Elon Musk and SNL: Scammers Steal Over $10 Million in Fake Bitcoin, Ethereum and Dogecoin Crypto Giveaways
In the run up to Elon Musk hosting NBC’s Saturday Night Live and the potential mention of Dogecoin on the show, scammers quickly capitalized on his appearance by promoting fake giveaways on Twitter and YouTube.
On May 8, Elon Musk hosted NBC’s Saturday Night Live. Musk, who is a known supporter of the cryptocurrency Dogecoin, teased the possibility that he might talk about the coin on the show, which led to much online speculation.
Scammers, who have used Musk’s likeness to promote fake cryptocurrency giveaways in the past, seized on the feverish support behind Dogecoin, Bitcoin, Ethereum, and other cryptocurrencies, by leveraging compromised and fake Twitter accounts, as well as compromised YouTube channels to successfully peddle phony cryptocurrency giveaways.
My analysis began on May 7, so for the purposes of this blog post, I will only be discussing the activity I observed from May 7 through May 9.
- Scammers compromised a number of both verified Twitter accounts and YouTube channels with a significant following and pivoted them into fake SNL accounts in order to drive traffic to fake cryptocurrency giveaway sites.
- I estimate that scammers potentially earned over $10 million dollars across all of their campaigns.
- Compromised YouTube channels were the biggest catalyst for the Dogecoin scams and their relative success.
- Twitter and YouTube need to take more proactive steps to protect verified account holders and large YouTube channels on their platforms.
Verified Twitter accounts compromised and pivoted to impersonate SNL Miley Cyrus
The primary activity I observed involved the compromise of verified Twitter accounts. These accounts run the gamut, from sports-related figures, government representatives, businesses, and other notable individuals.
|Twitter Account||Occupation||Followers||Last Tweet|
|@Hemant_patil_||Member of Parliament||4,270||2021|
|@BoserforPA||Former Political Candidate||1,030||2018|
|@TheFavoredWoman||Broadcaster, Media Entrepreneur||40,800||2021|
|@tiarachel91||Physiotherapist, TV show contestant||151,500||-|
|@firstpost||Media and News Publication||2,000,000||2021|
Once these verified Twitter accounts were compromised, the scammers pivoted them away from their original owners by changing the avatar or profile picture as well as the associated name. They typically pivoted these accounts to impersonate the NBC SNL Twitter account by using the same or similar profile image and name as the legitimate account.
The actual content of the tweets did not include a link; they obfuscated the links by adding slashes around them. I believe this is a tactic to prevent Twitter from using automated systems to block these tweets or flag these accounts.
By compromising verified Twitter accounts, scammers are able to trade on a significant level of trust from most Twitter users who are more likely to trust posts from accounts with blue check marks. However, users may not realize the accounts are fake, because while a name can be changed (e.g. from Troy Stecher to SNL), the usernames for these accounts are often unchanged.
In addition to scammers compromising accounts and impersonating SNL’s Twitter, I also found some accounts impersonating Miley Cyrus, the musical guest appearing on SNL alongside Musk.
One particularly interesting observation I made from the tweets being shared from these verified accounts was the quote: “Our mission is to advance humanity by solving the world’s hardest problems.” It turns out, this was a quote from venture capitalist and engineer, Chamath Palihapitiya. Chamath is another notable figure that scammers have impersonated in order to peddle cryptocurrency scams over the last year. So, it makes me wonder if the same scammers decided to pivot into the SNL impersonation game.
Fake Twitter accounts impersonate SNL and Elon Musk
In addition to the rash of compromised, verified accounts, scammers also created fake Twitter accounts to impersonate SNL and Elon Musk. These accounts aren’t verified, so they don’t have the blue check mark (or verified badge) associated with their accounts. To a certain extent, this may explain why they did not have the same level of success as the compromised verified accounts at stealing cryptocurrency from unsuspecting users.
Similar to the compromised verified accounts, the fake accounts do not include direct links in their tweets.
Despite the limitations of not being verified, the people operating these fake accounts are relentless, posting very consistently in hopes that users will fall for their tricks.
Compromised YouTube accounts used to promote fake live videos
In addition to the activity on Twitter, I also identified multiple compromised YouTube channels impersonating the SNL YouTube channel.
This isn’t the first time cryptocurrency scammers have turned to YouTube to promote their scams. They have used the “YouTube Live” functionality to peddle fake giveaways as part of an ongoing tactic that began in late 2019, but continued throughout 2020. The fake YouTube Live tactic works extremely well in this instance because Musk was hosting Saturday Night Live, and he even shared a link on his Twitter for international viewers to watch SNL on YouTube. I believe this is what helped spur the success of these fraudulent cryptocurrency YouTube Live campaigns.
Special link to view SNL outside USAhttps://t.co/egSDZ8sNFu— Elon Musk (@elonmusk) May 8, 2021
Plus, the template for these videos is well put together.
When users visit these fake YouTube Live videos, they’re presented with a pre-recorded video of Elon Musk from one of his many interviews or appearances elsewhere. However, the video is placed into a template that positions it near a fake Tweet from Musk claiming to be giving away money, as well as instructions and a URL to a website that users are encouraged to visit in order to participate. Often, the video descriptions will contain a link to the fake giveaway websites, but overall, the scammers opted to incorporate them into the YouTube Live video template itself. Like with Twitter, I suspect this is because the scammers do not want to make it easier for YouTube to automatically detect and remove their access from these compromised accounts.
The compromised YouTube channels are global, as I observed compromised channels from the United States, Brazil, Germany, Indonesia, Philippines, Saudi Arabia, Kazakhstan and India. In particular, one of the largest accounts that was compromised belonged to Wave Music Bhojpuri, which had 18.6 million subscribers.
When a user stumbles across one of these YouTube Live videos with tens of thousands of people watching, along with the clever templating used within the videos themselves, it makes it that much more enticing, and will ultimately lead to success for the scammers.
Giveaway Pages: Teaching an old “Doge” new tricks (much wow)
Example of a classic cryptocurrency giveaway website
The majority of landing pages associated with these fake cryptocurrency giveaways followed the traditional format: a fake Medium blog site with links to individual pages for varying cryptocurrencies from Bitcoin, Ethereum and Dogecoin. Historically, Dogecoin wasn’t one of the popular cryptocurrencies used in these giveaway scams. However, with all of the attention around it in part because of Elon, but also because of the large community of Dogecoin supporters, it was included in many of the landing pages I observed.
The classic cryptocurrency giveaway page now includes a link to “get free DOGE”
In addition to the traditional format, scammers stepped up their game and have begun using a newer template specifically for Dogecoin related giveaway scams.
Example of a Dogecoin cryptocurrency giveaway scam, using a new, well designed template and Doge imagery
The new pages are extremely well designed with a “much wow” factor, using more distinct imagery associated with Dogecoin. I would argue that the design of these pages is just another factor in what helps these campaigns be successful.
Scammers make millions in the Elon Musk SNL campaign
While it is challenging to try to capture every single fake Twitter account and YouTube channel and their associated websites, I was able to track 62 unique cryptocurrency addresses associated with at least 40 domains and determined that the scammers linked to these campaigns made over $10 million dollars over the weekend. This is based on the following dollar value for each cryptocurrency at the end of the day on May 9.
From a cryptocurrency perspective, unsurprisingly, Dogecoin was the coin scammers had the most success stealing.
The scammers managed to steal over $10 million in Dogecoin, which represented just over 90% of the cryptocurrency stolen during these campaigns. The scammers also stole over $595,000 Bitcoin and over $475,000 Ethereum, with the latter seeing a significant increase in price over the weekend, reaching above $4000.
From my analysis, the most successful campaigns were tied to YouTube videos, stealing over $9 million dollars. This was followed by verified Twitter accounts, which stole over $1.3 million, while unverified Twitter accounts were able to steal just over $100,000.
The largest single grossing Dogecoin address used in these campaigns was one associated with a YouTube Live campaign linking to dogecoin-snl[.]com. The address tied to that campaign stole over 3 million Dogecoins.
Based on the market value at the time this blog post was written, one Dogecoin was worth $0.53. At this price, the scammer responsible for this campaign earned $1.6 million USD.
While that was the most successful single campaign, several of the campaigns I identified also found success in rotating either URLs and/or wallet addresses.
For instance, one particular compromised campaign operated by a scammer rotated multiple domains and wallet addresses out to earn $1.5 million dollars in Dogecoin.
The success here was largely driven by a single compromised YouTube channel and all of the viewers they attracted during this campaign. The YouTube Live videos on the channel had a combined view count of nearly 2,000,000 viewers across several live streams.
On Twitter, the most successful campaign involved verified Twitter accounts promoting two domains: snlmusk[.]com and snlelon[.]com. The scammers swapped out addresses for Bitcoin, Ethereum and Doge. In total, they used six Bitcoin addresses, four Ethereum addresses and three Dogecoin addresses. In total, their efforts netted them just under $800,000 after adjusting for transactions made prior to May 7 for one Dogecoin address.
The largest single campaign using a verified Twitter account was for the domain btclive[.]top. It was also circulated among unverified accounts. The scammers behind it were able to steal 1.89 Bitcoins, worth $111,516.59 for their efforts.
It is important to note that Tenable Research did not perform any deep analysis of the transaction history for these cryptocurrency addresses. We only subtracted from the totals for transactions that occurred before May 7 and after May 9. It is certainly possible that the scammers sent Dogecoins and other cryptocurrency to themselves as a way to prop-up the amount received to serve as proof, and entice others into sending cryptocurrency their way.
Cautionary tale for social media apps: cryptocurrency scams will persist
I’ve been monitoring cryptocurrency scams since 2017, which was the year of the last bull market in cryptocurrency. In 2021, cryptocurrency is in the throes of another bull market, as prices for Bitcoin and other cryptocurrencies, including Ethereum and Dogecoin have increased significantly. As long as we remain in a bull market, we should anticipate these types of scams will continue to persist.
How can social media services better address these scams on their platform? Well in 2018, Twitter responded to the increase in compromised verified Twitter accounts impersonating Elon Musk by putting a stop-gap in place when users tried to change their Twitter account name and image to Elon Musk. This was a step in the right direction, but as we’ve seen, scammers are very determined and will search for ways to get around these mechanisms.
I believe that both Twitter and YouTube can take a harder stance to stem the tide of these account compromises by taking more proactive steps to monitor for changes to verified Twitter and YouTube channels with a large number of subscribers, by taking the following steps:
- Flag when an active or dormant verified Twitter account changes its name and avatar and starts tweeting in response to other accounts during a certain period of time
- Flag when a YouTube Channel changes its name and starts doing YouTube Live streams
- Enforce two-factor authentication on verified Twitter accounts and YouTube channels with a large subscriber base
Social media platforms need to place more scrutiny on these types of accounts because, as mentioned before, verified badges, or any form of social proof (like a large YouTube subscriber base) is invaluable not just to notable figures, but to scammers as well. Enforcing more stringent policies for these Twitter accounts and YouTube channels won’t stop the cryptocurrency scams from persisting, but they can help stem the tide, as we should not let perfect be the enemy of good.
Are there any other events we can expect will be the ideal subject for scammers? Certainly. It’s hard to predict what that might be, but in the cryptocurrency space, anything is possible. For instance, will this be the last time we see a Doge-related cryptocurrency scam? Not likely. After his appearance on SNL, Musk announced that his company, SpaceX, will be launching a satellite named DOGE-1 to the Moon that will be paid for entirely in Dogecoin.
SpaceX launching satellite Doge-1 to the moon next year— Elon Musk (@elonmusk) May 9, 2021
– Mission paid for in Doge
– 1st crypto in space
– 1st meme in space
To the mooooonnn!!https://t.co/xXfjGZVeUW
Whenever SpaceX plans to launch this satellite, you can expect scammers will be ready to capitalize on this event with scams on Twitter and YouTube.
As we were preparing the publication of this blog post, Musk tweeted out a poll question to his followers, asking them whether or not Tesla should accept Dogecoin as a form of payment.
Do you want Tesla to accept Doge?— Elon Musk (@elonmusk) May 11, 2021
Within the replies of this tweet, was a compromised verified Twitter account impersonating Tesla, attempting to drive users to another fake cryptocurrency giveaway site in the same vein as the SNL accounts seen over the weekend. While it seemed like things had died down after Musk hosted SNL, it’s clear the scammers will continue to capitalize on Musk and Tesla’s tweets about Dogecoin and other cryptocurrencies.
Join Tenable's Security Response Team on the Tenable Community.
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.