Abercia Exchange/ARIVA Text Scam
I get a text.
Kelvin, I'm moving to a new house next month and I'd like to invite you to a party at my house.
...? Am I Kelvin? Is that my name?
I responded:
Nice. 👍
What can I say, I'm a normal guy.
Their reply:
😱 What does not bad mean? i didn't understand you at all
Oh. 'Nice' and 'Not bad' are close enough that it'd mess up with an online translator. This person is not a native English speaker.
From here, I try to put up an act and a fake persona.
I correct them. My name is not “Kelvin” but “Kevin”.
(They keep calling me Kelvin.)
I send an AI generated picture of someone's face, saying that's me.
I'm invited to chat on Telegram. I join.
This person's profile is “Aileen” (the face is cut off on “her” profile pic of course) and “she” nonchalantly sends me a photo of people gathered in suits for a crypto conference.
They then ask me about crypto investments; I play along.
Eventually they linked me to a website, abercia.com, and they insisted I open it on my phone and download and install the app.
The website seems quite strange at first glance on PC, and leads you to download an .apk file if you open it in a browser with an Android user agent.
I ran the file through VirusTotal and these are the results of the scan. Not much to look at, even behavioral seems pretty normal.
Even if it appears safe, I'd urge whoever reads this to avoid installing this software on their phone.
So then I decide, why not make an account and try to buy crypto?
Logged in
So I do. And then I'm greeted with this:
So then I of course need to verify my identity to buy crypto:
Ah. Real name and real driver ID number? Of course! I put in very correct (fake) information, and I see this:
Wow, fast! So next, I have to upload photos of my ID and me holding it and time of day:
So I do a very high-effort (bare minimum) version of that to get to the next screen:
This design all hurts to look at, especially the watermarking and terrible stretching of the “photos”.
I end up at a screen saying the uploaded information is pending review.
Now I'm starting to see the point behind the site...
Buying crypto
There is no actual functionality to buy crypto on the site.
Here's a page where you can, theoretically, get over 100% yearly returns in crypto:
So I click to buy, and it says to buy with USDT.
On another page to deposit, it says:
It is temporarily unavailable to use other types of coins. Please understand!
So clearly, they're an established and trustworthy exchange that lets you deposit... only USDT?
Why do they need to verify your identity if there's no functionality to connect your bank account and deposit actual money?
So I go back to “lock in” some (nonexistent) USDT for some nice returns.
Oh, you can't change the input field to anything other than zero.
Although, I did anyway. I just modified its value directly with a line of code.
Even then, it still says in a pop-up in the corner:
Purchase amount must be greater than the minimum
So it seemed to be hardcoded.
I spent some time looking at the actual handlers and code that launches when you click on the button – turns out it does connect to a server.
But here's the URL when I set the field to that big number:
https://www.abercia.com/v1/rest/pc/lumProject/addOrder?projectId=770210224039526400&buyCount=0
Notice how even when I manually modify the amount, it still says buyCount=0?
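As an added example (not code from the original post, and not the site's actual code, which the post does not reproduce), here is a minimal reconstruction of the behaviour described above: a click handler that never reads the visible amount field and always sends buyCount=0, beside an honest handler that does read it, plus a small check that pulls buyCount back out of the request URL so the comparison can be automated over URLs copied from a browser's network tab. The request URL and projectId are the ones in the post; the handlers and the stand-in input object are constructed for illustration.

```javascript
// Added example: reconstruction of "the input is decorative, the request is hardcoded".
// The two handler functions are hypothetical; only the URL and projectId come from the post.

const BASE = "https://www.abercia.com/v1/rest/pc/lumProject/addOrder"; // from the post
const PROJECT_ID = "770210224039526400";                                // from the post

// Stand-in for the DOM <input> so this runs outside a browser (constructed).
function makeAmountInput(initial = "0") {
  return { value: initial };
}

// Hypothetical handler matching what the post observed: the amount field is
// ignored and buyCount is a fixed literal, so editing input.value changes nothing.
function buildOrderUrlHardcoded(_amountInput) {
  const params = new URLSearchParams({ projectId: PROJECT_ID, buyCount: "0" });
  return `${BASE}?${params.toString()}`;
}

// What a handler that actually honours the field would look like, for contrast.
function buildOrderUrlFromInput(amountInput) {
  const params = new URLSearchParams({
    projectId: PROJECT_ID,
    buyCount: String(amountInput.value),
  });
  return `${BASE}?${params.toString()}`;
}

// Parse buyCount out of a request URL (returns null if the parameter is absent).
function extractBuyCount(url) {
  const v = new URL(url).searchParams.get("buyCount");
  return v === null ? null : Number(v);
}

// Does a value typed (or set via the console) into the field reach the server?
function fieldReachesServer(buildUrl, typed) {
  const input = makeAmountInput("0");
  input.value = typed; // same effect as setting .value from the console
  return extractBuyCount(buildUrl(input)) === Number(typed);
}

// Demonstration: the hardcoded handler sends 0 no matter what the field shows.
console.log(buildOrderUrlHardcoded(makeAmountInput("1000000")));
console.log("hardcoded handler honours field:", fieldReachesServer(buildOrderUrlHardcoded, "1000000"));
console.log("honest handler honours field:", fieldReachesServer(buildOrderUrlFromInput, "1000000"));
```

The useful check here is the last one: when the parameter in the outgoing request never tracks the field, the form exists to look like a trading interface, not to take orders.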
Conclusion
It appears this is a scam to get people's private information in order to make actual crypto accounts using their identity, and then turn around and pull money out of stolen credit cards or bank accounts, or perhaps tax refund fraud.
Clearly, the start of this is some sort of organized crime group that, texting random phone numbers, fools older, gullible, lonely men into giving their info to a site, effectively to steal their identity.
I'm not reporting this scam to the government since I don't want to give my personal information out and tie myself into the investigation.
If you're reading this and there really are multiple cases of the same site being used as a scam, then other people are likely being screwed over. Please report it to some agency.
Domains and IPs related to this that came from the VirusTotal scan of the app:
arivaex.com
av1.xdrig.com
av1.xdrig.com.td.fusion.iaas.jdcloud.com
cloud.xdrig.com
cloud.xdrig.com.td.fusion.iaas.jdcloud.com
i.tddmp.com
me.xdrig.com
me.xdrig.com.td.fusion.iaas.jdcloud.com
116.196.71.30:80
116.198.14.128:443
116.198.14.42:443
52.194.64.30:443
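As an added example (not part of the original post), the indicator list above parsed into a normalised form a defender could feed into a blocklist or a log search: each line is classified as an IPv4 address (with optional port) or a hostname, and hostnames are grouped by their last two labels so that names under a shared hosting provider (the *.jdcloud.com entries) are visible as a separate group rather than blocked wholesale. The indicators are the post's own; the classification rules and the "last two labels" approximation of a registrable domain (no public suffix list) are this example's assumptions.

```javascript
// Added example: parse and classify the post's VirusTotal-derived indicators.
// The list is copied from the post; the parsing/grouping logic is an assumption.

const RAW_INDICATORS = `
arivaex.com
av1.xdrig.com
av1.xdrig.com.td.fusion.iaas.jdcloud.com
cloud.xdrig.com
cloud.xdrig.com.td.fusion.iaas.jdcloud.com
i.tddmp.com
me.xdrig.com
me.xdrig.com.td.fusion.iaas.jdcloud.com
116.196.71.30:80
116.198.14.128:443
116.198.14.42:443
52.194.64.30:443
`;

const IPV4_PORT = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::(\d{1,5}))?$/;
const HOSTNAME = /^(?=.{1,253}$)(?!-)[a-z0-9-]+(?:\.(?!-)[a-z0-9-]+)*$/i;

// Classify one line; returns null for blank lines, throws on anything unrecognised.
function parseIndicator(line) {
  const s = line.trim().toLowerCase();
  if (!s) return null;
  const m = IPV4_PORT.exec(s);
  if (m) {
    const octets = m.slice(1, 5).map(Number);
    if (octets.some((o) => o > 255)) throw new Error(`bad IPv4 octet: ${line}`);
    return { type: "ip", value: octets.join("."), port: m[5] ? Number(m[5]) : null };
  }
  if (HOSTNAME.test(s)) {
    const labels = s.split(".");
    // Approximation: last two labels stand in for the registrable domain.
    return { type: "domain", value: s, registrable: labels.slice(-2).join(".") };
  }
  throw new Error(`unrecognised indicator: ${line}`);
}

function parseIndicators(text) {
  return text.split("\n").map(parseIndicator).filter(Boolean);
}

// Deduplicated, sorted views plus a grouping by registrable domain.
function summarise(indicators) {
  const domains = new Set();
  const ips = new Set();
  const byRegistrable = {};
  for (const i of indicators) {
    if (i.type === "ip") {
      ips.add(i.value);
    } else {
      domains.add(i.value);
      if (!byRegistrable[i.registrable]) byRegistrable[i.registrable] = [];
      byRegistrable[i.registrable].push(i.value);
    }
  }
  return { domains: [...domains].sort(), ips: [...ips].sort(), byRegistrable };
}

console.log(JSON.stringify(summarise(parseIndicators(RAW_INDICATORS)), null, 2));
```

The grouping is the part worth keeping: the xdrig.com names are the scam's own infrastructure, while the jdcloud.com names are a hosting provider's CDN aliases for the same hosts, so a block or alert on the former carries far less collateral than one on the latter.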