
Tenable Blog


Elon Musk and YouTube Advertising Scams: Fake SpaceX “Coin” Promoted in Ads During Cryptocurrency Videos

Scammers are on pace to steal nearly $1 million USD from unsuspecting users through a popular decentralized finance protocol, Uniswap, by abusing YouTube to promote a fake SpaceX coin as part of ads appearing before and during cryptocurrency videos.


In early May, scammers compromised Twitter and YouTube accounts to promote a series of cryptocurrency scams ahead of Tesla and SpaceX founder Elon Musk’s appearance on Saturday Night Live, stealing over $10 million in Bitcoin, Ethereum and Doge tokens. The scams conducted via YouTube were the most successful, resulting in a theft of over $9 million.

Please note that both “tokens” and “coins” are used interchangeably to describe cryptocurrency like Bitcoin, Ethereum, Dogecoin, and many others.

Since the end of May, scammers have stolen over $430,000 in cryptocurrency from unsuspecting users by purchasing advertising space on YouTube cryptocurrency videos to promote a fake SpaceX coin (or $SpaceX token) claiming to be created by Musk. At the time this blog post was published, the scammers had one ongoing campaign that, once complete, would potentially increase the total amount of stolen cryptocurrency to nearly $1 million.


As early as May 22, YouTube advertisements designed to scam users out of their cryptocurrency appeared before or during videos about cryptocurrency from popular creators in the space. The advertisements featured a variety of unrelated videos of Musk, who’s garnered much attention for his support of cryptocurrencies like Bitcoin and Dogecoin in recent months.

Breaking down the template

The advertisements are three to five minutes long and feature a template that includes a falsified tweet at the top from Elon Musk that claims he’s launching his own cryptocurrency called $SpaceX.

Within the same template is a description section, featuring a header with the Tesla logo. The description says “Elon Musk is launching his own cryptocurrency, $SpaceX.” The purpose of the coin, the scam advertisement claims, is to “take everyone to mars and make human life possible there.” Finally, they add that for each transaction involving the $SpaceX coin, a donation will be made “towards space research companies” in order to “help Elon’s mission.”

The embedded video in the advertisement above is a clip from Elon’s interview for the Computer History Museum and KQED’s “Revolutionaries” from 2013. The scammers use various videos of Musk indiscriminately in these YouTube ads.

Videos hosted on compromised YouTube accounts

These advertisements are hosted on compromised YouTube accounts.

When they appear, the name of the user associated with the advertisement is visible.

When browsing the user’s profile, we see that this user joined YouTube in August 2011. Many of the accounts I encountered were created 10 to 12 years ago. In this instance, there are no other videos associated with the account, except for the one used in the scam advertisement, but that may vary. It is likely these are dormant YouTube accounts, which scammers were able to compromise to promote their dodgy advertisements.

We reached out to YouTube to share our findings prior to publication, but we did not receive a response.

Same template used in previous YouTube Live scam campaign

These advertisements leverage the same template I saw being used in the SNL-themed Musk scams from earlier in May, including the Tesla logo.

In the YouTube ads regarding the supposed SpaceX coin announcement, you would think the scammers might have swapped in the SpaceX logo instead of keeping the Tesla logo, but it appears they just copied the template outright.

Users directed to multiple websites

The YouTube ads themselves do not contain a direct link to a website. Instead, they advertise the website in another section of the template. During my analysis, I found at least twelve different websites being promoted through these fake YouTube advertisements, which include:

| Domain | Registrar | Registered |
| --- | --- | --- |
| buyspacex.com | NameCheap, Inc. | May 21, 2021 |
| buyspx.com | NameCheap, Inc. | May 27, 2021 |
| getspx.com | NameCheap, Inc. | May 29, 2021 |
| spxlaunch.com | NameCheap, Inc. | May 29, 2021 |
| spacexbuy.com | REG.RU LLC | May 30, 2021 |
| officialspx.com | REG.RU LLC | June 1, 2021 |
| missionspx.com | REG.RU LLC | June 2, 2021 |
| spacexsale.com | REG.RU LLC | June 3, 2021 |
| salespacex.com | REG.RU LLC | June 9, 2021 |
| buyspxcoin.com | REG.RU LLC | June 15, 2021 |
| muskspx.com | REG.RU LLC | June 16, 2021 |
| falconspacex.com | REG.RU LLC | June 17, 2021 |

Please note this may not be an exhaustive list of all domains used in these campaigns.

Websites include step-by-step directions on installing MetaMask and using Uniswap

The websites used in this campaign were designed using Telegram’s anonymous blogging platform, Telegra.ph.

To get users to purchase the fraudulent $SpaceX coins, the scammers include a step-by-step walkthrough on how to install MetaMask, a popular browser-based wallet used by millions of users, on their computers. I verified that the scammers are linking to the legitimate MetaMask extension for Google Chrome instead of a fake extension.

From there, the website instructs users to click on a customized link to Uniswap, a popular decentralized exchange (DEX) in the world of decentralized finance (DeFi) protocols. As a DeFi protocol, Uniswap allows cryptocurrency holders to exchange (or swap) tokens on the platform without a centralized entity being involved, hence the decentralized nature. At the same time, the lack of a central authority is one of the reasons why these scams are able to operate successfully.

Uniswap allows individuals to create their own tokens to be tradeable on the platform. In this instance, the scammers are linking users to Uniswap to import a fraudulent $SpaceX token contract that they created.

When attempting to import the $SpaceX token, Uniswap’s interface provides a warning that it “doesn’t appear on the active token list(s)” but only cautions the user to ensure “this is the token that you want to trade.”

The walkthrough includes several screenshots on how users can swap their Ethereum tokens in exchange for the alleged $SpaceX coin. It also includes guidance on how to ensure the coins are visible within the MetaMask wallet.

At least three fake $SpaceX coins in circulation

Across the twelve websites I encountered, I observed three different contracts for $SpaceX coins. During this research, seven were pointing to the same $SpaceX token contract, which I will refer to as Alpha, while two sites, spxlaunch.com and salespacex.com, pointed to two separate $SpaceX token contracts, which I will refer to as Beta and Gamma. However, since the Alpha campaign ended on June 13, the remaining sites are now pointing to the Gamma campaign.

Swept up by a Rug Pull: How users end up holding worthless tokens

Conventional cryptocurrency scams ask users to send cryptocurrency to a specific address in order to “double” their money, which never happens. However, this scam is actually quite nefarious. It creates a sense of legitimacy through the use of a notable DEX platform like Uniswap, an actual token smart contract, and the visual confirmation of tokens appearing within a user’s MetaMask wallet. So how do users get scammed through fake tokens? It’s a concept known as a rug pull.

In order to list and facilitate the trading of the fraudulent $SpaceX coin on Uniswap, the scammers have to provide some liquidity.

Across the three token contracts I encountered, scammers provided a total liquidity of 60 Ethereum coins (20 for each contract) at a combined value of $146,300.44 at the time of funding.

As users purchase the coins on Uniswap, they add to the liquidity of the $SpaceX contract. At some point, the scammers behind this operation will remove the liquidity from the contract, thus “pulling the rug” on those who own the $SpaceX coins, making them worthless.
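The liquidity mechanics described above, modelled as an added example (not code from the original post or from Uniswap). It assumes Uniswap v2-style constant-product pricing with a 0.3% fee and a single liquidity provider; the 20 ETH and 200,000,000 coin seed are the per-contract figures reported in this post, and the buy amounts are constructed.

```python
# Simplified constant-product (x * y = k) pool with one liquidity provider.
# Assumptions: Uniswap v2-style pricing, 0.3% swap fee, constructed buy sizes.
from dataclasses import dataclass

FEE = 0.003  # assumed swap fee; it stays in the pool and accrues to the provider

@dataclass
class Pool:
    eth: float     # ETH reserve
    tokens: float  # token reserve

    def price(self) -> float:
        """Marginal price in ETH per token; 0 once the pool is empty."""
        return self.eth / self.tokens if self.tokens else 0.0

    def buy(self, eth_in: float) -> float:
        """Swap ETH for tokens; returns the tokens the buyer receives."""
        net = eth_in * (1 - FEE)
        out = self.tokens * net / (self.eth + net)
        self.eth += eth_in
        self.tokens -= out
        return out

    def quote_sell(self, tokens_in: float) -> float:
        """ETH a holder would receive for tokens_in at the current reserves."""
        if self.eth == 0:
            return 0.0  # no liquidity left: nothing to swap against
        net = tokens_in * (1 - FEE)
        return self.eth * net / (self.tokens + net)

    def remove_all_liquidity(self) -> float:
        """The sole provider withdraws both reserves; returns the ETH taken."""
        taken, self.eth, self.tokens = self.eth, 0.0, 0.0
        return taken

def simulate(seed_eth, seed_tokens, buys):
    pool = Pool(seed_eth, seed_tokens)
    start_price = pool.price()
    held = sum(pool.buy(b) for b in buys)   # tokens now held by buyers
    peak_price = pool.price()               # each buy pushed the price up
    value_before = pool.quote_sell(held)    # what buyers could still recover
    eth_taken = pool.remove_all_liquidity() # the "rug pull"
    return {
        "price_rise": peak_price / start_price,
        "holder_value_before": value_before,
        "provider_gain_eth": eth_taken - seed_eth,
        "holder_value_after": pool.quote_sell(held),
    }

if __name__ == "__main__":
    print(simulate(20.0, 200_000_000.0, [1.0, 5.0, 0.5]))
```

Every ETH that buyers put in sits in the pool until the provider withdraws it, after which the tokens still show in holders' wallets but quote to zero.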

Honeypotting: Users locked in with their purchase of the fraudulent $SpaceX coins

Recently, a user who purchased $SpaceX coins associated with the Alpha contract posted on the Uniswap subreddit saying they weren’t able to swap their coins back to Ethereum. This is another concept known as honeypotting in the cryptocurrency space. It is different from the traditional use of the term in the cybersecurity space, which is focused on trapping bad actors. What it means in this context is that unsuspecting users are drawn into investing in this fake $SpaceX coin, but the contract created by the scammers was designed to prevent users from being able to swap their coins back to Ethereum. The only address capable of moving funds out of the contract is the creator. So even if the scammers don’t pull the rug right away, current $SpaceX coin holders are unable to get their funds back anyway.

Scammers purposely burned coins from the contract

When these fake $SpaceX contracts were created, the scammers minted 1 billion coins (1,000,000,000) in each contract and added liquidity to the contract for 200 million (200,000,000) coins. The scammers also burned 800 million (800,000,000) $SpaceX coins for each contract by sending the coins to wallets for popular exchanges like Vb, Binance and Huobi.

Since these fraudulent $SpaceX coins aren’t listed on any of these exchanges, the coins sent to these wallets cannot be returned and are lost forever, effectively burning them from the supply. My understanding is that through burning these coins, the scammers are reducing the supply of available coins, thus driving up the perceived price of the $SpaceX coin.

Fake comments seeded on Etherscan pages

Etherscan, one of the most popular blockchain explorers for the Ethereum network, is often where cryptocurrency enthusiasts go to obtain information, such as activity related to various Ethereum-based projects. In the case of the fraudulent $SpaceX contracts, scammers have seeded the comments section of these pages with fake social proof.

The intention behind flooding these pages with fake social proof is to ensure that any comments calling out the fraudulent nature of the $SpaceX coins get lost in the noise.

Fake $SpaceX coin rug pulls have earned the scammers over $430,000 thus far, with potential to earn nearly $1 million

Across three of the fake $SpaceX contracts I encountered, two have already completed their rug pulls. The following graph shows a breakdown of the liquidity provided by the scammers, the amount of liquidity removed from the contracts and the difference (profit) they made from their scams.

At the time this blog post was published, the Alpha and Beta campaigns had ended and the Gamma campaign was still active. These figures reflect data collected up until June 21, 2021, but do not include any additional funds sent to the Alpha and Beta contracts post-liquidation.

The Alpha campaign began on May 22 and concluded on June 13 and netted the scammers a profit of over $403,000. Through the Beta campaign, which operated from May 29 through June 9, the scammers profited off unsuspecting users to the tune of nearly $28,000. The Gamma campaign, which began operating on June 9 and was ongoing at the time this blog post was published, has seen a high volume of activity already, earning the scammers an estimated $543,000. This means the scammers are set to make another six-figure sum from this campaign once they pull the rug, bringing the total cryptocurrency they’ve stolen to nearly $1 million.

One caveat: the scammers likely send additional funds to these contracts to make them appear more legitimate so the figures listed could be partially inflated by the scammers’ own funds.

DeFi protocols are rife with rug pulls and honeypots

While DeFi protocols on Ethereum (such as Uniswap and SushiSwap) or those on the Binance Smart Chain (BSC) (like Pancakeswap) facilitate a new era of investments on the blockchain, the decentralization of these platforms means that scammers have free rein. With traditional forms of finance like banks, which are centralized, stolen funds can potentially be recaptured and returned to victims. However, on the blockchain, stolen funds are lost with little to no recourse on recovery, and in the world of DeFi, it is an unfortunate tradeoff that exists within the protocol. As a result, terms like “rug pulls” and “honeypots” have become part of the dialogue within DeFi.

The reason this particular campaign stands out is that it didn’t rely on promotion through Telegram channels or social media, but it rode the wave of success scammers have found through YouTube. It did so by leveraging the existing infrastructure of YouTube Ads to identify their target demographic of cryptocurrency enthusiasts and get their ads in front of thousands of viewers. Many new cryptocurrency investors look to YouTube channels for news and guidance, so it’s an ideal channel for promoting a fake coin.

How cryptocurrency enthusiasts can protect themselves from fraudulent coins

Remember to DYOR: Cryptocurrency enthusiasts may be familiar with the acronym DYOR, which stands for Do Your Own Research. It is a common refrain within the community for good reason. It is vital for potential investors to do their own research before investing in any asset, especially in the cryptocurrency space.

Look for cautionary signs when using a DEX: While DEXes like Uniswap and SushiSwap operate autonomously, they have put up some roadblocks for users when interacting with their services.

As I discussed earlier, Uniswap displays a limited warning about the scam token not appearing on active token lists. It also adds a banner of “Unknown Source” when displaying the address for the contract. Users should see this as a red flag before importing the token contract and swapping it for their cryptocurrency. While not every coin on Uniswap will appear on an active token list, investors should be wary of a token when they see this warning.

Be wary of fake coins for real projects: While there is no such thing as a $SpaceX coin, potential investors should also be wary of fake coins for real projects. There is a low barrier to entry to create a token contract on the Ethereum network using the same name as a real project.

Look for official announcements from the creators of these projects. They will typically share details about the release of a token contract as well as what the verified contract address is prior to deployment.
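The two checks above (token-list membership and comparison with a project's announced contract address), sketched as an added example that is not part of the original post or of Uniswap's code. The list follows the Token Lists JSON shape; the list contents, addresses and the `assess_token` helper are constructed for illustration.

```python
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed token list in the Token Lists JSON shape (name + tokens[] with
# chainId, address, symbol, name, decimals). Addresses are made-up placeholders.
SAMPLE_LIST = {
    "name": "Example Default List",
    "tokens": [
        {"chainId": 1, "address": "0x" + "11" * 20, "symbol": "ABC",
         "name": "Example Project", "decimals": 18},
        {"chainId": 1, "address": "0x" + "22" * 20, "symbol": "XYZ",
         "name": "Other Project", "decimals": 18},
    ],
}

def assess_token(address, symbol, chain_id, token_lists, announced=None):
    """Return a list of warning strings; an empty list means no flag raised.

    announced: contract address taken from the project's official
    announcement, if one exists (hypothetical input supplied by the caller).
    """
    if not ADDRESS_RE.match(address):
        return ["malformed contract address"]
    addr = address.lower()  # hex addresses compare case-insensitively
    listed_on, same_symbol = [], []
    for token_list in token_lists:
        for tok in token_list["tokens"]:
            if tok["chainId"] != chain_id:
                continue  # same address on another chain is a different token
            if tok["address"].lower() == addr:
                listed_on.append(token_list["name"])
            elif tok["symbol"].lower() == symbol.lower():
                same_symbol.append(tok["address"])
    findings = []
    if not listed_on:
        findings.append("not on any active token list")
    if same_symbol:
        # A copied ticker on a different contract: fake coin for a real project.
        findings.append("symbol already used by listed token(s): "
                        + ", ".join(same_symbol))
    if announced is not None and announced.lower() != addr:
        findings.append("address differs from the project's announced address")
    return findings

if __name__ == "__main__":
    fake = "0x" + "ab" * 20  # constructed address reusing a listed ticker
    for line in assess_token(fake, "abc", 1, [SAMPLE_LIST], "0x" + "11" * 20):
        print("WARNING:", line)
```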

When in doubt, sit this one out: There’s pent-up demand to try to capitalize on gains from new and emerging coins in the cryptocurrency space. However, if you have even the slightest bit of doubt about the legitimacy of a coin or project, even after you DYOR, it’s probably best to sit this one out. The potential losses that stem from investing in fake coins and projects can be significant, so it’s better to miss out on a potential opportunity than to find yourself holding onto worthless tokens in your wallet.

