SpaceX Bitcoin Giveaway?

On Saturday 13 June, Spacex successfully launched their ninth Starlink mission. Just 24 hours later, a total of nearly 9 BTC (almost USD 84 000 at the time of writing this) was lost to a SpaceX bitcoin giveaway scam. Yes, a SpaceX, bitcoin, giveaway.

Β 

Brief History

In November 2018, the Independent published an article about a wave of phishing attacks that swindled people of thousands of dollars in bitcoin. The attackers had hijacked a few twitter accounts with high followings, changed them to emulate Elon Musk, CEO of SpaceX and Tesla, and launched a fake giveaway campaign. For a while the scams ceased until they reappeared recently.

Several weeks ago, I received a report of a phishing attack hosted atΒ  spacex[.]money. I began looking into this and during the investigation I discovered a horde of additional domains set up by the attackers, including:

  • spacex-tesla[.]me
  • spacex[.]money
  • spacex-btc[.]net
  • spacex-btc[.]infoSpacex-btc[.]com
  • spacex-btc[.]live
  • spaceufx[.]site
  • btcspacex[.]com
  • officialelonmusk[.]com
  • elonmusckbtc[.]com

Β 

The Second Wave

CaptionPhoto credits: https://news.bitcoin.com/spacex-bitcoin-scam-btc-giveaway-elon-musk-nasa-launch/

The second wave of attacks were fundamentally similar to the first wave - hijacked accounts with high followings and fake giveaway campaigns. Only this time they leveraged YouTube and the muse was not just Elon Musk, but SpaceX too. The first collection of these YouTube channels streamed a live feed of Elon Musk being interviewed for a SpaceX convention. The second bunch were no longer streaming live, but still used interviews of Elon Musk to trick people into giving them their hard-earned assets.

This is an example of one of the attacks live on YouTube. The phishing sites could be found in the videos’ descriptions. The sites follow a typical trust trading format, where victims are encouraged to " send X amount of bitcoin with the promise of receiving 2X back”.

Captihttps://spacex-btc.info/#on

Β 

https://spacex-btc.net/#Caption

Β 

The particular phishing site above was setup with this bitcoin address: https://www.blockchain.com/btc/address/3Nra2wH6FxvuVwwZQj3EH5xHjUk68QwRBP

As of Sunday the 14th of June, this scam had made a total of 8.98024788 BTC from only 14 transactions.

https://www.blockchain.com/btc/address/3Nra2wH6FxvuVwwZQj3EH5xHjUk68QwRBPCaption

As can be expected, none of the bitcoin sent were reimbursed as the scam had claimed. They managed to make this much money all in one night, but how?

Following the money

I will take a look at one of the addresses and trace where the money went.

Caption1ELonMUSK14JSGNYAcPJNqubuFByZPyjcj

Β 

Β 

Following one of the branches

BranchCaption

Just from this branch the money was bounced through two addresses before it was spent. On overall the branch looks like this:

CaptiBird's eye viewon

Β 

Some people were victims of multiple attacks.Β 

Why did the scam work?Β Β Β 

News Cycle

With SpaceX’s successful launch, the attackers were presented with a ripe opportunity to capitalise on the news. Since all eyes are on SpaceX, a SpaceX themed attack has thousands of potential victims waiting to take the bate.Β 

Vanity Address

Some of the addresses used in the attacks used vanity addresses to create a sense of trust and legitimacy. Some of them are:

  • 1Musk18ezNXyS1Am9WrYxdWbHnqNCPrAMb
  • 1EMuskPyw1irYmZrXfy26mgATarN1bfwp7
  • 1SpacexRRTziVHZqGzc6GzR76oQsZEc85
  • 1Musk1hzEwBMB9aqv2rQqkJ4GjSUFMLK9U
  • 1SpacexRRTziVHZqGzc6GzR76oQsZEc85
  • 1ELonMUSK14JSGNYAcPJNqubuFByZPyjcj

The β€œMusk”, β€œSpacex”. etc. at the beginning of the addresses boosted their trust and the victims took the bait.Β 

Attention to Detail

https://spacex-btc.net/#Caption

The attackers kept a live loop of fake transactions at the bottom of the page. They were meticulous enough to have the transaction out 2X greater than the transaction in. Giving the victims the impression that previous participants had gotten their rewards.

Sense of Urgency

https://spacex-btc.net/#Caption

The countdown bar showing supposedly how much bitcoin is left for the giveaway creates a sense of urgency, a useful tool for the attackers, the victims were prompted to act fast before the bitcoin ran out and hence acted without thinking it through.

At the time of writing, the total amount of money these attacks stole is well over $150K. It was predicted that these types of attackers will continue to increase in frequency.Β 

Protecting yourself online

To learn how to protect yourself from scams like these read this blog post on How to Spot Phishing Attacks.

PhishFort Protect Browser Extension

Indicators of Compromise

Domains

spacex-tesla[.]me

spacex[.]money

spacex-btc[.]net

spacex-btc[.]infoSpacex-btc[.]com

spacex-btc[.]live

spaceufx[.]site

btcspacex[.]com

officialelonmusk[.]com

elonmusckbtc[.]com

teslagain[.]com

spacexbitcoins[.]com

spacexdrop[.]info

tesla-giveaway[.]getforge[.]io

spacetesla[.]info

teslagives[.]info

bonustesla[.]com

teslaearn[.]com

teslabtc[.]live

Bitcoin Addresses

1SpacexRRTziVHZqGzc6GzR76oQsZEc85

1Musk1hzEwBMB9aqv2rQqkJ4GjSUFMLK9U

18PBHxS9q62KpKUrxu6Ss7AKjUn1W11PRc

1SpacexRRTziVHZqGzc6GzR76oQsZEc85

1ELonMUSK14JSGNYAcPJNqubuFByZPyjcj

1GwMM8uSPgX15Z58bVu5AdoFK9HE3rfaVL

18W11awT6UHMgnAMCqTtrcj2GYV662HY5V

1B2U5swpSH6hmboFWrbfwZK1c84horiJeT

12wV4uEvFcVZgKbH34vQgfU6Gh2rt6XyRt

18W11awT6UHMgnAMCqTtrcj2GYV662HY5V

15mt8E5RTGHuhYtJAg12HkccTxnVBTxqpM

1TESLAYDMZUGQuxFNWP8nkwvSj7p1juHh

YouTube channels

Interview with Elon Musk (Exclusive Interview)

πŸ”·Elon Musk Live/ Bitcoin BTC Talk BTC Mass Adoption & SpaceX update [4 May, 20

πŸ”·Elon Musk Live/ Bitcoin BTC Talk BTC Mass Adoption & SpaceX update [4 May, 20

Elon Musk Live: Bitcoin Talk & SpaceX update [May, 2020]

Elon Musk Interview (Special)

Elon Musk Interview: Exclusive

Elon Musk Officially Confirms BTC Giveaway (Check Description)

Β