Nigerian cryptocurrency scams: uncovering the schemes

This post opens a series of articles researching online crypto scam schemes originating from Nigeria, which have recently emerged on social media platforms like Instagram, Facebook and Telegram. We look at these scams not only from a technical and investigative point of view (how exactly a scam is committed), but will also touch on the social aspects of such crimes: why people choose this business of scamming others online.

Criminal outlaws or amateur swindlers?

Nigerian crypto swindlers run the lowest-grade scams, promoting things like bitcoin ‘investments’ or crypto mining services, luring people to flashy websites and promising unbelievable returns in a matter of just a few days. This should look crappy to most sane and savvy people on the internet, but surprisingly many victims still fall into this trap over and over again. Just a few news headlines about online cryptocurrency scams reveal that, though these are not usually million-dollar scams, many gullible people are still losing their money to scammers.

Why does this happen? One definitely wouldn’t call these scams highly organized crime, and most of these swindlers, as you will see, are still really amateur actors in the field of financial crime. Yet they profit. And they are able to learn and improve once they succeed in putting easy money into their pockets.

We see that some of the cases might really be worth six digits in stolen money. On the other hand, a thousand or even a few hundred dollars is also a good profit for a scammer, and it might still be a significant sum for those who lose it. The worst thing is that all victims perfectly realize that they were scammed and how exactly it was done... but only afterwards. The money is already gone and, unless you act fast, there is usually little to no hope of getting it back.

So we aim not only to describe the most common scam schemes and investigate them, but also to raise awareness among everyone out there who might still fall into scam traps in the belief of easy profits.

Why bitcoin

Aside from all the technological advances of crypto technology used for good, it offers a very important aspect of privacy, which can be exploited by con artists running scams with cryptocurrency. This particular aspect is the one causing much pain for traditional financial institutions when it comes to cryptocurrency regulation.

Bitcoin, being the most popular digital currency, makes it really easy for everyone to enter the cryptocurrency world. No wonder that if anyone has heard at least something about crypto, it would most certainly be bitcoin in the first place. And one can use literally hundreds of various exchanges and apps to buy and send bitcoins, making it a very affordable financial instrument. That said, bitcoin remains not only the most popular cryptocurrency per se, but also the one most eagerly used by scammers.

Preconditions for crypto market boom in Nigeria

Statista, a leading provider of market and consumer data, shares some interesting insights based on 2020 survey results, which put Nigeria in first place in the world by the share of the population that uses cryptocurrency:

Reliance on remittances and the prevalence of peer-to-peer phone payments have led to a steep rise of cryptocurrency use in Africa’s largest economy. Out of 74 countries in the Statista Global Consumer Survey, Nigerians were the most likely to say they used or owned cryptocurrency. 
Almost a third of Nigerians said this applied to them. The high cost of sending money across borders the conventional way has caused many to turn to local cryptocurrency exchanges catering to overseas workers and their families, according to Bitcoin.com. Nigerians also often use their phones to send money to each other or to pay in shops. Recently, businesses in the country have been adding crypto plugins to their phone payment options, adding another way in which Nigerians can use cryptocurrency in their everyday lives.

Statista.com

A Chainalysis report as of September 2020 shows Nigeria, along with Kenya and SAR, as the three African countries with the highest adoption rate of cryptocurrency. It also puts these three countries in the world’s top 10 countries by cryptocurrency adoption.

Chainalysis makes its estimates by measuring cryptocurrency activity occurring on the various P2P exchanges and distributing it by country, based on the breakdown of countries accounting for web traffic to each platform’s website.

That said, the results are somewhat different from what we see in the survey data. However, both sources agree on Nigeria being one of the major players in the cryptocurrency market.

Source: Chainalysis.com

Even the Nigerian Central Bank’s recent ban on all banks and financial institutions offering services to cryptocurrency exchanges, and the suspension of their bank accounts, seemingly didn’t affect crypto’s popularity in Nigeria.

Unfortunately, with such a high adoption rate comes a high scam and fraud rate as well. To a great extent this is due to the current unstable economic conditions, high poverty rate, unemployment and corruption in Nigeria.

A BBC article from 2019 outlines that internet scammers have become role models for many young people in Nigeria:

The first wave of Nigerian scammers were mostly uneducated criminals. The next group comprised young, educated men who were frustrated by the lack of formal jobs in an economy ruined by a series of military dictatorships and years of mismanagement. They noticed the uneducated scammers accumulating wealth and esteem, and decided to join them. After that followed a batch that simply admired the scammers.

BBC News, 23.09.2019

New York Times tech reporter Jack Nicas, who researched Nigerian ‘love scams’, reflects on their nature:

It isn’t exactly clear why this crime has gained popularity there [in Nigeria], but in speaking with the scammers themselves and academics who track them, here is what I found. Nigeria has three ingredients that help foster such scammers: widespread internet access, English fluency, and poverty. I also think simple momentum is a partial explanation. As scammers find success with such crimes, they pass the trade on to friends and siblings.

Jack Nicas

Instagram as scammers’ main outpost

Instagram remains among scammers’ top favourite platforms, mostly because it is extremely popular and provides an easy way to set up a profile. In the case of scammers these profiles are fake and are populated with someone else’s personal photos. Scammers on Instagram pretend to be either bitcoin traders or just wealthy people showcasing the luxury and money they obtained through ‘trading’ and ‘investing’.

How it all starts

A scammer would usually approach a prospective victim in Instagram chat, asking whether they have heard of bitcoin, whether they want to earn huge profits from it, and so on:

The bullshit degree of their story usually escalates quite fast. One of the first scammers who tried to engage me in such a ‘super profitable scheme’ claimed he trades ‘Microsoft tools’ (whatever that might mean):

For some reason the majority of scammers refer to themselves as ‘binary traders’ and to their business as ‘binary trading’, even though their scam schemes obviously boil down to bitcoin in the end and not to any other financial instrument. Maybe for them this sounds more serious and convincing? However, it is a sad irony that this subconsciously puts crypto swindles and shady binary options trading into the same scam category.

The descriptions of the ‘services’ that they offer are as naive as they can be, a mix of seemingly random trading-related terms and sky-high returns:

Let’s take a closer look at what these scam profiles look like.

Examples of scammers’ profiles

Here are just a few examples of scammers’ profiles found on Instagram:

Most scammers are usually not too creative with account naming, so we see patterns with “trade”, “trading”, “btc”, “fx”, “invest” and the like. It is really easy to pull a whole list of scammers’ accounts by searching related words just like this:

Another warning sign is that many such profiles have an unusually high number of followers (most probably bot-generated), although the accounts are pretty new. Sometimes all photos on the profile were uploaded in a matter of just a few days.
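The warning signs above can be turned into a simple triage check for reported profiles. This is an added example, not code from the original post: the field names, thresholds and sample profiles are assumptions constructed for illustration, and the data is assumed to be collected by hand from public profile pages.

```python
from datetime import date

# Name fragments the article lists as typical for scam accounts.
NAME_KEYWORDS = ("trade", "trading", "btc", "fx", "invest")

# Thresholds are illustrative assumptions, not measured values.
MIN_SUSPICIOUS_FOLLOWERS = 10_000   # "unusually high" follower count
MAX_NEW_ACCOUNT_DAYS = 180          # account still counts as "pretty new"
MAX_UPLOAD_BURST_DAYS = 7           # all photos posted within "a few days"

TODAY = date(2021, 3, 1)            # constructed review date

# Constructed sample profiles (hypothetical usernames, invented values).
SAMPLE_PROFILES = [
    {"username": "crypto_fx_trading_jane", "created": date(2021, 1, 10),
     "followers": 48_000,
     "post_dates": [date(2021, 1, 11), date(2021, 1, 11),
                    date(2021, 1, 12), date(2021, 1, 13)]},
    {"username": "sam.outdoors.co", "created": date(2020, 12, 20),
     "followers": 90_000,
     "post_dates": [date(2020, 12, 21), date(2020, 12, 22),
                    date(2020, 12, 23)]},
    {"username": "mountain_hiker_81", "created": date(2015, 6, 1),
     "followers": 320,
     "post_dates": [date(2016, 5, 2), date(2018, 8, 19), date(2020, 7, 4)]},
]


def name_hits(username):
    """Return the listed keywords that occur in the username."""
    lowered = username.lower()
    return [k for k in NAME_KEYWORDS if k in lowered]


def red_flags(profile, today):
    """Return the list of warning signs a profile shows on the given day."""
    flags = []
    hits = name_hits(profile["username"])
    if hits:
        flags.append("name:" + ",".join(hits))

    # Many followers on a recently created account.
    age_days = (today - profile["created"]).days
    if (profile["followers"] >= MIN_SUSPICIOUS_FOLLOWERS
            and age_days <= MAX_NEW_ACCOUNT_DAYS):
        flags.append("followers_vs_age")

    # Whole feed uploaded in one short burst (needs a few posts to judge).
    dates = sorted(profile["post_dates"])
    if len(dates) >= 3 and (dates[-1] - dates[0]).days <= MAX_UPLOAD_BURST_DAYS:
        flags.append("upload_burst")
    return flags


def triage(profiles, today):
    """Rank profiles by number of warning signs, most suspicious first."""
    scored = [(p["username"], red_flags(p, today)) for p in profiles]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for username, flags in triage(SAMPLE_PROFILES, TODAY):
        print(f"{username:26} {len(flags)} flag(s): {flags}")
```

A profile without any keyword in its name can still score on the other two signs, which matters for the impersonation cases where the account name looks like an ordinary person's.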

Fake and stolen identities

There are a few ways for scammers to create a fake digital identity, from simple photo misuse to some relatively well thought out schemes.

Photos misuse

On Instagram, scammers mostly use seemingly random names and post other people’s photos on the profile. These are usually random photos taken from the internet and other Instagram accounts. Sometimes the origins of these photos can be found using reverse image search (Google, Yandex, TinEye), leading to interesting findings.

This scammer (left) has carefully chosen photos from the actual Instagram account of Brandon Green (right), but used a different name for the fake identity:

In some cases scammers unknowingly use photos of public persons, politicians, etc. taken from various online sources. This scammer used different photos of Swedish Prime Minister Stefan Löfven (far right) on his profile:

As ‘proof’ of his identity he also sent a copy of a US driving license (originally belonging to some other person) with a not very accurately tampered holder name on the card (Marc Lagarde is a fake name, not the actual license holder’s name), and with the holder’s photo replaced by that of the Swedish politician:

Inaccurately tampered photo of US driving license.
One can notice the holder’s picture is definitely NOT that of a person born in 1982.

In many cases scammers pose as women, using random photos taken from the internet, sometimes taken in an office or corporate setting and sometimes, again, depicting someone surrounded by luxury like cars, resorts, yachts and the like. Possibly the reasoning is that an attractive woman’s profile would be trusted more?..

This scammer (left) used photos of Margarete Schramböck (right), an Austrian Minister of the Economy, in their Instagram profile:

I have also seen some comical cases where scammers’ profiles are populated with photos of public persons or officials who are too obviously unrelated to the scammer’s ‘legend’, like these photos in the account of some God-fearing ‘forex trader’ (left), which actually depict Olga Gorelova, the Russian business ombudsman of the Arkhangelsk region (far right):

Identity theft and impersonation. Case study.

As mentioned, the identities used by scammers are usually completely random: they use Instagram photos taken from some online source, with names unrelated to these photos. True stolen identity cases are rarer, but also more dangerous for an inexperienced victim, who may fall into such a trap once presented with a seemingly convincing ‘proof’ of identity by the scammer.

One case I encountered recently was of a scammer who used an actual stolen identity for impersonation. His profile itself looks pretty much normal at first glance, unlike the usual ‘traders’ and ‘financial consultants’, but the bitcoin pitch goes on as usual in the chat:

Note that he has only 20 posts but already 158,000 followers, which looks weird for an average Colorado guy with mostly blurry-looking selfies on his Instagram feed. The dialog escalates pretty fast as he eventually sends a copy of a US passport (originally not blurred) to prove his identity to me. Oops!

The curious thing here is that this passport blank looks perfectly legit, yet the passport is not valid. First, it lacks the holder’s signature. Second, it was issued in 1995 and expired in 2005, 16 years ago.

It is really interesting how and from where this unsigned US passport copy leaked, and how the scammer got hold of it. Let’s get back to this question a bit later.

In the meantime, the scammer continues his monologue, as if following some script, without even taking much care to interact with me in the chat:

As the next move in proving his identity the scammer sends a photo of a US driver license (again, originally not blurred) issued in the same name, and this time the document is perfectly valid:

Valid US driver license

And here’s yet another curious detail from the chat with the scammer, where he mentions ‘car business open at 27 years’:

Let’s now investigate some facts about who John Sandhoff is. Quick googling gives us some information that this person is real and actually lives in Colorado. A person by that name seems to have accounts on LinkedIn and Facebook (though not actively maintained), and records on a few open directory sites:

There are also two Twitter accounts under this name:

Just a few things to notice here:

  • John Sandhoff is a real person from Colorado, aged in his 40s, which corresponds to the date of birth in the documents.
  • The place of residence is the same on LinkedIn and Facebook, and it’s Longmont, CO. The same home city appears in the personal address on the current driver licence (the valid one) as well.
  • The first Twitter account has no tweets at all and no profile pic, so it cannot be clearly attributed.
  • The second Twitter account seems active and features already familiar pictures of the real John, but consists of retweets only. This account is much more likely to be a fake one because of the wrong name order (John Sandhoff Derek), whereas an American is not likely to put a second name after a surname like that. It also corresponds to the Instagram username, which has the same (incorrect) name order.
  • The LinkedIn profile cannot be linked to him with confidence due to the lack of information / photo.
  • The Facebook profile features his actual photo as well, but it is not clear whether the account is real or fake.
  • The “Works at BTC” record on the Facebook profile raises some questions. BTC may likely stand for:
    • BT Construction, Inc., a Colorado construction company (https://www.btconstruction.com/)
    • Boulder Transportation Connections, a Colorado non-profit transportation management organization (https://www.bouldertc.org/)
    • Finally, BTC stands for Bitcoin, which fits well into the current scam scheme; however, in this case this profile should be a fake one as well (though we currently don’t have any evidence of that).
  • The Opencorporates business directory (far right picture) links John Sandhoff to a now defunct automobile-related company incorporated in 1998, also in Longmont, CO, which would make John Sandhoff roughly 26 years old at that time. But wait! Here’s a screenshot from the chat with the scammer once again:

Is this pure coincidence, or a carefully thought-out approach to impersonation?.. I personally doubt that the scammer did any research by himself; rather, he got hold of a ready-made identity and other data belonging to a real person (including photos of documents), which can then be used for impersonation.

It might even be the case that such identities can be bought on the dark market ‘out of the box’, along with copies of documents and a ‘legend’.

Putting all this together, such an impersonation case seems a bit more dangerous than amateurish attempts in the style of just ‘send me your bitcoins to invest’. Not everyone knows what a foreign ID document should look like, not everyone is sharp-eyed enough to spot a genuine-looking but otherwise invalid document, and one might just as easily be tricked into a scam by being presented with a perfectly valid document. And if a scammer tries and practices enough, he could finally convince a victim of his fake or stolen identity.

Scam websites

In the course of the dialog the scammer usually offers to register on a certain website to ‘deposit your account and start trading’. I have seen at least a few dozen such sites, and I don’t think they deserve a thorough overview. All of them are built from a certain template, so it’s common to see an almost identical website appearance once in a while, just with a different domain name and only very slight variations in design.

The appearance is usually pretty flashy and sometimes eye-bleeding, nothing like what a serious site would look like. These are just a few examples of a front page:

In reality, such a website can usually be bought out of the box, and all a scammer needs is hosting and a domain name. In some cases these guys don’t even bother with personalization and share the same website among a group of a few scammers (which is obviously cheaper to run), and each member is supposed to make their own profit from luring victims there. Other scammers really put some effort into it and have a fellow programmer run and improve their own site.

Next, let’s take a look inside such a website. Yes, you need to register an account to be let in. I have even seen sites which also included a ‘verification’ step, where after initial registration you are asked for a copy of your ID for the account to be activated (be smart enough not to send your ID to anyone on the internet unless you are absolutely sure this is legit!). As expected, uploading random kitten photos works equally well for ‘verifying’ your identity and in a short while the account is automatically ‘activated’. However, in a couple of cases scammers went even further and the uploaded images were actually checked by the site owner, so kitten pics were rejected and the account was not ‘activated’. No messing with the KYC procedure, you know.

All in all, inside you are greeted by the same eye-bleeding content along with some serious-looking charts:

Here, the interesting part from an investigation point of view is usually the ‘Deposit’ page. Sometimes you are even presented with a choice of various deposit ‘options’ like wire transfer, or even credit card or PayPal…

Scam account funding options

…all of which obviously lead to nowhere except for bitcoin. And in this case you are shown a wallet you should fund as ‘your trading wallet’, or ‘official company wallet’. Yikes!

This wallet address is basically what we are looking for to start a meaningful investigation. Most often scammers do not bother to update these addresses very often, so there’s a good chance we can already investigate the flow of funds if at least one outgoing transaction exists for such an address. Still, sometimes these addresses are newly created and have zero transactions. In such a case the address can be monitored until a transaction happens (and in most cases it actually happens, giving us evidence to investigate the further flow of funds).

Uncovering scam schemes: what to look for

So what can we find out about a particular swindler and a scam case in order to investigate it?

We already mentioned the wallet address as the key element of the investigation, because as soon as the wallet performs at least one transaction, in many cases we can track the funds further until they are eventually cashed out at some exchange, or at least find associated wallets and exchanges.

Most often this is an address which can be found on a scam website. Sometimes such addresses have only a couple of transactions, but sometimes there can be hundreds or even thousands. Another option is when a scammer directly sends a personal wallet address to a victim for a deposit, claiming it is the ‘official company wallet’ (as mentioned earlier, wallet addresses on websites might be used collectively by many people).
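The tracing idea described above, following outgoing transactions from a deposit address until they reach a known exchange, can be sketched as a breadth-first walk over a transaction list. This is an added example, not the author's tooling: the addresses, amounts and exchange labels are constructed placeholders, and treating transfers as simple address-to-address edges is a simplification of Bitcoin's input/output model.

```python
from collections import deque

# Constructed sample data: (sender, receiver, amount_btc).
# All names are placeholders, not real Bitcoin addresses.
TRANSACTIONS = [
    ("VICTIM_1", "SCAM_DEPOSIT", 0.50),
    ("VICTIM_2", "SCAM_DEPOSIT", 0.20),
    ("SCAM_DEPOSIT", "HOP_A", 0.50),
    ("SCAM_DEPOSIT", "HOP_B", 0.20),
    ("HOP_A", "HOP_C", 0.45),
    ("HOP_C", "HOP_A", 0.05),            # funds looping back (cycle)
    ("HOP_C", "EXCHANGE_X_HOT", 0.40),
    ("HOP_B", "EXCHANGE_Y_HOT", 0.19),
    ("VICTIM_3", "FRESH_DEPOSIT", 0.10),  # deposit address with no outgoing tx
]

# Hypothetical attribution labels for known exchange wallets.
EXCHANGE_LABELS = {
    "EXCHANGE_X_HOT": "Exchange X",
    "EXCHANGE_Y_HOT": "Exchange Y",
}


def build_outgoing(transactions):
    """Index transactions by sender: sender -> [(receiver, amount), ...]."""
    outgoing = {}
    for sender, receiver, amount in transactions:
        outgoing.setdefault(sender, []).append((receiver, amount))
    return outgoing


def trace_funds(start, transactions, labels, max_hops=5):
    """Follow outgoing transfers from `start` up to `max_hops` hops.

    Returns cash-out paths ending at a labelled exchange plus the
    intermediate (associated) wallets seen on the way. An address with
    no outgoing transaction yet is reported as 'monitor'.
    """
    outgoing = build_outgoing(transactions)
    if start not in outgoing:
        return {"status": "monitor", "cashouts": [], "associated": []}

    cashouts, associated = [], set()
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        addr, path = queue.popleft()
        if len(path) - 1 >= max_hops:      # hop budget used up on this path
            continue
        for nxt, amount in outgoing.get(addr, []):
            if nxt in labels:              # reached a known exchange: stop here
                cashouts.append({"exchange": labels[nxt],
                                 "path": path + [nxt],
                                 "last_amount": amount})
                continue
            if nxt in seen:                # already visited, avoids cycles
                continue
            seen.add(nxt)
            associated.add(nxt)
            queue.append((nxt, path + [nxt]))
    return {"status": "traced", "cashouts": cashouts,
            "associated": sorted(associated)}


if __name__ == "__main__":
    for address in ("SCAM_DEPOSIT", "FRESH_DEPOSIT"):
        print(address, trace_funds(address, TRANSACTIONS, EXCHANGE_LABELS))
```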

The scammer’s website address alone gives us information about the hosting company and domain name registrar, as well as the geolocation of the hosting servers. In some cases it is also possible to check certain risk metrics of the hosting IP addresses, especially if some shady provider is used that allows hosting of insecure resources containing malware or other scam sites. We can also check other domains hosted on the same IP in the case of virtual hosting.

Another interesting datapoint is an IP address belonging to a scammer. Of course it is not shared directly, but it can be obtained by sending a trackable link or using a service like Grabify (and of course a little bit of social engineering). In this case it is possible to uncover not only an IP address but also other data from the scammer’s mobile device, like location, user agent string and various device parameters and settings. This is just one example of what can be found by tracking a scammer’s smartphone:

Data obtained from scammer’s mobile device

So these datapoints (active wallet address, website address and IP address) are already enough to start an investigation and build a fairly comprehensive picture of the scam scheme in question. We will take a look at detailed investigation diagrams in the next articles.

Scammers are usually pretty excited when you share with them some of their own details later in the course of the chat:

A scammer amused by being uncovered

What it takes to take scammers down

Now that we have looked at the basics of scam schemes, the reasonable question to ask is how well scammers are actually doing on Instagram and similar social platforms?..

Of over 20 scam accounts on Instagram I encountered within a period of less than 2 months, only a smaller fraction was actually suspended after being reported as scams. Well over 50% of those accounts are still active, and it actually takes a few weeks on average from reporting to suspension.

Reporting scam websites is a different story, as it is not as transparent a process as on a social network: it takes time to find the right contacts at the hosting company, and reporting such sites still gives absolutely no guarantee whatsoever. I am not specifically tracking the state of these websites, but I have eventually encountered only one case where the website was actually suspended.

Also, in the course of investigations each wallet directly associated with scammers’ social accounts or websites is added to a monitoring tool in order to track future transactions. At the time of writing, 14 out of 28 monitored wallets were active over a period of 30 days, with 112 transactions in total. Almost all of this activity comes from addresses used on scam websites. The total balance history of these 14 wallets over 30 days suggests there’s still money turnover going on:

Wallet activity, as we mentioned, may not necessarily be associated with a particular scammer, because scam websites may be used by many people, and the wallets might be involved in other activities as well. However, there’s little doubt that, once a wallet address appears on such a website, it will be used mainly for scam and fraud activities.

Levy Itsik, CEO of Israeli blockchain analytics company Whitestream, emphasized the same problem regarding activity of crypto scam accounts on Instagram:

Whitestream CEO Itsik Levy argues that Instagram and its parent company, Facebook, have a duty to stop these scams. The accounts have already been flagged as scams – but there’s nowhere to turn to get them taken down. “The Instagram platform creates fake reality for young investors who are bored during the COVID-19 situation, and they are losing their savings because of these fake, imaginary accounts. The accounts are still active, and the scam is still attracting new people. It makes no sense,” Levy said.

Yahoo.Finance

What does this mean? A simple thing: scammers are still doing pretty well, continuing to exploit their social network accounts (and rather easily creating lots of new ones to replace suspended ones), enticing victims to scam websites to steal their crypto. Sadly, we don’t expect platforms like Facebook and Instagram to tackle such ‘small fish’ efficiently enough; however, when added up, they turn into a pretty rapacious shoal.

What next?

In further articles on the topic we are going to investigate various crypto scam cases and see in detail how stolen money flows are organized, basically what is called ‘following the money’. We will also research the social backgrounds of crypto scams. Stay tuned.


Got feedback or want to share your experience with crypto scammers? Leave a comment below, send an email to blog@whatthefraud.wtf or use the contact form.
