26 March 2024
The Scam Machinery
– Did you see the Le Monde article revealing how Le Pen earned a fortune on crypto trading? I checked out the trading platform she was using and was quite impressed. Simple to use, transparent trading, free demos with money to use, and personal contact with a professional trader. I left my number and they will call me up later. No harm in trying, right?
Welcome to the world of crypto trading scams, where a chain of fraudulent activities finally results in the loss of the life savings of thousands of crypto-enthusiastic everyday people.
Three weeks ago, Qurium released the report Deep fake of Maria Ressa connected to Russian cyberscam network, a joint investigation with Rappler.com, revealing how cloned media websites, disseminated via Facebook Ads, were used to promote cryptocurrency investment frauds, political disinformation and sales of fake products that never even existed.
Our investigation took a new turn as investigative journalists from Le Monde (France) reached out: they were investigating the same kind of fraud, where Le Monde had been impersonated in articles promoting crypto investment platforms, which had led to hundreds of people losing their life savings in fraudulent investments.
During the past weeks Le Monde has engaged with dozens of scammers to research this nefarious industry and illustrate how many elements are in common with online disinformation campaigns such as the Doppelganger. Qurium has joined Le Monde on this journey to investigate and document how networks of financial criminals invest in targeted advertisements to achieve their goals.
Eight elements are in common among all the targeted advertisement scams that we have investigated. They are presented in detail below as they are key for understanding the investigation.

The investigation is divided into three parts:
- Part I (The Ads): Explains how Ads in Facebook are used to drive victims to join crypto-scams, how clones of newspapers are used for dissemination and which companies drive traffic to the fake media.
- Part II (The Investment Portals): Reviews a number of dashboards used to lure victims into crypto trading (CFDs) and how these dashboards share the same code and functionality.
- Part III (The Payment Gateways): Dives into three different secure payment gateways used by crypto scammers to receive payments: PaymentCMS/Stripe, Dike Shiald/Flutterwave and Cashir/Casgate.
Part I – From a paid Ad to a crypto investment
Meet Fafa and Peter Parker
Please meet “Fafa”, a fake Facebook user with 0 reviews, 0 likes and 0 followers but with a great interest in buying Ads on Facebook. Fafa’s account had been hibernating since its creation in 2020, but is now suddenly promoting content.
In March 2024 Fafa published several Ads with the title “Ce sont les derniers mots et fin de sa carrière”, which translates to “These are the last words and the end of her career”. The images of these Ads did not match the title at all.
The “transparency” feature provided by Facebook allows us to see that the Beneficiary and the Payer of the Ads are the same – namely Naomi. At this point we can assume that “Fafa” is in fact “Naomi”, the Game Publisher with 0 friends, 0 likes, 0 reviews and 1 credit card.

Facebook applies its “rigorous security checks” to the Ad content, withdraws the money from “Naomi” (Fafa) for the advertisements and displays a seemingly innocent advertisement. However, it is no secret to anyone familiar with Facebook Ads that it is trivial to change the content of an Ad that has already passed Facebook’s security check.
The Facebook Ads – published on the domains outcalmtcs{.}com and distriklrs{.}com – are no longer showing coffee and cookies. Instead, the content has been replaced with a fake article impersonating Le Monde with the title “The Central Bank of France sues Marion Maréchal-Le Pen for her statements live on television”. The fake article claims that Maréchal-Le Pen has promoted a “crypto investment” that promises to reveal “Everything You Need to Unlock Your Potential”. The article includes links to the crypto investment platform.
“Naomi” is not alone in her quest to share the secrets of becoming a billionaire: similar viral content is promoted by hundreds of other pages, including a “Finnish” page with a Chinese phone number run by “Peter Parker” that also impersonates Le Monde and drives traffic to equivahstm{.}com/c7JSm8Wj.

Finding the owners of the cloned site
Among the hundreds of domains used to clone media outlets we discovered that a large number of web pages have a specific piece of code in common: the code, labeled “Domonetka” (Домонетка).
By reviewing hundreds of disposable domains associated with the Le Monde impersonation campaign we found that a large cluster of them load a JavaScript function from the domains firstekioq{.}com or ewoo{.}xyz and later on interact with the advertisement tracking platform Keitaro, which is hosted at beercaewid{.}com and ewoo{.}xyz.
Finding the people behind Ewoo and Keitaro
During our quest to find the friends of Peter Parker and Naomi, we needed to identify where the Keitaro tracking software was hosted and who runs the ewoo{.}xyz domain.
Open source intelligence tells us that the domain ewoo{.}xyz is registered to Ivan Ivanov with the email address <leomozg16{@}mail.ru> and runs on the IP address 159.89.27{.}168 at Digital Ocean, and that beercaewid{.}com runs at Zomro B.V. NL (NovoServe BV) on the IP address 212.162.152{.}200.
Not surprisingly, the e-mail account <leomozg16{@}mail.ru> was not run by Ivan Ivanov: according to the Russian domain registrar Reg.ru the email is associated with Belov Leonid Alekseevich, who together with Rutman Yakov Alexandrovich runs the RPT Company. The RPT Company operates as a “Traffic arbitrage”, a trusted middle-man between buyers and sellers of traffic.

Who runs the Keitaro servers?
We looked into every single domain that landed on the server 159.89.27{.}168 where the RPT Company’s ewoo{.}xyz domain is currently hosted. One of the domains that we found was discotxzgh{.}com/?_lp=1, which does not just serve crypto scams but also promotes Mexican hammocks. Finally something not fraudulent, or is it?
The Mexican hammocks that are promoted via the same Keitaro server are sadly associated with “TD Globus Contract”, the very same scam network that we previously linked to Russian advertisement agency M1.

Dozens of other websites are pointing to the same Keitaro server containing code that pushes data to api.m1.top.
Several interviews with the RPT Company can be found online (1), (2), (3). In the interviews Leonid and Yakov are very outspoken about their methods, including the use of mobile proxy providers or Dolphin software for automation. RPT also describes how simple it is for them to pay Facebook for advertisements. More details of the relationship between M1 and RPT can be found in this video interview.
Key findings
This is what we know so far:
- Fafa/Naomi and Peter Parker paid for Ads on Facebook pointing to fake articles on websites that cloned Le Monde.
- The clones of Le Monde used dozens of domains that pointed to at least two Keitaro servers: 159.89.27{.}168 (Digital Ocean) and 212.162.152{.}200 (Zomro BV).
- RPT Company: The domain name ewoo{.}xyz is used in this advertisement campaign and is registered in the name of Belov Leonid Alekseevich, who runs RPT Company together with Rutman Yakov Alexandrovich.
- M1: The Keitaro servers used for these campaigns have also been used to host other scam campaigns, such as the fake goods of “TD Globus Contract” and associates that are promoted by the Russian agency M1.
The master plan
Time for a re-cap of what we have learned so far. In Part I we have seen how the victim (1) reads a paid Ad in Facebook that directs them to a (2) Keitaro server managed by a Traffic Arbitrage company (in our case the Russian RPT Company), which re-directs to a (3) fake article impersonating Le Monde. The fake Le Monde article includes a (4) link to a fake crypto investment portal where the victim requests a demo via a (5) Call Center.
Part II focuses on the customized dashboards used by the crypto scammers and Part III will introduce you to the Payment Portals used.

Part II – The CFD Dashboards
To understand how the crypto scams work, we need to understand the basics of CFDs (Contracts for Difference). While in traditional trading with stocks or Forex the investor owns the assets, in the CFD market the buyer (the victim of the scam) is simply gambling via a broker on whether the price of a certain asset will go up or down during a period of time. To start trading (gambling), the seller (the scammer) will require the victim to make a deposit (leverage) into the platform.
These crypto scams lure the victims into repeatedly placing real money (not crypto) deposits on the CFD platforms and make sure that the victims never have a realistic chance to withdraw any money, since high commission fees and delays are part of the scam scheme. When the victim starts to suspect that he/she is being scammed, he/she will be ignored, kicked out of the platform, and eventually the portal and its friendly brokers will just vanish.
Several victims have reported that no real trading takes place inside of the CFD platforms and operators use the dashboards to show the victim quick profits and to convince them to make larger deposits.
The CFD dashboards
During this investigation we reviewed a total of eight CFD online platforms that were presented to the victims once they had registered and, after a phone call from a friendly broker agent, had been manually approved for a trial.
This is a summary of our findings:
Bullet proof hosting
Many of the platforms are hosted at bullet proof hosting providers that accept cryptocurrency, such as Aeza, Cherry Servers and Stark Industries. At the Lithuanian providers Cherry Servers and Stark Industries we were able to find close to 300 dashboards running the same software, which resembles Webtrader MT4.
Dashboard as a service
Several hundred websites use the very same code to operate their panels. When we loaded one of their dashboards (tradezilla) we observed how information was exchanged with a central server and how that information was then used to provide the look-and-feel of the dashboard. Hence, a central server is able to control the look-and-feel of hundreds of CFD dashboards used for crypto scams.

The dashboards load content from the domain p-cdn.co that is hosted with the Bulgarian bullet proof hosting provider Neterra at 87.121.52{.}201. We have identified a total of 294 domains running the very same dashboard, the large majority of them hosted with Cherry Servers and Stark Industries.
Similarly, another type of CFD dashboard found at Golden Shark loads its assets from the domain crmjoker{.}com hosted with Russian reg.ru. We have identified more than 30 VPS in Hetzner (DE) that are used to host sites running crmjoker.
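The clustering technique behind both findings, the cloned Le Monde pages sharing the Domonetka loader and Keitaro host in Part I and the dashboards sharing p-cdn.co or crmjoker.com above, can be reproduced with a small script that extracts the third-party hosts each page loads from and groups pages by them. This is an added example, not Qurium’s tooling; the HTML snippets and file paths in SAMPLE_PAGES are constructed, only the host names come from the report.

```python
# Added example, not Qurium's tooling: group pages by the external hosts they load
# scripts and assets from (the Domonetka/Keitaro hosts of Part I, the p-cdn.co and
# crmjoker.com dashboard assets of Part II). SAMPLE_PAGES is constructed input.
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the report links to the scam infrastructure; labels paraphrase the report.
KNOWN_INFRA = {
    "firstekioq.com": "Domonetka loader",
    "ewoo.xyz": "Domonetka loader / Keitaro (RPT Company)",
    "beercaewid.com": "Keitaro tracker",
    "p-cdn.co": "Webtrader MT4 dashboard assets",
    "crmjoker.com": "crmjoker dashboard assets",
}

class ExternalHostParser(HTMLParser):
    """Collect hostnames from script/img/iframe src, link href and form action."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = self.ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        host = urlsplit(url).hostname if url else None  # None for relative URLs
        if host and host != self.page_host:
            self.hosts.add(host.lower())

def external_hosts(page_host, html):
    """Return the set of third-party hosts a page pulls resources from."""
    parser = ExternalHostParser(page_host)
    parser.feed(html)
    return parser.hosts

def cluster_by_infra(pages):
    """pages maps page host -> HTML. Returns (clusters, hits): clusters maps every
    external host seen on 2+ pages to the sorted pages using it; hits maps each
    page to the KNOWN_INFRA hosts it loads from."""
    pages_by_host = defaultdict(set)
    hits = {}
    for page_host, html in pages.items():
        hosts = external_hosts(page_host, html)
        hits[page_host] = sorted(h for h in hosts if h in KNOWN_INFRA)
        for h in hosts:
            pages_by_host[h].add(page_host)
    clusters = {h: sorted(p) for h, p in pages_by_host.items() if len(p) >= 2}
    return clusters, hits

# Constructed sample pages (paths invented): two clones, three dashboards, one unrelated site.
SAMPLE_PAGES = {
    "outcalmtcs.com": '<script src="https://firstekioq.com/js/lp.js"></script><form action="https://beercaewid.com/?_lp=1"></form>',
    "distriklrs.com": '<script src="//ewoo.xyz/js/lp.js"></script><img src="/img/logo.png"><form action="https://beercaewid.com/"></form>',
    "cfd.tradezilla.com": '<link rel="stylesheet" href="https://p-cdn.co/mt4/theme.css"><script src="https://p-cdn.co/mt4/app.js"></script>',
    "cfd.crptrade.com": '<script src="https://p-cdn.co/mt4/app.js"></script>',
    "gscompany.trade": '<script src="https://crmjoker.com/assets/crm.js"></script>',
    "benign.example.org": '<script src="https://static.example.org/site.js"></script>',
}

if __name__ == "__main__":
    clusters, hits = cluster_by_infra(SAMPLE_PAGES)
    for host, members in sorted(clusters.items()):
        print(f"{host} [{KNOWN_INFRA.get(host, 'unknown')}]: {', '.join(members)}")
    for page, known in sorted(hits.items()):
        print(f"{page}: {known or 'no known scam infrastructure'}")
```

On the sample input the two clones fall into one cluster through the shared Keitaro host and the two MT4 dashboards into another through p-cdn.co, while the unrelated site matches nothing.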

The following table summarizes some of the CFD dashboards found in this investigation and their hosting providers.
| Service | Domain | Article | IP | Hosting provider | Software |
|---|---|---|---|---|---|
| Dashboard | trade.green-ultra.com/fr trade.royaldiam.com | medium.com/@jesusabuzis/medium.com/@qgnl4xk3ma | 5.252.118{.}22 | Aeza | Laravel |
| Dashboard | cfd.brokerinteraktive.com/ | frenchnewsforbuddy.com/G3nhs4 | 45.133.216{.}251 | Stark Industries | Webtrader MT4 |
| Dashboard | cfd.crptrade.com | | 5.199.173{.}223 | Cherry Servers | Webtrader MT4 |
| Dashboard | cfd.tradezilla.com | via victim | 87.121.52{.}201 | Neterra | Webtrader MT4 |
| Dashboard | smartmarket26.com/deposit/ | | 154.62.108{.}158 | Hostinger | Proftit CRM |
| Dashboard | gscompany.trade/finance gs-company.pro | lemondee.fr | 157.90.35{.}33 194.58.112{.}174 | Hetzner Reg.ru | crmjoker |
| Payment Gateway | joinclub888.live/payments/ (siriustrade.org) | via phone call | 185.61.153{.}108 | Namecheap | PaymentCMS |
Part III – The payment gateways
The payment gateways are used by the victims to transfer real money to the scammers as “deposit”. In this investigation we have identified the use of Stripe, Flutterwave, Bmopay and Momentex to receive the payments.
Green-Ultra & Royal Diam
Aeza International (UK) is the chosen bullet proof hosting provider of Green-Ultra (green-ultra.com) and Royal Diam (royaldiam.com), two trading portals advertised on Medium.

Once we had created accounts in both dashboards we were forwarded to a common payment gateway to deposit 250 USD so that we could start investing in our bright future and “explore our full potential”.

The payment gateway is operated by the American processor Flutterwave and linked to Dike Shiald (KRS0001042807), a company registered in Poland that also runs the Lithuanian DikeShiled. The company has been flagged as a money proxy for other crypto-scams such as Pix Point‘s Vexchange. During our review we found that on just one IP address, 185.46.46{.}61, where pixpalpro{.}com was hosted, twenty more trading platforms could be found. More about Pix Consulting Limited’s licence forgery is available here.

Joinclub888
Another platform that we found during our research asked us to place payments using the website joinclub888{.}live/payments. We discovered that this website runs a software developed by Rapidev{.}tech, a Pakistani software company based in Sargodha.
The company director Abdul Wahab and software developer Abdul Sami operate a Stripe secure payment gateway to collect money from the victims.

Payment is channeled through a UK company “Power Account Media Ltd” that sells books and courses for 250 EUR, the standard starting fee to open an account in the crypto-scam.

Using UK online book stores to wash the money
When we reviewed “Power Account Media” in the UK’s company register we discovered two other companies that have been established to sell educational books for 250 USD. All the companies are registered in the name of Romanian nationals, in April and July 2023. It is not just astonishing that the book “Let us Python” is sold for 250 USD, but that it was not even possible to buy this amazing piece of literature.

| Name | Creation date | Owner | Website | Ref |
|---|---|---|---|---|
| CRISTIAN-LIVIU ZOITA LTD Power Account Media LTD | 13 July 2023 | DIACONU, Marius-Catalin | powermediaacct{.}co powermediaacct@gmail | Ref |
| WIZARD LEARNING CONTROL LTD | 20 July 2023 | FULOP, Samoil | wizardlearning{.}online wizardlearningl@gmail | Ref |
| MAGIC MEDIA COMP LTD | 14 April 2023 | ZOITA, Cristian-Liviu | magicmediacomp{.}pro Magicmedialtd9@gmail office@magicmediacomp.pro | Ref |
| RAPIDEV | | Abdul Wahab, Abdul Sami | rapidev{.}tech rockingwahab9@gmail abdulsami5606@gmail | |

One of the companies was closed from the register immediately after getting an account in a payment gateway.

Casgate
Another crypto portal, meridianfinance{.}pro, which the independent public authority in France (AMF) has already flagged as irregular in a recent Forex blacklist, directed us to make a payment using the portal abncp{.}com hosted at 84.32.188{.}7 at Cherry Servers.
When we looked into the abncp{.}com payment portal, we discovered the use of a proxy domain app.cashir{.}live that is connected with the payment gateway casgate{.}io.

Very little can be found about who runs Casgate, with just a contact address in a flex office in Hong Kong. What we could discover is that cashir.live also seems to be the gateway of choice of a network of online casinos including supergra{.}ua or allrightcasino21{.}online.

This network of casinos is operated by Atlantic Management B.V. (company number: 139089), registered and regulated in Curacao. Atlantic Management B.V., which lacks a license to operate in several countries including Sweden, can be linked to companies in Cyprus, Curacao and the Netherlands. Alina Dobriakova shows as company owner and as registrant of dozens of domains connected to the online casino network. We could also find domains registered in the name Alina Tatarina, who on social media has a profile as CEO of a “Gambling High-Risk Company”. Like Alina Tatarina, other members of Casgate such as Yana Kotenko are based in Kiev.
Back in 2016-2020, several domains run by Atlantic Management B.V. were registered in the name of Kakhaber Ninua. Unfortunately we have no means to confirm whether this Kakhaber Ninua is the Georgian official that shows up in the Panama Papers or in the reports of the Human Rights Center in Georgia.

The fact that a crypto-scam decided to use “Cashir / Casgate” as a payment gateway raises some eyebrows. Casgate, which is used as a payment gateway by Atlantic Management BV, has also made a great effort to remain hidden and hosts the domain casgate{.}io at the bitcoin VPS provider AS399629 BLNWX at 168.100.11{.}89.
Conclusions
Our research shows how fraud and cybercriminal networks heavily invest in targeted advertisements in social media. These networks work closely with advertisement agencies that happily drive victims to fall into fraudulent scams. Fake goods, crypto-scams or disinformation campaigns are among the vertical markets that are run by the same actors.
The use of proxy companies to obtain access to payment gateways is a standard practice; an example of such a practice can be found in the creation of online book stores used by PaymentCMS. Social media platforms, advertisers and payment processors happily accept a transaction fee coming from the stolen money of the crypto scams or from the private or state actors driving disinformation.
The advertisement industry is not only totally broken but has already rooted deep inside the major social media platforms.
Appendix
Once we thought that the time of new scam calls was over, a call from skill-genic{.}com arrived. Skill-Genic is an interesting example of how Meta shamelessly cashes in from Advertisements placed by criminals.

Skill Genic (Claritera Group Kft) and several associated organizations including: admirria{.}tech, aventigo{.}com (Studex Group EOOD), interagio{.}com (Educatix OU), learnspread{.}com (Homingo LTD) or trade-prof{.}solutions cover their scams by selling “trading courses”.
Looking into the country that manages the page of “Skill Genic”, we found Ukraine.

Meta’s Ads Library for Skill Genic is populated with advertisements of courses and training despite the fact that Skill Genic has long been flagged (2) as a scam network.

According to Scam Watcher, Skill Genic works with tradercode{.}com, a crypto investment platform reported for fraud. Decoupling the “course business” from the crypto scam is the main deniability strategy, and each of the online trading training platforms that we encountered follows the same methodology: book stores, training courses and learning centers as front businesses, with several crypto scam dashboards associated.

When we looked into tradercode{.}co we found that the domain and dozens of other crypto portals are associated with a web developer using the domain mycube.kz. Projects such as tradercode1{.}com, ltbcapital{.}com, ltbcapital1{.}com, acta-swiss.com and markets-bank.com, among others, were originally developed under a subdomain of *.mycube.kz.
Mycube is associated with a web design developer in Almaty: Siluyanov Andrey, webdesign84{@}mail.ru. The web developer presents himself as web designer for several companies including A3studio or Kazakhweb.

A3Studio in Almaty is not a newcomer to the design of websites for crypto “investments”; back in 2014 they designed the landing page of Vulktrade, a binary options firm from Israel sentenced for fraud (2).

The list of websites associated to crypto-scams developed by Siluyanov Andrey (boc84man) from Kazakhweb/A3Studio include:
According to Google Transparency, KazakhWeb spent more than 10,000 USD on advertising in the past 90 days, which shows “its ability to help clients consistently identify new growth opportunities and sustain their success on an ongoing basis”. All right!

Acknowledgments
This research was possible thanks to the dedication of Damien Leloup and Florian Reynaud, who over several weeks were able to provide us with data from the key infrastructure used by the crypto scammers.
In the last months several research groups have documented how Facebook is facilitating the growth of disinformation and cybercrime networks. Their reports provided us with irrefutable evidence that our research is not just an exceptional case but a pattern that needs to stop.
- Facebook Hustles: The Hidden Mechanics of a Scam Machinery Impersonating News Organisations and Creators. (Check First)
- Vast Networks of Fake Accounts Raise Questions About Meta’s Compliance with the EU’s New Digital Rulebook. (Reset)
- French prime minister faces onslaught of online attacks. (DFRLab)
- Disinformation on Facebook. (Disinfo EU)
Into the crypt in numbers:
- 1200 domain names screened
- 300 crypto dashboards found
- 34 pages broadcasting ads shared with Meta
- 3 dashboard code base identified (MT4, crmjoker, green-ultra)
- 6 bullet proof hosters found (Aeza, Zomro BV, Cherry Servers, Stark Industries, Neterra, BLNWX)
- 70 phone calls received
- 8 completed interactions with call agents
- 2 weeks receiving scam calls
- 1 VoIP provider identified (Wavecrest +442070978XXX)
- 3 payment gateways identified (Stripe, Flutterwave, Casgate)
- 5 fake trade learning centers found
- 3 fake book stores found
- 2 CPA-networks RPT Team and M1 exposed
- 1 Webdesign company (A3Studio / Kazakhweb) found
- 6 mails sent to actors mentioned in this report. 0 answers.
And yes, we know that Naomi Fafa and Peter Parker are fake accounts!
Media
[Apr 9, 2024] El País Las redes de la estafa
[Mar 28, 2024] Catalin Cimpanu Mastodon A joint Qurium and LeMonde investigation has linked…
[May 15, 2024] The Inquirer Crypto scams impersonating Inquirer.net and other news sites
[2024] AI Forensics Meta Lets pro-Russia Propaganda
[Mar 26, 2024] Le Monde Derrière les fausses interviews d’Elise Lucet ou de Jamel Debbouze, les mafias des arnaques aux placements
