Anatomy of a Crypto Scam

Diwaker Gupta

This is a quick rundown of the first crypto-scam that I saw unfolding in real time. It's by no means an exhaustive or comprehensive analysis, and I should further caveat that this isn't necessarily an area of expertise for me either.

So Elon Musk tweeted yesterday:

Thanks to the magic of Twitter's algorithm, this was the top reply that I (and presumably many others) saw:

Hmm, this already looks fishy. Hover over the suspicious reply and you can see what's going on:

Clever use of how Twitter renders usernames: the reply's display name imitates Elon Musk's, and only hovering reveals the real account behind it. The link in that reply is a Medium page:

Elon Musk — Official ETH and BTC Giveaway – EIon Musk – Medium
Our marketing department here at SpaceX HQ came up with an idea: to hold a special giveaway event for all crypto fans out there.

That links to two "giveaway" pages, one for ETH and one for BTC. The URLs have been rotating AFAICT, currently pointing to and respectively. Running a whois doesn't reveal much, as expected: all the domains use a WHOIS privacy service.

The addresses they want you to send your ETH/BTC to seem real, though. Just looking at 2 ETH addresses I was able to grab, it seems likely that this scam has already taken in tens of thousands of dollars worth of crypto.

But one look at the "submissions" quickly reveals several red flags. For one, the block numbers are all identical, but perhaps more damning is that they aren't even in the right ballpark! ETH blocks are currently in the 863K range!

The page also employs some cheap, and presumably effective, tricks to make you feel like it's real and you're missing out on this amazing offer. New transactions appear every few seconds and the progress bar at the top is filling up in front of your very eyes! But hang around long enough and you'll see the progress bar jump back and forth at random, and those transactions don't look real either. A quick peek at the source code spills the beans:

function newtr() {
    // A new table row, prefilled with a hard-coded Etherscan-style row
    tr = document.createElement("tr"),
    tr.innerHTML = '<td><a class="address-tag" href="#">0x9addb4ab6a83b917...</a></td><td class="hidden-sm"><a href="#">5386568</a></td><td width="150px !important"><span rel="tooltip" data-placement="bottom" title="" data-original-title="Feb-19-2018 04:16:52 AM" class="tim3" >1 mins ago</span></td><td><a class="address-tag" href="#">0xaa2498d85bA755900...</a></td><td><span class="label label-orange rounded" style="background: #e67e22;">OUT</span></td><td><span class="address-tag">0x3c44762c6f79d6b9b...</span></td><td>4 Ether</td><td><font color="gray" size="1">0<strong>.</strong>00042</font></td>',
    // "Addresses" and "transaction hashes" are just random UUIDs with 0x prepended,
    // which is neither a 20-byte address nor a 32-byte hash
    INT = "0x" + uuidv4().toLowerCase(),
    OUT = "0x" + uuidv4().toLowerCase(),
    TXID = "0x" + uuidv4().toLowerCase(),
    TXID2 = "0x" + uuidv4().toLowerCase(),
    // Random "incoming" amount between 0.5 and 10 ETH, and a "payout" of 10x plus 0.5
    INCIN = (Math.random() * (10 - 0.5) + 0.5).toFixed(3),
    INOUT = (10 * INCIN + 0.5).toFixed(0);
    var t = document.getElementById("myTable").insertRow(1),
    // (the rest of the function is cut off in the original post)

So the attacker is just inserting randomly generated, totally fake transactions to trick you! The finishing touch is the Comments section, which is full of genuine-looking comments aimed at convincing you this scam is the real deal. Again, one look at the source reveals that this supposedly Disqus-powered comments section is literally just another static page in an iframe:

<iframe src="/eth/comments.html" style="width: 1px !important; min-width: 100% !important; border: none !important; overflow: hidden !important; height: 1550px !important;" scrolling="no" horizontalscrolling="no" verticalscrolling="no" frameborder="0" allowtransparency="true" allowfullscreen="true" allowscriptaccess="always"></iframe>

You can confirm this by navigating directly to

So there you have it. I haven't poked much more at the identity of the attacker, or at how widespread or successful the attack was (e.g. in monetary terms), but watching this unfold in real time and trying to unpack some of the mechanics was a fascinating experience.

Stay cautious out there!