Unravelling a Cryptocurrency Scam

A couple of months ago I received a message request on Twitter of the kind I imagine many people receive every so often. A user was congratulating me on winning a giveaway of BTC that I didn’t even have to enter! Imagine my luck. A bit of background digging showed that this robexcoin.com exchange “gives away” a decent chunk of BTC when you sign up, once you’ve deposited the minimum 0.015 BTC first, which you later can’t withdraw. Regardless, despite not fooling me, I was curious to see where this went.

The Target

I had heavy doubts that the user in question had used a name related to them at all, but I decided to throw that in along with the domain to see what we could pull out. I have to say, I was surprised by how much SpiderFoot was able to find from very little input.

I wasn’t 100% sure what to expect, but I was hoping to see a few chinks in the armour of this campaign and determine who was really behind it all. Ultimately it doesn’t seem like there was much armour to begin with, more of a thin facade. The website itself is modern, gives a decent appearance of belonging to a legitimate organization, and appears relatively intuitive to use. Fortunately, you don’t have to look far to see that it isn’t what it seems.

The site itself claims it’s registered in the US as Robexcoin.com Finance LLP, but of course no such company exists. The scam doesn’t appear to put much effort into this level of trickery; the heavy lifting is done by the sleek interface and the various professional-looking pages such as policies and terms of use, no doubt lifted from other sites. To dig deeper, we’ll need to look at what SpiderFoot HX has found.

Scan Results

The site’s domain and IP information has been blacklisted and flagged by numerous sources including the Honey Pot Project, and it’s plain to see why:

Quite a number of sites on the same IP appear to be various forms of scams, phishing sites and other malicious setups, all sadly sitting behind well-known infrastructure: Cloudflare. It has become increasingly common to see malicious websites hosted on popular infrastructure, which unfortunately lends them an added level of credibility and makes AV, browser protection and search engines work a lot harder to block them for the end user. The domain is registered via publicdomainregistry.com/PDR Ltd., and has some rather odd and unique address and identity information associated with it, so let’s get into that below.

Removing the Mask

I was quite interested in determining identity here and attributing this scam to a specific place, person or group, so that it might be correlated with other similar scams. Based on the initial data, the WHOIS data found by SpiderFoot HX is relatively unique, and the same details turn up in another site’s WHOIS data:

Droxcoin.com looks to be a similar type of scam, and we can treat the two as related since their domains share the same email, address and country of origin. Typically we’d expect to see known infrastructure in the usual countries (e.g. Germany, US, UK), but interestingly the address specified is in the Karas region of Namibia, in southern Africa. There is even a Namibian number (+264) found along with the address, and a protonmail email address.
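The pivot used above (the same registrant email, phone or address showing up on more than one domain) can be automated over a set of WHOIS records. This is an added example, not code from the original post or from SpiderFoot; every domain name, contact value and date in it is a constructed placeholder, and the "domain is only a month old" check from later in the post is included as a second function.

```python
"""Group domains by shared WHOIS registrant fields, as the post did by hand.
Added example, not from the original post or from SpiderFoot; every value
below is a constructed placeholder, not the real WHOIS of any domain."""
from collections import defaultdict
from datetime import date

# Constructed sample records. Hosting IP is deliberately not a pivot: shared
# CDN/hosting IPs (Cloudflare in the post) lump unrelated sites together.
RECORDS = [
    {"domain": "exchange-a.example", "email": "reg@mail.invalid",
     "phone": "+264 00 000001", "address": "ADDR-STRING-1", "created": "2021-02-01"},
    {"domain": "exchange-b.example", "email": "REG@mail.invalid",
     "phone": "+264 00 000002", "address": "addr-string-1", "created": "2021-03-10"},
    {"domain": "exchange-c.example", "email": "other@mail.invalid",
     "phone": "+264 00 000002", "address": "ADDR-STRING-2", "created": "2018-05-20"},
    {"domain": "shop-d.example", "email": "owner@mail.invalid",
     "phone": "+61 0 000000", "address": "ADDR-STRING-3", "created": "2016-07-01"},
]
PIVOT_FIELDS = ("email", "phone", "address")


def cluster_domains(records, fields=PIVOT_FIELDS):
    """Union-find: domains join one cluster when any pivot field matches."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    first_seen = {}  # (field, normalised value) -> first domain using it
    for r in records:
        for f in fields:
            value = (r.get(f) or "").strip().lower()  # case/whitespace-insensitive
            if not value:
                continue
            if (f, value) in first_seen:
                parent[find(r["domain"])] = find(first_seen[(f, value)])
            else:
                first_seen[(f, value)] = r["domain"]
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def young_domains(records, today_iso, max_age_days=60):
    """Domains registered under max_age_days before today_iso (a month-old domain was a red flag in the post)."""
    today = date.fromisoformat(today_iso)
    return sorted(r["domain"] for r in records
                  if (today - date.fromisoformat(r["created"])).days < max_age_days)
```

On the sample data, exchange-a, exchange-b and exchange-c end up in one cluster (a and b share an email, b and c share a phone number) while shop-d stays on its own.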

The address is an odd string, which makes it unique for correlation but difficult to associate with a specific location. I did however find the street, and, well, I don’t think it inspires much confidence in this crypto exchange:

Droxcoin.com operates at a similar level of ‘legitimacy’ as Robexcoin.com, instead opting to claim that it began in 2017 and is based in Sydney, Australia.

As an Australian myself, I know that company information here is well documented and easy to get: each company must have an ABN or ACN (Australian Business/Company Number), and these are often shown on their site, or the company can be looked up directly by name on the Australian Business Register. Companies based in Australia have to relate their domain names and online presence directly with their business operations, so the company should share the same name as the site. This, of course, isn’t the case:

If this wasn’t already a pretty good indicator that this isn’t a legitimate operation, their ‘About Us’ blurb is ripped from another site. See the beginning of theirs:

And from another site:

For what it’s worth, I found the same blurb on a dozen other sites via Google, so the site above is likely a similar operation, given its domain is only a month old (per VirusTotal). The rabbit hole just gets deeper and deeper. It’s difficult to keep up given the lack of regulation and validity in the crypto industry, isn’t it?

As suspected, it seems “Vincent Owens” is very likely just a fake name used for the Twitter side of the scam. Some interesting detections show the name via OnionScan, but it’s far too generic to attribute those detections to the same scam campaign. SpiderFoot offers other API modules that might dig deeper into this name, but in this case they would generate far too many false positives with such a common name.

How to Spot the Fraud

These types of scams are becoming more widespread and pervasive as the world of cryptocurrency steams ahead despite continuing volatility. It’s important to be able to spot and avoid them if you’re in this world or hold cryptocurrency yourself. One thing that’s easy to do when you aren’t sure, or aren’t able to use the tools I’ve used above, is to see what other real people are saying about the site. In this case, there are scam review sites out there that give some indication of its true nature (including the fact that you must deposit money before you can withdraw or use the platform), but social media is also a surprisingly useful tool:

Twitter attempts to filter the message I received, but it isn’t always successful. Either way, this should be a big clue to the true nature of the site; however, you may receive messages like this in other ways, or stumble across the site on the web. In cases like this, come back to the above: see what people think or what reputable sites have to say. If you can’t find anything, it’s not worth the risk. Keeping your cryptocurrency on a hardware key is the safest way to store it, especially given the lack of accountability many cryptocurrency exchanges have.

To quote the common adage in the crypto world: “Not your keys, not your coins”.
