Conning the Crypto Conman: End-to-End Analysis of Cryptocurrency-based Technical Support Scams

TL;DR

This paper provides a comprehensive end-to-end analysis of cryptocurrency-based technical support scams, using a novel system called HoneyTweet to lure and study scammers across multiple communication channels, revealing their methods and payment strategies.

Contribution

It introduces HoneyTweet, an automated system for studying crypto support scams, and offers an in-depth analysis of scammers' operations, payment methods, and communication channels.

Findings

Scammers primarily initiate scams on Twitter before moving to other channels.

Two main scammer categories identified: secret key theft and direct wallet payments.

Validation with payment providers confirms scammer behaviors and payment methods.

Abstract

The mainstream adoption of cryptocurrencies has led to a surge in wallet-related issues reported by ordinary users on social media platforms. In parallel, there is an increase in an emerging fraud trend called cryptocurrency-based technical support scam, in which fraudsters offer fake wallet recovery services and target users experiencing wallet-related issues. In this paper, we perform a comprehensive study of cryptocurrency-based technical support scams. We present an analysis apparatus called HoneyTweet to analyze this kind of scam. Through HoneyTweet, we lure over 9K scammers by posting 25K fake wallet support tweets (so-called honey tweets). We then deploy automated systems to interact with scammers to analyze their modus operandi. In our experiments, we observe that scammers use Twitter as a starting point for the scam, after which they pivot to other communication channels (eg email, Instagram, or Telegram) to complete the fraud activity. We track scammers across those communication channels and bait them into revealing their payment methods. Based on the modes of payment, we uncover two categories of scammers that either request secret key phrase submissions from their victims or direct payments to their digital wallets. Furthermore, we obtain scam confirmation by deploying honey wallet addresses and validating private key theft. We also collaborate with the prominent payment service provider by sharing scammer data collections. The payment service provider feedback was consistent with our findings, thereby supporting our methodology and results. By consolidating our analysis across various vantage points, we provide an end-to-end scam lifecycle analysis and propose recommendations for scam mitigation.