CryptoRom scammers intensify fraud strategy with AI tool

CryptoRom scammers are ramping up their fraudulent tactics with the incorporation of an AI tool, according to research by cybersecurity solutions provider Sophos.

Sophos has been actively monitoring CryptoRom scams, a subset of fraudulent schemes aimed at deceiving users of dating apps into investing in fake cryptocurrencies.

In May 2023, Sophos identified additional techniques being employed by scammers, including the use of an artificial intelligence (AI) chat tool similar to ChatGPT. Scammers have also escalated their efforts by disseminating false information about compromised accounts, pressuring victims to make upfront payments without sufficient time for evaluation.

Sophos X-Ops, an integrated unit connecting SophosLabs, initially became aware of the utilization of an AI chat tool by CryptoRom scammers when a defrauded victim contacted the team.

Seven fake apps

“One of the main challenges for fraudsters with CryptoRom scams is carrying out convincing, sustained conversations of a romantic nature with targets; these conversations are mostly written by ‘keyboarders,’ who are primarily based out of Asia and have a language barrier,” said Sean Gallagher, principal threat researcher, Sophos. 

Sophos uncovered that scammers had stealthily introduced seven new fake cryptocurrency investment apps onto the official Apple App Store and Google Play store, potentially escalating the victim count. These apps have seemingly benign descriptions in the app stores (BerryX, for example, claims to be reading-related). However, as soon as users open the app, they are met with a fake crypto-trading interface.

Recycling techniques

To bypass the Apple App Store review process, developers of these apps employ the tactic initially disclosed by Sophos in February 2023. They submit the app for approval using legitimate web content. Once it is approved and published, they modify the app’s server with code for the deceptive interface.

Many of these newly surfaced apps share identical templates and descriptions, hinting at the involvement of one or two entities in orchestrating this scheme.

“These apps are also easy to recycle and reuse,” Gallagher said. “In fact, the BerryX app appears related to the fake apps we discovered and blocked earlier this year.”