
A sophisticated campaign involving thousands of fraudulent cryptocurrency investment platforms has been uncovered by Unit 42 researchers. These platforms, distributed through websites and mobile applications, are designed to deceive victims with unrealistic promises and operate similarly to Ponzi schemes.
The campaign lures users with promises of “unrealistically high returns on principal investments” and encourages them to recruit others through multi-level affiliate programs, a hallmark of pyramid schemes.
The threat actors behind this campaign employ a tactic of impersonation, mimicking well-known brands, cryptocurrency platforms, and popular organizations to gain victims’ trust. “Each scam crypto investment platform uses a popular theme that could be a well-known brand, organization, location or even a trending event,” the report states.

Researchers identified over 50 impersonated themes, including:
- Well-known banks
- Retail stores
- Technology companies
- Luxury brands
- E-commerce stores
- Cryptocurrency exchanges

The platforms even leverage major sporting events, such as the Paris 2024 Olympics, to attract users.
The scam platforms entice users with promises of unrealistic returns, such as a “VIP1” package claiming to yield a daily return of $3 on an $11 principal investment. “This represents a daily return on investment (ROI) of 27% that, when compounded, will yield an annual ROI of at least 2,650%,” the report emphasizes, calling such figures “unrealistic and should raise immediate red flags.”
Some platforms even fabricate explanations for these high returns, such as claiming the use of an AI-powered smart bot that leverages arbitrage to profit from price differences in cryptocurrency exchanges.
These scam operations exhibit telltale signs of a pyramid scheme. “Each platform employs a multi-level affiliate program where affiliates earn commissions for signing up new members through an invitation link or code,” the report details. The commission structure is tiered, offering the highest commission for first-level recruits, a classic characteristic of pyramid schemes.
The report indicates that affiliates promote these schemes on popular video-sharing platforms, often including invitation links or affiliate codes in their videos, suggesting they are top-level affiliates earning commissions through recruitment.
These scam investment platforms have a potentially large reach, with associated Telegram channels boasting tens of thousands of members. “For example, the Telegram channel… had over 29,000 members,” the report states. Researchers found that these threat actors primarily target internet users in East African and Asian countries.
Analysis of the websites reveals numerous similarities, suggesting the use of a single scam toolkit to generate them at scale. The websites share similar layouts and design elements, and their HTML is structurally alike. The mobile applications associated with these platforms are all Android-based and integrate the original website via a web view, “likely to reduce development overhead for the scam toolkit creators.”
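One way an analyst could measure the HTML structural similarity described above is to fingerprint each page by its tag skeleton and group pages whose fingerprints overlap. This is an added example, not code from the Unit 42 report or from the scam toolkit; the sample pages, function names and the 0.7 threshold are constructed assumptions.

```python
from html.parser import HTMLParser

class TagSkeleton(HTMLParser):
    """Record a page's tag structure, ignoring text and attribute values."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Attribute names only: brand text, URLs and class values vary per theme.
        self.tags.append(tag + "[" + ",".join(sorted(k for k, _ in attrs)) + "]")

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)

def shingles(html, k=3):
    """Return the set of k-long tag sequences that fingerprints a page."""
    p = TagSkeleton()
    p.feed(html)
    p.close()
    return {tuple(p.tags[i:i + k]) for i in range(max(len(p.tags) - k + 1, 1))}

def similarity(a, b):
    """Jaccard similarity of two pages' structural fingerprints (0.0 to 1.0)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

def cluster(pages, threshold=0.7):
    """Greedy grouping: a page joins the first group whose seed page it matches."""
    groups = []
    for name, html in pages.items():
        for g in groups:
            if similarity(pages[g[0]], html) >= threshold:
                g.append(name)
                break
        else:
            groups.append([name])
    return groups

# Constructed sample pages: three brand themes on one template, one unrelated site.
TEMPLATE = ('<html><body><div class="{c}"><img src="{i}"><h1>{t}</h1></div>'
            '<ul><li><a href="/vip1">VIP1</a></li><li><a href="/invite">Invite</a></li></ul>'
            '<form><input name="phone"><input name="code"><button>Join</button></form></body></html>')
PAGES = {
    "bank-theme": TEMPLATE.format(c="hdr-a", i="bank.png", t="Bank Invest"),
    "store-theme": TEMPLATE.format(c="hdr-b", i="store.png", t="Store Fund"),
    "event-theme": TEMPLATE.format(c="hdr-c", i="event.png", t="Event Fund").replace("</form>", "</form><p>Promo</p>"),
    "unrelated": "<html><body><article><h2>Notes</h2><p>Text</p><p>More</p></article></body></html>",
}
print(cluster(PAGES))
```

Pages that differ only in branding score 1.0, and a themed page with one extra element still lands in the same group, while the unrelated page stays separate.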
Several indicators suggest that a single threat actor is behind this campaign. There has been increased activity in new domain registrations since June 2024, with an average of around 15 domains created per day. Most of the domains (82%) were registered in Singapore using registrars with relaxed registration requirements and fake registrant names, suggesting automated domain creation. The campaign also heavily used domain fronting through public cloud services to obscure the sites' true locations.
Unit 42 researchers advise vigilance against these fraudulent schemes. “We strongly advise readers to always conduct thorough research before investing, to safeguard against such scams,” they warn. “Be particularly cautious of unrealistic promises of guaranteed returns, as these are often major red flags for scam investment schemes.”