Cryptocurrency Social Engineering: A Case Study and Avoidance Best Practices. Guest post by Richard Sanders from Energi


The blockchain space is riddled with malicious actors who will capitalize on your desire to acquire cryptocurrencies or tokens through social engineering. Whether these social engineers exploit your naivety (if you’re newer or less experienced) or your greed (creating FOMO and deceiving even more knowledgeable individuals), the statistics don’t lie: over 90% of scam cases are the result not of hacking, but of social engineering of various kinds.

You may believe, in a rational state, that you’d never invest more than you could afford to lose in crypto, but social engineers will con you into thinking some “opportunities” are simply too good not to go all-in on. Extremely intelligent individuals, some of whom have probably been in crypto longer than average, have had their rationality ripped from them by psychologically manipulative social engineering. If you think you’re better than they are, you can stop reading here. If you assess an X minute read as worth the time, considering the amount of capital you’re involving, this is an investment of time that can protect your investment of capital.


Energi Bureau of Investigations: the nightmare of scammers

My name is Rich, and I’m a blockchain cyber investigator. I work for Energi, where I lead the Energi Defense department: we’re running a first-of-its-kind cryptocurrency investigative team that is organically part of the project’s own team. Since Energi is new and hasn’t had any attacks, I have been assigned noteworthy cases; for example, I am the lead investigator on Ian Balina’s case. I have a strong working relationship with international law enforcement and most major exchanges, as well as an extensive network of like-minded individuals across the industry, which has led to arrests and funds recovery in many situations.



I’ve already written about the more novice social engineers, impersonation scammers, in a past post. Most people, even those new to crypto, know enough to avoid being victimized by such low-effort scams. Impersonation scam social engineering is more comparable to a shotgun; the example below is more along the lines of a sniper rifle, as the scammers will target you with more precision once they get to know you. The latter methodology often results in far greater loss per victim because of the rapport and trust established, and while this approach is more time-consuming for the scammers, the financial-loss statistics prove it is time well spent for them (temporarily, until justice is served).

Hopefully, you never need my services after a scam or hack; I’d prefer you only need me to prevent them. I’ve had to put my time at a premium, but if you value your assets enough to spend an extremely small fraction of them on making yourself a hard target, that can now be arranged.


A Case Study: “Scamspeak”


Disclaimer

These facts are used to discuss the structure of a scam operation, and are publicly accessible through various public-facing reports by numerous victims. I cannot, and will not, reveal sensitive investigative details. While I will say that I have conducted extensive social engineering on this group with great results, and I can say with confidence that their time will come (likely when they least expect it), I will not reveal the methods I use or what I know about the perpetrators, as it is not relevant to this article. Many victims have written strong public articles, such as this one, outlining the situation similarly.

I will also not be revealing information about who is responsible for Scamspeak, as it is not my place to do so. I will, however, outline the methodologies used by these scammers (hereafter referred to as Scamspeak) in order to provide examples of the tactics, techniques, and procedures used by more sophisticated social engineers targeting cryptocurrency users.



Earlier this year, I was assigned a particularly interesting case. A client who runs a pooling group was scammed out of over 3500 ETH by a group of individuals running what was (deceptively) presented as a group of private investors who would secure allocations in highly demanded and promising blockchain projects. Within hours of investigating, the situation became even more horrifying: this group of scammers had already victimized hundreds of individuals.

This group of scammers would initially find their victims through Reddit posts, and later transitioned to Telegram and ultimately Discord. They would pose as investors, discussing their allocations and how much money they were making. Initially, they would reach out to individuals offering a slot in their exclusive group, fostering FOMO on the premise of having “just one slot left in our exclusive group.” Eventually, they transitioned to simply joining the Telegram groups of major ICOs and discussing their allocations:

“Scamspeak” social engineers in Mainframe’s Telegram group, discussing their “team’s” forecast for MFT and their allocation. This tactic fostered curiosity in future victims, resulting in numerous victims inquiring about the allocation and attempting to get a portion.


Once an individual (victim) expressed interest in joining this “team” or “exclusive private group,” the conversation would continue in DMs:

If you hadn’t read this far, you’d probably think “Peter” here was being cordial and offering you an opportunity to join an exclusive investment group. Since you have read this far, note what’s actually happening: the scammer is assessing how knowledgeable “Rain” is (to determine how difficult he would be to deceive) and creating uncertainty about whether he can join the group, which lends the group “credibility” and makes would-be victims eager to impress. That eagerness to impress would often mean investing more ETH than the victims normally would and/or investing in multiple projects.

Eventually, the conversation would move to a TeamSpeak server for an “interview.” The interview consisted of almost entirely the same script for every victim: which projects had they invested in? How much did they invest? Amazingly, the Scamspeak group would ask victims for their LinkedIn profiles, which were often provided, yet never reciprocated (taking notes?). Upon the conclusion of the “interview,” the “team” would retire to a private channel to “discuss their thoughts on you.” What was really happening? Not an assessment of your worthiness to join an exclusive investment group, but a discussion of how much could be stolen from you, and how easily.

Inside a TeamSpeak server set up by the Scamspeak scammers. The names used by the Scamspeak scammers would vary by cycle, but were often re-used. Note the plethora of highly demanded projects.


Unless the target claimed to be extremely poor or seemed extremely suspicious, the end result would be the same: a congratulatory invitation to join the group under a “probationary period,” followed immediately by a pitch for an upcoming pool, often delivered at the same time as the news of “group acceptance” or the next day.

Victims would then be asked to invest in project after project, with increasing amounts of pressure. At the first shred of skepticism, the scammers would take one of two actions. If they had a backlog of seemingly wealthy victims, they’d immediately ban the skeptical victim from the server.


If the current victim seemed to be “worth the time” (having extensive investment capital, being extremely naive, or both), the Scamspeak group would put in the time to produce seemingly convincing “proof” of their investments, such as sending fake tokens to wallet addresses. It’s incredibly easy to make your own ERC-20 token: its name and symbol are chosen freely by whoever deploys the contract, and simply creating an ERC-20 token titled “MFT” deceived several victims enough to conduct follow-on “investments” with Scamspeak.

And then we have email spoofing…

The raw email forwarded to a victim from Scamspeak to “prove” their “Quarkchain.”


Victims who were suspicious enough, but still deemed ripe targets by Scamspeak, would inquire about their tokens, and be given “peace of mind” by an email “verifying” them. Here’s the thing: these emails were spoofed, and spoofing email is incredibly easy to do if a blockchain project hasn’t invested the time or talent to prevent it. Email spoofing is a few keystrokes on script-kiddie-level sites like Emkei, and naturally, most victims didn’t know enough to audit the .eml file and determine that the emails were spoofed. After all, it came from the quarkchain.io domain, so it must be legit, right? Hindsight is always 20/20, but now you’re equipped with foresight.
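One way to audit a forwarded .eml for the spoofing signs described above, as an added example (Python; not code from the original post or from Energi). The message and every domain in it (project.example, relay.example.net, mx.victim.example) are constructed, and the SPF, DKIM and DMARC verdicts are taken only from the Authentication-Results header stamped by your own receiving mail server:

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample .eml (not a real message): the From header claims the
# project's domain, but the envelope sender and our own MX's authentication
# results say otherwise.
SAMPLE_EML = b"""\
Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.10])
  by mx.victim.example (Postfix) with ESMTP id 4ABCDEF
  for <victim@victim.example>; Mon, 1 Oct 2018 10:00:00 +0000
Authentication-Results: mx.victim.example;
  spf=fail smtp.mailfrom=relay.example.net;
  dkim=none;
  dmarc=fail header.from=project.example
From: "Project Team" <team@project.example>
To: victim@victim.example
Subject: Your allocation is confirmed

Your tokens have been allocated.
"""

def _domain(header_value):
    """Lower-cased domain of the first address in a header (or '')."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def audit_eml(raw, trusted_mx):
    """Return spoofing indicators found in raw .eml bytes.

    Only Authentication-Results stamped by trusted_mx (our own receiving
    server) count: a sender can add forged ones of its own.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, ret_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if ret_dom and ret_dom != from_dom:
        findings.append(f"envelope sender {ret_dom} != From domain {from_dom}")
    trusted = [" ".join(str(h).split())
               for h in msg.get_all("Authentication-Results", [])
               if str(h).strip().startswith(trusted_mx)]
    if not trusted:
        findings.append("no Authentication-Results from our own MX")
    auth = " ".join(trusted)
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    return findings
```

A Return-Path that differs from the From domain is a signal rather than proof, since legitimate projects often send through third-party mailers. A failing DMARC verdict from your own MX, or no authentication results from it at all, is the stronger indicator.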


Eventually, victims would catch on to the ruse, and Scamspeak would ban them from the server. All it took was changing the server address or password and creating fresh Telegram accounts, then rinse and repeat. This group has scammed millions of dollars from hundreds of victims.


Read the second part of the article to learn the lessons from the Scamspeak case and identify the red flags of social engineering scams.