Double-Your-Crypto Scams Share Crypto Scam Host

Online scams that try to separate the unwary from their cryptocurrency are a dime a dozen, but a great many seemingly disparate crypto scam websites tend to rely on the same dodgy infrastructure providers to remain online in the face of massive fraud and abuse complaints from their erstwhile customers. Here's a closer look at hundreds of phony crypto investment schemes that are all connected through a hosting provider which caters to people running crypto scams.

Double-Your-Crypto Scams Share Crypto Scam Host

Online scams that try to separate the unwary from their cryptocurrency are a dime a dozen, but a great many seemingly disparate crypto scam websites tend to rely on the same dodgy infrastructure providers to remain online in the face of massive fraud and abuse complaints from their erstwhile customers. Here’s a closer look at hundreds of phony crypto investment schemes that are all connected through a hosting provider which caters to people running crypto scams.

A security researcher recently shared with KrebsOnSecurity an email he received from someone who said they foolishly invested an entire bitcoin (currently worth ~USD $43,000) at a website called ark-x2[.]org, which promised to double any cryptocurrency investment made with the site.

The ark-x2[.]org site pretended to be a crypto giveaway website run by Cathie Wood, the founder and CEO of ARKinvest, an established Florida company that manages several exchange-traded investment funds. This is hardly the first time scammers have impersonated Wood or ARKinvest; a tweet from Wood in 2020 warned that the company would never use YouTube, Twitter, Instagram or any social media to solicit money.

At the crux of these scams are well-orchestrated video productions published on YouTube and Facebook that claim to be a “live event” featuring famous billionaires. In reality, these videos just rehash older footage while peppering viewers with prompts to sign up at a scam investment site — one they claim has been endorsed by the celebrities.

“I was watching a live video at YouTube where Elon Musk, Cathy Wood, and Jack Dorsey were talking about Crypto,” the victim told my security researcher friend. “An overlay on the video pointed to subscribing to the event at their website. I’ve been following Cathy Wood in her analysis on financial markets, so I was in a comfortable and trusted environment. The three of them are bitcoin maximalists in a sense, so it made perfect sense they were organizing a giveaway.”

“Without any doubt (other than whether the transfer would go through), I sent them 1 BTC (~$42,800), and they were supposed to return 2 BTC back,” the victim continued. “In hindsight, this was an obvious scam. But the live video and the ARK Invest website is what produced the trusted environment to me. I realized a few minutes later, when the live video looped. It wasn’t actually live, but a replay of a video from 6 months ago.”

Ark-x2[.]org is no longer online. But a look at the Internet address historically tied to this domain (186.2.171.79) shows the same address is used to host or park hundreds of other newly-minted crypto scam domains, including coinbase-x2[.]net (pictured below).

The crypto scam site coinbase-x2[.]net, which snares unwary investors with promises of free money.

Typical of crypto scam sites, Coinbase-x2 promises a chance to win 50,000 ETH (Ethereum virtual currency), plus a “welcome bonus” wherein they promise to double any crypto investment made with the platform. But everyone who falls for this greed trap soon discovers they won’t be getting anything in return, and that their “investment” is gone forever.

There isn’t a lot of information about who bought these crypto scam domains, as most of them were registered in the past month at registrars that automatically redact the site’s WHOIS ownership records.

However, several dozen of the domains are in the .us domain space, which is technically supposed to be reserved for entities physically based in the United States. Those Dot-us domains all contain the registrant name Sergei Orlovets from Moscow, the email address ulaninkirill52@gmail.com, and the phone number +7.9914500893. Unfortunately, each of these clues lead to a dead end, meaning they were likely picked and used solely for these scam sites.

A dig into the Domain Name Server (DNS) records for Coinbase-x2[.]net shows it is hosted at a service called Cryptohost[.]to. Cryptohost also controls several other address ranges, including 194.31.98.X, which is currently home to even more crypto scam websites, many targeting lesser-known cryptocurrencies like Polkadot.

An ad posted to the Russian-language hacking forum BHF last month touted Cryptohost as a “bulletproof hosting provider for all your projects,” i.e., it can be relied upon to ignore abuse complaints about its customers.

“Why choose us? We don’t keep your logs!,” someone claiming to represent Cryptohost wrote to denizens of BHF.

Cryptohost says its service is backstopped by DDoS-Guard, a Russian company that has featured here recently for providing services to the sanctioned terrorist group Hamas and to the conspiracy theory groups QAnon/8chan.

A scam site at Cryptohost targeting Polkadot cryptocurrency holders.

Cryptohost did not respond to requests for comment.

Signing up as a customer at Cryptohost presents a control panel that includes the IP address 188.127.235.21, which belongs to a hosting provider in Moscow called SmartApe. SmartApe says its main advantage is unlimited disk space, “which allows you to host an unlimited number of sites for little money.”

According to FinTelegram, a blog that bills itself as a crowdsourced financial intelligence service that covers investment scams, SmartApe is a “Russian-Israeli hosting company for cybercriminals.”

SmartApe CEO Mark Tepterev declined to comment on the allegations from FinTelegram, but said the company has thousands of clients, some of whom have their own clients.

Cryptohost’s customer panel, which points to an IP address at Russian hosting provider SmartApe.

“Also we host other hostings that have their own thousands of customers,” Tepterev said. “Of course, there are clients who use our services in their dubious interests. We immediately block such clients upon receipt of justified complaints.”

Much of the text used in these scam sites has been invoked verbatim in similar schemes dating back at least two years, and it’s likely that scam website templates are re-used so long as they continue to reel in new investors. Searching online for the phrase “During this unique event we will give you a chance to win” reveals many current and former sites tied to this scam.

While it may seem incredible that people will fall for stuff like this, such scams reliably generate decent profits. When Twitter got hacked in July 2020 and some of the most-followed celebrity accounts on Twitter started tweeting double-your-crypto offers, 383 people sent more than $100,000 in a few hours.

In Sept. 2021, the Bitcoin Foundation (bitcoin.org) was hacked, with the intruders placing a pop-up message on the site asking visitors to send money. The message said any sent funds would be doubled and returned, claiming that the Bitcoin Foundation had set up the program as a way of “giving back to the community.” The brief scam netted more than $17,000.

According to the U.S. Federal Trade Commission, nearly 7,000 people lost more than $80 million in crypto scams from October 2020 through March 2021 based on consumer fraud reports. That’s a significant jump from the year prior, when the FTC tracked just 570 cryptocurrency investment scam complaints totaling $7.5 million.

A recent report from blockchain analysis firm Chainalysis found that scammers stole approximately $14 billion worth of cryptocurrency in 2021 — nearly twice the $7.8 billion stolen by scammers in 2020, the report found.

In March, Australia’s competition watchdog filed a lawsuit against Facebook owner Meta Platforms, alleging the social media giant failed to prevent scammers using its platform to promote fake ads featuring well-known people. The complaint alleges the advertisements, which endorsed investment in cryptocurrency or money-making schemes, could have misled Facebook users into believing they were promoted by famous Australians.

In many ways, the crypto giveaway scam is a natural extension of perhaps the oldest cyber fraud in the book: Advanced-fee fraud. Most commonly associated with Nigerian Letter or “419” fraud and lottery/sweepstakes schemes, advanced fee scams promise a financial windfall if only the intended recipient will step up and claim what is rightfully theirs — and oh by the way just pay this small administrative fee and we’ll send the money.

What makes these double-your-crypto sites successful is not just ignorance and avarice, but the idea held by many novice investors that cryptocurrencies are somehow magical money-minting machines, or perhaps virtual slot machines that will eventually pay off if one simply deposits enough coinage.