Twitter scam: Ethereum / BasicAttentionToken “giveaway”

I’m a big fan of the Brave browser and BasicAttentionToken — an innovative idea to radically improve the web. And so I was excited to see their (legit) tweet. My startup Public.Law is a verified publisher, and I’ve investigated the partnership program:

It’s awesome to see the new digital ad program getting tested. Following this tweet, Twitter displays these:


E-coin faucets have been around for a while, and I’ve never had a problem with them. So I clicked the link, and saw the dwindling amount left to give away. I saw that I just needed to send 0.5 ETH to get the payment, which also sounded ok, because several different e-coin apps (like the Brave browser) sometimes need you to put some money in to get started. 0.5 ETH didn’t sound like much at all.

[Screenshot: The giveaway site]

I was ready to convert $$ to ETH, but then I saw how much money that’d actually be: $400. I was ready to go, but I’ve never sent that much money online:


And so I went back to the giveaway site to look closer. I saw some red flags: there isn’t actually the BasicAttentionToken logo or name anywhere on it. And the domain name is completely unrelated. I asked about it, but haven’t heard back from @AttentionToken, who is also cc’d:

https://twitter.com/dogweather/status/992103024054042625

Then I realized that this follows the standard scam strategy of getting the victim to pay a “small amount” to “win” a much larger amount. Just like lottery and Nigerian email scams.

https://twitter.com/dogweather/status/992103522773553154

Finally, I realized that there’s a series of fake BasicAttentionToken Twitter accounts. Notice the extra letter l at the end: @AttentionTokenl. Ouch. This is 100% scam.

I picked up on it probably because they asked for a lot of money. I was about to send real cash in, but stopped at the $400 amount. (And yeah, I thought it was just $200 at first.)

I’m embarrassed to say that I study these scams as a hobby, and still got taken in.

My Observations: Both Twitter and BasicAttentionToken need to take action

  • The mechanism for this scam exploits Twitter’s platform: the way it looks and acts for a user. It hacks the user’s trust and knowledge of how Twitter works.
  • BasicAttentionToken’s official Twitter account doesn’t have the blue checkmark; that’d help people identify fake accounts, and might get a faster response from Twitter for these problems.
  • The scammers use the official BAT logo and name; surely there’s an algorithmic way that Twitter could act earlier on these.
  • BasicAttentionToken needs to reply quickly and decisively to fraud reports; they need dedicated fraud staff if they don’t have it. And they need to reply quickly to build confidence in the financial system they want to create.
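The look-alike handle described above (@AttentionTokenl imitating the official @AttentionToken) is the kind of impersonation an edit-distance check can flag. The following Python is an added example, not code from this post or from Twitter; the confusable-character table, the distance threshold and every sample handle other than those two are assumptions constructed for illustration.

```python
# Added example: flag handles that imitate a protected account name.
# The confusable table and max_distance are assumptions, not Twitter's rules.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s", "_": None})

def skeleton(handle: str) -> str:
    """Fold look-alike characters, then lowercase (handles are case-insensitive)."""
    return handle.lstrip("@").translate(CONFUSABLE).lower()

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "oi" typed for "io".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate: str, protected: str, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one handle."""
    if candidate.lstrip("@").lower() == protected.lstrip("@").lower():
        return "official"
    cand, prot = skeleton(candidate), skeleton(protected)
    if cand == prot or edit_distance(cand, prot) <= max_distance:
        return "lookalike"
    return "unrelated"

def scan(handles, protected):
    """Classify every handle against one protected name."""
    return {h: classify(h, protected) for h in handles}

# Constructed sample: only the first two handles appear in the post.
SAMPLE = ["@AttentionToken", "@AttentionTokenl", "@AttentionToken1",
          "@AttentoinToken", "@Attention_Token", "@dogweather"]

if __name__ == "__main__":
    for handle, verdict in scan(SAMPLE, "@AttentionToken").items():
        print(f"{handle:20} {verdict}")
```

A fixed threshold of 2 suits a 14-character name; for short protected names it would need to be lowered to avoid flagging unrelated accounts.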

Update 1

I’ve traced the domain name and IP address to Namecheap DNS & web hosting. I’ve contacted them, and they’ve begun an investigation.

Update 2

Namecheap has suspended the account; great, quick work on their part.

