{"id":9647,"date":"2026-01-05T04:03:32","date_gmt":"2026-01-05T04:03:32","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/05\/32594\/"},"modified":"2026-01-05T04:03:32","modified_gmt":"2026-01-05T04:03:32","slug":"32594","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/05\/32594\/","title":{"rendered":"Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th)"},"content":{"rendered":"<div>\n<p><em><strong>Introduction<\/strong><\/em><\/p>\n<p>In October 2025, a work colleague documented <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2025-10-30-IOCs-for-cryptocurrency-scams-using-fake-chatbots.txt\">a cryptocurrency scam using a fake chatbot<\/a>. After investigating this, I was able to receive messages from the campaign, and these emails have continued\u00a0to land in my honeypot account since then. 
This diary documents the cryptocurrency scam campaign as it continues in 2026.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-01.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-01.jpg?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: My honeypot email inbox with several emails from this cryptocurrency scam campaign.<\/em><\/p>\n<p><em><strong>Details<\/strong><\/em><\/p>\n<p>This campaign promises cash payouts on cryptocurrency that potential victims unknowingly have.<\/p>\n<p>This campaign primarily abuses the minimalist publishing platform <span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span>, which anyone can use to publish a simple web page very quickly. Many of these emails have minimal messaging and contain links to these <span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span> pages.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-02.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-02.jpg?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Example of an email from this campaign with link to a <span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span> page.<\/em><\/p>\n<p>\n<a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-05.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-05.jpg?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Example of a <span style=\"font-family:Courier 
New,Courier,monospace;\">telegra[.]ph<\/span> page from this campaign.<\/em><\/p>\n<p>This campaign is not limited to abusing <span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span>. Many of these emails contain Google Forms pages that lead to the\u00a0<span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span> page.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-03.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-03.jpg?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Example of a Google Forms email from this campaign.<\/em><\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-04.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-04.jpg?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Example of a response from the Google Forms link that leads to a <span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span> page for this campaign.<\/em><\/p>\n<p>These <span style=\"font-family:Courier New,Courier,monospace;\">telegra[.]ph<\/span> pages generally lead to the same type of cryptocurrency scam, stating you have over $100K in US dollars worth of Bitcoin from an automated Bitcoin mining cloud platform.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-06.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-04-ISC-diary-image-06.jpg?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Example of a page to begin the cryptocurrency 
scam.<\/em><\/p>\n<p>In November 2025, I posted <a href=\"https:\/\/www.youtube.com\/watch?v=yUV7OkQqSBk&amp;t=7s\">a video on YouTube<\/a>, where I went through the website step-by-step, interacting with the fake chatbot to get to the actual scam. The scam involves paying a fee to convert the supposed Bitcoin to US dollars, which potential victims would send to a wallet controlled by the criminals.<\/p>\n<p><em><strong>Final Words<\/strong><\/em><\/p>\n<p>Many free services are easy to abuse for these types of campaigns. While these emails may seem obviously fake, they continue to be cost-effective for criminals to send, and criminals can easily abuse other services to host everything needed for this scam.<\/p>\n<p>Bradley Duncan<br \/>\nbrad [at] malware-traffic-analysis.net<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32594\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th) Introduction In October 2025, a work colleague documented a cryptocurrency scam using a fake chatbot. After investigating this, I was able to receive messages from the campaign, and these emails have continued\u00a0to land in my honeypot account since then. 
This diary documents [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-9647","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9647"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9647"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9647\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}