On July 16, 2020, the Financial Crimes Enforcement Network (FinCEN) issued an alert to financial institutions emphasizing a recent scam exploiting Twitter accounts to fraudulently solicit virtual currency payments.  The cyber threat actors involved in the scam compromised accounts of various public figures, organizations, and financial institutions in an attempt to solicit virtual currency payments by claiming these payments would be doubled and returned to the senders.  FinCEN asked financial institutions not to send money or provide identifying or confidential information if they receive such a solicitation before verifying its authenticity, and reminded virtual currency exchanges and other financial institutions to identify and report suspicious transactions determined to be associated with the scam. Included in those Suspicious Activity Reports (SARs) should be any “relevant technical cyber indicators related to cyber events and associated transactions.”   Examples of possible cyber indicators include chat logs, suspicious IP addresses, suspicious email addresses, suspicious filenames, malware hashes, CVC addresses, command and control (C2) IP addresses, C2 domains, targeted systems, MAC address or port numbers.  This appears to be a reference to the types of “cyber-related information” that FinCEN previously has instructed financial institutions to include in SARs where it is available.

FinCEN included in the alert a list of “red flags” to help financial institutions identify and report suspicious activity potentially related to the scam:

  • Promises of high or guaranteed investment or donation returns for payments made to accounts with which a financial institution had no prior business relationship.
  • Communications, including social media posts, soliciting payments that have misspellings or messages out-of-profile for the counterparty, soliciting payments from individuals or organizations with whom a financial institution had no prior existing business relationship, including celebrities or public figures.
  • Solicitations requesting donations via social media where the solicitor is not affiliated with a reputable organization.
  • Social media posts that solicit donations or advertise give-aways that appear from accounts that are not “verified” through the social media platform account verification processes or that misspell the celebrity or financial institution’s name.
  • Multiple social media accounts communicating the same message soliciting funds for an unknown purpose or to an unknown account.
  • Communications, including social media posts, that provide the same CVC address across multiple celebrity or prominent financial institution social media accounts.

FinCEN directed financial institutions to include the term “FIN-2020-Alert001” in SARs reporting this activity.  Financial institutions may also reference FinCEN’s May 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency for additional red flags of illicit CVC activity, and its Cyber Event FAQs for additional information on reporting cyber events.