Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

Elon Musk and YouTube Advertising Scams: Fake SpaceX “Coin” Promoted in Ads During Cryptocurrency Videos

Elon Musk and YouTube Advertising Scams: Fake SpaceX “Coin” Promoted in Ads During Cryptocurrency Videos

Scammers are on pace to steal nearly $1 million USD from unsuspecting users through a popular decentralized finance protocol, Uniswap, by abusing YouTube to promote a fake SpaceX coin as part of ads appearing before and during cryptocurrency videos.

Background

In early May, scammers compromised Twitter and YouTube accounts to promote a series of cryptocurrency scams ahead of Tesla and SpaceX founder Elon Musk’s appearance on Saturday Night Live, stealing over $10 million dollars in Bitcoin, Ethereum and Doge tokens. The scams conducted via YouTube were the most successful, resulting in a theft of over $9 million dollars.

Please note that both “tokens” and “coins” are used interchangeably to describe cryptocurrency like Bitcoin, Ethereum, Dogecoin, and many others.

Since the end of May, scammers have stolen over $430,000 in cryptocurrency from unsuspecting users by purchasing advertising space on YouTube cryptocurrency videos to promote a fake SpaceX coin (or $SpaceX token) claiming to be created by Musk. At the time this blog post was published, the scammers had one ongoing campaign that, once complete, would potentially increase the total amount of stolen cryptocurrency to nearly $1 million.

Analysis

As early as May 22, YouTube advertisements designed to scam users out of their cryptocurrency appeared before or during videos about cryptocurrency from popular creators in the space. The advertisements featured a variety of unrelated videos of Musk, who’s garnered much attention for his support of cryptocurrencies like Bitcoin and Dogecoin in recent months.

Breaking down the template

The advertisements are three to five minutes long and feature a template that includes a falsified tweet at the top from Elon Musk that claims he’s launching his own cryptocurrency called $SpaceX.

Within the same template is a description section, featuring a header with the Tesla logo. The description says “Elon Musk is launching his own cryptocurrency, $SpaceX.” The purpose of the coin, the scam advertisement claims, is to “take everyone to mars and make human life possible there.” Finally, they add that for each transaction involving the $SpaceX coin, a donation will be made “towards space research companies” in order to “help Elon’s mission.”

The embedded video in the advertisement above is a clip from Elon’s interview for the Computer History Museum and KQED’s “Revolutionaries” from 2013. The scammers use various videos of Musk indiscriminately in these YouTube ads.

Videos hosted on compromised YouTube accounts

These advertisements are hosted on compromised YouTube accounts.

When they appear, the name of the user associated with the advertisement is visible.

When browsing the user’s profile, we see that this user joined YouTube in August, 2011. Many of the accounts I encountered were created between 10-12 years ago. In this instance, there are no other videos associated with the account, except for the one used in the scam advertisement, but that may vary. It is likely these are dormant YouTube accounts, which scammers were able to compromise to promote their dodgy advertisements.

We reached out to YouTube to share our findings prior to publication, but we did not receive a response.

Same template used in previous YouTube Live scam campaign

These advertisements leverage the same template I saw being used in the SNL-themed Musk scams from earlier in May, including the Tesla logo.

In the YouTube ads regarding the supposed SpaceX coin announcement, you would think the scammers might have swapped in the SpaceX logo instead of keeping the Tesla logo, but it appears they just copied the template outright.

Users directed to multiple websites

The YouTube ads themselves do not contain a direct link to a website. Instead, they advertise the website in another section of the template. During my analysis, I found at least twelve different websites being promoted through these fake YouTube advertisements, which include:

Domain Registrar Registered
buyspacex.com NameCheap, Inc. May 21, 2021
buyspx.com NameCheap, Inc. May 27, 2021
getspx.com NameCheap, Inc. May 29, 2021
spxlaunch.com NameCheap, Inc. May 29, 2021
spacexbuy.com REG.RU LLC May 30, 2021
officialspx.com REG.RU LLC June 1, 2021
missionspx.com REG.RU LLC June 2, 2021
spacexsale.com REG.RU LLC June 3, 2021
salespacex.com REG.RU LLC June 9, 2021
buyspxcoin.com REG.RU LLC June 15, 2021
muskspx.com REG.RU LLC June 16, 2021
falconspacex.com REG.RU LLC June 17, 2021

Please note this may not be an exhaustive list of all domains used in these campaigns.

Websites include step-by-step directions on installing MetaMask and using Uniswap

The websites used in this campaign were designed using Telegram’s anonymous blogging platform, Telegra.ph.

To get users to purchase the fraudulent $SpaceX coins, the scammers include a step-by-step walkthrough on how to install MetaMask, a popular browser-based wallet used by millions of users, on their computers. I verified that the scammers are linking to the legitimate MetaMask extension for Google Chrome instead of a fake extension.

From there, the website instructs users to click on a customized link to Uniswap, a popular decentralized exchange (DEX) in the world of decentralized finance (DeFi) protocols. As a DeFi protocol, Uniswap allows cryptocurrency holders to exchange (or swap) tokens on the platform without a centralized entity being involved, hence the decentralized nature. At the same time, the lack of a central authority is one of the reasons why these scams are able to operate successfully.

Uniswap allows individuals to create their own tokens to be tradeable on the platform. In this instance, the scammers are linking users to Uniswap to import a fraudulent $SpaceX token contract that they created.

When attempting to import the $SpaceX token, Uniswap’s interface provides a warning that it “doesn’t appear on the active token list(s)” but only cautions the user to ensure “this is the token that you want to trade.”

The walkthrough includes several screenshots on how users can swap their Ethereum tokens in exchange for the alleged $SpaceX coin. It also includes guidance on how to ensure the coins are visible within the MetaMask wallet.

At least three fake $SpaceX coins in circulation

Across the twelve websites I encountered, I observed three different contracts for $SpaceX coins. During this research, seven were pointing to the same $SpaceX token contract, which I will refer to as Alpha, while two sites, spxlaunch.com and salespacex.com, pointed to two separate $SpaceX token contracts, which I will refer to as Beta and Gamma. However, since the Alpha campaign ended on June 13, the remaining sites are now pointing to the Gamma campaign.

Swept up by a Rug Pull: How users end up holding worthless tokens

Conventional cryptocurrency scams ask users to send cryptocurrency to a specific address in order to “double” their money, which never happens. However, this scam is actually quite nefarious. It creates a sense of legitimacy through the use of a notable DEX platform like Uniswap, an actual token smart contract, and the visual confirmation of tokens appearing within a user’s MetaMask wallet. So how do users get scammed through fake tokens? It’s a concept known as a rug pull.

In order to list and facilitate the trading of the fraudulent $SpaceX coin on Uniswap, the scammers have to provide some liquidity.

Across the three token contracts I encountered, scammers provided a total liquidity of 60 Ethereum coins (20 for each contract) at a combined value of $146,300.44 at the time of funding.

As users purchase the coins on Uniswap, they add to the liquidity of the $SpaceX contract. At some point, the scammers behind this operation will remove the liquidity from the contract, thus “pulling the rug” on those who own the $SpaceX coins, making them worthless.

Honeypotting: Users locked in with their purchase of the fraudulent $SpaceX coins

Recently, a user that purchased $SpaceX coins associated with the Alpha contract, posted on the Uniswap subreddit saying they weren’t able to swap their coins back to Ethereum. This is another concept known as honeypotting in the cryptocurrency space. It is different from the traditional use of the term in the cybersecurity space, which is focused on trapping bad actors. What it means in this context is that unsuspecting users are drawn into investing in this fake $SpaceX coin, but the contract created by the scammers was designed to prevent users from being able to swap their coins back to Ethereum. The only address capable of moving funds out of the contract is the creator. So even if the scammers don’t pull the rug right away, current $SpaceX coin holders are unable to get their funds back anyway.

Scammers purposely burned coins from the contract

When these fake $SpaceX contracts were created, the scammers minted 1 billion coins (1,000,000,000) in each contract and added liquidity to the contract for 200 million (200,000,000) coins. The scammers also burned 800 million (800,000,000) $SpaceX coins for each contract by sending the coins to wallets for popular exchanges like Vb, Binance and Huobi.

Since these fraudulent $SpaceX coins aren’t listed on any of these exchanges, the coins sent to these wallets cannot be returned and are lost forever, effectively burning them from the supply. My understanding is that through burning these coins, the scammers are reducing the supply of available coins, thus driving up the perceived price of the $SpaceX coin.

Fake comments seeded on Etherscan pages

Etherscan, one of the most popular blockchain explorers for the Ethereum network, is often where cryptocurrency enthusiasts go to obtain information, such as activity related to various Ethereum-based projects. In the case of the fraudulent $SpaceX contracts, scammers have seeded the comments section of these pages with fake social proof.

The intention behind flooding these pages with fake social proof is to ensure that any comments calling out the fraudulent nature of the $SpaceX coins get lost in the noise.

Fake $SpaceX coin rug pulls have earned the scammers over $430,000 thus far, with potential to earn nearly $1 million

Across three of the fake $SpaceX contracts I encountered, two have already completed their rug pulls. The following graph shows a breakdown of the liquidity provided by the scammers, the amount of liquidity removed from the contracts and the difference (profit) they made from their scams.

At the time this blog post was published, the Alpha and Beta campaigns had ended and the Gamma campaign was still active. These figures reflect data collected up until June 21, 2021, but do not include any additional funds sent to the Alpha and Beta contract post liquidation.

The Alpha campaign began on May 22 and concluded on June 13 and netted the scammers a profit of over $403,000. Through the Beta campaign, which operated from May 29 through June 9, the scammers profited off unsuspecting users to the tune of nearly $28,000. The Gamma campaign, which began operating on June 9 and was ongoing at the time this blog post was published, has seen a high volume of activity already, earning the scammers an estimated $543,000. This means the scammers are set to make another six figure sum from this campaign once they pull the rug, bringing the total cryptocurrency they’ve stolen to nearly $1 million.

One caveat: the scammers likely send additional funds to these contracts to make them appear more legitimate so the figures listed could be partially inflated by the scammers’ own funds.

DeFi protocols are rife with rug pulls and honeypots

While DeFi protocols on Ethereum (such as Uniswap and SushiSwap) or those on the Binance Smart Chain (BSC) (like Pancakeswap) facilitate a new era of investments on the blockchain, the decentralization of these platforms means that scammers have free reign. With traditional forms of finance like banks, which are centralized, stolen funds can potentially be recaptured and returned to victims. However, on the blockchain, stolen funds are lost with little to no recourse on recovery, and in the world of DeFi, it is an unfortunate tradeoff that exists within the protocol. As a result, terms like “rug pulls” and “honeypots” have become part of the dialogue within DeFi.

The reason this particular campaign stands out is that it didn’t rely on promotion through Telegram channels or social media, but it rode the wave of success scammers have found through YouTube. It did so by leveraging the existing infrastructure of YouTube Ads to identify their target demographic of cryptocurrency enthusiasts and get their ads in front of thousands of viewers. Many new cryptocurrency investors look to YouTube channels for news and guidance, so it’s an ideal channel for promoting a fake coin.

How cryptocurrency enthusiasts can protect themselves from fraudulent coins

Remember to DYOR: Cryptocurrency enthusiasts may be familiar with the acronym DYOR, which stands for Do Your Own Research. It is a common refrain within the community for good reason. It is vital for potential investors to do their own research before investing in any asset, especially in the cryptocurrency space.

Look for cautionary signs when using a DEX: While DEXes like Uniswap and SushiSwap operate autonomously, they have put up some roadblocks for users when interacting with their services.

As I discussed earlier, Uniswap displays a limited warning about the scam token not appearing on active token lists. It also adds a banner of “Unknown Source” when displaying the address for the contract. Users should see this as a red flag before importing the token contract and swapping it for their cryptocurrency. While not every coin on Uniswap will appear on an active token list, investors should be wary of a token when they see this warning.

Be wary of fake coins for real projects: While there is no such thing as a $SpaceX coin, potential investors should also be wary of fake coins for real projects. There is a low barrier to entry to create a token contract on the Ethereum network using the same name as a real project.

Look for official announcements from the creators of these projects. They will typically share details about the release of a token contract as well as what the verified contract address is prior to deployment.

When in doubt, sit this one out: There’s a pent up demand to try to capitalize gains on new and emerging coins in the cryptocurrency space. However, if you have even the slightest bit of doubt about the legitimacy of a coin or project, even after you DYOR, it’s probably best to sit this one out. The potential losses that stem from investing in fake coins and projects can be significant, so it’s better to miss out on a potential opportunity than to find yourself holding onto worthless tokens in your wallet.

Related articles

Join Tenable's Security Response Team on the Tenable Community.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.