![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure1.jpg\")
<\/p>\nFigure 1. Arabella\u2019s Telegram profile<\/p>\n<\/div>\n
![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure2.jpg\")
<\/p>\nFigure 2. Initial messages from Arabella<\/p>\n<\/div>\n<\/div>\n
This business and the domain name are legitimate. But I was sure Arabella was part of an increasingly large scam industry and this was all a ruse. As a threat researcher, I know all about the concepts of these scams, but Arabella was giving me the chance to get the real experience of a victim.<\/p>\n
I jumped at the opportunity and told her I\u2019d love to work for Corner Office Consultants. Over the days that followed, I interacted with several different accounts, some seemingly human, some seemingly AI. I performed meaningless tasks and was asked to pay various amounts of cryptocurrency into the scammer\u2019s wallet. I tried and failed to scam the scammers and then tried again. And of course, I recorded everything along the way. This blog is a blow-by-blow account of my adventure, twists and turns included.<\/p>\n
Soon after accepting the job offer, a different \u201cemployee\u201d named Maria (Figure 3) contacted me. She told me that she got my contact info from Arabella and provided this job description: \u201cMarble Media provides a work platform where users can click on and submit apps, helping them achieve better rankings and ratings in the app store, and through this process, we can earn commissions and salary.\u201d Marble Media is also a real company, but the domain Maria gave me, marblemediaseo[.]cc, is a lookalike unrelated to the marketing firm.<\/p>\n
![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure3.jpg\")
<\/p>\n
Figure 3. Maria\u2019s Telegram profile<\/p>\n
Maria gave me credentials for a training account on the lookalike domain and then had me register an account of my own. To prevent unwanted users from signing up, she provided me with an invite code that I had to enter during the account creation process. The account keeps track of my balance and profit. The balance is used to place the orders, and the profit is how much I have earned from my work.<\/p>\n
I started my training and quickly became proficient at my new job, which involved mindlessly clicking the same two buttons over and over and over again: \u201cStarting\u201d and \u201cSubmit\u201d (see Figures 4 and 5). I was asked to fill 40 so-called \u201corders\u201d for my \u201ctraining\u201d assignment, but their website was a bit slow so I had to wait a couple of seconds between each click for it to work. This quickly became very monotonous; but hey, easy money!<\/p>\n
![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure4.jpg\")
<\/p>\n
Figure 4. Screenshot of the scam task website highlighting the \u201cStarting\u201d button<\/p>\n
![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure5.jpg\")
<\/p>\n
Figure 5. Screenshot of completing one of the orders, highlighting the \u201cSubmit\u201d button<\/p>\n
During my time working for the scammers, there was a lot of text communication. I suspect that they were using a mix of AI\/large language models (LLMs) along with human interaction for the chat messages. Some of the responses from them were nearly instant, as well as being somewhat lengthy, while others took a while longer even if the message was shorter. It seemed to me that some responses may be automated, but it was not clear whether there was some sort of process to hand off the interaction to a human in some cases.<\/p>\n
There were other red flags. One of the orders I received was for the app \u201cApollo for Reddit,\u201d which shut down in June 2023,1<\/sup> well over a year before this interaction took place. It seems the template or data they used for this domain was quite out of date.<\/p>\n It wasn\u2019t clear at first, but I actually needed to pay money in order to work and earn money! While attempting to complete the rest of my 40 orders, I hit a roadblock: an error message stated, \u201cInsufficient account available balance\u201d and indicated that the balance was (\u2013)$616 on the training account (Figure 6). At this point, I could not fill any more orders due to the negative balance, so I messaged Maria to ask what to do next.<\/p>\n Figure 6. Screenshot of website showing \u201cInsufficient account available balance\u201d <\/p>\n Maria explained that I needed to deposit money into the account to continue, but the reasoning was a mystery. She said I was \u201cvery lucky\u201d and got a \u201chigh-profit order,\u201d which pays ten times the normal commission (see Figure 7 below). In order to keep me working, she would pay the balance this time. How generous! It still wasn\u2019t clear why I had to deposit funds, but I soldiered on.<\/p>\n Figure 7. Asking Maria about the insufficient account balance<\/p>\n<\/div>\n Figure 8. Maria\u2019s explanation of \u201clucky orders\u201d<\/p>\n<\/div>\n<\/div>\n Maria walked me through the deposit process and introduced me to a new contact\u2014Marble Media\u2019s Customer Support Agent\u2014who handles the financial transactions. I reverse image searched the profile picture and found that they were using a stock photo for this account (Figure 9).<\/p>\n Figure 9. Customer Support Agent\u2019s Telegram profile<\/p>\n Maria told me to reach out to this Customer Support Agent, who gave me the address of the Ethereum wallet where Maria would make the deposit to clear my path (Figure 10). Being a threat researcher, I was curious, so I looked up the wallet and saw that it held over 18 Ethereum, worth over $70,000 at the time (Figure 11).<\/p>\n Figure 10. Customer Support Agent sending the wallet address<\/p>\n<\/div>\n Figure 11. Screenshot of the wallet\u2019s balance<\/p>\n<\/div>\n<\/div>\n This gave me an idea and I decided to test it out. Instead of giving Maria the address that the Customer Support Agent supplied, I edited a screenshot of the chat and put in my own wallet address, then sent it to Maria. I was hoping that she would deposit the money to me. Unfortunately, Maria did not fall for this and deposited the money into the wallet that the Customer Support Agent had supplied. How did she know?! Perhaps it\u2019s some kind of standard wallet for the training phase. When Maria sent me a screenshot of the transaction with her deposit and instructed me to send it to the Customer Support Agent, I did.<\/p>\n At this point, I figured they wouldn\u2019t be interested in working with me anymore since I blatantly tried to scam them, so I stopped messaging them for the day. They didn\u2019t call me out for my trick though, either.<\/p>\n After some sleep, I devised a way to continue pushing this interaction forward. I told Maria that I think I contacted the wrong customer support agent and was actually talking to a scammer! She replied \u201cok\u201d and I completed my 40 tasks, concluding my training.<\/p>\n Next, Maria gave me the green light to start working in my own account and \u201cdeposited\u201d some money into my account on their website. She also dangled a carrot in front of me: during training, the account earned $243 in profit; presumably, I could be making that soon (Figure 12).<\/p>\n Figure 12. Maria telling me how much profit the training account made<\/p>\n Motivated, I got down to business working in my own account. I completed my 40 tasks and told Maria I had finished. I was looking forward to figuring out the payment process for my account when she threw me a curveball and told me that there are actually two sets of tasks to complete, and I could not start working on the second set until I \u201creset\u201d my tasks. This was a new twist, so I asked her how I should do that? I was not entirely surprised when the answer was to send them cryptocurrency. Specifically, she needed $26 worth of Ethereum before I could continue (Figure 13).<\/p>\n Figure 13. Maria tells me I need to send her $26 of Ethereum to continue working<\/p>\n Once again, I contacted the Customer Support Agent to get the address of the wallet to make my payment, theoretically (Figure 14). I wanted to see how everything worked, but I also was not going to send them any money. Luckily, one of my colleagues had a genius idea: fake a screenshot showing my \u201ctransaction.\u201d<\/p>\n Figure 14. Customer Support Agent sending me a new wallet address<\/p>\n I searched online for a crypto transaction screenshot and edited it to make it look like I sent approximately the correct amount to their wallet (Figure 15). In hindsight, there were several discrepancies that could have easily been noticed, but to my delight, they did not seem to validate my claim to have made this transaction.<\/p>\n Figure 15. Edited screenshot of a cryptocurrency transaction<\/p>\n I wasn\u2019t in the clear yet, though. Customer Support did have a problem: they could not find my deposit and asked for the transaction ID so that they could confirm it. I had not included a transaction ID in my screenshot, so I searched through the history of their wallet and caught a lucky break. There happened to be a transaction earlier that day for an amount similar to what I claimed to have paid. I hoped they wouldn\u2019t notice the minor difference if I sent that transaction ID to them (Figure 16).<\/p>\n Figure 16. Sending the Customer Support Agent the transaction ID<\/p>\n For the next 12 minutes I waited in anticipation for a reply. Would they believe it? Was I too sloppy?<\/p>\n Finally, the Customer Support Agent replied, \u201cYour tasks have been reset.\u201d I logged back into my account and saw the balance had increased. They fell for it! Newly inspired, I completed my second set of tasks for the day so that I could withdraw my hard-earned money.<\/p>\n Despite spending time digging around the website trying to figure out how to do so, I couldn\u2019t get past one seemingly simple roadblock. The withdrawal section allows the user to set an amount to withdraw but it did not allow a wallet address to be entered. It was impossible to type in that box. See Figure 17.<\/p>\n Figure 17. Scam website\u2019s withdrawal page<\/p>\n I was stuck and reached out to Maria for help in figuring out the withdrawal process. Figures 18 and 19 show the conversation; spoiler alert: it didn\u2019t go well.<\/p>\n Figure 18. Maria explaining the hypothetical salary for the job<\/p>\n<\/div>\n Figure 19. Maria dodging my questions about how to withdraw my earnings<\/p>\n<\/div>\n<\/div>\n Maria and I went back and forth for about 20 minutes, but she avoided answering my question and ultimately tried to redirect me with the messages \u201cNow I invite you to join my working group … You can communicate and learn together. I will teach you how to withdraw funds later.\u201d I was not interested in joining this work group though, I was focused on getting my crypto currency. Frustrated, I turned to the Customer Support Agent for answers, but they didn\u2019t reply to me.<\/p>\n In the hopes that taking a different angle with Maria would lead to progress, I went back to her and asked specifically how to set the wallet address in the withdrawal screen. Success! Turns out I had to go into my account settings and set the withdrawal address from there. It would then be filled in the withdrawal page automatically. I set my address, submitted the request to cash out the $129 that I had earned and messaged Customer Support. To my surprise, the request was approved. I eagerly stared at my wallet app for several minutes and eventually I received a notification:<\/p>\n Figure 20. I finally received the 0.0339 ETH<\/p>\n They sent me 0.0339 ETH; thanks for the free crypto!<\/p>\n Naturally, the next day I wanted to do this again (minus the hiccups, of course). I had discovered these scammers had a flaw in their validation system and I wanted to continue exploiting it. Feeling highly motivated, I completed my tasks planning to pull off the same stunt.<\/p>\n Unfortunately, they threw a huge wrench into my plan: they sent me a different wallet address. One that hadn\u2019t been used before. One with zero transactions associated with it.<\/p>\n I assumed there was no way my scheme would work this time. Their validation wasn\u2019t great, but it wouldn\u2019t take a genius to see that the balance of their wallet was $0.00. The transaction history is what made this plan work. A bit disappointed, I decided to just ignore them and try again later.<\/p>\n The next day, I woke up to a message from Maria saying that she wanted to have breakfast with me (Figure 21). This was different from our previous conversations, which were strictly business related. It felt like she was trying to go down the route of a more typical, romance-themed pig butchering scam.<\/p>\n Figure 21. Maria sending me winking emojis and saying she wants to have breakfast together<\/p>\n She told me she really enjoys cooking and asked me what I like to do in my free time. I was not distracted by this, however\u2014 there was money to be made. Back to work.<\/p>\n Once I completed my first set of tasks, I needed to reset them before starting on the second set, which included depositing more money. Again, they sent me a different address, but fortunately, this time it actually had a transaction history. Time to get a little artistic. I significantly improved my Photoshop job this time around, made it look just like a recent transaction to the wallet and even included the transaction ID in the screenshot (Figure 22).<\/p>\n Figure 22. Customer Support Agent confirming my transaction and resetting my tasks<\/p>\n It worked on the first try! My tasks got reset and I could continue working for the day. This was important because I could only withdraw after completing both sets of tasks for a day.<\/p>\n I was nearly done with the second set when disaster struck: I hit another high-profit order. My account was in the hole again and I needed to make another deposit before I could finish my tasks for the day and be able to withdraw. I was down close to $342, which presented a couple of problems. First, it\u2019s significantly more money so I assume they may look at the transactions more closely. Second, there are not many transactions going to their wallets that are this large. The previous transactions were about $26 and $90.<\/p>\n I decided to wait and see if a larger transaction happened to hit one of these wallets. If so, I could swoop in with my usual trick and claim it to be mine. Until that happened, I was dead in the water.<\/p>\n In the meantime, I tried to stall with Maria and asked her about the VIP tiers for this job (Figure 23). For only $1,000, I can become a tier 2 VIP. Supposedly, it would increase how much I earned, but it would also increase the number of tasks per set from 40 to 50, so it actually seems like a costly downgrade to me.<\/p>\n Figure 23. Maria explaining the VIP tiers<\/p>\n About an hour later I caught a big break: there was a large transaction to one of their wallets. It was even bigger than I had been hoping for\u2014about $1,600. This would let me \u201cgo big.\u201d For $1,600, I could both cover my negative balance and get the upgrade. I messaged Maria and told her I wanted to step up to the next VIP tier.<\/p>\n I photoshopped another transaction and sent it to Customer Support. She gave me some pushback, asking about the transaction ID (twice) even though I had already included it in the screenshot just like last time (Figure 24). It felt like something was going wrong, making me both frustrated and concerned that this may be the end of my experiment.<\/p>\n Figure 24. Customer Support has some problems with my transaction<\/p>\n My trick had worked the first time. It worked the second time. But it didn\u2019t work the third time. They said the money had been reviewed and deposited into another user\u2019s account half an hour ago (Figure 25). Darn, busted.<\/p>\n Figure 25. Customer Support figured out \u201cmy\u201d transaction was not mine<\/p>\n They even had the audacity to say that it was \u201cmeaningless\u201d to look up the transaction history of the wallet! Well, the joke\u2019s on them because it wasn\u2019t meaningless when I got $129.<\/p>\n Nevertheless, at this point I was grasping at straws, so I went for one last Hail Mary. I complained to Maria that the Customer Support Agent was not verifying my deposit and I claimed that someone else was carrying out my trick on me. I told her that I was the real person who made the transaction and an imposter was claiming it as their own (Figure 26).<\/p>\n Figure 26. Telling Maria someone else claimed my transaction as their own<\/p>\n To my disappointment, Maria did not believe me and stopped replying.<\/p>\n By the next day, I had accepted that I wouldn\u2019t get any more money from this experiment, so I thought I\u2019d throw out one last question on the off chance that I might at least get some information or insight. I thanked Maria for the Ethereum and asked her about the scam. Unfortunately, she seemed to take offense and began hurling insults at me in Chinese.<\/p>\n Shortly after, both Maria and the Customer Support team deleted our conversations. Arabella did not do the same to our brief conversation, but her account has been deleted.<\/p>\n On a more serious note, I did research the scam domain, marblemediaseo[.]cc, and found additional, related domains. marblemediaworks[.]cc<\/span> is highly likely to be used by the same actor because it shares the same content on the website, similar hosting TTPs, such as the high-risk TLD \u201c.cc,\u201d and both appear to be lookalike variations of \u201cmarblemedia.\u201d Additionally, I found dozens of other domains that seemed to be using the same \u201ckit,\u201d as the contents on the sites were very similar. However, due to differences in the hosting and registration information, I suspect there are multiple actors, possibly affiliates using a template, operating the domains.<\/p>\n Crypto scams continue to be a lucrative method for bad actors to steal money. In 2024, consumers reportedly lost an estimated $9.3 billion from crypto scams.2<\/sup> This blog is part of an ongoing series of reports on our findings about groups operating scams worldwide. Stay tuned!<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure6.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure7.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure8.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure9.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure10.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure11.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure12.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure13.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure14.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure15.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure16.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure17.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure18.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure19.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure20.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure21.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure22.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure23.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure24.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure25.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/telegram-tango-dancing-with-a-scammer-figure26.jpg\")
<\/p>\nIndicators of Activity<\/h3>\n