CoinEgg Scam Campaign Steals Victims’ Cryptocurrency and Data

Originally published at: CoinEgg Scam Campaign Steals Victims’ Cryptocurrency and Data | Threat Intelligence

CloudSEK researchers have uncovered the CoinEgg cryptocurrency scam, run by threat actors. The investigation found an ongoing malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam.

Category: Adversary Intelligence

Industry: Cryptocurrency

Type of Threat: Phishing/Fake Domain

Source*: CoinEgg

Executive Summary

  • CloudSEK’s Threat Analyst team has discovered an ongoing malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam.
  • During the course of the investigation, CloudSEK researchers identified multiple fake domains using the keyword “CoinEgg” and targeting the users of the legitimate cryptocurrency trading platform (https://www.coinegg.com).
  • The investigation also found that once a fake domain is taken down, the threat group notifies unsuspecting victims via email and provides alternate domains through which to access the crypto exchange.
  • CoinEgg is a large cryptocurrency exchange based in the UK, offering trading services for digital cryptocurrency assets.
Fake CoinEgg domains that show up on Google Search

Analysis and Attribution

How the CoinEgg Scam Works

  • CloudSEK researchers found that the CoinEgg cryptocurrency scam is conducted by threat actors in multiple phases. The actors masquerade as the legitimate CoinEgg crypto trading platform by replicating the dashboard and user interface of the official website on fake “CoinEgg VIP” domains.
  • In the first phase of the scam, CoinEgg users are deceived into depositing an amount into the fake wallet, ostensibly to invest it in a listed cryptocurrency. Once the deposit is made, the threat actors freeze the funds in the CoinEgg VIP wallet and prevent users from withdrawing them.
  • Multiple fake phishing applications claiming to be CoinEgg are also being propagated on the web. On installation, these applications typically request unwanted permissions, and they are reported as malicious on various platforms.
  • The threat actors have registered several fake CoinEgg domains, so that taking down any one of them does not disrupt the campaign.
  • When the threat actors switch domains, they notify users via email and Telegram, so that the large-scale scam goes undetected.

Information from the Post

In the process of scamming unsuspecting users, the operators behind CoinEgg VIP impose the following conditions:

  • Customers have to pay 22% of their earnings/ deposits as “tax”, before they can reclaim their funds.
  • Imposition of “deposit”, if account earnings cross USD 250,000.
  • Permanent freeze of assets, if the conditions mentioned above are not fulfilled.

Aggrieved by these conditions, customers of CoinEgg VIP have raised concerns about the operations of the shady cryptocurrency trading website on multiple platforms. Furthermore, suspicious “investigation agencies” are piggybacking on these accusations, promising to help victims of the scam reclaim their frozen assets. Under the pretense of an investigation, victims are asked to provide asset information and ID card photos via email.

Mail from suspicious investigation agency dubbed “Global Anti-Fraud Center”

The homepage of the website https://www[.]ceggcc[.]vip

Information from OSINT

From a generic Google search for the keyword “CoinEgg” together with the top-level domain (TLD) “vip”, CloudSEK researchers discovered various websites that were most likely being used by the scammers.

List of Suspicious Domains from OSINT

CloudSEK researchers discovered the following list of fake CoinEgg domains and their details:

Domain Name                   Registry Date   Registrar
https[:]//coinegg[.]fun       24/09/2019      GoDaddy
https[:]//coinegg[.]club      26/09/2021      HiChina
https[:]//m[.]ceggca[.]vip    03/03/2022      GoDaddy France
https[:]//m[.]ceggccxs[.]vip  03/03/2022      GoDaddy Australia
https[:]//www[.]ceggi[.]vip   22/01/2022      NameCheap
https[:]//coinegg[.]vip       14/03/2019      GoDaddy US
Google results displaying “CoinEgg VIP” as a scam

CloudSEK researchers observed the following details on the coinegg.vip domain’s page source:

  • The website mentions “CoinEgg” on the index page.
  • It uses a fake logo of CoinEgg to scam the users.
  • They also have a customer service chatbot that redirects users to the domain v[.]chatabc[.]xyz.
Chatbot for customer service

  • However, this domain was later taken down and a new CoinEgg VIP domain was used to conduct the scam: https[:]//m[.]ceggccxs[.]vip/
Image of alternate domain details provided

  • In the image above, the threat actors announce system maintenance and provide users with two alternate domains through which to access CoinEgg VIP:
Domain                        IP Address        Registrar
https[:]//m[.]ceggca[.]vip    108.156.107.108   GoDaddy France
https[:]//m[.]ceggccxs[.]vip  108.156.91.107    GoDaddy Australia
  • Both of these domains were registered on GoDaddy on 3 March 2022, consistent with the threat actor’s tactic of registering multiple backup domains in advance of a takedown.
  • The threat group has created these new domains with a similar user interface as the previous ones.
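
The domain lists above (the OSINT table and the two backup domains) share three traits a defender can key on: the brand keyword “CoinEgg” or its “cegg” abbreviation in the registrable label, a cheap TLD such as .vip, and batches registered on the same day. The following script is an added example, not CloudSEK tooling; the input records are constructed from the report’s tables, and the legitimate site’s date is a placeholder.

```python
"""Flag lookalike domains on a watch-list using the indicators this report
describes. Added example; records are constructed from the report's tables."""
from datetime import date

BRAND_TOKENS = ("coinegg", "cegg")            # brand keyword and the abbreviation seen in the fakes
WATCHED_TLDS = {"vip", "fun", "club", "xyz"}  # TLDs used by the fake sites in the report

# Constructed from the report; dates are dd/mm/yyyy as printed there.
OBSERVED = [
    ("coinegg.fun", "24/09/2019"),
    ("coinegg.club", "26/09/2021"),
    ("m.ceggca.vip", "03/03/2022"),
    ("m.ceggccxs.vip", "03/03/2022"),
    ("www.ceggi.vip", "22/01/2022"),
    ("coinegg.vip", "14/03/2019"),
    ("www.coinegg.com", "01/01/2013"),   # legitimate site; placeholder date
]

def registrable_parts(hostname):
    """Return (second-level label, tld) for a hostname, ignoring subdomains."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2], labels[-1]

def parse_dmy(text):
    d, m, y = (int(x) for x in text.split("/"))
    return date(y, m, d)

def score_domain(hostname, legit_tld="com"):
    """Return the list of indicator names that fire for one hostname."""
    label, tld = registrable_parts(hostname)
    hits = []
    if any(tok in label for tok in BRAND_TOKENS) and tld != legit_tld:
        hits.append("brand-lookalike")
    if tld in WATCHED_TLDS:
        hits.append("watched-tld")
    return hits

def flag_lookalikes(records):
    """Return {hostname: [indicators]} for every record with at least one hit.
    Flagged domains registered on the same day are additionally tagged as a
    backup-domain batch, the pattern seen with the two m.cegg*.vip hosts."""
    flagged = {h: score_domain(h) for h, _ in records}
    flagged = {h: hits for h, hits in flagged.items() if hits}
    by_day = {}
    for h, reg in records:
        if h in flagged:
            by_day.setdefault(parse_dmy(reg), []).append(h)
    for hosts in by_day.values():
        if len(hosts) > 1:
            for h in hosts:
                flagged[h].append("same-day-batch")
    return flagged
```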

Interface of the new domain

Registration on the new domain

Information from Security Vendors Including BeVigil

  • CloudSEK’s Threat Research team discovered an APK (Android Package) for CoinEgg with the option to download.

CoinEgg APK

  • Once the download is completed, the following message pops up.
URL to share among friends

  • Security vendors have tagged the URL as malicious and it is flagged as a phishing site by VirusTotal.
Fake URL flagged as malicious

  • Multiple security engines, including Antiy-AVL, ESET-NOD32, Fortinet, Ikarus and Jiangmin, also detected trojans in the malicious application. (Please refer to the Appendix.)
  • CloudSEK’s BeVigil security search engine found that the application requests several permissions classified as dangerous, including write settings, system alert window, request install packages, location access and process outgoing calls.
The application’s dangerous permission requirements

  • Another application was also discovered through the domain coinegg[.]club, which had similar malicious permissions enabled.
CoinEgg.club requiring dangerous permissions
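
The permission check BeVigil performs can be reproduced offline against a decoded AndroidManifest.xml. The script below is an added example, not BeVigil’s implementation; it audits the <uses-permission> entries against the permission classes the report calls out, and the manifest it parses is constructed for illustration rather than taken from the CoinEgg APK.

```python
"""Audit <uses-permission> entries of a decoded AndroidManifest.xml against
the high-risk permissions this report flags. Added example; the manifest is
constructed, not extracted from the CoinEgg application."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names for the categories listed in the report.
HIGH_RISK = {
    "android.permission.WRITE_SETTINGS": "write settings",
    "android.permission.SYSTEM_ALERT_WINDOW": "system alert window (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "request install packages",
    "android.permission.ACCESS_FINE_LOCATION": "location access",
    "android.permission.ACCESS_COARSE_LOCATION": "location access",
    "android.permission.PROCESS_OUTGOING_CALLS": "process outgoing calls",
}

# Constructed manifest of a hypothetical trading app, in the decoded form
# a tool such as apktool prints (binary XML must be decoded first).
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeexchange">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="Fake Exchange"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def audit_permissions(manifest_xml):
    """Map each high-risk permission present to its plain-language category.
    A trading or wallet app has no legitimate need for overlays, sideload
    prompts or call interception, so any hit warrants manual review."""
    found = declared_permissions(manifest_xml)
    return {p: HIGH_RISK[p] for p in sorted(found) if p in HIGH_RISK}
```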

Reach and Financial Impact of the CoinEgg Scam

  • CloudSEK researchers found that the CoinEgg VIP group uses an active, verified Telegram channel with close to 2K subscribers to communicate with its investors.
  • A user has also claimed to have lost INR 50 lakhs to this cryptocurrency scam, including additional costs such as the deposit amount, tax, etc.
  • The loss of users to the CoinEgg VIP scam is estimated at INR 10 billion.

Impact & Mitigation of CoinEgg Scam

Impact

  • Multiple fake phishing applications are being propagated on the web, which could result in temporary, and possibly permanent, loss of data.
  • Victims are asked to provide asset information and ID card photos, which contain PII. Such data can be used in tandem with social engineering or for identity theft.
  • The data shared could also be used to gain initial access to the user’s crypto wallet.
  • Financial loss associated with frozen crypto wallets.
  • Fake CoinEgg applications, on installation, require unwanted permissions and are reported to be malicious. This would equip malicious actors with the details required to launch sophisticated ransomware attacks.

Mitigation

  • Identifying phishing websites and subsequently suspending them is the quickest way to mitigate the threat of such scams.
  • Make use of cybersecurity solutions like CloudSEK’s XVigil to continuously scan for new fake websites that pop up on the internet.
  • Report the phishing campaign to the Cyber Crime Cell and provide them with the necessary details to curb the continuous attempts of threat actors.
  • Run aggressive awareness campaigns to educate users/customers about ongoing scams, so that fewer people fall for them.

Appendix

Domain details of ceggca.vip

Domain details of ceggccxs.vip

Domain details of coinegg.fun

Domain details of coinegg.club

Users calling ceggi.vip a scam platform

Reddit forum posts about avoiding CoinEgg VIP

Trojans detected in the fake application

Screenshot of fake CoinEgg m(.)ceggccxs(.)vip page