I watch YouTube more frequently due to COVID-19 and I found these pesky Dick Smith ads soliciting a get-rich-quick scheme popping up recently. The ads are illustrated with a photo of the Aussie entrepreneur himself claiming that everyone can become a millionaire within a matter of months. So what is this scam about and who runs the YouTube campaign?

What the scam is all about

One thing about these YouTube ads that poke out immediately is the Punycode text of the advertisements. The purpose of these bogus characters is (presumably) preventing Google flagging these ads by searching for certain keywords.

A YouTube ad soliciting dodgy investment schemes is featuring a photo of Dick Smith.
A YouTube ad soliciting dodgy investment schemes is featuring a photo of Dick Smith.

Once the victim clicks the ad, it takes the gambit to a phoney article resembling a real one published on news.com.au, but it’s fake news. This article is a ‘special report’ about Dick Smith announcing a ‘wealth loophole’ allowing everyone ‘transforming into a millionaire’. The key to success is a cryptocurrency auto-trading program called Bitcoin Up.

The YouTube ads point to this landing page featuring a deceptive article promoting the investment scheme.
The YouTube ads point to this landing page featuring a deceptive article promoting the investment scheme.

Every link in the story takes to the ‘money page’ on https://bitcoin-up.cash, which makes further attempts to convince its victims to sign up to the money-making scheme. The page features a video of John McAfee (currently arrested over tax evasion charges), Bill Gates and Stephen Colbert, and step-by-step instructions showing the sign-up process.

The money page promoting the fake binary options trading get-rich-quick scheme.
The money page promoting the fake binary options trading get-rich-quick scheme.

The faux binary options scheme

According to this blog, what Bitcoin Up fails to mention is that the service Bitcoin Up is soliciting is a binary options broker. “Through a binary options broker, you don’t actually ‘invest’ in anything. Instead, you simply place ‘bets’ on whether or not you think the value of something will go up or down over a certain period of time (usually under 60 seconds).”. MoneySmart simply calls binary options “a high-risk, unpredictable investment that is really just a gamble”. Bitcoin Up receives a commission after every transaction on the platform no matter if the trader wins or loses the bet.

It gets worse: “The creators of the Bitcoin UP scam have actually gone to the extreme lengths of creating a fake trading app. […] The app isn’t really connected to any live markets. The truth is that it’s really nothing more than a simple video game & all of the so-called “profitable trades” are completely make-believe.”

ABC reported that hard-working Australians are known to lose a substantial amount of life savings to this scam. In one instance, the victim said he “lost nearly $82,000 and it felt like his heart had been ripped out of his chest.”.

On a side note, a variation of this scam also ran in the UK but with other celebrities such as Prince Harry and Bear Grylls.

A variation targeting the UK audience.
A variation targeting the UK audience.

Analysis of the YouTube ads

So who runs this rip-off scheme and how to avoid being scammed?

What I noticed is that the Dick Smith YouTube ads seem to be rotating several times a day. I found that each variation of the ad points to a randomly generated domain name hosting the same bogus news.com.au article.

A YouTube ad featuring Dick Smith and promoting the get-rich-quick scheme. A YouTube ad featuring Dick Smith and promoting the get-rich-quick scheme. A YouTube ad featuring Dick Smith and promoting the get-rich-quick scheme.
Variations of the ad pointing to different domain names.

There is a large number of domain names I was able to trace, all generated possibly to evade any ad blacklisting on the Google/YouTube side or ad blocking attempts on the visitor side. The full list of these randomly-generated domain names hosting the news.com.au story is published at the end of this blog post.

A Maltego visualisation of the Bitcoin Up hosting infrastructure.
A Maltego visualisation of the Bitcoin Up hosting infrastructure.

Further attempts of evasion

The news stories running on a large number of domain names are hosted on unique IP addresses at different web hosting providers. The reason behind this is to evade detection and blacklisting attempts by YouTube/Google, antivirus software with web reputation filters and ad-blockers.

The interesting thing is that the fabricated news.com.au report does not show up in two cases:

  • When the news story isn’t visited from an Australian IP address;
  • The domain name isn’t ready for the YouTube ads.

In both cases from above, the website on the domain names disguises itself as an informative one-page website about swimming, nature, cooking, gardening and similar topics. This evasion attempt makes it more difficult for researchers and cybersecurity companies to identify and block these domain names.

An innocuous website about the joys of swimming. Page full of stolen photos and fabricated claims and quotes.
The same page visited from an overseas and an Australian IP address.
Web server refusing to serve the fake news.com.au article.
Web server refusing to serve the fake news.com.au article.

The Ukraine Connection

After analysing the domain names, I found two instances where the domain names imply that the adversary is located in Russia. The WHOIS records of 120+ domains are registered by someone called Eugenii Ermolenkov from Moscow.

Domain names registered by 'Eugenii Ermolenkov'.
Domain names registered by 'Eugenii Ermolenkov'.

About 200+ other domains are registered to another person with a Russian-sounding name: Grisha Polaykov and Timur Romantsev both also living in Moscow.

WHOIS records feature a contact email address hosted on Yandex, a popular local email provider in the Eurasian region.

Further domain names registered by 'Grisha Polaykov'.
Further domain names registered by 'Grisha Polaykov'.

And the McAfee video from the ‘money page’ hosted on https://www.youtube.com/watch?v=uApKfdWnELA? It is an unlisted YouTube video heavily relying on soundbites taken from Russia Today.

Unlisted YouTube video linked from bitcoin-up.cash featuring soundbites from RT.
Unlisted YouTube video linked from bitcoin-up.cash featuring soundbites from RT.

Furthermore, inline comments in the web page source code and linked JavaScript assets feature code comments are written in Cyrillic.

Code comments written in Cyrillic.
Code comments written in Cyrillic.

But why Ukraine, and not Russia the possible link is here?

Because when we attempt to sign up to Bitcoin Up from the money page with a Ukrainian phone number, it gets rejected with a message ‘country is not support’ (sic!). By analysing the JavaScript files, this appears to be the only country that triggers the error message.

Applicants with a Ukrainian phone number are rejected by the sign-up page.
Applicants with a Ukrainian phone number are rejected by the sign-up page.

Who is Ardaman83?

What ties all the bogus news stories together is a single domain name registered at ardaman83.com. I found that all static assets (CSS, JavaScript, images) from the Bitcoin Up page and all bogus news.com.au stories are all hosted on this domain name.

Static assets of the fake news.com.au stories are hosted by ardaman83.com
Static assets of the fake news.com.au stories are hosted by ardaman83.com

A blacklisting or take down of ardaman83.com would certainly stop the YouTube ads and the money page from working — at least temporarily.

Further insight into this domain name and server possibly with a subpoena would potentially take the authorities closer to the operators of this scheme. Sadly, ardaman83.com runs behind Cloudflare preventing to identify the real IP address of the web server.

Summary

The Bitcoin Up get-rich-quick scheme seems to:

  • Cause financial damages to Australians and overseas citizens alike;
  • Rely on YouTube clickbait ads using photos from Dick Smith and other celebrities;
  • The ads point to bogus news.com.au articles featuring more photos of celebrities, fabricated quotes and fake testimonials;
  • The bogus news.com.au articles are hosted on hundreds of randomly-generated domain names;
  • The bogus news.com.au articles are hosted on hundreds of different IP addresses spanning multiple hosting providers;
  • The links in the bogus news.com.au articles all point to a single sign up page to a scheme called Bitcoin Up at bitcoin-up.cash;
  • The Bitcoin Up scheme does not exist and money transferred to the trading platform is never invested nor returned;
  • All static assets are hosted on a single web server running on ardaman83.com;
  • WHOIS data, code comments and the registration page indicates that the scam is tied to an adversary in Russia or Ukraine.

Update (3/12/2020): The OCCRP has published a in-depth article of similar schemes.

TTPs

WHOIS registered email address:

ermolenkoveugene@yandex.ru
popkaartem322@yandex.ru
kukleraniolkerala@rambler.ru

WHOIS names:

Eugenii Ermolenkov
Grisha Polyakov
Timur Romantsev

Domain names:

abbijdiada.com
abfgnasdfoawa.com
abfhiawfas.com
abfhsahdiowa.com
abfhuabdawfas.com
abfyfaudhiwaa.com
abghdnaudfada.com
abnfjudiaida.com
abnrfufawad.com
abnsaifjia.com
absauwa.com
absfaijdaw.com
absfbahfwada.com
abshfaindiawda.com
adsnfijdsnifds.com
aeyrawiaodas.com
aiolfhjsauiwa.com
aiusibsadafa.com
anbjfiawd.com
anbjgiansdadwa.com
anfgjanfas.com
angfasndfaiowia.com
anifgnadibnfga.com
anifnisalwa.com
anjigdkoawa.com
anjiwfiawrafa.com
ansdjiandfa.com
ardaman83.com
asawdaurfas.com
asbfaufbauwa.com
asbfhabfyeaa.com
asbfhfbaiudbwa.com
asbfhuasaiffa.com
asbfhubfaudwad.com
asbfiaffa.com
asbndabfyada.com
asbndafnasd.com
asbufabdada.com
asdfiawokla.com
asdjanfia.com
asdjiajnfasda.com
ashfuafjiaads.com
ashuekjldsa.com
asikefhauwbudfa.com
asjdfaaoopa.com
asjdoiadija.com
asjfuarbbsada.com
asjifakda.com
asjnaidiafas.com
askdanudad.com
asmjnfiajsdawd.com
asnahifamwfda.com
asnbasndfaujwa.com
asnbfasndfijadaw.com
asnbfiasioawda.com
asnbfuasdawd.com
asndaijfaisd.com
asndasijrkfa.com
asndfbasdan.com
asnfaiiawa.com
asnfaisfnijasdasd.com
asnfanwdinfa.com
asnfdikjea.com
asnfiaowofas.com
asnfijasaoiwfa.com
asnfnaisjiada.com
asnganfijadwad.com
asnifaisahifa.com
asnjafojsbad.com
asnjsaiwa.com
asnufhuawa.com
aspjfandfiadadsa.com
auenbdasera.com
awjainsfnfaw.com
bduafjiawasd.com
beafertgefa.com
befagyhera.com
begyhjeakioera.com
begyhukujera.com
behujkera.com
behujkerafera.com
behujkerage.com
bejukilera.com
benmsaojda.com
berghayj.com
berhsauikfra.com
bevgerafeda.com
bfauhsduawda.com
bfuuewjaera.com
bhyjerafera.com
bitcoin-up.cash
bnjafiaa.com
bnsbaufaiwoa.com
bnsdoaaw.com
bujkmernadesa.com
cerdasqweda.com
djfugaad.com
dmnkfaoa.com
dnjsainfijnfawa.com
egsyaujrra.com
esasdjillsa.com
ewgthayjweragwe.com
fbnasndaiwa.com
fieoawrafera.com
fijbnawufawrrfea.com
fiknmergesa.com
fjnidsnasa.com
fndaikaowdadas.com
fndshuah.com
gedaswer.com
hengujolk.com
herafterade.com
heyusajera.com
hifasjawaf.com
hujkieaferageraa.com
hyejsikasola.com
hyjbukerafera.com
hysjaqadera.com
hysuajeisa.com
idfgbisawa.com
iesajehra.com
ijnbeageryjuera.com
ikeasd.com
ikelasodfa.com
ikeloperfea.com
ikeolsajidms.com
ikeragea.com
ikjnhyujeafera.com
ikjulerafera.com
iklegethyjerades.com
ikloperaze.com
iknbeardewase.com
iknedrearfeole.com
iknjukera.com
iksaonsauwa.com
iksjauke.com
iolknukiera.com
isajfniaiwda.com
jefvawyuffasda.com
jekaragera.com
jenksaiolerra.com
jerakilerda.com
jfuaiosowkfa.com
jgdsoisad.com
jgisjhawa.com
jkerailopa.com
jkwaislalwrasa.com
jsaifjasda.com
jsaokwfawol.com
jsaukxera.com
jsiakelosa.com
jsiakerae.com
jueafergetagera.com
juiklopera.com
juikwlsaol.com
jukeragerta.com
jukeragertage.com
juskaioleafera.com
kasejukileraf.com
kdfihjasirsa.com
keraskio.com
kidsaolwrefaea.com
kielrsakm.com
kieoasdfasd.com
kierysahda.com
kileadewase.com
kilehyjreta.com
kilerafera.com
kilopeaferades.com
kiloperfera.com
kiloplera.com
kilzergyta.com
kioelsajk.com
kiolplera.com
kisahehfa.com
kisajurfasda.com
kisaolrisauja.com
kjdfbnaiiowafsa.com
kleraikoler.com
kofasjuifasdaw.com
kolknerfea.com
krisaleed.com
ksafiaofasa.com
ksaheamnmera.com
ksialeragerthaera.com
ksianfauhaa.com
ksnajfaiwiafas.com
kwiabsydawda.com
learfertyhera.com
loepasilad.com
lopaskiedas.com
masjauzeda.com
merhasudfkoada.com
mfkoasdmoaa.com
najukeafergadfe.com
nasdaiwjakea.com
nasjdnasijdas.com
nasjifbaiwdawace.com
nbufsaierafea.com
nbyeiksae.com
nebadcera.com
nebahujekra.com
nebhyujera.com
nejukiolera.com
nekilopera.com
neragerta.com
nerahtyjera.com
nerasjukrro.com
nfgijadfowad.com
nfjasndfiawa.com
nfjdasiadfsa.com
ngfjasoawa.com
nheyakiolope.com
niafajsidfaoa.com
niklmertage.com
nikoslada.com
njeuisaoa.com
njeuksioalefa.com
njiklertgera.com
njsaiijerasa.com
njukelrokara.com
njukeragera.com
njukeragertafe.com
nsaioowadea.com
nsaiufiaerfa.com
nsauhebkijra.com
nsauhejfa.com
nsauhjfsaol.com
nsauosfoawa.com
nsayheuja.com
nsdijfnsijsd.com
nsjafiawrfa.com
nsjukerfea.com
nuashebahea.com
nujkeliokoplera.com
nukioerafera.com
nusahuejksa.com
oasdaofawa.com
odknasfplea.com
oiklnjukeragera.com
okleaferade.com
okleraferac.com
oklnjilolkera.com
olaspdaowha.com
oleveratyhera.com
olikjukela.com
olkeisahad.com
olkijuewade.com
olkirjsaosa.com
olpasldnha.com
olpoikera.com
omnukilerafes.com
opakensua.com
oplekixol.com
opleragera.com
oplkimerafe.com
paoskefuasdaw.com
pasodlawida.com
pasonruiaiwa.com
pokhrsaa.com
polasitebu.com
poleakshnfdua.com
polejsuaikea.com
polerayhera.com
polneafera.com
posdkawidad.com
prjafiawdas.com
qaikolopreda.com
qawertera.com
qxomobi.com
ruasdadfa.com
saikeolpoe.com
sanfijafniadwada.com
sanfjasfjifas.com
sanfoiaskea.com
sanifiajssa.com
saniwajfa.com
sanjfaisdjwa.com
sanueioawda.com
sapoejfiai.com
sbasuaofasdca.com
sbauiwopac.com
sbnafaowiofasd.com
siskasaoa.com
sjaofmakosfa.com
sjsaiaiwbfsa.com
sknfisaiofasa.com
snafaiegetyhera.com
snfaufgauwa.com
snfijaioadaw.com
sugfbawad.com
tewasedwasq.com
toneow.com
uehhfasda.com
ujbeahygerafe.com
ujbveraferolra.com
ujbyheafera.com
ujeabhyjeadera.com
ujekisolea.com
ujeksolera.com
ujheragera.com
ujkbujkerafera.com
ujkilerafera.com
ujkmnerfeda.com
ukearefdea.com
vavieea.com
vbeaxeolki.com
vearhujsakloe.com
verafyjera.com
waderagyhjera.com
waderhujkera.com
wandiafiaidad.com
wasdfexuioke.com
waserewsa.com
weaysuaia.com
werafedesa.com
werajuskila.com
xeraferolpos.com
xiklopleraty.com
xujkilertgera.com
zikloplrega.com
ziolkiopera.com
zolkioplera.com