Bitrace

With the arrival of the airdrop season, Web3 users have ushered in a golden harvest. At the same time, they have also become a big prey of criminal gangs in the crypto dark forest. Bitrace noticed that some criminals used fake Twitter accounts to conduct phishing fraud. They published a large number of false airdrop claim links in the comment area of official Twitter accounts, induce users to click and try to receive tokens. Once users are careless, they may suffer financial losses.

Under this background, “highly imitated Twitter fishing scam”, as a representative fishing industrialization crime on social media platform, poses a serious threat to users’ capital security by virtue of its highly organized and large-scale operation characteristics.

Twitter, a new arena for fraud activities

Over the past few months, Bitrace have received help from several victims who have been stolen after clicking the “airdrop claim link” on Twitter. These links are actually phishing links.

Take the case of one of the victims related to Etherfi imitation as an example. On March 15th, ether.fi announced that its tokens would be launched on well-known exchanges, Binance and OKX. However, the project did not release the official airdrop inquiry link until March 18th. The false $ETHFI claim link was spread on Twitter during the three-day. After clicking the phishing link to interact, victim was cheated of authorization and lost 136.2 ETH. Now the phishing Web page cannot be opened, and the high imitation account has disappeared. The real account is @ ether_fi, the following figure shows the false account @ ethers_fi.

The fake link of the high imitation account that appears on the victim’s homepage

Bitrace team traced the addresses of victims in several of these cases and found that the addresses of attackers (spender) who authorized phishing and stealing coins in the cases were all 0x0000db5c8B030ae20308ac975898E09741e70000, marked as Inferno Drainer.

Industrialization of Fake Twitter accounts fraud

In fact, Fake Twitter accounts fraud has become an orderly black industry. From the buying and selling of Twitter accounts, to the establishment of phishing websites, to the targeted push of phishing information, and finally the realization of fraudulent activities, Crypto has played an important role in it.

Purchase Crypto Related Account

Well-known project Twitter accounts have a large number of fans, Blue Label certification, so high Fake Twitter accounts also need to move closer to this. The swindlers first purchase a high-quality Twitter account that meets the above conditions, reprint the head portrait and profile of the official account, and replace it with almost the same ID. A highly confusing and highly imitated account will be finished.

Bitrace tried to enter keywords such as “Twitter account” in TG, and found a large number of groups, buying and selling Twitter accounts. After communicating with many other groups, it was found that sellers all required crypto currency as payment. Most of the transaction accounts provided by the other party are related to crypto and have a certain daily life and fan base.

The above is the chat record between Bitrace and a seller.

According to the collection address provided by the seller, we found that the address had been traded with the address related to high-risk funds marked as “money laundering and online gambling” for many times, which was only the tip of the iceberg. Buying and selling Twitter accounts seems harmless. In fact, it facilitates criminals to carry out fraud.

Multi-number layout fishing link

Twitter has a mature and clear content recommend mechanisms. By using such rules, fraudulent gangs will be able to effectively push fraudulent information to the timeline of target audiences:

Commonly used methods are to forge data in the comment area. Fake accounts post fake airdrop claim links under official Twitter account tweets, and use robots to increase the number of likes, retweets, and replies to deceive victims into trusting and clicking on them.

Third-party promotion service payment interface

Many victims will be confused by the large interaction of fraudulent comments. In fact, this kind of scrubbing service has been very rampant and is one of the tools commonly used by Illegal industry.

Another common method is keyword contamination. The fraudsters use attractive propaganda techniques such as “check qualifications, apply for airdrops, and mint NFT for free” to publish tweets based on the fraudulent links of specific blockchain agreements. When potential victims search for agreement names and specific keywords, Twitter is likely to display the tweets of fraudulent accounts, and then pose a threat to ordinary investors.

Purchase a tweet promotion service

In addition to the phishing methodsmentioned above, Twitter and Google are actually involved in doing evil, they fail to filter fraudulent information in the paid promotion process, resulting in paid promotion for phishing links.

Bitrace found that once the news that $PRCL, a well-known option project in Solana, was about to airdrop was released, a large number of Twitter blue label matrices began to release phishing links, and they purchased Twitter’s promotion services to carry out phishing tweets, the same scam copywriting were pushed to the timeline of specific groups.

Technical support from well-known fraud groups, Inferno Drainer

In the cases mentioned above, most of the stolen funds eventually went to address marked as Inferno Drainer. Inferno Drainer is a malicious software designed to illegally clear or “empty” encrypted money wallets.

Source Group-B

The developer provides the phishing websites that the fraudsters need to support their fraud activities. Once the victim scans the QR code on the phishing website and connects to the wallet, the Inferno Drainer checks and locates the most valuable and easily transferable asset in the wallet and starts a malicious transaction. After the victim confirmed these transactions, assets are transferred to criminal accounts. 20% of the stolen assets are owned by Inferno Drainer, while 80% are owned by fraudsters.

Criminals are not ashamed of fraud, but take it as a strategy to attract more “operators” to join them. In order to expand the criminal network and increase the number and scale of criminal activities, it is staggering.

Response measures

Twitter, as a channel for Web3 users to obtain first-hand information, has been tainted by criminals. Be cautious when surfing the Internet, think twice when clicking on the link. Bitrace remind you:

1.Understand the basic mechanism of social media. Keep in mind the ID of the official account (unique and only), which cannot be duplicated by imitation account. The number of common follower under an account is an important basis for distinguishing true and false accounts. Official accounts are often followed by a large number of friends.

2.Verify the authenticity of the link through multiple channels. Once the official project releases important information such as “airdrop qualification and airdrop claim”, it will not only release through Twitter, but also release the information through other channels such as Discord, Telegram and third-party media. Therefore, users can lock real airdrop links through multiple channels.

3.Identify the pop-up window content of wallets. If you cannot determine the details behind the transaction, do not sign the transaction easily.

4.Be careful about the comment below Thread. Comment below official tweets has the target group and traffic, phishing links are most rampant. The official team is also aware of this problem and add notices at the end of a thread.

Cybercrime in the filed of crypto has become more and more organized, damages the interests of users and healthy development of the entire crypto industry. If you suffer losses unfortunately, please feel free to contact crypto security company for help.

Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish