CoinEgg Scam Campaign Steals Victims’ Cryptocurrency and Data

CloudSEK researchers have uncovered an ongoing cryptocurrency scam in which threat actors impersonate the CoinEgg exchange, using multiple payment gateway domains and Android-based applications to lure unsuspecting individuals into a mass gambling scam.
Updated on: April 19, 2023
Published on: June 14, 2022

Category: Adversary Intelligence

Industry: Cryptocurrency

Type of Threat: Phishing/Fake Domain

Source*: CoinEgg

Executive Summary

  • CloudSEK’s Threat Analyst team has discovered an ongoing malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam.
  • During the course of the investigation, CloudSEK researchers identified multiple fake domains using the keyword “CoinEgg” and targeting the users of the legitimate cryptocurrency trading platform (https://www.coinegg.com).
  • The investigation also found that once a fake domain is taken down, the threat group notifies unsuspecting victims by email and provides alternate domains through which to access the "exchange".
  • CoinEgg is a large cryptocurrency exchange based in the UK, offering trading services for digital cryptocurrency assets.
[Figure: Fake CoinEgg domains that show up on Google Search]

Analysis and Attribution

How the CoinEgg Scam Works

  • CloudSEK researchers found that the CoinEgg cryptocurrency scam is run by threat actors in multiple phases. The actors masquerade as the legitimate CoinEgg trading platform by replicating the dashboard and user interface of the official website on fake "CoinEgg VIP" domains.
  • In the first phase, CoinEgg users are deceived into depositing funds into a fake wallet, ostensibly to invest in a listed cryptocurrency. The threat actors then freeze the amount in the CoinEgg VIP wallet and prevent users from withdrawing it.
  • Multiple fake phishing applications claiming to be CoinEgg are also being propagated on the web. On installation, these applications typically request unwarranted permissions and are reported as malicious on various platforms.
  • Threat actors have registered several fake CoinEgg domains, so that taking down any one of them does not disrupt the campaign.
  • When the threat actors switch domains, they notify users via email and Telegram, so that the large-scale scam goes undetected.

Information from the Post

In the process of scamming unsuspecting users, the operators behind CoinEgg VIP impose the following conditions:

  • Customers have to pay 22% of their earnings/deposits as "tax" before they can reclaim their funds.
  • A further "deposit" is imposed if account earnings cross USD 250,000.
  • Assets are permanently frozen if the conditions above are not fulfilled.

Aggrieved by these conditions, customers of CoinEgg VIP have raised concerns about the shady trading website's operations on multiple platforms. Furthermore, suspicious "investigation agencies" are piggybacking on these accusations, promising to help victims reclaim their frozen assets. Under the pretense of an investigation, victims are asked to provide asset information and ID card photos via email.

[Figure: Mail from suspicious investigation agency dubbed "Global Anti-Fraud Center"]
[Figure: The homepage of the website https://www[.]ceggcc[.]vip]

Information from OSINT

From a generic Google search for the keyword "CoinEgg" together with the top-level domain (TLD) "vip", CloudSEK researchers discovered various websites that were most likely being used by the scammers.

List of Suspicious Domains from OSINT

CloudSEK researchers discovered the following list of fake CoinEgg domains and their details:

| Domain Name | Registry Date | Registrar |
|---|---|---|
| https[:]//coinegg[.]fun | 24/09/2019 | GoDaddy |
| https[:]//coinegg[.]club | 26/09/2021 | HiChina |
| https[:]//m[.]ceggca[.]vip | 03/03/2022 | GoDaddy France |
| https[:]//m[.]ceggccxs[.]vip | 03/03/2022 | GoDaddy Australia |
| https[:]//www[.]ceggi[.]vip | 22/01/2022 | NameCheap |
| https[:]//coinegg[.]vip | 14/03/2019 | GoDaddy US |
[Figure: Google results displaying "CoinEgg VIP" as a scam]

CloudSEK researchers observed the following details on the coinegg.vip domain’s page source:

  • The website mentions "CoinEgg" on the index page.
  • It uses a fake CoinEgg logo to deceive users.
  • It also has a customer service chatbot that redirects users to the domain v[.]chatabc[.]xyz.
[Figure: Chatbot for customer service]
  • This domain was later taken down, and a new CoinEgg VIP domain was used to continue the scam: https[:]//m[.]ceggccxs[.]vip/
[Figure: Image of alternate domain details provided]
  • In the image above, the threat actors announce a system maintenance and provide users with two alternate domains to access CoinEgg VIP:

| Domain | IP Address | Registrar |
|---|---|---|
| https[:]//m[.]ceggca[.]vip | 108.156.107.108 | GoDaddy France |
| https[:]//m[.]ceggccxs[.]vip | 108.156.91.107 | GoDaddy Australia |

  • Both domains were registered on GoDaddy on 3 March 2022 and are part of the threat actors' tactic of registering multiple backup domains in the event of a takedown.
  • The threat group has built these new domains with the same user interface as the previous ones.
[Figure: Interface of the new domain]
[Figure: Registration on the new domain]
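The domain list above is the kind of input a fake-domain monitor consumes: defanged indicators that need normalising, then scoring for how closely each one imitates the brand. The following is an added example written for this page, not CloudSEK's own tooling or XVigil logic. It refangs the indicators listed here, splits off the registrable label, and scores each host on three assumed signals (the whole brand name reused under another TLD, partial similarity such as "cegg" for "coinegg", and a TLD observed in this campaign); the weights, the 0.5 similarity cut-off and the review threshold are illustrative assumptions, and the legitimate coinegg.com is included as a control.

```python
import re
from difflib import SequenceMatcher

# Brand being impersonated and its legitimate registrable domain (both from the page).
BRAND = "coinegg"
LEGIT_DOMAINS = {"coinegg.com"}
# Assumption: TLDs seen on this campaign's fake domains; a production monitor would use a broader curated list.
CAMPAIGN_TLDS = {"vip", "fun", "club"}
# Assumption: a score at or above this value is queued for analyst review.
REVIEW_THRESHOLD = 2

# Constructed input: the indicators listed on this page, in the defanged form analysts exchange them in.
PAGE_INDICATORS = [
    "https[:]//coinegg[.]fun",
    "https[:]//coinegg[.]club",
    "https[:]//m[.]ceggca[.]vip",
    "https[:]//m[.]ceggccxs[.]vip",
    "https[:]//www[.]ceggi[.]vip",
    "https[:]//coinegg[.]vip",
    "https://www.coinegg.com",   # the legitimate site, as a control
]


def refang(indicator):
    """Normalise a defanged indicator ('https[:]//m[.]ceggca[.]vip/') to a bare lowercase hostname."""
    s = indicator.strip().lower()
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")):
        s = s.replace(defanged, plain)
    s = re.sub(r"^[a-z]+://", "", s)          # drop the scheme
    s = re.split(r"[/?#]", s, maxsplit=1)[0]  # drop path, query and fragment
    return s.rstrip(".")


def registrable(host):
    """Return (second-level label, tld). Assumes a one-label public suffix, so 'example.co.uk' is not handled."""
    labels = host.split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def score_lookalike(indicator):
    """Heuristic brand-impersonation score for one indicator, with the signals that produced it."""
    host = refang(indicator)
    sld, tld = registrable(host)
    if f"{sld}.{tld}" in LEGIT_DOMAINS:
        return {"host": host, "score": 0, "signals": {"legitimate": True}}

    signals = {}
    score = 0
    if BRAND in sld:                       # whole brand name reused under another TLD
        signals["contains_brand"] = True
        score += 3
    else:                                  # partial reuse such as 'cegg' for 'coinegg'
        ratio = round(SequenceMatcher(None, sld, BRAND).ratio(), 2)
        signals["similarity"] = ratio
        if ratio >= 0.5:
            score += 2
    if tld in CAMPAIGN_TLDS:
        signals["campaign_tld"] = True
        score += 1
    signals["review"] = score >= REVIEW_THRESHOLD
    return {"host": host, "score": score, "signals": signals}


def rank(indicators):
    """Score every indicator and return the results most-suspicious first."""
    return sorted((score_lookalike(i) for i in indicators), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in rank(PAGE_INDICATORS):
        print(f"{r['score']}  {r['host']:<22} {r['signals']}")
```

Running it ranks the three `coinegg.*` registrations highest, places the `cegg*` variants just below them on partial similarity plus the campaign TLD, and leaves the real `coinegg.com` at zero. In practice the candidate list would come from certificate-transparency logs or newly-registered-domain feeds rather than a hand-typed list, and the public-suffix handling would use a proper suffix list.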

Information from Security Vendors Including BeVigil

  • CloudSEK's Threat Research team discovered an APK (Android Package) for CoinEgg offered for download.
[Figure: CoinEgg APK]
  • Once the download is completed, the following message pops up.
[Figure: URL to share among friends]
  • Security vendors have tagged the URL as malicious, and VirusTotal flags it as a phishing site.
[Figure: Fake URL flagged as malicious]
  • Multiple security engines, including Antiy-AVL, ESET-NOD32, Fortinet, Ikarus and Jiangmin, also detected trojans in the malicious application. (Please refer to the Appendix.)
  • CloudSEK's BeVigil security search engine found that the application requires several permissions classed as dangerous, including write settings, system alert window, request install packages, location access and process outgoing calls.
[Figure: The application's dangerous permission requirements]
  • Another application, distributed through the domain coinegg[.]club, was also discovered with similar malicious permissions enabled.
[Figure: CoinEgg.club requiring dangerous permissions]
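The permission set reported above is what a manifest triage step would surface. Here is an added example of that step, written for this page rather than taken from BeVigil or the fake application itself: it parses a constructed AndroidManifest.xml modelled on the permissions listed (write settings, system alert window, request install packages, location, outgoing calls), annotates each risky permission with why it matters for an app that claims only to be a trading front-end, and returns a verdict. The risk table goes slightly beyond the page by also covering coarse location and SMS reading, and the verdict thresholds are assumptions. A real APK carries a binary manifest, so the XML would first be decoded with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest modelled on the permission set this page reports for the fake CoinEgg APK.
# It is not the real application's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakewallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Why each permission is a red flag for an app whose only stated purpose is a trading dashboard.
# Assumption: this table is illustrative; extend it from the Android permission reference for real triage.
RISKY_PERMISSIONS = {
    "android.permission.WRITE_SETTINGS": "can modify system settings",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps, e.g. over a wallet login",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to side-load further packages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location tracking",
    "android.permission.PROCESS_OUTGOING_CALLS": "can observe or redirect outgoing calls",
    "android.permission.READ_SMS": "can read SMS, including one-time passcodes",
}

# Permissions a plain web-wrapper trading app is expected to need (assumption).
EXPECTED_PERMISSIONS = frozenset({"android.permission.INTERNET"})


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def triage(manifest_xml, expected=EXPECTED_PERMISSIONS):
    """Classify a manifest: flagged risky permissions, other unexpected ones, and an overall verdict."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    other = [p for p in perms if p not in expected and p not in RISKY_PERMISSIONS]
    # Assumption: two or more risky permissions is enough to reject an app that should need none.
    if len(flagged) >= 2:
        verdict = "reject"
    elif flagged:
        verdict = "review"
    else:
        verdict = "ok"
    return {"flagged": flagged, "other": other, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("verdict:", result["verdict"])
    for perm, reason in result["flagged"].items():
        print(f"  {perm}: {reason}")
    print("other unexpected:", result["other"])
```

The useful output is the reason column rather than the verdict: it turns a list of permission constants into a statement of what the app could do to the user, which is what an awareness campaign or a takedown request needs.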

Reach and Financial Impact of the CoinEgg Scam

  • CloudSEK researchers found that the CoinEgg VIP group utilizes an active and verified Telegram channel to communicate with its investors and that they have close to 2K subscribers.
  • A user has also claimed to have lost INR 50 lakhs to this cryptocurrency scam, including additional costs such as the deposit amount, tax, etc.
  • The losses of users to the CoinEgg VIP scam are estimated at INR 10 billion. (Clarification: through our fake domain monitor and fake app monitor, we observed various similar instances around the world where fake domains and fake apps were used to mimic several legitimate crypto exchanges, including CoinEgg. The INR 10 billion figure is an estimate of the worldwide losses.)

Impact & Mitigation of CoinEgg Scam

Impact

  • Multiple fake phishing applications are being propagated on the web, which could result in temporary, and possibly permanent, loss of data.
  • Victims are asked to provide asset information and ID card photos, which contain PII. Such data can be used in tandem with social engineering or for identity theft.
  • The data shared could also be used to gain initial access to the user's crypto wallet.
  • Financial loss associated with frozen crypto wallets.
  • Fake CoinEgg applications require unwarranted permissions on installation and are reported to be malicious. They would equip malicious actors with the details required to launch sophisticated ransomware attacks.

Mitigation

  • Identifying phishing websites and subsequently suspending them is the quickest way to mitigate the threat of such scams.
  • Make use of cybersecurity solutions like CloudSEK's XVigil to continuously scan for further fake websites as they appear on the internet.
  • Report the phishing campaign to the Cyber Crime Cell and provide the necessary details to curb the threat actors' continued attempts.
  • Run aggressive awareness campaigns to educate users/customers about ongoing scams, so that fewer people fall for them.

Appendix

[Figure: Domain details of ceggca.vip]
[Figure: Domain details of ceggccxs.vip]
[Figure: Domain details of coinegg.fun]
[Figure: Domain details of coinegg.club]
[Figure: Users calling ceggi.vip a scam platform]
[Figure: Reddit forum posts about avoiding CoinEgg VIP]
[Figure: Trojans detected in the fake application]
[Figure: Screenshot of fake CoinEgg m(.)ceggccxs(.)vip page]
