Full Report
Source post: "Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency" by Oliver Devane, McAfee Blog. Excerpt from the post's update: "In the past 24 hours (from time of publication) McAfee has identified 15 more scam sites..."
Analysis Summary
# Incident Report: Cryptocurrency Double-Your-Money Scam Campaign
## Executive Summary
McAfee identified a widespread cryptocurrency scam campaign that borrowed legitimacy from manipulated live streams of prominent figures, notably Elon Musk, discussing cryptocurrency. The streams directed viewers to scam websites promising to double any cryptocurrency sent to them. The campaign involved at least 26 confirmed scam sites (11 in the initial report and 15 more identified in the following 24 hours). Wallets tied to the sites had received over \$280,000 by May 5, 2022, and the combined value across all identified wallets exceeded \$1,300,000 by May 25, 2022.
## Incident Details
- Discovery Date: On or before May 5, 2022, when the initial wallet balances were recorded; the campaign kept growing through May 25, 2022.
- Incident Date: Campaign active in the days leading up to and including May 25, 2022.
- Affected Organization: General public/cryptocurrency users globally.
- Sector: Financial Technology (Cryptocurrency scams) / Social Media Platforms (YouTube/Twitter).
- Geography: Global (Attacks distributed via internet/social media).
## Timeline of Events
### Initial Access
- Date/Time: Prior to May 5, 2022 (when the first transactions to the scam wallets were recorded).
- Vector: Social media manipulation (hijacked or impersonated YouTube live streams).
- Details: Attackers streamed modified copies of existing YouTube content in which well-known figures discussed cryptocurrency (for example 'The B Word' event featuring Elon Musk, Cathie Wood, and Jack Dorsey). The altered stream displayed a frame advertising the scam websites, which promised to double any cryptocurrency deposited.
### Lateral Movement
- Not applicable (This was an external phishing/social engineering campaign targeting end-users, not an internal network breach).
### Data Exfiltration/Impact
- Impact: Financial loss to victims who sent cryptocurrency to the scam wallets: over \$280,000 received as of May 5, 2022. The campaign scaled quickly; McAfee identified 15 new scam sites in the 24 hours after the report was published (update of May 25, 2022).
### Detection & Response
- Detection: McAfee identified the malicious sites and associated YouTube streams.
- Response Actions: McAfee blocked the malicious URLs in McAfee WebAdvisor.
## Attack Methodology
- Initial Access: Manipulated YouTube live streams (hijacked or impersonated channels) showing Elon Musk and other well-known figures discussing cryptocurrency, used to lure viewers to the scam websites.
- Persistence: 26+ scam domains operated in parallel, with new lookalike domains appearing faster than individual sites were reported (15 in 24 hours).
- Privilege Escalation: Not applicable (non-technical social engineering).
- Defense Evasion: A genuine, high-profile discussion served as the backdrop so that viewers trusted the advertised sites immediately; the large number of lookalike domains also blunted the effect of blocking any single site.
- Credential Access: Not applicable (the goal was a direct transfer of funds, not credential theft).
- Discovery: Attackers likely surveyed popular or trending cryptocurrency discussions on platforms like YouTube for content to re-use.
- Lateral Movement: Not applicable.
- Collection: Not applicable in the usual sense; instead, the scam sites used JavaScript to render a fake table of recent 'payouts' so that the doubling offer appeared to be working for other users.
- Exfiltration: Cryptocurrency sent by victims went directly to attacker-controlled wallets.
- Impact: Direct monetary loss to victims.
## Impact Assessment
- Financial: Over \$280,000 received by malicious wallets as of May 5, 2022, with a combined value across all identified wallets exceeding \$1,300,000 by May 25, 2022.
- Data Breach: None reported; the compromise was primarily financial fraud against users.
- Operational: Not applicable; no organization's systems were compromised. The harm was direct financial loss to individual victims.
- Reputational: Potential reputational damage to the individuals/events being impersonated (e.g., Elon Musk, 'The B Word' event).
## Indicators of Compromise
- Network Indicators (Defanged):
- `22ark-invest[.]org`
- `2xEther[.]com`
- `2x-musk[.]net`
- `arkinvest22[.]net`
- `doublecrypto22[.]com`
- `elonnew[.]com`
- `elontoday[.]org`
- `Teslabtc22[.]com`
- `tesla-eth[.]org`
- `teslaswell[.]com`
- `twittergive[.]net`
- File Indicators: N/A (Web-based scams).
- Behavioral Indicators: Promotion of "double your crypto" offers via manipulated live streams on video platforms.
## Response Actions
- Containment measures: McAfee blocked the listed malicious URLs in McAfee WebAdvisor.
- Eradication steps: Not applicable, as this was an external campaign with no compromised systems on the defender's side.
- Recovery actions: Advising users to avoid suspicious links and to treat any offer that sounds too good to be true, such as doubling deposited funds, as a scam.
## Lessons Learned
- Key takeaways: Cryptocurrency scams continue to use high-profile events and figures for social engineering, leveraging platform trust (YouTube). Adversaries are skilled at creating high volumes of lookalike scam domains quickly.
- What could have been done better: Enhanced monitoring of social media platforms for manipulated live streams coinciding with major news events.
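An added triage helper, not part of the McAfee report, that ties the IoC list above to the lesson about rapidly created lookalike domains. It refangs the eleven listed indicators, scores each hostname with a keyword heuristic built only from tokens that appear in those indicators (brand or figure names, a '2x'/'double'/'give' lure, two-digit year-style numbers, several brand tokens stuffed together), and emits DNS RPZ records for the confirmed blocklist. The allowlist of legitimate brand domains and the benign control domains are assumptions for the example, not from the report. Running it also shows the limit of the heuristic: it flags 8 of the 11 confirmed sites but misses the plainer impersonations (elonnew.com, elontoday.org, teslaswell.com), which is why the explicit blocklist remains the primary control.

```python
import re

# The eleven defanged network indicators from the report above.
DEFANGED_IOCS = [
    "22ark-invest[.]org", "2xEther[.]com", "2x-musk[.]net", "arkinvest22[.]net",
    "doublecrypto22[.]com", "elonnew[.]com", "elontoday[.]org", "Teslabtc22[.]com",
    "tesla-eth[.]org", "teslaswell[.]com", "twittergive[.]net",
]

# Tokens are taken from the listed domains themselves; an analyst would extend
# these as new sites appear.
BRAND_TOKENS = ("elon", "musk", "tesla", "ark", "invest", "twitter", "btc", "eth", "crypto")
LURE_TOKENS = ("2x", "double", "give")
# Assumed allowlist of legitimate brand domains (not from the report).
ALLOWLIST = {"tesla.com", "ark-invest.com", "twitter.com"}
THRESHOLD = 2  # score at or above this is treated as a lookalike


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a resolvable, lower-cased hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    return host.replace("[.]", ".").replace("(.)", ".")


def score_domain(domain: str) -> tuple[int, list[str]]:
    """Heuristic lookalike score for one hostname, with the reasons that fired."""
    domain = domain.lower()
    if domain in ALLOWLIST:
        return 0, ["allowlisted brand domain"]
    # Registrable label: everything before the last dot, hyphens removed so that
    # 'tesla-eth' and 'teslaeth' are scored alike. Adequate for two-label names;
    # production code would consult a public-suffix list instead.
    label = domain.rsplit(".", 1)[0].replace("-", "")
    score, reasons = 0, []
    brands = [t for t in BRAND_TOKENS if t in label]
    if brands:
        score += 1
        reasons.append("brand/figure token: " + ",".join(brands))
    if len(brands) >= 2:
        score += 1
        reasons.append("multiple brand tokens combined")
    lures = [t for t in LURE_TOKENS if t in label]
    if lures:
        score += 2
        reasons.append("doubling/giveaway lure: " + ",".join(lures))
    if re.search(r"\d{2}", label):
        score += 1
        reasons.append("two-digit (year-style) number")
    return score, reasons


def is_suspicious(domain: str) -> bool:
    return score_domain(domain)[0] >= THRESHOLD


def triage(indicators: list[str]) -> dict[str, bool]:
    """Refang each indicator and report whether the heuristic alone would flag it."""
    return {refang(i): is_suspicious(refang(i)) for i in indicators}


def rpz_rules(domains: list[str]) -> list[str]:
    """DNS RPZ records returning NXDOMAIN for each domain and all of its subdomains."""
    rules = []
    for d in domains:
        rules.append(f"{d} CNAME .")
        rules.append(f"*.{d} CNAME .")
    return rules


if __name__ == "__main__":
    results = triage(DEFANGED_IOCS)
    for host, hit in results.items():
        score, why = score_domain(host)
        print(f"{host:22} score={score} flagged={hit} ({'; '.join(why)})")
    # Benign control domains (real, unrelated sites) show the threshold at work.
    for benign in ("tesla.com", "ark-invest.com", "investopedia.com", "ethics.org", "arkansas.gov"):
        print(f"{benign:22} score={score_domain(benign)[0]} flagged={is_suspicious(benign)}")
    # The blocklist covers every confirmed IoC, flagged by the heuristic or not.
    print("\n".join(rpz_rules(list(results))))
```

The scoring weights are deliberately simple: a lure word alone is worth two points because doubling or giveaway wording has no legitimate use on a brand's own domain, while a single brand token is worth one point so that unrelated names containing 'ark', 'eth' or 'invest' stay below the threshold.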
## Recommendations
- Users must be vigilant regarding cryptocurrency offers, especially those promising guaranteed high returns (e.g., doubling funds).
- Ensure streaming content is sourced directly from verified channels, not embedded or modified streams.
- Use web protection software (such as McAfee WebAdvisor) that blocks known malicious domains before the page loads.