Being a victim of fraud can be devastating enough, but that’s not always the end of the story. Often, fraud victims can be targeted again — only this time by people claiming that they can recover the victim’s initial losses.
Recovery scams are a type of advance-fee fraud in which fraudsters promise to help scam victims get their money back in return for an upfront fee. The victim loses even more money by paying the fraudster for a so-called ‘fraud recovery service’ that never materializes. In some variants of this scam, fraudsters claim to be able to recover cryptocurrency, often targeting people who have fallen victim to investment scams. Unfortunately, however, these ‘crypto recovery services’ are not genuine.
In December of 2023, the FTC issued a warning about the growing trend in recovery scams and how they exploit the most vulnerable populations, those who’ve already fallen victim to scams. So, how are they targeted?
Finding new ‘customers’ — building credibility
Every successful scam starts by luring potential victims and then building credibility. For recovery scams, criminals advertise in several ways, including social media, copied websites from other scammers, and review sites intended to establish trust for consumers.
Many recovery scammers contact known victims of fraud, either through social media (for example, if the victim has posted publicly about being scammed) or by obtaining their details from a so-called sucker list — a list of people who have previously fallen for a scam that contains details such as their name, email address, or phone number, which is sold to fraudsters on the dark web. In some cases, the recovery scammer may even be the same person from the first scam.
Looks can be deceiving — @cybstrive deep dive
Recovery scams can often be found in the comment sections of platforms like YouTube and Reddit, typically using bot accounts. For example, the image below shows some comments made by the user RobinsonkLfb2 on Reddit in response to other users’ posts in subreddits, such as r/phishing. These comments all advertise the services of user @cybstrive on Instagram and Telegram, claiming that they were able to retrieve the funds that they had lost to fraud.
Figure 1: Comments posted by RobinsonkLfb2 on Reddit advertising @cybstrive on Instagram
A search for @cybstrive on Instagram brings up the profile in the images below, which has all the hallmarks of a recovery scam: exaggerated claims that they are ‘experts’, a Telegram contact link, and various out-of-context, poor-quality images that vaguely related to scams, computing, and cryptocurrency to seem believable.
Figure 2: @cybstrive’s Instagram profile
Another notable trait of profiles like this is the username count, which some social media platforms display to aid users in judging whether a profile could be misleading. As shown here, @cybstrives’s Instagram has changed its username six times since its registration in July of 2023.
Figure 3: Information on @cybstrive’s Instagram account, including the number of username changes
Additionally, the frequent username changes combined with the high follower count (50.3K at the time of writing) suggest the possibility that the account may have either been hacked and changed the name or that the account owner has purchased fake followers in the form of bot accounts to appear more legitimate.
Figure 4: @cybstrive’s follower count
Freelance fraud recovery?
In addition to advertising on social media or using a list of people, fraudsters can even be found using the freelance services platform Fiverr to lure victims. A search for ‘bitcoin recovery’ on the platform brings up a plethora of ads for recovery scams associated with crypto, PayPal, and other platforms. Interestingly, many of these listings have unique listing images but the same descriptions, a common feature of fraudulent app listings, fraudulent services, and fake investing platforms where criminals just copy content for efficiency and speed.
Figure 5: Results for ‘bitcoin recovery’ on Fiverr
The actual profile descriptions contain slightly more variation, but if bad grammar and copy-pasted text aren’t enough of a red flag, one seller gives away that the text is most likely autogenerated by introducing himself simply as ‘(Name)’:
Figure 6: Profile description belonging to a seller of ‘bitcoin recovery services’
Considering Fiverr’s chargeback policy, it’s currently unclear how successful these fraudsters are in taking money from victims, assuming they request a refund through the platform for a service they have not received. In any case, the evidence suggests that these profiles are anything but legitimate.
A hacker for any service
Many profiles and websites that promote fake recovery services will often claim to be able to do a lot more than just recover funds. The initial lure is similar to what we covered earlier in the article; fraudsters will often use bot accounts to spam YouTube comments, such as in the below example:
Figure 7: YouTube bot comments endorsing the services of Cryptic Webster
The comments don’t include direct ways of contacting the fraudsters, such as an email address or a link to a social media account, but instead repeatedly mention the name of the alleged service in bold, prompting anyone reading the comments to use a search engine to find it. Upon searching for the phrase ‘Cryptic Webster’, the top result was a website claiming to offer hacking services for just about anything — including recovering lost social media accounts, fixing credit scores, and even improving grades.
Figure 8: Hacking services allegedly offered by Cryptic Webster
Additionally, fraudsters claiming to offer ‘legit’ hacking services for such purposes can even be seen advertising using Google Ads, as shown in the second sponsored listing for hxxps[://]hacklancer[.]com in the image below. No self-proclaimed hacker can legitimately fix credit scores (or provide any of the services they claim to offer). In the case of credit scores, these ‘hackers’ will, at best, disappear with the victim’s money and, at worst, steal the victim’s identity after the victim has given them all kinds of information.
Figure 9: Google Ad listing which advertises fraudulent hacking service ‘hacklancer’ (second result)
How can Netcraft help?
Scams evolve daily, and Netcraft works around the clock to detect and disrupt over 100 different types of cybercrime to keep your organization safe. In addition, we continuously monitor emerging threats to ensure we stay ahead of criminals at all times. Our robust detection capabilities, combined with automated countermeasures, allow Netcraft customers to see more threats and take action in real-time to disrupt criminal behavior and protect their brand and customers from phishing, fraud, and scams.
Contact our team or book a demo today if you want to learn more about how Netcraft can protect your brand.