As the old saying goes, people fear fame the way pigs fear getting fat. With the recent recovery of the cryptocurrency market, criminals who had been quiet for a while have come out to make trouble again, and this time their offensive is even fiercer: they not only analyze investor psychology but have also raised the technical sophistication of their fraud. A new wave of scams is coming. Can you avoid it?

Recently Bitcoin has had its own spring: the price rebounded strongly and reached $8,000. That is not all. According to a forecast by Canaccord Genuity, a Canadian investment bank and wealth management company, this Bitcoin bull run is not temporary, and the price will reach a new high within the next two years.

In a bull market it is not only the investors who tightened their belts to survive the crypto winter who are happy; criminals who have been quiet for a while are also eager to resume their old trade of Bitcoin crime. In the not-too-distant past, ICOs, fake cryptocurrency exchanges and Ponzi schemes were the usual tricks by which the big players (the "bankers") harvested retail investors (the "leeks"). Today these scams come with new twists: criminals have introduced malware to raise the technical level of the fraud. Below we use examples to analyze three new fraud methods.

Bitcoin scam via ransomware push

In late May 2019, security researchers noticed a ransomware campaign spreading on a large scale. The ransomware was disguised as an ordinary application, a "bitcoin collector", but under the disguise it was actually stealing personal information. The criminals promised that users could easily earn $15-30 worth of Bitcoin simply by running the software, with no strings attached.
In addition, the criminals promised a reward of 3 Ether (worth $735) to anyone who shared their personal invitation link and directed 1,000 new users to the site.

[Figure: home page of the scam website]

The lure of instant cryptocurrency rewards for little or no effort was hard to resist, so users took the bait. Clicking the Continue button led to a link to download the Bitcoin Collector app. To bolster the scam's credibility and dispel doubts, the download page linked to the malware analysis service VirusTotal as "proof" that Bitcoin Collector was clean. Of course, this fictitious security check was there only to deceive.

After the user clicks the download link, a ZIP archive is downloaded automatically. It unpacks many files, including a binary called BotCollector.exe, which the user is told to run in order to receive the Bitcoin reward. In fact this file is a Pandora's box: it launches an application called "Freebitco.in — Bot" and triggers the final malware.

In most cases what is triggered is a ransomware called Marozka Tear, which searches for personal files on the victim's computer and encrypts them with the .Crypted extension. It then leaves a ransom note telling the victim that further instructions on how to recover the data will be given only after the ransom is paid. This is exactly the same routine as the WannaCry ransomware that ravaged the world in 2017. Fortunately, this ransomware is built on the notorious open-source ransomware Hidden Tear, and the researcher Michael Gillespie has already published a way to decrypt it, which means victims do not need to pay the ransom to get their data back.

[Figure: the researcher's toolset that supports decrypting Hidden Tear variants]

Another group of victims is not so lucky. The Bitcoin collector may instead trigger Baldr, a piece of malware that steals the victim's information.
Once Baldr starts running, it connects to the criminals' C2 server and waits for instructions on what information to steal from the victim's host. Baldr is a very capable information stealer: it can take website login records and browser history from the victim's host, steal files of any format, and even take screenshots of the current screen. This Trojan-style attack is so powerful that the Marozka Tear ransomware is dwarfed by Baldr.

Using YouTube videos to spread Bitcoin scams

Another group of criminals, active on YouTube, targets users who want quick and easy cryptocurrency gains. In YouTube videos they promote software called Bitcoin Generator, which claims to let users earn Bitcoin easily. Unlike the pyramid scheme above, this scam relies mainly on YouTube videos to spread. In the videos, the criminals call Bitcoin Generator the best investment opportunity ever and provide a download link for the software. These claims are nothing more than a smokescreen: what users actually downloaded when they clicked the link was a Trojan called Qulab, the core of which was hosted on the encrypted cloud storage platform pCloud.

The Trojan link is buried in the video description:

[Figure: video description containing the download link]

Once the user clicks through, they are taken to the Setup.exe file:

[Figure: the Setup.exe download]

When the Qulab Trojan is activated, it performs a thorough scan of the host. Qulab is keen on stealing login credentials (account names and passwords) for websites and gaming platforms (such as Steam and the gaming voice-chat app Discord) on the victim's host. It also searches the FileZilla FTP client for the victim's saved authentication data, and steals browser cookies (browser session data) and cryptocurrency wallet information.
One of the most frightening features of the Qulab Trojan is that it can tamper with the Windows clipboard: it monitors what the victim copies to the clipboard and may silently alter it. You might think this is nothing to worry about, but the clipboard is an Achilles' heel for cryptocurrency users. Imagine that you need to initiate a cryptocurrency transaction. You probably will not type the recipient address by hand, since it is often 20 or 30 characters long with no pattern; people usually just copy it to save trouble. At that moment the Qulab Trojan notices that you are copying a cryptocurrency address and quietly replaces it with an address controlled by the criminals. If you do not check carefully, your transaction amounts to paying tuition to the criminals.

The shutdown of major coin mixing services makes life more difficult for criminals

Criminals are this brazen, so are governments doing nothing? No. Governments have launched precise strikes against the money-laundering stage that follows a successful scam. In May 2019, the Netherlands' Fiscal Information and Investigation Service (FIOD), working closely with Europol and the Luxembourg authorities, took down BestMixer.io, one of the world's largest Bitcoin mixing services. The operation's success owed much to a nearly year-long investigation by Dutch law enforcement in cooperation with McAfee.

We all know that cryptocurrencies such as Bitcoin are not truly anonymous; to be precise, they are only pseudonymous, so law enforcement can find criminals by tracing the flow of stolen cryptocurrency. As the Western proverb goes: the best place to hide a leaf is in a forest, and the best place to hide a drop of water is in the sea.
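Returning to the Qulab clipboard swap described in the previous section: the following is an added example (not from the original article) of the defender-side heuristic a clipboard monitor can apply. A clipper replaces a copied address with its own almost instantly, so the detector flags any case where a clipboard sample that looks like a cryptocurrency address is replaced by a different address of the same family within a short window. The observations, the address values and the window are all constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Loose patterns for the address families a clipper typically targets:
# Bitcoin Base58 (legacy/P2SH, no 0/O/I/l), Bitcoin bech32 (bc1...), Ethereum (0x + 40 hex).
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return which address family `text` looks like, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class Alert:
    time: float          # seconds, timestamp of the suspicious sample
    copied: str          # the address the user originally copied
    replaced_with: str   # the address that appeared on the clipboard right after
    kind: str            # address family involved


def detect_clipboard_swaps(observations, window=2.0):
    """observations: list of (timestamp_seconds, clipboard_text) as sampled by a monitor.
    Flags a sample when an address is replaced by a *different* address of the same family
    within `window` seconds. A later change is treated as the user copying a new address,
    so this is a heuristic: two quick legitimate copies would also trigger an alert."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in observations:
        kind = address_kind(text)
        if prev_text is not None and kind is not None:
            same_family = address_kind(prev_text) == kind
            changed = text.strip() != prev_text.strip()
            if same_family and changed and t - prev_t <= window:
                alerts.append(Alert(t, prev_text.strip(), text.strip(), kind))
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard samples: a swap 0.2 s after the user copies a Bitcoin address,
# followed much later by two unrelated Ethereum copies that should not alert.
SAMPLE_OBSERVATIONS = [
    (0.0, "meeting notes"),
    (1.0, "1USERADDRESSXXXXXXXXXXXXXXXXXXXXXX"),
    (1.2, "1ATTACKERADDRESSXXXXXXXXXXXXXXXXXX"),
    (30.0, "0x1234567890abcdef1234567890abcdef12345678"),
    (65.0, "0xdeadbeef000000000000000000000000000000000"),
]
```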
In the same spirit, criminals usually run their ill-gotten gains through mixing services, blending the transfers into a large number of cryptocurrency transactions to hide the source of the stolen funds and keep them out of regulators' view. BestMixer.io reportedly earned $200 million in revenue in the year after its launch in May 2018, and according to the law enforcement investigation a large portion of that was unidentified dirty money. In this anti-money-laundering operation, law enforcement seized a total of six servers used to provide the mixing service, cutting off a channel through which criminals laundered stolen funds. One can imagine that the criminals are now extremely anxious: their ill-gotten gains have become a hot potato, and they urgently need new mixing platforms to move the stolen money.

How to protect yourself from Bitcoin scams

The current state of Bitcoin fraud is very serious. I strongly recommend that investment institutions and ordinary users alike rigorously check the reputation of whatever they are investing in and read the details of the investment contract carefully to uncover potential risks before deciding on a trading strategy or joining any high-return blockchain investment. If possible, seek advice from professionals in the industry. For ordinary users, the various Bitcoin "generators" and "collectors" that promise instant returns usually have no real business model behind them, so they are very likely disguised ransomware or spyware. Businesses should avoid investing in Bitcoin projects that promise high profits and quick returns, as these are typical hallmarks of ICO exit scams and cryptocurrency MLMs. In short, when faced with temptation, remember that there is no such thing as a free lunch. High returns inevitably mean high risk.
If an investment in a certain cryptocurrency looks too good to be true, the best investment strategy is to stay away from it.

Author: David Balaban | Compiled by: Guoxi | Produced by: Blockchain Camp (blockchain_camp)