~/Crypto currency ads on Facebook in 202025 June 2020
Lately, every 4th post or so on Facebook I see is an Ad for something cryptocurrency related - kudos for getting my interests right, but Facebook definitely need to have stricter review policies on ads, especially because;
- Some of the ads are using link-masking using legitimate domains - Facebook does not unfurl these properly, so the ads look more legitimate by showing the trusted domain in the ad space
- Some of these are straight-up scams that you can tell just from the type of language and promises they use
Currently on Facebook (and Instagram), there is a massive ad campaign pushing bogus articles explaining how young people are making a lot of money on these Bitcoin trading platforms and Forex Telegram groups.
The websites are “boring” because it is the same rehashed stuff over and over again asking for a small deposit. However, there are also a wave of Telegram links beig pushed via Facebook ads that are very interesting (to me atleast) because they include a lot of messages and users (some over 100k, though most likely botted as they don’t have the same talk traffic as what you would expect from 100k users) but also because they post a lot of video proof of people “vouching” for their services. For this writeup we will be focusing on the bogus articles being pushed and the type of websites users land on.
Here’s a dump of some of the posts that are being promoted by Facebook Ads.
Let’s take a look at the websites
This advert looks exciting because it leaves the reader on a 'cliffhanger' to find out more - it is actually brilliantly done. I can imagine a lot of people clicking on this to see the full story.
I should start by saying these ads, at least the majority of them, do have some logic in the landing webpage to see if the user clicked from Facebook instead of finding the webpage organically via a search engine or copy and paste the link. If they detect that you did not come from Facebook, the webpage will show completely different content - this makes them harder to track.
When a user clicks on the ad from Facebook, it opens up a webpage with a big catchy headline and an image of a newsdesk with some public figures and logos of some news networks.
I'll dump the content of the article in numerous screenshots - but take note that most cryptocurrency ads that lead to the same webpage (structurally wise, they are all different domains) at the end have the same or similar copy, at least the same narrative of "making lots of money with this [weird] Bitcoin trick". It's a long list of images, so if you're not interested in reading the entire article then scroll down past the image dump.
It's a compelling article... I mean who doesn't like a crazy tale of making money with a method that even the celebrities endorse?! It's got to be true because all I hear about Bitcoin is is "Bitcoin $$ MOOOON" and I can participate in "TO THE MOOON" with a small £200 investment! And even better, it's _all automated_.
After someone has read the article, they see the big orange button to get access to this "amazing" platform to generate mega wealth. When their browser does a couple of redirects through various domains, they are landed on a site that looks the same as below (there are multiple domains running this with small reskinning techniques).
All of these sites have this edited video to make Bitcoin look like a mega-profit-maker. Here's is a mirror: bitcoin.mp4. A glorified video of Bitcoin from various news casts and other broadcasts. This video coupled with the (fake) news article from an ad within Facebook that demonstrates how much of a "cash cow" Bitcoin really is.
But ofcourse, nobody has heard of "Package Adventure" or this unbranded news so why should we trust them? Well, the same path of a fake news article to land users on the same page from a Facebook Ad occurs with ads taking advantage of Facebooks unfurling engine to enforce the "this is legitimate" feelings from a reader... because everybody has heard of "Forbes", "The Mirror", "Google", and "BBC News".
"You'd be a sucker to not invest in this!" especially with old headlines like 'Everyone Is Getting Hilariously Rich and You're Not' from 2018 (the time of the biggest value bubble bursts in cryptocurrency where Bitcoin went from ~$10,000 to ~$20,000 in 16 days then crashed to $14,000 in 8 days).
So... Let's sign up (under a VPN and give fake data)...
Once you are signed up, they generate you a password and prompt you to make a deposit. What is interesting is they refer you to an entity called QuantomCapital to make your deposit of £250. Let's also skip over the line "Most brokers require a minimum deposit of £100. But with QuantomCapital, you can get started for as little as £250.00."... I mean, math and sanity tests check out!
This domain is particular seems to be in its infancy/untested because to make a deposit on it they iframe QuantomCaptial, however because of settings on modern browsers, third-party cookies are disabled so the integration is not working and a user is shown an empty screen. Also the domain `trade.quantom-capitals.com` cannot be resolved.
Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document. at d (https://trade.quantom-capitals.com/vendor.80a7e3d24450d301abdb.js:1:256763) at Object.60XN (https://trade.quantom-capitals.com/vendor.80a7e3d24450d301abdb.js:1:257424) at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507) at Object.21+v (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:312) at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507) at Object.nRe+ (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:68916) at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507) at Object.Rg9G (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:50803) at c (https://trade.quantom-capitals.com/runtime.8ce93afac8967a47bc2a.js:1:507) at Object.o/AL (https://trade.quantom-capitals.com/main.0638e202631c8aab3396.js:1:74098)
However, these ads are so frequent on Facebook that we can find one that is working — btc-era.com. The same design as before except it's using a different "broker" to take the deposit of £250 (this one has fixed copy of "Most brokers require a minimum deposit of £1000. But with TradingTeck, you can get started for as little as £250.00.").
I am not going to make an deposit, but instead let's collect some data about what the site is doing, what other sites there are, and checkout the infrastructure.
If we choose a payment method and fill out the form, our details are sent to another third-party called praxispay.com which seems legitimate?
Whilst I don't have concrete evidence of this being a scam - as I am not completing the £250.00 deposit - it is very suspicious that a lot of Facebook ads are being pushed to convince users of their trading platform being able to guarantee profit in the thousands for every user with a lot of different domains hosting the platforms and pretending to be legitimate sites with branding and making use of unfurling engines for ads (ofc this could be some sort of guerrilla marketing but I very much doubt that). There have also been submissions to app.any.run that show the redirects the user goes through are potentially malicious in nature, dropping encrypted hidden payloads to the client.
Some of these domains are using their own configured nameservers, specifically
ns1.dedicated-server-03.com, ns2.dedicated-server-03.com. This is interesting because (and I'm not saying they're the same actors behind this) but I've only ever come across 1 other phishing scam domain (that I can remember and was targetting cryptocurrency users) which was written about in Dissecting some of the latest cryptocurrency exchange phishkits about a domain using
My guess at the end-goal of these campaigns is that they are money laundering.
- Create a fake Bitcoin trading platform
- Create a fake article that promotes a fake automated-always-win Bitcoin trading platform
- Purchase Facebook Ads for the fake article
- Get users to sign up to your fake Bitcoin trading platform
- Funnel users through a fake payment/broker service (that uses a legitimate payment processor)
- Users deposit small amount of fiat money to them via the fake trading platform > fake broker > legitimate payment processor
- Bad actors recieve the cash and send illicit/tainted Bitcoin to users (at a loss for the bad actors)
- Bad actors now have clean fiat and are offloading their tainted Bitcoin
Below is a bunch of domains and URLs relating to this mentioned in this writeup. Whilst not all of them were found from Facebook ads, there was a good amount from Facebook ads. I did find a lot via PassiveDNS and pivoting on infrastructure. This is by far not a complete list of domains (for example, on
220.127.116.11 there is over 400 domains serving similar content)
1k-daily-profitz.com 1kin1daysoftapp.com 30kin30daysapp.com 30kincomeapp.com 50kaweekapp.com bigmoneyrushapp.com bitcoin-aussiesystem.com bitcoin-champion.com bitcoin-millionaires-pro.com bitcoin-optimizer.com bitcoin-revolution-apps.com bitcoin-trend-app.com bitcoin-trendapp.com bitcoinaussiesystemsoft.com bitcoinbankbreakerweb.com bitcoinbankcodeapp.com bitcoinboostapps.com bitcoincircuitsoft.com bitcoincode-app.com bitcoincode.live bitcoincodeappsoft.com bitcoincodedesoftapp.com bitcoincodesoftapp.com bitcoindecoderweb.com bitcoinera.bestoffers.to bitcoinerawebsoft.com bitcoinevolutionsoft.com bitcoinfreedomsoftapp.com bitcoinfuturewebsoft.com bitcoinheroapp.com bitcoinkiwisystemapp.com bitcoinlifestyle.io bitcoinlifestyleapp.com bitcoinloophole2web.com bitcoinloophole.io bitcoinloophole.software bitcoinloopholesoft.com bitcoinmalaysystemsoftware.com bitcoinmillionaireproapp.com bitcoinrevivalapp.com bitcoinrevolution.software bitcoinrevolutionofficial.com bitcoinrevolutionsoft.com bitcoinrush.net bitcoinrushnow.com bitcoinscircuit.com bitcoinsecretsgtapp.com bitcoinseraapp.com bitcoinserawebapp.com bitcoinsuperstarsoft.com bitcoinsystemapp.com bitcoinsystemsoft.com bitcoinsystemwebapp.com bitcointrader.software blazingtrader2018app.com btc-era.com btcprofit.com btcprofitnowsoftwareapp.com btcsystemapp.com btcwealthapp.com btcsystem-web-app.com btradeautomated.com c-nation.fxplatform.pro c-nation.fxprovider.pro cannabisblueprintapp.com cannabisfortuneapp.com cannabisinvestmentapp.com cannabisstocktradesapp.com cannabiswealthapp.com cashcapitalapp.com cmtradingapp.com compoundtradersoftware.com coronamillionaireapp.com crypto-cash.co crypto-hopper.com crypto-trader-app.com cryptoblueprintapp.com cryptocode.software cryptocontractsapp.com cryptodominationapp.com cryptoedgesystemapp.com cryptogoldapp.com cryptogoldsoft.com cryptonation.brokerselection.pro cryptonationprosoft.com cryptoprofitapp.com cryptotraderpro.securedoffer.to debitcoinbillion.info deltatechapp.com detectormillionapp.com earntoday.vip ethcode2app.com financialpeakapp.com fortunetonight.com freebitcoinmachine.blogspot.com freshvantion.com getimmediateedgesapp.com globalmarketsecretapp.com greengoldapp.com house-article.space investmentopportunitiesapp.com investorscenterweb.com kryptonexsoft.com libramethodapps.com mirrortradersoftapp.com mti24.com mubasherpro10gtapp.com myprofitbtc.com neo2app.com opticalsignaltraderapp.com orioncodeapp.com orioncodesoft.com profitbitcoinapp.com profitrevolutionapp.com promo.365profx.com real-btc-era.com securebitgain.com secureriches.com securestwealth.com securlygains.com securlyriches.com specialinvite.co stocksinvestment2020.com telegram10app.com tesler3app.com tesler3soft.com tesler-team.com teslerappsoft.com teslersoftwareapp2.com teslersoftwareapp3.com teslersoftwareappwh.com testfunnelsoftware.com the-bitcoincompass.com the-bitcoinscodes.com the-ethereumcodes.com thebitcoin-wealth.net thebitcoincircuit.com thebitcoincode.com.au thebitcoinevolution.live thebitcoinloophole.co thebitcoinstorm.com thecannabismillionairesoft.com thecannabisrevolutionweb.com thecrypto-genius.net thecryptosoftwaresoft.com thenewsspyapp.com thenewsspyappwh.com theprofitmaximizer.net tntprofitsapp.com tomorrowcrypto.vip trustablecrypto.info sites.google.com/view/uyuop ... --- getbestprofit6.com --- quantom-capitals.com tradingteck.com praxispay.com
As mentioned earlier, all of these website domains have the same rehashed promotional video. Below is a couple of examples...