How Did Deepfake Tech Drain a Brazilian Crypto Exchange Out of Liquidity?

<p>A sophisticated scam using deepfake tech managed to drain liquidity from a Brazilian crypto exchange. In June 2022, the FBI issued a warning that fraudulent investment scams on LinkedIn are rising.</p><p>As LinkedIn is widely used for business networking, many find investment offers on the social media platform to be legitimate.</p><p>Sean Ragan, the FBI’s special agent in charge of the San Francisco and Sacramento field offices said the following: “So the criminals, that’s how they make money, that’s what they focus their time and attention on. And, they are always thinking about different ways to victimize people, victimize companies.</p><p>”And, they spend their time doing their homework, defining their goals and their strategies, and their tools and tactics that they use.”</p><p>In a new <a href=”” target=”_blank” rel=”nofollow”>blog post</a>, LinkedIn highlights what to look out for:</p><p>”People asking you for money who you don’t know in person. This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings.</p><p>”Job postings that sound too good to be true or that ask you to pay anything upfront. These opportunities can include mystery shopper, company impersonator, or personal assistant posts.</p><p>”Romantic messages or gestures, which are not appropriate on our platform – can be indicators of a potential fraud attempt. This can include people using fake accounts in order to develop a personal relationship with the intent of encouraging financial requests.”</p><p>Why Do Token Listings Matter?</p><p>In the case of the Brazilian crypto exchange, BlueBenx, the scam was highly sophisticated. It is very common for marketers to approach crypto companies that launched their own tokens.</p><p>The approach is often made via social media, Telegram, LinkedIn, Facebook etc. The marketers represent a crypto exchange that offers the company to negotiate listing offers.</p><p>When a token is listed in a top-tier exchange the price tends to spike higher. The token also benefits from greater exposure. A former managed at Coinbase, which is considered a top-tier exchange capitalized over listings at the exchange.</p><p>According to the allegations, the former manager alerted his brother and a colleague about which tokens to buy prior to the listing. In this case, once the token is listed and the price surges higher, the tokens are sold for a profit.</p><p>A new study suggests insider trading occurred on 25% of the new tokens’ listings at Coinbase.</p><p>Every crypto project wishes to be listed in a top-tier exchange, the bad actors took advantage of it as we’ll shortly elaborate.</p><p>The Deepfake Listing Scam</p><p><a href=”” target=”_blank”>Binance</a> is among the most sought crypto exchanges for listing. To filter inadequate tokens, Binance partnered with Certik and Peckshield to audit the tokens (dubbed as ‘project shield’) prior to being listed at the exchange.</p><p>A token that is listed on Binance is considered to be ‘safe’ although there are no guarantees.</p><p>A group of hackers were able to impersonate Patrick Hillmann, the Chief Communications Officer (COO) at Binance using Hologram AI. The deepfake tech was used by the hackers in video calls such as Zoom, offering crypto projects to be listed on Binance.</p><p style=”” class=”text-align-left”>The scam was exposed as one of the crypto projects that were contacted by the bad actors reached out to Hillmann to thank him for the listing.</p><p style=”” class=”text-align-left”>BlueBenx crypto exchange was among the victims of the group. According to the company, $200,000 were sent to the bad actors as 25 million of BlueBenx native token, BNX.</p><p style=”” class=”text-align-left”>The bad actors swapped the 25M BNX to USDT (Tether) using the exchange’s pools, draining the company out of <a href=”” target=”_blank” id=”47c3bef3-27ee-4953-8504-159e1b829b33_2″ class=”terms__secondary-term”>liquidity</a>. As a result, BlueBenx was forced to suspend withdrawals.</p><p style=”” class=”text-align-left”>BlueBenx fired most of its employees aside from 11 staff members and abandoned its HQ plans. Withdrawals are only expected to resume sometime in 2023.</p><p style=”” class=”text-align-left”>The crypto exchange released the following statement regarding the scam (translated into English):</p><p style=”” class=”text-align-left”>’During July, BlueBenx – fintech specializing in cryptoasset management – was targeted by scammers who impersonated representatives of an exchange in the midst of a trading listing of its own token, Benx.</p><p style=”” class=”text-align-left”>’The alleged representatives demanded a payment of $200,000, in addition to sending 25 million units of the Benx token, as a requirement to list the asset in the cryptoasset trading and trading company.</p><p style=”” class=”text-align-left”>’After payment and sending of tokens, security practice and common validation between operations, the false representative of the institution captured the amounts and carried out thousands of liquidity withdrawal transactions in the pools where the company kept its token listed in DeFi, leading to a flow, in minutes, of all liquidity of the assets invested in BlueBenx Finance, including USDT reserve funds.'</p><p style=”” class=”text-align-left”>BlueBenx added that out of its 25,000 clients, only 2,500 were affected.</p><p style=”” class=”text-align-left”><a href=”” target=”_blank” rel=”nofollow”>Full statement</a></p><p style=”” class=”text-align-left”>Malware Found in Crypto Jobs on LinkedIn</p><p style=”” class=”text-align-left”>It was recently discovered that the Lazarus Group (tied to North Korea) used LinkedIn crypto jobs to infect users’ devices. Since February, the hackers have posted open positions at <a href=”” target=”_blank”>Coinbase</a>, seeking engineering managers and product security.</p><p style=”” class=”text-align-left”>The job’s description was available in a PDF file, which if downloaded executed the malware (Coinbase_online_careers_2022_07[.]exe).</p><p style=”” class=”text-align-left”>The file would then display a decoy PDF doc as the DLL is loading in the background. Once the DLL is executed, GitHub is used as a C2 server for commands on the infected device.</p><p style=”” class=”text-align-left”>The aim of the attack is to gather information on financial experts and credentials in their current workplace.</p><p style=”” class=”text-align-left”><a href=”” target=”_blank” rel=”nofollow”>According to Checkpoint</a>, in Q1 2022 LinkedIn was at the top spot for global <a href=”” target=”_blank” id=”ab3b6971-b22e-40d3-9c34-9e4b3b557786_1″ class=”terms__main-term”>phishing</a> attacks (relating to 52% of all phishing attacks globally).</p><p style=”” class=”text-align-left”>Many LinkedIn users do not expect job offers to contain malicious scripts. It is essential to ensure and reaffirm the job offers are legitimate, even if it means using your connections to do so.</p>

This article was written by Matti Williamson at