Beware: The swindle uses legitimately purchased YouTube ads, real liquidity, legitimate DEX Uniswap, and the real wallet extension MetaMask to create an entirely convincing fake coin gambit.
YouTube fans have been swindled out of almost $1 million (and counting) thanks to an extremely convincing fake SpaceX crypto-coin campaign that uses a popular decentralized finance protocol called Uniswap.
The scam is rearing its Elon-Musk-themed head in ads on YouTube that show up before and after videos about cryptocurrency, according to research from Tenable. So far, the scammers have earned more than $430,000 across two completed campaigns, with a third still running that is on pace to bring the total “earnings” up to $1 million, the firm said.
“The reason this particular campaign stands out is that it didn’t rely on promotion through Telegram channels or social media, but it rode the wave of success scammers have found through YouTube,” explained Satnam Narang, researcher at Tenable, in a blog posting on Thursday. “It did so by leveraging the existing infrastructure of YouTube Ads to identify their target demographic of cryptocurrency enthusiasts and get their ads in front of thousands of viewers. Many new cryptocurrency investors look to YouTube channels for news and guidance, so it’s an ideal channel for promoting a fake coin.”
The ads have been running since the end of May, according to the analysis. Each of them is around three to five minutes long, and all follow the same format: There’s a fake tweet at the top from SpaceX and Tesla founder Musk that claims he’s launching his own cryptocurrency, called $SpaceX.
The ad goes on to say that “Elon Musk is launching his own cryptocurrency, $SpaceX,” in a bid to purportedly “take everyone to Mars and make human life possible there.” To sweeten the pot, the ads then note that for each transaction involving the $SpaceX coin, a donation will be made “towards space-research companies” in order to “help Elon’s mission.”
The YouTube ad for $SpaceX cryptocurrency.
Meanwhile, an embedded video plays featuring various random clips of Musk interviews, including one for the Computer History Museum and KQED’s “Revolutionaries” from 2013.
If someone is duped into following up on the promises of the ads, the next part of the campaign begins, by asking victims to visit one of at least a dozen purpose-built $SpaceX coin sites.
“The YouTube ads themselves do not contain a direct link to a website. Instead, they advertise the website in another section of the template,” explained Narang.
The websites include URLs like “buyspacex.com,” “missionspx.com” and “muskspx.com,” among many others.
The ad space was purchased legitimately from YouTube, and Tenable said that it reached out to the platform about the situation, but it hasn’t yet had a response.
Tenable’s research uncovered that the websites include step-by-step directions on installing the browser-based cryptocurrency wallet called MetaMask on their computers. The version of MetaMask being pushed is the legitimate application/browser extension, used by millions of coin enthusiasts, and it’s unlikely to raise red flags with victims, according to the analysis.
The next step is to direct victims to use a custom Uniswap link that allows them to import a $SpaceX coin. Uniswap is a decentralized exchange (DEX) in the world of decentralized finance (DeFi) protocols, Narang explained.
“As a DeFi protocol, Uniswap allows cryptocurrency holders to exchange (or swap) tokens on the platform without a centralized entity being involved, hence the decentralized nature,” he said. “Uniswap [also] allows individuals to create their own tokens to be tradeable on the platform.” He added, “At the same time, the lack of a central authority is one of the reasons why these scams are able to operate successfully.”
Although $SpaceX coins don’t actually exist as real currency, Uniswap doesn’t block the transaction, Tenable found. It does, however, surface a warning that the supposed $SpaceX currency “doesn’t appear on the active token list(s)” and tells the user to make sure that “this is the token that you want to trade.”
Once imported, the user is presented with several screenshots showing how they can cash out their Ethereum tokens for more $SpaceX coins, and how they can view their stash in the MetaMask wallet.
“Conventional cryptocurrency scams ask users to send cryptocurrency to a specific address in order to ‘double’ their money, which never happens,” Narang explained. “However, this scam is actually quite nefarious. It creates a sense of legitimacy through the use of a notable DEX platform like Uniswap, an actual token smart contract, and the visual confirmation of tokens appearing within a user’s MetaMask wallet.”
The campaigns are proving successful because instead of out-and-out stealing any money that people pay into the scam, the crooks deliver fake coins into unwitting victims’ accounts to give them a false sense of legitimacy. They’ve also been adding liquidity to the mix and performing a classic scam move called a “rug pull,” Tenable found.
It works like this: In order to list and facilitate the trading of any coin on Uniswap, there must be liquidity, or financial backing, to the exchange. As people buy into the “contract,” or trading deal, more money and liquidity hits the system and it becomes self-sustaining. That is, until the scammers decide to cash out, i.e., “pull the rug,” taking the funding provided by the dupes with them and leaving the $SpaceX coins worthless.
“The only address capable of moving funds out of the contract is the creator. So even if the scammers don’t pull the rug right away, current $SpaceX coin holders are unable to get their funds back anyway,” Narang explained.
He added, “The scammers have provided a total liquidity of 60 Ethereum coins (20 for each contract) at a combined value of $146,300.44 at the time of funding.” That makes for a tidy little profit, given the volume of other “investments” made by victims.
The scammers are also artificially manipulating the price of individual $SpaceX coins by creating coins and then sending them out of circulation by storing them in wallets on popular exchanges like Vb, Binance and Huobi, Narang said.
“Since these fraudulent $SpaceX coins aren’t listed on any of these exchanges, the coins sent to these wallets cannot be returned and are lost forever, effectively burning them from the supply,” he explained. “My understanding is that through burning these coins, the scammers are reducing the supply of available coins, thus driving up the perceived price of the $SpaceX coin.”
In all, Tenable found that when the fake $SpaceX contracts were created, the scammers minted 1 billion coins in each contract and added liquidity to the contract for 200 million of them. Then they “burned” the remaining 800 million.
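To see why coins that look valuable in a wallet end up worthless, here is a small model using the per-contract figures above; it is an added example, not code from Tenable or Uniswap. It assumes a two-reserve constant-product pool with a 0.3% swap fee (the article does not say which pricing model the pools used), and the buy amounts are constructed.

```python
from fractions import Fraction

MINTED = 1_000_000_000     # coins minted per contract (article figure)
POOLED = 200_000_000       # coins paired with liquidity (article figure)
SEED_ETH = 20              # ETH of liquidity per contract (article figure)
FEE = Fraction(997, 1000)  # assumption: 0.3% swap fee, constant-product pool

class Pool:
    """Two-reserve constant-product pool (assumed pricing model)."""
    def __init__(self, eth, coins):
        self.eth, self.coins = Fraction(eth), Fraction(coins)

    def price(self):
        """Spot price in ETH per coin; zero once there is no liquidity."""
        return self.eth / self.coins if self.coins else Fraction(0)

    def buy(self, eth_in):
        """Swap ETH for coins; returns the coins paid out."""
        effective = Fraction(eth_in) * FEE
        out = self.coins * effective / (self.eth + effective)
        self.eth += Fraction(eth_in)
        self.coins -= out
        return out

    def remove_all_liquidity(self):
        """The sole liquidity provider withdraws both reserves."""
        eth, self.eth, self.coins = self.eth, Fraction(0), Fraction(0)
        return eth

def simulate(buys_eth):
    """Run constructed buys, then the liquidity withdrawal."""
    pool = Pool(SEED_ETH, POOLED)
    start = pool.price()
    bought = sum(pool.buy(b) for b in buys_eth)
    peak = pool.price()
    withdrawn = pool.remove_all_liquidity()
    return {
        "coins_bought": bought,
        "share_of_minted": bought / MINTED,
        "price_multiple": peak / start,
        "paper_value_eth": bought * peak,
        "eth_paid_by_buyers": sum(buys_eth),
        "eth_withdrawn": withdrawn,
        "value_after_pull": bought * pool.price(),
    }

if __name__ == "__main__":
    for k, v in simulate([1] * 10).items():  # ten constructed 1-ETH buys
        print(f"{k}: {float(v):.6g}")
```

Under these assumptions the buyers' holdings show a paper value above what they paid right up to the withdrawal, which is why a rising balance in a wallet is not evidence that a coin is legitimate.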
While the campaign is intensely savvy in its legitimate-seeming details, there are a few tell-tale signs that all is not what it seems. For one, the original ads are hosted on compromised YouTube accounts.
“When they appear, the name of the user associated with the advertisement is visible,” Narang explained. “When browsing the user’s profile…many of the accounts I encountered were created between 10-12 years ago. In [one] instance, there are no other videos associated with the account, except for the one used in the scam advertisement, but that may vary. It is likely these are dormant YouTube accounts, which scammers were able to compromise to promote their dodgy advertisements.”
Secondly, it’s important to heed warning signs when using a DEX. DEXes operate autonomously and, unlike a centralized, traditional bank, provide no recourse for fraudulent transactions, but they do offer warnings, such as the one that Uniswap displayed about the scam token not appearing on active token lists.
DEX entities also add banners when there’s an unknown source for a new contract, which users should see as a red flag before importing the token contract and swapping it for their cryptocurrency.
“This is one of the first times we’ve seen scammers pivot away from the conventional cryptocurrency scams of promising to double cryptocurrency and offering up a fake coin through DeFi platforms,” wrote Narang. “DeFi scams aren’t new, but seeing the adoption of them within the context of Elon-Musk-related cryptocurrency fraud is new and unique.”
And finally, the ad template is a bit amateurish and doesn’t seem like a product that would be put out by Musk & Co. Also, the use of the Tesla logo is entirely out of place, Narang pointed out.
The main way to avoid scams like this is to research, research, research, Narang advised.
Look for the aforementioned red flags, of course. But also, enthusiasts should be wary of fake coins for real projects: “While there is no such thing as a $SpaceX coin…there is a low barrier to entry to create a token contract on the Ethereum network using the same name as a real project.”
Thus, it’s important to look for official announcements from the creators of these projects – for instance, independently verify that Elon Musk is, in fact, launching such a coin by looking for official press releases and news coverage.
“They will typically share details about the release of a token contract as well as what the verified contract address is prior to deployment,” Narang said.
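The checks described above (the token-list warning, same-name tokens, and the verified contract address) can be combined before importing a token. This is an added example, not code from Tenable, Uniswap or MetaMask; the token list, tickers and every address in it are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data: the parsed form of a token-list JSON file with the
# fields reduced. None of these addresses is a real contract.
LISTED = "0xabcdef0123456789abcdef0123456789abcdef01"
TOKEN_LIST = {
    "name": "Constructed Sample List",
    "tokens": [
        {"chainId": 1, "symbol": "REALX", "name": "Real Project",
         "address": LISTED},
        {"chainId": 1, "symbol": "OTHER", "name": "Other Token",
         "address": "0x" + "2" * 40},
    ],
}

HEX = set("0123456789abcdef")

def norm(address):
    """Lower-case a 20-byte hex address so comparisons ignore letter casing."""
    a = address.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"malformed address: {address!r}")
    return a

def assess(address, symbol, token_list, announced=None, chain_id=1):
    """Return red flags for a token a site asks the user to import.

    announced: contract address published by the real project, if any.
    """
    addr = norm(address)
    sym = symbol.lstrip("$").upper()
    entries = [t for t in token_list["tokens"] if t["chainId"] == chain_id]
    flags = []
    if all(norm(t["address"]) != addr for t in entries):
        flags.append("not-on-token-list")
    # Same ticker as a listed token but a different contract: a look-alike.
    if any(t["symbol"].upper() == sym and norm(t["address"]) != addr
           for t in entries):
        flags.append("symbol-matches-listed-token-at-other-address")
    if announced is None:
        flags.append("no-announced-contract-address")
    elif norm(announced) != addr:
        flags.append("differs-from-announced-address")
    return flags

if __name__ == "__main__":
    # A token with no listing and no official announcement behind it.
    print(assess("0x" + "9" * 40, "$SpaceX", TOKEN_LIST))
```

An empty result only means none of these three flags fired; it does not vouch for the token.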
Also, it’s important to keep in mind that reviews can easily be faked.
“Etherscan, one of the most popular blockchain explorers for the Ethereum network, is often where cryptocurrency enthusiasts go to obtain information, such as activity related to various Ethereum-based projects,” Narang said. “In the case of the fraudulent $SpaceX contracts, scammers have seeded the comments section of these pages with fake social proof. The intention behind flooding these pages with fake social proof is to ensure that any comments calling out the fraudulent nature of the $SpaceX coins get lost in the noise.”
In general, it’s easy to get caught up in the hype of it all, Narang warned, and crooks know this – thus, cryptocurrency scams abound out there (even Steven Seagal was suckered into participating). So if there’s any doubt at all about the legitimacy of a coin or project, it’s probably wise to just sit it out.