One of the most tried-and-true tactics for luring people into a scam is to promise victims “insider” access to financial riches that ordinary people can’t get. This is how Wall Street financier Bernie Madoff signed up thousands of investors enthusiastic about his Ponzi scheme. It is now being used by scammers who promise their victims huge profits if they will only install and use “private” smartphone apps meant solely for insiders.
The scam is called “CryptoRom,” and it has been around for a few months now. As described by Sophos Labs researcher Jagadeesh Chandraiah yesterday (March 16), it is a malicious trifecta that combines romance scams, cryptocurrency fraud, and malicious Android and iPhone apps, the latter of which are usually quite rare.
Victims have lost tens of thousands of dollars in these schemes. Just one of the many Bitcoin addresses used by the scammers has taken in $1.3 million in illicit earnings; you can probably multiply that several times to get an idea of the grand total.
The scheme initially targeted China, Japan, Southeast Asia and the Indian subcontinent, but has now jumped to Western Europe and the United States.
One victim told Sophos they had been cheated, and said a friend “was using [a] similar app called ‘UBS global’ + Binance.”
“They offer cryptocurrency trading,” the victim said. “Now when he tried to withdraw the amount, they ask for a paid membership of $6000.”
Don’t trust this love affair
Most victims are initially contacted through online dating services, such as “Bumble, Tinder, Facebook Dating and Grindr,” a previous Sophos report said. Many of these are among the best dating apps we tested.
More recently, Chandraiah said, some victims were contacted through random WhatsApp messages, apparently after scammers profiled them via social media and saw they had money to spend.
“We suspect that the scammers obtained the contact information of their targets either through their social media accounts or through the hacked websites,” Chandraiah wrote. “It also appears that they are getting publicly available information and targeting those who are already into investing and cryptocurrency.”
On dating apps, the scammer uses a fake profile to build trust with the victim over the course of several days or even weeks. Then the scammer tells the victim about a secret cryptocurrency investment that will make the victim a lot of money. The victim just has to install a special application.
Here is our first tip on how to avoid these scams: Don’t trust anyone who claims to be your soul mate, but who doesn’t seem to be able to meet you in person, or even on a FaceTime date.
Second tip: If someone you don’t know tells you that they have a special tip on how to make money with cryptocurrency, run fast.
Fake iOS apps and how they are possible
These private apps are not in the Apple App Store or the Google Play Store and must be sideloaded. That is easy to do on Android, but what about Apple devices? Doesn’t Apple prevent users from installing iPhone apps that come from outside the App Store?
Not exactly. Apple has some measures in place that allow app developers and large companies to distribute apps privately.
Large companies can install specific profiles on employee devices that allow iPhones and iPads to install company-specific applications. Developers have two different options that allow iOS apps to be sideloaded for testing purposes: first during the initial development phase, and later for beta testing before official submission to the App Store.
Scammers, including those running CryptoRom scams, have been known to abuse both the enterprise deployment and developer testing features. And now, according to Sophos, they have started using Apple’s TestFlight feature to infect up to 10,000 victims at a time.
In these cases, victims are first asked to install the real TestFlight app from the App Store. Having this app allows an iPhone user to download and install what appears to be a “private” version of a known cryptocurrency or financial app from a website.
These are fakes, of course, but to the victim they look like real apps provided by Coinbase, Robinhood, Bitfinex, Binance or other cryptocurrency platforms.
Tip #3: If someone who isn’t your employer asks you to download an Android or iOS app from outside the official app store, don’t do it. On Android, it’s likely a scam; on iOS, it certainly is.
Cryptocurrency extortion
Once the fake app is fully set up, the victim is asked to buy Bitcoin or another cryptocurrency through a legitimate exchange, then transfer it to the scammers through the “private” smartphone app.
Initially, Chandraiah said, the victims actually appear to make money. They are even allowed to withdraw part or all of their initial investment.
But then the scammers dangle the promise of even bigger returns to get the victims to invest more money. They will even “lend” the victim an amount to make it easier. This second round of investment is money the victims will never see again.
Don’t get us wrong: the investments do keep growing, at least according to what the victim sees in the bogus app. But then there is a problem.
“When victims try to withdraw money from their big winnings,” Chandraiah wrote, “the scammers use the app to tell them they need to pay a “tax” of 20% of their winnings before withdrawing the money — and threaten that all of their investment will be confiscated by the tax authorities if they don’t.”
If the victims pay the “tax”, it is “frozen” by the “authorities” and the money remains stuck.
Scamming the victims one last time
Chandraiah writes that this scam has become so widespread that a secondary scam industry has emerged, “promising” to help victims recover their money.
“Exploiting this desperation, a number of fake cryptocurrency recovery services have emerged that specifically target CryptoRom victims.”
At this point, victims may realize that their only option is to call the police. But even then, there is often little that can be done. Cryptocurrency transactions cannot be reversed, and even when the chain of transactions is transparent, as is the case with Bitcoin, there may be little legal recourse.
Chandraiah wrote: “Due to the nature of cryptocurrency and the fact that cross-border foreign transactions are involved, it is difficult at best to recover funds through law enforcement or other legal channels.”
One last tip: Do not invest cryptocurrency with someone you do not know.
These scammers have surely convinced many victims that they are using Binance, Bitfinex, Coinbase or other legitimate exchanges.
But it takes a huge leap of faith to believe that well-known cryptocurrency platforms will have secret spaces where only a privileged few will be able to trade their assets and make more profits than anyone else. Then again, this probably doesn’t sound so crazy.