Keypoints
- Over 1,000 domains linked to the Impulse Project affiliate program were identified, with registrations from January 2021 to May 2023 (and some related activity as far back as 2016).
- The scam is an advance‑fee scheme: victims are lured with a cryptocurrency reward and asked to pay a small activation deposit (commonly 0.01 BTC) to unlock funds they never receive.
- Affiliates register their own domains, then deploy the site scripts and CloudFlare configuration supplied by Impulse Team; each affiliate's domains sit on one shared backend database, so an account created on one of its sites is valid on the others.
- Operators cloned a legitimate site (scamdoc.com) as scam-doc[.]com to increase perceived trust and funnel victims to fraudulent platforms.
- Advertising and victim lures were delivered via social networks (Twitter, TikTok, Mastodon) and private messages; affiliates handled advertising individually.
- A public Telegram channel aggregated (bot‑fed) deposit notifications; Trend Micro observed ~US$5M in USDT transactions logged between Dec 24, 2022 and Mar 8, 2023.
- Indicators of compromise were compiled in a public IOC text file and shared with CloudFlare for remediation.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service: social-media posts and private messages used to lure victims — ‘…private message being spread on Twitter by an account created for the sole purpose of luring people into visiting a specific website: varbytrade[.]com.’
- [T1036] Masquerading: a look-alike domain (scam-doc[.]com) cloned a trusted web tool so the scam sites appeared legitimate — ‘…a spoof of a legitimate web tool (scamdoc.com) that checks website authenticity.’
- [T1583] Acquire Infrastructure: large-scale domain registration and hosting configuration for the scam network — ‘…over a thousand domains related to this fraud, created within the timeframe of January 2021 to May 2023’ and ‘…configured with scripts provided by the Impulse Team that are used for CloudFlare services.’
- [T1566.002] Phishing: Spearphishing Link: short links and advertised landing pages redirect victims to fraudulent sign-up and payment pages — ‘The screenshot … shows the scam perpetrator offering a large cryptocurrency reward …’ (the lure leads to account creation and the activation payment).
Indicators of Compromise
- [Domains] fraudulent sites used for the scam – varbytrade[.]com, jarbytrade[.]com, and 1,000+ related domains, including one-letter variants of the same stem (e.g., harbytrade[.]com, karbytrade[.]com)
- [Domain Impersonation] hyphen-inserted look-alike used to build trust – scam-doc[.]com (spoofing scamdoc.com)
- [Public Logging] Telegram channel logging payments – public channel created Oct 2022 showing transaction logs from Dec 24, 2022 to Mar 8, 2023
- [IOCs file] compiled indicators published by Trend Micro – https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/impulse-team-massive-years-long-mostly-undetected-cryptocurrency-scam/iocs-impulse-team-massive-years-long-mostly-undetected-cryptocurrency-scam.txt
- [Referenced Wallet] alleged Bitcoin wallet tied to Jarbytrade (commentary) – reported to have received ~US$500,000 (address not published in article)
Impulse Team operated a scalable affiliate pipeline: affiliates register and own individual domains, then install the scripts and CloudFlare configurations provided by the Impulse Team to host sites that mimic legitimate crypto platforms. All of an affiliate's sites point to one shared backend database provided by the program, so account credentials and payment records are valid across that affiliate's whole domain set; the admin and affiliate interfaces and the promotional assets are supplied centrally to streamline deployment.
Victim acquisition relied on social-media spam and targeted private messages linking to landing pages that promise large cryptocurrency rewards but require a small “activation” payment (commonly 0.01 BTC). To raise trust, operators cloned a real reputation-check service (scamdoc.com) as scam-doc[.]com and displayed live crypto prices on the scam sites; payments went to cryptocurrency wallets and were mirrored by a bot into a Telegram channel that publicly logged deposits, both to attract affiliates and to create perceived legitimacy.
For defenders: pursue rapid takedown of the malicious domains and their CloudFlare-fronted sites; block and analyze the affiliate provisioning scripts where they are recoverable; watch for hyphen-inserted or other look-alike registrations of known reputation tools; pivot from one confirmed scam domain to its siblings (same naming pattern, same site scripts and CloudFlare configuration, accounts valid across the set); and load the published IOC list (linked below) into DNS and proxy detection to find and block traffic to active sites and the wallets they collect for.
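The following is an added example of the detection step described above, written for this page and not part of Trend Micro's tooling or the article. It loads a defanged IOC list (format assumed: one `[.]`-defanged domain per line with `#` comments; the excerpt here is constructed from the domains named on this page, not the real file), derives a regex for domain families that differ only in their first letter (the varbytrade/jarbytrade/harbytrade pattern), flags hyphen-inserted look-alikes of a trusted brand (scamdoc.com), and runs all three checks over constructed dnsmasq-style query log lines. The hostnames `marbytrade.com` and `sca-mdoc.com` in the log sample are invented solely to exercise the sibling and look-alike checks.

```python
"""Match DNS query logs against a defanged IOC domain list and flag
look-alike siblings of known scam domains. Added example; all data below
is constructed for illustration."""
import re
from collections import Counter

# Constructed excerpt of a defanged IOC list (assumed format: one domain
# per line, "[.]" in place of ".", "#" starts a comment).
SAMPLE_IOC_TEXT = """\
# Impulse Team scam domains (constructed excerpt from the page's IOC section)
varbytrade[.]com
jarbytrade[.]com
harbytrade[.]com
karbytrade[.]com
scam-doc[.]com
"""

# Constructed dnsmasq-style query log. marbytrade.com and sca-mdoc.com are
# invented here to exercise the sibling-pattern and look-alike checks.
SAMPLE_DNS_LOG = """\
Jun  1 10:00:01 dnsmasq[123]: query[A] www.example.com from 10.0.0.5
Jun  1 10:00:02 dnsmasq[123]: query[A] jarbytrade.com from 10.0.0.7
Jun  1 10:00:03 dnsmasq[123]: query[A] scam-doc.com from 10.0.0.7
Jun  1 10:00:04 dnsmasq[123]: query[A] scamdoc.com from 10.0.0.9
Jun  1 10:00:05 dnsmasq[123]: query[A] marbytrade.com from 10.0.0.11
Jun  1 10:00:06 dnsmasq[123]: query[AAAA] cdn.jarbytrade.com from 10.0.0.7
Jun  1 10:00:07 dnsmasq[123]: query[A] sca-mdoc.com from 10.0.0.13
"""

# Legitimate sites the scam imitates; a hyphenated variant of one is suspect.
TRUSTED_BRANDS = {"scamdoc.com"}

QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")


def refang(domain):
    """Turn a defanged 'a[.]b' domain back into 'a.b', lower-cased."""
    return domain.replace("[.]", ".").strip().lower()


def load_iocs(text):
    """Parse the IOC text into a set of refanged domains, skipping comments."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            iocs.add(refang(line))
    return iocs


def sibling_patterns(iocs, min_count=3):
    """Build one regex per family of IOC domains that share everything but
    the first character (varbytrade/jarbytrade/harbytrade -> [a-z]arbytrade.com).
    A family needs min_count members before it is generalised."""
    stems = Counter(d[1:] for d in iocs if len(d) > 1)
    return [re.compile(r"^[a-z]" + re.escape(stem) + "$")
            for stem, n in stems.items() if n >= min_count]


def hyphen_lookalike(domain, brands):
    """True when stripping hyphens turns an untrusted name into a trusted brand
    (scam-doc.com -> scamdoc.com)."""
    return domain not in brands and domain.replace("-", "") in brands


def registrable(name):
    """Reduce a hostname to its last two labels. Assumption for this sample:
    no multi-label public suffixes such as co.uk appear in the log."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def scan_log(log_text, iocs, brands=TRUSTED_BRANDS):
    """Return (client, queried name, reason) for every suspicious query.
    Exact IOC matches win over derived patterns, which win over brand checks."""
    patterns = sibling_patterns(iocs)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.group(1).lower(), m.group(2)
        dom = registrable(name)
        if dom in iocs:
            hits.append((client, name, "ioc_match"))
        elif any(p.match(dom) for p in patterns):
            hits.append((client, name, "sibling_pattern"))
        elif hyphen_lookalike(dom, brands):
            hits.append((client, name, "brand_lookalike"))
    return hits


if __name__ == "__main__":
    for client, name, reason in scan_log(SAMPLE_DNS_LOG, load_iocs(SAMPLE_IOC_TEXT)):
        print(f"{client:12} {name:24} {reason}")
```

The order of checks matters: an exact IOC hit is the strongest signal, the derived sibling regex is a lower-confidence pivot that will also catch unrelated single-letter-prefix domains and should feed a hunt queue rather than an automatic block, and the legitimate scamdoc.com itself is never flagged because it is in the trusted set.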
Read more: https://www.trendmicro.com/en_us/research/23/f/impulse-team-massive-cryptocurrency-scam.html