The Federal Bureau of Investigation (FBI) has warned the public about a new wave of cybercriminal activity targeting victims of cryptocurrency scams. These fraudsters are posing as lawyers and law firms, offering bogus cryptocurrency recovery services to steal funds and personal information from those already defrauded. This latest cryptocurrency investment scam alert is an update to a previous warning from the FBI's Internet Crime Complaint Center (IC3), which had highlighted a surge in scams involving fake services for recovering digital assets. The updated Public Service Announcement (PSA), titled "Increase in Companies Falsely Claiming an Ability to Recover Funds Lost in Cryptocurrency Investment Scams," was originally published on August 11, 2023. Moreover, in April 2024, the FBI warned of financial risks tied to using unregistered cryptocurrency transfer services, highlighting potential law enforcement actions against these platforms. The announcement focused on crypto transfer services operating without registration as Money Services Businesses (MSBs) and non-compliance with U.S. anti-money laundering laws. These platforms are often targeted by law enforcement, especially when used by criminals to launder illegally obtained funds, such as ransomware payments.

Cryptocurrency Scam: Emerging Criminal Tactic

The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:

• Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
• Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
• Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
• Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
• Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.

Between February 2023 and February 2024, cryptocurrency scam victims who were further exploited by these fictitious law firms reported losses totaling over $9.9 million, according to the FBI Internet Crime Complaint Center (IC3).

Tips to Protect Yourself

The FBI offers several tips to help individuals protect themselves from falling victim to these scams:

• Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
• Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
• No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.

Victim Reporting

The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:

• Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
• Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.

The FBI's announcement highlights the importance of vigilance and caution when dealing with unsolicited offers of assistance, particularly in the highly targeted and vulnerable area of cryptocurrency investments. By staying informed and following the FBI's guidelines, individuals can better protect themselves from becoming victims of these crypto scams.

Last week I was reviewing a publication by the United Nation Office on Drugs and Crime published in January 2024, titled "Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat."

(URL to the UNODC report: UNODC: Casinos, Money Laundering, Underground Banking ... full report)

(URL to the USIP report: https://www.usip.org/node/160386 )

The reason I was looking into the report is that this 106 page report is about how Chinese organized crime has planted themselves in Casino complexes across Cambodia, Indonesia, Lao PDR, the Philippine, Thailand, and Viet Nam. The same modus operandi that we associate with the crypto investment scams that use the horrible name "pig butchering" to describe the financial grooming that leads to the complete financial devastation of so many Americans. In fact, I discovered the UN report, only by seeing it quoted in he report by the United States Institute of Peace, "Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security" where it was mentioned in a footnote.

Examining Chinese Ministry of Public Security reports

The UNODC report shares statistics from a Ministry of Public Security of China note, without providing a URL, that "between January to November 2023, authorities in the country successfully resolved 391,000 cases related to telecommunications and network fraud, totaling the arrest of 79,000 suspects, including 263 'backbone members or paymasters' of cyberfraud groups" (in the countries mentioned above.) This included:

• interception of 2.75 BILLION fraud calls
• interception of 2.28 BILLION fraud messages
• the removal of 8.36 million fraud-related domain names
• and 328.8 billion yuan (US $46 billion) in funds related to fraud cases.

Since I am working on a project that we call "Twenty Targets for Takedown" that is attempting to shut own illicit websites by terminating their domain registrations and hosting arrangements, the number "8.36 million fraud-related domains" made me shudder.
I am fortunate to count among my network some of the leading experts in domain-name related fraud and abuse, the number seemed overwhelmingly high, and I asked my colleagues from CAUCE, the Coalition Against Unsolicited Commercial Email, for assistance in looking into it. One quick opinion was that this could include a definition of domain name that would be more akin to a hostname, similar to what we have on Blogspot. "garwarner.blogspot.com" is a hostname on the domain "blogspot.com" ... but some would call it a "fully qualified domain name" and consider it a separate FQDN than other xyz.blogspot.com or abc.blogspot.com "domains."

John Levine helped me solve the "did they really mean millions, or is this possibly a bad translation" by helping me find the Ministry of Public Security site where the article was coming from and share several updated versions of these statistics.

The post Millions and Millions of Fraud Domains: China attacks Illegal Gambling and Telecom Fraud appeared first on Security Boulevard.

A new deepfake investment scam has emerged on the internet, misusing prominent Indian figures like Asia's richest person, Mukesh Ambani, and former captain of the Indian national cricket team, Virat Kohli. These deepfake scam videos falsely depict the billionaire and cricket star endorsing betting apps, leading unsuspecting viewers into potential scams. Using advanced deepfake techniques, the video manipulates their appearances and voices to make it seem like they are endorsing the app. This deceptive tactic exploits the trust and influence these figures hold.

The Strange Case of Deepfake Scams

This deepfake investment scam also targets well-known TV journalists, manipulating footage to create a false impression of authenticity. These altered videos imply endorsements from reputable sources, exploiting public trust for illicit gains. In the video, which is widely being circulated online, Ambani is falsely quoted as saying, “Our honest app has already helped thousands of people in India earn money. There is a 95% chance of winning here.” https://www.facebook.com/watch/?v=2401849440205008 Meanwhile, Kohli is shown endorsing the app, stating, "Aviator is an investment game where you can make huge profits. For example, if you have 500 Rupees, that will be enough because when the airplane flies your stake will automatically multiply by the number that the airplane reaches. Your investment can multiply 10 times. I personally recommended this app.” Both individuals seem to be discussing the game and promising high returns, claiming minimal investments can lead to significant profits. Such false promises prey on the aspirations of viewers seeking easy financial gains, ultimately leading to financial losses for many who fall victim to these deepfake investment scams. The Cyber Express has investigated these Aviator game scams and found out most of these apps have been banned on platforms like Google Play Store and Apple App Store due to their deceptive practices. Despite this, scammers continue to circulate these apps through alternate channels, using deepfake investment scams to lend a spirit of legitimacy.

The Aviator Game Scams Leveraging Deepfake Technology 

Similar incidents involving other public figures have also come to light, including cricket legend Sachin Tendulkar. Fake videos were created to deceive the public, and Tendulkar himself spoke out against such misuse of technology. In one deepfake video, Tendulkar is depicted talking about his daughter Sara playing a particular game, falsely quoting him as saying, “I am surprised how easy it is to earn well these days." [caption id="attachment_78100" align="alignnone" width="720"] Sachin Tendulkar Deepfake Scam (Source: X)[/caption] Following this, Sachin Tendulkar himself posted a tweet explaining the deepfake investment scam behind the deepfake videos. Tendulkar tweeted, “These videos are fake. It is disturbing to see rampant misuse of technology. Request everyone to report videos, ads & apps like these in large numbers. Social Media platforms need to be alert and responsive to complaints. Swift action from their end is crucial to stopping the spread of misinformation and deepfakes.” Previously, the Indian media company The Quint decoded another instance of deepfake videos involving Mukesh Ambani's son, Anant Ambani, and Virat Kohli promoting gaming apps in viral clips circulating on social media. Concerns arose about Ambani's video due to discrepancies in lip-sync and mechanical movements, suggesting a potential deepfake. [caption id="attachment_78102" align="alignnone" width="720"] Anant Ambani Deepfake (Source: The Quint)[/caption] Investigation revealed the original context of Ambani's video related to an animal rescue program launch. Similarly, Kohli's video was traced back to a different context involving discussions on religious harmony, debunking claims of both videos promoting gaming applications as false. In all the cases combined, a single app that was heavily promoted by social media pages and deepfake videos was the Aviator game. Aviator, an online casino game developed by Spribe, has become the most controversial game on the internet. The game’s unique, “easy to make money” has been tried and tested to be too good to be true. Inside the game, players engage by flying planes to earn money, influencing outcomes through their actions—a unique feature in online gaming. The game includes bonus rounds and mini-games, accessible on desktop, mobile, and tablet platforms to reach a broad audience. However, despite its popularity, the Aviator game has garnered notoriety for its misleading promises and unfair practices. Users have reported massive financial losses after investing in what turned out to be a fraudulent scheme. Reviews and user experiences highlight consistent patterns of manipulation and rigged outcomes designed to benefit the operators at the expense of trusting players. To top it all off, these fake deepfake videos of celebrities endorsing the app adds more questions about the authenticity of the app and the intent behind this aggressive marketing strategy.  The proliferation of deepfake videos exploiting the reputations of public figures like Mukesh Ambani and Virat Kohli highlights the urgent need for stringent measures against digital deception. As consumers, vigilance and skepticism are essential in understanding an increasingly complex technological era with potential scams and misinformation.

Donald Trump’s presidential campaign is known for aggressively trying to raise money, even sending emails to donors hoping to cash in on setbacks like his conviction late last month on 34 felony counts for illegally influencing the 2016 campaign. Bad actors now are trying to do the same, running donation scams by impersonating the campaign..

The post Cybercriminals Target Trump Supporters with Donation Scams appeared first on Security Boulevard.

Threat Actors Use Obscure or Self-Made Link Shortener Services for Credential Harvesting Earlier this month our expert takedown team responded to a bad actor that used link shortener services to obfuscate a link to a phishing page that impersonated one of our financial institution customers. The destination was a sign-in webpage presenting malicious content including […]

The post Threat Actors Use Obscure or Self-Made Link Shortener Services for Credential Harvesting first appeared on alluresecurity.

The post Threat Actors Use Obscure or Self-Made Link Shortener Services for Credential Harvesting appeared first on Security Boulevard.

A 22-year-old British national, allegedly the leader of an organized cybercrime group that targeted nearly four dozen U.S. companies, was arrested in Palma de Mallorca at the behest of the FBI, said the Spanish National Police. The young man allegedly orchestrated attacks on 45 companies in the United States through phishing campaigns, and subsequently gained unauthorized access to sensitive company information and cryptocurrency wallets.

Cyber Scammer Used Familiar Playbook

The modus operandi of the cybercriminal was simple: use phishing techniques to obtain access credentials from individuals,; use these credentials to infiltrate corporate work systems; exfiltrate sensitive company data that was likely monetized and put up for sale on dark web forums; and also access victims' cryptocurrency wallets to siphon them off. This modus operandi allowed the scammer to amass a significant amount of bitcoins. The Spanish police said the young cyber scammer managed to gain control over 391 bitcoins - approximately valued at over $27 million - from his victims. The arrest occurred at Palma airport as the suspect was preparing to leave Spain on a charter flight to Naples. The operation was conducted by agents of the Spanish National Police in collaboration with the FBI. The investigation, led by the Central Cybercrime Unit and supported by the Balearic Superior Headquarters, began in late May when the FBI’s Los Angeles office requested information about the suspect that they believed was in Spain. The FBI reported that an International Arrest Warrant had been issued by a Federal Court of the Central District of California, prompting intensified efforts to locate the suspect.

Laptop, Phone Seized

The suspect was carrying a laptop and a mobile phone at the time of his arrest, which were seized. The judicial authority subsequently ordered the suspect to be placed in provisional prison. The FBI did not immediately provide a response on whether the young British man would be extradited to the U.S. to be tried, nor did they release details on an indictment, but many similar cases in the recent past show the possibility of that happening soon.

Linked to Scattered Spider?

The cybercrime-focused vx-underground X account (formerly known as Twitter) said the U.K. man arrested was a SIM-swapper who operated under the alias “Tyler.” Fraudster's transfer the target’s phone number in a sim swapping attack to a device they control and intercept any text messages or phone calls to the victim. This includes one-time passcodes for authentication or password reset links sent over an SMS. “He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground tweeted. The details, however, could not be confirmed but independent journalist Brian Krebs said the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-underground

The initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.

At the RSA Conference last month, Netcraft introduced a generative AI-powered platform designed to interact with cybercriminals to gain insights into the operations of the conversational scams they’re running and disrupt their attacks. At the time, Ryan Woodley, CEO of the London-based company that offers a range of services from phishing detection to brand, domain,..

The post Netcraft Uses Its AI Platform to Trick and Track Online Scammers appeared first on Security Boulevard.

The U.S. Attorney today announced charges against three UK nationals for their involvement in the “Evolved Apes” NFT fraud scheme. The United States Attorney for the Southern District of New York Damian Williams and James Smith, the Assistant Director of the New York Field Office of the FBI, announced the unsealing of an indictment charging three UK nationals: Mohamed-Amin Atcha, Mohamed Rilazh Waleedh, and Daood Hassan, with conspiracy to commit wire fraud and money laundering.

“Evolved Apes” Rug Pull Scam

The charges are in connection to their scheme of defrauding victims through the sale of non-fungible tokens (NFTs) from the “Evolved Apes” collection. According to the indictment, Atcha, Waleedh, and Hassan orchestrated a “rug pull” scam in the fall of 2021. In crypto vocabulary a rug pull is a type of exit scam in which developers first raise money from investors through the sale of tokens or NFTs and then abruptly shut down the project vanishing away with the raised funds. Evolved Apes was a collection of 10,000 unique NFTs. They advertised the NFT project in a way where the funds raised would be used to develop a related video game that would in turn increase the NFTs' value. The promised video game never materialized as the anonymous developer "Evil Ape" vanished a week after its launch, siphoning 798 ether [approximately $3 million at today's market price and $2.7 million at the time] from the project's funds. The trio then laundered the misappropriated funds through multiple cryptocurrency transactions to their personal accounts, the indictment said.

“As alleged, the defendants ran a scam to drive up the price of digital artwork through false promises about developing a video game. They allegedly took investor funds, never developed the game, and pocketed the proceeds. Digital art may be new, but old rules still apply: making false promises for money is illegal.” - Williams

Williams said thousands of people were tricked into believing in their false promises and thus bought these NFTs. But "NFT fraud is no game, and those responsible will be held accountable,” he stated. FBI Assistant Director James Smith called out the trio for "ghosting customers" and perpetrating the NFT scam "out of a selfish desire for a quick profit.”

"[This] not only reflects poor business integrity, it also violates the implicit trust buyers place in sellers when purchasing a product, no matter if that product is in a store or stored on a blockchain." - Smith

Atcha, Waleedh, and Hassan, all aged 23, are charged conspiracy to commit wire fraud and money laundering, both of which carries a maximum sentence of 20 years in prison. The actual sentences will be determined by a judge based on the U.S. Sentencing Guidelines and other statutory factors.

Rug Pulls and their Murky History

Rug pulls and cryptocurrency scams have reportedly cost people $27 billion till date. Total number of such incidents stands at 861 with the largest rug pull so far being that of OneCoin which was costed $4 billion in stolen funds. OneCoin, at its peak, was thought to have more than 3 million active members from across the globe. To date it is believed to be the most “successful” crypto scam as search continues for its perpetrator the “Cryptoqueen” Ruja Ignatova. She was added to the FBI’s ‘Ten Most Wanted Fugitive List’ in July 2022 - where she remains today.

The Missing Cryptoqueen was reported dead in unconfirmed reports but an investigation from the BBC team, whose results were published last week, said the investigating team received details on Ignatova’s various sightings and whereabout tip-offs even after her alleged murder took place. She allegedly has links with the Bulgarian underworld, whom she also entrusts with keeping her physically safe.

According to data released by the FTC in its annual Consumer Sentinel Network Data Book, nearly half of the fraud reported to the federal government in 2023 fell into the category of impersonation fraud — 330,000 scams impersonating businesses and 160,000 scams impersonating government institutions. Allure Security’s online brand impersonation detection data corroborates the FTC’s […]

The post FTC: Half of Fraud Involves Impersonation first appeared on alluresecurity.

The post FTC: Half of Fraud Involves Impersonation appeared first on Security Boulevard.

This weekend a scammer tried his luck by reaching out to me on WhatsApp. It’s not that I don’t appreciate it, but trust me, it’s bad for your business.

I received one message from a number hailing from the Togolese Republic.

“Jay, your financial account has been added. Account Csy926. Password [********] USDT Balance 1,660,086.50 EUR: 592,030.92 [domain] Keep it in a safe place.”

I asked them to send the message in English, pretending not to understand Dutch, but received no reply.

But since it was a rainy day and I’d never seen this type of WhatApp scam before, I decided to investigate.

Sometimes it takes some effort, especially when the domain is blocked for fraud by your favorite security software, but nothing was going to stop me now from looking for my new-found wealth.

To fully understand the message, it’s good to know that USTD stands for Tether, a cryptocurrency referred to as a stablecoin because its value is pegged to a fiat currency. In the case of USTD the fiat currency is the US dollar. The link makes a stablecoin’s value less volatile than that of other cryptocurrencies, which is attractive for traders that like to switch quickly between cryptocurrencies and fiat currencies.

So, I visited the domain which, no surprise there, turned out to be a fake trading platform. I tried the login credentials which were so kindly provided to me.

Once logged in I checked my wallet and lo and behold, I’m rich! (Or “Jay” is.)

The wallet belongs to Csy926 who has VIP5 access and contains 1658670.31 USDT or $602,494.07.

I can either recharge, withdraw, or transfer my USDT tokens or transfer the cold hard cash in dollars. Knowing that in this type of scam the victim always has to invest a—relatively–small amount to get the bait, I knew what to expect.

The easiest way would have been if I could transfer the dollars to a bank account, so I tried that first.

Sadly, there were obstacles:

• Transfers can only be done to other accounts on the platform and the recipient needs to be at least a VIP1 level.
• Only VIP members can transfer without a key. Assuming Jay is the one with the key, it’s a good thing that the account has a VIP5 status.

So, to be a recipient of a US$ amount, I’ll need a VIP1 level account on the same platform.

Sadly, that’s not me. So I decided to see what I can do with the USDT tokens.

The form shows a security tip warning users to fill in their withdrawal account accurately, as assets can’t be returned after transferring them out. That sucks for Jay.

But all in all, that looks promising, but again there are some problems.

• I’ll need a TRC20 wallet. A TRC20 wallet app is an application, accessible on mobile/web or desktop devices, designed specifically for storing, managing, and engaging with TRC20 tokens.
• Once I filled out the form and clicked on Withdraw, it turned out I needed a key.

Looks like it’s time to read the FAQs. Fortunately, this has the answers to all the “right” questions.

Long story short. You set the key when you open the account, and it cannot be retrieved. But…..if you have two VIP accounts you can transfer funds from the old account to your new account. And there is no need for a KEY if you have a VIP account. Considering Jay has a VIP5 account there lies an opportunity.

And here comes the catch all of our regular readers saw coming by now, VIP accounts that are able to receive funds cost money. The cheapest—VIP1—requires a deposit of 50 USDT (roughly $50) which is not refundable and can’t be canceled. But with a VIP1 account I can only receive $30 per month and it’s only valid for 2 months. So, that’s not a big help when you are as rich as I am, sorry, Jay is.

It would take me until the next ice age—4600 years—to transfer the entire amount at that rate, with the off chance that the rightful owner would drain the account or change the password as soon as they noticed the leak.

Any unsuspecting victim that has come this far and is willing to steal from the treasure dropped in their lap, now realizes that before they can enjoy all that money, they first:

1. Need to open a new account.
2. Make a deposit to turn it into a VIP account. The amount depends on their greed and impatience because the higher the VIP level, the larger the amount you can transfer in one day and per month.
3. Transfer the funds from Jay’s account to their own account.
4. Set up a TRC20 account.
5. Withdraw the money from the new account to their TRC20 wallet.

We decided not to sponsor the scammers, so this is as far as we were willing to go, but we have a distinct feeling that along the steps we outlined there might be other fees and deposits needed.

Don’t fall for scammers

• Any unsolicited WhatsApp message from an unknown person is suspect. No matter how harmless or friendly it may seem. Most pig butchering scams start with what seems a misdirected message.
• Don’t follow links that reach you in any unexpected way, and certainly not from an untrusted source.
• If it’s too good to be true, then it’s very likely not true.
• Scammers bank on the fact that the more time and money you have invested, the more determined you will become to get to the desired end result.
• Use a web filtering app to shield you from known malicious websites. Preferably Malwarebytes Premium or Malwarebytes Browser Guard.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ticket scams are very common and apparently hard to stop. When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers.

With a ticket scam, you pay for a ticket and you either don’t receive anything or what you get doesn’t get you into the venue.

As reported by the BBC, Lloyds Bank estimates that fans have lost an estimated £1m ($1.25 m) in ticket scams ahead of the UK leg of Taylor Swift’s Eras tour. Roughly 90% of these scams were said to have started on Facebook.

Many of these operations work with compromised Facebook accounts and make both the buyer and the owner of the abused account feel bad. These account owners are complaining about the response, or lack thereof, they are getting from Meta (Facebook’s parent company) about their attempts to report the account takeovers.

Victims feel powerless as they see some of their friends and family fall for the ticket scam.

“After I reported it, there were still scams going on for at least two or three weeks afterwards.”

We saw the same last year when “Swifties” from the US filed reports about scammers taking advantage of fans, some of whom lost as much as $2,500 after paying for tickets that didn’t exist or never arrived. The Better Business Bureau reportedly received almost 200 complaints nationally related to the Swift tour, with complaints ranging from refund struggles to outright scams.

Now that the tour has European cities on the schedule the same is happening all over again.

And mind you, it’s not just concerts. Any event that is sold out through the regular, legitimate channels and works with transferable tickets is an opportunity for scammers. Recently we saw a scam working from sponsored search results for the Van Gogh Museum in Amsterdam. People that clicked on the ad were redirected to a fake phishing site where they were asked to fill out their credit card details.

Consider that to be a reminder that it’s easy for scammers to set up a fake website that looks genuine. Some even use a name or website url that is similar to the legitimate website. If you’re unsure or it sounds too good to be true, leave the website immediately.

Equally important to keep in mind is the power of AI which has taken the creation of a photograph of—fake—tickets to a level that it’s child’s play.

How to avoid ticket scams

No matter how desperate you are to visit a particular event, please be careful. When it’s sold out and someone offers you tickets, there are a few precautions you should take.

• Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well-known entities like Ticketmaster, check for reviews of the seller.
• Are the tickets transferable? For some events the tickets are non-transferable which makes it, at least, unwise to try and buy tickets from someone who has decided they “don’t need or want them” after all. You may end up with tickets that you can’t use.
• Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
• A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is secure, this does not guarantee the site is legitimate. Anyone can set up a HTTPs website, including scammers.
• It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organizers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.
• Use a blocklist. Software like Malwarebytes Browser Guard will block known phishing and scam sites.

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”

For the second time in only four months, all is not well on the ALPHV (aka BlackCat) ransomware gang’s dark web site. Gone are the lists of compromised victims. In their place, a veritable garden of law enforcement badges has sprouted beneath the ominous message “THIS WEBSITE HAS BEEN SEIZED.”

So far, so FBI, but all is not what it seems.

ALPHV is arguably the second most dangerous ransomware group in the world. It sells Ransomware-as-a-Service (RaaS) to criminal affiliates who pay for its ransomware with a share of the ransoms they extract.

When a task force of international law enforcement agencies score a hit on a target this big, they tend to make a bit of a song and dance about it. At a minimum, there are announcements. Last time the FBI disrupted ALPHV with an unscheduled home page redecoration in December, the law enforcement agency was very happy to tell everyone.

When the UK’s National Crime Agency (NCA) took a slice out of the LockBit gang last month it didn’t just tell everyone in a press release, it celebrated with a week-long fiesta of premium-grade trolling on LockBit’s own website.

They have every reason to celebrate their success, but this takedown—if that’s what it really is—has been greeted with nothing but silence from law enforcement.

In fact, ransomware experts have weighed in with an alternative explanation: ALPHV has recycled the takedown banner provided by law enforcement in December, and staged a fake takedown to cover its tracks while it runs off with its affiliates’ money.

The story starts on February 21, 2024, when an ALPHV affiliate attacked Change Healthcare, one of the largest healthcare technology companies in the USA. The attack has caused enormous disruption and been described by the American Hospital Association (AHA) President and CEO Rick Pollack as “the most significant and consequential incident of its kind against the US health care system in history.”

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the Change Healthcare attack. They alleged that two days earlier Change Healthcare had paid ALPHV $22 million—backing up their claim with a link to a Bitcoin wallet that shows a 350 bitcoin transfer on March 1—and that ALPHV then suspended their account.

VX Underground reported that a day later, other ALPHV affiliates were also locked out of their accounts, while ALPHV issued an “ambiguous” message seemingly pointing the finger at the FBI for…something, before putting the source code to its ransomware up for sale for $5 million.

The final act in this entirely unconvincing drama was the appearance of a “THIS WEBSITE HAS BEEN SEIZED” banner on the ALPHV dark web site. Not only was the banner identical to the one used by law enforcement in December, it appeared to have been lazily copied from the compromised site.

The giveaway, spotted by ransomware researcher Fabian Wosar, was the URL of the takedown image, which was being kept in a directory called THIS WEBSITE HAS BEEN SEIZED_files.

“An image URL like this is what Firefox and the Tor Browser create when you use the ‘Save page as’ function to save a copy of a website to disk,” he pointed out.

Of course, it’s not impossible that law enforcement would do this, but it’s a far cry from the no-stone-left-unturned effort of the recent LockBit takedown. Unconvinced, Wosar took to X (formerly Twitter) to say he’d reached out to contacts at Europol and the NCA, and they declined “any sort of involvement”.

It’s the second reminder in under a month, following revelations that the LockBit gang didn’t delete its victims’ stolen data when they were paid a ransom, that you just can’t trust criminals.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.