Adam Guerbuez is a cryptocurrency evangelist whose YouTube channel is full of videos promoting cryptocurrency trading; when he got a Twitter message from a scammer promising to send him free Ethereum coins, he asked the scammer if they could talk about the scam.
The scammer turned out to be a big fan of Guerbuez's and was happy to do an interview, which makes for a fascinating read. Assuming the scammer is telling the truth (admittedly a big assumption!), the scam pulls in $50,000-$100,000/day and has been impervious to Twitter's efforts to crack down on bots. There's a security economics story here: if a scammer can make millions every month by probing and bypassing Twitter's bot-detection system, they will be powerfully motivated to do so, and can throw a lot of resources at the problem. If Twitter's assumption is that botmasters are petty grifters, astroturfers, and griefers with much smaller financial stakes, then the measures it develops are unlikely to stop such a motivated adversary.
Also fascinating is that the scammers have abandoned their use of stolen verified accounts to push scams: their victims (whom they call “mooches,” which is an ancient bit of con-artist slang with something like a century of history, indicating that someone in this ecosystem has been doing their con artist homework) are easily hooked with unverified accounts, so there’s no point in spending $100-$1000 for blue-ticked, verified stolen accounts that might be reported and ganked in mere hours.
Other takeaways: stealing cryptocurrency is easier than stealing money, because the marks don't think of cryptocurrency as real money and are more reckless with it, and because there's a massive system of coinwashing and other money-laundering techniques used to hide the cash-out. (Note that all this effort may be for nothing: just because the scammers think they've covered their tracks doesn't mean they actually have. This would make a great infosec conference paper!)
Adam: Do you work as a team or just you?
ETHgiveaway: Small team but most of the operation is automated
Adam: When you say automated, can you explain?
ETHgiveaway: Well, the process from generating accounts, to tweeting, to rotating the ETH wallet address is all done automatically by our bots. The only manual process is cashing out.
Adam: But what about the Verified accounts (blue tick) how can you automatically create those?
ETHgiveaway: We do not use those now; they were just for a while. We bought the accounts from markets selling sploited accounts that were verified on Twitter, then changed the name of the account.
Adam: How much do they sell those hacked accounts for on the markets?
ETHgiveaway: It's not a secret market or dark market; they sell on most gaming forums, actually. The price is like 100 to 1000 USD per account, depending on how many followers it has. But since the owner reports the account stolen fast, the account lasts not much more than a few hours; sometimes we get lucky with a couple of days before it gets killed.
Adam: So why did you stop using verified accounts?
ETHgiveaway: Because the mooches send ETH to any account we make; they do not even care about verified like we assumed they would. The mooch is just so excited to make money for nothing and multiply their ETH.