A major cryptocurrency scam operation involving “over a thousand” fraudulent websites has been uncovered by security experts.
Cybersecurity researchers from Trend Micro announced their discovery of a crypto operation whose goal was to trick people into giving away their bitcoin, called Impulse Project. The scam was run by a similarly-named group called Impulse Team which, the researchers believe, is a Russia-based threat actor.
The scheme actually appears to be the old “Nigerian prince” scam but with a modern twist. In the Nigerian prince scheme, the victim would receive an email from a “royal” in Nigeria trying to get their money (often in the millions) out of the country - the only catch is that they need someone to cover the costs of the transaction. Gullible victims would then wire some of their money (usually a few hundred or thousand dollars, minuscule in comparison to what they expected to get in return), which would then disappear without a trace.
The Impulse Project operation is relatively similar - a victim would receive an SMS, or an email message, saying they were picked as winners in a charity giveaway organized by a cryptocurrency trading company, or similar. For the reward, they are set to receive roughly 0.7 BTC, which is approximately $18,000 at current prices. The only thing they need to do is set up an account with the company and top it up with 0.01 BTC (~$250) to “activate” it.
At first, the researchers only discovered one such website, but further investigation uncovered “over a thousand domains” related to the fraud, all created between January 2021 and May 2023. The researchers also suspect that the operation might have been active since 2016, as some of the domains were already active six years ago. Many were registered by the same people, and on the same day. Furthermore, many of the websites use the same template and look exactly the same, save for the website logo.
Usually, it would be relatively simple to find out exactly how much money the scammers stole, given the transparent nature of the Bitcoin network. However, the researchers are yet to pinpoint all of the project’s wallets. They did, however, find the Telegram bot that claims to serve as a logging system for the project, displaying bot messages whenever a victim makes a deposit. So far, the according to the bots, the victims deposited roughly $5,000,000.
The researchers suspect that the Telegram channel might also be fake, to entice affiliates and get them excited about participating in the scheme.
Analysis: Why does it matter?
Bitcoin, as well as other cryptocurrencies, remain a popular investment for many - with the total market capitalization of the crypto industry sitting at roughly $1 trillion according to figures from Coinmarketcap. The same source also claims there are now more than 25,000 various cryptocurrency projects. At the same time, the crypto market is relatively young and not properly regulated, making it ripe for various fraudsters and cybercriminals.
The amount of money being stolen in cryptocurrency scams is growing exponentially. In 2021, for example, the FTC reported retail investors losing more than $1 billion in scams, and last year - that number rose to $4.3 billion. The ease of use, and global reach, make cryptocurrencies an ideal asset for state-sponsored threat actors, too, with earlier reports suggesting that North Korea uses stolen cryptos to fund its missile operations.
What have others said about this cryptocurrency scam?
Dark Reading reported how Trend Micro describes Impulse Project and “perhaps one of the largest-ever crypto scam campaigns.” It compared it to the OneCoin fraud scheme, currently considered the biggest scam ever that resulted in the theft of more than $4 billion, from 3 million unwitting investors.
"While the total financial impact of the Impulse Team's operation is not specified in the Trend Micro report, its vast network of over a thousand websites suggests a considerable potential reach and impact," Craig Jones, vice president of security operations at Ontinue, told the site.
Karl Steinkamp, director of delivery transformation and automation at Coalfire, told Dark Reading that the main difference between OneCoin and Impulse Project is the latter’s care when it comes to picking targets. According to Steinkamp, the Impulse Team is “being tactical.” “These individuals are content in getting fewer, higher value targets and access vs the 'spray and pray' method of malware distribution, whereby malware is widely distributed with the malware expectation of impacting more potential, yet less valuable targets." Finally, being “tactical” means the team is also harder to spot, he added:
"When malware is more broadly distributed, the time for systems to identify and quarantine it is dramatically more," he says. "The focus here drives home the cybercriminal's approach and motive."
Go deeper
If you want to learn more about cryptocurrency scams, you first need to know what is bitcoin, what is a cold wallet, and what is phishing. Also make sure to check out our guide on the best bitcoin wallets, as well as our guide on how to safely buy bitcoin.