
Necurs in Crypto Pump and Dump

Necurs is considered the world’s biggest spam botnet, with what is widely believed to be millions of bots at its creators’ disposal. In the latest use of Necurs, the spammers are sending millions of spam emails that push an obscure cryptocurrency named Swisscoin. Such schemes are called pump and dump schemes: spammers buy stock in advance at a low price and sell it at a higher value once the spam campaign has driven up the price. To drive up the price before selling, the technique relies heavily on sending large quantities of spam to build interest in a particular penny stock or, in this case, the obscure and less than kosher Swisscoin.

This latest spam campaign looks to be the first time the Necurs botnet has been used to push a cryptocurrency, albeit an obscure one like Swisscoin. This, however, is not the botnet’s first pump and dump scheme. In March 2017 the botnet was used in a similar fashion to influence the share price of InCapta stock. At that time it was estimated that Necurs had anywhere between 5 million and 6 million bots, able to easily send tens of thousands of emails an hour. Prior to the InCapta spam run, Necurs rather infamously was used to spread the Dridex banking trojan and several variants of the Locky ransomware family.

In this instance, the promoting of a cryptocurrency in order to influence stock prices immediately caught the attention of security researchers. This is because it differs drastically from the past method of targeting penny stocks that fall under 5 USD per stock. This left researchers questioning the choice of cryptocurrency. Why not look to influence the share price of a well-known altcoin?

Swisscoin is marketed as a decentralized blockchain, but in reality, it operates more like a token MLM (Multi-Level Marketing) affiliate program with an upline and downline structure. Users are asked to buy token packs paid for with euros or bitcoin as well as recruit members to join the Swisscoin organization. The project officially launched on June 4, 2016, and is reportedly run by the company director Manfred Mayer, a man with an extensive background in network marketing and MLM. Questions have been raised by investigators as to whether Swisscoin is indeed the decentralized blockchain it advertises itself to be. Investigators have been unable to find any traditional cryptocurrency infrastructure. The dashboard used is a clone of the NXT dashboard. There appears to be no blockchain explorer, and Swisscoin is not listed on market capitalization sites such as Coinmarketcap.com. The Swisscoin ‘whitepaper’ says a source code repository and a blockchain explorer are “coming soon.” The company also claims to be based in Switzerland, but relevant bank accounts and domain names are all registered in Germany. Investigators believe Swisscoin to be a Ponzi scheme when all the above is considered.

Regulators must also have had a similar opinion, and trading was suspended last year based on the findings of a report. Trading resumed on January 15, and that is also when the Necurs botnet was activated again. Since the Necurs spam, the cryptocurrency lost 40% of its initial trading price. Determining the actual loss incurred by the company will be exceedingly difficult, as there was no trading during the suspension period against which to compare the impact. To further complicate matters, the dip in stock price can be explained as the result of people dumping Swisscoin when trading finally resumed after more than 50 days, and not necessarily the result of the "dump" phase following a Necurs pump-and-dump. Then there is Bitcoin’s declining price due to threats from countries banning or regulating the cryptocurrency giant which, in turn, could also have affected Swisscoin’s price.

The emails used the following taglines in an attempt to lure users:

[Image: Swisscoin spam email]

Text presented in this spam email:

If you don't already own a few coins of something, then surely at the very least, you must have heard about cryptocurrencies.
Bitcoin, the most famous one, minted countless multimillionaires but did you know that altcoins (bitcoin alternatives) are responsible for even more riches?
Among the "big" ones, NEM went up almost 10,000 percent and Ethereum, more than 4,000 percent
Among the small and unknown ones several gained more than 50,000 percent.
To put this in perspective, a small 1,000-dollar coin purchase in one of these small ones could have turned into more than 50 million bucks.
It seems crazy, doesn't it? Well, it's the reality of the cryptocurrency market today.
Raiblocks, a relatively obscure coin at the time, went from 0.20 on December first to $20 by New Year's Eve. It is now in the top 20 largest coins in the world.
All that to say, the next big winner could be found anywhere, and today I believe I've identified the next one.
After spending hundreds of hours looking at hundreds of different coins, I locked down on one specific target.
Swisscoin.
As the name says, this is a coin created and headquartered in Switzerland. It is one of the only coins in the world recognized as legal tender by the government.
Swisscoin is allowed by the Swiss government and has the potential to climb more than 5,000% before the end of January and more than 50,000% before the end of this year.
This is one of those rare buy-and-hold coins which you WANT to own, and hang onto for the long term, much like those people who bought bitcoin at $1 and kept it for 3 years. FYI, bitcoin is trading at $14,000 now. That's an increase of over 1 million percent.
I recommend you consider putting at least a thousand bucks in Swisscoin immediately. This could quickly turn into enough money to buy a new house, or at the very least a new car.
For those of you who already have bitcoins, all you need to do is open an account at coinexchange.io (this is the url/website, and it takes 1 minute to get setup), transfer some btc to your new account and buy SIC (Swisscoin).
For those of you who are still clueless about Cryptos, the process will be a little bit longer but well worth it.
Open an account at a large exchange such as Coinbase dot com or Coinmama dot com, then add some fund using your credit/debit card or Paypal.
That's the fastest way, but you will be limited to a few hundred bucks at most. It should be enough to get you quickly started but consider adding more funds using a bank transfer so that you can really have skin in the game.
Remember, every thousand bucks of SIC you buy today could easily turn into 500,000 by this time next year.

Not Just a Spam Email

One of the interesting things about Necurs and the people behind it is that they have in the past seemed to take holidays, leaving the botnet inactive for a period. The end of 2017 and beginning of 2018 was no different. Again Necurs was inactive for two weeks over December and January, as if the operators also celebrate the end-of-year holiday period. Once the break was over, Necurs was active again from January 10, not just sending spam emails in an attempt to influence the market but also sending spam emails carrying the GlobeImposter ransomware. This campaign is defined by the use of emails that will entice, persuade, scare or shock a recipient to read the email and open the attachment.

We can only speculate as to why the people behind Necurs chose a lesser-known cryptocurrency that may turn out to be a Ponzi scheme to try a pump and dump. Perhaps the operators were inspired by cyber security guru John McAfee. For the past few weeks, the founder of the McAfee cyber-security firm has been promoting various cryptocurrencies in what he calls "Coin of the Day" tweets. The cryptocurrencies McAfee promotes on his Twitter account almost always see a huge price spike that many users have exploited to dump coins at higher prices. Numerous forum threads, tweets, and blogs have gone so far as to accuse McAfee of contributing to pump and dumps of the altcoin in question. McAfee believes that such volatility cannot be generated solely by himself and believes such spikes are a result of automated trading bots working off of his advice. Regardless, this has left many more than a little angry when a tweet seems to result in the loss in value of something they have invested in.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
