The Russian Giveaway Scam Factory
A week ago the metal band Metallica dropped their new song: https://www.youtube.com/watch?v=_u-7rWKnVVo
It’s not my vibe (I got about 33 seconds in before I had to switch back to my DnB), but what did catch my eye was how quickly the crypto criminals jumped on this announcement and created a giveaway scam to try to steal cryptoassets from fans.
It involved a very professional-looking website, complete with a rolling banner of crypto prices, instructions for how to get involved and a steady stream of “live” transactions showing people who were participating in the $100,000,000 giveaway.
With 1,000BTC and 10,000ETH up for grabs, how could you possibly say no to this exciting opportunity?!
Well, you should … because it’s a scam! You won’t get a satoshi or a wei if you take part.
The scam gave a Bitcoin address and an Ethereum address to send funds to; both were fresh deposit addresses with no on-chain history.
From some online searching I found an article which referenced a Bitcoin address linked to the scam that had received ~$3,500 worth of BTC, and an Ethereum account which had received ~$3,800 worth of ETH. These were different addresses from those I could see on the website, so I wanted to check whether the site was generating new addresses per visitor. However, checking in Incognito mode and over a VPN still showed me the same addresses, and when I returned to the site a day later the same addresses were still showing. This suggests the website owner changed addresses after the exposé article was published, rather than rotating addresses periodically to obfuscate the flow of funds into and out of them.
As the scam looked pretty professionally done, a ~$7k profit seemed too small an ambition for the effort involved, so I dug into who was behind the site and very quickly found a link to Russia!
The registrant lookup showed that the site had been registered just 4 days earlier and, surprisingly, the registrant details weren’t hidden as they usually are for scams:
The address seems to be fake, as I couldn’t find anything on Google or Maps; however, when I googled Leron Gennyy I did find some interesting results …
This was not his first scam!
I found him linked to https://btcrised.com/, a scam giveaway website which looked VERY familiar:
The websites were mirror copies of each other, and what’s more, these weren’t the only websites Leron had to his name. Using another tool I discovered that he had 73 different scam websites, the most recent being a Twitter giveaway site registered only yesterday!
This therefore looks to be the work of a serial scammer who uses a copy-and-paste technique to jump on events inside and outside the industry and promote giveaway scams.
So how big is this enterprise?
It’s very challenging to say whether this is the work of one person (and it’s very likely that Leron Gennyy is not their real name, as I could find no references or further proof-of-life clues anywhere) or of a Russian scam factory.
However, when we look at the size of the scam we can perhaps find some clues …
Using Elliptic’s Investigator tool I explored how the known ~$7k of scammed funds move (focusing on the ether part), and it appears that they are sent to a consolidation wallet where they are pooled with funds from at least 3 other scam-driven accounts. Each of these has a very similar pattern of incoming transactions, often with round-number values, which are frequently seen in giveaway scams. I would therefore guess that these accounts are being featured on one or more of the 73 copy-and-paste scam websites related to Leron Gennyy.
However, what’s interesting is that as well as these 4 arms of the scam, which total $13.8k in ether, there are two other sources of funds into the consolidation account: one for a total of c$65k and the other for c$23k. This brings the potential scam income to over $100,000!
When exploring the account which contributes the c$23k into the consolidation account, 71% of its funds originate from exchanges, mainly as small payments of a few hundred or a few thousand dollars. This is consistent with victims falling for the giveaway scams and, hoping to double their money, sending it from the crypto exchange they hold it on. When I explored a number of the unlabelled accounts which had contributed funds to this account, one had significant NFT trading activity and had sent c$1k to this account, a possible scam victim. Another potential victim had sent over $8k to this account, and sadly this was not the first time they had lost funds: with some further exploration I found that they had been a victim of the DAO hack of 2016.
This account therefore appeared to be a more successful scam arm which had netted c$23k from victims.
I then explored the highest-value contributor to the consolidation account and found very similar activity: the majority of incoming funds came from exchanges and from unknown sources which appeared to be individuals. There were many round-number payments, supporting this account being involved in a giveaway scam, and all transactions were within the last 8 days, tallying with the spate of domain registrations by Leron Gennyy.
It therefore appears that the wider scam factory has netted at least $100k from copy and paste giveaway scams.
However, this wasn’t all I found: the numbers started getting bigger when I followed the flow of funds out from the consolidation account.
Of the ~$100k moved into the consolidation account, only $48k had been sent onwards, so I looked to find where this had gone.
$7k had been sent to the DEX 1inch, $230 was moved to the coin swap service FixedFloat, and $1,600 was sent to Binance. $5k was sent out to an account that pooled in $35k of funds from other accounts. This pooled account only had activity on December 1st and a ‘straight in-out’ pattern. This $40k was moved to 3 accounts:
- $1k moved to an account which pooled in another $33k and then sent all funds to KuCoin
- $8k moved to an account which then pooled in $122k
- The remaining £30k was then pooled into the account holding the $122k, and this now $150k was sent to the crypto exchange Bitget.
What’s therefore notable is that this initial $5k from the consolidation account looks to have been merged with $140k worth of scammed funds from other accounts under the scammers’ control.
We’re therefore no longer looking at a c$100k scam income, but at a scam worth at least $240k!
I then followed the final ~$30k payment out from the consolidation account, which just two hops later was pooled with $130k from other accounts. We’re now looking at a scam worth at least $370k! Certainly much bigger than the initial estimate of $7k, and it really highlights the scam-factory nature of this discovery.
However, this isn’t where the funds stopped. Instead the full $164k was sent on to an account which has had total incoming flows of $9.1m and outgoing flows of $8.2m! Either this is an unlabelled service, there has been a change of ownership, or the scammers have hit the big time.
So I looked for evidence supporting any of these ideas.
The account had conducted 4,488 transactions from 17th October to today. A busy account by all accounts.
Looking at the destination-of-funds exposure of this account, 45% ($3.7m) has been sent to various exchanges and 47% ($3.8m) ends up in unlabelled accounts, not moving any further. This doesn’t clearly point to any one of the hypotheses.
Looking at the source of funds paints a perhaps more interesting picture! For the top 5 accounts sending funds in (representing $2.3m of the $9.1m): $260k comes from an account which has 69% of its funds from Tornado Cash, the now-sanctioned mixer (although this activity was all pre-sanctions); $900k comes from an account which was first active in 2017 and then didn’t move funds until this year; $500k comes from accounts which are primarily funded from Binance but also have $1m+ ties to the sanctioned exchange Garantex; ~$300k comes from an account which is primarily funded from Huobi; and another ~$300k is mainly funded from Binance and FTX. So it appears that this $9.1m account has many links to exchanges and certainly some illicit connections to sanctioned actors. Whether this is part of the scam or a cash-out point is uncertain though.
So what is clear is that the $7k giveaway scam I stumbled upon is part of a much bigger Russian-linked scam factory which appears to have scammed people out of at least $370k, and is potentially part of a multi-million pound criminal operation.
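The three tracing steps used above (spotting round-number deposits into the scam arms, following consolidation-account outflows hop by hop to find where they pool, and working out source/destination exposure to labelled services) can be sketched as a small graph walk over a transfer ledger. This is an added illustration, not Elliptic’s Investigator or any of the author’s tooling; every address, label and amount in the ledger is constructed to mirror the pattern described in the post.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed ledger of (sender, receiver, USD value): every address and amount
# is invented to mirror the consolidation pattern described above, not real data.
LABELS = {"exA": "Binance", "exB": "KuCoin"}   # known service deposit addresses
TRANSFERS = [
    ("victim1", "scamA", Decimal("500")),      # round-number giveaway deposit
    ("victim2", "scamB", Decimal("2000")),
    ("victim3", "scamB", Decimal("743.12")),   # not a round number
    ("scamA", "consol", Decimal("500")),       # scam arms drain to one consolidation account
    ("scamB", "consol", Decimal("2743.12")),
    ("consol", "exA", Decimal("1600")),        # partial cash-out to an exchange
    ("consol", "pool1", Decimal("1000")),      # remainder merged with other proceeds
    ("other1", "pool1", Decimal("8000")),
    ("pool1", "exB", Decimal("9000")),
]

def round_value_ratio(account, unit=Decimal("100")):
    """Share of incoming transfers that are exact multiples of `unit` (giveaway-scam tell)."""
    incoming = [v for _, to, v in TRANSFERS if to == account]
    if not incoming:
        return Decimal(0)
    hits = sum(1 for v in incoming if v % unit == 0)
    return Decimal(hits) / Decimal(len(incoming))

def trace_outflows(start, max_hops):
    """Breadth-first walk along outgoing transfers; returns {account: hop} for each pooling point reached."""
    reached, frontier = {start: 0}, [start]
    for hop in range(1, max_hops + 1):
        nxt = []
        for acct in frontier:
            for frm, to, _ in TRANSFERS:
                if frm == acct and to not in reached:
                    reached[to] = hop
                    nxt.append(to)
        frontier = nxt
    return reached

def exposure(account, direction="out"):
    """Percent of direct in/out value touching each labelled service; unknown counterparties are 'unlabelled'."""
    totals = defaultdict(Decimal)
    for frm, to, v in TRANSFERS:
        if direction == "out" and frm == account:
            totals[LABELS.get(to, "unlabelled")] += v
        elif direction == "in" and to == account:
            totals[LABELS.get(frm, "unlabelled")] += v
    grand = sum(totals.values(), Decimal(0))
    return {k: round(v / grand * 100, 1) for k, v in totals.items()} if grand else {}
```

On real data the ledger would be filled from a node or indexer and `LABELS` from an attribution database; the walk and ratios stay the same.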