updated 5/3/2022: Updated ‘Name Spoofing’ section examples and tips

Bottom Line Up Front

After replying to or quote-tweeting a popular Twitter account, you get a reply from someone impersonating them asking you to send a DM. If you do, there will usually be a short exchange about whether you invest in crypto, and if so, what projects and how much. This is followed by a claim that they can make you some quick money, and directions to join an exchange or investment site. These sites are honeypots - you can deposit crypto into them, but cannot take funds out. If you do make a deposit, the scammer will sometimes try to press for you to send additional funds to cover supposed trading fees or taxes.


Shortly after responding to a popular account you follow, you get a reply seemingly from the that account asking you to DM them. Most popular accounts often say they will never DM you first, so on the surface this may seem reasonable. Of course, if you look carefully at the name and follower count of the person replying to you, more often than not you’ll see it’s an impersonator trying to get you into a private conversation.

This approach to launching a scam uses two common tactics: it borrows credibility from the popular account you were responding two, and it tries to make it seem as though you initiated the conversation by having you DM them first. Though the ultimate grift will change from person to person, they usually involve you creating an account and depositing crypto into some site they send you, similar to the ‘new exchange giveaway’ scams that are common on Discord. Here’s how one played out in my DMs earlier today.

The Approach

After making some offhanded reply to @CryptoFinally on Twitter (a frequent target of impersonators), I received this:

Note the spelling of their @
Note the spelling of their @

Never wanting to pass up an opportunity to learn about the latest fraud trends first hand, I did as requested and sent them a DM:

She didn’t waste any time getting down to business, first asking about what I hold, then saying she has a few 20x gems she wants to pass along. The point of asking what I hold is simple: she wants to know if I have funds readily available to steal. If I said I didn’t, she’d have either moved on to someone else, or changed to a different scam that involved sending fiat. But, I had some crypto handy, and it’s hard to turn down a quick 20x, so I pressed on:

A project not being listed on Binance is reasonable enough - it takes a lot to be listed there, and most BSC projects never make it.

Now, I asked if the exchange was new as a sort of checksum on how honest or dishonest the scammer was willing to be with me. An ICANN lookup on the domain name will tell me exactly when it was registered:

In this case, it was made just over a week ago. Some scammers like this one go for quick hits - make contact with their mark, direct the to the fraudulent site, and move on - but others play a longer confidence game that will draw the conversation out over several days or weeks. In those cases, it can be useful to know if they are mixing in some truth with their lies. While I wanted for her answer, I went ahead and made an account on the exchange:

I should probably make sure isn't actually an active email address...
I should probably make sure isn't actually an active email address...

As usual, security is not an issue with sites like this, and my account was made right away!

Welcome, a!
Welcome, a!

Looking at the coin offerings, there were only about a dozen of the most popular tokens listed, so I was really curious to learn what these supposed 20x gems would be. Unfortunately, it wouldn’t be that easy:

Apparently, I would only find out what I was supposed to buy via email, once I deposited BTC or ETH into my account. Since I’m not willing to send even a dollar to a scammer to see how things would play out next, I respectfully ended the conversation by thanking them for the training materials, and went about my day.

Name Spoofing

There are some common tricks scammers will use to make their username look as close as possible to the one they’re impersonating:

  • Adding underscores to the name, or using two underscores instead of one → @Coffeebreak_YT vs @Coffeebreak__YT
  • Using a lowercase ‘L” and an uppercase “I” interchangeably → Coffeezilla vs CoffeeziIIa
  • Using ‘r n’ together in place of a lowercase ‘m’ → Bitmart vs Bitrnart
  • Using the number ‘0’ and an uppercase ‘O’ interchangeably → Official vs 0fficial
  • Using one or two ‘v’s in place of a ‘w’ → Brewlabs vs Brevvlabs or Brevlabs

You get the idea. If you’re looking quickly, and especially if you’re on a small mobile screen, it can be easy to mistake a spoofed name for a real one. Then there are the more insidious spoofs that use alt and Cyrillic characters as substitutes, which look identical to their real counterparts:

Full thread here.

Much like the I/l switching, there are no visual clues that something is off. So, how can you protect yourself if you receive a DM from an account that looks legit?

  • If it looks like a mod/dev on a platform like Discord or Slack DMed you, tag them in a public channel and ask if it’s really them.
  • If it’s on a social media platform, look at how many followers the account has, and compare that with the real account.
  • Copy the username into a text editor, and change all letters to uppercase (in Word, Shift+f3 will cycle through upper, lower, and capital case). This will help you spot most letter/number switches.
  • Enter the username into a browser address bar, and add “.test” to the end (without quotes). Your browser will decode any alt/Cyrillic characters in it.
    • L○○ksRare.test → xn--lksrare-hm6da.test
  • If it is a URL, manually type the address into your browser, rather than clicking a link or copy/pasting.
  • Enter the username into a Cyrillic decoder and check the output:

The Takeaway

Any time you receive a reply or DM that looks like it’s from a popular account, always double check the @ name and follower count before engaging. On phone push notifications, you’ll only see the display name and PFP, both of which might be identical to the real account. If at any point you are directed to deposit funds into a new or unknown exchange (or other investment-related site), it’s most likely a honeypot, and the funds will be unrecoverable. So, you know, don’t do it.

Have a question, comment, tip, inside info, or anything else? Email

Subscribe to Know Your Crook
Receive the latest updates directly to your inbox.
This entry has been permanently stored onchain and signed by its creator.