“I’m fighting with Google now,” Townsend told Ars. “I don’t expect any real answers from them.”
How YouTubers can avoid being targeted
As YouTube appears evasive, Townsend has been grateful for long-time subscribers commenting to show support, which may help get his videos amplified more by the algorithm. On YouTube, he also said that because “the outpouring of support was beyond anything” he could’ve expected, it kept him “sane” through sometimes 24-hour periods of silence without any updates on when his account would be restored.
Townsend told Ars that he rarely does sponsorships, but like many in the fighting game community, his inbox gets spammed with offers constantly, much of which he assumes are scams.
“If you are a YouTuber of any size,” Townsend explained in his YouTube video, “you are inundated with this stuff constantly,” so “my BS detector is like, okay, fake, fake, fake, fake, fake, fake, fake. But this one just, it looked real enough, like they had their own social media presence, lots of followers. Everything looked real.”
Brian_F echoed that in his video, which breaks down how the latest scam evolved from more obvious scams, tricking even skeptical YouTubers who have years of experience dodging phishing scams in their inboxes.
“The game has changed,” Brian_F said.
Townsend told Ars that sponsorships are rare in the fighting game community. YouTubers are used to carefully scanning supposed offers to weed out the real ones from the fakes. But Brian_F’s video pointed out that scammers copy/paste legitimate offer letters, so it’s already hard to distinguish between potential sources of income and cleverly masked phishing attacks using sponsorships as lures.
Part of the vetting process includes verifying links without clicking through and verifying identities of people submitting supposed offers. But if YouTubers are provided with legitimate links early on, receiving offers from brands they really like, and see that contacts match detailed LinkedIn profiles of authentic employees who market the brand, it’s much harder to detect a fake sponsorship offer without as many obvious red flags.
A jury has unanimously convicted Avi Eisenberg in the US Department of Justice’s first case involving cryptocurrency open-market manipulation, the DOJ announced Thursday.
The jury found Eisenberg guilty of commodities fraud, commodities market manipulation, and wire fraud in connection with the manipulation on a decentralized cryptocurrency exchange called Mango Markets.
Eisenberg is scheduled to be sentenced on July 29 and is facing “a maximum penalty of 10 years in prison on the commodities fraud count and the commodities manipulation count, and a maximum penalty of 20 years in prison on the wire fraud count,” the DOJ said.
On the Mango Markets exchange, Eisenberg was “engaged in a scheme to fraudulently obtain approximately $110 million worth of cryptocurrency from Mango Markets and its customers by artificially manipulating the price of certain perpetual futures contracts,” the DOJ said. The scheme impacted both investors trading and the exchange itself, which had to suspend operations after Eisenberg’s attack made the exchange insolvent.
Nicole M. Argentieri, the principal deputy assistant attorney general who heads the DOJ’s criminal division, said that Eisenberg’s manipulative trading scheme “puts our financial markets and investors at risk.”
“This prosecution—the first involving the manipulation of cryptocurrency through open-market trades—demonstrates the Criminal Division’s commitment to protecting US financial markets and holding wrongdoers accountable, no matter what mechanism they use to commit manipulation and fraud,” Argentieri said.
Mango Labs has similarly sued Eisenberg over the price manipulation scheme, but that lawsuit was stayed until the DOJ’s case was resolved. Mango Labs is expecting a status update today from the US government and is hoping to proceed with its lawsuit.
Ars could not immediately reach Mango Labs for comment.
Eisenberg’s lawyer, Brian Klein, provided the same statement to Ars, confirming that Eisenberg’s legal team is “obviously disappointed” but “will keep fighting for our client.”
How the Mango Markets scheme worked
Mango Labs has accused Eisenberg of being a “notorious cryptocurrency market manipulator,” noting in its complaint that he has a “history of attacking multiple cryptocurrency platforms and manipulating cryptocurrency markets.” That history includes allegedly embezzling $14 million in 2021 while Eisenberg was working as a developer for another decentralized marketplace called Fortress, Mango Labs’ complaint said.
Eisenberg’s attack on Mango Markets intended to grab tens of millions more than the alleged Fortress attack. When Eisenberg was first charged, the DOJ explained how his Mango Markets price manipulation scheme worked.
On Mango Markets, investors can “purchase and borrow cryptocurrencies and cryptocurrency-related financial products,” including buying and selling “perpetual futures contracts.”
“When an investor buys or sells a perpetual for a particular cryptocurrency, the investor is not buying or selling that cryptocurrency but is, instead, buying or selling exposure to future movements in the value of that cryptocurrency relative to another cryptocurrency,” the DOJ explained.
The US may have uncovered the nation’s largest “SIM swap” scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company.
A recent indictment alleged that Robert Powell—using online monikers “R,” “R$,” and “ElSwapo1″—was the “head of a SIM swapping group” called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka “Carti” and “Punslayer”) and Colorado woman Emily Hernandez (allegedly aka “Em”) to gain access to victims’ devices and “carry out fraudulent SIM swap attacks” between March 2021 and April 2023.
SIM-swap attacks occur when someone fraudulently induces a wireless carrier to “reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor,” the indictment said. Once the swap occurs, the bad actor can defeat multi-factor authentication protections and access online accounts to steal data or money.
Powell’s accused crew allegedly used identification card printers to forge documents, then posed as victims visiting Apple, AT&T, Verizon, and T-Mobile retail stores in Minnesota, Illinois, Indiana, Utah, Nebraska, Colorado, Florida, Maryland, Massachusetts, Texas, New Mexico, Tennessee, Virginia, and the District of Columbia.
According to the indictment, many of the alleged victims did not suffer financial losses, but those that did were allegedly hit hard. The hardest hit appears to be an employee of a company whose AT&T device was allegedly commandeered at a Texas retail store, resulting in over $400 million being allegedly transferred from the employee’s company to co-conspirators’ financial accounts. Other individual victims allegedly lost cryptocurrency valued between $15,000 and more than $1 million.
Co-conspirators are accused of masking stolen funds, sometimes by allegedly hiding transfers in unhosted or self-hosted virtual currency wallets. If convicted, all stolen funds must be forfeited, the indictment said.
Powell has been charged with conspiracy to commit wire fraud and conspiracy to commit aggravated identity theft and access device fraud, Special Agent Brent Bledsoe said in the indictment. This Friday, Powell faces a detention hearing, where he has been ordered by the US Marshals Service to appear in person.
Powell’s attorney, Gal Pissetzky, told Ars that Powell has no comment on the indictment at this time.
SIM swaps escalating in US?
When Powell’s alleged scheme began in 2021, the FBI issued a warning, noting that criminals were increasingly using SIM-swap attacks, fueling total losses that year of $68 million.
Since then, US law enforcement has made several arrests, but none of the uncovered schemes come close to the alleged losses from the thefts Powell’s crew are being accused of.
In 2022, a Florida man, Nicholas Truglia, was sentenced to 18 months for stealing more than $20 million from a single victim. On top of forfeiting the stolen funds, Truglia was also ordered to forfeit more than $900,000 as a criminal penalty. According to security blogger Brian Krebs, Truglia was connected to a group that allegedly stole $100 million using SIM-swap attacks.
Last year, there were a few notable arrests. In October, the Department of Justice sentenced a hacker, Jordan Dave Persad, to 30 months for stealing nearly $1 million from “dozens of victims.” And in December, four Florida men received sentences between eight and 27 months for stealing more than $509,475 in SIM-swap attacks.
Ars could not find any FBI warnings since 2021 raising awareness that losses from SIM-swap attacks may be further increasing to amounts as eye-popping as the alleged losses in Powell’s case.
A DOJ official was unable to confirm if this is the biggest SIM-swapping scheme alleged in the US, directing Ars to another office. Ars will update this report with any new information the DOJ provides.
US officials seem aware that some bad actors attempting SIM-swap attacks appear to be getting bolder. Earlier this year, the Securities and Exchange Commission was targeted in an attack that commandeered the agency’s account on X, formerly known as Twitter. That attack led to a misleading X post falsely announcing the approval of bitcoin exchange-traded funds, causing a brief spike in bitcoin’s price.
To protect consumers from SIM-swap attacks, the Federal Communications Commission announced new rules last year to “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.” But an Ars review found these new rules may be too vague to be effective.
In 2021, when European authorities busted a SIM-swapping ring allegedly targeting high-profile individuals worldwide, Europol advised consumers to avoid becoming targets. Tips included using multifactor authentication, resisting associating sensitive accounts with mobile phone numbers, keeping devices updated, avoiding replying to suspicious emails or callers requesting sensitive information, and limiting personal data shared online. Consumers can also request the highest security settings possible from mobile carriers and are encouraged to always use stronger, longer security PINs or passwords to protect devices.
Enlarge/ A screenshot from Jack Gamble’s video outing Stephen Harrison as HyperVerse’s fake CEO, posted on Gamble’s “Nobody Special Finance” YouTube channel.
An Englishman currently living in Thailand, Stephen Harrison confirmed to The Guardian that HyperVerse hired him to pose as CEO Steven Reece Lewis. Harrison told The Guardian that he was “deeply sorry” to HyperVerse investors—who lost a reported $1.3 billion after buying into a cryptocurrency-mining operation that promised “double or triple returns,” but did not exist, Court Watch reported.
Harrison claimed that he had “certainly not pocketed” any portion of those funds. Instead, he told The Guardian that he was paid about $7,500 over nine months. To play the part of CEO, he was also given a “wool and cashmere suit, two business shirts, two ties, and a pair of shoes,” The Guardian reported.
Harrison said that he had no part in HyperVerse’s alleged scheme to woo investors with false promises of high returns.
“I am sorry for these people,” Harrison said. “Because they believed some idea with me at the forefront and believed in what I said, and God knows what these people have lost. And I do feel bad about this.”
He also said that he was “shocked” to find out that HyperVerse had falsified his credentials, telling investors that Harrison was a fintech whiz—supposedly earning prestigious degrees before working at Goldman Sachs, then selling a web development company to Adobe before launching his own IT startup.
Harrison claimed that he only found out about this resume fraud when The Guardian investigated and found that nothing on his resume checked out.
“When I read that in the papers, I was like, blooming heck, they make me sound so highly educated,” Harrison told The Guardian.
He confirmed that he had received general certificates of secondary education but that his expertise was “certainly not on that level” that HyperVerse claimed that it was.
“They painted a good picture of me, but they never told me any of this,” Harrison told The Guardian.
Getting hired as fake CEO
According to The Guardian, Harrison was working as an unpaid freelance sports commentator when a “friend of a friend” told him about the HyperVerse gig.
The contract that Harrison signed was with an Indonesian-based talent agency called Mass Focus Ltd. It stated that he would be hired as “presenter talent,” The Guardian reported. However, The Guardian could find “no record of a company of this name on the Indonesian company register.”
Harrison’s agent allegedly told him that it was common for companies to hire corporate “presenters” to “represent the business” and reassured him that HyperVerse was “legitimate.”
Even after those assurances, Harrison said that he was still worried that HyperVerse might be a “scam,” researching the company online but ultimately deciding that “everything seemed OK.”
“So, I rolled with it,” Harrison told The Guardian.
Harrison said that promotional videos that he recorded as HyperVerse CEO were filmed in “makeshift studios” in Bangkok. He said that he was asked to start using the fake name Steven Reece Lewis while filming the second video. When he questioned why a fake name was necessary, HyperVerse allegedly told him that he was “acting the role.”
His agent allegedly told him that this was “perfectly normal” and after that, he “never went online and checked about Steven Reece Lewis,” he told The Guardian.
“I looked on YouTube occasionally, way back when they put the presentations up, but apart from that I was detached from this role,” Harrison said.
Over nine months, Harrison mostly worked one to two hours monthly, making videos posing as HyperVerse’s CEO.
There was also a Twitter account launched under the fake name Steven Reece Lewis. The Guardian noted that the date of Harrison’s final paycheck from HyperVerse “coincided with the last date the Twitter account was active,” but Harrison told The Guardian that he “had no oversight” of that account. When he was ending his stint as fake CEO, Harrison told The Guardian that he “requested that the Twitter account be shut down.”
Harrison also told The Guardian that he had “no contact at any point” with HyperVerse heads Sam Lee and Ryan Xu, exclusively dealing with a local contact in Thailand.
There’s currently a surge in cryptocurrency and phishing scams proliferating on X (formerly Twitter)—hiding under the guise of gold and gray checkmarks intended to mark “Verified Organizations,” reports have warned this week.
These scams seem to mostly commandeer dormant X accounts purchased online through dark web marketplaces, according to a whitepaper released by the digital threat monitoring platform CloudSEK. But the scams have also targeted high-profile X users who claim that they had enhanced security measures in place to protect against these hacks.
This suggests that X scammers are growing more sophisticated at a time when X has launched an effort to sell even more gold checks at lower prices through a basic tier announced this week.
Most recently, the cyber threat intelligence company Mandiant—which is a subsidiary of Google—confirmed its X account was hijacked despite enabling two-factor authentication. According to Bleeping Computer, the hackers used Mandiant’s account to “distribute a fake airdrop that emptied cryptocurrency wallets.”
A Google spokesperson declined to comment on how many users may have been scammed, but Mandiant is investigating and promised to share results when its probe concludes.
In September, a similar fate befell Ethereum co-founder Vitalik Buterin, who had his account hijacked by hackers. The bad actors posted a fake offer for free non-fungible tokens (NFTs) with a link to a fake website designed to empty cryptocurrency wallets. The post was only up for about 20 minutes but drained $691,000 in digital assets from Buterin’s unsuspecting followers, according to CloudSEK’s research.
Another group monitoring cryptocurrency and phishing scams linked to X accounts is MalwareHunterTeam (MHT), Bleeping Computer reported. This week, MHT has flagged additional scams targeting politicians’ accounts, including a Canadian senator, Amina Gerba, and a Brazilian politician, Ubiratan Sanderson.
On X, gold ticks are supposed to reassure users that an account can be trusted by designating that an account is affiliated with an official organization or company. Gray ticks signify an account is linked to government organizations. CloudSEK estimated that hijacked gold and gray checks could be sold online for between $1,200 to $2,000, depending on how old the account is or how many followers it has. Bad actors can also buy accounts affiliated with gold accounts for $500 each.
A CloudSEK spokesperson told Ars that its team is “in the process of reporting the matter” to X.
X did not immediately respond to Ars’ request to comment.
CloudSEK predicted that scams involving gold checks would continue to be a problem so long as selling gold and gray checks remains profitable.
“It is evident that threat actors would not budge from such profit-making businesses anytime soon,” CloudSEK’s whitepaper said.
For organizations seeking to avoid being targeted by hackers on X, CloudSEK recommends strengthening brand monitoring on the platform, enhancing security settings, and closing out any dormant accounts. It’s also wise for organizations to cease storing passwords in a browser, and instead use a password manager that’s less vulnerable to malware attacks, CloudSEK said. Organizations on X may also want to monitor activity on any apps that become connected to X, Bleeping Computer advised.
