The biggest crypto scam in Instagram history

Jason Sallman is a cryptocurrency investment advisor who enjoys considerable popularity on social media, primarily Instagram, where he has nearly 40,000 followers. Unfortunately, profiles like Sallman’s never go unnoticed by threat actors, who have found a new method of fraud using fake profiles of businessmen, celebrities and other public figures.

According to a CNBC report, by searching for the term “Jason Sallman” on Instagram, it is possible to find at least a dozen accounts using similar names and taking images directly from the legitimate profile of the self-named “crypto evangelist.”

Sallman calculates that at least 500 Instagram accounts impersonate him. He has reported dozens of them but considers this an insufficient measure: “There is a small function in the app where you can report an account; sometimes they review the reports and it can take anywhere from just a couple of hours to even weeks, plus there are times when they don’t respond,” he adds.

Although some fake accounts appear to have taken Sallman’s photos only to gain followers quickly, with no other apparent malicious purpose, many of these accounts are operated by threat actors who try to trick users of the app by offering fake investment opportunities via Direct Message (DM). This has also affected Sallman, who on multiple occasions has been contacted by victims of these frauds demanding that their money be returned: “Some threaten to beat me or even kill me; there are those who claim to know where I live and other details.”

A widespread problem

Scammers aren’t just looking for profiles like Sallman’s, which are clearly aimed at cryptocurrency enthusiasts. Brandy Morgan is an Instagram influencer with over 50,000 followers who seeks to familiarize more women with tech-related topics; for a couple of years now, Morgan has detected dozens of fake accounts taking pictures from her profile.

In 2021 alone, Morgan detected 50 accounts operated by fraudsters, a difficult process considering that cybercriminals often use variations of her name in an attempt to go unnoticed: “My followers have shared many profiles that they themselves find; this is how I have learned about many cases,” adds Morgan. This kind of fraud has affected her to the point that she had to dedicate a section of her featured stories to tracking all the fake accounts detected so far.

Specialists mention that in cases like these, scammers simply look for the accounts with the highest number of followers, preferably ones associated with technology topics, although this does not seem to be a limitation. Hacking groups create dozens of fake accounts using hacking tools and fill these profiles with posts taken from legitimate accounts, which is possible by simply taking screenshots or with a quick Google search.

In addition to identity and monetary fraud, other risks associated with this attack include gift card fraud, theft of sensitive information, and the loss of legitimate accounts through the platform’s own decisions.

No solutions in sight

Both Sallman and Morgan know that it’s ridiculously easy for a cybercriminal to create a fake Instagram profile, so they believe the platform should make reporting malicious activity more efficient. However, the process of reporting a fake Instagram account is long, tedious and often fruitless.

To report an account, the first step is to click on the three dots next to the name of the account to be reported and choose the “Report Account” option, indicating that it is usurping the identity of another user. This seems easy but doesn’t really work; for example, the last report Morgan sent to the platform could not be finalized, as Instagram considered that the reported account did not violate the Community Guidelines.

As if that were not enough, denied reports are final: there is no further channel through which affected users can appeal to obtain the desired result: “I wish these problems were taken care of by real people on Instagram … these frauds generate millions in losses and the platform should act according to the seriousness of the problem.”

It is difficult to put an exact number on the losses derived from this kind of scam, although the U.S. Federal Trade Commission (FTC) estimates that cryptocurrency scams on social networks generated losses of up to $80 million USD between October 2020 and March 2021, becoming the largest digital asset scam on social networks.
