Security researchers have discovered a major new scam operation designed to trick job seekers into parting with cryptocurrency, by getting them to complete meaningless tasks they believe will earn them money.
Dubbed “WebWyrm” by CloudSEK, the operation has already targeted more than 100,000 individuals across over 50 countries by impersonating over 1000 companies across 10 industries. It has already potentially netted the scammers over $100m.
The scammers approach victims primarily on WhatsApp, potentially using data from recruitment portals to target their schemes to those most likely to respond.
Promising a weekly salary of $1200-1500, they request the victim to complete 2-3 “packets” or “resets” per day, with each containing 40 tasks.
After depositing funds into a cryptocurrency wallet like KuCoin or Shakepay, the victim is told that once a task is performed, the platform will take the money out of their account and put it back in along with commission.
They are then told that “combo tasks” could earn them a huge sum of money, but that it requires more money than the $100 in USDT deposited in their account by the scammers on starting the scheme.
The catch is that a user can’t withdraw their returns until all combo tasks in a row have been completed, with each new task requiring twice the amount invested the previous time.
“Once the victim encounters a combo task, they are stuck in a recurring loop of WebWyrm. In an attempt to complete the tasks and access their returns, the victim deposits twice the original amount for each successive task. However, these relentless combo tasks persist even as the victim exhausts their bank account,” CloudSEK explained.
“On contacting the referral person or the platform developers, they start intimidating them by asking them to finish the assigned tasks of the day or the account would be frozen.”
Eventually, their accounts are frozen.
The operation is particularly sophisticated, featuring dedicated contacts who interact with victims on WhatsApp and other platforms, and approximately 6000 fake websites where they are told to register their accounts. These sites spoof legitimate companies in a highly geo-targeted way, with associated WhatsApp numbers featuring country codes relevant to the victim’s location, CloudSEK said.
“Scammers exploit the transient nature of their scheme, hosting fake domains on an IP address or Autonomous System Number (ASN) for an average of 2-4 months,” the security firm continued.
“When abuse reports arise, scammers swiftly transition to new infrastructure, preserving the integrity of their operation. This adaptive tactic ensures sustained anonymity and operational continuity while evading detection.”
CloudSEK said it has shared its research with global law enforcement agencies.