1,841 reads

Exposing the Nigerian Crypto Scam Group - "Operation N-Fiverr"

by Wayne HuangNovember 7th, 2020

Too Long; Didn't Read

Exposing the Nigerian Crypto Scam Group - "Operation N-Fiverr" Wayne Huang is CEO to XREX, Wayne was VP Engineering to Proofpoint, and CEO to Armorize Technologies. 1000+ people from worldwide, scammed into making 2,079 transactions. Scam group has been running multiple campaigns starting 2017 Dec. 2017. Victims are offered high-interest rates and high referral commissions. Scammers use stolen passports and IDs to create KYC'ed accounts at exchanges to collect funds.

People Mentioned

Companies Mentioned

Coins Mentioned

featured image - Exposing the Nigerian Crypto Scam Group - "Operation N-Fiverr"

Yesterday the secops team noticed an AML alert — one of our users tried to withdraw funds into wallet: ;

Our system blocked this withdrawal due to its high risk score.

[Investigation Summary]

=======

Victims: 1000+ people from worldwide, scammed into making 2,079 transactions.

Scammed funds: 205.4925067 BTC (roughly $3M at writing time).

Attribution: Nigerian “Operation N-Fiverr.”

Time frame: they’ve been running multiple campaigns starting 2017 Dec.

Tool supplier: outsourced to (also Nigerian), in PHP+Laravel.

Websites: they've worked with iPongDev.Tech to launch more than 30 different scam websites, by modifying from the same codebase.

Stolen passports and IDs: by asking victims to KYC, we believe they've stolen these victim's IDs to create KYC'ed accounts at exchanges; they use these accounts to collect defrauded funds from victims.

Wallets: a combination of own wallets, as well as compromised, KYC’ed wallets of Remitano, Gemini. We published a list of 48 wallet addresses used by this actor.

Domains and IPs: we published a list of 49 domains and 13 IP addresses used by this actor.

Investigation method: obtained source code and admin panel access.

=======

[Investigation]

Having stopped our user’s withdrawal into this actor’s wallet, we started to trace back into their infrastructure. We stumbled upon a directory listing vulnerability within the actor’s infrastructure, which allowed us to obtain the source code of their attack tools:

Investigating into our obtained source code of this actor, we understood they bought their codebase from the Nigerian company . iPongDev sold codebases relating to crypto exchange, wallet, and investment. For the basic framework, they mostly used PHP and Laravel, and for k-line and other visualizations they used TradingView and coinlib.io widgets.

From this actor’s backend admin panel, we can see that their entire scam tooling is modified from a crypto investment platform sold by :

Using the backend panel, we can see the list of victims and their defrauded amounts and dates:

The profit numbers are of course fake but importantly, they do not approve withdrawals, which effectively makes this own operations a scam. While they’ve not approved a single withdrawal request, some users have sadly reached out to them via their customer support system hundreds of times. Of course, they’ve never replied.

[Money Flow]

Operation N-Fiverr’s money flow has been consistent — as soon as a victim is defrauded into transferring BTC into one of their wallets, they will immediately forward those BTC into either a) their other on-chain wallets, or b) their exchange wallets.

We’ve also found them to be directly using compromised Remitano and Gemini wallets for victim deposits.

[Attack]

Operation N-Fiverr attracts victims by pitching them various high-interest rate crypto investment platforms. By modifying from the same codebase, they've worked with iPongDev.Tech to launch more than 30 different scam websites:

In general, these fraudulent platforms offer:

$20 USD signup bonus
Minimum deposit amounts ranging from $1,000 USD to $50,000 USD
Very high interest rate: 10% in 12 hours, 20% in 24 hours, etc
Referral features and high referral commissions
The profits are shown in realtime

Once a victim wants to withdraw funds, Operation N-Fiverr will launch a second wave of attack:

Asking the victim to further deposit 10%-20% of the earned profits prior to withdrawal, saying that this is “per company policy.”

Many victims have been defrauded into sending in more funds. Once a victim finally realizes she may never be getting her funds back, the actor cuts off all communication.

Using the particular wallet address used against our user, we were able to find the following abuse reports of Operation N-Fiverr:

[Collaboration]

secops was able to block our user’s withdrawal into Operation N-Fiverr’s wallet due to AML triggers by ; we thank them also for their strong technical support during this investigation.

This investigation is by no means complete; we’ve had very limited time but wanted to publish asap so the community can collectively blacklist this actor’s resources and mitigate this attack.

We will appreciate any help from the community; please feel free to reach us at .

[Blacklists and Blocklists]

Operation N-Fiverr domains: