Warning Against Smishing Campaign Related to Burning Cryptocurrency Distributed in Korea

Currently, various types of smishing related to cryptocurrency such as investment schemes and romance scams are being spread in Korea. These scams mainly use fake phishing sites or malicious apps to cause damage including personal information leaks, financial loss, and coin theft.

The AhnLab Mobile Analysis team investigated how the perpetrators actually steal money from victims in a smishing campaign spread under the guise of “Ethereum burning”; this post presents the findings.

The smishing campaign discussed in this post (see Figure 1) deceives victims into thinking they mined Ethereum coins in a past event they do not remember and encourages them to click on a real-time consultation link included in the message to recover the assets.

Figure 1. Smishing related to Ethereum burning

 

Clicking the link directs you to the “Naver Talk Talk” service provided by Naver as shown in Figure 2. In the messenger, the perpetrator impersonates a company named “DUALCOIN,” which does not exist.

Figure 2. Scam company representative operating on Naver Talk Talk

The scammer first confirms that the victim actually received the message, which lets them verify both the victim and the smishing content and decide on the subsequent steps. They also conduct an identity check, requesting information such as name, date of birth, and phone number.

Even when fake personal information is given to the scammer, the victim is told that the identity check has been completed. This suggests that the scammer does not actually possess the personal information of the targeted victim.

The victim is then informed that there is a record of mining a certain amount of Ethereum as stated in the smishing message shown below.

 

Figure 3. Messages about coin burning

 

The victim is instructed to sign up via the coin wallet link on the phishing site to cancel the scheduled burning of their Ethereum holdings. 

The link directs to the DUALCOIN phishing site, and registration is only possible by entering a referral code provided by the scammer (see Figure 4).

Figure 4. DUALCOIN phishing site and registration page

 

After the victim registers with the referral code provided by the scammer and tells them the ID, the account displays 58 Ethereum, as shown in Figure 5.

Figure 5. The phishing site displaying 58 Ethereum

 

The scammer then informs the victim that the linked Ethereum is still scheduled for burning and that they must follow the instructions of the cancellation manager to cancel the burning process, providing the LINE messenger ID of the manager (see Figure 6).

Figure 6. Connecting to the cancellation manager

 

The connected “manager” claims to be gathering people who want to cancel the coin burning, as shown in Figure 7. To do so, they create a group chat by adding 3 people in addition to the scammer and the victim. On a repeat approach, the added members appear to be the same individuals, suggesting that they are accomplices of the scammer.

According to the “manager”, a fee equivalent to 0.25% of the current Ethereum market price is required, so in the case of 58 Ethereum, approximately 480,000 KRW is needed.

Figure 7. Explaining the burning cancellation fee alongside the scammer's accomplices

 

Once all instructions are carried out, the victim is directed to deposit the fee into an account provided by the phishing site (see Figure 8). If one deposits this amount, the money will be lost and the personal information provided during the registration process may also be leaked.

 

Figure 8. Account within the phishing website

 

The smishing campaign explained in this post has been ongoing since the beginning of the year. Users need to exercise particular caution by being aware of such smishing cases, using verified official sites, and double-checking cryptocurrency-related information.