By Jean Le Roux
A cryptocurrency investment scam using a network of Twitter-based sockpuppet accounts is targeting South African users by leveraging fabricated “testimonials” posted on the platform.
Since the start of the year, the network has posted more than 43,000 of these tweets, usually in reply to high-follower accounts such as celebrities, news publications and journalists. A rise in the price of bitcoin and other cryptocurrencies since late last year has made cryptocurrencies an attractive lure to get users to part with their cash.
The network consists of two parts. The first layer is scores of sockpuppets that promote the second layer's accounts using tweets styled as fake “testimonials.” These first-layer accounts portray themselves as South African and are used to give the rest of the network credibility. The second layer consists of several sockpuppet accounts that resemble successful U.S.-based forex and cryptocurrency traders.
Although these accounts claim to hail from the U.S., the DFRLab has identified several links to West African countries, including Nigeria, Uganda, and Tanzania.
When a victim engages with the successful-seeming forex trader networks, they are ushered off-platform to instant messaging apps and websites where they are inevitably prompted to deposit cryptocurrency into the scammers’ cryptocurrency wallet address. These sites are little more than window dressing; despite the impressive-looking dashboards, their only functionality is providing the user with the wallet address to complete the “investment.”
The Financial Sector Conduct Authority (FSCA), South Africa’s financial watchdog, issued two warnings against these cryptocurrency exchanges this year alone. On February 4, 2021, the financial regulator issued a press release cautioning South Africans and institutional investors against scams dressed as cryptocurrency investments, and deemed it necessary to issue a follow-up on March 18, 2021, noting with concern increasing volumes of crypto asset-related losses.
There are strong parallels between the tactics used by these scammers and those deployed by bad actors pushing other forms of disinformation. The accounts were given a veneer of credibility through inauthentic and coordinated testimonials, sockpuppet accounts, and artificially inflated follower numbers gained through follow-trains. The motive here was financial, but the same tactics could easily be adapted for political and other forms of disinformation.
Trails from the Crypto
The majority of the tweets in this scam are published by the accounts meant to funnel users towards the crypto trader accounts. They do this using copy/paste testimonials posted in reply to large-following Twitter accounts, such as news publications and celebrities.
To identify the accounts operating in this network, the DFRLab identified three recurring tweets used by various accounts to lure users into the scam. The phrases in these tweets were used to perform keyword searches and create three datasets, one for each keyphrase.
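The keyphrase approach described above can be sketched as follows. This is an added example, not the DFRLab's own tooling: the keyphrases, sample tweets, account names and function names are all constructed for illustration. It builds one dataset per keyphrase and then summarises, per account, how many matching replies it posted and how many different accounts it replied to.

```python
import re
from collections import defaultdict

# Constructed placeholder keyphrases; the phrases the DFRLab used are not given on this page.
KEYPHRASES = [
    "changed my life with her trading strategy",
    "i was skeptical until i got my first payout",
    "invested r5000 and withdrew my profit within a week",
]

# Constructed sample replies: (author, account replied to, text).
SAMPLE_TWEETS = [
    ("user_a", "news_outlet", "@news_outlet She CHANGED my life with her   trading strategy! https://t.example/1"),
    ("user_b", "celebrity_x", "@celebrity_x she changed my life with her trading strategy"),
    ("user_a", "journalist_y", "@journalist_y I was skeptical until I got my first payout @trader_1"),
    ("user_c", "news_outlet", "@news_outlet Load shedding again tonight?"),
    ("user_a", "celebrity_x", "@celebrity_x she changed my life with her trading strategy!!"),
]

def normalize(text):
    """Lower-case and drop mentions, URLs and punctuation so copy/paste variants compare equal."""
    text = re.sub(r"https?://\S+|@\w+", " ", text.casefold())
    text = re.sub(r"[^a-z0-9\s]", " ", text)
    return " ".join(text.split())

def build_datasets(tweets, keyphrases=KEYPHRASES):
    """Return {keyphrase: [(author, target, text), ...]}, one dataset per keyphrase."""
    datasets = {phrase: [] for phrase in keyphrases}
    for author, target, text in tweets:
        clean = normalize(text)
        for phrase in keyphrases:
            if normalize(phrase) in clean:
                datasets[phrase].append((author, target, text))
    return datasets

def account_summary(datasets):
    """Per author: matching tweet count, distinct keyphrases used, distinct accounts replied to."""
    stats = defaultdict(lambda: {"tweets": 0, "phrases": set(), "targets": set()})
    for phrase, rows in datasets.items():
        for author, target, _ in rows:
            stats[author]["tweets"] += 1
            stats[author]["phrases"].add(phrase)
            stats[author]["targets"].add(target)
    return dict(stats)

if __name__ == "__main__":
    for author, s in sorted(account_summary(build_datasets(SAMPLE_TWEETS)).items()):
        print(author, s["tweets"], len(s["phrases"]), sorted(s["targets"]))
```

Accounts that reuse more than one keyphrase across many unrelated reply targets are the ones worth reviewing first.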