How Imposters Scam Entrepreneurs Out of Their Crypto

On Jan. 31, a Telegram user calling himself “Danny Nelson” contacted Karla Vilhelem, a public relations professional, with an unseemly proposal.

Pretending to be the CoinDesk reporter of the same name, he said he would publish a post about her client but wanted $600 for his trouble, a small sum for exposure on the crypto site of record.

Vilhelem was wary. After three years in the industry, she was used to scammers impersonating major players in the crypto ecosystem and, more frustratingly, so-called journalists asking for cash. She advised clients never to pay for coverage, and the proposition made her suspicious of this so-called Danny Nelson.

“I knew CoinDesk doesn’t take money,” she said.

Another tell-tale sign was her interlocutor’s atrocious grammar, and mispunctuation of the brand name, which is spelled with a capital D.

“I’ll get the vital informations [sic] needed to write and publish your project article review on your website or whitepaper,” the faux Danny Nelson wrote. “It cost [sic] $600 to write and publish your project article on Coindesk because I’ll have to pay for some logistics.”

Still, Vilhelem was curious. When would she have to pay?

“You have to pay Before [sic] I can proceed with the work because I’ll have to pay for some logistics,” he said.

Whatever the “logistics” involved, Vilhelem refused his offer after checking the real Danny Nelson’s Twitter profile and seeing his real Telegram handle. She contacted the CoinDesk team to report the imposter and sent along images of their Telegram exchange. (You can look for real contacts for CoinDesk reporters on our masthead.)

This impersonator never made off with Vilhelem’s money. Others weren’t so lucky.

At least three startup founders have been scammed in similar situations, CoinDesk has found. We explored two of these scams to better understand how they worked.

Working with blockchain investigations company Coinfirm, we wanted to see where the money was going and if we could learn anything about the perpetrators. The ultimate goal: to prevent it from happening to anyone else.

This scam is as old as journalism. Someone pretending to represent a major media company will approach a small business offering to write about them… for a price.

In the days before the internet, corrupt public relations professionals and fake reporters would offer pay-for-play articles in newspapers. Now, online imposters request products like computers, laptops and cameras from companies, offering to “review” them on major news sites. Thanks to anonymous payments, scammers can ask for cash in exchange for ink.

What makes this particular scam unique are the lengths the perpetrators will go to appear legitimate. Many create fake Telegram accounts – the hacker who tried to scam Vilhelem used @danielnelson – and then approach entrepreneurs in chat rooms on the internet. The exchange usually is straightforward unless the victim asks for more proof.

To maintain the facade, the scammers use a few other tricks, including spoofing email addresses. For example, some mail clients let you hide the source of emails, but in many cases, even the email headers are insufficient in identifying real or fake emails.

In Gmail, users can click on “Show Original” from the top right:

Yes, the header often can look very confusing to someone who’s never seen one. But here’s the most important part: The first thing to look for in the header is an email address that is not part of the email conversation. That’s clearly a sign of misdirection and something to bring up with a sender.

Here’s a rough example (for illustrative purposes only, as headers are subject to change depending on email and anti-spam providers):

Remy Eisenstein, victimized by a fake CoinDesk reporter, was so frustrated by past scams he created a system to prevent email spoofing. Called SafePost, he said it uses a blockchain to confirm emailers are sending from a verified address. So how did he, of all people, get hoodwinked?

Eisenstein noticed his scammer (posing as CoinDesk’s Ian Allison) had a strong-looking LinkedIn profile, another tool scammers use to fool victims.

“I told myself, ‘Okay, let’s imagine you have just 10 contacts on your Linkedin the page. I can imagine this is a fake’,” he said. “But in this case I saw more than 500.”

In another case we saw, the scammers created a real-looking LinkedIn profile for a CoinDesk writer and then immediately deleted it after the victim checked him out, erasing the evidence.

Almost all the scammers are stuck in the digital realm, although one sent a faked passport for CoinDesk Executive Editor Marc Hochstein, complete with a date of birth that made him seem older than he is. The constant know-your-customer (KYC) information requests of many exchanges seem to have trained scammers to forge official-looking documents.

All these tricks are often enough to fool busy entrepreneurs who will happily send payment in exchange for coverage. Then the whole thing unravels.

Once the scammers receive payment, said Pawel Kuskowski, CEO of Coinfirm, they usually transfer it to an exchange where they could, in theory, be tracked but in reality, rarely are. That’s where the trail ends because they never reply to the victim again.

“Working with CoinDesk to highlight these cases shines a light on how industry players need to further work with security platforms so they don’t facilitate these scams,” said Kuskowski. 

To understand more about the scammers and where they were sending their ill-gotten gains, we worked with Coinfirm to trace payments made by two victims who contacted us only after falling for our impersonators.