
Cryptoscams & Twitter Bots: Effective Detection and Trolling

BSides TLV · 2024 · 22:42 · 58 views · Published 2024-08 · Watch on YouTube ↗

Style: Talk

About this talk
Speaker: Gal Bitensky

“Lost your wallet password? No worries! Contact us via not-a-sc4m@gmail.com!” If you’ve ever used Twitter to chat about cryptocurrency, you’ve also probably triggered bots luring you into sharing your secret passphrase with cybercrooks. In this quick talk we will learn what triggers such bots and what the potential choke points are that defenders can leverage against them, sharing data collected over months and concrete real-life examples. Last but not least, I will share a couple of cases where we were able to troll bot operators, social engineering the fraudsters to partially unveil their identity and learn something about who is behind these operations.

Transcript [en]

Nothing prepares you for this moment in life where you have an image of yourself projected on the screen behind you, which is like five times real size. But anyhow, so today I'm going to speak about... oh yeah, thank you. So today I'm going to speak about crypto-scamming Twitter bots. In, hopefully, 25 minutes' time you'll all have a better understanding of how it works, and afterwards you'll be able to understand how we can prevent it and troll some operators on the way, which is probably the part you're all in for. And we'll also try to predict a bit about future trends and the current situation. So let's see how it goes.

We'll start with how I got into this mess, proceed into local- and global-scale analysis of the issue, how we can understand a single tweet and then in the context of a campaign. Also we'll go to the part you're all here for, me trolling crypto-scamming Twitter bot operators, and also some fortune telling, me trying to predict the future, if you trust me, which I'm not sure you should. Anyhow, why should you even listen to me? That's me, by the way, in the mask. First and foremost, I'm a BSides aficionado. That's actually me back from 2016, first BSides, first talk of me ever, being all sleeved up like the businessman I am. I had no idea what BSides was back then, and BSides was the first place that provided me the stage to speak on, and I'm really, fingers crossed, hoping that one of you in the crowd here today will speak for the first time after you research something exciting. So that's first things first. Also, as Karen said, I'm a full-stack researcher. I did basically anything from disassembly, low-level stuff, to AppSec and cloud, and also I'm into all kinds of campaigns. Here, for example, that's actually my Purim costume, disguised as a CopyKitten, which was an Iranian APT campaign we've analyzed back then. I was the one naming them CopyKittens, by the way. And I'm also into proving stupid claims, or just claims, which, you know, we make a lot of claims and you'll see in a sec what I mean. But I mean to just, like, yeah sure, we can do that, okay, let's test it out, why not, we are people of science here.

So how did I get into this stupid crypto-scamming Twitter bots thing? It doesn't seem like the first thing a sane person will choose to research, so that's meme number one for the day. It actually was a long time ago, in a galaxy far away. I've seen this tweet. You can see it was back in 2021, and they've mentioned a couple of brands there, MetaMask and Trust Wallet. I had basically no idea what either of those was, but the interesting part was the responses to this tweet. Those four responses, alongside others, were all pretty synthetic. I suspected that it was bots back then. I knew what bots are, I didn't explore them thoroughly, but it looked really weird. They were all trying to lure them into clicking on a Google Forms link; others were trying to lure them into corresponding on Gmail accounts, maybe direct messages on Twitter or other platforms. It all seemed pretty weird, and I was sure those were bots. But will they respond to anyone mentioning these brands? Now I have the magic necklace. Anyhow, is it that stupid, that if I'm mentioning these brands bots will just respond to me? It can be that stupid, right? Right? Well, what do you know, as I said, I like to prove claims, so this is why I tweeted the following tweet with the sensible sentence: "Trust Wallet MetaMask issue PancakeSwap BTC ETH issue prevents Doge", as in Dogecoin, the nice one with the Shiba Inu face. And what do you know, it works. I got this response seconds later, and of course this bot tried to lure me into some kind of fraud, which I still wasn't fully aware of what it is exactly. And I did a kind of a game with my friends: who can trigger the most bots in a single tweet. I think I'm holding the record with 17 bots being triggered in a single tweet. You can play it with your friends afterwards, I highly recommend it.

But why? In order to understand why, let's do a quick game. How many of you in the crowd today are familiar with one cryptocurrency type? Most of us, yeah, Bitcoin, haha. Three different? I think I also do. Five? Yeah, those are all the stupid meme coins, Doge etc. How many of you actually owned a single type of cryptocurrency? I did. And three different ones? No, I didn't, I didn't want this stupid... How many of you actually used cryptocurrency for anything else than buying another cryptocurrency? Quite a lot of people. So MetaMask is one of the ways, or Trust Wallet, all these crypto wallets, is one of the ways you can do just that. It looks like this in the browser extension form. You can actually use your crypto assets to pay for stuff, what do you know, it might be useful to actually do something. As you expect, you set up a password, but the more interesting thing is something called the secret recovery phrase, or SRP for short. It's a combination of 12 simple words, and there's a very large warning when you set it up. When you actually get it, once you create a wallet: please do not provide it to anyone, no matter what, not in a customer support scenario, no matter what, just don't provide it to anyone, please, we beg you. Why, you ask? Well, because you have this screen, and this key phrase, the SRP, the secret recovery phrase, can be used to create a new password, which makes sense because it is not a bank; you want to have some kind of a backup mechanism to regain your funds. It's a lot of, you know, crypto assets and a lot of money implied. And if you own this SRP, well, we have a meme for today: he who controls the SRP controls the wallet. If you have the SRP you have basically full control over the wallet. Yeah, all of you Dune fans out there.

Okay, so we now kind of know how we all got into this mess, but let's make some sense out of the nonsense, trying to understand how it works and how we can leverage the fact that it works this way to prevent it. Let's go one level deeper. This is the actual email once you actually start correspondence with the fraudsters. This is the kind of email they're sending, and the important thing is the link back there: oh yeah, please come and restore access to your wallet. No matter what you tweeted about, this will be what they're pushing for, and you will go to a website which looks like this. Of course that's a phishing website, very similar to the previous legit one we've seen, and whenever you insert the SRP they will get it and they will get your crypto assets. Okay, another example: Google Forms. A lot of bots were pushing Google Forms, and they will have this nice question as part of the Google Form: please provide us your top secret phrase, don't worry, it's an encrypted bot, no man will ever see it, trust me bro, guaranteed, kind of a situation. People are falling for that, I guess, otherwise they would never do that. It still seems kind of silly to us, but it works, I guess. And the DM variant will be also very simple: they will speak with you a bit and they will push you into clicking on a link to a phishing website, as you can see.

Okay, so let's do a quick recap. A user tweets something, a bot responds, and from there there are three potential branches. It will either be Google Forms, which is the end game, and you will provide the SRP there, and if it is a kind of a DM or a conversation over email, they will try to shift you into a malicious website, a phishing website, basically. But now I'm trying to think like the fraudster, the scammer. They're into money. They're not after fame, they're not script kiddies; they're not after intelligence, they're not an APT group. They want to make money, that's the top, only priority from their standpoint, and bot operation, the operational cost, it is not free by any means. So they're trying to maximize their gains, and there's also another function here. I call it the lead conversion ratio, a bit of a marketing term. They have potential clients and they want to convert them into paying clients, or victims as we know them, and they want to be as optimal as possible. So they must have what I call an IoC, kind of learning this term from the malware research world. They want to have a clickable URL or a very clear DM, someone to speak with, a link to a Google Form. They can't avoid that if they want to have a good conversion ratio of their victims. They want to have it as aggressive as possible, and this forces their hand into being vulnerable, in my opinion.

So what I did was pretty simple. First I was looking for anyone mentioning the word MetaMask, for example. Then I looked for anyone mentioning a potential IoC in the responses, pretty straightforward, right? Looking for email addresses in strings is nothing new. And then I was looking for who spams those IoCs across Twitter, because what I've seen is they're not going low and slow, they're just going all over the place with their bots. They're trying to get the most out of the fake user before Twitter shuts it down. So, some stats for nerds. I actually did this research, the entire setup was running for about half a year. Over 550 email accounts associated with known scammers were retrieved, thousands of suspicious links and usernames associated with all of that on Twitter. And the interesting thing is most of the emails were pretty straightforward. It was just something like "metamask live" at gmail.com, so it is very easy for, let's say, Google to prevent this kind of scam, or at least raise the bar, which is all we're here for, I guess. About a third of the suspicious links were Google Forms, but we'll speak about that later in the presentation, and there were a lot of Telegram accounts, and even more curiously there were 75 Instagram accounts. But it works, so if it works for the scammers, it works for us, I guess.

Another interesting kind of trend line: I was trying to look at whether there's an increase or... when Elon took over Twitter and he told us there would no longer be any bots, is that actually the case? Well, no, it wasn't. The only case where I've seen spikes was after some crypto exchanges were hacked, so users were more vulnerable to being scammed, and fraudsters understood that, of course, and they were more likely to be targeted because they were like, oh no, I need to get my funds back really quick, I will fall for anything. So those are part of the spikes you're seeing here. Another interesting graph: I've tried to understand how long an IoC can survive before it gets shut down. The left side of the graph is a day or two, which accounts for about a third of the population of IoCs, but there were some who survived over a month. Those are the top offenders, and I've realized that there's nothing in common across them. Those are very straightforward Gmail addresses; they should get detected way faster than over a month of being actively used in public Twitter campaigns to spread fraud. But maybe it's just me thinking that.

Okay, so that's the kind of vanilla algorithm, but then I did a nice pivot on this data. I decided that, okay, we now know who the bots are, let's see who they are replying to, what are the original tweets triggering the bots, assuming that bots are being reused across multiple campaigns, because it's cheaper to have one for a few campaigns, it won't get shut down as fast, or at least it will be more economical for the fraudsters. So what I did is I aggregated, I've counted all of the words in the tweets bots are replying to, filtering out words which are three letters or shorter, or by parts-of-speech analysis filtering out things like "am", "is", "an", "are", and I got the most common keywords, and I was able to find new keywords this way, like "ledger", for example. I didn't know it would trigger bots, but it did, at least back then. This is from my GitHub account, doing all of this orchestration behind the scenes, and it just worked. And I think this method, by the way, can be reused in different scenarios, a very useful one to remember.

Okay, so now we know how we got into this mess, how we can make some sense out of this nonsense and analyze the bots' behavior, and now we're here for the fun part. Yeah, yeah, it's coming. So that's the email I got from the scammers: oh yeah, please go to our phishing website, it's totally legit, please provide us your SRP over there. And this was my response: oh no, I'm trying but I keep getting an error message, here's a screenshot, screenshot-that.jpeg, wink wink. Little did they know it wasn't a screenshot or a JPEG, it was a fingerprinting server. I used webhook.site, and thanks to Gleb Glov, who actually told me about this website a few years ago. Any kind of server will do the same for you, but I got the fingerprint this way, and I got their IP addresses and some data about their user agent. They used some headers and it pointed to Nigeria. Okay, we all use VPNs every now and then, it might be this case, right? And then I've noticed this thing: there's a very strange Android device which was part of the user agent, X6515. What the hell is this device? I did what anyone would do, of course, and I googled it, and what do you know, it's the number one phone, at least it used to be back then, being sold in Nigeria. So I guess that they are from Nigeria, right?

Another fun experience I had was getting these two responses seven seconds apart. So of course what I did was speak with the criminals and tell them, oh no, I don't know which one is real, I don't want to be a victim, only to be reassured by the fraudster there: trust me bro, don't worry, those are my other teammates. So I don't even know if it is the truth or not, but it gives you kind of a perspective of how they are treating the meta of these fraud campaigns to some extent, and they are fully aware of how bizarre this kind of fraud scheme is. Also, by the way, they were trying to push me into a website which was also registered in Abuja, which is the ninth largest city in Nigeria. So another thing which points back to Nigeria. And a kind of a sibling fraud I was trying to research, where he asked me to transfer money into his account, in this case the fraudster, and I did the same thing, a URL shortener pointing to webhook.site, and what do you know, the IP was again from Nigeria. By the way, I'm not saying that Nigerian people are all criminals, or in fact that they're Nigerians specifically; it was just all pointing back to Nigeria. And also an important note: please treat your operational security very carefully, and if you're doing this back home it's at your own risk, of course, and you don't have to, I did it already for you, so do it at your own risk.

Okay, so we are now familiar with how it all got started, how we can actually do it properly and improve detection, how you can troll the fraudsters. But let's try to draw some conclusions. In my opinion it is all a game of cat and mouse. Chewbacca, my cat, not my mouse. And Google Forms is a good example, because I reported this thing to Google and I think that they are the ones responsible for this specific type of fraud being shut down almost completely. Today you will see some scams of this type being spread on Twitter, but they won't be using Google Forms. So someone did something good, for once. And Twitter, well, they did more shadow-banning of users, they will hide responses, but it will take them a few minutes, which is all it takes to be a victim of such fraud. And fraud on their side, well, there's a good example of what we can force them into. Look at this tweet. If you notice, there is a URL as part of the tweet, but there's a space before and after the dot and between the C and the O, if I'm correct. So it is basically not clickable any longer, and by that it has a negative impact on the lead conversion ratio we were speaking about, and it will make the fraud much less effective, and this is good for us, and I want to push more and more offenders into this kind of scenario. And this campaign was a single one, a very large one, but it was very unsuccessful in my opinion, because I've never seen the same ammo being reused, implying it is not good, which is again good for us. MetaMask, on their side, also are trying to be better, and for example they will respond to almost anyone mentioning MetaMask with this tweet, telling them you should never ever provide your secret recovery phrase to anyone, as everyone should know, but they will do it on almost every tweet.

So should we be optimistic? My advocate Rocket disagrees. Yeah, yeah. Why am I saying that? Because I've tried to look at what the current state of the art is, how it goes right now, and there's a random tweet speaking about crypto assets, currency, whatever, and the responses were as follows. It is all basically crypto scam over and over and over again, and it was hours after the tweet was posted to begin with. So we should get much better, there's a lot of room for improvement, and we should definitely try and be better, and by "we" I'm speaking about Twitter, about the service providers like Google in this case. Everything you're seeing here today was reported to Google years ago, and they did take action in some cases, at least, saying something good about them when it's deserved. And that's it, I guess. Thank you.
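As an added example (not the speaker's code; the talk's own orchestration lives in his GitHub account and is not reproduced here), the following Python script implements the defender-side pipeline the talk describes: watch for tweets mentioning a brand, pull IoCs (e-mail addresses, links, Telegram handles) out of the replies, aggregate which accounts push which IoC and how long each IoC stays alive, and then pivot from the bot replies back to the triggering tweets to discover new bait keywords. All account names, addresses, links and day numbers are constructed placeholders; `forms.example.com` stands in for a Google Forms host; and a small stop-word list is a stand-in for the part-of-speech filtering mentioned in the talk. The `refang` step also undoes the "spaced-out dot" trick the talk shows in its last campaign example, so a defanged link is still counted as an IoC.

```python
"""Added example, not the speaker's tooling: brand-mention -> reply IoC ->
offender aggregation -> trigger-keyword pivot, over constructed sample data."""
import re
from collections import Counter, defaultdict

WATCHED_BRANDS = {"metamask", "trust wallet", "ledger"}

# Constructed sample: each reply carries the tweet it answered and a day index.
SAMPLE_REPLIES = [
    {"author": "support_bot_1", "day": 1,
     "trigger": "My MetaMask wallet shows a pending swap on PancakeSwap, help!",
     "text": "Sorry for the issue! Contact the team at metamask-help@example.com"},
    {"author": "support_bot_2", "day": 1,
     "trigger": "Trust Wallet won't sync my BTC balance since the update",
     "text": "Fill this form for a quick fix https://forms.example.com/d/abc123"},
    {"author": "support_bot_1", "day": 9,
     "trigger": "Lost access to my Ledger after the exchange hack, funds stuck",
     "text": "DM our agent on telegram @wallet_rescue_desk or mail metamask-help@example.com"},
    {"author": "support_bot_3", "day": 33,
     "trigger": "metamask keeps rejecting my password after the reset",
     "text": "Restore here: recover-wallet . example . c o m (copy into browser)"},
    {"author": "real_friend", "day": 2,   # benign reply, must not be flagged
     "trigger": "Trust Wallet won't sync my BTC balance since the update",
     "text": "Clear the cache and reopen, that worked for me."},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/[\w./?=&#-]*)?")
TELEGRAM_RE = re.compile(r"(?:telegram|t\.me)\W+@?(\w{5,})", re.I)
# Real Google Forms hosts plus the constructed stand-in used in the sample.
FORM_HOSTS = ("docs.google.com/forms", "forms.gle", "forms.example.com")
# Simplified stand-in for the part-of-speech filter mentioned in the talk.
STOPWORDS = {"after", "since", "shows", "keeps", "with", "that", "this", "from", "have", "just"}


def refang(text):
    """Undo the 'spaced-out dots' trick (e.g. 'site . c o m' -> 'site.com')."""
    text = re.sub(r"\s+\.\s+", ".", text)                       # ' . ' -> '.'
    return re.sub(r"\.c\s*o\s*m\b", ".com", text, flags=re.I)    # '.c o m' -> '.com'


def extract_iocs(text):
    """Return the e-mails, links and Telegram handles found in one reply."""
    text = refang(text)
    emails = EMAIL_RE.findall(text)
    stripped = EMAIL_RE.sub(" ", text)      # so e-mail domains are not re-read as URLs
    urls = [u.rstrip(".,)") for u in URL_RE.findall(stripped)]
    telegram = ["@" + h for h in TELEGRAM_RE.findall(text)]
    return {"emails": emails, "urls": urls, "telegram": telegram}


def is_form_link(url):
    """True when a link points at a (Google) Forms host, the talk's 'end game' branch."""
    return any(host in url.lower() for host in FORM_HOSTS)


def build_report(replies, brands=WATCHED_BRANDS):
    """Aggregate IoC -> accounts, account -> IoCs, and IoC lifetime in days."""
    ioc_accounts, account_iocs, ioc_days = defaultdict(set), defaultdict(set), {}
    for r in replies:
        if not any(b in r["trigger"].lower() for b in brands):
            continue                                           # not a watched brand
        found = extract_iocs(r["text"])
        for ioc in found["emails"] + found["urls"] + found["telegram"]:
            ioc_accounts[ioc].add(r["author"])
            account_iocs[r["author"]].add(ioc)
            first, last = ioc_days.get(ioc, (r["day"], r["day"]))
            ioc_days[ioc] = (min(first, r["day"]), max(last, r["day"]))
    return {"ioc_accounts": {k: sorted(v) for k, v in ioc_accounts.items()},
            "account_iocs": {k: sorted(v) for k, v in account_iocs.items()},
            "lifetime_days": {k: b - a + 1 for k, (a, b) in ioc_days.items()}}


def long_lived(report, min_days):
    """IoCs still in use after min_days: the 'top offenders' the talk points at."""
    return sorted(i for i, d in report["lifetime_days"].items() if d >= min_days)


def trigger_keywords(replies, min_len=4, stopwords=STOPWORDS):
    """Pivot: count words in the tweets that bot replies (ones carrying an IoC)
    answered, dropping words of <= 3 letters and stop-words; each tweet counts once."""
    triggers = {r["trigger"] for r in replies if any(extract_iocs(r["text"]).values())}
    counts = Counter()
    for t in triggers:
        words = set(re.findall(r"[a-z]+", t.lower()))
        counts.update(w for w in words if len(w) >= min_len and w not in stopwords)
    return counts


if __name__ == "__main__":
    report = build_report(SAMPLE_REPLIES)
    for ioc, accounts in report["ioc_accounts"].items():
        kind = "form" if is_form_link(ioc) else "ioc"
        print(f"{kind:4} {ioc:40} accounts={accounts} alive={report['lifetime_days'][ioc]}d")
    print("long-lived (>=7d):", long_lived(report, 7))
    print("candidate trigger keywords:", trigger_keywords(SAMPLE_REPLIES).most_common(5))
```

On real data the `trigger` field would come from the `in_reply_to` tweet and `day` from the tweet timestamp; the keyword counter is what surfaced words like "ledger" in the talk, so the candidates it returns feed back into `WATCHED_BRANDS` for the next collection round.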