Media outlets and governments around the world have warned of scammers taking advantage of the Covid-19 crisis. It’s a worrisome prospect. With an ongoing public health emergency — not to mention the accompanying economic downturn — most of us would rather focus on staying safe than guarding against scams. The thought that some would seek to profit by taking advantage of the vulnerable at a time like this is also disconcerting.
But while we can’t speak to the effectiveness of these scams in the fiat world, the data shows that cryptocurrency scams overall have been taking in less than ever since early March, when the Covid-19 crisis intensified in the western world.
The total daily value sent to cryptocurrency scams dropped 61% between March 13 and March 31, though it has recovered some since then. Does that mean the concerns over scammers taking advantage of Covid-19 are overblown? Not quite. Nearly all of the scam revenue losses so far are concentrated in investment scams and Ponzi schemes, two scam sub-categories that together make up the vast majority of cryptocurrency scamming activity. But while Covid-19 has hurt that set of scammers, it’s giving others who favor email spamming tactics new stories they can use to try to fool their victims. While we’ve seen very few successful examples of such scams using Covid-19 so far, we still need to take them seriously and ensure the general public is made aware of them. Below, we’ll dig deeper into Covid-19’s impact on different types of scams.
How phishing and blackmail scammers exploit Covid-19
Cryptocurrency scams fall into a few different general buckets, but the goal is always the same: Trick victims into sending the scammer cryptocurrency or giving up access to their cryptocurrency wallet under false pretenses. Covid-19’s primary impact on cryptocurrency scams thus far has been to give scammers new narratives with which to “pitch” their victims, usually over email. We see this primarily in two common types of cryptocurrency scams: Phishing scams and blackmail scams.
Phishing scammers typically try to trick victims by imitating a legitimate business, charity, or well-known individual. A common example would be for a scammer to send an email from what appears to be the victim’s exchange asking them to provide their login information. But now, we’re seeing phishing scammers build their narratives around Covid-19. We pointed to one example last week in which a scammer claimed to be with the CDC and asked victims to donate cryptocurrency to help fight the pandemic. We’ve also come across other examples, such as scammers claiming to have medical supplies or even remedies for Covid-19 available for sale.
The phishing scammers exploiting Covid-19 are simply putting a topical spin on their usual strategy, but the scam itself remains the same. We see a similar trend in blackmail scams.
Blackmail scammers also contact victims primarily through email. They typically claim to have compromising information on their victim, which they threaten to leak to the victim’s friends and family unless they receive a payment in cryptocurrency. But now, instead of threatening to leak sensitive information, some blackmail scammers are claiming to have Covid-19 and threatening to spread it to the victim’s family unless they pay up.
Again, nothing separates this from the typical blackmail scam except that the specific threat being delivered relates to Covid-19. It’s a scary development to see in a time of crisis, but the addresses associated with Covid-19-centered scams that we’ve investigated have received very little money, suggesting these ploys haven’t been very successful yet (though some are reporting that fiat analogues of these scams have been successful).
While it’s unlikely that no scammers have been successful exploiting Covid-19, the data shows that scams overall are receiving much less cryptocurrency since the crisis intensified in early March than they were previously. Why? Because any extra money potentially being generated by Covid-19 fraud and extortion scams is well outpaced by the huge drop-offs in money being sent to Ponzi schemes and other types of cryptocurrency investment scams.
Covid-19 is crushing the biggest cryptocurrency scams
Ponzi schemes and investment scams take in much more than all other cryptocurrency scam types. Together, they received 95% of all funds sent to cryptocurrency scams in 2019. Phishing and extortion scams are a drop in the bucket by comparison. But since the week ending March 8, the weekly average amount being sent to investment scams and Ponzi schemes dropped by 33%, from $4.2 million to just under $2.9 million.
Why are these scams taking in so much less money? Ponzi schemes and investment scams typically pitch victims on investing in a new token or cryptocurrency business, enticing them with promises of high yields. Perhaps that message fools fewer people in the midst of huge cryptocurrency price drops and general concerns around an economic downturn. However, that doesn’t appear to be the case.
Above, we look at the total weekly value received and number of individual transfers made to the twenty most active Ponzi schemes and investment scams, which together make up 94% of all scam activity in 2020. We see that until this past week, the number of individual transfers to Ponzi schemes and investment scams remained consistent, suggesting they reached the same number of victims. However, the weekly total value received by those scams fell, suggesting those victims were sending less value per transfer. (Both figures have recovered for Ponzi schemes and investment scams in the last week ending April 5, but the vast majority of that recovery was driven by two specific Ponzi schemes. The rest are still seeing roughly even transfers but lower value than they were before Covid-19.) Digging deeper, we find that the loss of value is caused almost entirely by cryptocurrency price drops. Most of these scams have received the same or more value per day in their native coins since the crisis intensified in early March.
Why is this happening? It likely comes down to how Ponzi schemes and investment scams solicit “investments” from victims. Most of them ask for the same low, flat amount from victims — usually a figure like 0.2 BTC — in all their advertisements across email, YouTube, social media, and on their own websites. We believe scammers are still receiving those same payments from roughly the same number of victims per month. The payments are just worth less now due to cryptocurrency price drops.
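The reasoning above separates two possible causes of a revenue drop: fewer or smaller payments in the native coin, or a lower coin price. The following is an added example, not Chainalysis code or data; the `Week` and `decompose` names and all figures are constructed for illustration. It splits a week-over-week change in USD received into a volume effect and a price effect that sum exactly to the total.

```python
from dataclasses import dataclass

@dataclass
class Week:
    transfers: int      # number of individual payments received
    coins: float        # total received, in the scam's native coin
    price_usd: float    # average coin price that week

    @property
    def usd(self) -> float:
        return self.coins * self.price_usd

def decompose(before: Week, after: Week) -> dict:
    """Split the change in USD received into a volume effect and a price effect.

    Midpoint weighting makes the two effects sum exactly to the USD change.
    """
    d_coins = after.coins - before.coins
    d_price = after.price_usd - before.price_usd
    volume_effect = d_coins * (before.price_usd + after.price_usd) / 2
    price_effect = d_price * (before.coins + after.coins) / 2
    return {
        "usd_change": after.usd - before.usd,
        "volume_effect": volume_effect,
        "price_effect": price_effect,
        "coins_per_transfer": (before.coins / before.transfers,
                               after.coins / after.transfers),
        "driver": "price" if abs(price_effect) > abs(volume_effect) else "volume",
    }

# Constructed sample data (round numbers, not real market or scam figures).
# Case 1: same flat 0.2-coin ask, about the same number of victims, lower price.
PRICE_DROP = decompose(Week(500, 100.0, 9000.0), Week(505, 101.0, 6000.0))
# Case 2: price unchanged, but far fewer victims paying.
FEWER_VICTIMS = decompose(Week(500, 100.0, 9000.0), Week(300, 60.0, 9000.0))

if __name__ == "__main__":
    for name, result in (("price drop", PRICE_DROP), ("fewer victims", FEWER_VICTIMS)):
        print(name, result)
```

In the first case the payment count and coins per transfer are flat while USD received falls by about a third, which is the pattern the text attributes to price drops rather than to fewer victims.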
In short, while Covid-19 is providing phishing and blackmail scammers with new fraudulent stories to entice victims, the cryptocurrency price drops spurred by the pandemic have drastically reduced the revenue of the Ponzi schemes and investment scams that make up most cryptocurrency scamming activity. But while the majority of phishing and blackmail scams exploiting Covid-19 don’t appear to have been successful so far, we can’t write them off as a threat, especially with so many set to receive relief money from the government — a potential revenue source scammers are surely thinking about. Plus, as we’ll explore below, the evidence suggests that the scammers exploiting Covid-19 are quite active in other areas of cybercrime. Investigating them could turn up new leads in old cases and nip future scams in the bud now.
Case study preview: Who are the scammers exploiting Covid-19?
Based on the techniques they’re using, we believe the cybercriminals exploiting Covid-19 for cryptocurrency scams are the same ones behind most phishing and blackmail scams. And in one ongoing case, we’ve received direct confirmation.
Sophos recently alerted us to a cryptocurrency scam exploiting Covid-19 that’s received some publicity in the UK. This scam follows the blackmail model we discussed above, in which the scammer emails victims threatening to infect their families with Covid-19.
Sophos provided us with the cryptocurrency addresses to which this scammer directed victims to send payments. Using Chainalysis Reactor, we were able to see that one of the addresses received a $950 payment from one victim. Since that address had undergone a transaction, we were able to analyze it further and eventually connect it to several other addresses we could confirm are controlled by the same person or group. We found that many of those addresses had been used in prior phishing scams, in addition to several attempted ransomware attacks and darknet market transactions before the pandemic.
The investigation is ongoing, but we’ll be able to share most of our findings April 15 in our webinar on Covid-19 and crypto crime (part two of a two-part series). Sign up and join to learn the details of the investigation, including more on the perpetrator’s prior criminal activity and a rundown of the techniques we used to discover other cryptocurrency addresses under their control.