Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

Elon Musk and SNL: Scammers Steal Over $10 Million in Fake Bitcoin, Ethereum and Dogecoin Crypto Giveaways

Elon Musk and SNL: Scammers Steal Over $10 Million in Fake Bitcoin, Ethereum and Dogecoin Crypto Giveaways

In the run up to Elon Musk hosting NBC’s Saturday Night Live and the potential mention of Dogecoin on the show, scammers quickly capitalized on his appearance by promoting fake giveaways on Twitter and YouTube.

Background

On May 8, Elon Musk hosted NBC’s Saturday Night Live. Musk, who is a known supporter of the cryptocurrency Dogecoin, teased the possibility that he might talk about the coin on the show, which led to much online speculation.

Scammers, who have used Musk’s likeness to promote fake cryptocurrency giveaways in the past, seized on the feverish support behind Dogecoin, Bitcoin, Ethereum, and other cryptocurrencies, by leveraging compromised and fake Twitter accounts, as well as compromised YouTube channels to successfully peddle phony cryptocurrency giveaways.

Analysis

My analysis began on May 7, so for the purposes of this blog post, I will only be discussing the activity I observed from May 7 through May 9.

  • Scammers compromised a number of both verified Twitter accounts and YouTube channels with a significant following and pivoted them into fake SNL accounts in order to drive traffic to fake cryptocurrency giveaway sites.
  • I estimate that scammers potentially earned over $10 million dollars across all of their campaigns.
  • Compromised YouTube channels were the biggest catalyst for the Dogecoin scams and their relative success.
  • Twitter and YouTube need to take more proactive steps to protect verified account holders and large YouTube channels on their platforms.

Verified Twitter accounts compromised and pivoted to impersonate SNL Miley Cyrus

The primary activity I observed involved the compromise of verified Twitter accounts. These accounts run the gamut, from sports-related figures, government representatives, businesses, and other notable individuals.

Twitter Account Occupation Followers Last Tweet
@troystecher NHL Player 18,500 2021
@WinStarTylerB Photojournalist 1,946 2019
@Hemant_patil_ Member of Parliament 4,270 2021
@mouawad Jewelry Company 47,900 2021
@dkuemps35 NHL Player 22,100 2020
@loveacrc Government Agency 89,100 2021
@JorgeTaiana Politician 113,700 2021
@prima_nomura Comedian 37,500 2021
@Hockey_Saves NHL Non-Profit 2,908 2018
@niwayuyaibaraki Individual 1,077 2020
@LFPezao Entrepreneur, Politician 19,700 -
@bren_hucks Snowboarder 2,919 2021
@philcofiction Musicians/Band 651 2016
@BoserforPA Former Political Candidate 1,030 2018
@TheFavoredWoman Broadcaster, Media Entrepreneur 40,800 2021
@tiarachel91 Physiotherapist, TV show contestant 151,500 -
@PA_UCV Non-Profit 7,652 2020
@JDRaucci Sports Broadcaster 851 -
@firstpost Media and News Publication 2,000,000 2021
@LesleyMurph Travel Blogger 65,700 2020
@NLarcamon Football Manager 9,421 2021
@polacrinoficial Company 4,463 2019

Once these verified Twitter accounts were compromised, the scammers pivoted them away from their original owners by changing the avatar or profile picture as well as the associated name. They typically pivoted these accounts to impersonate the NBC SNL Twitter account by using the same or similar profile image and name as the legitimate account.

The actual content of the tweets did not include a link; they obfuscated the links by adding slashes around them. I believe this is a tactic to prevent Twitter from using automated systems to block these tweets or flag these accounts.

By compromising verified Twitter accounts, scammers are able to trade on a significant level of trust from most Twitter users who are more likely to trust posts from accounts with blue check marks. However, users may not realize the accounts are fake, because while a name can be changed (e.g. from Troy Stecher to SNL), the usernames for these accounts are often unchanged.

In addition to scammers compromising accounts and impersonating SNL’s Twitter, I also found some accounts impersonating Miley Cyrus, the musical guest appearing on SNL alongside Musk.

One particularly interesting observation I made from the tweets being shared from these verified accounts was the quote: “Our mission is to advance humanity by solving the world’s hardest problems.” It turns out, this was a quote from venture capitalist and engineer, Chamath Palihapitiya. Chamath is another notable figure that scammers have impersonated in order to peddle cryptocurrency scams over the last year. So, it makes me wonder if the same scammers decided to pivot into the SNL impersonation game.

Fake Twitter accounts impersonate SNL and Elon Musk

In addition to the rash of compromised, verified accounts, scammers also created fake Twitter accounts to impersonate SNL and Elon Musk. These accounts aren’t verified, so they don’t have the blue check mark (or verified badge) associated with their accounts. To a certain extent, this may explain why they did not have the same level of success as the compromised verified accounts at stealing cryptocurrency from unsuspecting users.

Similar to the compromised verified accounts, the fake accounts do not include direct links in their tweets.

Despite the limitations of not being verified, the people operating these fake accounts are relentless, posting very consistently in hopes that users will fall for their tricks.

Compromised YouTube accounts used to promote fake live videos

In addition to the activity on Twitter, I also identified multiple compromised YouTube channels impersonating the SNL YouTube channel.

This isn’t the first time cryptocurrency scammers have turned to YouTube to promote their scams. They have used the “YouTube Live” functionality to peddle fake giveaways as part of an ongoing tactic that began in late 2019, but continued throughout 2020. The fake YouTube Live tactic works extremely well in this instance because Musk was hosting Saturday Night Live, and he even shared a link on his Twitter for international viewers to watch SNL on YouTube. I believe this is what helped spur the success of these fraudulent cryptocurrency YouTube Live campaigns.

Plus, the template for these videos is well put together.

When users visit these fake YouTube Live videos, they’re presented with a pre-recorded video of Elon Musk from one of his many interviews or appearances elsewhere. However, the video is placed into a template that positions it near a fake Tweet from Musk claiming to be giving away money, as well as instructions and a URL to a website that users are encouraged to visit in order to participate. Often, the video descriptions will contain a link to the fake giveaway websites, but overall, the scammers opted to incorporate them into the YouTube Live video template itself. Like with Twitter, I suspect this is because the scammers do not want to make it easier for YouTube to automatically detect and remove their access from these compromised accounts.

The compromised YouTube channels are global, as I observed compromised channels from the United States, Brazil, Germany, Indonesia, Philippines, Saudi Arabia, Kazakhstan and India. In particular, one of the largest accounts that was compromised belonged to Wave Music Bhojpuri, which had 18.6 million subscribers.

When a user stumbles across one of these YouTube Live videos with tens of thousands of people watching, along with the clever templating used within the videos themselves, it makes it that much more enticing, and will ultimately lead to success for the scammers.

Giveaway Pages: Teaching an old “Doge” new tricks (much wow)


Example of a classic cryptocurrency giveaway website

The majority of landing pages associated with these fake cryptocurrency giveaways followed the traditional format: a fake Medium blog site with links to individual pages for varying cryptocurrencies from Bitcoin, Ethereum and Dogecoin. Historically, Dogecoin wasn’t one of the popular cryptocurrencies used in these giveaway scams. However, with all of the attention around it in part because of Elon, but also because of the large community of Dogecoin supporters, it was included in many of the landing pages I observed.


The classic cryptocurrency giveaway page now includes a link to “get free DOGE”

In addition to the traditional format, scammers stepped up their game and have begun using a newer template specifically for Dogecoin related giveaway scams.


Example of a Dogecoin cryptocurrency giveaway scam, using a new, well designed template and Doge imagery

The new pages are extremely well designed with a “much wow” factor, using more distinct imagery associated with Dogecoin. I would argue that the design of these pages is just another factor in what helps these campaigns be successful.

Scammers make millions in the Elon Musk SNL campaign

While it is challenging to try to capture every single fake Twitter account and YouTube channel and their associated websites, I was able to track 62 unique cryptocurrency addresses associated with at least 40 domains and determined that the scammers linked to these campaigns made over $10 million dollars over the weekend. This is based on the following dollar value for each cryptocurrency at the end of the day on May 9.

Coin Price
BITCOIN $55,376.70
ETHEREUM $3,896.90
DOGECOIN $0.5340

From a cryptocurrency perspective, unsurprisingly, Dogecoin was the coin scammers had the most success stealing.

The scammers managed to steal over $10 million in Dogecoin, which represented just over 90% of the cryptocurrency stolen during these campaigns. The scammers also stole over $595,000 Bitcoin and over $475,000 Ethereum, with the latter seeing a significant increase in price over the weekend, reaching above $4000.

From my analysis, the most successful campaigns were tied to YouTube videos, stealing over $9 million dollars. This was followed by verified Twitter accounts, which stole over $1.3 million, while unverified Twitter accounts were able to steal just over $100,000.

Category Amount (USD)
YouTube Live $9,031,861.48
Twitter (Verified) $1,302,027.72
Twitter (Unverified) $103,282.19
Total $10,437,171.39

The largest single grossing Dogecoin address used in these campaigns was one associated with a YouTube Live campaign linking to dogecoin-snl[.]com. The address tied to that campaign stole over 3 million Dogecoins.

Based on the market value at the time this blog post was written, one Dogecoin was worth $0.53. At this price, the scammer responsible for this campaign earned $1.6 million USD.

While that was the most successful single campaign, several of the campaigns I identified also found success in rotating either URLs and/or wallet addresses.

For instance, one particular compromised campaign operated by a scammer rotated multiple domains and wallet addresses out to earn $1.5 million dollars in Dogecoin.

Domains Dogecoin USD
dogesnl[.]live 781,614.997 $418,803.38
snl-elon[.]com 1,225,806.924 $656,809.41
dogecoin-snl[.]net 634,834.085 $340,155.53
dogecoin-musk[.]com, musk-dogecoin[.]org 369,230.05 $156,443.45
Total $1,572,211.77

The success here was largely driven by a single compromised YouTube channel and all of the viewers they attracted during this campaign. The YouTube Live videos on the channel had a combined view count of nearly 2,000,000 viewers across several live streams.

On Twitter, the most successful campaign involved verified Twitter accounts promoting two domains: snlmusk[.]com and snlelon[.]com. The scammers swapped out addresses for Bitcoin, Ethereum and Doge. In total, they used six Bitcoin addresses, four Ethereum addresses and three Dogecoin addresses. In total, their efforts netted them just under $800,000 after adjusting for transactions made prior to May 7 for one Dogecoin address.

Currency Type Domains Received USD
Bitcoin snlmusk[.]com 0.12961892 $7,633.92
Bitcoin snlmusk[.]com 1.77642877 $104,622.91
Bitcoin snlmusk[.]com 0.25774637 $15,179.99
Bitcoin snlmusk[.]com 0.69663748 $41,028.52
Bitcoin snlmusk[.]com 0.36856636 $21,706.75
Bitcoin snlelon[.]com 1.07228078 $63,152.06
Ethereum snlmusk[.]com, snlelon[.]com 33.84219722 $139,037.28
Ethereum snlmusk[.]com 11.36244760 $46,681.48
Ethereum snlmusk[.]com 16.99494134 $69,822.02
Ethereum snlmusk[.]com 4.43702352 $18,229.07
Dogecoin snlmusk[.]com, snlelon[.]com 159774.9384 $85,610.28
Dogecoin snlmusk[.]com 179845.9745 $96,364.71
Dogecoin snlmusk[.]com 168972.0617 $90,538.27
Total $799,607.27

The largest single campaign using a verified Twitter account was for the domain btclive[.]top. It was also circulated among unverified accounts. The scammers behind it were able to steal 1.89 Bitcoins, worth $111,516.59 for their efforts.

It is important to note that Tenable Research did not perform any deep analysis of the transaction history for these cryptocurrency addresses. We only subtracted from the totals for transactions that occurred before May 7 and after May 9. It is certainly possible that the scammers sent Dogecoins and other cryptocurrency to themselves as a way to prop-up the amount received to serve as proof, and entice others into sending cryptocurrency their way.

Cautionary tale for social media apps: cryptocurrency scams will persist

I’ve been monitoring cryptocurrency scams since 2017, which was the year of the last bull market in cryptocurrency. In 2021, cryptocurrency is in the throes of another bull market, as prices for Bitcoin and other cryptocurrencies, including Ethereum and Dogecoin have increased significantly. As long as we remain in a bull market, we should anticipate these types of scams will continue to persist.

How can social media services better address these scams on their platform? Well in 2018, Twitter responded to the increase in compromised verified Twitter accounts impersonating Elon Musk by putting a stop-gap in place when users tried to change their Twitter account name and image to Elon Musk. This was a step in the right direction, but as we’ve seen, scammers are very determined and will search for ways to get around these mechanisms.

I believe that both Twitter and YouTube can take a harder stance to stem the tide of these account compromises by taking more proactive steps to monitor for changes to verified Twitter and YouTube channels with a large number of subscribers, by taking the following steps:

  • Flag when an active or dormant verified Twitter account changes its name and avatar and starts tweeting in response to other accounts during a certain period of time
  • Flag when a YouTube Channel changes its name and starts doing YouTube Live streams
  • Enforce two-factor authentication on verified Twitter accounts and YouTube channels with a large subscriber base

Social media platforms need to place more scrutiny on these types of accounts because, as mentioned before, verified badges, or any form of social proof (like a large YouTube subscriber base) is invaluable not just to notable figures, but to scammers as well. Enforcing more stringent policies for these Twitter accounts and YouTube channels won’t stop the cryptocurrency scams from persisting, but they can help stem the tide, as we should not let perfect be the enemy of good.

Are there any other events we can expect will be the ideal subject for scammers? Certainly. It’s hard to predict what that might be, but in the cryptocurrency space, anything is possible. For instance, will this be the last time we see a Doge-related cryptocurrency scam? Not likely. After his appearance on SNL, Musk announced that his company, SpaceX, will be launching a satellite named DOGE-1 to the Moon that will be paid for entirely in Dogecoin.

Whenever SpaceX plans to launch this satellite, you can expect scammers will be ready to capitalize on this event with scams on Twitter and YouTube.

As we were preparing the publication of this blog post, Musk tweeted out a poll question to his followers, asking them whether or not Tesla should accept Dogecoin as a form of payment.

Within the replies of this tweet, was a compromised verified Twitter account impersonating Tesla, attempting to drive users to another fake cryptocurrency giveaway site in the same vein as the SNL accounts seen over the weekend. While it seemed like things had died down after Musk hosted SNL, it’s clear the scammers will continue to capitalize on Musk and Tesla’s tweets about Dogecoin and other cryptocurrencies.

Join Tenable's Security Response Team on the Tenable Community.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo

Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.