Crypto trap for the greedy, or how to steal from a thief

“Gentle grafters” are attacking dishonest crypto users by imitating wallet leaks and manipulating their victims for months.

Fake leaks of passwords and seed phrases are scammers' new weapons

We spent several months researching a new and very smart crypto scam, where the victims were slowly, craftily encouraged to install a malicious crypto management app. However, the ones who got scammed were only nominally victims, because the operators, like some digital Robin Hoods, targeted… other pilferers. Take an in-depth look at this scam with us and learn how to protect your cryptocurrency.

The initial bait

It all started with my receiving a fairly trivial forwarded Telegram message about cryptocurrency. Others might have ignored it, but being the web content analysts’ team lead at Kaspersky, I smelled a rat and decided to look into it. To evade detection, the message was presented as a five-second-long video clip, which contained a screenshot showing a hasty, heavily discounted sale of two lucrative crypto projects with respective links thereto. Likely designed to give the recipient a false sense of security, the first link led to a real second-tier crypto exchange — albeit a small one. The real bait was hiding behind the other link.

The screenshot of the crypto project sale announcement is wrapped into a five-second-long video clip. That's a red flag!

A convenient server malfunction

Contrary to what could be expected, following the other link didn’t bring up any malicious content. Things were far more interesting: if you entered the address expecting to see a home page, the browser displayed a root directory listing with some enticing file names in it. It appeared as if the server had been misconfigured, or the home page accidentally had been deleted, revealing all of the unsuspecting domain owner’s data. You could click any file in the list and view its contents right in the browser, because, conveniently, all of them had common, easy-to-handle formats, such as TXT, PDF, PNG or JPG.

A visitor sees a list of files in the root folder. There isn't a single HTML file

This made a visitor feel like they’d landed inside the personal data folder of a rich but dimwitted owner of some crypto project. The text files contained wallet details complete with seed phrases, and the images were screenshots showing proof of a large amount in cryptocurrency being successfully sent, substantial wallet balances, and the owner’s lavish lifestyle.

The text file contains carefully collected addresses, logins, passwords, seed phrases, recovery keys, PINs and private keys

One of the screenshots had a YouTube video in the background, explaining how to buy yachts and Ferraris with Bitcoin. A PDF catalog of these yachts could easily be found in the same directory. In a nutshell, this was seriously juicy bait.

The screen shows a snapshot from the life of a rich slacker. So, what is the CORRECT WAY to buy the Ferrari and Yacht with Bitcoin?

Real wallets and cash

What’s smart about this scam is that the wallet details are real, and one indeed can access the wallets and view, say, the Exodus transaction history or the assets in the other wallets, worth nearly 150,000 US dollars, according to DeBank.

The Exodus wallet is empty, but it's real, and someone used it quite recently

You wouldn’t be able to withdraw anything, though, as the funds are staked — that is, basically tied up in the account. Nonetheless, this makes the visitor far less skeptical: the whole thing seems to be someone’s carelessly leaked real data, not spam or phishing. Besides, there are no external links or malicious files to be seen anywhere — nothing to be suspicious about!

The amounts in the other wallets are hefty. Too bad the funds are staked (locked)

We monitored the site for two months, seeing no changes whatsoever. The scammers seemed to be waiting for a critical mass of interested users to build up while tracking their behavior with web server analytics. It was only after this lengthy warm-up period that they proceeded to the next stage of the attack.

A new hope

The dramatic two-month pause was at last ended with an update: a fresh Telegram screenshot purportedly showing a successful Monero payout. If one took a closer look at the screenshot, one would notice an “Electrum-XMR” wallet app with a transaction log and a sizable balance of almost 6000 Monero tokens (XMR), worth about a million dollars at the time of publishing this.

The active phase kicks off: a wallet seemingly containing about a million dollars

By a lucky coincidence, a new text file with the seed phrase for the wallet popped up right next to the screenshot.

The seed phrase for the wallet was the bait

At this point, anyone dishonest enough rushed to download an Electrum wallet to log in to the careless dupe’s account and grab the remaining money. Tough luck: Electrum only supports Bitcoin, not Monero, and it takes a private key (and not a seed phrase) to regain access to an account. When attempting to restore the key from the seed phrase, every legitimate converter said the seed phrase format was invalid.

Yet greed was clouding the users’ judgment: after all, there was a million dollars at stake, and they needed to hurry before someone else stole it. The fast-buck artists went googling “Electrum XMR” or simply “Electrum Monero”. Whichever it was, the top result was a website ostensibly about an Electrum fork that supported Monero.

The "right" version of the wallet appears at the top of the search results

Its design resembled that of the original Electrum website, and, in typical open-source fashion, it featured all kinds of descriptions, links to GitHub (the original Electrum repository, though — not Electrum-XMR), a note that explicitly said this was a fork to support Monero, and handy direct links to macOS, Windows and Linux installers.

The website for the fake wallet app is very well made

Which is when the hunter unwittingly becomes the prey. Downloading and installing Electrum-XMR infects the computer with malware identified by Kaspersky as Backdoor.OLE2.RA-Based.a, which provides attackers with covert remote access. What they most likely do next is scan the contents of the machine and steal crypto wallet data and any other valuable information.

Our security solution would have blocked the malicious website, let alone an attempt to install the Trojan, but crypto hunters eager to lay their hands on other people’s money are hardly among our users.

Our security blocks the malicious site, let alone an attempt to install the Trojan

All of a sudden, a second iteration

Some time later, when we were done investigating this feat of social engineering, we received another bit of bait, which was hardly a surprise. This time around, the scammers switched from slow steaming to searing. The screenshot showed a fake wallet with a large balance next to an open text file containing a wealth of personal information and a thoughtfully added link to a malicious site. This scam has apparently proved effective, and we’re likely in for lots of similar attacks.

Version two saw the scammers get right down to it by collecting all relevant information in one screenshot

Recognizing the attack

Victims of the scam we discussed above evoke no sympathy at all, seeing how they took the bait by trying to steal other people’s money. However, the scammers keep coming up with new tricks, and next time, you might be offered an ostensibly ethical way of making money. For example, you might accidentally get a screenshot advertising a lucrative airdrop, with the link right in the address bar…

So, stay alert, and take any information with a large pinch of salt. Each stage in the attack was suspicious in its own way. The crypto project sale ad was presented as a video clip of a screenshot, obviously to get around anti-spam algorithms. A website containing nothing but plain-text files with crypto wallet data looks too good to be true. The domain purportedly hosting the crypto wallet fork had been registered just two months before the attack. Most importantly, however, the scam-filled crypto landscape makes using little-known wallet apps an unacceptable risk. Thus, follow these steps:

Tips