How I Accidentally Uncovered a Crypto Mining and Investment Fraud Network

Recently, a friend of mine who is a novice crypto investor reached out to me asking if I could look into a company that promotes crypto mining and investment. The website promised returns that seemed too good to be true and had various other red flags. Unfortunately, by the time I got back to them with this information, my friend had already transferred several thousand dollars worth of Bitcoin. They were told they had earned a substantial return on their investment, but when they tried to withdraw their money, things took a dark turn. The fraudsters demanded additional fees to be paid before allowing the withdrawal; then, they threatened to close the account and call the police if my friend did not send more money. At this point, it was clear that the investment was fraudulent, there was no profit, and nothing would be returned.

According to a 2022 report by the FBI's Internet Crimes Complaint Center (IC3), investment fraud caused the highest losses of any scam in the US, totaling as much as $3.31 billion. Cryptocurrency scams represented a majority of fraudulent activity, increasing 183% from 2021 to $2.57 billion in reported losses last year. There are likely many more victims who didn’t report their incidents or didn’t even realize that they had been scammed. What’s worse is that, even if they report it, there’s no way to identify the criminals hiding behind anonymous domains and encrypted chat applications.

By now, most people know what crypto currency is, and Bitcoin has become a household name, so I won’t go into detail about blockchain or complex algorithms. The purpose of this story is to recount my investigation, identify the real financial risks of crypto investment scams, and hopefully protect future victims. As a cyber security researcher, I am always looking for exposed data, open ports, and other security vulnerabilities. I am used to tracking down and finding the owners of databases – often with very little information or clues. Sometimes, this can take days or weeks; other times, I never figure out who owns the exposed datasets. As a data detective, I thought identifying the owner of a crypto mining and investment website would be an interesting challenge. Little did I know that I would discover much more and uncover an expansive fraud network targeting novice crypto investors worldwide.

How the scam works

The scam started through social engineering, which is an umbrella term for any attack performed by exploiting human psychology and manipulating an individual’s trust. Scammers use this method to deceive their victims and convince them to perform actions that benefit the perpetrator. In this case, someone contacted the victim on Instagram, pretending to be an acquaintance and telling the victim that if they ever want to invest in crypto with big returns, they should contact this mystery person that the scammer has successfully invested with. Next, the criminals send the victim a name, a WhatsApp or other messenger contact, and a website link. The scammers have multiple websites, but they all use the same modern-looking template that comes with graphs and fake images of deposits and withdrawals from other customers. The text is in broken English, but still realistic enough to give the impression that they are a legitimate investment company. All the domain names and text on the sites are structured toward building trust.

Many of the sites have trust logos of major credit cards and payment methods, but when a potential victim tries to make a deposit, it turns out they only accept Bitcoin (presumably because it is extremely difficult to recover once it is stolen). After the victim invests the minimum amount, the scammers will sometimes allow an initial withdrawal and even add a small amount of profit. The victim then feels confident that they are dealing with a real company and either leaves the money in their account or adds more funds in Bitcoin. Next, the scammers offer three membership levels with minimum investment amounts and guaranteed monthly returns as high as 20%. The scammers then encourage the victims to pull in friends or family members, knowing that people are more likely to invest when someone they know and trust vouches for the scheme. This continues until the victim realizes that they are unable to withdraw their investment and that all the alleged profits are fake numbers in their user dashboard.

Reviewing the website

The name of the website that scammed my friend was a well-known corporate brand name combined with the word “invest”. This would give the impression that the site was connected to or supported by this organization and create a false sense of trust with the would-be investor. However, there were various clues suggesting that something was off with the website. The first red flag was stock photos of the supposed company leaders, whose names appeared to be painfully fake. Then, when I tried the website’s chat feature, someone posing as the CEO replied immediately with a prewritten script about how trustworthy they are and how safe my investments would be. I also called the phone number on the website, but it was not functional and went straight to voicemail. Finally, the website had an image of a UK registration document in their name that didn’t match the records of Companies House, the agency of the British Government that maintains the registration of companies.

I immediately became suspicious that the site didn’t seem legitimate and decided to dig deeper. Looking at the source code of a website can provide a wealth of information, such as analytics accounts, templates or plugins that are used, and other unique footprints. When cross-referencing these identifiers, I discovered that these individuals had a large network of nearly 300 websites. Some of them were exact clones and others were slightly different, but all of them offered the same promises of safe investments with unrealistic returns as well as fake business registration documents from multiple countries. Most of the domains were registered with privacy protection, but several older domains were registered to an individual based in Nigeria. The.US domains are intended to be registered to citizens of the United States and cannot be registered privately. These domains were registered to an individual with a surname that does not exist, and it seems that no one by that name ever lived at the listed address.

There are countless complaints online of victims who have fallen for this type of investment scam. The chances of recovering stolen cryptocurrency are generally low if not impossible compared to traditional financial scams. The decentralized and pseudonymous nature of cryptocurrencies can make it challenging to identify and track down scammers. I highly recommend that anyone looking to invest in crypto currencies thoroughly researches the company or website to avoid falling victim to scams. No legitimate company would coerce customers into making additional deposits in order to withdraw the funds that they have already paid. In this case, the scammer would show large returns and then demand more money in the form of fees or fictitious taxes before allegedly releasing the profits to the investor.

A separate victim described the scam as follows: “I was directed to a "withdrawal funds" button which once I clicked and completed my request, I received the error message attached to this complaint. Basically stating my investment account required me to upgrade. I learned the "upgrade" required an additional payment. There were 3 levels of upgrading your level from basic to either an $850, $1300 or $2800 via the website. It is only then you'd be able to withdraw the funds smoothly. Is the term constantly used by the person on WhatsApp”. However, it’s highly unlikely that the funds will ever be available for withdrawal, as the money was probably stolen immediately after the initial deposit was made. Usually, the scammers would open a new wallet for each victim, withdraw the funds as soon as the victim transferred their crypto investments, and then close the wallet. This way, it’s nearly impossible to tie the scam’s transactions to a specific wallet.

Scammers use well-known brand names to make it much harder for potential victims to verify complaints or reviews from other victims, as the Google search results are skewed to favor top brands and authority websites. This makes fraudulent sites dangerously effective because any negative information will probably be buried too deep in the search results for the average user to properly verify if the business is legitimate or not. The unauthorized use of a company’s name is also illegal and is known as cybersquatting or domain name squatting. An example of this is when criminals register or use a domain name with the intent to profit from the reputation or goodwill of someone else's trademark or brand.

I contacted the scammers directly, notified them of my investigation, and requested that they refund the money they had stolen from their victims. I also asked them for an interview, but they predictably ignored the message and will likely never return the cryptocurrency they have taken. I reported a list of domains, IP addresses, and other relevant information to multiple law enforcement agencies, but these criminals are often based in locations out of their reach. I also notified both the hosting providers and domain registrars of my investigation. This way, they can review the websites for terms-of-service violations, document any billing information, names, or other data pertaining to the scammers, and pass it on to law enforcement. Taking these sites offline and having their accounts suspended is important to prevent more victims and to disrupt the scam network. It should be noted that I was able to get around 60-70% of the domains I discovered suspended by the time of publication.

Hosting providers and domain registrars are failing to protect the public

The revenue is there, but the enforcement of safety measures is not. In 2022, the web hosting industry generated roughly $79 billion in revenue worldwide, and the global domain name registrar market is expected to reach more than one billion dollars per year by 2027. Unfortunately, until hosting providers and domain registrars get serious about cracking down on cyber criminals who abuse their services, these scams will continue to flourish. Something they could do to potentially prevent this type of scams is to reform how private or anonymous registrations are validated or vetted.

The industry focuses on sales and renewals while seemingly doing the bare minimum to protect victims. Most hosting providers and domain registrars don’t really provide users with a meaningful way to report sites with anonymous registrations, nor do they allocate the resources to investigate all complaints. These companies should have an obligation to ensure the protection of the general public who will visit websites engaged in criminal activities. One way to do this would be to change the laws to require domain registrars and hosting providers to implement a Know Your Customer (KYC) system similar to banks or credit institutions. This way, when a scammer uses their services, they can no longer use false names and fake addresses. Once a crime is reported in relation to that domain, law enforcement will know who is the individual behind the website.

This screenshot shows the way many hosting providers respond when provided with a fully detailed report of domains abusing their terms of service and engaging in potentially criminal activities. Basically, they will only investigate claims made by those who have already been scammed and who have already gone to the police. Hosting providers must do more to take action against users who are abusing their services and protect the general public.

How a crypto investment scam works

Crypto investment scams can come in all shapes and sizes. The end result is always the same, though – to deceive individuals into investing their money with the promise of unrealistically high returns. These are the basics of how a crypto investment scam usually works:

• Initial contact: Scammers typically reach out to potential victims through unsolicited communication channels, such as cold calls, emails, social media messages, or online advertisements. They may pose as cryptocurrency brokers, investment advisors, or representatives of a fake investment firm.
• False promises: Scammers entice victims with promises of high and quick returns on their investments. They may claim to have insider information, secret strategies, or advanced trading algorithms that can generate substantial profits.
• Urgency and pressure: To push victims into making quick decisions without proper consideration, scammers often create a false sense of urgency. They might say that the investment opportunity is limited or that prices will rise rapidly, urging victims to act immediately.
• Fake websites or platforms: Scammers may direct victims to fraudulent websites or investment platforms that mimic legitimate cryptocurrency exchanges or investment firms. These fake platforms are designed to appear professional and trustworthy, making it difficult for victims to distinguish them from genuine ones.
• Initial investment: Victims are asked to invest their funds into the scheme. Scammers may request payment in crypto or traditional currencies, claiming that it's necessary to unlock the investment opportunity.
• Disappearing act: Once the victims have deposited their funds, scammers may vanish, cutting off all contact. They might even close the fake website or platform, making it nearly impossible for victims to retrieve their money or seek help.

To protect yourself from crypto investment scams, consider the following precautions:

• Do your research and due diligence: Thoroughly investigate any investment opportunity, including the individuals or companies involved. Verify their credentials, check for licenses or regulatory approvals, and search for reviews or warnings from reputable sources.
• Avoid unsolicited offers: Be cautious of unsolicited communication, especially if it promises guaranteed profits or high returns. Legitimate investment opportunities are rarely offered through cold calls, emails, or social media messages.
• Use secure platforms and wallets: Use reputable and secure cryptocurrency exchanges, wallets, and investment platforms. Ensure they have robust security measures, such as two-factor authentication (2FA) and encryption.
• Verify information independently: Don't solely rely on information provided by the person or entity promoting the investment. Seek independent advice from trusted financial advisors or professionals.
• Trust your instincts: If something seems too good to be true or you feel pressured to make quick decisions, trust your gut and take the time to carefully consider the investment.

If you believe you have fallen victim to a crypto investment scam, it is important to report the incident to the local authorities and financial regulatory agencies. They can guide you on the appropriate steps to take and potentially assist in the investigation.