Whether you’re a crypto-skeptic or a crypto-maximalist, it cannot be denied that the mostly unregulated cryptocurrency ecosystem is no stranger to fraud. It has links to multiple types of cyber crime, including ransomware, carding, phishing, and malware development. What’s more, the line between a cryptocurrency criminal and entrepreneur is often hard to define: In December 2022, for instance, the once-respected founder of the prominent cryptocurrency exchange FTX was charged with wire fraud, commodities fraud, securities fraud, money laundering, and campaign finance law violations. To conduct attacks specifically linked to cryptocurrency, threat actors must usually cooperate within a web of associates—just like any other area of cyber crime. In this blog, we’ll take a look at the components of a crypto scam, including investors, designers, developers, and marketers, as well as a few interesting trends that characterize this black market.

Pump and Dumps, Fake Exchanges, and Malicious Smart Contracts

Before diving into the “who” and “how” of a cryptocurrency scam, we should first explain the “what.” There are three main types of cryptocurrency-related scams: the pump and dump, the fake exchange, and the malicious blockchain or smart contract.

Pump and dump: Also known as a rug pull, a pump and dump is a form of fraud that involves artificially inflating the price of a coin or token through false and misleading statements (e.g., “this coin is going to the moon!”) in order to sell the cheaply purchased coin at a higher price once enough investors have been duped into purchasing it. When criminals begin to sell the coin, its price tanks, leaving investors with a worthless asset.

Fake exchange: Cryptocurrency is traded via exchanges, which invariably take a commission and may have large differences between the buy and sell price of a coin, otherwise known as a large spread. Criminals establish their own fake exchanges promising very low or nonexistent fees and small spreads, but when traders deposit their funds onto these exchanges, the criminals simply abscond with them.

Malicious blockchain or smart contract: Cryptocurrencies rely on blockchain technology to ensure that coin or token transactions cannot be manipulated or retroactively altered. However, not all blockchains are created equal, and a maliciously created blockchain can facilitate theft from unwitting investors via fraudulent smart contracts they enter into on the blockchain.

Ocean’s Crypto: Putting the Team Together

Crypto Scam Investors

Starting a cryptocurrency scam requires a significant amount of capital. In the case of the pump and dump, an initial outlay of funds is often referred to as “seed money.” In the traditional securities world, seed capital often comes from investors who trust that a start-up company won’t deceive them, such as friends and family or angel investors. Start-ups must therefore be very transparent in their dealings. However, things are a bit trickier in the cyber-criminal world, where anonymity is paramount. Luckily for cryptocurrency threat actors, cyber-criminal forums often have dedicated sections where users seek and offer substantial amounts of money as “investment.” For example, one user seeking an investment of “at least 100k$ in crypto” for a pump-and-dump scheme claimed that their “experienced team” had exceeded this value in profit in the previous six-month period. In these sections, entire teams are put together to conduct cryptocurrency scams.

Forum user offers to fund various cyber-criminal endeavors, including cryptocurrency “hype” projects

These investors provide both the initial capital into the coin or token itself (increasing its value in order to convince victims that there is already some money in the pot) and the funds for making and marketing the coin to these victims. It is not uncommon to see forum users offering hundreds of thousands of dollars for this purpose. It is realistically possible that investors choose to support such projects in order to launder illicitly gained funds.

Grand (Graphic) Designs

Although many types of cyber crime only need a one-man army, a successful cryptocurrency scam requires a range of skills in addition to the initial investment. The next link in the chain is the designers, who create the scam coin’s look and feel. This includes everything that a real coin would have: an aesthetically pleasing logo, a legitimate-looking website, and perhaps even an impressive-sounding white paper that explains why this coin is going to be the Next Big Thing, replete with deliberately baffling technical jargon.

This stage is arguably the most crucial: Attackers need to convince both investors and exchanges that their coin is legitimate. If it has too much of an air of fraud about it, then (most) exchanges won’t list it, investors can’t buy it, and the scam never gets off the ground. Cyber-criminal forums are awash with users seeking and offering so-called “graphic design” and “rendering” services. Sometimes the requests don’t acknowledge the criminal nature of the scam. For instance, in a thread titled, “Who has experience creating their own coins and marketing them?” a user wrote that they were interested in the services of “people with experience in creating meme coins and pushing them to market.”

Cyber-criminal forum user advertises graphic design services

For fake exchanges, it’s much of the same: Whatever the criminals are pushing, it needs to look sleek and polished. In this instance, the graphic designer needs a bit more technical know-how, as they’ll need to set up a backend for facilitating account creation and deposits. Typically, graphic designers with ready-made exchanges seek investors to provide seed money or to fund an advertisement campaign. Once they’ve duped enough victims into placing their funds into the exchange, attracted by low fees and generous spreads, the scammers will pull the plug and abscond with their money, leaving victims in the lurch. This type of exit scam can be very lucrative and doesn’t require as much capital to get off the ground as you might think. We saw one graphic designer seeking a mere USD 10,000 for an advertisement campaign for their ready-made fake exchange.

Blockchain and Smart Contract Developers

Blockchain and smart contract developers handle by far the most technical part of a cryptocurrency scam. If a coin or token is going to be pushed to a legitimate market, it will almost certainly need a blockchain, a system in which a record of transactions is maintained across computers that are linked in a peer-to-peer network. Scammers can turn to programming-related sections on cyber-criminal forums to hire individuals to create a blockchain for them. These are often very basic: genuine innovation and real-world application are not of interest, only the illusion of them. Numerous articles on cyber-criminal forums tell users how to construct fake blockchains and market them to (mostly retail) investors. If an adversary has sufficiently developed social engineering and marketing skills, they can even get unwitting investors to buy coins for “cryptocurrencies” that don’t even have a blockchain.

Smart contract developers are unrelated to pump-and-dump schemers and fake exchange developers but are highly sought after on forums. These individuals write code for malicious contracts on secure blockchains that will steal funds from others. We noted one forum user offering USD 2,500 for an “Ethereum smart contract developer” to write a script that would automatically withdraw balances from Ethereum wallets. Most smart contract developers deliberately keep their posts low in detail; most malicious smart contracts rely on a vulnerability that developers want to keep secret.

Cyber-criminal forum user advertises their services for cryptocurrency attacks

Crypto Scam Marketing Executives

In the crypto scam world, “PR specialists” or “shillers” use a variety of methods to heavily promote fraudulent coins and tokens, fake exchanges, and malicious smart contracts to victims. They may use mass-mailing software to send millions of spam emails and may pay for advertising space on every corner of the Internet. They often turn to dedicated cryptocurrency discussion groups on Discord and Telegram, posing as innocent members who “shill” the coin by raving about its perceived advantages and making bold predictions about future gains. They may even dupe (read: pay a lot of money to) social media influencers into promoting the product to their followers. This can be pretty high-profile stuff. In October 2022, Kim Kardashian agreed to pay USD 1.26 million in penalties to the Securities and Exchange Commission to settle charges that she illicitly touted the Ethereum Max coin on social media without disclosing how much she was paid for the promotion. Ethereum Max lost 97 percent of its value following Kardashian’s promotion and was almost certainly a deliberate pump-and-dump scheme.

Cyber-criminal forum user seeks cryptocurrency “shillers” to promote their coin

It is highly likely that many working as PR specialists in this scene operate on both sides of the law. In fact, many cyber-criminal forum users offering their marketing services explicitly list their legitimate experience. One user advertising the services of their “affiliate marketing team” of eight members for “white-grey projects” boasted of their experience in Google and Facebook advertising and “gambling.” Interestingly, this user offered to work “in office” and, therefore, presumably expected to meet their partners in person, a rarity in the cyber-criminal world. In this instance, the advertiser did not explicitly state their willingness to work with cryptocurrency, although users will be able to read between the lines of “white-grey projects.”

The cryptocurrency-related cyber-criminal job market shares the common characteristics of many other parts of the underground ecosystem. Firstly, scamming the scammer is extremely common. Any user offering large sums of money for “investment” paints themselves as a juicy target for opportunists seeking to part them from their ill-gotten gains. Much like the victims of cryptocurrency scams, if an investor is scammed by another forum user, they will have no legal recourse to recover their funds; they can hardly complain to the authorities. Scammed investors have attempted to turn to forum arbitration services to seek help from forum administrators, often with little success.

Cyber-criminal forum user complains that their cryptocurrency scam partner drained USD 10,000 in various cryptocurrencies from their wallet.

Just like with ransomware, cryptocurrency marketing teams can be extensive, sometimes approaching the size of the infamous Conti ransomware group before their eventual split. Teams can afford to be large because of the often immense amount of money to be made. One developer team promised investors profits north of USD 200,000 in two months. Unlike ransomware, however, there is little sympathy for the victims of cryptocurrency scams. One cyber-criminal forum user who launched an ask me anything (AMA) session after allegedly losing USD 100,000 through a cryptocurrency scam on Discord was openly mocked for their naivety. This user subsequently sought to enter the crypto-scam business for themselves, noting that the attack had “inspired them” to become a “phisher.” In contrast, news articles shared on forums about ransomware attacks against critical national infrastructure, especially healthcare organizations, often generate messages of disdain towards ransomware operators and affiliates.

Despite 2022’s declining cryptocurrency market continuing into 2023, cryptocurrency scams remain widespread. While the general public’s interest in cryptocurrency may have cooled in recent months, cyber criminals are still very keen on developing new scams to part investors from their money. As development continues in the field of artificial intelligence, and as more and more businesses incorporate blockchain technology into their operations, it is likely that cyber criminals will seek to find more angles of attack. At ReliaQuest, you can be sure that we will stay on top of all the latest developments to ensure that you stay one step ahead of the attackers.