Threat Research

Another BitCoin Exchange Scam—This Time “Live” on YouTube

By Kushal Arvind Shah | April 22, 2021

FortiGuard Labs Threat Research Report

Affected platforms: YouTube platform
Impacted parties:    YouTube platform, YouTube users, and @chamath
Impact:                     Loss of funds and reputation
Severity level:          Critical

BitCoin Exchange Scam Summary

Many people today, especially as the effects of Covid-19 continue to linger, spend time at home looking for ways to interact with the outside world. This has led to a significant increase in Social Media interactions, primarily on media streaming websites like YouTube. And as new activities like this trend, malicious entities are never far behind. Like many of you, I too am always on the hunt for original content on YouTube. But while recently doing so, I accidently stumbled upon a “LIVE” Bitcoin (Ƀ) donate/exchange scam video.

After verifying that this video was not just a scam but also malicious in nature (which I explain in this blog), the FortiGuard Labs team reached out to the YouTube platform for assistance in taking the video down in the interest of user safety. 

Essentially, this is a typical scam, much like the recent Bitcoin exchange scams seen on Twitter. But this is a first for the YouTube platform. And it also made the claim that it was LIVE. And unlike previous scams falsely making use of @elonmusk, this one illegitimately makes use of @chamath of Social Capital. 

In the following sections you will find technical details on how we identified this recent live BitCoin scam. And hopefully, one takeaway from this article will be that, going forward, readers will check the authenticity of the YouTube/social-media channels they follow to ensure that the content being provided is not malicious in nature.

Initial Discovery of BitCoin Exchange Scam

Due to Covid-19 quarantining, as well as the recent spikes in the value of the stock market and cryptocurrencies, more people than ever are at home looking for live stock market/crypto-related content on streaming platforms like YouTube, etc. This might be to compensate for the lack of in-person interactions that we would normally have in a non-Covid-19 world, as well as to perhaps make some quick income on the side During a random midnight search for similar content, I accidently stumbled upon a LIVE Bitcoin scam on YouTube (yes, this time it was on YouTube and not on Twitter). YouTube has several labels/buttons on its home page to identify trending categories of videos, and this one indicated that several scams were streaming “live”. The first video I saw after clicking the Live button was titled, “Chamath Palihapitiya - What will be the New World of Finance? | SPACs, Coinbase IPO and NFT” with the URL link “hxxps://www[.]youtube[.]com/watch?v=cFstoyKl99s”. (Note that this address has been changed several times just in the last three days. The address listed here was the last known occurrence of this scam. Since we flagged multiple Video URLs by this attacker in the last 3 days, as of now YouTube has taken down the entire YouTube channel.)

The first thing that caught my eye was that, unlike other live-streamed videos on YouTube, this one used a smaller than usual video screen-size [1]. 

Figure 1: Video screen size is smaller than other live-streamed videos

This was my first red flag that something was amiss, as most YouTube content creators try to make use of the entire screen size for optimal interaction with their audience.

The next thing I noticed was the video’s caption message, “Our mission is to advance humanity by solving the world’s hardest problems. We want to thank our supporters and also help crypto mass adoption, so 1000 BTC will be distributed among everyone who takes part in the event. You can find all the information on the website.” And also, unlike most content creators, the website link “More info: cham-event[.]com” did not include any video descriptions. 

Another red flag was that while this YouTube channel had 252k subscribers, there was only ONE video on the channel. This could either be a case of a hacked YouTube channel that had had all previous videos deleted, OR it could be that the malicious attacker somehow found a way to add fake subscribers to his/her channel.

Detailed Investigation

Since there was no additional information on the video or the channel, I proceeded with checking out the website, “cham-event[.]com”.

Before visiting any website, I always check its WhoIs records to get a better idea of what remote content I am opening in my browser.

Figure 2: WhoIs record of the website cham-event.com

In the above image, we can clearly see that the domain “cham-event[.]com” was registered quite recently (10 days ago) and was updated yesterday (the same day the video was discovered). The domain is registered in Kiev, Ukraine to a Nikita Reznikov. However, the recent registration of the domain “cham-event[.]com”, potentially fake WhoIs data (Nikita Reznikov is also the name of a character from the popular TV show NCIS), and its Ukrainian origin linking from a US video definitely raised additional red flags.

Next, I visited the website “cham-event[.]com”. Here I found additional details about this fake Bitcoin exchange/giveaway scam. Figures 3, 4, and 5 show the content of the website.

Figure 3: Bitcoin Exchange/Giveaway scam using @chamath’s name

Figure 4: The attacker tries to explain how the BTC exchange would work, with some examples

Figure 5: These fake transactions are displayed to trick users into believing others are falling for the scam

The above images show that the attacker has crafted a simple website where he provides details about how the “Bitcoin exchange” would work, and then displays several fake transactions to convince users into sending him/her Bitcoins. The scammer uses the Bitcoin address “1Cham1qgWuPJw2Lo2RQmFEfVN3UffUzRkV”. Notice the “Cham” at the start of the address. It indicates that this is a vanity Bitcoin address. Vanity Bitcoin addresses are easy to generate and are known to be used by malicious entities.

Since Bitcoin transactions can be tracked, I looked for any transactions using the address “1Cham1qgWuPJw2Lo2RQmFEfVN3UffUzRkV” on the BlockChain tracker. 

Figure 6: BlockChain Explorer confirms our suspicion that no BTC are ever returned from this address

In the above figure we can clearly see that there is only incoming BTC and no outgoing BTC. This confirms our suspicions about the malicious nature of this website and its source, the live YouTube video.

But how is it that the “cham-event[.]com” website shows those fake transactions? Let’s figure that out. The easiest way to do this is to view the source code of the website.

Figure 7: Page source of website cham-event[.]com

Here we can see that there are three JavaScript files (main.js, config-ripple.js, and jquery.min.js). So, let’s check these files. 

Figure 8: The language locale settings confirms the initial Ukraine link found in WhoIs records

Figure 9: The main.js JavaScript file clearly shows how the Fake randomBTC transactions are created and then displayed on the website

From the above figures we can clearly see that the attacker is simply creating fake BTC transactions using JavaScript and displaying the same on the website, with the hope of fooling naïve users. 

So, if we go back to the source of this Bitcoin scam investigation—the YouTube video (hxxps://www[.]youtube[.]com/watch?v=cFstoyKl99s)—we can see it was a real interview with real people. So, it must be authentic, right? 

Wrong. The embedded “live” video is actually a recorded YouTube interview between Raoul Pal and Chamath Palihapitiya from Dec 24th, 2020. Clearly, neither Raoul Pal nor Chamath Palihapitiya had anything to do with this scam. Instead, this video and their names and reputations have been stolen to create the false impression that this scam is legitimate.

I was able to determine that this video had been hijacked because several times during the interview the video displays the “Real Vision Finance” name and logo on the top right of the screen. It turns out that this is the actual company where the interviewer Raoul Pal works, and that sponsored the original interview, and they have no connection whatsoever to the fake organization hosting their stolen video. To verify this, I searched for “Real Vision Finance Chamath interview” on Google and found the link to the original Dec 24, 2020 interview on Real Vision Finance’s actual YouTube site (https://www.youtube.com/watch?v=gu3vvrLRyZM).

Overall Impact of the BitCoin Exchange Scam

So, what’s the point of this blog? Well, to start, we all need to be aware of scams like this. These scams exist because they are very successful. Using this one scam, for example, the attacker has managed to siphon off more than $73,000 worth of BTC from naïve viewers. And I have based this amount on only the fake BTC addresses that we know of. It could easily be much more—don’t forget that the video is still live, with approximately 2000+ viewers who are potentially being scammed. 

And at the same time, the attacker is also maligning the reputations of the YouTube Platform and billionaire Chamath Palihapitiya (@chamath). And if our suspicions are correct, this could also very well be a legitimate YouTube channel which has been hacked and its original content deleted, potentially having a financial impact on the YouTube channel’s original owner. 

So what? How does it impact me, you may ask? Well, if you already sent BTC to the attacker’s address, then it has already impacted you. And if you have not, then this article should help ensure that you do not succumb to similar crypto scams run by malicious entities. We certainly hope it is the latter.

IOCs

Domain: cham-event[.]com

BTC Address: 1Cham1UKjRnjdsfD28skwjM7J6AWhq1XyL

BTC Address: 1Cham1qgWuPJw2Lo2RQmFEfVN3UffUzRkV

BTC Address: 1Cham1YmUEuzT1gkzTt4dgtzfoWD7y2EHm

BTC Address: 1Cham1vbXv7bUhQCMKkQRXqSeykU4PfFrM

Remediation & Recommendations

Users should routinely check the YouTube channels they subscribe to see if anything appears suspicious. 

We have also reached out to YouTube, asking them to take down this video ASAP. And we have submitted the BTC IOCs to the BitCoin Abuse Database. 

Users can also protect themselves by using Fortinet’s Threat Intelligence Services, such as FortiGuard Web Filtering and FortiGuard Botnet Services, which would block access to such malicious entities.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training programSecurity Academy program, and Veterans program.