts as the commerce center. Like cryptocurrency, ISK is stored in electronic wallets for digital transactions.
The Twitter version, which started cropping up on February 1, doesn’t appear to be a total blockbuster, since most people know to avoid “send a little, get a lot” setups. (Not to mention that Elon Musk probably wouldn’t randomly give out a ton of bitcoin for no reason through Twitter. We think.) Still, many of the bitcoin and ethereum wallets the attackers set up do have a low-key stream of payments coming in. For example, one wallet posted in a fake John McAfee tweet, which promised 20 bitcoin for every 0.02 received, racked up 0.184 bitcoin within hours. At current prices that’s about $1,500. Not a gold rush, but also not bad for a scam that takes so little effort.
“It’s all a statistics game. They aren’t targeting folks who need to be convinced, they’re targeting folks who will knee-jerk react,” says Tinker, a researcher from the Dallas Hackers Association who was early to spot the scam. “By lessening the length of the message, it makes the scam more consumable. Combine that with impersonating famous people sending out popular tweets and the fall of bitcoin—folks are desperate to get a gain on their loss.”
As the price of cryptocurrencies has soared—and then crashed back down—scammers have capitalized on the booms and preyed on victims of the busts. The hustles are diverse, including all different types of phishing, spamming, and the notorious development of bogus initial coin offerings, but social media impersonation has a role in many of them, perhaps because so much discussion, speculation, and misinformation about cryptocurrency takes place there.
One attempt to identify bogus accounts impersonating prominent cryptocurrency community members is the new Chrome extension “EtherSecurityLookup.” Created by web developer Harry Denley, who also makes the anti-phishing tool “EtherAddressLookup,” the new extension checks Twitter accounts against a whitelist of legitimate cryptocurrency community members and flags handles that are too similar to a whitelisted one as potentially problematic.
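As an added illustration, not EtherSecurityLookup’s own code, here is the kind of lookalike check such an extension performs: fold characters that are easy to confuse (zero for “o”, one for “l”, and so on), then measure how far a handle is from each whitelisted account. The sample whitelist, the confusable map and the distance threshold are assumptions chosen for the example.

```javascript
// Added example, not EtherSecurityLookup's code. Flags Twitter handles that
// resemble an entry in a whitelist of known-good accounts. The confusable map,
// the distance threshold and the sample whitelist are assumptions of this example.
const SAMPLE_WHITELIST = ['elonmusk', 'officialmcafee', 'VitalikButerin']; // constructed sample
const SINGLE_CONFUSABLES = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't', '8': 'b', 'i': 'l' };

// Canonical form: strip '@', lower-case, and fold look-alike characters so that
// "el0nmusk" and "elonmusk" compare as the same string.
function normalizeHandle(handle) {
  const h = handle.trim().replace(/^@/, '').toLowerCase()
    .replace(/vv/g, 'w').replace(/rn/g, 'm'); // two-letter look-alikes first
  return h.replace(/[013578i]/g, (c) => SINGLE_CONFUSABLES[c]);
}

// Standard Levenshtein edit distance using one rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Verdicts: 'verified' (exact whitelisted handle), 'lookalike' (within
// maxDistance of a whitelisted handle after normalization), or 'unknown'.
function classifyHandle(handle, whitelist = SAMPLE_WHITELIST, maxDistance = 2) {
  const raw = handle.trim().replace(/^@/, '').toLowerCase();
  const norm = normalizeHandle(handle);
  let best = null;
  for (const entry of whitelist) {
    if (raw === entry.toLowerCase()) return { verdict: 'verified', target: entry, distance: 0 };
    const d = levenshtein(norm, normalizeHandle(entry));
    if (d <= maxDistance && (best === null || d < best.distance)) {
      best = { verdict: 'lookalike', target: entry, distance: d };
    }
  }
  return best || { verdict: 'unknown', target: null, distance: null };
}

// Constructed sample handles: the real one, two impersonation styles, an unrelated account.
for (const h of ['@elonmusk', '@el0nmusk', '@elonmusk_', '@vitalikbuterln', '@wired']) {
  console.log(h, classifyHandle(h));
}
```

A real deployment would keep the threshold small relative to handle length, since a long whitelist with a loose threshold produces false positives against short legitimate handles.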
Impersonation on social media is an ongoing problem, but these rackets violate the user agreements of pretty much every service, and platforms like Twitter can discourage them by playing whack-a-mole with the malicious accounts. And scams that are easy for fraudsters to run never totally go away, because it doesn’t take much investment to do them as quick one-offs. “It’s like any of the old school schemes,” PhishLabs’ Hassold says. “They’re somehow still around, because there are always people who are going to fall for it.”