Crypto educator Duo Nine, creator of the Your Crypto Community (YCC) platform, nearly fell victim to an impersonation scam on Sept. 30, according to an Oct. 1 X thread.
The scammers claimed to be executives from venture capital firm ParaFi. Their goal was to convince Duo Nine to download a “patch” that would allow his copy of Slack to work. In reality, the “driver” was likely malware, and the impersonators were attempting to steal his private key and drain his crypto wallet of everything it contained.
ParaFi Partner Kevin Yedid-Boton stated in an Oct. 1 X post that the scammers are not associated with his firm and that crypto users should not interact with the bogus accounts.
“Last night[,] I was the victim of one of the most complex social engineering scams I've ever seen impersonating @paraficapital staff,” Duo Nine stated, adding “If you're in crypto, you are a target.”
He explained that he had been contacted on X by a person claiming to be Ryan Navi, principal and head of venture at ParaFi Capital.
The person stated that he was representing Web3 protocols Layer3, Polymarket, Zapper and Coin98. These protocols were looking for “KOLs” (key opinion leaders) to help them market their products, the person stated, implying that they may be interested in partnering with Duo Nine.
The message came from a verified account on X.
Duo Nine responded by asking for an email from the company’s domain or a private message from the company’s X account.
The person refused to provide him with either but did refer him to ParaFi's official website, which listed “Ryan Navi” and several other team members. The person also showed Duo Nine that each member of the team had a verified X account and that all of these accounts were following his account. According to Duo Nine, he saw the person’s unwillingness to provide an email as an “instant red flag.” Even so, he “decided to play ball.”
Conversation with ParaFi impersonator. Source: Duo Nine.
After exchanging a few messages with him, the supposed “Ryan Navi” invited the crypto educator to a group Telegram chat with himself and two other people claiming to be ParaFi team members Nicole Ferguson and Stephanie Ng.
Through the chat, the four individuals agreed on the terms of a new partnership. However, at the last minute, “Nicole” suggested that the two meet via an audio call to hash out the final details. It was at this moment that the true purpose of the meeting began to unfold.
Recent: World Record Egg’s two crypto tokens smell kind of bad
The supposed team members sent him an authentic Calendly link, which he verified by inspecting the URL. Through this link, he set up a meeting with them. However, they warned him that the team would use a Slack server to have the call, which meant that he would need to sign up for a Slack account. He found this request to be “curious” but signed up anyway.
When Duo Nine received the link to the organization’s Slack server, he once again checked it to make sure that it came from the correct domain name — in this case, Slack.com.
Sure enough, the link did lead to a subdomain of the official Slack website. So far, the server appeared to be legitimate.
However, when clicked, it produced an error message. “Sorry! Something went wrong, but we’re looking into it,” the message stated.
Error message from impersonation scam server. Source: Duo Nine.
He told “Nicole” about the error message, and she asked “Ryan” about it. “You had this error last week, no?,” she reportedly asked the other supposed team member.
In response, “Ryan” claimed that the solution he found was to download a “driver” that was linked to from a Reddit forum post.
Suspecting that he was being asked to download malware, Duo Nine refused to install the “driver.”
Instead, he once again asked the individuals to send an email from the ParaFi domain to prove that they were not impostors.
In response, “Ryan” sent an email from paraficapital@outlook.com, featuring the wrong outlook.com domain and proving that he likely did not have access to the authentic one, parafi.com.
At this point, the game was up. Duo Nine confronted them with the evidence against them, and they responded by deleting their messages and ending all contact with him.
In the post, Duo Nine urged users to “raise awareness” of this scam and others like it and to keep funds in hardware wallets for extra protection against malware.
ParaFi warns users of impersonators
On Oct. 1, Yedid-Boton posted to X to warn the crypto community of the scam. “ALERT: FAKE ACCOUNTS IMPERSONATING @ParaFiCapital TEAM,” he stated from his official account.
According to the post, the impersonators “are verified with @X and pay a subscription, which implies that these scammers expect to profit from these fake accounts!”
Users can distinguish between the real and fake ParaFi accounts because the real one has a yellow badge, and the real team members who follow it have “affiliate” badges proving that they are truly affiliated with the company, the post stated.
Yedid-Boton suggested that users should not “interact or trust any posts, messages, or content” from the fake accounts.
The alleged malware Reddit post
The alleged malware Reddit post came from user u/andler_schust, whose account was created in March. The post was created on Oct. 22. It links to Flaudriver, which claims to be an app that scans a user’s computer and checks to see if they need to update drivers.
Flauidriver webapp, alleged to be malware. Source: Flauidriver
Driver-update scanning apps often require the user to approve extensive permissions, which makes them extremely risky to use. Users should generally not install these types of apps unless they are from a trustworthy source. Cointelegraph did not test the app to determine if it is malware.
According to website analytics platform Scamvoid.net, Flauidriver was released on Oct. 20. The Reddit post was created on Oct. 22, two days after the site was created.
Reddit post promoting Flauidriver. Source: Reddit.
Impersonation scams are a common problem in the crypto community. On June 15, Binance co-founder Yi He posted several examples of scam accounts she found on X that claimed to be hers but were in fact, impersonators. She sought to raise awareness of the problem and to convince X executives to be more vigilant in blocking these accounts.
Magazine: Bankroll Network DeFi hacked, $50M phisher moves crypto on CoW: Crypto-Sec
On the same day, the United States Cybersecurity and Infrastructure Security Agency (CISA), warned that scammers were impersonating government employees in order to steal users’ crypto.