Chasing an Online Scam Through the Blockchain – an OSINT Investigation

This is my first blockchain investigation and also my first original OSINT investigation.  I've been inspired to do this through reading others in the space, and I'm sure their work will be more thorough and done with more precision than mine.  However, using new techniques I've explored, such as finding unlisted Pastebin pages, I've found quite a bit of information intended to be unseen, such as online scams, child pornography, malware and DDoS attacks, etc.  This post will talk about an online scam I found early on and have been tracking for about a week; it has had success and will likely continue to have success.

The Scam

This online scam takes the form of a sextortion scheme.  To elaborate, the individual sending the email claims to have found compromising information about you by hacking another email of yours.  If you glance at the "from" section of the email header, you will find that, indeed, the email appears to come from the email address it claims.  Here's an example of the scam, which has taken on many forms with many different names. At the time I discovered this scam, the BTC address listed only had 3 transactions, each a deposit.  At the time of this writing, it has received a total of 25 transactions totaling 1.61 BTC or $10,361.  The first transaction was on October 13, 2018.  Since then, the scam has received BTC every day from a variety of people at ~$500 each.  Let's take a look at the scam itself and break it down.  It has also cloned itself and been advertised with two other BTC wallets.  More on that later.

The Details

The title of the email is usually "[insert email address] was hacked".  This will clearly generate a click-through as the reader, who recognizes it as their email, fears the worst.  The next thing to notice is "My nickname in darknet is [insert nickname here]".  The English is poor, which is an early indicator.  The nickname also changes frequently but is usually a name followed by two numbers (i.e. werner10, adolfo12, etc.).  The text continues in poor English but plays on the fear that they have access to all of your accounts, with threats of leaks if $500 is not paid to the BTC wallet 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq within 48 hours.  They establish credibility (with the email address), create fear (through threats), and create a call to action to stop the threats; a very straightforward strategy taken right out of the social engineer's playbook.

The Truth

It turns out the email is fake, surprise!  The "hacker" manages to convince you that they've hacked into your account by mirroring your "hacked" email.  They do this by using OSINT to find other emails attached to your name.  You can select "forgot your password?" on websites to discover recovery emails.  You can also find these through data breaches and leaks.  They then mirror your account using an email forwarding technique.  If you want to learn more about that, read this. Essentially, the email looks like it came from your own address, but your responses get forwarded to the real email that the "hacker" uses.
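The indicators described in The Details and The Truth (a subject of the form "[address] was hacked", the "My nickname in darknet is" phrase, a Base58 BTC address, a 48-hour deadline, and a From header that matches the recipient's own address) can be scored mechanically. The following is an added example, not code from the original post: it parses a raw message and counts those indicators. The sample messages are constructed; the wallet address and the nickname "werner10" are the ones quoted above, and the "victim@example.com" mailbox is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Legacy Base58 Bitcoin address (starts with 1 or 3, no 0/O/I/l), as used by this scam.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Subject line "<address> was hacked".
SUBJECT_RE = re.compile(r"^\s*\S+@\S+\s+was hacked\s*$", re.IGNORECASE)
# "My nickname in darknet is werner10" style phrase; captures the handle.
NICKNAME_RE = re.compile(r"my nickname in darknet is\s+([a-z]+\d{1,2})", re.IGNORECASE)
DEADLINE_RE = re.compile(r"\b48\s+hours\b", re.IGNORECASE)


def score_sextortion(raw_email: str) -> dict:
    """Return the indicators found in a single-part raw email and a verdict.

    The verdict is True when at least three of the five indicators are present,
    a threshold chosen here for illustration (assumption, not from the post)."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""

    nickname = NICKNAME_RE.search(body)
    indicators = {
        "subject_was_hacked": bool(SUBJECT_RE.match(subject)),
        # The scam spoofs the recipient's own address as the sender.
        "from_equals_to": bool(sender) and sender == recipient,
        "darknet_nickname": nickname is not None,
        "btc_address_present": bool(BTC_ADDR_RE.search(body)),
        "deadline_48h": bool(DEADLINE_RE.search(body)),
    }
    return {
        "indicators": indicators,
        "nickname": nickname.group(1) if nickname else None,
        "btc_addresses": BTC_ADDR_RE.findall(body),
        "likely_sextortion": sum(indicators.values()) >= 3,
    }


# Constructed sample modelled on the wording quoted in the post.
SAMPLE_SCAM = """From: victim@example.com
To: victim@example.com
Subject: victim@example.com was hacked

Hello! My nickname in darknet is werner10. I hacked this mailbox more than
six months ago and have access to all your accounts.
Send 500 dollars to BTC wallet: 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq
You have 48 hours or I will send the video to all your contacts.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """From: colleague@example.com
To: victim@example.com
Subject: Lunch tomorrow?

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(name, score_sextortion(raw))
```

Because the From header is trivially forgeable, the "from_equals_to" indicator is a signal for a mail gateway rule (an external message claiming the recipient's own address as sender), not proof of compromise; the same goes for the other indicators, which is why they are combined rather than used alone.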

The Target

Using open source information, I've found that one of the targets for this scam is students at The University of Miami in Oxford, Ohio (@miamioh.edu).  The university responded with the statement:

“The Information Security Office recommends that students, faculty, and staff treat unsolicited email and spam with a high degree of skepticism. If you receive a similar email, simply delete the message and do not reply, and do not open the message, or click any links provided. If you have already responded to this message or clicked a link, please contact IT Help immediately.”

It also seems to be targeting people internationally.  The username “mellowtones242” on malwaretips.com is from the Bahamas and was a target of the scam.  It’s also appeared on Twitter and Reddit.

OSINT

Using Google Dorks and a few other techniques, I used the text from the Paste to find all other instances of this scam on the web.  I also looked for the BTC wallet to see if it had appeared anywhere else on the web.  As stated already, it appears mostly on forums asking whether or not it's legitimate and what to do about it. I found two pieces of information that could be useful in finding the identity of the blackmailer.  The first was in a comment on Google Forums stating "I traced a few of these emails and this scammer used some proxy IPs but the guy is Indian 122.166.165.151".  I entered that IP address into the Intel Techniques IP tool.  It checks out that it's from India, and users have rated it as "malicious".  But with VPN technology, it's possible that anyone could use that IP.  The information I found about the IP also showed activity from 2015, not 2018.  So I kept digging and found something even more interesting.

An article titled "Remove 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq Darknet Email Trojan" was published on October 16th, 2018 on VirusResearch.org by Emilian Varsanov.  The article is so preposterous, you just have to read it to fully understand how ridiculous it is. It gives you a tutorial on how to remove the "trojan" but tells you twice in bold letters "Warning: Stopping the wrong file or deleting the wrong registry key may damage your system irreversibly. If you are feeling not technical enough you may wish to use Spyhunter Professional Malware Removal Tool to deal with malware problems!", followed by a download prompt for Spyhunter.  That's very suspect for a phony article about a phony scam.  It turns out this guy posts articles on Virusresearch.org about how to remove malware, adware, trojans, etc. every single day.  What's even more ridiculous is that he gives the exact same instructions every time, word for word, followed by a download prompt.

I've archived his article archive on Virusresearch.org to ensure the integrity of this evidence.

If you read carefully through the headlines of the articles, there are exact clones of the sextortion scam with "how-to" guides on how to remove them as if they were malware or trojans. However, what I found interesting is that there are none before October 13th, 2018, when the first transaction had taken place on BTC wallet 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq.  I checked the other two clones of the sextortion scam and all of their transactions started on October 16th, as soon as scam 1 started to prove successful.  The total BTC balance for all three accounts is 2.51 BTC or $16,148.  What's also interesting is that the clones of the sextortion scam can't be found anywhere else online.  Virusresearch.org is the only instance of them, yet they continue to receive BTC deposits of $300-$500 every day.  Varsanov is the only one talking about it. Through deductive reasoning alone, I can make an educated guess that Emilian Varsanov is behind the sextortion scam or is at least exploiting victims of it to download SpyHunter. Or both.  But to be sure, I did some OSINT on him.  He made it quite easy.  On the same website, virusresearch.org, he posts a contact page including address, phone number, and email address.  I've archived it here. Note: I don't intend to target this individual in a malicious way, but the evidence leads me to him as a possible source of the scam.  I ran the email through the Intel Techniques email tool.  Nothing.  So I ran his first and last name and found a profile on LinkedIn and Google+ (right before they shut it down).  Here's what he looks like.


I know this is him because on his Google+ page he posts links to virusresearch.org with “removal guides” dating back to 2014.  I also found him on LinkedIn.  Here’s that profile.  It says he works for Enigma Software, which is based out of Ireland.

I also found out that Enigma Software is the creator of the Spyhunter software Varsanov keeps advertising.  Spyhunter has received multiple bad reviews, including one person claiming it to be ransomware. I couldn't find any instance online confirming that he actually works for this company or is still employed there.  I did find out through the contact page that he's from Plovdiv, Bulgaria.  That might be useful.

Blockchain

To continue this OSINT investigation, I want to look at the blockchain for all three BTC wallets.  Here they are listed:

1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq

19D67Tgb3neJiTHd8pZDEBYmUn2qSjxEeB

1KGjDZ7RFV39r2q1JeSpZAF5L3fnpuenmT

Now, we know the scam asks for $500 to remove the blackmail threat.  Currently, that exchanges to ~0.08 BTC.  Because BTC fluctuates so frequently, we'll look at a range of ±0.005 BTC.  Keep in mind, the dollar amount requested is subject to change.  What we're looking for is a consistent amount of money being requested.  For example, 1KGjDZ7RFV39r2q1JeSpZAF5L3fnpuenmT frequently receives ~$300 worth of BTC, whereas 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq frequently receives ~$500 worth of BTC.

What I'm looking for is any transaction that doesn't fit that mold.  There are a few such transactions in each wallet address, but they seem to be the work of a BTC tumbler.  None of the transactions seem to be connected to every account, but confirming that would require additional analysis.  After scanning for the BTC transactions that didn't fit the mold using Google Dorks, I wasn't able to find any additional information.  It's important to note that this scam is only 5 days old.  There might be more information revealed in time.
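The two checks described in this section, splitting each wallet's deposits into those that fit the requested amount (±0.005 BTC around the dollar figure converted at the current rate) and those that don't, and then looking at whether any counterparty appears in more than one of the three wallets, are the kind of thing worth scripting once the transaction list is exported from a block explorer. The following is an added example, not code from the original post. The three wallet addresses are the ones listed above; every deposit, date and sender address is constructed, and the exchange rate of $6,435 per BTC is an assumption derived from the post's own figures (1.61 BTC ≈ $10,361).

```python
from dataclasses import dataclass

# The three wallets named in the post.
W1 = "1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq"  # asks ~$500
W2 = "19D67Tgb3neJiTHd8pZDEBYmUn2qSjxEeB"
W3 = "1KGjDZ7RFV39r2q1JeSpZAF5L3fnpuenmT"  # asks ~$300

# Assumed rate, back-calculated from the post's 1.61 BTC ≈ $10,361.
USD_PER_BTC = 6435.0
TOLERANCE_BTC = 0.005  # the ±0.005 BTC window used in the post


@dataclass(frozen=True)
class Deposit:
    wallet: str      # receiving scam wallet
    sender: str      # input address of the transaction (constructed placeholders below)
    amount_btc: float
    date: str


# Constructed sample ledger; sender names are placeholders, not real addresses.
DEPOSITS = [
    Deposit(W1, "CONSTRUCTED_SENDER_A", 0.0780, "2018-10-13"),
    Deposit(W1, "CONSTRUCTED_SENDER_B", 0.0795, "2018-10-14"),
    Deposit(W1, "CONSTRUCTED_SENDER_C", 0.0812, "2018-10-15"),
    Deposit(W1, "CONSTRUCTED_SENDER_X", 0.2341, "2018-10-16"),  # does not fit the mold
    Deposit(W1, "CONSTRUCTED_SENDER_Y", 0.0081, "2018-10-17"),  # dust-sized, does not fit
    Deposit(W2, "CONSTRUCTED_SENDER_D", 0.0781, "2018-10-16"),
    Deposit(W3, "CONSTRUCTED_SENDER_E", 0.0470, "2018-10-16"),
    Deposit(W3, "CONSTRUCTED_SENDER_F", 0.0455, "2018-10-17"),
    Deposit(W3, "CONSTRUCTED_SENDER_X", 0.0800, "2018-10-18"),  # same sender as W1 outlier
]


def expected_btc(usd_requested: float, usd_per_btc: float = USD_PER_BTC) -> float:
    """Convert the dollar amount the scam email asks for into BTC at the assumed rate."""
    return usd_requested / usd_per_btc


def split_by_mold(deposits, expected, tol=TOLERANCE_BTC):
    """Return (fits, outliers): deposits within ±tol of the expected ransom amount, and the rest."""
    fits = [d for d in deposits if abs(d.amount_btc - expected) <= tol]
    outliers = [d for d in deposits if abs(d.amount_btc - expected) > tol]
    return fits, outliers


def wallet_deposits(deposits, wallet):
    return [d for d in deposits if d.wallet == wallet]


def total_btc(deposits) -> float:
    return round(sum(d.amount_btc for d in deposits), 8)


def shared_senders(deposits) -> set:
    """Sender addresses that fund more than one of the scam wallets.

    A sender common to several wallets is a lead worth following; a sender
    seen in only one wallet tells you nothing about the others."""
    seen = {}
    for d in deposits:
        seen.setdefault(d.sender, set()).add(d.wallet)
    return {s for s, wallets in seen.items() if len(wallets) > 1}


if __name__ == "__main__":
    for wallet, usd in ((W1, 500), (W2, 500), (W3, 300)):
        fits, outliers = split_by_mold(wallet_deposits(DEPOSITS, wallet), expected_btc(usd))
        print(wallet, "fits:", len(fits), "outliers:", [d.amount_btc for d in outliers])
    print("senders seen in more than one wallet:", shared_senders(DEPOSITS))
    print("total across all three wallets:", total_btc(DEPOSITS), "BTC")
```

The outliers are the interesting rows: a deposit far above the ransom amount, or one far below it, is not a victim paying the stated price, so it is either consolidation, a tumbler hop, or the operator moving funds, and those are the transactions whose input addresses are worth pivoting on.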

Conclusion

Emilian Varsanov can be one of two things.  He can either be responsible for the sextortion scam, or he could be exploiting people who have fallen victim to the sextortion scam by creating phony guides that lead readers into downloading SpyHunter.  The timeline shows his posts related to the sextortion scam appearing the same day all three BTC wallets started receiving transactions.  He's also the only one talking about the clones of the original scam. So either he is trying to plug any and all malicious activity back to SpyHunter, or he is creating the scams in order to lead people back to SpyHunter.  Either way, it's shady.
