The first time I saw the Elon Musk scammer's website, it surprised me with its high quality.
The website resembled a Medium article written by Elon Musk.
The site looked so good and authentic that, after the first moment of perplexity, only the URL, the missing links, and the non-functioning buttons told me it was a scam.
The scam is nothing new, yet it has changed to some degree from the ones seen in 2018.
The scam process is quite simple. A hacked Twitter account, preferably a verified one, changes its display name to Elon Musk and promotes a crypto giveaway. The promotion is often a reply to an existing tweet from Elon Musk's official account or to tweets from other verified users with a large follower count.
The scams repeat themselves and use the same template.
In my research, I wanted to answer two questions.
- How much money do they make today?
- Did the scam technique change since 2018?
Let’s go to the first step of the process.
The first step starts with tweets announcing the giveaway.
All have one thing in common: they use the same text, and the site URL is not pasted in full but broken up with a space, which the tweet asks the reader to remove.
A simple search for "Hint: remove the space to get prize" will surface the ones that have not yet been banned.
If you want to be notified of such tweets directly, you can set up an automated workflow with Zapier, IFTTT, or a similar service.
These services can alert you the moment the text is tweeted and copy the data into a spreadsheet in case the tweet is later deleted.
I set up the monitoring on 17 November 2020, and within ten days, 40 such tweets appeared, posted by ten different accounts.
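As an added example (not code from the original post), here is a small Python detector for the tweet pattern described above. It runs over constructed sample tweets, not real captures: two handles reuse ones listed later in this post, but the texts, display names and tweet IDs are made up. It flags a tweet only when both the hint phrase and a space-broken domain are present, reconstructs the URL by removing the space, and emits spreadsheet-ready CSV rows of the kind a Zapier or IFTTT workflow would keep. The regexes, the indicator names and the `@elonmusk` handle check are my own assumptions.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample tweets (not real captures). They model the pattern described
# in the post: a compromised account with "Elon Musk" as display name, a giveaway
# pitch, the site URL broken up by a space, and the "remove the space" hint.
SAMPLE_TWEETS: List[Dict] = [
    {"id": 1, "handle": "@MadisonKocian", "verified": True, "display_name": "Elon Musk",
     "text": "I'm giving back to the community! Claim your BTC at musk- web.com "
             "Hint: remove the space to get prize"},
    {"id": 2, "handle": "@someuser", "verified": False, "display_name": "Jane Doe",
     "text": "Just watched the SpaceX launch, amazing!"},
    {"id": 3, "handle": "@WMBDMariaC", "verified": True, "display_name": "Elon Musk",
     "text": "5000 ETH giveaway for everyone -> spacex claim.com "
             "Hint: remove the space to get prize"},
    # Someone quoting the hint to warn others: must NOT be flagged.
    {"id": 4, "handle": "@realfan", "verified": False, "display_name": "Fan of Elon Musk",
     "text": "'Hint: remove the space to get prize' is a scam, do not fall for it"},
]

OFFICIAL_HANDLE = "@elonmusk"  # assumption: the only handle allowed to display that name
# The hint text is the constant the post searches for; the regex tolerates
# the minor rewording "get the prize".
HINT_RE = re.compile(r"remove the space to get (?:the )?prize", re.I)
# A domain split by a single space, e.g. "musk- web.com" or "spacex claim.com".
# TLD list is an assumption; widen it for real monitoring.
SPACED_DOMAIN_RE = re.compile(
    r"\b([a-z0-9-]+) ([a-z0-9-]+\.(?:com|net|org|io|xyz|co))\b", re.I)


@dataclass
class Finding:
    tweet_id: int
    handle: str
    verified: bool
    reconstructed_url: str
    indicators: List[str] = field(default_factory=list)


def analyse_tweet(tweet: Dict) -> Optional[Finding]:
    """Return a Finding when the tweet carries both scam markers, else None."""
    indicators: List[str] = []
    text = tweet["text"]
    if HINT_RE.search(text):
        indicators.append("hint-phrase")
    url = None
    m = SPACED_DOMAIN_RE.search(text)
    if m:
        # Undo the evasion: join the two halves the scammer separated.
        url = (m.group(1) + m.group(2)).lower()
        indicators.append("spaced-domain")
    if (tweet["display_name"].strip().lower() == "elon musk"
            and tweet["handle"].lower() != OFFICIAL_HANDLE):
        indicators.append("impersonating-display-name")
    if tweet["verified"]:
        indicators.append("verified-account")
    # Require both the hint and a broken URL so that people quoting the hint
    # to warn others (tweet 4 above) are not reported.
    if url is None or "hint-phrase" not in indicators:
        return None
    return Finding(tweet["id"], tweet["handle"], tweet["verified"], url, indicators)


def scan(tweets: List[Dict]) -> List[Finding]:
    """Apply analyse_tweet to a batch and keep only the positives."""
    return [f for f in (analyse_tweet(t) for t in tweets) if f is not None]


def to_csv(findings: List[Finding]) -> str:
    """Spreadsheet-ready rows: the record to keep in case the tweet is deleted."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["tweet_id", "handle", "verified", "scam_url", "indicators"])
    for f in findings:
        w.writerow([f.tweet_id, f.handle, f.verified, f.reconstructed_url,
                    ";".join(f.indicators)])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(scan(SAMPLE_TWEETS)))
```

Requiring both markers is deliberate: the hint phrase alone also matches warnings and news tweets, and a spaced domain alone matches ordinary typos, but the two together are the scam template itself.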
Twitter accounts: hacked or phished?
It is unclear if the accounts have been hacked, phished, or exploited with the help of a Twitter insider. Probably it depends on each attack.
| Twitter handle | Verified | Last tweet before the takeover |
| --- | --- | --- |
| @MadisonKocian | yes | 22 Apr 2020 |
| @WMBDMariaC | yes | 27 Feb 2016 |
| @Nicole39077483 | no | still posing as Elon Musk |
| @NatalieGretz | no | 30 Mar 2019 |
| @brockkreitzburg | yes | 13 Dec 2015 |
What is clear is that some of the attacks use verified accounts that have been dormant for long periods. This might suggest that inactive verified accounts are being looked up and targeted.
The domains are registered with either Namesilo or Namecheap. Both registrars offer very affordable domains and accept Bitcoin as payment. But what is most interesting is what powers the scammers' websites.
By poking around the websites, I found that the scams (musk-giving, spacexclaim, musk-web) were all hosted on Netlify.com.
With Netlify, one can instantly build and deploy a site from Git, with custom domains, HTTPS, deploy previews, rollbacks, and much more.
This quick setup seems to appeal to scammers who want to make the process as swift and automated as possible.
When I reached out to the Netlify abuse team to flag the three websites, I received an immediate response and support. The team promptly removed the sites and banned the creators. During our correspondence, the Netlify team member was very open to suggestions and ruled out potential attack vectors.
The exchange ended with a new control that will hopefully mitigate and block similar scams on their platform for some time.
What is true is that scammers will always find ways to abuse free tiers to get results faster. Here I cannot praise enough the quick and cordial efforts of Netlify; I wish others would follow their example.
The Elon Musk image
I could not find any information on the fake Medium template the scammers use. Probably it is sold separately or as part of a bundle of software and services on specific forums or dark web markets with which I am unfamiliar.
One thing that I could find is the origin of the Musk image.
The artwork used on the scammers' website is of high quality, and having looked at countless Netflix, PayPal, and Apple phishing pages of awful quality, I was intrigued by it. After several reverse image searches, first with TinEye and then with Google Images, I found both the creator, Ilya Shapko, and the original file on Dribbble, posted on 10 February 2018.
Bitcoin, Ethereum and a tiny bit of Ripple
All scams ask for a cryptocurrency transfer, promising to send back double the amount. The second transfer, of course, never occurs, and this psychological trick continues to be profitable.
The amounts are far below those of the original 2018 campaigns, which cashed in 180,000 USD.
| Scam website | BTC address | Total deposits (BTC) | Balance (USD) |
| --- | --- | --- | --- |
| Teslamoney | 1F5Y7pPd3T2Vxd46Mv8VqTtsEAJeqfiTiy | 0.58966429 | 10,693 |
| Spacex claim | 17mRiVWkRSFEbhAX9gufPfMAMbbtvKk3Km | 0.76345709 | 13,844 |
| Elon fund | 1DxH2EXyg2JcCHnY4e99vqkaD6a7HRezqY | 0.0094209 | 171 |
| Meneyx | 1DSw2UenUhzBKv1o1Ns8bWSw7xvWRnu7Fc | 0.67624764 | 12,263 |
| Musc giving | 1BtgMgeKCRup34YaqFmprX98US1Byy3inS | 1.57417468 | 28,546 |
| Musk Web | 1sexVdhJHZptdNHTjrt2VZrFEuUf6c9KB | 0.02023436 | 367 |
The new scams ask for Bitcoin or Ethereum, but in Spacexclaim, there was even a request for Ripple.
I was interested in how this money moves and whether it ends up in bigger wallets. At the time of the analysis, the BTC wallets for Musk-giving and Tesla-money had not registered much movement.
But the wallet for Moneyx was older, since that scam started earlier, and it was interesting to search the wallet's transactions manually before taking a snapshot of the journey.
Bitcoins were moved from one wallet to another, probably mixed with a tumbler, until they reached a high-volume wallet owned by a Bitcoin exchange.
I could do this thanks to Brenna Smith's tip about a tool called WalletExplorer. The tool is extremely handy for giving more context to a particular wallet.
It is hard to fully grasp the context and relations of the whole chain of transactions. But the beauty of Bitcoin is that you can sit and watch how the money moves, and sometimes, if the scammer is sloppy, it leads to a publicly known wallet.
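To make the "follow the money" step and the Total deposits column concrete, here is an added Python example; it is not code from the post and not WalletExplorer's method. It runs over a constructed toy ledger: the addresses (A_scam, B_hop1, X_exchange and so on), the amounts in satoshis and the exchange label are all invented. It sums the deposits paid to the scam address, walks outputs breadth-first until it reaches a labelled address, and applies the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) that address-clustering tools such as WalletExplorer rely on.

```python
from collections import deque
from typing import Dict, List, Optional

# Constructed toy ledger (not real chain data). Amounts are integer satoshis
# to avoid float rounding. Each entry lists the addresses a transaction spends
# from and the (address, amount) outputs it creates.
LEDGER: List[Dict] = [
    {"txid": "t1", "inputs": ["victim1"], "outputs": [("A_scam", 30_000_000)]},
    {"txid": "t2", "inputs": ["victim2"], "outputs": [("A_scam", 25_000_000)]},
    # Scammer sweeps the proceeds: one hop out, change to a fresh address, 0.0005 BTC fee.
    {"txid": "t3", "inputs": ["A_scam"],
     "outputs": [("B_hop1", 50_000_000), ("C_change", 4_950_000)]},
    {"txid": "t4", "inputs": ["B_hop1"], "outputs": [("D_hop2", 49_900_000)]},
    # Final hop is co-spent with an unrelated input and lands at a labelled exchange deposit.
    {"txid": "t5", "inputs": ["D_hop2", "F_other"],
     "outputs": [("X_exchange", 120_000_000), ("G_change", 29_850_000)]},
]

# Hypothetical label set standing in for the context a service like WalletExplorer attaches.
KNOWN: Dict[str, str] = {"X_exchange": "exchange hot wallet (constructed label)"}

SATOSHI = 100_000_000


def total_received(ledger: List[Dict], addr: str) -> int:
    """The 'Total deposits' figure: every output ever paid to addr, in satoshis."""
    return sum(amt for tx in ledger for a, amt in tx["outputs"] if a == addr)


def spends_from(ledger: List[Dict], addr: str) -> List[Dict]:
    """Transactions that consume coins held by addr."""
    return [tx for tx in ledger if addr in tx["inputs"]]


def trace_to_known(ledger: List[Dict], start: str, known: Dict[str, str],
                   max_hops: int = 10) -> Optional[List[str]]:
    """Breadth-first walk along outputs until a labelled address is reached.
    Returns the address path, or None if nothing labelled is within max_hops.
    Every output is followed, change included, so this is a lead, not proof."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr in known:
            return path
        if len(path) > max_hops:
            continue
        for tx in spends_from(ledger, addr):
            for out_addr, _amt in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [out_addr]))
    return None


def cluster_by_common_input(ledger: List[Dict]) -> Dict[str, str]:
    """Common-input-ownership heuristic via union-find: inputs spent together
    in one transaction are merged. Returns addr -> cluster representative."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for tx in ledger:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            parent[r] = roots[0]
    return {a: find(a) for a in list(parent)}


if __name__ == "__main__":
    print("deposits to A_scam:", total_received(LEDGER, "A_scam") / SATOSHI, "BTC")
    path = trace_to_known(LEDGER, "A_scam", KNOWN)
    print("path to labelled wallet:", " -> ".join(path) if path else "none found")
    clusters = cluster_by_common_input(LEDGER)
    print("D_hop2 and F_other share an owner:", clusters["D_hop2"] == clusters["F_other"])
```

The breadth-first trace mirrors what the manual click-through does: each hop is a transaction spending from the previous address, and the walk stops at the first address with a known label. The clustering pass is the piece that gives "more context to a particular wallet": once D_hop2 and F_other are merged, every other address in that cluster becomes a candidate for the same operator.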
The Elon Musk scam is at least two years old and continues to cash in significant income from a partially automated process.
The income is not as high as in the early rounds, but it still makes for a quick and profitable attack.
What is critical in this attack is visibility; without the verified accounts, it is tough to appeal to a broader public and increase the scam’s chance of success.
As much as Netlify and similar companies can take the websites down, a considerable effort is required from Twitter, Twitch, or YouTube, as they play an essential role in blocking scams.
Brenna Smith pointed out in her July 2020 newsletter that there isn't an easy solution for blocking scams that both leaves legitimate content alone and recognizes nuanced scams.
Yet time continues to pass, there is no visible progress on Twitter, and scammers continue to cash in significant amounts.