The last two years have left many of us with a feeling of isolation, loneliness, or both. As we all know, when a platform or category gains in popularity, people are bound to use it for nefarious purposes. Apple long promoted itself as safe from malware, but it turned out it was only because no one owned them, so it wasn't worth attacking. Dating apps were popular before, but now a new type of person is using them and so the scams begin. Here is a couple we have encountered in the past few months and what to look out for.
One of the ones we have seen the most in the past few months has been revolving around cryptocurrency. The trend has been (but is not exclusive to) matching with a profile that is a verified user with a couple of decent photos of an attractive Asian person. The profile is filled out with a lot of details in nearly perfect English, but the grammar is a little off.
Once you match, one of the early questions is always some variation of "What are you looking for on here?" Your answer will not sway their response. They are always looking for a lifelong relationship and will tell you so. The accounts are obviously run by real people, because the interaction is natural, though English is a little broken. Another early question will be about work - yours again doesn't matter, but theirs will usually be either finance or import/export.
Soon into the conversation, they will ask you to move to WhatsApp. This is because WhatsApp is attached to a phone number. As most people only have a single mobile number, this means they know the phone number to try and target to text hijacking. Why would they do that? Because it gives them access to your 2-factor authentication (2FA) for platforms like your email and bank account.
The person in question will appear to become attached quickly and will use pet names and such early. Soon after, they will begin to tell you about their cryptocurrency experience. They're making a ton of money using a platform you've never heard of to do short trades. It sounds too good to be true, and it is. They'll show you a screenshot of a recent transaction, with a platform looking like this:
The next step is for them to encourage you to try it out. They are having success and they want you to have success, too. It sounds sweet, but it is not, because the platform does not actually exist. Instead, it is a complicated website that is designed to get you to input currency that you cannot get back out. You transfer crypto into a wallet address that the platform claims to be yours, but in reality, it's a general wallet that is used across these scams.
They will encourage you to try a small transaction to show that it works. They don't want you to lose a lot of money because they care about you, remember. So, you put in a small amount of money, and they will tell you when to hit go, because they research the market al day, you see. It just so happens that the perfect time to do a trade is when you're available to talk. Who would have guessed? It appears that the person running the scam has some control over when success strikes, because it always works, and you always make money. But, if you go on the platform and try it yourself, you'll always lose. They're the expert, you see, so now you trust their judgement.
Once you've built trust in your match and in the platform, they will encourage you to try bigger gambles. You'll put in more money, with the help of your match, who knows all the ways around the problems you'll face. For example, Chase bank won't let you buy crypto right now because they already know how this works. But you can use a bank transfer or a wire transfer. The expert is here to assist.
The real problem comes when you're ready to withdraw your money. You can't, you see - you don't have enough funds. Maybe you've got $4000 in your account, but you see, the rules (which don't exist) say you must have $7500 to be able to withdraw. Why would they have that rule? Don't think about it too hard or the whole house of cards will collapse.
But wait, there's more! You've also got to verify yourself with photos and your drivers' license. Why were you allowed to make the trades before verification, but you can't get the money back without it? Once again, don't worry about it. It's just the rules, and they make perfect sense. Whatever you do, there will always be another rule in the way, because it's all a lie. The platform is manually adjusted. The currency is a lie. The wallet is closed. None of it is real.
One of the commonalities we have noticed is that the domains almost always end in VIP. We've been cataloging some of the domain names we've seen, though all of them are gone at the time of this writing. If you have encountered other examples, let us know so we can keep the list up to date.
- https://bitcoinexap.vip/ (app at https://wap.bitcoinexap.vip/)
- https://bitcoinexos.vip/ (app at https://wap.bitcoinexos.vip/)
- http://bitexsap.vip/ (app at http://wap.bitexsap.vip/)
In our experience, the login screen always looks like this, though there are other versions of the scam running with different groups:
The important takeaway here is that if it sounds too good to be true, IT'S BECAUSE IT IS. There is no magic bullet to making money in cryptocurrency - especially on a domain that looks incredibly dubious.
Dating Verification Scam
This is a relatively new scam (to us) and is based on a real and rational fear of the unknown. When online dating, the first time you meet someone in person can be scary. Are they who they say they are on their profile? Are they really looking for a date or for something else? All of this can be scary, especially when you have no way to verify the other person. That is where this scam comes in.
The person you are talking to will tell you that they are super excited to meet. They're into exactly what you are. But they want to make sure you are who you say you are - a rational fear, and one that you probably have, too. They send you a link to a site to verify your identity. It seems like a great idea - you just didn't know this type of thing existed! Why haven't you used it before?
The problem, of course, is that the site they send you isn't legit. In our experience, the site they send you to is a decently styled WordPress-looking site (which it is not) with some seriously obvious issues. First, the phone number says it is in New York, but the styling is not US (###) ###-####. Second, the English on the site is not quite right. You'll encounter things like "Free Supports," "Free Cancellation of Membership withing 12 hours," and "Connect Alexa or Google Home to send help using juse your voice."
Third, the sites have social media icons all over them, but are not configured to take you anywhere. In fact, a lot of the links on the site don't go anywhere - including the social media sites, blog posts, and the company's copyright link in the footer. Fourth, all the sites have email addresses at Gmail, not their own domains. Most real businesses do not use Gmail, Outlook, Yahoo, or any other free email service's domain for their emails. Those that do, should stop, because it makes them look less legitimate. If they are not using something like firstname.lastname@example.org, something is wrong. These should all be red flags.
Upon further investigation into the site we were sent, we discovered that there are several other nearly identical domains with the same logo, mostly the same text (including typos and misspellings), and, most importantly, the same address and incorrectly styled phone number in New York. Also, the address that they are using is easily traceable to a wedding gown design studio (which, interestingly, uses a Yahoo email address). This site's got social media, though - with hundreds of photos and videos (the most recent being posted 22 hours ago, as of the writing of this piece).
The goal of this scam is twofold. First, they want your money. That one is obvious, as the promised service is really only useful if you pay for it. But it's really the information they are after. To verify, you'll need to enter personal information to verify that you are you, you see. It's a complicated process, so they must have a lot of information. Don't worry about the fact that it's the exact information that would make stealing your identity easy - it's important so you can meet this person from the dating site.
We've been cataloging some of the domain names we've seen, though this is likely not a complete list. If you have encountered other examples, let us know so we can keep the list up to date.
The last one in the list doesn't entirely follow the rules laid out earlier, as the favicon is different, the phone number at the top of the page is different and formatted for the US, and the email address is at Outlook instead of Gmail. It appears that this one might have been the original prototype, as its email address has 2018 in it.
Now, it's important not to take away the wrong thing here. There are serious platforms designed to protect you online. We interviewed SafetyPIN Technologies at Collision 2018, which provides a validation and verification service. But the ones in question here are not legitimate.
There are always new and exciting platforms being created. There are always new and exciting apps being created. Being an early adopter can be fun, because you're ahead of the curve. However, being an early adopter, and using a platform that you've never heard of before, comes with the responsibility of doing your own research. These will not be the only online dating scams, but hopefully you can use the logic we used to research these issues to validate and verify things that seem a little off in your online experiences.