I’m a big fan of the Brave browser and BasicAttentionToken — an innovative idea to radically improve the web. And so I was excited to see their (legit) tweet. My startup Public.Law is a verified publisher, and I’ve investigated the partnership program:
It’s awesome to see the new digital ad program getting testing. Following this tweet, Twitter displays these:
E-coin faucets have been around for a while, and I’ve never had a problem with them. So I clicked the link, and saw the dwindling amount left to give away. I saw that I just needed to send 0.5 ETH to get the payment, which also sounded ok, because several different e-coin apps (like the Brave browser) sometimes need you to put some money in to get started. 0.5 ETH didn’t sound like much at all.
I was ready to convert $$ to ETH, but then I saw how much money that’d actually be: $400. I was ready to go, but I’ve never sent that much money online:
And so I went back to the giveaway site to look closer. I saw some red flags: there isn’t actually the BasicAttentionToken logo or name anywhere on it. And the domain name is completely unrelated. I asked about it, but haven’t heard back from @AttentionToken, who is also cc’d:
Then I realized that this follows the standard scam strategy of getting the victim to pay a “small amount” to “win” a much larger amount. Just like lottery and Nigerian email scams.
Finally, I realized that there’s a series of fake BasicAttentionToken Twitter accounts. Notice the extra letter l at the end: @AttentionTokenl. Ouch. This is 100% scam.
I picked up on it probably because they asked for a lot of money. I was about to send real cash in, but stopped at the $400 amount. (And yeah, I thought it was just $200 at first.)
I’m embarrassed to say that I study these scams as a hobby, and still got taken in.
My Observations: Both Twitter and BasicAttentionToken need to take action
- The mechanism for this scam exploits Twitter’s platform; the way it looks and acts for a user. It hacks the user’s trust and knowledge of how Twitter works.
- BasicAttentionToken’s official Twitter account doesn’t have the blue checkmark; that’d help people identify fake accounts, and might get a faster response from Twitter for these problems.
- The scammers use the official BAT logo and name; surely there’s an algorithmic way that Twitter could act earlier on these.
- BasicAttentionToken needs to reply quickly and decisively to fraud reports; they need dedicated fraud staff if they don’t have it. And they need to reply quickly to build confidence in the financial system they want to create.
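The fake handle above differs from the official one by a single trailing letter, which is the kind of near-match an automated check can flag. A minimal sketch in Python, added here as an illustration and not code from Twitter or BasicAttentionToken; the confusable-character table, the two-edit threshold and every sample handle other than the two named in this post are assumptions:

```python
# Added example: flag handles that imitate a protected handle.
# CONFUSABLE and max_edits are illustrative assumptions, not platform rules.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "_": None})


def skeleton(handle: str) -> str:
    """Fold look-alike characters, then lowercase (handles are case-insensitive)."""
    return handle.lstrip("@").translate(CONFUSABLE).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, official: str, max_edits: int = 2) -> bool:
    """True when candidate is a different account whose name sits near official."""
    if candidate.lstrip("@").lower() == official.lstrip("@").lower():
        return False  # this is the official account itself
    return edit_distance(skeleton(candidate), skeleton(official)) <= max_edits


def triage(handles, official):
    """Return the handles that deserve a human look, in input order."""
    return [h for h in handles if is_lookalike(h, official)]


# Constructed sample; only the first two handles appear in the post.
SAMPLE = ["@AttentionToken", "@AttentionTokenl", "@Attenti0nToken",
          "@Attention_Token", "@example_news"]

if __name__ == "__main__":
    print(triage(SAMPLE, "@AttentionToken"))
```

A match here is only a reason to review the account, since a short edit distance also catches unrelated accounts with similar names.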
I’ve traced the domain name and IP address to Namecheap DNS & web hosting. I’ve contacted them, and they’ve begun an investigation.
Namecheap has suspended the account; great, quick work on their part.