Conning the Crypto Conman: End-to-End Analysis of Cryptocurrency-based Technical Support Scams

Bhupendra Acharya, Muhammad Saad, Antonio Emanuele Cinà, Lea Schönherr, Hoang Dai Nguyen, Adam Oest, Phani Vadrevu, Thorsten Holz

TL;DR

The paper presents HoneyTweet, a deception-based framework that baited over 9K cryptocurrency technical support scammers on Twitter to study their lifecycle across platforms. By integrating automated tweeting, cross-platform pivoting, and money-trail analysis (including honey wallet keys and collaboration with PayPal), the authors map scammer modalities, profile attributes, and monetization channels. They reveal two main scam archetypes, measure platform blocking efficacy, and propose practical mitigations for social platforms to curb cross-channel fraud. The work demonstrates a practical, end-to-end methodology to characterize evolving crypto scam ecosystems with real-world impact and provides open-source tooling for future research.

Abstract

The mainstream adoption of cryptocurrencies has led to a surge in wallet-related issues reported by ordinary users on social media platforms. In parallel, there is an increase in an emerging fraud trend called cryptocurrency-based technical support scam, in which fraudsters offer fake wallet recovery services and target users experiencing wallet-related issues. In this paper, we perform a comprehensive study of cryptocurrency-based technical support scams. We present an analysis apparatus called HoneyTweet to analyze this kind of scam. Through HoneyTweet, we lure over 9K scammers by posting 25K fake wallet support tweets (so-called honey tweets). We then deploy automated systems to interact with scammers to analyze their modus operandi. In our experiments, we observe that scammers use Twitter as a starting point for the scam, after which they pivot to other communication channels (e.g., email, Instagram, or Telegram) to complete the fraud activity. We track scammers across those communication channels and bait them into revealing their payment methods. Based on the modes of payment, we uncover two categories of scammers that either request secret key phrase submissions from their victims or direct payments to their digital wallets. Furthermore, we obtain scam confirmation by deploying honey wallet addresses and validating private key theft. We also collaborate with the prominent payment service provider by sharing scammer data collections. The payment service provider feedback was consistent with our findings, thereby supporting our methodology and results. By consolidating our analysis across various vantage points, we provide an end-to-end scam lifecycle analysis and propose recommendations for scam mitigation.

Paper Structure (38 sections, 15 figures, 8 tables)

Figures (15)

  • Figure 1: Overview of the HoneyTweet data collection and analysis pipeline. Our workflow consists of three modules (tweet, analytics, and timelines module). Additionally, we implemented an account interaction component where we performed automated and manual interactions with scammers outside of the Twitter platform (more details in Sec. \ref{sec:pivoting}). This figure displays the anatomy of tweet posts that we perform to lure scammers.
  • Figure 2: A sample tweet from our Tweet Generator module. Note that the profile setup reflects a cryptocurrency enthusiast. The first sentence is a greeting, followed by two sentences indicating the problem and requesting help. We also included hashtags to enhance the tweet visibility.
  • Figure 3: False Positive examples of benign interaction performed by official wallet support and regular Internet users. The left image shows two replies, one from the official MetaMask support and the second from regular Internet interaction. The right graph displays Binance's official support link to the page and offers support for wallet issues.
  • Figure 4: Interactions of scammers with HoneyTweet. Figure \ref{fig:si_at} shows the overall interaction in the form of replies, retweets, quoted tweets, and likes seen over the experiment duration. \ref{fig:si_af} shows the following count of each honey tweet account. \ref{fig:si_sd} shows the cumulative sum of scammers based on their total interactions with HoneyTweet.
  • Figure 5: Examples of scam accounts asking potential victims to connect through email, Google forms, and Instagram. These interactions indicate that scammers use Twitter as a starting point for fraud before pivoting to other platforms.
  • ...and 10 more figures