Posted: 8 Min Read
Norton Labs

Scammers net more than $24.7 million in crypto scams in 2021

An attractive market where profits seem plentiful not only brings out legitimate investors but also the fraudsters and criminals.

The popularity of cryptocurrency has increased dramatically in the last decade. What was once a movement reserved for the underground and early adopters is now a mainstream economic powerhouse.

This digital gold rush has piqued the interest of established institutions, investors, and even some public figures. Household names like Tesla, PayPal, HSBC, and Visa have begun to embrace blockchain technologies in one form or another. This, in part, has led to record-breaking rises in the value of specific cryptocurrencies, and as a result, investors from all over the world have poured vast amounts of cash into digital assets.  

As a result, 2021 was a whirlwind year for crypto, with Bitcoin reaching record prices this November, stretching to more than $67,500 per Bitcoin for the first time since its creation. 

Crypto overview 

Figure 1 - Crypto Market Cap as of January 2022. Source: coinmarketcap.com

The cryptocurrency market comprised more than 8,000 different currencies and was worth an estimated $2.9 trillion in November 2021, with 71% of that market cap dominated by the four most popular coins. Here is how they broke down in popularity and value at their peaks [1]:

  1. Bitcoin – $1.2 trillion   
  2. Ethereum – $569 billion
  3. Tether – $180 billion 
  4. Binance Coin – $74 billion  

Therefore, high-value assets like Bitcoin and Ethereum are attractive to many investors trying to make a quick buck or two.

An attractive market where profits seem plentiful not only brings out legitimate investors but also the fraudsters and criminals. According to a recent report from Chainalysis, it is estimated that the total economic cost of scams involving cryptocurrencies equated to $7.7 billion in 2021—an 81% rise from the previous year [2].  

Crypto-based fraud comes in many forms, which fall into the same categories as most financial scams. The most common crypto scams are Ponzi schemes, fake investment scams, trading scams, and fake giveaways. Crypto scams are the highest-grossing form of cryptocurrency-based crime.

Crypto giveaway scams 

In this report, we focus on the "free giveaway" scams that typically impersonate a celebrity or an organization, usually one that has been outspoken about cryptocurrencies in the past. The scammers pretend to be hosting a free giveaway of a cryptocurrency and promise to send double back to anyone who deposits funds to the scammer-controlled wallet. Sometimes they will use compromised Twitter accounts with a verified blue tick to add legitimacy to their fake giveaway adverts. Unfortunately, the true extent of this criminal enterprise amounts to tens if not hundreds of millions of dollars per year in stolen funds.

Figure 2 - Fake Elon Musk Giveaway Scam

Scammers usually advertise the scams on social media. Twitter is the most popular platform, but we have also seen scammers use platforms like YouTube, Facebook, and even popular blogging platforms like Medium. The adverts posted on social media often lead to a website expressly set up for the scam, which provides detailed instructions on how to participate in the giveaway.

Figure 3 – Scam instructions

One of the most famous yet unsuccessful cases in recent history to use the crypto scam tactic noted above was the Twitter hack of 2020. Hackers from the U.S. and the U.K. used sophisticated spear-vishing attacks and social engineering to access Twitter's internal account administration tools. These tools allowed them to reset passwords and disable multifactor authentication (MFA) of more than 130 Twitter accounts, of which they tweeted from 45 high-profile accounts. As a result, the hackers gained access to the accounts of famous users like Elon Musk, Kanye West, Joe Biden, and Barack Obama. They even managed to take control of the accounts of some major cryptocurrency exchanges. Using these compromised accounts, the actors tweeted hundreds of fake giveaway adverts. 

Figure 4 - Tweet from compromised account of Elon Musk

The giveaway adverts loosely followed the same pattern, offering to double any amount sent to their Bitcoin address under various false philanthropic pretenses. The one constant throughout all the posts was the Bitcoin wallet address. This was how Twitter's security team initially blocked the attack: by deleting any posts on its platform that matched the Bitcoin wallet string. The threat actors managed to steal around $118,000 worth of Bitcoin during the attack, which lasted approximately four hours. Three teenagers, one from the U.K. and two from the U.S., were subsequently charged. One individual was charged with more than 30 felony crimes, including fraud, misuse of a computer system, and identity theft.

Figure 5 - Scam Emails

Another way scammers reach their victims is through phishing emails. These emails mimic trusted services to appear as if they are legitimate newsletters. The premise of the emails is simple: They pretend to be from popular websites like Medium and present the victim with fake news updates from Elon Musk and Tesla.

“Our marketing department here at Tesla H.Q came up with an idea to hold a special giveaway event for all cryptocurrency fans out there. We have bought $1.5 Billion Worth of Bitcoin. To celebrate we allocated 5,000 BTC to be given away!”

The victim is encouraged to join the free giveaway by clicking an embedded link in the email body that redirects them to a scam page. The threat actors in question use SendGrid to send emails to the victims. SendGrid is a mass mailer marketing tool commonly used by many legitimate businesses to send emails to their customers and is typically trusted by most email gateways as an authorized sender. This gives the appearance that the email originated from a legitimate source, making it harder to detect. Even though this attack was highly publicized in the media, it was just the tip of the iceberg for crypto scams. 

Live Streams 

YouTube is becoming a significant threat vector for distributing and delivering crypto scams to victims. Scammers will hijack or buy verified accounts, often with a large subscription base. They will then use these accounts to host live streams. However, these live streams are not as they seem; often, they will play pre-recorded videos of prominent figures and celebrities in the crypto scene, preferably pre-recorded videos of previous genuine live streams related to cryptocurrency discussions. Additionally, like the other giveaways mentioned above, they promise to double any donation made to their Bitcoin address. 

Figure 6 - YouTube Live streaming event scam

Methodology 

The Norton Labs web analysis pipeline uses an architecture of automated browsers to analyze and identify websites used for malicious purposes, phishing and scams. Utilizing the results of our visual screenshot classifier, we extracted a data set of 2,510 domains that hosted crypto scam websites in 2021. As mentioned above, the landing pages of crypto scams include instructions on where to send one's coins to benefit from the giveaway. This allowed our researchers to write specific signatures that detect and automatically extract crypto address strings from the respective scam pages, resulting in 770 unique Bitcoin wallet addresses.
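The address-extraction step described above can be sketched as follows. This is an added example, not Norton Labs' signatures or pipeline code: it finds candidate Bitcoin address strings in page text and keeps only those whose checksum verifies, which filters out look-alike strings before they reach blockchain analysis. The function names and the sample page are constructed for illustration, the two valid sample addresses are well-known public test values rather than scam wallets, and only legacy (Base58Check) and SegWit v0 (Bech32) formats are covered.

```python
import hashlib
import re
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
# Loose candidate shapes; the checksum functions below do the real validation.
CANDIDATE = re.compile(r"\b(?:bc1[a-z0-9]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")

def valid_base58check(addr):
    """Legacy address: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    if set(addr) - set(B58):
        return False
    num = sum(B58.index(c) * 58 ** i for i, c in enumerate(reversed(addr)))
    if num >> 200:  # does not fit the 25-byte layout
        return False
    raw = num.to_bytes(25, "big")
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[0] in (0x00, 0x05) and raw[21:] == check

def valid_bech32(addr):
    """SegWit v0 address: 'bc' prefix, witness version 'q', BIP-173 checksum."""
    hrp, _, data = addr.rpartition("1")
    if hrp != "bc" or not data.startswith("q") or any(c not in B32 for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [B32.index(c) for c in data]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk == 1

def extract_addresses(page_text):
    """Checksum-valid Bitcoin addresses in page text, de-duplicated, in page order."""
    found = []
    for cand in CANDIDATE.findall(page_text):
        ok = valid_bech32(cand) if cand.startswith("bc1") else valid_base58check(cand)
        if ok and cand not in found:
            found.append(cand)
    return found

# Constructed sample page. The two valid addresses are public test values
# (the genesis-block address and the BIP-173 example), not scam wallets.
SAMPLE_PAGE = """<p>Giveaway address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</p>
<p>SegWit: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4</p>
<p>Ref 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb, again 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</p>"""
```

Calling `extract_addresses(SAMPLE_PAGE)` returns the two checksum-valid addresses once each; the mistyped third string matches the candidate pattern but is dropped because its checksum fails.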

Blockchain analysis 

The blockchains of cryptocurrencies are public ledgers of transactions between wallets, so using the scam addresses as a starting point, we set out to dig into the movements and value of crypto coins under the control of the criminals running these crypto scams.  

For the BTC addresses mentioned above, the Bitcoin blockchain shows 14,107 transactions with a total value of 572.9896 BTC as of the writing of this report, which have a value of X using the price of Bitcoin on Dec 31, 2021. However, this is a lower bound on the number of Bitcoins controlled by those scammers. Tracing transactions to follow the flow of scam proceeds can uncover additional wallets that the criminals control and use for scams or for cashing out their proceeds.

Conclusion 

Crypto scams are on the rise and show no signs of slowing down anytime soon. If cryptocurrencies continue to hold a significant value to investors, they will be a prime target for the criminal threat actors. Additionally, the decentralized nature of cryptocurrencies means that it is exceedingly difficult to retrieve money once it has been stolen.   

The adage rings true for many if not all types of scams: If it is too good to be true, it probably is. It is improbable in today's world to get anything for free. To have a healthy skepticism when trading is not a terrible thing. Always ask yourself what the catch is and why some entity would be giving away a large amount of free money; no matter how charitable Elon Musk or others may be, red flags should arise when any large organization claims to be giving away billions of dollars in assets.   

The scammers will not make these rational observations easy for their victims. Instead, they will do their best to pressure them into making irrational decisions. Confidence tricks, a sense of urgency, and the fear of missing out all serve to make a perfectly rational person make irrational and reckless decisions. 

How Norton360 can help 

Our innovative security technology is powered by artificial intelligence and machine learning. We monitor online threats across the globe to help protect your devices against viruses, malware, spyware, scams, and ransomware. Our goal is to help protect your private and financial information when you go online. This year Norton360 blocked on average 3 million scams per month in the first six months of 2021, with June seeing almost 3.9 million detections and blocks of scam-related content. 

Figure 7. - Total Scams Blocked in 2021

20 wallet addresses  

A selection of some of the wallets we identified during our research: 


20 domain names  

A selection of the domains used in the giveaway scams:  


[1]  CoinMarketCap. (2021). Today’s Top 100 Crypto Coins Prices And Data. [online] Available at: https://coinmarketcap.com/currencies/ [Accessed 8 Dec. 2021]. 

[2] Chainalysis. (2021). The Biggest Threat to Trust in Cryptocurrency: Rug Pulls Put 2021 Scam Revenue Close to All-time Highs. [online] Available at: https://blog.chainalysis.com/reports/2021-crypto-scam-revenues/ [Accessed 16 Dec. 2021]. 

[3] blog.chainalysis.com. (2021). Crypto Crime Summarized: Scams and Darknet Markets Dominated 2020 by Revenue, But Ransomware Is the Bigger Story – Chainalysis. [online] Available at: https://blog.chainalysis.com/reports/2021-crypto-crime-report-intro-ransomware-scams-darknet-markets/ [Accessed 16 Dec. 2021]. 

[4] London, A. (2021). Cryptocurrency Crime and Anti-Money Laundering Report, August 2021 - CipherTrace. [online]  Available at: https://ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021/ [Accessed 9 Dec. 2021]. 


About the Author

Norton Labs

Global Innovation & Research

Norton Labs' research on Cyber Safety influences future technology and impacts the consumer cybersecurity industry worldwide. The Labs team includes top threat and security researchers who work to protect consumers from known and new threats.

Milo Salvia

Senior Security Researcher, Norton Protection Labs

Milo specializes in web-based threats, phishing defense and malware analysis for Norton Protection Labs, pulling from extensive experience in enterprise incident response and security operations.

Armin Buescher

Sr. Principal Security Researcher, Norton Protection Labs

Armin Buescher is a security researcher and software engineer for Norton Protection Labs and is focused on the analysis of attack trends and development of novel detection technologies. He has more than 10 years of experience working in the security industry.
