The coronavirus pandemic (COVID-19), which started in December 2019, quickly became a worldwide crisis. Beyond the virus in the physical world, cyberspace also suffers from the security threats introduced by COVID-19. As COVID-19 continues to spread across the world, a growing number of malicious campaigns are exploiting the pandemic. It is reported that a number of attackers have sought to exploit COVID-19 for malicious purposes, including email scams, ransomware, phishing domains and malicious apps [covidtreat, covidattack, he2020beyond, apwgreport]. According to a report from the Federal Trade Commission (FTC), victims in the US had lost over $77 million to fraud during this crisis as of July 2020 [FTCScamLoss], and the number is just the ‘tip of the iceberg’, as fraud is typically under-reported by consumers.
Blockchain, as one of the most popular techniques in recent years, has attracted great attention from attackers in this pandemic. As more businesses accept cryptocurrencies as payments and more people have been drawn to cryptocurrencies, more scammers have appeared to take advantage of these eager new targets to steal money. According to an FBI press release in April 2020, the number of scams related to cryptocurrency has increased greatly during the COVID-19 pandemic [fbipress]. For example, some scammers posing as the World Health Organization (WHO) sent fake emails asking for Bitcoin donations [fakewho]. They also used a forged email address, “firstname.lastname@example.org”, to defraud people. Also, it is reported that a malicious COVID-19 themed domain coronavirusapp.site claims to offer a real-time coronavirus tracking app [covidlock]. However, the app is a new kind of ransomware called “CovidLock” that locks the victim’s devices and demands Bitcoins within 48 hours in its ransom note. Besides, a number of Initial Coin Offering (ICO) and other token scam projects are taking advantage of COVID-19 to release trashy cryptocurrency tokens (e.g., CoronaCoin, COVID19 Coin) to cheat inexperienced investors [coronacoin]. For example, three consecutive exit scams happened for the CoronaCoin, which broke the project.
This Work. In this paper, we take the first step to characterize the coronavirus-themed cryptocurrency scams. Our goal is to systematically summarize and investigate different types of cryptocurrency scams related to COVID-19, explain how they work, measure their prevalence and characterize their impacts. To this end, we first create a taxonomy of COVID-19 themed cryptocurrency scams (see Section III). By resorting to security reports of COVID-19 cybersecurity attacks and scam reports obtained from discussion forums, we have summarized a taxonomy of 6 types of scams that take advantage of both COVID-19 and cryptocurrency to infect unsuspecting users. These scams include: 1) COVID-19 token scam, 2) COVID-19 giveaway scam, 3) COVID-19 blackmail scam, 4) crypto malware scam, 5) COVID-19 themed Ponzi scheme, and 6) crypto donation scam. By demystifying these types of scams, we propose a hybrid approach to collect scams in the wild (see Section IV), and identify 195 COVID-19 themed cryptocurrency scams in total, which correlate with 201 scam blockchain addresses, 57 scam domains, 14 crypto malware, 47 social accounts and 91 coronavirus-related tokens. We further measure the characteristics and impacts of these scams (see Section V). Our investigation shows that at least 330K US dollars has been stolen by the attackers from victims, which is a lower bound estimate of the prevalence and criminal profits associated with these scams.
To the best of our knowledge, this paper takes the first step to reveal the COVID-19 themed cryptocurrency scams with some unexpected and interesting observations. We believe this work shall shed some light on identifying scams related to public events. To boost future research, we have released all the collected scams to the community at:
II Background and Related Work
II-A Blockchain and Cryptocurrency
Blockchain was invented in 2008 by Satoshi Nakamoto to act as a public, decentralised ledger for the cryptocurrency Bitcoin. It is an open, distributed ledger that stores transactions or related events among involved parties. Blockchain is maintained by a peer-to-peer network and secured by cryptographic algorithms. By this design, each transaction in the block is verified by consensus among most of the system’s participants, and once entered, the data stored in the blockchain cannot be modified or erased.
Cryptocurrency is a kind of digital asset that uses cryptography to ensure the security of its creation and transactions. Most cryptocurrencies rely on blockchain techniques to operate. Since the birth of the first decentralised cryptocurrency, Bitcoin, thousands of cryptocurrencies have emerged in the world [allcrypto]. Cryptocurrencies other than Bitcoin can be classified into two types: altcoins, which are alternatives to Bitcoin, and tokens, which are unable to operate independently without existing blockchain platforms. Blockchains like Ethereum and EOSIO have simplified the development of token smart contracts. One can create a token smart contract with just a few lines of code. Recent work [tokenWWW] suggested that over 160,000 tokens exist on Ethereum.
II-B Cryptocurrency Scams
As cryptocurrencies are gaining more and more attention, malicious actors are also devoted to making a profit in this rich field. In 2019, cryptocurrency scams caused over 4.26 billion in losses [cryptoscam]. Although users, wallets and exchanges are taking more and more countermeasures to avoid being scammed, attackers can still come up with new scam techniques to defraud users of their money. Vasek and Moore surveyed the presence of Bitcoin-based scams [vasek2015there]. By gathering reports from voluntary vigilantes and reports tracked in online forums, they identified 192 scams and categorized them into four groups: Ponzi schemes, mining scams, scam wallets and fraudulent exchanges. After that, most scam studies focused on detecting Ponzi schemes [chen2018detecting, bartoletti2020dissecting, bartoletti2018data, vasek2018analyzing, chen2019detecting, toyoda2017identification, toyoda2019novel], fraudulent Initial Coin Offerings (ICO) [liebau2019crypto, zetzsche2017ico], market manipulation of cryptocurrencies [gandal2018price, chen2019market, hamrick2018economics, chen2019detecting, hamrick2018examination], blockchain honeypots [torres2019art], and phishing scams [wu2019phishers, phillips2020tracing], etc. To the best of our knowledge, this paper is the first work to study COVID-19 themed cryptocurrency scams.
II-C Security Analysis of Blockchain Ecosystem
In order to better deal with attacks on blockchain, many researchers have studied the blockchain ecosystem from multiple aspects. On the consensus mechanism, Bissias et al. [bissias2016analysis] presented a mathematical model of the mining process and used it to evaluate the double-spend attack. Huang et al. [EOSIO] studied the activities on EOSIO and found that over 30% of the accounts on the platform are bots and that there are 301 attack accounts in the real world. Chen et al. [chen2018understanding] conducted a systematic study on Ethereum by graph analysis and proposed approaches to address attack forensics and anomaly detection. Atzei et al. [atzei2017survey] studied attacks on Ethereum smart contracts and summarized the major vulnerabilities on the Solidity, EVM bytecode, and blockchain levels. Cryptocurrency exchanges have also been studied by many researchers [kim2018risk, mccorry2018preventing, chohan2018problems, feder2017impact, moore2018revisiting]. For example, Feder et al. [feder2017impact] investigated the impact of distributed denial-of-service (DDoS) attacks and other disruptions on the Bitcoin ecosystem, and found that the number of large trades on the Mt. Gox exchange fell sharply after the DDoS attacks. McCorry et al. [mccorry2018preventing] proposed a reactive mechanism to detect heists targeting cryptocurrency exchanges and freeze all withdrawals. This countermeasure also allows an exchange to bring a trusted vault key online to recover from compromise.
II-D COVID-19 Related Research
Since its outbreak, coronavirus has attracted great attention from the research community. A large number of studies have focused on the medical domain, including pathology, epidemiology, treatment and so on [bai2020presumed, zu2020coronavirus, onder2020case, shen2020treatment]. There are also some sociological or psychological studies on COVID-19, such as misinformation research or social impact analysis [pennycook2020fighting, nelson2020sociological]. Besides, many computer scientists have adopted computer techniques like machine learning to help medical practitioners deal with COVID-19. Zhang et al. [zhang2020covid] proposed the confidence-aware anomaly detection (CAAD) model to screen viral pneumonia on chest X-ray images. Wang et al. [wang2020covid] proposed COVID-Net, a deep convolutional neural network design tailored for the detection of COVID-19 cases from chest X-ray (CXR) images.
At the same time, however, there are also malicious actors exploiting this situation to conduct criminal activities in cyberspace. Some studies have been conducted on cybersecurity regarding these illegal behaviors [lallie2020cyber, mathewcybersecurity, radanliev2020digitalization, kallberg2020covid, ahmad2020corona, he2020beyond]. For example, Lallie et al. [lallie2020cyber] analyzed the timeline of cyber-attacks and found that there is a large gap between initial outbreak and first COVID-19 related cyber-attack. Furthermore, they utilised the UK as a case study to demonstrate how cyber-criminals leveraged key events and governmental announcements to carefully craft and design cyber-crime campaigns. Ahmad et al. [ahmad2020corona] analyzed the security challenges on the work-from-home model and proposed some recommendations on how to avoid being attacked by phishing websites or emails. He et al. [he2020beyond] presented a systematic analysis of coronavirus-themed malware and found that over 53% of the malicious apps they collected were camouflaged as official apps. They also found that these apps’ purposes are to steal users’ private information or to make profit by phishing and extortion. Sun et al. [sun2020vetting] analyzed the security and privacy issues of COVID-19 contact tracing apps. Although a few previous studies have mentioned coronavirus-themed scams, there is still a lack of systematic study on coronavirus-themed cryptocurrency scams, such as the impact and popularity of these scams.
III A Taxonomy of COVID-19 Crypto Scams
To understand the prevalence and characteristics of COVID-19 themed crypto scams in the wild, we first create a comprehensive taxonomy by manually analyzing the existing scam reports. We will explain how each kind of scam works in this section. Based on this taxonomy, we will further measure their popularity and impacts in Section IV and Section V.
[Table columns: Type of Scams | Tricks | Scam Entities | Example]
Creating the Taxonomy. We resort to the following information to create the taxonomy: 1) security reports of COVID-19 cybersecurity attacks released by security companies (e.g., DomainTools [domaintools] and McAfee [mcafee]), 2) over 40 scam reports obtained from scam accusations on Bitcointalk [bitcointalk] and BitcoinAbuse [bitcoinabuse], 3) COVID-19 themed scams summarized by the Federal Trade Commission (FTC) blogs [FTCBlog], 4) COVID-19 scams reported in the threat intelligence platforms (e.g., AlienVault [alienvault] and COVID-19 MISP [misp]), and 5) the related information found by searching keywords like ‘COVID-19 attack’ and ‘COVID-19 scam’ on Google. Finally, we have summarized a taxonomy of 6 types of scams related to COVID-19, as shown in Table I. We will detail these scams in the following subsections.
III-A COVID-19 Token Scam
A number of Initial Coin Offering (ICO) projects or other token-related scam projects take advantage of COVID-19 to release trashy cryptocurrency tokens to cheat inexperienced investors. In addition to claiming to help people alleviate the pain of the virus and lockdown, the founders of some tokens also indicate that they will participate in public welfare activities and donate part of the benefit of the tokens to charitable organizations. Moreover, many tokens can be traded on some decentralised cryptocurrency exchanges (DEX) and their promotion methods make investors think these tokens are profitable. However, some tokens are scams from the very beginning, and the founders would just disappear with the investment they receive from the ICO projects. Some token projects may run normally after issuing the tokens, but the project owners who possess most of the tokens will monetize their tokens when the price increases. This type of scam is also known as the “Pump-and-dump Scheme” [pumpscam], which has been studied by many researchers [hamrick2018economics, chen2019detecting].
Figure 1 shows the main page of the CoronaCoin [Footnote 1: Ethereum address: 0x10Ef64cb79Fd4d75d4Aa7e8502d95C42124e434b (Token symbol: NCOV)], which is claimed to be the first token related to COVID-19. It has gained more and more attention since being reported by Reuters, Nasdaq and New York Times [coronacoin1]. It is designed to be burned per 48 hours based on the number of infected and facilities. The team of this token calls this mechanism “proof of death”. It is advertised that in this way, the token will be deflationary and its value will increase. Although they donated about $235 on March 6th to the Red Cross for the first time, which seems to prove they operated this project with a good will, three consecutive exit scams happened afterwards. The CoronaCoin’s developers and administrators of different periods monetized the large amount of tokens they managed based on the “Pump-and-dump Schemes”. These scams broke the project, leading to its current failure. From the scam accusation reports on BitcoinTalk [coronacointalk], many investors found that this token was a scam at the very beginning and they condemn the behavior of designing scams by exploiting the pandemic, but many unsuspecting investors were still deceived.
III-B COVID-19 Giveaway Scam
The giveaway scam is a commonly used trick in the field of cryptocurrency scams, and it is no exception when it comes to the COVID-19 themed scams. The malicious actors promise to reward users based on the money (tokens) that the users send, but they will not fulfill their promises in the end. The giveaway scam can be delivered using both social networks (e.g., Twitter) and content sharing services (e.g., YouTube).
Figure 2(a) shows an example of a giveaway scam reported on BitcoinAbuse. This YouTube video shows Bill Gates’ speech about Bitcoin and pandemic investment, into which a giveaway scam Bitcoin address 1Gatesk17u25gLEk4JNYMDTg8WkCmLpn47 is inserted. It asks users to send Bitcoins to this address so that they will gain a double payback.
It is interesting to see that there is a “Gates” in the address and this may increase the credibility of the scam.
Giveaway scams are also prevalent on social networks. Note that our investigation reveals that the scams can be distributed by either scam social accounts or hacked accounts. The scam social accounts are usually fake accounts that impersonate famous people. For example, there are many fake accounts that have the same name, avatar and other information as Vitalik Buterin (one of the co-founders of Ethereum). In this way, they can post giveaway scam tweets to cheat unsuspecting users. For the hacked accounts, one of the largest campaigns is the Twitter’s massive attack on July 15th, 2020 [twitterhack]. The Twitter accounts of major companies and individuals were compromised and these accounts were controlled to conduct a COVID-19 themed giveaway scam. Figure 2(b) shows one of the scam tweets. The attackers used Warren Buffett’s account to ask for Bitcoins to be sent to their addresses and promised to return a double payback. Till July 16th, the scam address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh has received BTC (about 110K US dollars) [Footnote 2: Note that, since the price of cryptocurrencies fluctuates over time, we estimate the price based on the closing price of each cryptocurrency on July 16th, and the same below.].
III-C COVID-19 Blackmail
The cryptocurrency-related extortion emails are mainly focused on sextortion, according to previous work [SpamsSextortion]. During this pandemic, attackers have adopted some other social engineering techniques for extortion. For example, attackers can ask for money by threatening that they are able to infect the emails’ receivers with coronavirus. There are also some scam emails claiming that they have a cure for coronavirus.
Figure 3 shows an example of a COVID-19 crypto extortion email. The attacker claims to be the victim’s neighbour who was infected with coronavirus. He asks for Bitcoins to be sent to 18P3S6DuNUpW2WLozsrrW6rRd6xh24Rc7N, otherwise he will spread the virus. This address is reported 15 times on BitcoinAbuse and fortunately it only receives US dollars in total. We will further discuss the social engineering techniques used in these scams and their impacts in Section V.
III-D COVID-19 Crypto Malware
Ransomware is a type of crypto malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Ransomware is quite popular in recent years and is studied by both cybersecurity industry and academia [ransomstate, paquet2019ransomware, homayoun2019drthis]. Ransomware attack is typically carried out using a Trojan that is disguised as a legitimate application. COVID-19 has been invoked for malicious purposes by the ransomware creators. They usually impersonate coronavirus-related apps to trick users into installing them. Once launched, it will encrypt the victim’s mobile phone files or force a lock screen and extort a high ransom. Besides, there are also other crypto malware like crypto miners in the wild.
Figure 4 is an example of a mobile ransomware [Footnote 3: MD5: d1d417235616e4a05096319bb4875f57], which is distributed on a malicious COVID-19 themed domain http://coronavirusapp.site. Once launched, the malware will lock the user’s phone and ask for Bitcoins. The button on the screen will direct users to a Pastebin link (https://pastebin.com/GK8qrfaC) and this link is a note of the attacker’s Bitcoin address 18SykfkAPEhoxtBVGgvSLHvC6Lz8bxm3rU.
III-E COVID-19 Ponzi Scheme
Ponzi Scheme is a kind of scam promising high rates of return with little risk to investors [ponzidefine]. In fact, the attackers will only pay back the early investors using the money that the subsequent investors deposit, and they will finally take all the money they get and leave. Lots of studies are focused on this kind of scam, both on normal blockchain Ponzi schemes [bartoletti2018data] and Ponzi schemes built on smart contracts [chen2018detecting, bartoletti2020dissecting]. Malicious actors also exploit the pandemic to carry out Ponzi schemes, claiming to help people reduce economic pressure of income fluctuations during quarantine.
As shown in Figure 5, the domain https://coronainvest.io/ hosts a Ponzi scheme event. The attackers claimed that they will invest in coronavirus’ vaccine and give stable and high return to the investors. With such a promise, the website did not survive for a long time. According to Wayback Machine [Footnote 4: http://web.archive.org/web/20200315040815/https://coronainvest.io/], the website can be accessed earlier than March 15th and it was shut down by the time of March 29th.
III-F Fake Crypto Donation
Besides some common scams on cryptocurrency, we also find many coronavirus-themed crypto donation scams spread via emails, social networks and websites. Attackers may pose as health-related official organizations or departments like the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO) and the United Nations International Children’s Fund (UNICEF). Moreover, some of them pose as a charity group or individual to ask for help during this pandemic. In general, they will ask people to send money to their cryptocurrency wallet addresses in the name of donations.
The domain http://covid-coin.com/ shown in Figure 6 is a fake donation domain, which was flagged as malicious by VirusTotal. The attackers call for the cryptocurrency community to fight the virus by donating to them. The domain is built simply based on WordPress and supports donations in 7 cryptocurrencies. As another example, the email shown in Figure 7 is a donation scam in which the attacker pretended to be WHO (using the email address “email@example.com”) to ask people to donate to the COVID-19 Solidarity Response Fund.
IV Collecting COVID-19 Crypto Scams
In order to fully understand the prevalence of COVID-19 scams in the wild, we have adopted a hybrid approach to conduct the investigation by: 1) collecting reported scams in the wild; and 2) detecting undisclosed ones based on information collected from various sources. Figure 8 shows the overall procedure of our approach.
IV-A Harvesting Reported Scams
Based on the taxonomy of COVID-19 scams summarized in Section III, we resort to the following scam databases for collecting known ones reported by users.
1) BitcoinAbuse. BitcoinAbuse is a database where users can report malicious or scam Bitcoin addresses they encountered. By the time of this study, BitcoinAbuse has aggregated more than 170K Bitcoin addresses, which are mainly used in ransomware, blackmails, and giveaway scams. To identify the COVID-19 themed scams, we use keywords like “COVID” or “Corona” to fetch related malicious addresses. Through this, 31 COVID-19 scam Bitcoin addresses are identified from BitcoinAbuse. Based on the tags and descriptions provided by users, we manually classify them into 17 donation scams, 9 blackmail scams, and 5 giveaway scams.
2) CryptoScamDB. CryptoScamDB [cryptoscamdb] aims at collecting malicious cryptocurrency domains and related blockchain addresses using a crowd-sourcing based method. By the time of this study, there are over 7,700 malicious cryptocurrency domains collected by CryptoScamDB. To identify COVID-19 related scams, we use heuristics to search keywords like “COVID” or “corona” in both the domain names and the labels provided by CryptoScamDB. However, we did not find any scams related to COVID-19 from CryptoScamDB.
3) BitcoinTalk. BitcoinTalk is an online forum devoted to the discussion of Bitcoin and other cryptocurrencies. It hosts a “Scam Accusations” board for people to report cryptocurrency scams. Thus, we have implemented a crawler to get all the related posts, and then identify scams related to COVID-19 using keyword matching. Finally, we get 11 related posts. Manual verification suggests that there are 4 token scams, 2 Ponzi schemes, 2 ransomware and 1 donation scam from these posts.
4) Threat Intelligence Platforms. Threat intelligence platforms like AlienVault and some security companies like McAfee provide reports related to coronavirus-themed attacks. These reports often contain indicators of compromise (IoCs), which can reflect attackers’ properties to a certain extent. We use a crawler to fetch all the reports on them and identify 9 COVID-19 cryptocurrency scam cases. Based on the detailed descriptions provided by these reports, we have categorized them into 4 donation scams, 5 ransomware and 2 giveaway scams.
5) StopScamFraud. StopScamFraud [stopscamfraud] is a platform collecting users’ reports on scam emails and till now there are over 900 mail accusations related to COVID-19. As we only consider cryptocurrency related scams, we search the blockchain related keywords (e.g., Bitcoin, Ethereum, etc.) and do not find any related scam accusations.
IV-B Detecting Unrevealed Scams
To further identify unrevealed COVID-19 crypto scams in the wild, we first perform a semi-automated analysis to identify suspicious scam entities, and then manually verify them. As we summarize in Table I, the scams can be delivered via entities including tokens, domain, malware, smart contract (DApp), email, and social network. Thus, our goal is to identify the scam entities related to COVID-19.
1) Scam Tokens. Etherscan [etherscan] is an Ethereum blockchain explorer that tracks tokens on Ethereum. We resort to Etherscan to search for COVID-19 themed ERC-20 and ERC-721 tokens [Footnote 5: ERC-20 and ERC-721 are both token standards in Ethereum. ERC is a set of rules that the developers have to follow so they can implement a token in the Ethereum blockchain ecosystem. It includes information about the protocol specifications and the description of the contract.] using keywords like “corona” and “COVID-19”. By the time of our study, we have identified 87 tokens that target the pandemic. To verify whether they are indeed scams, on one hand, we search these tokens (with their corresponding addresses) in Google to check whether they have related websites, social accounts or scam reports. On the other hand, we manually analyzed all their smart contracts, to see if they use simple ERC-20 or ERC-721 code samples without additional functions. Based on our manual verification, we believe all of them are trashy tokens without any value. COVID-19 is only used as a publicity stunt to cheat unsuspecting users.
2) Scam Domains. We seek to identify the malicious domains related to COVID-19 first, and then try to detect whether some of them belong to the Ponzi scheme scams or domain scams we summarized. Here, we take advantage of URLScan [urlscan], which is an online service that provides history snapshots, IP resolutions and other detailed information of massive domains. We use a number of keywords including “coronavirus”, “COVID-19” and their squatting ones (e.g., cor‘a’navirus, cor‘oo’navirus) [Footnote 6: Previous work suggested that typosquatting [typosquatting] and combosquatting [combosquatting] attacks are prevalent in malicious domains.] to identify the domain names that contain the keywords from URLScan. Combining with COVID-19 themed domains fed by RiskIQ [riskiq], we have identified newly registered domains that contain COVID-19 related keywords since January 2020. We further use VirusTotal [virustotal], a popular online service that aggregates over 60 anti-virus engines, to check whether the COVID-19 domains are malicious. At last, we identify COVID-19 domains flagged as malicious by VirusTotal. For the malicious domains, after excluding the domain parking web pages, we use a heuristic approach to identify and classify the cryptocurrency related scams. Since domains that contain words like “crypto”, “bitcoin”, “invest”, “donation” tend to carry out coronavirus-themed cryptocurrency scams, we select such domains that contain keywords in their domain names, as the scam candidates (over 150 domains found). Then, we perform a manual inspection to determine whether they are cryptocurrency scams. At last, we have manually verified 7 Ponzi scheme domains, 2 donation scam domains, and 2 giveaway scam domains in this way.
3) Scam Malware. To identify the COVID-19 themed cryptocurrency malware, we rely on two data sources. On one hand, for the aforementioned COVID-19 domains flagged as malicious, we use a premium API provided by VirusTotal to get files related to these malicious domains, i.e., files that communicate to these domains or files that are downloaded from these domains. After this step, we have collected binaries and of them are flagged as malicious by VirusTotal. On the other hand, we use Koodous [koodous], a large Android app repository with over 62 million apps in total by the time of this work, to find suspicious COVID-19 themed malware. Koodous contains historical apps from various sources. In this work, we collect the metadata of related apps whose app names or package names contain COVID-19 keywords. In this way, apps are collected. For all the collected binaries, we further use VirusTotal and AVClass for labelling their malware families. As we only consider COVID-19 themed ransomware and cryptomining malware in this work, all the malware whose families are labelled “Ransomware”, “Locker” or “Coinminer” are kept for further research. Thus, 4 COVID-19 ransomware and 5 COVID-19 cryptomining malware are identified.
4) Scam Social Network Posts/Accounts. Social network is the major channel for distributing and advertising COVID-19 cryptocurrency scams. Thus, we resort to Twitter and Telegram to identify more scams. To be specific, we first identify Tweets and Telegram discussions that contain both the COVID-19 keywords and cryptocurrency keywords. Then, we manually inspect their contents. For example, if we find a Twitter account that imitates an official account to publish donation information, we will flag it as a donation scam. If we identify Tweets that advertise giveaway information like Figure 2(b), we will mark it as a giveaway scam. We have analyzed all the related Tweets and Telegram discussion from January 2020 to July 2020, and we have identified 30 donation scams and 10 giveaway scams, distributed by 37 Twitter accounts and 3 Telegram accounts.
5) Scam Smart Contracts (DApps). Previous work [chen2019detecting, bartoletti2020dissecting] suggested that some DApps (smart contracts) are actually Ponzi schemes. To verify whether the Ponzi DApps take advantage of COVID-19, we resort to DAppTotal [dapptotal], a well-known DApp explorer to find whether there are coronavirus-themed DApps. However, our keywords searching does not find any DApps related to COVID-19.
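Step 2) above selects COVID-19 domains, including squatted spellings, and then keeps those whose names carry cryptocurrency terms. A sketch of that name-based triage follows, as an added example that is not the authors' code and omits the VirusTotal check and manual inspection. The crypto keyword list follows the words quoted in the text; the COVID keyword list, the edit-distance threshold of 1, the function names and the `.example` domains are assumptions constructed here.

```python
import re

# Exact COVID-19 keywords (assumed list) and the word checked for squatted spellings.
COVID_KEYWORDS = ("coronavirus", "corona", "covid")
SQUAT_TARGET = "coronavirus"
# Cryptocurrency-related words quoted in the text.
CRYPTO_KEYWORDS = ("crypto", "bitcoin", "invest", "donation")

# Sample input: two domains named on the page plus constructed .example domains.
SAMPLE_DOMAINS = [
    "coronainvest.io",               # from the page (Ponzi scheme example)
    "coronavirusapp.site",           # from the page (ransomware, no crypto keyword)
    "coranavirus-bitcoin.example",   # constructed: substitution squat + "bitcoin"
    "coroonavirusdonation.example",  # constructed: insertion squat + "donation"
    "cryptonews.example",            # constructed: crypto keyword, no COVID keyword
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_part(domain):
    """Lower-case the domain, drop the last label (TLD) and all non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", domain.lower().rsplit(".", 1)[0])


def covid_match(domain):
    """Return 'exact' for a keyword hit, 'squat' for a near-miss spelling, else None."""
    name = name_part(domain)
    if any(k in name for k in COVID_KEYWORDS):
        return "exact"
    n = len(SQUAT_TARGET)
    # Slide windows one character shorter, equal and longer than the target so
    # that one deletion, substitution or insertion is caught.
    for width in (n - 1, n, n + 1):
        for start in range(len(name) - width + 1):
            if edit_distance(name[start:start + width], SQUAT_TARGET) <= 1:
                return "squat"
    return None


def crypto_scam_candidates(domains):
    """Keep COVID-themed domains whose names also contain a crypto keyword."""
    out = []
    for d in domains:
        kind = covid_match(d)
        if kind and any(k in name_part(d) for k in CRYPTO_KEYWORDS):
            out.append((d, kind))
    return out


if __name__ == "__main__":
    for domain, kind in crypto_scam_candidates(SAMPLE_DOMAINS):
        print(f"{domain}\t{kind}")
```

The output is a candidate list for manual inspection, not a verdict.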
Note that, as we cannot get unrevealed email scams from public information, we did not identify any new scam emails besides the reported ones. For all the detected scams, we further analyze them using a semi-automated approach to identify their correlated blockchain addresses (if available). To be specific, we first use regular expressions [Footnote 7: For example, the regular expression (bc1|)[a-zA-HJ-NP-Z0-9]{25,39} is used to identify Bitcoin addresses.] to identify blockchain address candidates, and then we manually verify whether they are real addresses.
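The candidate-then-verify step described above can be partly automated. The following is an added example, not the authors' code: a regular expression modelled on the one in the footnote finds Bitcoin address candidates, and the Base58Check and Bech32 checksums reject strings that merely look like addresses. The report text is constructed; the `\b` anchors, the function names and the use of the well-known genesis-block address as a known-good vector are assumptions of this example.

```python
import hashlib
import re

# Candidate pattern modelled on the paper's footnote; the \b anchors are an
# assumption added here so longer alphanumeric runs are not cut into matches.
CANDIDATE_RE = re.compile(r"\b(?:bc1|)[a-zA-HJ-NP-Z0-9]{25,39}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Constructed sample text. The bc1 address is the one quoted on the page; the
# legacy address is the Bitcoin genesis-block address, used as a known-good vector.
SAMPLE_REPORT = """
[constructed] Tweet: send BTC to bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh and get double back
[constructed] Forum post, mistyped copy: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlj
[constructed] Known-good legacy vector: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
[constructed] Mistyped legacy copy: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
[constructed] Cookie: sessionid4f9a2c7d1e8b3a6c5d0f7e2b
"""


def base58check_ok(addr):
    """True if addr decodes to version byte + 20-byte hash + correct 4-byte checksum."""
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:                      # e.g. '0' or 'l', which Base58 excludes
            return False
        num = num * 58 + idx
    leading_zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):    # mainnet P2PKH / P2SH
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def _bech32_polymod(values):
    """BCH checksum polynomial from BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_ok(addr):
    """True for a mainnet segwit address with a valid Bech32 (v0) or Bech32m (v1+) checksum."""
    if addr != addr.lower() and addr != addr.upper():   # mixed case is invalid
        return False
    addr = addr.lower()
    if not addr.startswith("bc1"):
        return False
    data = [BECH32_CHARSET.find(c) for c in addr[3:]]
    if len(data) < 7 or min(data) < 0 or data[0] > 16:
        return False
    hrp_expanded = [ord(c) >> 5 for c in "bc"] + [0] + [ord(c) & 31 for c in "bc"]
    expected = 1 if data[0] == 0 else 0x2BC830A3        # BIP173 vs BIP350 constant
    return _bech32_polymod(hrp_expanded + data) == expected


def extract_addresses(text):
    """Return (candidate, verdict) pairs; verdict is 'bech32', 'base58check' or 'rejected'."""
    results = []
    for match in CANDIDATE_RE.finditer(text):
        cand = match.group(0)
        if cand.lower().startswith("bc1"):
            verdict = "bech32" if bech32_ok(cand) else "rejected"
        elif base58check_ok(cand):
            verdict = "base58check"
        else:
            verdict = "rejected"
        results.append((cand, verdict))
    return results


if __name__ == "__main__":
    for cand, verdict in extract_addresses(SAMPLE_REPORT):
        print(f"{verdict:12} {cand}")
```

A passing checksum shows only that a string is a well-formed address; whether it belongs to a scam still needs the manual check the text describes.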
IV-C Dataset Overview
Table II shows the statistics of scams we collected. Overall, we have identified 195 COVID-19 cryptocurrency scams, including 91 token scams, 19 giveaway scams, 9 blackmails, 14 crypto malware, 9 Ponzi schemes and 53 donation scams. These scams correspond to 91 COVID-19 tokens, 57 malicious COVID-19 domains, 14 COVID-19 themed malware, and 47 social accounts on Twitter and Telegram. Besides, we have identified 201 blockchain addresses correlated with them.
V Measurement of COVID-19 Crypto Scams
In this section, we analyze the overall trends of COVID-19 crypto scams, investigate the tricks and social engineering techniques used in scams, and further measure the impacts.
V-A The Trends of COVID-19 Cryptocurrency Scams
V-A1 Distribution of Scams
The distribution of scams is shown in Table III. Obviously, the token scams (46%) and donation scams (27%) are dominant in the ecosystem. There might be two reasons. First, cryptocurrencies are claimed to be the Safe Haven Asset (compared with the fiat currency). Thus, during the pandemic, malicious actors have the motivation to use COVID-19 token scams to cheat inexperienced users. Second, most people want to help fight the pandemic, so the scammers take advantage of this opportunity to act as the official agencies (e.g., WHO) to advertise a number of donation scams.
V-A2 Overall Impacts of Scams
We further estimate the overall impacts of scams. It is non-trivial to estimate the impacts, as we can only resort to the blockchain transactions related to these scam addresses, which is a lower-bound estimation. We have collected all the transaction records related to these scam addresses till July 16th 2020. Since some scam addresses have been active for a long time before 2020 (as they might be involved in other types of scams before this pandemic), we only consider the transactions related to these scam addresses since the beginning of the pandemic (early 2020) when calculating the overall financial losses of scams. Note that token scam is a special case. Here, we only consider the holders who have the corresponding COVID-19 trashy tokens. As there are 91 scam tokens, we estimate their prices based on the latest value shown in exchanges. For the tokens we cannot get their latest value from exchanges (which means that they have no trade records on exchanges), we do not count their value. Thus, our estimation is definitely a lower bound of the COVID-19 cryptocurrency scam ecosystem.
As shown in Table III (columns 4 and 5), the overall financial losses contributed by victims exceed 333K US dollars. Giveaway scams are the most profitable category (over $287K), with over 500 victims scammed. Besides, donation scams received at least $21K from 103 victims, and the volume of token scams is over $23K. We further investigate each scam category in the following subsections.
V-A3 The Distribution of Scam Blockchain Addresses
Table IV shows the distribution of the 201 scam addresses. (Note that we list token scams’ addresses separately, because these scams are based on comprehensive designs like “Pump-and-dump” schemes and these addresses cannot be simply measured with transactions on addresses.) It can be observed that Bitcoin addresses dominate the scams (40.3%), followed by Ethereum with 18 addresses. Among these scam addresses, 138 are active in 2020.
|Scam Tokens||91 (91)||-||-||23,178.0|
The Evolution of Scam Addresses. We further analyze the evolution of all the 151 scam addresses that have ever had transaction records (including 13 addresses that only received transactions before 2020), as shown in Figure 9. It is interesting to see that there are 20 addresses in total that were active before 2020, indicating that they were related to other scam activities before this pandemic. Most of the scam addresses (86.8%) are active after 2020. There is a sharp increase in March and April 2020, which is in line with the time of the global outbreak of COVID-19. Among the 131 addresses that newly emerged in 2020, the first address that succeeded in receiving cryptocurrencies is 0x4e4f4153C6DA6c6df6ecA1f3BF367E5461Ad8F88, which belongs to a giveaway scam extracted from a Telegram account “Help_covid19funds”. It received ETH on 7th February and has received ETH (about $1518.7) in total.
The Distribution of Transactions. The distribution of the scam addresses’ incoming transactions is shown in Figure 10. For the amount of financial losses, most of them are small transactions, i.e., over 90% of the transactions are below US dollars and 67.6% of the transactions are below 100 US dollars. The largest transaction happened on July 15th, when the address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh, associated with the Twitter hack event, received 4.56 BTC (roughly US dollars). As to the transaction time, the first transaction to a scam address happened on January 19th, 2020, and the donation scam address 0x376624e29f8c52b0181bdd794c76fd1058963334 received USDT. The Twitter hack campaign on July 15th accounts for over half of the incoming transactions in our dataset, suggesting its great impact on the blockchain community.
The Most Profitable Addresses. On average, each active scam address has received transactions. The most active address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh has received 321 transactions. We further analyze the distribution of money each scam address received, as shown in Figure 11. It can be observed that over 61.7% of the active addresses have received less than $ equivalent cryptocurrencies. Table V shows the top-5 most profitable addresses in our dataset. Notably, three of them belong to the Twitter hack related addresses. The largest one has received 14.75 Bitcoins, which is equivalent to roughly $.
|Address||Description||Scam Category||# of Incoming Transactions||# of Cryptos Received||Est. Value ($)|
|1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF||A Twitter hack address||Giveaway Scams||39||14.75BTC||134,781.2|
|bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh||A Twitter hack address||Giveaway Scams||321||12.02BTC||109,799.9|
|182P8T7MM9assMo7V9YpqZ925yJX8HZurL||A campaign posing as Bill Gates’ foundation||Giveaway Scams||23||1.4BTC||12,838.2|
|142pEjfSBh8cnvE7BMJXMjoSBedJWvRKAG||A campaign reported by Spam404||Donation Scams||1||1.0BTC||9,132.2|
|1cv4tEUqUY7PciJaJWzFCxRuK75veTQNS||A Twitter hack account||Giveaway Scams||6||0.7BTC||6,440.2|
The Relationship among Scam Addresses. Furthermore, we attempt to investigate relations among scam addresses, i.e., whether they are controlled by the same malicious campaigns. For addresses that have ever received transactions on Bitcoin and Ethereum, we analyze their relationship based on the money flow, i.e., transactions from one address to another. Figure 12 shows the relationship between scam addresses. There are 3 types of addresses in the graph: 1) the labelled scam addresses (we exclude silent scam addresses that have no transaction records); 2) the victim addresses, which have transferred money to scam addresses but did not receive money from them; and 3) the fund transfer addresses, which serve as money laundering channels, i.e., they receive money from scam addresses and help the attackers transfer the money they have scammed.
There are scam addresses, victim addresses and fund transfer addresses shown on Figure 12. On average, each BTC scam address is connected to victim addresses and each ETH scam address is connected to victim addresses. Interestingly, some scam addresses are clustered into the same group. Here, we perform the connected component analysis: as long as there is a path between two scam addresses, we cluster them together. Note that we have excluded the impacts introduced by exchange addresses, as different scam addresses can exploit the same exchange address for money laundering. As a result, 9 scam addresses are clustered into 3 clusters. For example, the address cluster centred on address bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l is the Twitter hack address group. These addresses are connected to 533 victim addresses and 38 transfer addresses. Most of the money they received was finally transferred to 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF, another scam address in the group, and was then transferred to multiple addresses for money laundering. We also find a new scam campaign based on the relationship of the addresses. The addresses are 182P8T7MM9assMo7V9YpqZ925yJX8HZurL and 1Gatesk17u25gLEk4JNYMDTg8WkCmLpn47, which are connected by 2 fund transfer addresses. It is interesting to see that they both carried out giveaway scams and used similar domains (gatesbtc.live and gatesmicrosoft.tech) which impersonated Bill Gates’ foundation.
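The address typing and connected component analysis described above can be sketched as follows. This is an added example, not the paper's own code: the function names are hypothetical, the address labels are constructed placeholders, and it assumes the exchange addresses are already labelled.

```python
from collections import defaultdict

# Constructed sample data: (sender, receiver, amount). Labels are placeholders,
# not real blockchain addresses.
SCAM = {"S1", "S2", "S3", "S4", "S5"}       # S5 is silent (no transactions)
EXCHANGES = {"EX1"}                          # assumption: labelled beforehand
TXS = [
    ("V1", "S1", 0.10), ("V2", "S2", 0.20),    # victims pay scam addresses
    ("S1", "T1", 0.10), ("S2", "T1", 0.20),    # both cash out through T1
    ("V3", "S3", 0.30), ("V4", "S4", 0.10),
    ("S3", "EX1", 0.30), ("S4", "EX1", 0.10),  # both deposit at one exchange
]

def classify(txs, scam, exchanges):
    """Split non-scam counterparties into victim and fund transfer addresses."""
    paid_scam, paid_by_scam = set(), set()
    for src, dst, _ in txs:
        if dst in scam and src not in scam:
            paid_scam.add(src)
        if src in scam and dst not in scam:
            paid_by_scam.add(dst)
    # Fund transfer: received money from a scam address (exchanges excluded).
    transfer = paid_by_scam - exchanges
    # Victim: sent money to a scam address and never received any back.
    victims = paid_scam - paid_by_scam - exchanges
    return victims, transfer

def cluster_scam_addresses(txs, scam, exchanges):
    """Group scam addresses joined by any money-flow path (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    for src, dst, _ in txs:
        # Edges touching an exchange are dropped so that a shared exchange
        # does not merge unrelated campaigns.
        if src in exchanges or dst in exchanges:
            continue
        parent[find(src)] = find(dst)

    groups = defaultdict(set)
    for addr in scam:
        groups[find(addr)].add(addr)
    # Only groups with at least two scam addresses count as a cluster.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(classify(TXS, SCAM, EXCHANGES))
    print(cluster_scam_addresses(TXS, SCAM, EXCHANGES))  # exchanges excluded
    print(cluster_scam_addresses(TXS, SCAM, set()))      # exchanges kept
```

Running the clustering with an empty exchange set merges S3 and S4 through the shared exchange, which is the false link the exclusion step is meant to prevent.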
V-B COVID-19 Token Scam
V-B1 The Evolution of Tokens
There are 91 COVID-19 scam tokens in our dataset. The distribution of their creation time is shown in Figure 13. After 2 test tokens were created, the first CoronaCoin (address: 0x10Ef64cb79Fd4d75d4Aa7e8502d95C42124e434b) was created on 4th February 2020, and a large number of tokens were created after that. Notably, when the coronavirus raised global concern in March, 31 (34.1%) new tokens were created.
V-B2 Current Status of Tokens
The number of a token’s holders and transfers can reflect the activity of the token to a certain extent. Figure 14 shows the current status of these tokens. (We crawled the data until block , i.e. UTC 2020-07-16 11:59:59 PM.) 84.62% of the tokens have less than 60 transfers and 86.81% of the tokens have less than 50 holders, indicating that most scam tokens do not attract much attention. There are 5 tokens that have more than 200 holders, and their information is listed in Table VI. Note that the first 3 tokens have the same name ‘CoronaCoin’, so we add a suffix based on their online time to distinguish them.
|Token Name||Token Address||# of Holders||# of Transfers||Creation Date|
|CoronaCoin #1||0x10Ef64cb79Fd4d75d4Aa7e8502d95C42124e434b||2016||29896||Feb 4th|
|CoronaCoin #3||0x0c2c5E2b677dEa43025B5DA5061fEcE445f0295B||998||3666||Apr 3rd|
|CoronaCoin #2||0xb80112E516DAbcaC6Ab4665f1BD650996403156C||740||4906||Mar 30th|
|Corona Coin||0x170467C28C4BF99f2D3840E730498F730a526Da2||281||320||Apr 5th|
V-B3 Price and Volume
Among these tokens, several are listed on decentralised cryptocurrency exchanges (DEX), so that we can fetch their daily price and volume. We choose the price and volume from Saturn Network Exchange (https://www.saturn.network/) because we can find most tokens (16) listed there. Their daily average volume is shown in Figure 16. (Note that due to space limitation, we only list the top-12 tokens based on their volume.) Figure 15 shows the daily closing price of the top 3 tokens that have the highest average volume. The highest price ETH of CoronaCoin #1 occurred on Feb 11th, but considering its normal volume that day, we believe it is just a single case in which the transaction is likely to have been initiated by the founders of CoronaCoin #1, whose sole purpose was to increase the price of this token. After that, the price of CoronaCoin #1 rises due to increasing attention. On March 4th, a developer of the group made an exit scam by dumping all the tokens he had, which made the price decrease sharply. CoronaCoin #2 and #3 were both created as forks of their former versions because of exit scams, and that is why the price curves of CoronaCoin #1 and #2 dropped rapidly in late March and early April.
|A Twitter hack address||bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh||321||12.02 BTC||109,799.9|
|vitalikgiveaway (Telegram)||0xd03dc334fb65cea1b83e654b26515e72694a713f||41||5.92 ETH||1,383.2|
|A Twitter hack address||1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF||39||14.75 BTC||134,781.2|
|A Twitter hack address||bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l||36||0.55 BTC||5,050.4|
V-B4 ICO Scam and Exit Scam
By manual investigation, we found that 7 out of the 91 scam tokens exhibit ICO scam and exit scam behaviors. CoronaCoin #1 has two evident exit scams. One is on March 4th, when a developer dumped 5 million tokens from the dev wallet, which profited him ETH (about $) (the actor’s address: 0x1865E7b66c3996Bd55e7dD88a16B897f4123D2A7). On March 30th, the lead developer compromised the wallet (address: 0xf19afb42e574831776e7af0898f05c1b306bf3b7) that was originally intended to donate to the Red Cross, and he got ETH (about $). The rest of the team migrated the project to CoronaCoin #2, and shortly after that, the third dump happened, in which the malicious actors (address: 0x4121CB0d7AA53AAbc7596c9cAfaa02B1863a2aC7) got 10 ETH (about $). Similar Pump-and-dump scams are found in VaccinaCoin (address: 0x567d297d0cbb66195b268162a4547f220ef49c51, which is found on BitcoinTalk and claims to help COVID-19 vaccine production) and COVID19 (address: 0x6b466b0232640382950c45440ea5b630744eca99).
There are two scam tokens involved in the ICO scam, i.e., they either provide fake information or entice users to buy the token using giveaway-like tricks. Luckily, these ICO scams have not scammed many users. The Corona Virus Coin (address: 0x49017D1cE3359a3b81AE8417731298126Ff751F1) involved only 1 victim, with merely dollars of income. The other one is CoronaAid (address: 0xd3CD8Ce0c357CAdC16F812884c2dDb89F8A22103), which had not received money by the time of the study.
V-B5 The Creators of Scam Tokens
We further analyze the creators of scam tokens, as shown in Figure 17. Overall, 73 creators created 91 tokens. Over 81% (74) of the tokens are created by external addresses (i.e., by humans), while the remaining tokens (17) are created automatically (i.e., by smart contracts). We observe that some creators (9 external addresses and 2 contract addresses) have released more than one COVID-19 scam token. For example, the address 0xec9005224daa378598aa0ea8f4c656d5a7c6de76 created 4 tokens. After creating 3 tokens that are less popular, this address created the 4th token named “Corona Coin” (address: 0x170467C28C4BF99f2D3840E730498F730a526Da2), which has 281 holders by the time of this study.
We also find that 5 tokens are created by the token template contract MiniMe (https://github.com/Giveth/minime, address: 0x909d05F384D0663eD4BE59863815aB43b4f347Ec), which has reduced the effort of creating scam tokens.
|1PQMFqfnEtddpPwHyB3E3jWvakDZRmZtCg||Selling products||2||0.023 BTC||213.0|
|1NM8LLAGcMHjPZJ5ysUWvNrVjwFtQnYjYe||Selling products||1||0.017 BTC||151.5|
|1JoWQUtGcP2yYdQwDcjsUxgrZjntrBqLLQ||Selling products||2||0.016 BTC||149.9|
|18P3S6DuNUpW2WLozsrrW6rRd6xh24Rc7N||Virus spread threat||1||594 Satoshi||0.1|
|bc1q9l5tvr322w36ky9ex8kfhzjhffahmqmxg8s3we||Virus spread threat||0||0||0|
|bc1q9tpt4dffddj4dgtt8c8meeghvcqveml8j4n9wz||Virus spread threat||0||0||0|
|bc1qxaujxahx5wvfe4dy4eq5q939yw7ffmj8tctwpj||Virus spread threat||0||0||0|
|bc1q2868603740f4y3yq6x7ksmqq2gyynyeegpvtc4||Virus spread threat||0||0||0|
|App Name||Source||MD5||Address||Total Received($)|
V-C COVID-19 Giveaway Scam
In total, we find 19 cases of coronavirus-themed giveaway scams, to which 5 domains and 10 social accounts are related. Among them, 14 of 21 extracted addresses have succeeded in receiving cryptos in 2020. Table VII shows the top-5 active addresses. The most popular address is bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh, which received 321 transactions. This address is a Twitter hack address and was not used until July 15th. Besides the Twitter hack, the most active address in Ethereum is 0xd03dc334fb65cea1b83e654b26515e72694a713f, whose attackers pretend to be Vitalik Buterin, a co-founder of Ethereum, and got about US dollars. It can be observed that coronavirus-themed giveaway scams impersonating famous persons or organizations could be more effective.
V-D COVID-19 Crypto Blackmail
We get 9 addresses related to blackmail. They are all Bitcoin addresses and were reported 23 times in total on BitcoinAbuse by users. The profit they made is shown in Table VIII. To our surprise, attackers do not make much profit through these methods: the most profitable address, which claims to sell products during the pandemic, has received 0.023 BTC, and 6 of the addresses did not receive any money. This may be because people’s awareness of such scams has increased and mail content threatening to infect people with the virus is difficult for people to believe.
V-E COVID-19 Crypto Malware
As for coronavirus-themed crypto malware, we find 5 Android ransomware apps and 9 Windows malware binaries (4 labeled as Ransomware and 5 labeled as Coinminer). By manual investigation, we found 4 addresses in them (1 address in 4 Android apps and 2 addresses in 1 Windows ransomware). Their profit is shown in Table IX. The only address which made a profit is related to the domain http://coronavirusapp.site, whose apps are disguised as coronavirus tracker apps.
V-F COVID-19 Ponzi Scheme
Finally, we find 9 websites that are suspected of carrying out Ponzi schemes. For example, they claimed that they will invest in a vaccine for COVID-19 and help the investors achieve financial freedom, as shown in Figure 18. The list of the 9 websites is shown in Table XI. We can see that most of these domains contain an “invest” keyword and the descriptions of their websites indicate their scam properties. However, by the time of our study, none of them can function well or they are just unreachable during our manual analysis. Thus, we cannot get their scam blockchain addresses, and so we cannot estimate their impacts and the number of victims.
|Ponzi Scheme Websites|
V-G COVID-19 Fake Crypto Donation
We find 23 domains and 30 social accounts related to coronavirus-themed donation scams, and we extract 76 addresses from them. Table X shows the top 5 addresses that make the most money from their scams. The most profitable address 142pEjfSBh8cnvE7BMJXMjoSBedJWvRKAG received 1 BTC on March 22nd, and its scam campaign was reported by Spam404 (https://otx.alienvault.com/pulse/5e7f99a0808c6d74674980ca). In total, 28 of 76 addresses have made a profit of US dollars, which makes donation scams the third largest scam category by scam amount in our dataset. Because of donation’s close connection with this pandemic, such a serious condition deserves our vigilance.
Our observations in this paper are of key importance to the stakeholders in the blockchain ecosystem and the researchers who are interested in COVID-19 themed cybersecurity. On one hand, considering the prevalent COVID-19 themed crypto scams in the wild and their strong impacts, it is urgent for the community to detect these scams and eliminate their impacts. On the other hand, it suggests that attackers are taking advantage of public events to perform cyber attacks, and similar social engineering techniques can easily be adapted to other social events or domains. Thus, the governance of the ecosystem on social events should be improved. For example, timely identification of the distribution channels of these scams (e.g., Twitter, Telegram, and malicious domains) can greatly reduce their impacts.
To the best of our knowledge, our paper is the first systematic study of COVID-19 themed cryptocurrency scams. Our study, however, carries several limitations. First, the taxonomy of the scams might not be complete. As the taxonomy is summarized based on publicly known scams reported by users in the wild, it is quite possible that there are new tricks we did not identify. Nevertheless, we believe we have covered most of the COVID-19 themed crypto scams. Second, this work relies on some manual effort to identify the unrevealed scams, which might not be scalable. Although we have tried our best to reduce the effort, i.e., by using VirusTotal to label the suspicious scams first, and applying heuristics to mark COVID-19 related scams, we admit that some advanced techniques (e.g., machine learning techniques) can be implemented to identify and classify the scams in the future. However, while the study is by no means comprehensive, we are able to provide a lower bound estimate of the prevalence and criminal profits associated with these COVID-19 scams.
In this paper, we take the first step to characterize COVID-19 themed cryptocurrency scams. We investigated six types of cryptocurrency scams related to COVID-19 by collecting existing scam reports and detecting the unrevealed ones. Specifically, we revealed how the scams work, measured their prevalence in the wild, studied their evolution and characterized their impacts. Besides, we released the labeled scam dataset to the research community to help fight against the COVID-19 attacks in cyberspace.