The Increasing Sophistication of TikTok Crypto Scammers

Ceroxylon
3 min read · May 3, 2022

The rise of TikTok has been swift and seemingly unstoppable, due to an algorithm that digs up and connects dots better than a private investigator — that is a topic for another post.

Here we focus on the users, or rather a subset of users that exist within a niche akin to the “thot bots”… the crypto scammers.

Let’s start at the beginning. I first noticed them on the MetaMask subreddit in late 2020, when a user had posted lamenting about how someone pretending to be MetaMask customer service had completely drained their wallet. MetaMask had no such customer service, nor access to the person’s email, but they still sent the scammer their private key, losing everything almost immediately.

I had a chill run down my spine when I realized I was probably not the only person who thought “Huh, that seems like really easy money”. Morality kicked in and I hoped that the post would not get traction, letting the idea slip from my mind. The next day, a couple more people emerged with the exact same story. Then came an exponential onslaught of people with that story; because each retelling inspired copycats and the tactic was trivially easy to deploy, the phishing attacks quickly became rampant.

These days, every comment section on the subreddit is nearly unreadable due to the huge automatic text walls that warn you not to get scammed, but still to this day, people tell stories of giving away their passphrases. Things only improved in the sense that the default phishing story of being customer support got spread around, so the scammers moved on to other methods, which brings us to the point of this post.

Nefarious links, deepfake stories, SIM swapping… the proverbial cat is out of the bag now that the low-hanging fruit of simple phishing has been rinsed and repeated into the collective consciousness. But there is one particularly sinister play — using the same avatar and a username that differs by a single letter to pretend to be a known and trusted figure, disarming the target so they go through the motions of getting scammed.

These started out as basic as you’d imagine, by spamming you in every comment section to call them on WhatsApp (and still do, TikTok please fix your app). Recently, I have noticed the attack get exponentially more sophisticated, via the “long con” (cue the ragtime music from The Sting).

The long con is in no hurry, the long con does not reveal its hand, and the long con polishes every corner before making the attempt. Not only are they hijacking the identities of these influencers, they are building accounts that directly mirror their avatar, bio, and content, and then simply following people like me, slowly and steadily building their account.

These advanced ones make me do a double take nearly every time — “Wait, what? I thought we were mutuals… hold on a second… oh, clone account.” These accounts are carefully crafted and marketed to fly under the radar until they can pass the “level 2” scrutiny of a casually suspicious person. They convince real humans to follow them; the curve of sophistication is worrying — but how to combat it?

As I mentioned in the beginning, education can often lead to inspiration of the worst kind, by becoming a playbook for future scammers.

Still, I think it is worth it to drill the basic protections, as they are useful inside and outside niches on TikTok. Critical thinking, not rushing through an exciting moment, copy-pasting into a nice serifed font that can easily show the difference between l, i, and 1, feeding suspicious links to https://any.run, as well as a few other scam avoidance tactics can go a long way. These will probably get their own post.
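The “one letter different” clone handles described above, and the serifed-font trick for telling l, i and 1 apart, can be turned into a mechanical check. The following is an added example and not code from the original post: it folds confusable glyphs to one canonical form and then measures edit distance against a constructed list of handles you actually trust; the handle names, confusable table and distance threshold are assumptions for illustration.

```python
"""Flag lookalike handles that impersonate known, trusted accounts.

Added example, not from the original post. Trusted handles, the
confusable table and the threshold below are illustrative assumptions.
"""
from __future__ import annotations

# Glyphs that look alike in many sans-serif UI fonts (the reason the post
# suggests pasting handles into a serifed font), folded to one form.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o", "5": "s", "3": "e", "8": "b", "2": "z",
    "_": "", ".": "", "-": "",
})

def normalize(handle: str) -> str:
    """Lower-case, strip a leading @, and fold confusable glyphs."""
    return handle.lower().lstrip("@").translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(handle: str, trusted: list[str], max_dist: int = 1) -> tuple[str, str | None]:
    """("trusted", h) on an exact match; ("lookalike", h) when the folded
    handle is within max_dist edits of, or merely extends, a trusted handle
    (e.g. an added "official" suffix); otherwise ("unknown", None)."""
    plain = handle.lower().lstrip("@")
    for t in trusted:
        if plain == t.lower().lstrip("@"):
            return ("trusted", t)
    norm = normalize(handle)
    for t in trusted:
        tn = normalize(t)
        if edit_distance(norm, tn) <= max_dist or norm.startswith(tn):
            return ("lookalike", t)
    return ("unknown", None)

# Constructed sample data: handles you follow, and handles seen in a comment section.
TRUSTED = ["@crypto_carla", "@defi.dan"]
SEEN = ["@crypto_carla", "@crypt0_carla", "@cryptocarIa", "@defi.dan.official", "@randomviewer"]

if __name__ == "__main__":
    for h in SEEN:
        print(h, classify(h, TRUSTED))
```

A miss on a lookalike is still possible when a clone changes more than one letter, so the check supplements, rather than replaces, looking at the account’s age and history.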

Hopefully as a community we will strive to build protections that avoid these avenues of attack, as well as be on the lookout for the next evolution of social engineering.
