Scammers are on pace to steal nearly $1 million USD from unsuspecting users through a popular decentralized finance protocol, Uniswap, by abusing YouTube to promote a fake SpaceX coin as part of ads appearing before and during cryptocurrency videos.
Background
In early May, scammers compromised Twitter and YouTube accounts to promote a series of cryptocurrency scams ahead of Tesla and SpaceX founder Elon Musk’s appearance on Saturday Night Live, stealing over $10 million dollars in Bitcoin, Ethereum and Doge tokens. The scams conducted via YouTube were the most successful, resulting in a theft of over $9 million dollars.
Please note that both “tokens” and “coins” are used interchangeably to describe cryptocurrency like Bitcoin, Ethereum, Dogecoin, and many others.
Since the end of May, scammers have stolen over $430,000 in cryptocurrency from unsuspecting users by purchasing advertising space on YouTube cryptocurrency videos to promote a fake SpaceX coin (or $SpaceX token) claiming to be created by Musk. At the time this blog post was published, the scammers had one ongoing campaign that, once complete, would potentially increase the total amount of stolen cryptocurrency to nearly $1 million.
Analysis
As early as May 22, YouTube advertisements designed to scam users out of their cryptocurrency appeared before or during videos about cryptocurrency from popular creators in the space. The advertisements featured a variety of unrelated videos of Musk, who’s garnered much attention for his support of cryptocurrencies like Bitcoin and Dogecoin in recent months.
![]()
Breaking down the template
The advertisements are three to five minutes long and feature a template that includes a falsified tweet at the top from Elon Musk that claims he’s launching his own cryptocurrency called $SpaceX.
![]()
Within the same template is a description section, featuring a header with the Tesla logo. The description says “Elon Musk is launching his own cryptocurrency, $SpaceX.” The purpose of the coin, the scam advertisement claims, is to “take everyone to mars and make human life possible there.” Finally, they add that for each transaction involving the $SpaceX coin, a donation will be made “towards space research companies” in order to “help Elon’s mission.”
![]()
The embedded video in the advertisement above is a clip from Elon’s interview for the Computer History Museum and KQED’s “Revolutionaries” from 2013. The scammers use various videos of Musk indiscriminately in these YouTube ads.
Videos hosted on compromised YouTube accounts
These advertisements are hosted on compromised YouTube accounts.
![]()
When they appear, the name of the user associated with the advertisement is visible.
![]()
When browsing the user’s profile, we see that this user joined YouTube in August, 2011. Many of the accounts I encountered were created between 10-12 years ago. In this instance, there are no other videos associated with the account, except for the one used in the scam advertisement, but that may vary. It is likely these are dormant YouTube accounts, which scammers were able to compromise to promote their dodgy advertisements.
We reached out to YouTube to share our findings prior to publication, but we did not receive a response.
Same template used in previous YouTube Live scam campaign
These advertisements leverage the same template I saw being used in the SNL-themed Musk scams from earlier in May, including the Tesla logo.
![]()
In the YouTube ads regarding the supposed SpaceX coin announcement, you would think the scammers might have swapped in the SpaceX logo instead of keeping the Tesla logo, but it appears they just copied the template outright.
Users directed to multiple websites
The YouTube ads themselves do not contain a direct link to a website. Instead, they advertise the website in another section of the template. During my analysis, I found at least twelve different websites being promoted through these fake YouTube advertisements, which include:
| Domain | Registrar | Registered |
|---|
| buyspacex.com | NameCheap, Inc. | May 21, 2021 |
| buyspx.com | NameCheap, Inc. | May 27, 2021 |
| getspx.com | NameCheap, Inc. | May 29, 2021 |
| spxlaunch.com | NameCheap, Inc. | May 29, 2021 |
| spacexbuy.com | REG.RU LLC | May 30, 2021 |
| officialspx.com | REG.RU LLC | June 1, 2021 |
| missionspx.com | REG.RU LLC | June 2, 2021 |
| spacexsale.com | REG.RU LLC | June 3, 2021 |
| salespacex.com | REG.RU LLC | June 9, 2021 |
| buyspxcoin.com | REG.RU LLC | June 15, 2021 |
| muskspx.com | REG.RU LLC | June 16, 2021 |
| falconspacex.com | REG.RU LLC | June 17, 2021 |
Please note this may not be an exhaustive list of all domains used in these campaigns.
Websites include step-by-step directions on installing MetaMask and using Uniswap
The websites used in this campaign were designed using Telegram’s anonymous blogging platform, Telegra.ph.
![]()
To get users to purchase the fraudulent $SpaceX coins, the scammers include a step-by-step walkthrough on how to install MetaMask, a popular browser-based wallet used by millions of users, on their computers. I verified that the scammers are linking to the legitimate MetaMask extension for Google Chrome instead of a fake extension.
![]()
From there, the website instructs users to click on a customized link to Uniswap, a popular decentralized exchange (DEX) in the world of decentralized finance (DeFi) protocols. As a DeFi protocol, Uniswap allows cryptocurrency holders to exchange (or swap) tokens on the platform without a centralized entity being involved, hence the decentralized nature. At the same time, the lack of a central authority is one of the reasons why these scams are able to operate successfully.
Uniswap allows individuals to create their own tokens to be tradeable on the platform. In this instance, the scammers are linking users to Uniswap to import a fraudulent $SpaceX token contract that they created.
![]()
When attempting to import the $SpaceX token, Uniswap’s interface provides a warning that it “doesn’t appear on the active token list(s)” but only cautions the user to ensure “this is the token that you want to trade.”
The walkthrough includes several screenshots on how users can swap their Ethereum tokens in exchange for the alleged $SpaceX coin. It also includes guidance on how to ensure the coins are visible within the MetaMask wallet.
![]()
At least three fake $SpaceX coins in circulation
Across the twelve websites I encountered, I observed three different contracts for $SpaceX coins. During this research, seven were pointing to the same $SpaceX token contract, which I will refer to as Alpha, while two sites, spxlaunch.com and salespacex.com, pointed to two separate $SpaceX token contracts, which I will refer to as Beta and Gamma. However, since the Alpha campaign ended on June 13, the remaining sites are now pointing to the Gamma campaign.
Swept up by a Rug Pull: How users end up holding worthless tokens
Conventional cryptocurrency scams ask users to send cryptocurrency to a specific address in order to “double” their money, which never happens. However, this scam is actually quite nefarious. It creates a sense of legitimacy through the use of a notable DEX platform like Uniswap, an actual token smart contract, and the visual confirmation of tokens appearing within a user’s MetaMask wallet. So how do users get scammed through fake tokens? It’s a concept known as a rug pull.
In order to list and facilitate the trading of the fraudulent $SpaceX coin on Uniswap, the scammers have to provide some liquidity.
![]()
Across the three token contracts I encountered, scammers provided a total liquidity of 60 Ethereum coins (20 for each contract) at a combined value of $146,300.44 at the time of funding.
As users purchase the coins on Uniswap, they add to the liquidity of the $SpaceX contract. At some point, the scammers behind this operation will remove the liquidity from the contract, thus “pulling the rug” on those who own the $SpaceX coins, making them worthless.
Honeypotting: Users locked in with their purchase of the fraudulent $SpaceX coins
![]()
Recently, a user that purchased $SpaceX coins associated with the Alpha contract, posted on the Uniswap subreddit saying they weren’t able to swap their coins back to Ethereum. This is another concept known as honeypotting in the cryptocurrency space. It is different from the traditional use of the term in the cybersecurity space, which is focused on trapping bad actors. What it means in this context is that unsuspecting users are drawn into investing in this fake $SpaceX coin, but the contract created by the scammers was designed to prevent users from being able to swap their coins back to Ethereum. The only address capable of moving funds out of the contract is the creator. So even if the scammers don’t pull the rug right away, current $SpaceX coin holders are unable to get their funds back anyway.
Scammers purposely burned coins from the contract
When these fake $SpaceX contracts were created, the scammers minted 1 billion coins (1,000,000,000) in each contract and added liquidity to the contract for 200 million (200,000,000) coins. The scammers also burned 800 million (800,000,000) $SpaceX coins for each contract by sending the coins to wallets for popular exchanges like Vb, Binance and Huobi.
![]()
Since these fraudulent $SpaceX coins aren’t listed on any of these exchanges, the coins sent to these wallets cannot be returned and are lost forever, effectively burning them from the supply. My understanding is that through burning these coins, the scammers are reducing the supply of available coins, thus driving up the perceived price of the $SpaceX coin.
Fake comments seeded on Etherscan pages
Etherscan, one of the most popular blockchain explorers for the Ethereum network, is often where cryptocurrency enthusiasts go to obtain information, such as activity related to various Ethereum-based projects. In the case of the fraudulent $SpaceX contracts, scammers have seeded the comments section of these pages with fake social proof.
![]()
The intention behind flooding these pages with fake social proof is to ensure that any comments calling out the fraudulent nature of the $SpaceX coins get lost in the noise.
Fake $SpaceX coin rug pulls have earned the scammers over $430,000 thus far, with potential to earn nearly $1 million
Across three of the fake $SpaceX contracts I encountered, two have already completed their rug pulls. The following graph shows a breakdown of the liquidity provided by the scammers, the amount of liquidity removed from the contracts and the difference (profit) they made from their scams.
![]()
At the time this blog post was published, the Alpha and Beta campaigns had ended and the Gamma campaign was still active. These figures reflect data collected up until June 21, 2021, but do not include any additional funds sent to the Alpha and Beta contract post liquidation.
The Alpha campaign began on May 22 and concluded on June 13 and netted the scammers a profit of over $403,000. Through the Beta campaign, which operated from May 29 through June 9, the scammers profited off unsuspecting users to the tune of nearly $28,000. The Gamma campaign, which began operating on June 9 and was ongoing at the time this blog post was published, has seen a high volume of activity already, earning the scammers an estimated $543,000. This means the scammers are set to make another six figure sum from this campaign once they pull the rug, bringing the total cryptocurrency they’ve stolen to nearly $1 million.
One caveat: the scammers likely send additional funds to these contracts to make them appear more legitimate so the figures listed could be partially inflated by the scammers’ own funds.
DeFi protocols are rife with rug pulls and honeypots
While DeFi protocols on Ethereum (such as Uniswap and SushiSwap) or those on the Binance Smart Chain (BSC) (like Pancakeswap) facilitate a new era of investments on the blockchain, the decentralization of these platforms means that scammers have free reign. With traditional forms of finance like banks, which are centralized, stolen funds can potentially be recaptured and returned to victims. However, on the blockchain, stolen funds are lost with little to no recourse on recovery, and in the world of DeFi, it is an unfortunate tradeoff that exists within the protocol. As a result, terms like “rug pulls” and “honeypots” have become part of the dialogue within DeFi.
The reason this particular campaign stands out is that it didn’t rely on promotion through Telegram channels or social media, but it rode the wave of success scammers have found through YouTube. It did so by leveraging the existing infrastructure of YouTube Ads to identify their target demographic of cryptocurrency enthusiasts and get their ads in front of thousands of viewers. Many new cryptocurrency investors look to YouTube channels for news and guidance, so it’s an ideal channel for promoting a fake coin.
How cryptocurrency enthusiasts can protect themselves from fraudulent coins
Remember to DYOR: Cryptocurrency enthusiasts may be familiar with the acronym DYOR, which stands for Do Your Own Research. It is a common refrain within the community for good reason. It is vital for potential investors to do their own research before investing in any asset, especially in the cryptocurrency space.
Look for cautionary signs when using a DEX: While DEXes like Uniswap and SushiSwap operate autonomously, they have put up some roadblocks for users when interacting with their services.
As I discussed earlier, Uniswap displays a limited warning about the scam token not appearing on active token lists. It also adds a banner of “Unknown Source” when displaying the address for the contract. Users should see this as a red flag before importing the token contract and swapping it for their cryptocurrency. While not every coin on Uniswap will appear on an active token list, investors should be wary of a token when they see this warning.
Be wary of fake coins for real projects: While there is no such thing as a $SpaceX coin, potential investors should also be wary of fake coins for real projects. There is a low barrier to entry to create a token contract on the Ethereum network using the same name as a real project.
Look for official announcements from the creators of these projects. They will typically share details about the release of a token contract as well as what the verified contract address is prior to deployment.
When in doubt, sit this one out: There’s a pent up demand to try to capitalize gains on new and emerging coins in the cryptocurrency space. However, if you have even the slightest bit of doubt about the legitimacy of a coin or project, even after you DYOR, it’s probably best to sit this one out. The potential losses that stem from investing in fake coins and projects can be significant, so it’s better to miss out on a potential opportunity than to find yourself holding onto worthless tokens in your wallet.
Related articles
Join Tenable's Security Response Team on the Tenable Community.
