Sunday, November 21, 2021

Men Pretending to Be Women in Crypto

InfoSec Seinfeld do you know who else is a man?

By Dominic Alvieri

11/20/2021


She has man hands and Twitter thumbs.

Fake account and shady investment warnings. These female accounts have man hands and Twitter thumbs.


A picture tells a thousand words. A jpeg tells thousands of bytes. More, actually, plus precious metadata: location, camera lens, etc. The images above are the snapshots used by several women of crypto currently online and believed to be operated by men. Students, models, actors and people from all walks of life are used.



Stella Catrin @stellacatrin
Joined November 2021
10,000 followers. 

Today is November 21st, 2021.


The new image used above was taken by Omar Lopez and is fresh from Orlando, Florida in April and uploaded in May 2021. She is new, dangerous and readily available online for free. I would expect to see her image again. More examples to watch out for. Data points to an alleged foreign man behind this Californian woman. Suspect name is unconfirmed as of posting.




Supermodel Thylane Blondeau is now crypto investor Henley Nava. Thylane has been named the most beautiful in the world. Now pitching Chinese mining among other suspect investments.

Monday, November 22nd, 2021 addition.



Henley Nava @henleynava
June 2021
58,000 followers




Thylane Blondeau is pitching crypto?

This account has been "giving" away crypto and pitching suspect mining and crypto. The modus operandi is similar in pattern and recognition to the suspected accounts in this article. 

Another suspected fake has even more data pointing to India including Twitter handles, IP addresses, Telegram chats and more. There is even a name for the man behind one of "The Janet Trio."


The Janet Trio.


Newest active part of the Janet Trio...




Taya Janet @tayajanet
Joined August 2021
62,000 followers


The man in the photograph is Gopal Krishna and alleged new Taya Janet. An aspiring Linux developer and failed movie critic from Mumbai, India. Irrefutable technical evidence links this man to this account. If it isn't him, he sure knows who it is. Money is on the sloppy developer.





Gopal Krishna
Joined unknown
Mumbai, India
Twitter profile...


Missed forensic link.


One of several missed forensic links left behind by Mr. Krishna...a link to a Twitter account.
Adhish Ramkurrun. Another forgotten fake account. Technically sloppy.

From Montreal to Minsk...and Medium.





These crypto queens above and below are retweeting the same garbage as their group. One is a self-proclaimed Crypto Professor with nearly 100,000 followers on Twitter, and he and the crypto queen below have very similar tweets and likes. Yesterday, a Chinese mining "legit investment." Today, multiple tweets with mining and investments, many registered the same day, September 2nd.

Tron[.]AC,  TRX[.]Blue and TRX[.]ST are all registered on September 2nd, 2021. All three share the same IP and have obfuscated their origins. Two of the three are utilizing a Singapore data center to forward packets to China. There are many others registered, Tron-Life, TRX[.]in...

A Russian man operating out of Belize is behind an account. A Chinese national is also guilty of running crypto scams. Both pending confirmation.


The Professor is Gilligan



Crypto Queen @coin_mining1
Joined June 2021
40,000 followers

Associating with Russian tweets and Chinese mining.


Does anyone verify these giveaways? 


Does anyone verify these fake crypto giveaways?

The amount of crap tweeted today is unbelievable. All have tweeted again today, November 21st, 2021. The Professor is acting like Gilligan, tweeting hidden Chinese-based mining and other shady crypto investments.

Building a crypto followers database is as valuable a commodity as a crypto brokerage firm breach. You can cross reference data, send malicious cryptominers, clipboard stealers...

There is a new trading firm just found with ties to other crypto scams, follow up details and reveals pending.

Stay safe.




Dominic Alvieri
The Cyber Show

Tuesday, November 16, 2021

Chinese Babysitting and Surveillance Co. Ltd.

Chinese compromise domains ranging from housekeeping and babysitting services to industrial machinery

By Dominic Alvieri

Twitter  @AlvieriD


November 16th, 2021




Nearly every day new domains are acquired with company names like Nehe Maternity Matron's Housekeeping, Wengniu Teqi Housekeeping Services, Co., Ltd. and many others.
 
All are using the same IP Record No of 18dfds740-2. Every domain has a fake company name.


Over 200 domains within a 12-month period, all with new fake housekeeping names and all traffic and data heading back to Beijing.






Researching this from many different machines and networks, surprisingly only a VPN IP from Northern Virginia was blocked on any of the sites.





The domains are being acquired through multiple registrars and hosted all over the world. 
Twitter is a group favorite. Twitter has been banned in China since 2009.

Premium short domain names also include variants of Facebook, Amazon, Netflix and others...

TheStock-Exchange[.]com        TwitterPictures[.]com
TwitterPhoto[.]com             NikeAirMaxRetail[.]com
Wrestlemania2016[.]com         UrbanExchangeAZ[.]com
TwitterCar[.]com               CongressOnTwitter[.]com
HotmailSetUp[.]com             CapiatalOneBank[.]com


Nice link.


Over 200 domains within a 12-month period. They are even using Congress on Twitter dotcom. Many of the hosts and registrars are famous for hosting and deploying malware. The links, files and traffic patterns are discernible. Malspam quickly came to a new research email once it was registered with one of the shams, and it traced back to China.


Chinese babysitting and surveillance.

TheStock-Exchange[.]com

The cover for this article is the TheStock-Exchange[.]com site, which has changed this week from the babysitting/housekeeping platform to a Chinese recruiting agency with several names as well. After several months of searching and countless misdirections, the immutable data packets and domain traffic point to Beijing. An office building, to be specific. After several contact attempts, neither Luminaire, Lightning, any babysitters or communist party agents were available, but probably listening. I got hung up on several times. Mention re-education and the call is abruptly over.

The customer service hotline was ice cold. So was everyone else.

Now recruiting in all areas and provinces of China including Xinjiang. 




The extensive network and multiple addresses reek of the panda, with traces to Beijing. All phone numbers are in Beijing, with a call center in Germany, another favorite asset. Other fake companies are being utilized in different industries and are following the same modus operandi, including an industrial packing company which is active in attempting to sell to United States-based companies.

I have not been able to locate any of the non-existent packaging equipment export companies, but they do respond. All the files, links and traffic patterns are the same. They will respond for a quote, but beware of malspam that will follow.





My favorite name so far is Guangzong Multifunctional Pillow Packaging Machine Factory. It is easy to find the air quality in Guangzong, China. Finding information about the packing company is another story. Shenzhen has no listing either.

Guangzong Multifunctional Pillow Packaging Machine Factory is linked to Beijing


Air quality in Guangzong is easy to find.



Hug the Big Panda





None of the industrial packing company names are real or have any listings on any of the major Chinese exporters' websites or with shipping port transfer agents. One way or another the data points to this one block in Beijing, 

Visitors beware: there is a bit of a pattern developing.




Stay safe online and off.






Dominic Alvieri    @AlvieriD

The Cyber Show
