
The anatomy of a crypto pump-and-dump scam on X

Joel Latto

While Community Notes and automatic filtering generally do a good job of keeping X timelines scam-free, cyber criminals use certain techniques to evade these countermeasures. We spotted such techniques being used for a pump-and-dump scheme: a crypto scam in which investors are manipulated into buying an artificially inflated token before the organizers sell off their holdings, so that only a few insiders benefit.

The simplest of these is directly tagging users in scam posts. A mention lands in the tagged user's notifications even if the scam account has already been flagged and shadowbanned by X's automatic detection systems, so the post reaches its target without ever surfacing in a timeline. In this article I will analyze one such crypto scam, point out all the red flags that mark it as a scam, and finally map it to the F-Secure Scam Kill Chain.

OSINT verdict: a spam bot in action

A screenshot of the original scam post on X

Let’s begin by analyzing the spammer’s account:

  • Features a common first name ("ARTHUR") paired with a random numeric string (001624779), a standard pattern for bot-generated handles in scam networks because it lets accounts be created quickly and in bulk.

  • NFT-style avatar to fit in with the crypto crowd.

  • 250 posts in less than 12 hours, i.e. more than 20 posts per hour sustained. Way beyond normal human posting cadence.

  • The posts promote a Telegram channel.

  • 0 followers and 0 following. Neither is needed for this scam, because the posts reach their targets through mentions rather than through a follower graph.

  • Blank bio, no profile link, no location, no banner image. On its own, this isn’t conclusive, but it strengthens the case that this is a quickly created bot account.

Using a custom prompt to do light OSINT analysis of the account with xAI's Grok, which has direct access to a lot of X data, returned a verdict with a stated 96% confidence that @ARTHUR001624779 is highly likely a disposable bot deployed for mass-spamming crypto pump-and-dump promotions. A model's self-reported confidence is not a calibrated probability, so read the number as a summary of the signals listed above rather than as a measurement. Personally, I'd give the same verdict with even higher confidence.
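The same account signals can be turned into a deterministic triage score that does not depend on an LLM's confidence number. The following is an added example, not code from the original article or from F-Secure: it scores a constructed profile snapshot modelled on the bullets above against a constructed control account. The field names, the timestamps, the handle regex, the posting-rate ceiling and the weights are all this example's own assumptions; only the handle, the 250-posts-in-under-12-hours cadence, the zero follower and following counts, the empty profile fields and the Telegram promotion come from the article.

```python
import re
from datetime import datetime, timezone

# Constructed profile snapshots (assumption: scraped from the public profile
# page; the timestamps are invented to reproduce "250 posts in under 12 hours").
SUSPECT = {
    "handle": "ARTHUR001624779",
    "post_count": 250,
    "first_post": datetime(2025, 1, 1, 6, 0, tzinfo=timezone.utc),
    "last_post": datetime(2025, 1, 1, 17, 30, tzinfo=timezone.utc),
    "followers": 0,
    "following": 0,
    "bio": "",
    "url": "",
    "location": "",
    "has_banner": False,
    "sample_posts": ["The BIGGEST #Crypto #PUMP is here! Join @premium_pump_signal on Telegram"],
}
CONTROL = {  # an ordinary, long-lived account for comparison (constructed)
    "handle": "alice_sec",
    "post_count": 1200,
    "first_post": datetime(2022, 3, 10, 9, 0, tzinfo=timezone.utc),
    "last_post": datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc),
    "followers": 340,
    "following": 512,
    "bio": "Security researcher. Opinions my own.",
    "url": "https://example.com",
    "location": "Helsinki",
    "has_banner": True,
    "sample_posts": ["New blog post on token hardening is up."],
}

# <first name><long run of digits>: the bulk-creation handle pattern (assumed regex).
HANDLE_RE = re.compile(r"^[A-Za-z]{2,15}\d{5,}$")
# A Telegram channel mention or invite link in the post text.
TELEGRAM_RE = re.compile(r"telegram|t\.me/", re.IGNORECASE)
POSTS_PER_HOUR_LIMIT = 10.0  # assumed ceiling for sustained human posting


def posts_per_hour(acct):
    hours = (acct["last_post"] - acct["first_post"]).total_seconds() / 3600
    return acct["post_count"] / max(hours, 1.0)  # guard against a zero-width burst window


def triage(acct):
    """Return (score, triggered_signal_names) for one account snapshot."""
    signals = [
        ("bulk-pattern handle", 2, HANDLE_RE.match(acct["handle"]) is not None),
        ("inhuman posting cadence", 3, posts_per_hour(acct) > POSTS_PER_HOUR_LIMIT),
        ("no social graph", 2, acct["followers"] == 0 and acct["following"] == 0),
        ("empty profile", 1, not (acct["bio"] or acct["url"] or acct["location"] or acct["has_banner"])),
        ("promotes Telegram channel", 2, any(TELEGRAM_RE.search(p) for p in acct["sample_posts"])),
    ]
    triggered = [name for name, _, hit in signals if hit]
    score = sum(weight for _, weight, hit in signals if hit)
    return score, triggered


def verdict(acct, threshold=6):
    """Label the account; the threshold is an assumed cut-off, not a measured one."""
    score, triggered = triage(acct)
    label = "likely disposable spam bot" if score >= threshold else "no bot verdict"
    return label, score, triggered
```

No single signal here is conclusive (the article says as much about the empty profile); the point of weighting them is that a verdict requires several independent signals to co-occur, which is exactly what the suspect account does and the control account does not.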

Dissecting the message

Next, looking carefully at the message, we can see that both hashtags involve homograph obfuscation: Cyrillic characters in "#Сryрtо" and "#РUMР" visually mimic "#Crypto" and "#Pump". These homographs (here Cyrillic 'С' for Latin 'C', 'р' for 'p' and 'Р' for 'P') are a known tactic in phishing and spam campaigns: a keyword filter looking for the ASCII strings "crypto" or "pump" never matches, while the text looks perfectly normal to a human reader. As a side note, the post starts with an emoji, which is often a telltale sign of AI-generated content.
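To see why a naive keyword filter misses these hashtags and how a filter can catch them anyway, here is an added example (not code from the article or from F-Secure). It reconstructs the two hashtags with explicit Unicode code points, shows that a substring match fails, then detects them by checking for mixed Latin/Cyrillic scripts and by folding look-alike characters onto their Latin twins before matching. The small confusables table is this example's own excerpt; a production filter would load the full Unicode confusables data (UTS #39) instead.

```python
import re
import unicodedata

# Constructed sample modelled on the spam post. The hashtags are written with
# explicit code points so the Cyrillic letters survive copy and paste:
#   "#Сryрtо" = Cyrillic Es + r + y + Cyrillic er + t + Cyrillic o
#   "#РUMР"   = Cyrillic Er + U + M + Cyrillic Er
SAMPLE_POST = "The BIGGEST #\u0421ry\u0440t\u043e #\u0420UM\u0420 is here! Join the action!"

# Minimal hand-written confusables table (assumption: an excerpt, not the full
# UTS #39 data). Keys are Cyrillic letters, values their Latin look-alikes.
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a",
    "\u0412": "B", "\u0421": "C", "\u0441": "c",
    "\u0415": "E", "\u0435": "e",
    "\u041d": "H", "\u041a": "K", "\u041c": "M",
    "\u041e": "O", "\u043e": "o",
    "\u0420": "P", "\u0440": "p",
    "\u0422": "T", "\u0425": "X", "\u0445": "x",
    "\u0443": "y", "\u0456": "i", "\u0458": "j",
}

HASHTAG_RE = re.compile(r"#\w+")   # \w is Unicode-aware in Python 3, so Cyrillic letters match
KEYWORDS = {"#crypto", "#pump"}    # terms a keyword filter would block


def script_of(ch):
    """First word of the Unicode character name: 'LATIN', 'CYRILLIC', ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(text):
    """Fold each known confusable onto its Latin look-alike; leave the rest as is."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyse_hashtag(tag):
    body = tag[1:]
    scripts = sorted({script_of(ch) for ch in body if ch.isalpha()})
    return {
        "tag": tag,
        "codepoints": [f"U+{ord(ch):04X}" for ch in body],
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "skeleton": "#" + skeleton(body),
    }


def naive_keyword_hits(text, keywords=KEYWORDS):
    """What a plain substring filter sees: lower-casing does not turn Cyrillic into Latin."""
    lowered = text.lower()
    return sorted(k for k in keywords if k in lowered)


def flag_post(text, keywords=KEYWORDS):
    """Match keywords on the confusable-folded skeleton and report whether the tag was obfuscated."""
    hits = []
    for tag in HASHTAG_RE.findall(text):
        info = analyse_hashtag(tag)
        if info["skeleton"].lower() in keywords:
            info["obfuscated"] = info["mixed_script"]
            hits.append(info)
    return hits
```

Note that Unicode normalization (NFC/NFKC) is not a fix: Cyrillic Es and Latin C are distinct letters, not compatibility variants, so the normalized text is byte-for-byte the same as the input. Script mixing inside a single token is the cheap, high-precision signal; skeleton folding is what lets the existing keyword list keep working.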

The bot account keeps spamming the same identical message but tagging seemingly random accounts in every post. This time they tagged @FSecure – a big mistake.

More scam warning signs on the Telegram channel

At this point we can be pretty certain about the nature of this scam. However, I peeked at the promoted Telegram channel just in case, and immediately noticed more red flags.

A screenshot from the Telegram channel
  • Exaggerated claims of trust and ranking conflict directly with the number of public subscribers the channel actually has.

  • “This is not a typical pump-and-dump scheme” is, ironically, one of the biggest red flags. You’d be surprised how many scams begin with “This is not a scam”!

  • The scammer’s instructions forbid participants from using major exchanges such as Coinbase. The scammer even admits that “popular exchanges often detect pumps and counteract them”.

  • The scammer provides a referral code for their preferred trading platform. This is essentially a secondary revenue stream: they earn a referral cut on every participant they sign up, regardless of how the pump goes.

  • VIP / premium membership is another way of taking users’ money or crypto without having to provide anything in return.

Additionally, these kinds of scams can also involve malicious links or fake wallets. This layered approach maximizes the scammer’s chances of making a profit from each victim.

Mapping to F-Secure Scam Kill Chain

1. Reconnaissance and Target Acquisition

  • In this scam, perpetrators likely identify potential victims by targeting crypto enthusiasts on platforms like X, using automated tools to scrape user data from public posts, profiles, or hashtags related to trading (e.g., scanning for users engaging with #Crypto or similar terms).

  • Demographics focus on tech-savvy individuals interested in quick gains, with target lists built from open sources like X interactions or crypto forums.

  • Emotional manipulation begins subtly here through baits that exploit greed and curiosity about "insider" opportunities.

2. Resource Development

  • Scammers develop resources such as bot accounts on X (e.g., @ARTHUR001624779 with generic profiles and NFT avatars), obfuscated spam messages (using homographs like "#Сryрtо" to evade detection), and the Telegram channel (@premium_pump_signal) with hyped bios claiming "trusted by 10,000+ traders."

  • They acquire infrastructure like Telegram groups and referral-linked exchanges (e.g., cex-trade.com), crafting bait posts with flame emojis and urgency to build credibility.

  • Emotional manipulation at this stage involves creating FOMO (fear of missing out) through exaggerated promises of massive profits.

3. Victim Contact and Engagement

  • Contact occurs via X spam posts that tag random users and urge them to join the Telegram channel with phrases like "The BIGGEST #Crypto #PUMP is here! Join the action!"

  • On the channel, engagement ramps up with announcements and FAQs denying scam risks while promising exclusive signals. Emotional manipulation is key here, using scarcity/urgency (e.g., countdowns to pumps) and peer pressure (implied community of "10,000+ traders") to hook victims into believing they're part of a winning group.

4. Persistence of Scam

  • The channel maintains engagement through psychological tactics like gradual commitment (e.g., starting with free signals to build trust, then pushing VIP access for >0.1 BTC), positive reinforcement (boasting past "500-700%" gains), and community building (e.g., asking members to turn notifications on to stay "tuned" for updates).

  • Obfuscation and platform shifts (from X to Telegram) help avoid detection; emotional manipulation shines via likeability/seduction (portraying admins as helpful "insiders") and reciprocity (offering "bonuses" via referrals to create obligation).

5. Access and Exfiltrate Information

  • Victims divulge info by joining the channel, following signals to buy on specified exchanges, and potentially sharing wallet details or signing up with referrals.

  • Scammers may deploy malware via linked sites or impersonate support in DMs (@Chris_Crypto) to steal credentials.

  • Account takeovers could occur through phishing.

  • Emotional manipulation exploits greed and urgency, pressuring quick actions without verification to extract data or funds indirectly.

6. Lateral Movement

  • Scammers create growth by encouraging victims to promote the channel (e.g., via referral bonuses for inviting contacts), compromising additional accounts through phishing on the exchange, or leveraging victim access (e.g., using shared signals to expand the pump's reach).

  • Spam bots tag unrelated users on X to widen the net.

  • Emotional manipulation uses community building and peer pressure, making victims feel part of an elite group that should recruit others for mutual gains.

7. Monetization

  • Scammers profit by pre-buying the coin, hyping the pump to inflate prices via coordinated victim buys, then dumping holdings at peak for gains, leaving recruits with losses.

  • Indirect transfers occur through referral fees or exchange cuts.

  • Emotional manipulation culminates in greed exploitation, with false narratives of "massive success" (e.g., "500-700% peaks") driving investments before the rug pull.


While these tactics may seem obvious when broken down, they remain surprisingly effective at scale. Platforms like X have introduced Community Notes to help users identify misleading content, and Telegram has started cracking down on criminal use of its service. We covered both of these developments in F-Alert, February 2025.