Cyber scammers are using YouTube ads to sell fake cryptocurrencies in the name of Elon Musk, billionaire owner of Tesla and SpaceX. Since late May, a gang of scammers has stolen more than $430,000 worth of cryptocurrencies from users, buying advertising space in cryptocurrency videos available on YouTube to promote a counterfeit SpaceX (or $SpaceX token), claiming that she would be Musk’s creation.
“At the time we made this discovery, the scammers had an active campaign that, once completed, could increase the total value of stolen cryptocurrencies to nearly $1 million,” says Satnam Narang, Research Engineer, Response Team Tenable Security.
In early May, scammers hacked Twitter and You Tube accounts to promote a series of cryptocurrency-related scams, prior to Musk’s Saturday Night Live appearance, stealing more than $10 million in Bitcoin, Ethereum and Doge tokens. The scams carried out through YouTube were the most successful, resulting in a theft of more than $9 million.
According to Tenable’s security experts, the first ads aimed at tricking users and stealing their cryptocurrencies appeared on YouTube around May 22, before and during videos about cryptocurrencies made by popular creators on the video platform. “The ads are made up of several Musk videos, which have nothing to do with the subject. Tesla’s founder has gained a lot of attention in recent months for his support of cryptocurrencies, especially Bitcoin and Dogecoin,” says Narang.
Detail of the blow
Experts at Tenable detail that cryptocoup ads are three to five minutes long and feature a template that includes, at the top, a fake tweet by Musk, claiming he is launching his own cryptocurrency, called $SpaceX. In the same template, there is descriptive text with a header with the Tesla logo. The text says that “Elon Musk is releasing his own cryptocurrency, $SpaceX”. The purpose of the coin, according to the coup announcement, “is to take everyone to Mars and make human life there possible.” Lastly, they claim that for every transaction involving the $SpaceX currency, a donation will be made “to space research companies” with the aim of “assisting Elon’s mission”. The video that is part of the above ad is an excerpt from an interview Musk with the Computer History Museum and “KQED Revolutionaries” from 2013. The scammers indiscriminately use several Musk videos in these YouTube ads.
Ads are hosted on tampered YouTube accounts. When they appear, the username associated with the ad is visible. Narang explains that when searching for the user’s profile, one notices that the user joined YouTube in August 2011, for example. “Many of the accounts I found were created ten or 12 years ago. In this example, there were no videos associated with the account other than the video used in the scammer ad, but this is not a rule. It is likely that these YouTube accounts were inactive and the scammers managed to break into them to promote these fake ads,” says the Tenable executive.
Model used in previous scams
Narang further emphasizes that these ads take advantage of the same template that Tenable experts saw being used in Musk’s SNL scams in early May, including the Tesla logo. “In the YouTube ads related to the supposed SpaceX currency, you might think the scammers should have used the SpaceX logo instead of continuing to use the Tesla one, but it looks like they just copied the model the way it was,” says Narang .It is worth noting that the YouTube ads themselves do not contain a direct link to a website, but rather advertise the website in another section of the template. During analysis by Tenable’s security experts, at least twelve different websites were discovered to be promoted via these fake YouTube ads, including:
|buyspacex.com||NameCheap, Inc.||May 21, 2021|
|buyspx.com||NameCheap, Inc.||May 27, 2021|
|getspx.com||NameCheap, Inc.||May 29, 2021|
|spxlaunch.com||NameCheap, Inc.||May 29, 2021|
|spacexbuy.com||REG.RU LLC||May 30, 2021|
|officialspx.com||REG.RU LLC||June 1, 2021|
|missionspx.com||REG.RU LLC||June 2, 2021|
|spacexsale.com||REG.RU LLC||June 3, 2021|
|salespacex.com||REG.RU LLC||June 9, 2021|
|buyspxcoin.com||REG.RU LLC||June 15, 2021|
|muskspx.com||REG.RU LLC||June 16, 2021|
|falconspacex.com||REG.RU LLC||June 17, 2021|
“As a reminder, please note that this may not be a complete list of all domains used in these campaigns,” concludes Tenable’s Satnam Narang