Type of Threat:
- CloudSEK’s Threat Analyst team has discovered an ongoing malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam.
- During the course of the investigation, CloudSEK researchers identified multiple fake domains using the keyword “CoinEgg” and targeting the users of the legitimate cryptocurrency trading platform (https://www.coinegg.com).
- The investigation also found that once a fake domain is taken down, the threat group communicates the same with unsuspecting victims via email and provides alternate domains to access the crypto exchange.
- CoinEgg is a large cryptocurrency exchange based in the UK, offering trading services for digital cryptocurrency assets.
Analysis and Attribution
How the CoinEgg Scam Works
- CloudSEK researchers’ investigation discovered that the CoinEgg cryptocurrency scam was conducted by threat actors in multiple phases. They’re masquerading as the legitimate CoinEgg crypto trading platform by replicating the dashboard and user interface of the official website, on fake domains of CoinEgg VIP.
- In the first phase of the scam, CoinEgg users are deceived into depositing an amount to the fake wallet, to invest it in a listed cryptocurrency. After which, threat actors freeze the amount in the CoinEgg VIP wallet and prohibit users from retrieving it.
- Multiple fake phishing applications are also being propagated on the web, claiming to be CoinEgg. Generally, these applications, on installation, require unwanted permissions and are reported as malicious on various platforms.
- Threat actors have created several fake CoinEgg domains so far so that taking down any of these domains does not affect their malicious campaign.
- When the threat actors switch domains, they use email and Telegram to communicate the same to users, so that the large-scale scam goes undetected.
Information from the Post
In the process of scamming unsuspecting users, the operators behind CoinEgg VIP implements the following conditions:
- Customers have to pay 22% of their earnings/ deposits as “tax”, before they can reclaim their funds.
- Imposition of “deposit”, if account earnings cross USD 250,000.
- Permanent freeze of assets, if the conditions mentioned above are not fulfilled.
Aggrieved by these conditions, customers of CoinEgg VIP have raised concerns about the operations of the shady cryptocurrency trading website, on multiple platforms. Furthermore, suspicious investigation agencies are also piggybacking on these accusations, promising to help victims of the scam, to reclaim their frozen assets. In the pretense of an investigation, victims are asked to provide asset information and ID card photos, through email communication.
Information from OSINT
From a generic Google search of the keyword “CoinEgg” with the top-level domain (TLD) ‘vip’, CloudSEK researchers discovered various websites that were most likely being used by the scammers.
List of Suspicious Domains from OSINT
CloudSEK researchers discovered the following list of fake CoinEgg domains and their details:
|Domain Name||Registry Date||Registrar|
CloudSEK researchers observed the following details on the coinegg.vip domain’s page source:
- The website mentions “CoinEgg” on the index page.
- It uses a fake logo of CoinEgg to scam the users.
- They also have a customer service chatbot that redirects users to the domain v[.]chatabc[.]xyz
- However, this domain was later taken down and a new CoinEgg VIP domain was used to conduct the scam:
- In the image provided above, threat actors are announcing a system maintenance, and have provided the users with two alternate domains to access CoinEgg VIP:
- Both these domains have been registered on GoDaddy on 3 March 2022, and are part of the threat actor’s tactics to register multiple backup domains in the event of a takedown.
- The threat group has created these new domains with a similar user interface as the previous ones.
Information from Security Vendors Including BeVigil
- CloudSEK’s Threat Research team discovered an APK (Android Package) for CoinEgg with the option to download.
- Once the download is completed, the following message pops up.
- Security vendors have tagged the URL as malicious and it is flagged as a phishing site by VirusTotal.
- Multiple trojans like Antiy-AVL, ESET-NOD32, Fortinet, Ikarus, Jiangmin, etc. were also detected in the malicious application. (Please refer to the Appendix)
- CloudSEK’s BeVigil security search engine detected that the application required various permissions listed as dangerous including write settings, system alert window, request install packages, location access and process outgoing calls.
- Another application was also discovered through the domain coinegg[.]club, which had similar malicious permissions enabled.
Reach and Financial Impact of the CoinEgg Scam
- CloudSEK researchers found that the CoinEgg VIP group utilizes an active and verified Telegram channel to communicate with its investors and that they have close to 2K subscribers.
- A user has also claimed to have lost INR 50 lakhs to this cryptocurrency scam, including additional costs such as the deposit amount, tax, etc.
- The loss of users to the CoinEgg VIP scam is estimated at INR 10 billion. (Clarification: Through our fake domain monitor and fake app monitor, we observed various similar instances around the world where fake domains and fake apps were used to mimic several legitimate crypto exchanges including CoinEgg. The estimated losses mentioned (INR 10 Billion) is an estimate of the worldwide figure.)
Impact & Mitigation of CoinEgg Scam