A Russian hacker responsible for a highly aggressive crypto-spam campaign recently spoke about their strategy in an interview, after causing considerable disruption across several Mastodon communities. The hacker said they had used their spam software privately before deciding to release it as open-source code. Renaud Chaput, a programmer working to modernize and scale Mastodon’s project infrastructure, including joinmastodon.org, mastodon.online, and mastodon.social, recalled that on May 4, 2023, a torrent of spam hit Mastodon users via “private mentions,” a type of direct message on the platform. The messages told recipients they had earned an investment credit at a cryptocurrency trading platform called moonxtrade.com. Since then, the same spammers have used this method to advertise more than 100 crypto-investment-themed domains.
Chaput said that at one point this month, the volume of bot accounts registering for the crypto-spam campaign began to overwhelm the servers that handle new signups at mastodon.social. “We suddenly went from like three registrations per minute to 900 a minute,” he said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.” Seeking to get a grip on the spam wave, Chaput briefly disabled new account registrations on mastodon.social and mastodon.online. Shortly afterward, the same servers came under a sustained distributed denial-of-service (DDoS) attack.
The spam waves have died down now that Chaput has fitted mastodon.social with a CAPTCHA, which is meant to stop automated account-creation tools. He is worried, however, that other Mastodon instances may not be as well staffed and could succumb to the same fate. “We don’t know if this is the work of one person or if this is [related to] software or services being sold to others,” Chaput told KrebsOnSecurity. “We’re really impressed by the scale of it — using hundreds of domains and thousands of Microsoft email addresses.”
Subsequent research indicates that most of the newly registered Mastodon spam accounts used the same OAuth credentials, and a domain common to those credentials was quot[.]pw. According to DomainTools.com, that domain was registered in March 2020 to Edgard011012@gmail.com. The same email address is connected to accounts on several Russian cybercrime forums, including “__edman__,” who had previously sold “logs,” the stolen data harvested from large numbers of bot-infected computers.
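The two detection handles this story turns on are a registration rate that jumps by orders of magnitude and a burst of accounts that all share one OAuth application (and, here, one mail provider). The following is an added example, not Mastodon code and not anything the spammer released: it runs a rate-spike check and a shared-attribute fingerprint over a constructed signup log. The log format, the client id `client-a1b2c3`, the addresses and the IP ranges are all made up for the example; a real instance would feed it the equivalent fields from its own registration or OAuth logs.

```python
"""Spot a signup flood and fingerprint what the flooding accounts share.
Added example; log format, ids and addresses are constructed, not real."""
from collections import Counter
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: 3 organic signups/min for 5 minutes, then one minute
    in which a bot fleet registers 40 accounts through a single OAuth app."""
    base = datetime(2023, 5, 4, 12, 0, 0)
    lines = []
    for minute in range(5):                       # organic baseline
        for i in range(3):
            ts = base + timedelta(minutes=minute, seconds=i * 17)
            lines.append(f"{ts.isoformat()} signup user{minute}{i}@example.org "
                         f"app=web-ui ip=203.0.113.{minute * 3 + i + 1}")
    burst = base + timedelta(minutes=5)           # the flood minute
    for i in range(40):
        ts = burst + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} signup bot{i:03d}@hotmail.example "
                     f"app=client-a1b2c3 ip=198.51.100.{i + 1}")
    return "\n".join(lines)


def parse_signup_log(text):
    """Parse '<iso ts> signup <email> app=<id> ip=<addr>' lines; skip others."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "signup":
            continue
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append({"ts": datetime.fromisoformat(parts[0]),
                       "email": parts[2], "app": fields.get("app"),
                       "ip": fields.get("ip")})
    return events


def minute_of(event):
    return event["ts"].replace(second=0, microsecond=0).isoformat(timespec="minutes")


def find_rate_spikes(events, baseline_per_minute=3.0, factor=10):
    """Minutes whose signup count is at least factor x the normal rate.
    mastodon.social went from ~3/min to ~900/min, so a fixed multiple of the
    baseline is enough to flag that kind of flood."""
    per_minute = Counter(minute_of(e) for e in events)
    return sorted((m, c) for m, c in per_minute.items()
                  if c >= baseline_per_minute * factor)


# Attributes worth clustering on; the shared OAuth client is what tied the
# spam accounts to quot[.]pw in the write-up above.
def oauth_app(e): return e["app"]
def email_domain(e): return e["email"].rsplit("@", 1)[-1].lower()
def ip_slash24(e): return ".".join(e["ip"].split(".")[:3]) + ".0/24"


def fingerprint_burst(events, spikes, threshold=0.8):
    """For signups inside the spiking minutes, report each attribute whose
    single most common value covers at least `threshold` of the burst."""
    wanted = {m for m, _ in spikes}
    burst = [e for e in events if minute_of(e) in wanted]
    if not burst:                                 # no spike: nothing to say
        return {}
    result = {}
    for name, key in (("app", oauth_app), ("email_domain", email_domain),
                      ("ip_24", ip_slash24)):
        value, count = Counter(key(e) for e in burst).most_common(1)[0]
        share = count / len(burst)
        if share >= threshold:
            result[name] = (value, round(share, 2))
    return result


if __name__ == "__main__":
    evs = parse_signup_log(build_sample_log())
    spikes = find_rate_spikes(evs)
    print("spiking minutes:", spikes)
    print("shared by the burst:", fingerprint_burst(evs, spikes))
```

The two-stage shape matters: the rate check alone only tells you a flood is happening, while the fingerprint turns it into something a moderator can act on (block the OAuth application, throttle the mail domain, or require the CAPTCHA only for the offending /24) without disabling registrations for everyone, which is the blunt step Chaput had to take.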
Zipper, who registered as ципа or edged011012@gmail.com, advertised a service called “Quot Project,” offering to write scripts in Python and C++ for hire. According to Quotpw, the spam botnet was powered by hundreds of residential proxies, and they claim to have earned more than $2,000 sending roughly 100,000 private mentions to Mastodon users over the past few weeks. They brushed aside concerns and justified the spam, saying that in their hometown “They pay more for such work than in ‘white’ jobs” and that “Any spam is made for profit and brings illegal money to spammers.”
It may sound unlikely that spammers would spend weeks and substantial resources spamming Mastodon users, but whoever runs the crypto-scam platforms advertised in Quotpw’s messages likely pays well for that traffic, which fits the rise in crypto-investment scams reported by the FBI. According to the FBI, financial losses from cryptocurrency investment scams rose from $907 million in 2021 to $2.57 billion in 2022, making investment fraud the costliest category of cybercrime reported to the bureau that year.