by Gareth Halfacree
For Elon Musk, the successful launch of the Falcon Heavy rocket and its Tesla payload on Tuesday was a moment of triumph; for a growing army of scammers it was an opportunity to flex an increasingly popular technique: celeb-jacking on Twitter.
The concept is simple, and it takes advantage of the way replies and threads are displayed and sorted on Twitter. First, the attacker picks a celebrity with a healthy number of followers. Next, a new account is made, or an existing account modified, to match the celebrity account as closely as possible: a copied profile image, a copied biography, and whatever misspelling of the handle is currently unregistered – swapping a lower-case L for an upper-case I, for instance, or doubling a letter. After that, it’s a waiting game.
When the target celebrity account publishes a tweet likely to garner attention, the attacker pounces by instantly posting a reply – which, owing to the way Twitter sorts and displays messages, will appear immediately below the genuine tweet when users click through for more information. At a glance, the message seems to be a threaded continuation of the original, unless a keen eye spots the tell-tale signs of a scam: the lack of a Verified tick next to the account name, the misspelt handle, or the often parlous grammar and syntax of the message itself. The Verified tick is the one signal the attacker cannot copy, which is why it is worth checking.
The contents of the message? A simple and age-old “advance fee” scam, asking users – in this instance – to send 0.2 Ether to the attacker’s address on the promise of receiving 2 Ether in return as part of a celebratory give-away.
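The two tells described above – a reply handle that is a confusable lookalike of the author’s, and give-away text asking readers to send cryptocurrency – are both mechanical enough to check automatically. The following is an added example written for this article, not code from Twitter or from the author: a small Python heuristic that reduces handles to a “confusability skeleton” (L/I and similar glyph swaps mapped to one canonical character, doubled letters collapsed) and flags replies whose skeleton is within one edit of the original poster’s while the account is unverified, optionally noting give-away wording. All handles and messages in it are constructed for the demonstration; nothing in it is a real tweet.

```python
"""Heuristic detector for the celeb-jacking pattern described above:
a reply under a popular tweet from a handle that is a confusable lookalike
of the original author's. Added example; not from the article or Twitter.
All handles and messages below are constructed for the demonstration."""
import re
from itertools import groupby

# Glyph swaps the article mentions (lower-case l / upper-case I) plus a few
# other common ones; each group is mapped to one canonical character.
CONFUSABLES = {
    "l": "1", "I": "1", "1": "1", "|": "1",
    "o": "0", "0": "0",
    "s": "5", "5": "5",
    "_": "", ".": "",          # separators are free filler in a handle
}

# Rough signature of an advance-fee give-away ("send 0.2 ETH ... get 2 back").
GIVEAWAY = re.compile(
    r"\bsend\b.{0,60}\b(eth|ether|btc|bitcoin)\b", re.IGNORECASE | re.DOTALL
)


def skeleton(handle: str) -> str:
    """Reduce a handle to a confusability skeleton: strip '@', map confusable
    glyphs to a canonical form, lower-case the rest, then collapse repeated
    characters so 'elonnmusk' and 'elonmusk' compare equal."""
    out = []
    for c in handle.lstrip("@"):
        if c in CONFUSABLES:
            out.append(CONFUSABLES[c])
        elif c.lower() in CONFUSABLES:
            out.append(CONFUSABLES[c.lower()])
        else:
            out.append(c.lower())
    return "".join(ch for ch, _ in groupby("".join(out)))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; handles are short, so no optimisation needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(reply_handle: str, author_handle: str) -> bool:
    """True when the reply handle is not the author's own but its skeleton is
    identical to, or one edit away from, the author's skeleton."""
    if reply_handle.lstrip("@").lower() == author_handle.lstrip("@").lower():
        return False  # the genuine account continuing its own thread
    return edit_distance(skeleton(reply_handle), skeleton(author_handle)) <= 1


def flag_replies(author_handle: str, replies: list) -> list:
    """Return (handle, reasons) for every reply that trips a heuristic.
    A verified account is never treated as a lookalike; give-away wording is
    recorded as a second reason where present."""
    flagged = []
    for r in replies:
        reasons = []
        if not r.get("verified") and is_lookalike(r["handle"], author_handle):
            reasons.append("lookalike-handle")
        if GIVEAWAY.search(r.get("text", "")):
            reasons.append("giveaway-text")
        if reasons:
            flagged.append((r["handle"], reasons))
    return flagged


# Constructed sample thread (hypothetical replies, not real tweets).
SAMPLE_AUTHOR = "@elonmusk"
SAMPLE_REPLIES = [
    {"handle": "@eIonmusk", "verified": False,
     "text": "To celebrate, send 0.2 ETH to the address below and get 2 ETH back!"},
    {"handle": "@elonnmusk", "verified": False,
     "text": "Giveaway! send 0.2 ether, receive 2 in return"},
    {"handle": "@elonmusk", "verified": True,
     "text": "Launch update: payload nominal."},
    {"handle": "@e1on.musk", "verified": False,
     "text": "Congrats on the launch"},
    {"handle": "@rocketfan42", "verified": False,
     "text": "Amazing launch!"},
]

if __name__ == "__main__":
    for handle, reasons in flag_replies(SAMPLE_AUTHOR, SAMPLE_REPLIES):
        print(handle, reasons)
```

The one-edit tolerance on skeletons is deliberately loose: it catches a doubled or dropped letter, at the cost of occasionally flagging a legitimate unrelated handle that happens to sit one character away from a celebrity’s. In practice such a filter would be one signal among several (account age, whether the reply arrived within seconds of the original, linked addresses) rather than a verdict on its own.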
For most, the attack seems too transparent to work: between the missing Verified tick, the tell-tale switch in writing style, and the almost-immediate replies warning of the scam, the majority of readers move on with no loss of funds. Those new to the cryptocurrency game, those paying less attention, or simply those who rush to be part of the time-limited give-away are present in profitable numbers, however: at the time of writing a single scammer who tied the attack to Musk’s rocket launch had raised 4.709 Ether, in 0.2 Ether increments, from victims – nearly $4,000/£3,000 at the cryptocurrency’s current exchange rate.
The attacks are only becoming more common, and they are hard to detect and prevent en masse. A popular celebrity tweet may receive tens of thousands of replies, making it difficult for the targeted celebrity to spot the spoof and warn their followers. Twitter’s recent suspension of its account verification programme hasn’t helped matters, leaving some popular accounts without the tell-tale tick that might otherwise have warned followers of the ruse.
For Twitter, though, there are no real excuses: the attacker targeting Elon Musk first posted on the 5th of February and began the attack the day after, with a message that immediately resulted in reports to Twitter’s safety team. More than 12 hours later, and long after the original, genuine Musk messages had been read and retweeted with their malicious payload attached, the account was still active – a response time which, when cryptocurrency can be permanently and irrevocably transferred in seconds, is far too slow to offer any protection.