A cybercrime group known as CryptoCore has orchestrated a sophisticated social media scam campaign, resulting in the theft of over $5.4 million worth of cryptocurrency assets. The group has employed a range of advanced techniques, including deepfake videos, hacked social media accounts, and professionally designed fake websites, to deceive users and drain their crypto wallets.
The group begins by hijacking social media accounts with large followings, which they then use to flood online platforms with comments, posts, and videos that appear to be from legitimate sources. These accounts often belong to well-known brands or personalities, adding a veneer of authenticity to their scams.
In a recent series of campaigns, CryptoCore exploited events such as Donald Trump’s presidential nomination, multiple SpaceX flights, and Apple's annual developer conference to attract victims.
The most common tactic involves convincing potential victims that these posts are official communications from trusted brands or famous individuals. The fraudulent communications direct users to fake websites that closely mimic legitimate ones, complete with "technical support" chat options and fabricated transaction systems, making the scam appear even more credible.
The group capitalizes on the public’s interest in these events, using them as a pretext to promote fake cryptocurrency investment opportunities. Victims are lured in by promises of quick and easy profits, often through limited-time "giveaway" offers that urge immediate action to avoid missing out.
The scammers prepare their deepfake content and fake websites well in advance, waiting for the right moment to conduct the attack. On the day of a major event, they modify the hijacked social media accounts to align with the theme of the event and flood the internet with their fraudulent content. This strategic timing ensures that their scams reach a large audience, as the hijacked accounts, with their significant followings, tend to dominate search results.
CryptoCore uses a variety of sophisticated tools and techniques to carry out their scams. The group reportedly employs a framework known as CryptoProject, which is available on hacker forums, to create landing pages and purchase services such as deepfake creation and account hijacking. Their campaigns often feature themes related to high-profile companies like SpaceX, MicroStrategy, and Tesla, with cryptocurrencies like Ethereum and Bitcoin being the primary targets.
To avoid detection, CryptoCore uses obfuscated JavaScript, manipulates cookies, and leverages Cloudflare protection. They also regularly change their tactics to exploit loopholes in automated anti-corruption systems.
An analysis of CryptoCore's activities over a six-month period revealed 1,200 crypto wallets linked to the group, with the most frequently used currencies being Ethereum, Bitcoin, Tether, and Dogecoin. These wallets had a turnover of around $5.4 million, Avast researchers said.
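A triage heuristic for the lure pattern described above (event or brand theme, giveaway urgency, a cryptocurrency ask, and a link to a brand-lookalike site), as an added example that is not taken from the researchers' analysis or the original article. The official domains, keyword lists, score threshold, and sample posts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Themes and currencies are the ones the article names; the official
# domains, keyword lists and threshold are assumptions for illustration.
BRANDS = {"spacex": "spacex.com", "tesla": "tesla.com",
          "microstrategy": "microstrategy.com"}
CURRENCY = re.compile(r"\b(bitcoin|btc|ethereum|eth|tether|usdt|dogecoin|doge)\b", re.I)
URGENCY = re.compile(r"\b(giveaway|limited[- ]time|hurry|act now|ends (soon|today))\b", re.I)
URL = re.compile(r"https?://[^\s)>\"']+", re.I)

def registrable(host):
    """Crude last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def lookalike_hosts(text, brand, official):
    """Hosts that carry the brand name but are not on the brand's official domain."""
    hits = []
    for url in URL.findall(text):
        host = (urlparse(url.rstrip(".,")).hostname or "").rstrip(".")
        if brand in host.replace("-", "") and registrable(host) != official:
            hits.append(host)
    return hits

def triage(post):
    """Return (score 0-4, reasons): one point per distinct signal kind."""
    reasons = []
    for brand, official in BRANDS.items():
        if brand in post.lower():
            reasons.append(f"theme:{brand}")
            reasons += [f"lookalike:{h}" for h in lookalike_hosts(post, brand, official)]
    if CURRENCY.search(post):
        reasons.append("currency")
    if URGENCY.search(post):
        reasons.append("urgency")
    return len({r.split(":")[0] for r in reasons}), reasons

# Constructed sample posts (not real campaign data).
SAMPLES = [
    "SpaceX launch GIVEAWAY! Send 0.5 ETH, get 1 ETH back. Limited time: https://spacex-x2.example/claim",
    "Watching the SpaceX launch stream at https://www.spacex.com/launches right now",
    "Thoughts on Tesla earnings this quarter?",
]

def flagged(posts, threshold=3):
    """Posts whose score meets the (assumed) review threshold."""
    return [p for p in posts if triage(p)[0] >= threshold]

if __name__ == "__main__":
    for p in SAMPLES:
        print(triage(p))
```

Keyword scoring like this is only a first-pass filter for human review; since the group changes tactics regularly, the lists need ongoing maintenance.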