updated 5/3/2022: Updated ‘Name Spoofing’ section examples and tips
After replying to or quote-tweeting a popular Twitter account, you get a reply from someone impersonating them asking you to send a DM. If you do, there will usually be a short exchange about whether you invest in crypto, and if so, what projects and how much. This is followed by a claim that they can make you some quick money, and directions to join an exchange or investment site. These sites are honeypots - you can deposit crypto into them, but cannot take funds out. If you do make a deposit, the scammer will sometimes try to press for you to send additional funds to cover supposed trading fees or taxes.
Shortly after responding to a popular account you follow, you get a reply seemingly from the that account asking you to DM them. Most popular accounts often say they will never DM you first, so on the surface this may seem reasonable. Of course, if you look carefully at the name and follower count of the person replying to you, more often than not you’ll see it’s an impersonator trying to get you into a private conversation.
This approach to launching a scam uses two common tactics: it borrows credibility from the popular account you were responding two, and it tries to make it seem as though you initiated the conversation by having you DM them first. Though the ultimate grift will change from person to person, they usually involve you creating an account and depositing crypto into some site they send you, similar to the ‘new exchange giveaway’ scams that are common on Discord. Here’s how one played out in my DMs earlier today.
After making some offhanded reply to @CryptoFinally on Twitter (a frequent target of impersonators), I received this:
Never wanting to pass up an opportunity to learn about the latest fraud trends first hand, I did as requested and sent them a DM:
She didn’t waste any time getting down to business, first asking about what I hold, then saying she has a few 20x gems she wants to pass along. The point of asking what I hold is simple: she wants to know if I have funds readily available to steal. If I said I didn’t, she’d have either moved on to someone else, or changed to a different scam that involved sending fiat. But, I had some crypto handy, and it’s hard to turn down a quick 20x, so I pressed on:
A project not being listed on Binance is reasonable enough - it takes a lot to be listed there, and most BSC projects never make it.
Now, I asked if the exchange was new as a sort of checksum on how honest or dishonest the scammer was willing to be with me. An ICANN lookup on the domain name will tell me exactly when it was registered:
In this case, it was made just over a week ago. Some scammers like this one go for quick hits - make contact with their mark, direct the to the fraudulent site, and move on - but others play a longer confidence game that will draw the conversation out over several days or weeks. In those cases, it can be useful to know if they are mixing in some truth with their lies. While I wanted for her answer, I went ahead and made an account on the exchange:
As usual, security is not an issue with sites like this, and my account was made right away!
Looking at the coin offerings, there were only about a dozen of the most popular tokens listed, so I was really curious to learn what these supposed 20x gems would be. Unfortunately, it wouldn’t be that easy:
Apparently, I would only find out what I was supposed to buy via email, once I deposited BTC or ETH into my account. Since I’m not willing to send even a dollar to a scammer to see how things would play out next, I respectfully ended the conversation by thanking them for the training materials, and went about my day.
There are some common tricks scammers will use to make their username look as close as possible to the one they’re impersonating:
You get the idea. If you’re looking quickly, and especially if you’re on a small mobile screen, it can be easy to mistake a spoofed name for a real one. Then there are the more insidious spoofs that use alt and Cyrillic characters as substitutes, which look identical to their real counterparts:
Full thread here.
Much like the I/l switching, there are no visual clues that something is off. So, how can you protect yourself if you receive a DM from an account that looks legit?
Any time you receive a reply or DM that looks like it’s from a popular account, always double check the @ name and follower count before engaging. On phone push notifications, you’ll only see the display name and PFP, both of which might be identical to the real account. If at any point you are directed to deposit funds into a new or unknown exchange (or other investment-related site), it’s most likely a honeypot, and the funds will be unrecoverable. So, you know, don’t do it.
Have a question, comment, tip, inside info, or anything else? Email KnowYourCrook@ProtonMail.com