Cybersecurity firm Kaspersky has uncovered an unusual scam that targets cryptocurrency thieves. The scheme lures opportunists with what look like loaded cryptocurrency wallets, then drains the would-be thief's own funds when they take the bait. The ploy illustrates the growing sophistication of cybercriminals in the digital asset space.

According to Kaspersky, scammers are posing as naive cryptocurrency users by publicly sharing seed phrases, the recovery words that grant access to a cryptocurrency wallet, in YouTube comments. These comments, posted by newly created accounts, often include a plea for help in transferring funds from a wallet that supposedly holds large assets.

Kaspersky's recent blog post describes it this way: “Scammers have come up with a new trick… They are posting crypto wallet seed phrases in YouTube comments using newly created accounts.”

There is no honor among thieves – How the private key scam works

One wallet observed by Kaspersky contained nearly $8,000 worth of USDT on the Tron network. To access these funds, the thief would first need to send TRX, the blockchain’s native token, to cover network fees.

The scheme primarily targets individuals looking to exploit someone else's supposedly “stupid” mistake. Once they import the bait wallet, these digital thieves find it filled with USDT, a TRC20 token pegged to the US dollar.

Since the wallet does not hold enough TRX to pay the withdrawal fee, the thief has to send TRX from their own wallet. That transfer triggers the “siphon”: the incoming TRX is forwarded to the scammer's address.

The scammers have rigged the system, and once TRX is sent, it is immediately redirected to a separate wallet controlled by the attackers, leaving the thief empty-handed.

Kaspersky’s analysis likens the scammers to digital Robin Hoods, targeting unethical actors in the cryptocurrency space. However, the ultimate victims are those who let their greed outweigh their caution.

The security firm urges cryptocurrency users to treat identical seed phrases that appear in multiple comments as a red flag. Such repetition points to a well-planned, coordinated operation to steal the assets of anyone who takes the bait.
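The repetition Kaspersky points to is easy to check for in comment data. The following is an added example, not code from Kaspersky or from the original article: it scans constructed YouTube-style comments for 12- or 24-word runs that look like seed phrases and flags any phrase reused by several newly created accounts. The comment records, the account-age threshold and the word-length heuristic are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample comments (not data from the Kaspersky report). Two fresh
# accounts post the same "help me move my USDT" plea with an identical phrase;
# an old account quoting the phrase and an ordinary comment serve as controls.
SAMPLE_COMMENTS = [
    {"account": "bait_acct_1", "created": "2024-09-01", "posted": "2024-09-03",
     "text": "Please help! I have 8000 USDT in this wallet but no TRX for fees. "
             "Phrase: river stone maple cloud tiger lemon frost candle ocean pixel velvet harbor"},
    {"account": "bait_acct_2", "created": "2024-09-02", "posted": "2024-09-03",
     "text": "Can someone move my USDT out for me? river stone maple cloud tiger lemon "
             "frost candle ocean pixel velvet harbor."},
    {"account": "old_timer", "created": "2019-05-20", "posted": "2024-09-04",
     "text": "Lol this is a trap: river stone maple cloud tiger lemon frost candle "
             "ocean pixel velvet harbor. Don't send TRX."},
    {"account": "lonely_bait", "created": "2024-09-03", "posted": "2024-09-03",
     "text": "Seed: anchor beacon cobalt dragon ember falcon garnet helium ivory jasper kelvin lotus"},
    {"account": "viewer_42", "created": "2022-01-10", "posted": "2024-09-03",
     "text": "Great video, thanks for explaining TRC20 fees."},
]

# A run of 12 to 24 plain lowercase words of 3-8 letters, separated only by
# whitespace (BIP39 words are 3-8 letters; punctuation breaks the run).
SEED_RUN = re.compile(r"(?:\b[a-z]{3,8}\b\s+){11,23}\b[a-z]{3,8}\b")

def seed_phrase_in(text):
    """Return the normalised 12- or 24-word run found in text, else None.
    Heuristic only: a real deployment would also check each word against the
    BIP39 wordlist and tolerate a phrase glued to surrounding words."""
    for run in SEED_RUN.findall(text.lower()):
        words = run.split()
        if len(words) in (12, 24):
            return " ".join(words)
    return None

def account_age_days(comment):
    """Age of the posting account, in days, at the time the comment was posted."""
    return (date.fromisoformat(comment["posted"])
            - date.fromisoformat(comment["created"])).days

def flag_coordinated_seed_posts(comments, max_account_age_days=7, min_accounts=2):
    """Map each seed phrase reused by >= min_accounts young accounts to those accounts."""
    accounts_by_phrase = defaultdict(set)
    for c in comments:
        phrase = seed_phrase_in(c["text"])
        if phrase and account_age_days(c) <= max_account_age_days:
            accounts_by_phrase[phrase].add(c["account"])
    return {p: sorted(a) for p, a in accounts_by_phrase.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    for phrase, accounts in flag_coordinated_seed_posts(SAMPLE_COMMENTS).items():
        print(f"coordinated bait from {accounts}: '{phrase}'")
```

Only the phrase posted by the two fresh accounts is flagged; the old account quoting it and the single-account phrase are ignored.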

Kaspersky’s findings extend beyond seed phrase scams. In August, the company’s Global Emergency Response Team (GERT) identified a larger scam targeting Windows and macOS users worldwide.

This operation uses polished fake websites to mimic legitimate services, such as cryptocurrency platforms, online role-playing games, and artificial intelligence tools. These sophisticated imitations are designed to lure victims into sharing sensitive information or downloading malware.

“The interconnectedness of different parts of this campaign and the shared infrastructure between them points to a well-organized operation, possibly linked to a single actor or group with specific financial motivations,” said Ayman Shaaban, Head of Response at Kaspersky’s GERT team.

Kaspersky’s investigation, dubbed “Tusk,” revealed that the campaign includes various sub-operations targeting cryptocurrencies, gaming, and AI-related topics. The malicious infrastructure also extends to 16 other topics, either retired sub-campaigns or new campaigns that have yet to be launched.

Strings of malicious code uncovered during the investigation showed that the attackers’ servers were communicating in Russian, with references to the term “Mammoth” (“Мамонт”), a slang word for “victim” among Russian-speaking threat actors. This linguistic clue contributed to the campaign’s naming.

The Tusk campaign uses information-stealing malware such as Danabot and Stealc, as well as clipboard monitoring tools, some of which are open-source variants written in Go. The information-stealers track wallet details and other sensitive information, while the clippers intercept cryptocurrency wallet addresses copied to the clipboard, replacing them with malicious addresses controlled by the attackers.