Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Elon Musk and YouTube Advertising Scams: Fake SpaceX “Coin” Promoted in Ads During Cryptocurrency Videos

Elon Musk and YouTube Advertising Scams: Fake SpaceX “Coin” Promoted in Ads During Cryptocurrency Videos

Scammers are on pace to steal nearly $1 million USD from unsuspecting users through a popular decentralized finance protocol, Uniswap, by abusing YouTube to promote a fake SpaceX coin as part of ads appearing before and during cryptocurrency videos.

Background

In early May, scammers compromised Twitter and YouTube accounts to promote a series of cryptocurrency scams ahead of Tesla and SpaceX founder Elon Musk’s appearance on Saturday Night Live, stealing over $10 million dollars in Bitcoin, Ethereum and Doge tokens. The scams conducted via YouTube were the most successful, resulting in a theft of over $9 million dollars.

Please note that both “tokens” and “coins” are used interchangeably to describe cryptocurrency like Bitcoin, Ethereum, Dogecoin, and many others.

Since the end of May, scammers have stolen over $430,000 in cryptocurrency from unsuspecting users by purchasing advertising space on YouTube cryptocurrency videos to promote a fake SpaceX coin (or $SpaceX token) claiming to be created by Musk. At the time this blog post was published, the scammers had one ongoing campaign that, once complete, would potentially increase the total amount of stolen cryptocurrency to nearly $1 million.

Analysis

As early as May 22, YouTube advertisements designed to scam users out of their cryptocurrency appeared before or during videos about cryptocurrency from popular creators in the space. The advertisements featured a variety of unrelated videos of Musk, who’s garnered much attention for his support of cryptocurrencies like Bitcoin and Dogecoin in recent months.

Breaking down the template

The advertisements are three to five minutes long and feature a template that includes a falsified tweet at the top from Elon Musk that claims he’s launching his own cryptocurrency called $SpaceX.

Within the same template is a description section, featuring a header with the Tesla logo. The description says “Elon Musk is launching his own cryptocurrency, $SpaceX.” The purpose of the coin, the scam advertisement claims, is to “take everyone to mars and make human life possible there.” Finally, they add that for each transaction involving the $SpaceX coin, a donation will be made “towards space research companies” in order to “help Elon’s mission.”

The embedded video in the advertisement above is a clip from Elon’s interview for the Computer History Museum and KQED’s “Revolutionaries” from 2013. The scammers use various videos of Musk indiscriminately in these YouTube ads.

Videos hosted on compromised YouTube accounts

These advertisements are hosted on compromised YouTube accounts.

When they appear, the name of the user associated with the advertisement is visible.

When browsing the user’s profile, we see that this user joined YouTube in August, 2011. Many of the accounts I encountered were created between 10-12 years ago. In this instance, there are no other videos associated with the account, except for the one used in the scam advertisement, but that may vary. It is likely these are dormant YouTube accounts, which scammers were able to compromise to promote their dodgy advertisements.

We reached out to YouTube to share our findings prior to publication, but we did not receive a response.

Same template used in previous YouTube Live scam campaign

These advertisements leverage the same template I saw being used in the SNL-themed Musk scams from earlier in May, including the Tesla logo.

In the YouTube ads regarding the supposed SpaceX coin announcement, you would think the scammers might have swapped in the SpaceX logo instead of keeping the Tesla logo, but it appears they just copied the template outright.

Users directed to multiple websites

The YouTube ads themselves do not contain a direct link to a website. Instead, they advertise the website in another section of the template. During my analysis, I found at least twelve different websites being promoted through these fake YouTube advertisements, which include:

DomainRegistrarRegistered
buyspacex.comNameCheap, Inc.May 21, 2021
buyspx.comNameCheap, Inc.May 27, 2021
getspx.comNameCheap, Inc.May 29, 2021
spxlaunch.comNameCheap, Inc.May 29, 2021
spacexbuy.comREG.RU LLCMay 30, 2021
officialspx.comREG.RU LLCJune 1, 2021
missionspx.comREG.RU LLCJune 2, 2021
spacexsale.comREG.RU LLCJune 3, 2021
salespacex.comREG.RU LLCJune 9, 2021
buyspxcoin.comREG.RU LLCJune 15, 2021
muskspx.comREG.RU LLCJune 16, 2021
falconspacex.comREG.RU LLCJune 17, 2021

Please note this may not be an exhaustive list of all domains used in these campaigns.

Websites include step-by-step directions on installing MetaMask and using Uniswap

The websites used in this campaign were designed using Telegram’s anonymous blogging platform, Telegra.ph.

To get users to purchase the fraudulent $SpaceX coins, the scammers include a step-by-step walkthrough on how to install MetaMask, a popular browser-based wallet used by millions of users, on their computers. I verified that the scammers are linking to the legitimate MetaMask extension for Google Chrome instead of a fake extension.

From there, the website instructs users to click on a customized link to Uniswap, a popular decentralized exchange (DEX) in the world of decentralized finance (DeFi) protocols. As a DeFi protocol, Uniswap allows cryptocurrency holders to exchange (or swap) tokens on the platform without a centralized entity being involved, hence the decentralized nature. At the same time, the lack of a central authority is one of the reasons why these scams are able to operate successfully.

Uniswap allows individuals to create their own tokens to be tradeable on the platform. In this instance, the scammers are linking users to Uniswap to import a fraudulent $SpaceX token contract that they created.

When attempting to import the $SpaceX token, Uniswap’s interface provides a warning that it “doesn’t appear on the active token list(s)” but only cautions the user to ensure “this is the token that you want to trade.”

The walkthrough includes several screenshots on how users can swap their Ethereum tokens in exchange for the alleged $SpaceX coin. It also includes guidance on how to ensure the coins are visible within the MetaMask wallet.

At least three fake $SpaceX coins in circulation

Across the twelve websites I encountered, I observed three different contracts for $SpaceX coins. During this research, seven were pointing to the same $SpaceX token contract, which I will refer to as Alpha, while two sites, spxlaunch.com and salespacex.com, pointed to two separate $SpaceX token contracts, which I will refer to as Beta and Gamma. However, since the Alpha campaign ended on June 13, the remaining sites are now pointing to the Gamma campaign.

Swept up by a Rug Pull: How users end up holding worthless tokens

Conventional cryptocurrency scams ask users to send cryptocurrency to a specific address in order to “double” their money, which never happens. However, this scam is actually quite nefarious. It creates a sense of legitimacy through the use of a notable DEX platform like Uniswap, an actual token smart contract, and the visual confirmation of tokens appearing within a user’s MetaMask wallet. So how do users get scammed through fake tokens? It’s a concept known as a rug pull.

In order to list and facilitate the trading of the fraudulent $SpaceX coin on Uniswap, the scammers have to provide some liquidity.

Across the three token contracts I encountered, scammers provided a total liquidity of 60 Ethereum coins (20 for each contract) at a combined value of $146,300.44 at the time of funding.

As users purchase the coins on Uniswap, they add to the liquidity of the $SpaceX contract. At some point, the scammers behind this operation will remove the liquidity from the contract, thus “pulling the rug” on those who own the $SpaceX coins, making them worthless.

Honeypotting: Users locked in with their purchase of the fraudulent $SpaceX coins

Recently, a user that purchased $SpaceX coins associated with the Alpha contract, posted on the Uniswap subreddit saying they weren’t able to swap their coins back to Ethereum. This is another concept known as honeypotting in the cryptocurrency space. It is different from the traditional use of the term in the cybersecurity space, which is focused on trapping bad actors. What it means in this context is that unsuspecting users are drawn into investing in this fake $SpaceX coin, but the contract created by the scammers was designed to prevent users from being able to swap their coins back to Ethereum. The only address capable of moving funds out of the contract is the creator. So even if the scammers don’t pull the rug right away, current $SpaceX coin holders are unable to get their funds back anyway.

Scammers purposely burned coins from the contract

When these fake $SpaceX contracts were created, the scammers minted 1 billion coins (1,000,000,000) in each contract and added liquidity to the contract for 200 million (200,000,000) coins. The scammers also burned 800 million (800,000,000) $SpaceX coins for each contract by sending the coins to wallets for popular exchanges like Vb, Binance and Huobi.

Since these fraudulent $SpaceX coins aren’t listed on any of these exchanges, the coins sent to these wallets cannot be returned and are lost forever, effectively burning them from the supply. My understanding is that through burning these coins, the scammers are reducing the supply of available coins, thus driving up the perceived price of the $SpaceX coin.

Fake comments seeded on Etherscan pages

Etherscan, one of the most popular blockchain explorers for the Ethereum network, is often where cryptocurrency enthusiasts go to obtain information, such as activity related to various Ethereum-based projects. In the case of the fraudulent $SpaceX contracts, scammers have seeded the comments section of these pages with fake social proof.

The intention behind flooding these pages with fake social proof is to ensure that any comments calling out the fraudulent nature of the $SpaceX coins get lost in the noise.

Fake $SpaceX coin rug pulls have earned the scammers over $430,000 thus far, with potential to earn nearly $1 million

Across three of the fake $SpaceX contracts I encountered, two have already completed their rug pulls. The following graph shows a breakdown of the liquidity provided by the scammers, the amount of liquidity removed from the contracts and the difference (profit) they made from their scams.

At the time this blog post was published, the Alpha and Beta campaigns had ended and the Gamma campaign was still active. These figures reflect data collected up until June 21, 2021, but do not include any additional funds sent to the Alpha and Beta contract post liquidation.

The Alpha campaign began on May 22 and concluded on June 13 and netted the scammers a profit of over $403,000. Through the Beta campaign, which operated from May 29 through June 9, the scammers profited off unsuspecting users to the tune of nearly $28,000. The Gamma campaign, which began operating on June 9 and was ongoing at the time this blog post was published, has seen a high volume of activity already, earning the scammers an estimated $543,000. This means the scammers are set to make another six figure sum from this campaign once they pull the rug, bringing the total cryptocurrency they’ve stolen to nearly $1 million.

One caveat: the scammers likely send additional funds to these contracts to make them appear more legitimate so the figures listed could be partially inflated by the scammers’ own funds.

DeFi protocols are rife with rug pulls and honeypots

While DeFi protocols on Ethereum (such as Uniswap and SushiSwap) or those on the Binance Smart Chain (BSC) (like Pancakeswap) facilitate a new era of investments on the blockchain, the decentralization of these platforms means that scammers have free reign. With traditional forms of finance like banks, which are centralized, stolen funds can potentially be recaptured and returned to victims. However, on the blockchain, stolen funds are lost with little to no recourse on recovery, and in the world of DeFi, it is an unfortunate tradeoff that exists within the protocol. As a result, terms like “rug pulls” and “honeypots” have become part of the dialogue within DeFi.

The reason this particular campaign stands out is that it didn’t rely on promotion through Telegram channels or social media, but it rode the wave of success scammers have found through YouTube. It did so by leveraging the existing infrastructure of YouTube Ads to identify their target demographic of cryptocurrency enthusiasts and get their ads in front of thousands of viewers. Many new cryptocurrency investors look to YouTube channels for news and guidance, so it’s an ideal channel for promoting a fake coin.

How cryptocurrency enthusiasts can protect themselves from fraudulent coins

Remember to DYOR: Cryptocurrency enthusiasts may be familiar with the acronym DYOR, which stands for Do Your Own Research. It is a common refrain within the community for good reason. It is vital for potential investors to do their own research before investing in any asset, especially in the cryptocurrency space.

Look for cautionary signs when using a DEX: While DEXes like Uniswap and SushiSwap operate autonomously, they have put up some roadblocks for users when interacting with their services.

As I discussed earlier, Uniswap displays a limited warning about the scam token not appearing on active token lists. It also adds a banner of “Unknown Source” when displaying the address for the contract. Users should see this as a red flag before importing the token contract and swapping it for their cryptocurrency. While not every coin on Uniswap will appear on an active token list, investors should be wary of a token when they see this warning.

Be wary of fake coins for real projects: While there is no such thing as a $SpaceX coin, potential investors should also be wary of fake coins for real projects. There is a low barrier to entry to create a token contract on the Ethereum network using the same name as a real project.

Look for official announcements from the creators of these projects. They will typically share details about the release of a token contract as well as what the verified contract address is prior to deployment.

When in doubt, sit this one out: There’s a pent up demand to try to capitalize gains on new and emerging coins in the cryptocurrency space. However, if you have even the slightest bit of doubt about the legitimacy of a coin or project, even after you DYOR, it’s probably best to sit this one out. The potential losses that stem from investing in fake coins and projects can be significant, so it’s better to miss out on a potential opportunity than to find yourself holding onto worthless tokens in your wallet.

Related articles

Join Tenable's Security Response Team on the Tenable Community.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training