We use cookies to enhance your browsing experience and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.. View our Privacy Policy for more information.
Your browser (Internet Explorer) is out of date. Please download one of these up-to-date, free and excellent browsers:
For more security speed and comfort.
The download is safe from the vendor's official website.


Anatomy of an exchange impersonation scam

HUMAN Protocol
Apr 12, 2022

Anatomy of an exchange impersonation scam

2 min read

Despite its size, crypto is still a young industry. We are becoming more professional, more regulated, and more institutionalized each day, but in some areas it is still early days.

One example of this is the exchange listing process, which is somewhat opaque to projects.

An exchange can decide to list a token without any contact with the project, but may reach out for some information to complete due diligence first. They may also ask for help if your project requires more complex integration than usual and they would like engineering support.

The same information a real exchange may collect during diligence can also be abused, e.g. for spear-phishing attempts, impersonation, collecting information on security measures, and more.

The goal is almost always the same: to steal from a project, its supporters, or its staff.

Today we’re going to dissect one of these impersonation scam attempts in detail.

Background: good security hygiene is critical

As a fairly well-known project, HUMAN has seen hundreds of these attempts over the years. Since we have a large number of security experts on the team we are extremely rigorous in our internal and external interactions, processes, and controls, and fortunately these have been successful in preventing any issues to date.

For example, no project staff member, advisor, or ambassador is allowed to communicate with any other person working on the project except through pre-approved, cryptographically secured, two factor authenticated channels. In other words, no Telegram and no emails.

Similarly, any business communication with or from an outside entity is also validated in multiple ways. All HUMAN staff are trained never to trust an initial cold contact. They will always reach back out to the organization separately to confirm authenticity, and the initial message will be cross-checked by our security team.

All outreach must also be authorized by multiple people before engaging with a contact. This will be done after confirmation of validity over a completely different channel, whether via personal contacts at the organization, or via that organization’s public contact methods if personal contacts are not available.

Live group video rather than text will almost always be used. Asynchronous communication is convenient, but there is no substitute for real-time video and voice validation of the people you believe you are speaking with, and multi-factor cryptographic authentication for any kind of important approvals.

Deepfakes will eventually require further changes to these processes, but at this time they are generally not able to run real-time in a convincing way, and most of us do not make enough training data available to attackers (e.g. video interviews) to create a good deepfake.

We are certainly not alone in being targeted, and while our security measures are probably more extreme than other projects, there is no reason why others should not adopt the same kinds of countermeasures. We suspect many have, and thus scammers are trying to adapt.

What a modern impersonation scam looks like

Historically, scammers have used fake Telegram accounts impersonating well-known employees of companies they wanted to impersonate.

This has become harder as the ecosystem has become more mature, and today they often attempt to look like mid-level employees to avoid suspicion and make it harder to validate.

Recently we have seen more attempts to use channels like LinkedIn, and initial approaches to advisors or vendors rather than core team members in order to attempt to boost credibility via the referral.

As a suggestion to other projects, do not neglect informal advisors, vendors, or anyone else a web search could imply has some relationship with you in your security training. Staff are not the only ones targeted in these kinds of scams.

Example LinkedIn impersonation message

The impersonator used a unique and non-stock image, based on reverse image search.  Whether this image was a deepfake is left as an exercise for the reader.

More sophisticated email impersonation attempts

We have also seen more sophisticated email impersonation attempts lately, as scammers have likely realized that most projects now require multi-channel communication.

For example, the same scammer who sent the LinkedIn message above then went on to send an email that looks plausible at first glance:

However, our staff are trained to validate all emails in several ways.

First, is the domain correct and did it pass SPF and DMARC? 

If you happen to use Gmail or Google Apps, you can check this easily via ‘Show original’:

You will then see something like this:

Here we see a real domain is used but both DMARC and SPF email authentication methods failed. Google really should have sent this email to spam or flagged it as a phishing attack on that basis alone.

This already tells us the email is almost certainly fake before looking any further.

Second, does the reply-to address match the sender email and domain?

Digging in, we gain some additional information:

Notice the Reply-To? In case you missed it:

ṭ (latin small letter t with dot below, U+1E6D) instead of ascii “t” in upbit.

This domain doesn’t actually exist:

So our theory is the impersonator was willing to risk an email bounce in the event the recipient replied.

The fake form

In case you’re curious, the email linked to a Google Form that attempted to extract personal information, presumably in order to pivot into attempted thefts using those details for validation:

What to do after detection

Historically, many people have been skeptical about the value of reporting online crimes and attempted crimes like the one described here.

However, we have recently seen increased investigation and prosecution, even in countries like India that have historically been less active in cybercrime prevention.

We recommend you do your own initial forensic analysis, have your legal team reach out to all services identified to notify them to preserve data and to share whatever they are willing, alert the impersonated parties (e.g. Upbit in this case) so that they can warn others, and then begin formal proceedings in relevant jurisdictions.

In this case the perpetrator of the attempted scam left many clues without realizing it, allowing us to tie them to other activity online and similar scam attempts across the crypto community.

Handing the authorities a complete data package means they are more likely to conclude their work successfully, even if it takes a little bit of time for the wheels of justice to grind.

Finally, you should build case studies like these, share them with your colleagues and friends, and include them in your security training.

Thanks for reading!

We hope this look at a modern impersonation phishing attempt and some of the tradecraft used by slightly more sophisticated actors was informative.

If you work at an organisation that is frequently targeted, we strongly recommend following the best practices we have outlined above.

  • Train your staff and anyone else associated with your organisation, even informally, to run standard validation procedures like the ones described in this document.

  • Ensure you have multiple people cross-validate the contact and comms channel before supplying any personal or organisation information. Every time, no exceptions.

  • And remember, if anything seems too easy or too good to be true then something’s likely wrong.

Thank you for reading, and stay safe online and offline!

  – The HUMAN Protocol security + tech ops teams

No items found.
Guest post