Recently we received a complaint about a website, Bitstil Crypto (bitstil-crypto.com). Bitstil Crypto claims to be a cloud mining platform, asking users to “Invest any amount to participate in profits from Cryptocurrency Mining.”
Our first stop was the about page where we performed a reverse image search of the CEO’s photo.
It showed the images were used on two other websites.
The websites were:
1) https://blog.followjulian.com/wall-street-mine-review-looks-like-a-quick-scam/
2) https://heritageinvest.ltd/?a=cust&page=aboutus
The first link was a post about a Ponzi mining scam, wallstreetmine.com, that had earlier gone by the name promine.co and duped many investors. The second, heritageinvest.ltd, also has the same CEO pictures as the already listed websites. Googling the contact number +44 2033184540 listed on both wallstreetmine.com and heritageinvest.ltd, we were able to discover other websites with similar features and the same phone number. The list is below:
Domain | Hosting Company | Link/Notes |
incomestream.org | Namecheap | archive.vn/qX7cr |
earnmuch.net | fcomet.com | http://web.archive.org/web/20210521224000/https://earnmuch.net/?a=cust&page=aboutus |
demo.kawsar.club | Namecheap | https://archive.vn/AJoGC |
coinillion.com | Namecheap | http://web.archive.org/web/20210522140937/https://coinillion.com/?a=cust&page=aboutus |
Neovest.ir, Neovest.trade | Hetzner Online GmbH | https://archive.ph/cORXI – Google web cache; Whois records led to Twitter profile @IrAliyar – https://archive.vn/xOzZd; Instagram profile @persian.forex |
cryptolab.live | fastcomet.com | http://web.archive.org/web/20210522145742/https://www.cryptolab.live/?a=cust&page=aboutus |
kawsar.xyz | Namecheap | http://web.archive.org/web/20210522211454/https://www.kawsar.xyz/demo7/?a=login |
cloudhashrate.io | Namecheap | http://web.archive.org/web/20210522220921/cloudhashrate.io/?a=cust&page=aboutus |
cloverfinances.com | Namecheap | http://web.archive.org/web/20210522221540/https://cloverfinances.com/?a=cust&page=aboutus |
zanetrade.com | Namecheap | http://web.archive.org/web/20210522222258/https://www.zanetrade.com/?a=cust&page=aboutus Found using the contact number +1(408)9154818 from incomestream.org about page |
primecapitaltrades.com | Namecheap | http://web.archive.org/web/20210522222651/https://primecapitaltrades.com/?a=cust&page=aboutus Found using the contact number +1(408)9154818 from incomestream.org about page |
pfs-investment.com | Namecheap | http://web.archive.org/web/20210528202139/https://pfs-investment.com/?a=cust&page=aboutus Found using the contact number +1(408)9154818 from incomestream.org about page |
alphacoins.net | Namecheap | http://web.archive.org/web/20210715122811/https://alphacoins.net/ |
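The phone-number pivot used to build this list can be automated. The following is an added example, not tooling from the original investigation: it normalizes contact numbers pulled from about pages and groups domains that share a number, including domains linked only through an intermediate site such as incomestream.org. The domains and numbers are those named above; the about-page text and the `unrelated.example` control are constructed.

```python
import re
from collections import defaultdict

# Domains and phone numbers are the ones named in the article; the about-page
# text around them is constructed for this example.
ABOUT_PAGES = {
    "wallstreetmine.com": "Support line: +44 2033184540",
    "heritageinvest.ltd": "Call +44 203 318 4540 or use the contact form",
    "incomestream.org": "UK: +44 2033184540. US: +1(408)9154818",
    "zanetrade.com": "Phone: +1(408)9154818",
    "primecapitaltrades.com": "Tel +1 408-915-4818",
    "unrelated.example": "Phone: +1 (555) 010-0199",  # constructed control
}

PHONE_RE = re.compile(r"\+\d[\d\s().-]{7,}\d")

def extract_numbers(text):
    """Return phone numbers in text, normalized to '+' followed by digits only."""
    return {"+" + re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}

def cluster_by_phone(pages):
    """Group domains that share a number, directly or through another domain."""
    by_number = defaultdict(set)
    for domain, text in pages.items():
        for number in extract_numbers(text):
            by_number[number].add(domain)

    parent = {d: d for d in pages}  # union-find over domains

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for domains in by_number.values():
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)

    clusters = defaultdict(list)
    for d in sorted(pages):
        clusters[find(d)].append(d)
    return [c for c in clusters.values() if len(c) > 1], dict(by_number)

if __name__ == "__main__":
    clusters, by_number = cluster_by_phone(ABOUT_PAGES)
    for number, domains in sorted(by_number.items()):
        print(number, sorted(domains))
    print("clusters:", clusters)
```
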
Also, an examination of the source code on bitstil-crypto.com revealed a connection to two other domains, capital-traders.ltd and coin-pay.org.
Some of the websites above had outright fake certificates of incorporation, while others used the certificates of known UK companies. The modus operandi of these fraudsters was to go to the online portal of Companies House (the United Kingdom’s registrar of companies), obtain incorporation certificates of legitimate companies, then buy domains that closely mirror the company names. This was done to make the schemes appear legitimate.
During our analysis, we also found connections to 3 social media profiles.
The first social media profile linked to this scheme was found while looking at the promine.co Twitter page. The @Promine_co account has @heatstreak_2012 as one of the people it follows.
This account had several tweets promoting the fraudulent Pro Mine Limited. The Twitter profile of @heatstreak_2012 had a link to its Telegram channel. The Telegram channel had a warning that several users had reported the account as a scam.
Looking at posts made in the Telegram channel, we found it was dedicated to the promotion of fake investment schemes.
The second social media profile was discovered from neovest.ir.
A Whois search of the domain revealed the name Amir AliYar, which upon further searching led to a Twitter and an Instagram account.
The third social media account was discovered while doing a Google search using the number +44 2033184540 from the websites above. This led to a Google web cache of a profile on vk.com called Anatoly Nenakhov.
Of the three social media profiles, the Instagram and Twitter accounts of persian.forex are the strongest link to the Bitstil Crypto scam.
Moving on, our complainant provided the wallet address that the crooks behind Bitstil Crypto used to collect bitcoin from him. Plugging the address 1Q1orCkg5FY4U74uVKDjZZqdLpnmXGD2DN into Bitcoin Who’s Who, we got the details below:
This address has a “Last known Output” that leads to the bitcoin address 1AHwdvrkv7Tc33BFrhTiTpwHeQb6rrRsH6 that was flagged as being involved in a scam. The scam report listed the website coinsmatt.com which was hosted on Namecheap but has since been suspended.
This address in turn had five repeated outputs to 17UciCr45kQB9KcNHxeKHhkpr3jkuLGjJg.
Then this address had ten repeated outputs to the address 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s, which is Binance’s hot wallet. Binance allows users to withdraw up to 2 BTC without going through a strict KYC/AML process, so these fraudsters were funneling the funds through it.
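The hop-by-hop trace described above can be expressed as a small routine. This is an added example, not the tooling used in the original investigation: it follows the most frequently repeated output from each address until it reaches an address labelled as an exchange. The addresses and labels are those quoted above; the output records are constructed to match the counts stated in the text, and `constructed-change-addr` is a made-up side output.

```python
from collections import Counter, defaultdict

# Addresses and labels as quoted in the article.
VICTIM_PAID = "1Q1orCkg5FY4U74uVKDjZZqdLpnmXGD2DN"
FLAGGED = "1AHwdvrkv7Tc33BFrhTiTpwHeQb6rrRsH6"
RELAY = "17UciCr45kQB9KcNHxeKHhkpr3jkuLGjJg"
BINANCE = "1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s"
LABELS = {FLAGGED: "scam report (coinsmatt.com)", BINANCE: "Binance hot wallet"}
EXCHANGES = {BINANCE}

# Constructed (sender, recipient) output records; a real trace would pull
# these from a block explorer export.
OUTPUTS = (
    [(VICTIM_PAID, FLAGGED)]
    + [(FLAGGED, RELAY)] * 5
    + [(FLAGGED, "constructed-change-addr")]
    + [(RELAY, BINANCE)] * 10
)

def trace(start, outputs, exchanges, max_hops=10):
    """Follow the dominant output of each address; stop at an exchange,
    a dead end, a loop, or after max_hops. Returns (hops, final_address)."""
    fanout = defaultdict(Counter)
    for src, dst in outputs:
        fanout[src][dst] += 1

    hops, seen, current = [], {start}, start
    for _ in range(max_hops):
        if current in exchanges or not fanout[current]:
            break
        nxt, count = fanout[current].most_common(1)[0]
        hops.append((current, nxt, count))
        if nxt in seen:  # loop back to an address already visited
            break
        seen.add(nxt)
        current = nxt
    return hops, current

if __name__ == "__main__":
    hops, end = trace(VICTIM_PAID, OUTPUTS, EXCHANGES)
    for src, dst, count in hops:
        print(f"{src} -> {dst} x{count} [{LABELS.get(dst, 'unlabelled')}]")
    print("trace ends at:", end, LABELS.get(end, "unlabelled"))
```
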
In conclusion, the major learning point is: don’t trust an investment scheme just because it claims to be incorporated. Do further research to verify whether its claims are legitimate. High interest with little or no risk is always a sure sign that you might be dealing with a scam.