Bitstil Crypto (bitstil-crypto.com): An Investigation

Recently we received a complaint about a website, Bitstil Crypto (bitstil-crypto.com). Bitstil Crypto claims to be a cloud mining platform asking users to “Invest any amount to participate in profits from Cryptocurrency Mining.”

Our first stop was the about page where we performed a reverse image search of the CEO’s photo.

It showed the images were used on two other websites.

The websites were:

1) https://blog.followjulian.com/wall-street-mine-review-looks-like-a-quick-scam/

2) https://heritageinvest.ltd/?a=cust&page=aboutus

The first link was a post about a Ponzi mining scam, wallstreetmine.com, that had earlier gone by the name promine.co and duped many investors. The second, heritageinvest.ltd, also has the same CEO pictures as the already listed websites. Googling the contact number +44 2033184540 listed on both wallstreetmine.com and heritageinvest.ltd, we were able to discover other websites with similar features and the same phone number. Below is a list:

| Domain | Hosting Company | Link | Notes |
| --- | --- | --- | --- |
| incomestream.org | Namecheap | archive.vn/qX7cr | |
| earnmuch.net | fcomet.com | http://web.archive.org/web/20210521224000/https://earnmuch.net/?a=cust&page=aboutus | |
| demo.kawsar.club | Namecheap | https://archive.vn/AJoGC | |
| coinillion.com | Namecheap | http://web.archive.org/web/20210522140937/https://coinillion.com/?a=cust&page=aboutus | |
| Neovest.ir, Neovest.trade | Hetzner Online GmbH | https://archive.ph/cORXI (Google web cache) | Whois records led to Twitter profile @IrAliyar (https://archive.vn/xOzZd) and Instagram profile @persian.forex |
| cryptolab.live | fastcomet.com | http://web.archive.org/web/20210522145742/https://www.cryptolab.live/?a=cust&page=aboutus | |
| kawsar.xyz | Namecheap | http://web.archive.org/web/20210522211454/https://www.kawsar.xyz/demo7/?a=login | |
| cloudhashrate.io | Namecheap | http://web.archive.org/web/20210522220921/cloudhashrate.io/?a=cust&page=aboutus | |
| cloverfinances.com | Namecheap | http://web.archive.org/web/20210522221540/https://cloverfinances.com/?a=cust&page=aboutus | |
| zanetrade.com | Namecheap | http://web.archive.org/web/20210522222258/https://www.zanetrade.com/?a=cust&page=aboutus | Found using the contact number +1(408)9154818 from incomestream.org about page |
| primecapitaltrades.com | Namecheap | http://web.archive.org/web/20210522222651/https://primecapitaltrades.com/?a=cust&page=aboutus | Found using the contact number +1(408)9154818 from incomestream.org about page |
| pfs-investment.com | Namecheap | http://web.archive.org/web/20210528202139/https://pfs-investment.com/?a=cust&page=aboutus | Found using the contact number +1(408)9154818 from incomestream.org about page |
| alphacoins.net | Namecheap | http://web.archive.org/web/20210715122811/https://alphacoins.net/ | |
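
The phone-number pivot described above can be automated once contact pages have been collected. The following is an added example, not code from the original investigation: it normalises differently formatted numbers and groups domains that share one, directly or through an intermediate site such as incomestream.org. The page text is constructed, and `unrelated.example` is a hypothetical control.

```python
import re
from collections import defaultdict

# Constructed contact-page text (not scraped). The domain/number pairings
# follow the article; "unrelated.example" is a hypothetical control.
PAGES = {
    "wallstreetmine.com": "Call us: +44 2033184540",
    "heritageinvest.ltd": "Phone +44 203 318 4540 | support",
    "incomestream.org": "UK: +44 2033184540  US: +1(408)9154818",
    "zanetrade.com": "Tel: +1 (408) 915-4818",
    "primecapitaltrades.com": "Contact +1(408)9154818",
    "unrelated.example": "Phone: +1 (212) 555-0100",
}

# '+', a digit, then at least 7 digits/separators, ending on a digit.
PHONE_RE = re.compile(r"\+\d[\d\s().-]{7,}\d")


def extract_phones(text):
    """Return the phone numbers in text, normalised to '+' plus digits only."""
    return {"+" + re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}


def cluster_by_phone(pages):
    """Group domains linked, directly or transitively, by a shared number."""
    by_phone = defaultdict(set)
    for domain, text in pages.items():
        for phone in extract_phones(text):
            by_phone[phone].add(domain)

    parent = {d: d for d in pages}  # union-find over domains

    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d

    for domains in by_phone.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(list)
    for d in sorted(pages):
        groups[find(d)].append(d)
    return sorted(groups.values(), key=len, reverse=True), dict(by_phone)


if __name__ == "__main__":
    clusters, index = cluster_by_phone(PAGES)
    for c in clusters:
        print(len(c), c)
```

zanetrade.com and wallstreetmine.com share no number with each other, yet they land in the same cluster because incomestream.org lists both numbers.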

Also, an examination of the source code on bitstil-crypto revealed a connection to two other domains, capital-traders.ltd and coin-pay.org.

Some of the websites above had outright fake certificates of incorporation, while others used the certificates of known UK companies. The modus operandi of these fraudsters was to go to the online portal of Companies House (the United Kingdom’s registrar of companies), obtain incorporation certificates of legitimate companies, then buy domains that closely mirror the company names. This was done to make the schemes appear legitimate.

During our analysis, we also found connections to 3 social media profiles.

The first social media profile linked to this scheme was found while looking at the promine.co Twitter page. The @Promine_co account has @heatstreak_2012 as one of the people it follows.

This account had several tweets promoting the fraudulent Pro Mine Limited. The Twitter profile of @heatstreak_2012 had a link to its Telegram channel. The Telegram channel had a warning that several users had reported the account as a scam.

Looking at posts made in the Telegram channel, we found it was dedicated to the promotion of fake investment schemes.

The second social media profile was discovered from neovest.ir.

A whois search of the domain revealed the name Amir AliYar, which upon further searching led to a Twitter and an Instagram account.

The third social media account was discovered while doing a Google search using the number +44 2033184540 from the websites above. This led to a Google web cache of a profile on vk.com called Anatoly Nenakhov.

Of the three social media profiles, the Instagram and Twitter accounts of persian.forex are the strongest link to the Bitstil Crypto scam.

Moving on, our complainant provided a wallet address that the crooks behind Bitstil Crypto used to collect bitcoin from him. Plugging the address 1Q1orCkg5FY4U74uVKDjZZqdLpnmXGD2DN into Bitcoin Who's Who, we got the details below:

This address has a “Last known Output” that leads to the bitcoin address 1AHwdvrkv7Tc33BFrhTiTpwHeQb6rrRsH6 that was flagged as being involved in a scam. The scam report listed the website coinsmatt.com which was hosted on Namecheap but has since been suspended.

This address in turn had five repeated outputs to 17UciCr45kQB9KcNHxeKHhkpr3jkuLGjJg.

Then this address had ten repeated outputs to the address 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s, which is Binance’s hot wallet. Binance allows users to withdraw up to 2 BTC without going through a strict KYC/AML process, so these fraudsters were funneling the funds through it.
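
The hop-by-hop tracing described above, as an added example that is not part of the original investigation: from the complainant's payment address it follows the most frequently repeated output at each hop until it reaches a labelled service wallet. The output records are constructed, with repeat counts mirroring the article, and `side-output.example` is a hypothetical stray output.

```python
from collections import Counter, defaultdict

DEPOSIT = "1Q1orCkg5FY4U74uVKDjZZqdLpnmXGD2DN"   # complainant's payment address
FLAGGED = "1AHwdvrkv7Tc33BFrhTiTpwHeQb6rrRsH6"   # reported for coinsmatt.com
RELAY = "17UciCr45kQB9KcNHxeKHhkpr3jkuLGjJg"
BINANCE = "1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s"

# Addresses where wallet-level tracing stops: a pooled service wallet mixes
# many customers' funds, so later outputs cannot be tied to one depositor.
SERVICES = {BINANCE: "Binance hot wallet"}

# Constructed (sender, receiver) output records. The repeat counts mirror the
# article (one, five, ten); "side-output.example" is a hypothetical stray output.
EDGES = (
    [(DEPOSIT, FLAGGED)]
    + [(FLAGGED, RELAY)] * 5
    + [(FLAGGED, "side-output.example")]
    + [(RELAY, BINANCE)] * 10
)


def trace(start, edges, services, max_hops=10):
    """Follow the most frequent output from each address.

    Returns (hops, end) where hops is a list of (src, dst, repeat_count).
    Stops at a labelled service, a dead end, a loop, or max_hops.
    """
    outputs = defaultdict(Counter)
    for src, dst in edges:
        outputs[src][dst] += 1

    hops, seen, current = [], {start}, start
    for _ in range(max_hops):
        if current in services or not outputs[current]:
            break
        nxt, count = outputs[current].most_common(1)[0]
        if nxt in seen:          # loop back to an address already visited
            break
        hops.append((current, nxt, count))
        seen.add(nxt)
        current = nxt
    return hops, current


if __name__ == "__main__":
    hops, end = trace(DEPOSIT, EDGES, SERVICES)
    for src, dst, n in hops:
        print(f"{src} -> {dst} (x{n})")
    print("ends at:", SERVICES.get(end, "unlabelled address"))
```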

In conclusion, the major learning points are: don’t trust an investment scheme merely because it claims to be incorporated. Do further research to verify if their claims are legitimate. High interest with little or no risk is always a sure sign that you might be dealing with a scam.
