Anatomy of an exchange impersonation scam
Despite its size, crypto is still a young industry. We are becoming more professional, more regulated, and more institutionalized each day, but in some areas it is still early days.
One example of this is the exchange listing process, which is somewhat opaque to projects.
An exchange can decide to list a token without any contact with the project, but may reach out for some information to complete due diligence first. They may also ask for help if your project requires more complex integration than usual and they would like engineering support.
The same information a real exchange may collect during diligence can also be abused, e.g. for spear-phishing attempts, impersonation, collecting information on security measures, and more.
The goal is almost always the same: to steal from a project, its supporters, or its staff.
Today we’re going to dissect one of these impersonation scam attempts in detail.
As a fairly well-known project, HUMAN has seen hundreds of these attempts over the years. Since we have a large number of security experts on the team we are extremely rigorous in our internal and external interactions, processes, and controls, and fortunately these have been successful in preventing any issues to date.
For example, no project staff member, advisor, or ambassador is allowed to communicate with any other person working on the project except through pre-approved, cryptographically secured, two-factor-authenticated channels. In other words, no Telegram and no emails.
Similarly, any business communication with or from an outside entity is also validated in multiple ways. All HUMAN staff are trained never to trust an initial cold contact. They will always reach back out to the organization separately to confirm authenticity, and the initial message will be cross-checked by our security team.
All outreach must also be authorized by multiple people before engaging with a contact. This will be done after confirmation of validity over a completely different channel, whether via personal contacts at the organization, or via that organization’s public contact methods if personal contacts are not available.
Live group video rather than text will almost always be used. Asynchronous communication is convenient, but there is no substitute for real-time video and voice validation of the people you believe you are speaking with, and multi-factor cryptographic authentication for any kind of important approvals.
Deepfakes will eventually require further changes to these processes, but at this time they are generally not able to run real-time in a convincing way, and most of us do not make enough training data available to attackers (e.g. video interviews) to create a good deepfake.
We are certainly not alone in being targeted, and while our security measures are probably more extreme than those of other projects, there is no reason why others should not adopt the same kinds of countermeasures. We suspect many have, and thus scammers are trying to adapt.
Historically, scammers have used fake Telegram accounts posing as well-known employees of the companies they wanted to impersonate.
This has become harder as the ecosystem has become more mature, and today they often attempt to look like mid-level employees to avoid suspicion and make it harder to validate.
Recently we have seen more attempts to use channels like LinkedIn, and initial approaches to advisors or vendors rather than core team members in order to attempt to boost credibility via the referral.
As a suggestion to other projects: in your security training, do not neglect informal advisors, vendors, or anyone else a web search could imply has some relationship with you. Staff are not the only ones targeted in these kinds of scams.
The impersonator used a unique and non-stock image, based on reverse image search. Whether this image was a deepfake is left as an exercise for the reader.
We have also seen more sophisticated email impersonation attempts lately, as scammers have likely realized that most projects now require multi-channel communication.
For example, the same scammer who sent the LinkedIn message above then went on to send an email that looks plausible at first glance:
However, our staff are trained to validate all emails in several ways.
If you happen to use Gmail or Google Apps, you can check this easily via ‘Show original’:
You will then see something like this:
Here we see that a real domain is used, but both the DMARC and SPF email authentication checks failed. Google really should have sent this email to spam or flagged it as a phishing attack on that basis alone.
This already tells us the email is almost certainly fake before looking any further.
Digging in, we gain some additional information:
Notice the Reply-To? In case you missed it:
ṭ (LATIN SMALL LETTER T WITH DOT BELOW, U+1E6D) instead of ASCII “t” in “upbit”.
This domain doesn’t actually exist:
So our theory is that the impersonator was willing to risk an email bounce in the event the recipient replied.
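As an added example (not code from the original post), the following Python applies the same checks described above to a constructed message: it reads the SPF and DMARC verdicts from the Authentication-Results header, compares the Reply-To domain with the From domain, and names any non-ASCII code points in the Reply-To domain. The header text, IP address and `.example` domains are constructed placeholders modelled on the post's description, not the real message.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers discussed in the post.
# Domains and IP are placeholders; the Reply-To uses U+1E6D in place of "t".
RAW_EMAIL = """\
Authentication-Results: mx.example.net;
       dkim=none;
       spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=listing@upbit.example;
       dmarc=fail (p=REJECT) header.from=upbit.example
From: "Listing Team" <listing@upbit.example>
Reply-To: listing@up\u1e6dit.example
To: team@project.example
Subject: Listing due diligence

Please fill in the attached form.
"""

def auth_results(msg):
    """Return {method: verdict} parsed from the Authentication-Results header."""
    results = {}
    # The first ";"-separated field is the authserv-id, the rest are method=result clauses.
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:
        method, sep, rest = clause.strip().partition("=")
        if sep:
            results[method.strip()] = rest.strip().split(" ", 1)[0]
    return results

def suspicious_chars(domain):
    """Non-ASCII code points in a domain, with their Unicode names."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for c in domain if ord(c) > 127]

def analyse(raw):
    """List the red flags a reviewer would raise for this message."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    for method in ("spf", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} result: {auth.get(method, 'absent')}")
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    for _, cp, name in suspicious_chars(reply_dom):
        findings.append(f"non-ASCII {cp} ({name}) in Reply-To domain")
    return findings

if __name__ == "__main__":
    for line in analyse(RAW_EMAIL):
        print(line)
```

On the constructed sample this reports the two failed authentication verdicts, the Reply-To/From domain mismatch, and the U+1E6D homoglyph by name.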
In case you’re curious, the email linked to a Google Form that attempted to extract personal information, presumably in order to pivot into attempted thefts using those details for validation:
Historically, many people have been skeptical about the value of reporting online crimes and attempted crimes like the one described here.
However, we have recently seen increased investigation and prosecution, even in countries like India that have historically been less active in cybercrime prevention.
We recommend you do your own initial forensic analysis, have your legal team reach out to all services identified to notify them to preserve data and to share whatever they are willing, alert the impersonated parties (e.g. Upbit in this case) so that they can warn others, and then begin formal proceedings in relevant jurisdictions.
In this case the perpetrator of the attempted scam left many clues without realizing it, allowing us to tie them to other activity online and similar scam attempts across the crypto community.
Handing the authorities a complete data package means they are more likely to conclude their work successfully, even if it takes a little bit of time for the wheels of justice to grind.
Finally, you should build case studies like these, share them with your colleagues and friends, and include them in your security training.
We hope this look at a modern impersonation phishing attempt and some of the tradecraft used by slightly more sophisticated actors was informative.
If you work at an organisation that is frequently targeted, we strongly recommend following the best practices we have outlined above.
Thank you for reading, and stay safe online and offline!
– The HUMAN Protocol security + tech ops teams