Teen Rakes in $2.74M Worth of Bitcoin in Phishing Scam

The kid was busted after abusing Google Ads to lure users to his fake gift card site. 

During the early days of the pandemic, while the rest of the world was stress streaming and working on sourdough starter, an ambitious teen stuck in his bedroom decided to set up a fake “Love2Shop” gift card site to harvest people’s payment information, invest the stolen money in cryptocurrency and become a millionaire.

The intrepid 17-year-old in the U.K. collected just under $9,000 before the real Love2Shop caught on when customers started to complain, according to a local report from Lincolnshire Live. The boy’s name is being withheld because he’s a juvenile.

His age did not stop the scammer from purchasing Google ads to lure people to his phishing site, according to prosecutors, and the ads ultimately ranked the scam site above the legitimate one.

In all, law enforcement said they found 12,000 credit card numbers and 197 PayPal accounts on his computer. They added that he had collected more than $440,000 in stolen money.

“He had received through his PayPal accounts between January and March 2020 a total of £323,000,” the case’s prosecutor, Sam Skinner, said, according to Lincolnshire Live. “These sums came into his account and were transferred into cryptocurrency.”

Grift Cash Invested in Crypto

Turns out not only did the teen set up a lucrative criminal enterprise, but he’s also a wicked investor. His cryptocurrency investments were enormously profitable, ultimately climbing to more than $2.5 million.

“The police found a large quantity of cryptocurrency,” Skinner added. “There were 48 Bitcoins and a smaller number of other coins. At the time they were worth £200,000. They are now worth a little over £2 million.”

The teen was sentenced to a year in youth rehabilitation for fraud and money laundering. His Bitcoin was also confiscated.

Cybersecurity Fundamentals

A bored kid being able to pull off a heist of this size is a symptom of the wider cybersecurity community’s lack of fidelity to fundamentals, according to John Bambenek, principal threat hunter with Netenrich.

“Ultimately, 40 years on with Internet-connected technologies and we still can’t resolve two basic problems: How can consumers verify that the websites they visit are legitimate? And, How can financial institutions validate transactions are legitimate?” Bambenek told Threatpost. “We’re failing so profoundly at the very basics that children can literally become millionaire criminals.”

And the blame so often placed on users for falling victim to cybercrime hasn’t helped anyone but the attackers, as Archie Agarwal, CEO of ThreatModeler, pointed out to Threatpost. He added that companies with massive platforms like Google and PayPal have a responsibility to protect their platforms from being abused.

Securing Massive Platforms from Abuse

“With the prevalence of open-source tools that scrape and rebuild replica existing websites in minutes, this type of crime is very hard to prevent,” Agarwal wrote. “And we must not make the mistake of blaming the victims for clicking links on a system built on clicking links. It is the duty of the security community and the large Internet companies such as Google and PayPal, who were used in this scam, to find ways for alarms to trip to protect users as fast as possible.”

Threatpost asked Google directly about the U.K. teen’s ability to use Google’s advertising platform for criminal gain, and a spokesperson provided this response:

“Our goal is to create a safe and trustworthy experience for users. We take matters of ad fraud very seriously and continue to vigorously enforce our policies and be nimble when faced with new threats.”

Google’s current ad policies prohibit brand impersonation, replicating original content and various other forms of misrepresentation scammers use to abuse Google’s platform.

When last March’s Ads Safety Report was released, Google vice president Scott Spencer acknowledged that the pandemic and disinformation campaigns aimed at elections around the world have presented the company with a complicated set of challenges over the past year, but he pledged to continue to invest in cybersecurity at scale.

Spencer explained that it’s just smart business: “Preserving trust for advertisers and publishers helps their businesses succeed in the long term,” he wrote. “In the upcoming year, we will continue to invest in policies, our team of experts and enforcement technology to stay ahead of potential threats.”
