Not for love nor money: dating app crypto thieves hold on hard to stolen loot
Threat actors behind a cryptocurrency trading scam targeting mobile phone users through dating sites have tightened their grip on ill-gotten gains, freezing victims’ accounts when they try to pull out funds, says fresh research by Sophos.
Last year the CryptoRom scam cut a swathe through the wallets of online daters looking to take a punt on digital currency, bilking them out of at least $1.4 million by October. Users in the US, Europe and Asia of popular dating sites such as Bumble and Tinder were conned into installing fake cryptocurrency trading apps on their Android and iPhone devices.
Now the latest development, also uncovered by Sophos, looks to be taking things up a notch as the cybercriminals responsible try to shore up their illicit gains.
When victims try to withdraw investments, their accounts are frozen and charged a fake “profit tax” to regain access. One victim was charged $625,000 to recover the $1 million they had invested in a fake crypto-trading scheme recommended by a “friend” on a dating site – in fact a scammer who was in on the con.
“The CryptoRom operation is increasingly well organized and sophisticated, and targets victims all over the world,” said Sophos. “It is a romance-centered financial fraud that relies heavily on social engineering at almost every stage. The scammers attract targets through fake profiles on legitimate dating sites. The fake apps are usually installed as web clips and designed to closely resemble trusted apps.”
“The ‘profit tax’ is only mentioned when investors try to withdraw their funds or close the account. Victims who struggle to pay the tax are offered a loan. There are even fake websites that promise to help people recover their funds if they’ve been scammed.
“Whichever path the increasingly desperate victims go down to try to get their money back, the scammers are there waiting for them. People tell us they have lost a lifetime’s savings or their retirement funds to the scam.”
Tech-savvy and whip-smart
The masterminds behind CryptoRom also approached potential marks via WhatsApp and SMS, using what is believed to be stolen personal data to contact them. Apple products have also been exploited by the scammers, who abused TestFlight, which small groups use to install and trial iOS apps under a less stringent review process. Sophos researchers observed CryptoRom adopting the same approach with iOS Super Signature and Apple’s Enterprise Program last year.
Furthermore, Sophos has uncovered technical aspects of the fraudsters’ operation that allow for greater agility to avoid detection and prevention.
Phony CryptoRom websites were found to have similar backend structure and content – with only brand names, icons and URLs being different – to enable threat actors to quickly reconstitute them once they have been detected and shut down.
“It is deeply worrying that people continue to fall for these criminal schemes, particularly since the use of foreign transactions and unregulated cryptocurrency markets mean that victims have no legal protection for the funds they invest,” said Sophos.
“This is an industry-wide issue that is not going away. We need a collective response that includes traceability of cryptocurrency transactions, warning users about these scams and quickly detecting and removing the fake profiles that enable this kind of fraud.”