Tell of Spring – Exposing crypto scam affiliate networks


Tord Lundstrom (Qurium), [… (…)] and Sam Harper (Cyber Citoyen).

(Note 16/7/2024: The contact details of one of the researchers of this investigation have been removed from this article)

Introduction

There was once a time when unsolicited advertisements would arrive in our physical mailboxes. The Internet made those printed ads obsolete and they were soon replaced by e-mails. E-mail spam was the most commonly-used mechanism to lure victims into all sorts of scams. It was the time of Viagra, lottery prizes and dating scams.

In recent years, targeted advertisements have become the technology of choice to promote new financial products. Binary options, Forex or crypto investments flood social media, and big tech companies are happy to run ads that provide the means for affiliate advertisement networks to grow.

As technology evolves, so too have criminal networks. These structures have built out new schemes that combine the expertise of multiple criminal actors. Consumers of social media receive targeted advertisements, which in many cases impersonate existing media and abuse the image of famous individuals to promote the wonders of crypto investments.

Readers of social media can find videos and articles promoting new investments with the promise of a get-rich-quick scheme. When future victims show interest and provide their phone number and contact details, personal phone calls seduce the victims, guiding them on how to make these “lucrative” investments. The final outcome enriches members of organized crime and its facilitators, who share a part of the revenues.

These financial “opportunities” aren’t just malicious scams. They also show the total lack of accountability in the advertisement industry. Advertisements impersonating well-established media, fake videos and fabricated audio productions are symptoms of a much bigger problem: the willingness of tech platforms to accept any and all advertisers — as long as they pay.

This investigation shows that not only is it possible to identify the advertisement networks that run these campaigns, but that it is also possible to disrupt their business model if there is a real will to do so.

Our investigation shows that affiliate networks make an effort to hide their association with the financial products they promote. These outfits hide behind bulletproof hosting providers, offshore companies and operate tens of thousands of domain names.

Meet the people flooding your daily life with crypto scams and turning the Internet into a junkyard.

“The actors”

Scummy financial investments are advertised on websites designed by “Affiliates” to drive traffic (leads) to the “Advertisers”. The advertisers receive the personal data of the victims. Then, call centers run by the criminals work to convince these victims to invest in schemes or products that are worthless or do not exist. The majority of these investment frauds are run out of offices known as “boiler rooms”.

“Affiliate Networks” act as brokers of these transactions, paying affiliates to promote the financial products and ensuring that advertisers and their boiler rooms receive the phone numbers and details of their future victims.

To ensure that everyone gets paid and profits from the scams, the affiliate networks operate traffic management software that tracks the performance of their affiliates and the actions taken by their victims. For example, an affiliate is rewarded with a commission when a victim is put in contact with a “boiler room”. Affiliate networks not only earn a brokering fee as intermediaries but are the key element ensuring that the identity of the criminals remains unknown.

Research approach

One of the challenges in understanding who runs the advertisements for scummy financial investments is to identify the different traffic management software solutions that they run. Understanding the workings and the infrastructure of these networks provides the means to identify which affiliate network is behind the promotion of the scams.

Not surprisingly, the tracking software that pushes information about the victims’ actions is not in the public domain and is only shared privately with affiliates and publishers.

Once we have learned the specific communication protocols and their associated affiliate networks, we can dig into the history of their offerings. By knowing what products have been offered through an affiliate network we can conclude whether that affiliate network is often used to promote financial scams.

The impersonation of a newspaper and a famous politician

During Qurium’s previous work, jointly published with Le Monde, we identified the Russian affiliate network RPT connected to crypto scams. This time our investigation started with an impersonation of The Philippine Daily Inquirer that included an article promoting a crypto investment. In this case, the article used the identity of Raffy Tulfo, a Filipino politician and media personality, both in the fake Inquirer and on the publishing platform Medium.

The promoted site, a clone of the real Inquirer.net, used the domain liberation-news{.}com.

These articles link to the domain name snbghllytrk{.}com, which is used to run a second redirect to a set of domains hosted at 162.19.231{.}202:

official-platform{.}com. 
official-site-offer{.}com.
official-site-platform{.}com.
the-official-website{.}net.
best-money-deal-daily{.}com.

Other domains on the same machine include:

devself{.}xyz. 
newsbbi{.}com.
immediate-1x-cipro{.}online.
immediate-neupro-2-0{.}online.

All the sites that promote the crypto scams display a form of this type:

Where is the form data sent? As the investigation reveals, the answer depends.

An OSINT working group is formed

Despite the different names of the scams promoted, the domain name snbghllytrk{.}com was the first common entry point to all of them. When Qurium did a quick search for snbghllytrk we found that we were not the only ones investigating the case. Both […(…)] and Sam Harper from Cyber Citoyen (Quebec) were following the same leads.

Both of them had looked at the activity surrounding the domain snbghllytrk{.}com in different time periods and, to our surprise, they recorded the form sending the collected data to different locations.

Qurium contacted […] and Harper and we quickly agreed that our joint mission, should we decide to accept it, was to identify each of these affiliate networks.

During two intensive weeks in April we analyzed the different API calls to determine where the affiliate responsible for promoting the scams was driving the traffic, and to which associated affiliate networks the leads were delivered:

We identified three different API calls:

Date      Fetch call                                                     Domain              Vars               CPA Network
13 March  https://regapi.trafficon[.]co/secured-registration             trafficon[.]co      aff_id, offer_id   Trafficon
13 April  https://ss2701api[.]com/v3/affiliates/lead/create              ss2701api[.]com     Token              Supreme Media
23 March  https://scfourllogin[.]com/api/v1/brokers/login/redirect.php   scfourllogin[.]com  Binom, intgrtn     getlinked, roicollective
Communication protocols (APIs) found in the promotions of one single affiliate

Affiliate network 1: TrafficON

The […] has since March 2024 been investigating misleading advertisements posted on social networks, spoofing the names of French celebrities and major news media to promote fraudulent crypto-trading offers.

By following the trail of more than 400 publications on Medium, it detected a specific pattern passing through three distinct domain names to land on the sales page, like this:

Among the various affiliates operating under this scheme, the most prolific at that time was recognizable by its API hosted on a subdomain of trafficon{.}co.

Tracking API from TrafficOn

TrafficOn is an affiliate network active since 2014, specialized in online gambling, betting and trading, mainly in the Casino, Sportsbook, Forex and Crypto verticals. It operates earnings-per-click (EPC) and cost-per-acquisition (CPA) programs with a minimum payout of $100 and boasts of belonging to “a group that has paid more than 50 million dollars per year to Affiliates and Partners”.

Trafficon Webpage

This group is Affilomania Ltd. It is headquartered in Ramat Gan (Tel Aviv) but has its offices at Metsada 7, Bnei Brak, just like TrafficOn. It also owns Proftit, a subsidiary that develops a CRM aimed at providing a complete business automation solution for Finance and Gaming Industries.

Founded in 2013, Affilomania soon became known for illicit activities. In 2018, its name surfaced when a massive binary options fraud that had raged from 2000 to 2017 was uncovered. When the affair broke, it was identified with BoaElite, self-described as “the largest affiliate network for the financial markets”. But that brand was originally launched in early 2013 by SpotOption Ltd, a Ramat Gan-based company founded in 2009, which was the main binary options platform provider, used by hundreds of websites in a huge global scam.

It is unclear what became of BoaElite. Although stripped down, the website www.boaelite[.]com is still online. While the company is supposedly “in willful dissolution”, some employees continue to connect with it on LinkedIn. On ZoomInfo it is said to be based in Prague, Czech Republic. Elsewhere there are hints that BoaElite has been resurrected as TrafficOn.

Affilomania goes to great lengths to hide its ties to TrafficOn. The two names never appear together in the same place. Until someone makes a mistake… Not to mention that the Internet records everything: almost all TrafficOn employees listed on ZoomInfo are also listed at Affilomania.

Job advertisement of Affilomania including “TrafficON”

Despite its dark origins, TrafficOn often exhibits at major trade fairs such as SiGMA or iGB Affiliate, where it has sometimes been a gold sponsor, and communicates through the voice of its managers.

The company also stimulates its network with what it calls the “Candy Shop”: for each lead converted into a sale, the affiliate pockets “TraffiCoins”, which allow them to “buy” high-end products (Rolex, Breitling, MacBook, iPhone, etc.) of unknown origin and with a market value that may exceed €100,000.

Candy Shop from TrafficON to reward affiliates

The owners

According to FinanceFeeds, BoaElite was owned and operated by Leon Okun, a co-founder of SpotOption and former senior executive at the company. He is currently listed as a member of Affilomania.

Leon Okun featured in the March 2013 issue of eGaming Review, alongside Pini Peter (SpotOption)

In 2022, Leon Okun also founded the fintech software provider Inabit Tech Ltd, a Bnei Brak-based company that provides a crypto asset management platform, where he sits alongside Tomer Shaham, former VP Product and CEO at Affilomania. Indeed, many employees moved from Affilomania to Inabit or state on LinkedIn that they currently work for both. Notably, the same “Talent Acquisition Specialist” is responsible for recruitment at Affilomania, Proftit and Inabit.

Inabit executive team on inabit{.}com company page
Tomer Shaham Bio

Affiliate network 2: Supreme Media

During the investigation Qurium noticed that, for a period of time, the form responsible for forwarding the victim’s data was making use of a WordPress plugin named suprememedia-api.

The plugin loaded the JavaScript file js/ip.js to geolocate the reader. The geolocation was done by making a request to the online service ipinfo{.}io.

Once IPInfo returns the country, the website renders the form and content in the local language of the victim. Once the victim has completed the form, the data is sent to the website “ss2701api{.}com” via an API call (v3/affiliates/lead/create).

Using the online tool urlscan{.}io we found all the sites that were using the suprememedia-api plugin. Each website listed is a landing page of the same scam machinery.

Urlscan.io lists all websites where the suprememedia-api plugin is running.

Source code of contact form leads us to the domain ss2701api{.}com.

By analyzing the source code of the contact form we can see that the domain name ss2701api{.}com is also used to fetch the content displayed to the user. This finding links the domain name ss2701api{.}com to the WordPress plugin (suprememedia-api).

The owners

Meex and Rose, Supreme Media (Cyprus)

Supreme Media (trading as Amashen) is a Cypriot company run by Benjamin (“Ben”) Rose, Guillaume Meex and Louka van der Wolf. Despina Zenonos is responsible for recruitment, including the staffing of call centers.

Supreme Media was launched in 2018 as a rebrand of Media500 and currently operates in several verticals, including Crypto, Casino and Nutra. Supreme Media also runs supremecode{.}com.

According to social media, Ben Rose also ran ihforex{.}com, a Forex investment portal that back in 2011 followed the same logic as today’s crypto scams.

Supreme Media runs campaigns with Monetize Ad, a digital marketing firm that has been flagged for conducting Bitcoin scams.

Supreme Media collaborates with MonitizeAd who allegedly runs Bitcoin scams.

Requirement announcement to Supreme Media’s call center in Cyprus.

Supreme Media is associated with Amashen Limited in Cyprus. According to the Cyprus company registry, Amashen was originally created by the Cyprus-registered companies Amarok Limited (50%) and Shenron Limited (50%). Later the company was registered in the name of Manifika Star Ltd (Seychelles, Panama Papers) and finally in the name of Guillaume Meex.

Apart from his role in Supreme Media, Guillaume Meex is one of the three founders, with Louka Van De Hel and David Grare, of Marketiz, a French marketing company from Foulayronnes.

According to the Panama Papers, Meex is also behind Wellgardenterprises.

In 2018, Meex, aka “lilolior”, was presented at Affiliate World in Barcelona as co-founder and CEO of Media 500.

Affiliate Network 3: ROI Collective

In March 2024, Cyber Citoyen discovered that ads featuring Quebec TV personality Normand Brathwaite had started appearing on Facebook promoting crypto investments. The social network owned by Meta is still serving them, as new ones keep getting posted with other local celebrities. These ads redirect users to fake websites made to look like legitimate news sources, such as La Presse or the Journal de Montréal.

During our research we found, and decided to focus on, a large number of Medium articles about some super secret financial investment app. This affiliate seems to rely on Medium’s ranking in Google searches to lure its victims. According to these “articles”, the celebrity got into trouble for sharing the link to this app. This of course never happened.

The final landing page of the articles included yet another piece of code responsible for sending the victims’ data to an affiliate network. Using urlscan{.}io we downloaded and analyzed different versions of this API code and extracted the various “endpoints” used by the software.

Ads promoting crypto scams on Facebook
API discovered thanks to a YouTube video from getlinked{.}io

The domain names used recently (such as server.fsbckup[.]com, server.fl-bckup[.]com and server.flbckup[.]com) were of little help, as their registration data is confidential. However, we found that between 2018 and 2020 the endpoints of this API, which was also used in boiler-room type scams, were hosted on the following domains: server.getlinked[.]io and server.roicollective[.]com.

“intgrtn” (integration) Communication API

Getlinked (Israel): the tracking software

Getlinked is a business that offers a software platform to manage affiliate marketing campaigns. This kind of software is useful for tracking traffic from affiliates to vendors to know who should be earning the commissions.

There is very little public information about this company. According to the professional social network LinkedIn, the co-founder of the enterprise is Gal Friedman based in Tel Aviv, Israel.

We contacted Getlinked to let them know that their software was being used by bad actors and asked for an interview. A spokesperson for the company, who did not give us their name, answered that: “Getlinked is a software (SaaS solution) used by many companies around the world to manage their affiliate networks, online traffic, leads, campaigns and affiliates.”

They added that they do not run affiliate networks themselves and that “[o]ur terms of services strictly prohibits any illegal activity including copyrights infringement etc”.

Getlinked concluded by saying that if we “think anyone breached our terms it is done without the knowledge, consent or permission from our side and you should approach them directly”.

In an answer to our follow-up questions, Getlinked stated that “all the affiliate relationships are between them and the affiliate networks and we have no knowledge or take part of it”. They also added that when receiving complaints, they “immediately look into it and take action in case it’s needed”.

Promotional material published by Getlinked states that client data is encrypted and that they do not have access to it.

However, the business also explains on their website that their product is “not a shelf-product solution, which means you cannot register, open an account and start working by yourself”. According to the available information, the process to start using the platform involves working with their technical team to set up the affiliate network.

Perspecta LTD (Bulgaria): software developer

Perspecta LTD is a Bulgarian company whose CEO is Rosen Marinchev. A 2021 archived copy of the company’s website, perspecta-soft[.]com, states that they “operate as an R&D department for GetLinked.io”. An older version of the website, from 2018, states that they are the R&D department for another affiliate marketing company, TactiClicks.

Marinchev LinkedIn Page

One of the products developed by Perspecta is a video-hosting platform called VIDIT[.]IO. A search for this domain on urlscan.io returns many results associated with the same API, linked to Getlinked and ROI Collective, that we were investigating.

ROI Collective (Hong Kong / Israel): marketing online gambling and “finance”

ROI Collective is an affiliate marketing network specialized in online gambling. According to its website, the parent company, Blue Media, is registered in Hong Kong.

In an interview published on Facebook, Matt Aizen who is an affiliate manager at ROI Collective explained that his company had visibility into the activities of its affiliates: “We supervise the traffic from the click all the way to the deposit, all the way to the sales themselves.”

Moshe (Hiko) Rajczyk

According to WHOIS records, the domain name roicollective[.]com, which now redirects to a website at the main domain name roi-collective[.]com, was registered by Moshe (Hiko) Rajczyk in 2016.

Moshe Rajczyk is the founder of Yomora 4Media, a business based in Cyprus that offers financial and legal services for the affiliate marketing, online gaming and Fintech industries.

According to the Cyprus business registry, Moshe Rajczyk is the director of ROI Play LTD, one of the brands used by ROI-Collective, which includes mr{.}click and roiplay{.}com. The LinkedIn page of Yomora 4Media also publishes job offers for the affiliate marketing network company.

We reached out to Roi Collective, Yomora 4Media and Moshe Rajczyk for comment. As of publishing, we have not obtained any response.

Bullet proof infrastructure

Searching for other websites that use the same API call, “api/v1/brokers/login/”, we found several online postings (1) and (2) related to the scams CoinNewsSpan{.}com and Profit-Edge{.}online.

The endpoint server of their API, server.fsbckup{.}com, can be found by reviewing afps{.}xyz/api/v1/integration/sdk.js or scfourllogin{.}com/api/v1/integration/sdk.js.

The domains are part of hundreds of domain names used to run financial scams. They are systematically hosted at Alliance64 (Russia), Snel (Netherlands), 3NT SOLUTIONS (Russia), BlackHost (Seychelles) and IPConnect (Seychelles).
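The table in “An OSINT working group is formed”, the suprememedia-api plugin flow (ip.js → ipinfo.io → ss2701api.com) and the sdk.js pivot above all come down to the same task: take what urlscan.io recorded for a landing page (the HTML and the scripts it loaded) and decide which affiliate network the lead form feeds. The script below is an added example written for this article, not code from the investigation or from any of the networks described. The three fingerprints are the API calls documented on this page; the landing-page captures, the .example hostnames and the line `var server = "https://server.fsbckup.com"` inside the SDK are constructed stand-ins (the real sdk.js is not reproduced here), and the classifier also lists every third-party host a page talks to so that new, unfingerprinted sinks show up for manual review.

```python
"""Fingerprint which affiliate network a scam landing page hands its leads to.

Added example, not code from the investigation. Patterns come from the API
calls documented in the article; all page captures below are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Network fingerprints: the fetch/XHR targets documented in the table above.
# Matched against the raw page text so that an endpoint assembled at runtime
# (server + "/api/v1/...") is still caught, not only fully written-out URLs.
FINGERPRINTS = [
    ("TrafficOn", re.compile(r"regapi\.trafficon\.co/secured-registration")),
    ("Supreme Media", re.compile(r"ss2701api\.com/v3/affiliates/lead/create")),
    ("Getlinked / ROI Collective",
     re.compile(r"/api/v1/(?:brokers/login/redirect\.php|integration/sdk\.js)")),
]

# Supporting indicators: none identifies a network alone, but each is part of
# the lead-collection machinery described in the article.
INDICATORS = {
    "suprememedia-api plugin": re.compile(r"/plugins/suprememedia-api/"),
    "ipinfo.io geolocation": re.compile(r"\bipinfo\.io\b"),
    "aff_id/offer_id tracking vars": re.compile(r"\b(?:aff_id|offer_id)="),
}

# Absolute URLs inside HTML/JS; stops at quotes, whitespace and brackets.
URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?:/[^\s"'<>)]*)?""")


@dataclass
class LeadSinkReport:
    page_url: str
    networks: list[str] = field(default_factory=list)
    endpoints: list[str] = field(default_factory=list)
    third_party_hosts: list[str] = field(default_factory=list)
    indicators: list[str] = field(default_factory=list)


def classify_page(page_url: str, bodies: list[str]) -> LeadSinkReport:
    """bodies = the page HTML plus every script body fetched for it."""
    text = "\n".join(bodies)
    report = LeadSinkReport(page_url=page_url)
    page_host = urlsplit(page_url).hostname

    for network, pattern in FINGERPRINTS:
        if pattern.search(text):
            report.networks.append(network)

    for url in sorted(set(URL_RE.findall(text))):
        host = urlsplit(url).hostname
        if host and host != page_host and host not in report.third_party_hosts:
            report.third_party_hosts.append(host)
        if any(p.search(url) for _, p in FINGERPRINTS):
            report.endpoints.append(url)
    report.third_party_hosts.sort()

    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            report.indicators.append(name)
    return report


def network_counts(reports: list[LeadSinkReport]) -> dict[str, int]:
    """How many captured pages feed each network (the urlscan pivot question)."""
    counts: dict[str, int] = {}
    for r in reports:
        for n in r.networks:
            counts[n] = counts.get(n, 0) + 1
    return counts


# Constructed captures (hostnames and script contents are stand-ins).
SAMPLES = {
    "https://landing-a.example/lp/": [
        '<form id="lead"><input name="phone"></form>'
        '<script src="/wp-content/plugins/suprememedia-api/js/ip.js"></script>',
        'fetch("https://ipinfo.io/json").then(r => r.json()).then(g => render(g.country));',
        'fetch("https://ss2701api.com/v3/affiliates/lead/create", {method: "POST",'
        ' body: JSON.stringify({token: TOKEN, phone})});',
    ],
    "https://landing-b.example/": [
        '<script>var x = new XMLHttpRequest();'
        'x.open("POST", "https://regapi.trafficon.co/secured-registration?aff_id=1&offer_id=2");'
        '</script>',
    ],
    "https://landing-c.example/": [
        '<script src="https://scfourllogin.com/api/v1/integration/sdk.js"></script>',
        # constructed sdk.js: the endpoint is assembled at runtime
        'var server = "https://server.fsbckup.com";'
        'xhr.open("POST", server + "/api/v1/brokers/login/redirect.php");',
    ],
}


def scan_all(samples: dict[str, list[str]] = SAMPLES) -> list[LeadSinkReport]:
    return [classify_page(url, bodies) for url, bodies in samples.items()]


if __name__ == "__main__":
    reports = scan_all()
    for r in reports:
        print(r.page_url, r.networks, r.endpoints, r.third_party_hosts, r.indicators)
    print(network_counts(reports))
```

Matching fingerprints against the whole text rather than only extracted URLs is what catches the third case: the Getlinked SDK only ever mentions `/api/v1/brokers/login/redirect.php` as a path concatenated onto a `server` variable, so a URL-only scan would see the SDK download but miss the lead sink itself. The third-party host list is the manual-review queue: a host that is neither the page itself nor a fingerprinted endpoint is a candidate for a network not yet catalogued.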

80.87.206.180 Alliance64 (RU)
193.34.166.202 Snel (NL)
185.162.235.87 Alliance64 (RU)
38.180.33.13 3NT SOLUTIONS LLP (RU)
185.142.236.235 Black.HOST (SC)


Black.host is a bulletproof hosting provider registered in the Seychelles with an address in Switzerland. The contact person of Black.host is Genevieve Odette Rona Magnan, who in the Panama Papers lists herself as residing in Belize and is associated with more than 300 companies, including OneMillion Ltd, DexterFX and Eclipse Finance Ltd. An article published by Inkyfada provides background information on Genevieve Magnan and SFM Corporate Services, a firm specializing in the establishment of offshore companies.

Conclusion

This research aims to shed light on a large network of affiliate marketers responsible for the promotion of crypto scams.

The research conducted jointly by […(…)], Cyber Citoyen (QC) and Qurium (SE) has managed to identify three affiliate networks used by one single affiliate for the promotion of crypto scams.

The promotion of dozens of fraudulent investment apps has been traced back to TrafficOn, Supreme Media and ROI Collective, three affiliate networks with ties to Tel Aviv (Israel).

By analyzing the communication protocol between the websites that collect the victims’ information and the affiliate networks, we also managed to identify the use of “Getlinked”, an affiliate tracking software with offices in Tel Aviv and developed by the Bulgarian company Perspecta Ltd.

During our research we also discovered that actors involved a decade ago in other forms of financial scams, such as binary options and Forex investments, have evolved into the promotion of crypto scams. These affiliate networks, which rely on paid advertisements to promote their fraudulent schemes, are behind the impersonation of legitimate media. Holding accountable those who share the profits is a necessary step to protect future victims and clean up our Internet.

Credits

Thanks to Andreas Cosma (OCCRP) for helping out with all the registration information coming from Cyprus.