Scammers robbed French-speaking investors of €480m, says analyst

A cryptocurrency scam targeting French-speaking investors in European countries has been buzzing under the radar for several years, netting the cybercriminals behind it close to half a billion euros, according to fresh research from Group-IB.

The cyber researcher said it identified what it described as a “complex network infrastructure” named CryptosLabs, active since 2018, consisting of more than 300 fake web domains hosted on 70 servers and centering on “the gang’s major weapon” – an easy-to-use digital scam kit of the same name.

“CryptosLabs is a well-organized illicit business that has a hierarchy of kingpins, sales agents, developers, and call-center operators that collectively could have earned as much as €480 million since its launch,” said Group-IB.

Bad enough on aggregate, the burden of these losses fell particularly heavily on some hapless victims.

“The Group-IB team is aware of at least 20 victims from France who signed up with the same trading platforms and collectively handed over €280,000 to the scammers,” said Group-IB. “In one case, a victim [...] lost more than €1,500,000.”

The fraudsters in the scam ring primarily targeted victims in France, Belgium, and Luxembourg, hoodwinking them into transfering money to them using a measured approach that entailed guiding them from bogus landing pages to social media posts with advertisements mimicking legitimate investment services, through phony call centers staffed by con artists, to the eventual payload: fake investment portals used to siphon funds from the unwary.

French scam screenshot fake web page
Fake form used by scammers to capture French-speaking victims' contact details

Too good to be true

“Right out of the block, the victims are promised high returns on their capital,” said Group-IB. “To find the ‘investors,’ scammers leave messages on the dedicated investment forums or use legitimate advertising mechanisms on social media and search engines to promote the scheme. To appear trustworthy, such ads feature logos of notable banking, fin-tech, crypto, and asset management companies active in France, Belgium, and Luxembourg.”

Clicking on the ads takes the victim straight to one of the 300 domains identified by Group-IB as “impersonating 40 popular companies primarily from the financial and asset management sectors.”

Group-IB did not name the companies mimicked or “spoofed” in this way, but said four in ten belonged to the financial sector, with a similar proportion coming from asset management and another 5% from the cryptocurrency industry.

What made this particular scam cunning was that initially it passed for a much smaller-scale social engineering attack.

“At first glance, some of the detected resources looked like ordinary phishing pages impersonating a very well-known fin-tech company,” said Group-IB. “Further examination revealed that it was a small piece of a very big pie. By jumping down the rabbit hole, Group-IB experts discovered that fake branded websites were designed so that the victims could leave their contact details.”

Screenshot of fake web page in French used by scammers
Bogus dashboard with fake data about investments that do not exist

Playing the long game

However, the scammers chose not to pull the trigger at this point, instead biding their time to do some ‘market research’ and identify which subscribers could be most easily duped.

“Interestingly, the victim doesn’t get immediate access to a fake investment platform,” said Group-IB. “The scammers’ call center verifies the information to identify the most likely targets. Masquerading as personal managers of investment divisions of the companies that victims saw on the social media ads, call-center operators reach out to the victims to clarify further steps, explain how the platform works, and provide credentials to start trading.”

Only after that are victims solicited to start ‘investing’ money, usually a modest sum in the order of some €200-300, with more than 15 fake strategies offered in some cases.

“After successfully logging into an investment portal the victim sees multiple made-up graphs and charts, all indicating sky-high returns and growth stocks,” said Group-IB. “After some time, the victim is contacted by a ‘personal manager’ to sign a fake engagement document and make a deposit to activate the account.”

Of course, this nominal amount is pocketed by the cyber fraudsters as soon as it is paid, and the victim is then granted access to a counterfeit branded trading platform that lures them into making further so-called investments.

“Those who make it that far can see the account balance and multiple juicy investment opportunities in stocks, crypto, NFTs, and contact their ‘personal manager’ at their convenience,” said Group-IB.

This is followed up with fake graphs purportedly showing returns on the bogus investments, and even when victims smell a rat and try to withdraw from the scheme, the fraudsters refuse to let them go without a parting shot.

“The fake platform does everything to keep the victims happy by showing them made-up exponential growth curves and encouraging them to deposit more funds to multiply their investments,” said Group-IB. “Those who decide to exit and withdraw money are not let go without a finishing stroke. The personal manager informs the victim that their money got frozen by the processing bank and that they need to pay a ‘fee’ to receive the money. Once paid, the scammers disappear with all the money.”

Tools of an illicit trade

Group-IB has identified the secret weapon behind the scammers’ success as being the CryptosLabs toolkit, apparently sold as a service to other criminals after having been “developed to automate the deployment of scam websites using over 200 branded templates.”

What makes the software particularly damaging is that it can be placed into the hands of low-skilled crooks to give them an effective means of perpetrating cyber fraud.

“The kit makes it possible for scammers of lower ranks to set up a website within minutes [and] also includes the tools to facilitate the fraudsters’ interactions with the victims,” said Group-IB, adding that this includes a digital platform with comprehensive victim profiles, a dedicated panel for distributing the new scam “leads”, and internet protocol (IP) telephony and chat tools to communicate with victims in real time.

“From an operational perspective, CryptosLabs is a well-organized and fully automated profitable IT business,” said Group-IB. “It is one of the few scam-as-a-service operations that has such a clear geographical focus on France, Belgium, and Luxembourg. Sophisticated investment scams like this are not only a threat to regular users who lose thousands of euros every day, they represent an imminent and credible risk to companies whose brands are being abused by the scammers.”

Urging the companies being spoofed to step up efforts to monitor this abuse of their reputations, and in doing so help prevent victims from being conned, Group-IB also encourages would-be investors to carefully scrutinze all URLs when approached with what seems like the opportunity of a lifetime – in this case, the CryptosLabs gang had broadly similar domain names across their numerous phony portals such as “secure” or “fr” that allowed the analyst to attribute them to a group of threat actors using the same playbook.

“Users should always check the domain of the URL to verify if it’s the official website before sharing any information,” said Group-IB. “If you are not sure about the legitimacy of the company, take some time to research it. The devil is in the details.”

More from Cybernews:

Human Rights Watch details Iran phishing campaign

San Francisco will not allow police to use lethal robot force after all

Hive adds French sports firm to list of victims, local media claims

Florida Department of Revenue exposed user data, including Social Security numbers

Microsoft is preparing to defend Ukraine from renewed Russian cyber offensive

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked