Romance Scams Encouraging Coin Investments

AhnLab’s Mobile Analysis Team has confirmed cases of romance scams where perpetrators establish rapport by posing as overseas friends or romantic partners. They exploit this connection to solicit money under the guise of cryptocurrency investments.

A romance scam is a type of fraud that involves emotional manipulation to solicit money through various means. While previous romance scams mostly involved direct requests for money after gaining affection, current scams have expanded their scope to include fake cryptocurrency exchanges, banks, and online shopping malls.

Romance scams are not limited to South Korea but are conducted globally using messengers with translation features. In the case described here, the perpetrator introduced themselves as a Chinese-Japanese person and approached the victim claiming to want foreign friends. The stages by which a romance scam approaches its victim are as follows.

Luring Victims

The perpetrator does not approach victims directly but instead makes them come voluntarily. They mainly use social media to create posts that might interest potential victims. These posts appear to be ordinary and do not contain any content related to cryptocurrency. When a victim likes or follows such a post, as shown in Figure 1, the perpetrator expresses gratitude through a direct message (DM) and continues the conversation until eventually urging the victim to move to a messenger app with translation capabilities.

Figure 1. The perpetrator sending a DM upon being followed by the victim and urging them to take the conversation to a messenger app with a translation feature

Enticing Investment

The perpetrator engages in conversations with potential victims over several days to assess whether to proceed with their scam. If individuals are deemed susceptible to romance scams, the perpetrator indirectly asserts that they are benefiting from secret cryptocurrency insights shared by an acquaintance, as depicted in Figure 2.

Figure 2. Offhandedly mentioning cryptocurrency profits

Urging Victims to Use a Fake Cryptocurrency Exchange

If a victim expresses a desire to learn about cryptocurrency investment or shows interest in the secret profit information, the perpetrator mentions the fake cryptocurrency exchange they are using. If the victim attempts to use a legitimate cryptocurrency exchange, as depicted in Figure 3, the perpetrator convinces them that they can only profit by using the recommended exchange, citing excuses such as national restrictions that supposedly prevent the same profit pattern from appearing on other exchanges.

Figure 3. Citing advantages of the fake cryptocurrency exchange to lure victim

Impersonation of a Cryptocurrency Exchange and Manipulation of Search Information

The fake cryptocurrency exchange called “CoinB” introduced by the perpetrator was found to be listed on platforms such as Namuwiki and Wikipedia, as seen in Figure 4. Wikis are publicly editable databases, so false information can be added by anonymous internet users. In this case, the information about the exchange’s founder, its details, and the related articles on these platforms actually pertains to “Coinbase”, not “CoinB”.

Figure 4. “CoinB” listed on Namuwiki and Wikipedia

Further investigation revealed that this exchange was also featured on platforms like YouTube and Facebook, as depicted in Figure 5. However, the homepage of the mentioned cryptocurrency exchange (coinb.top) is not currently operational, and the address provided by the perpetrator for “CoinB” leads to a different domain.

Figure 5. “CoinB” featured on YouTube and Facebook

The perpetrator provides a download link for an app that allows access to the fake cryptocurrency exchange, as shown in Figure 6. Upon visiting this link, a page resembling the official market’s download page is displayed.

Figure 6. App download link for the fake exchange being distributed and the resulting screen

The app’s download page, as illustrated in Figure 7, identifies the victim’s device operating system before serving the matching installation file. Once the app is installed and launched, the victim can access the fake cryptocurrency exchange mentioned by the perpetrator.

Figure 7. App installation and launch screen

Learning to Use the App Through a Virtual Account

Once the app is installed, the perpetrator instructs the victim to learn how to use it with a virtual account provided by the fake cryptocurrency exchange. There are two reasons for providing this guidance.

Firstly, the fake cryptocurrency exchange is only superficially well-designed, as it only contains the features necessary for the scam. By guiding the victim to utilize only these necessary features, the perpetrator can prevent them from discovering that certain features are non-functional within the app, ultimately delaying the realization that it is a scam.

Secondly, the process of using the virtual account involves a demonstration of profit being generated. The victim indirectly experiences profits and develops a desire to invest, believing that the secret profit information held by the perpetrator is genuine.

Following the perpetrator’s guidance, if the victim applies for a virtual account in the app’s Contact Us section, they are directed to a virtual account registered with ProtonMail, as shown in Figure 8. Upon logging in with the provided account, the victim discovers a balance of $50,000 USD (approximately 68.85 million KRW) within the account, which can be used for virtual investments.

Figure 8. Requesting a virtual account in the app and the screen after logging in

Upon logging in, the victim follows the perpetrator’s guidance and purchases Bitcoin (BTC), as shown in Figure 9. This purchase has no connection to the real cryptocurrency price chart; the account balance simply increases after a set period regardless of market movement. When the actual Bitcoin chart was checked for the purchase timeframe, there was only a slight fluctuation and the price remained stable, so the displayed profit could not have come from a real trade.

After the transaction, the perpetrator mentions the profit in the virtual account and convinces the victim not to disclose the investment to others, stating that this secret profit information is only being shared with the victim.

Figure 9. Purchasing Bitcoin according to the perpetrator’s guidance

Exfiltration of Personal Information and Coin

After completing the learning process with the virtual account, the victim is prompted to proceed with registration. During this step, they are asked to enter their financial and personal information into the app, as depicted in Figure 10. The entered information is not verified, and the victim is then given instructions on deposit methods for purchasing coins. At this point the victim not only risks losing the deposited money but also faces potential secondary harm from the personal information they have entered.

Figure 10. Entering financial and personal information in the app, including cryptocurrency wallet address

Similar Fake Cryptocurrency Exchanges

AhnLab’s Mobile Analysis Team conducted research on similar cases based on their investigation of this romance scam app and its web address. Their findings revealed multiple fake cryptocurrency exchange apps and websites, as shown in Figure 11. Some of these fake exchange sites had already been exposed as scams, prompting warning notices. Once discovered, the perpetrators shut down the servers of these exchanges and re-release them under different cryptocurrency exchange names.

Figure 11. Similar fake cryptocurrency exchange sites

Furthermore, although the download addresses of the fake cryptocurrency exchange apps differ, they all use the same download script, as depicted in Figure 12. Since the apps themselves are also composed of identical code, it is suspected that they are managed by a single group.

Figure 12. Comparison of app download scripts and internal app code

Conclusion

AhnLab detects these apps as PUP/Android.CoinScam. Because romance scams rely on social engineering to approach victims, malicious intent is difficult to determine from the app and scam sites alone. Users should therefore avoid obscure cryptocurrency exchanges and keep their anti-malware apps up to date to prevent potential harm.

[File Detection]

PUP/Android.CoinScam.1222978
PUP/Android.CoinScam.1222977
PUP/Android.CoinScam.1222976
PUP/Android.CoinScam.1222975
PUP/Android.CoinScam.1222973

[IoC]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check the related IoCs and detailed analysis information.

The post Romance Scams Urging Coin Investment appeared first on ASEC BLOG.