The WhatsApp Pump-and-Dump

Earlier today, I got this message through WhatsApp. I don’t use WhatsApp very much. I’ve received spam there before, but not much, and nothing that looked quite like this. A few moments later I saw this in my Twitter feed:

HOT TIP pic.twitter.com/VCJtyeLV9c

— Marisa Kabas (@MarisaKabas) August 21, 2015

Oh. Oooh!!

I searched around and found lots of complaints:

First instance of @WhatsApp spam? pic.twitter.com/lBhG2eDt4I

— Michael Wang (@michaelwang20) August 21, 2015

I just got… Spam on WhatsApp. Looked like an attempt to phish or scam somehow. “This is Jack from Morgan Stanley” Adding no Jack, bihhh

— Broke Boi Bill (@TheBeatnikBill) August 21, 2015

@WhatsApp Great, my first WhatsApp spam came in today. How did this guy get my number??? #nothappy pic.twitter.com/Av6qWjYH3X

— Alexander Teusch (@alexanderteusch) August 21, 2015

A number of people on Twitter complained that this was their first-ever WhatsApp spam; others noted that the spam was fairly obviously an attempt to pump and dump a low-cap stock in a new and novel way. So let’s see:

Here’s an article about the spike on this penny stock site, which notes the stock spiked after “a massive whatsapp text message went out this morning.” Not bad at all! WHAT A MOVE!!! Etc. The company description is excellent as well:

AVRA Inc (OTCBB:AVRN) is focused on solutions in the digital currency markets, particularly in offering payment solutions to businesses worldwide. The Company’s business model is divided into four distinct categories: AvraPay: to develop a complete, turn-key and painless way for merchants to accept Bitcoin as Payment; AvraATM: to promote usage and acceptance of digital currencies through the Company’s proposed network of ATMs; AvraTourism: to provide cryptocurrency payment processing solutions for merchants such as hotels and casinos; AvraNews: to provide a news portal focusing on digital currency news.

Yes. Correct. Bitcoin penny stocks.

By the time I got my spam, the stock had already tanked. But others had received the post earlier. WhatsApp groups seem to be limited to 100 users, so maybe my group was just a little too far down the list.

@_TC_ received something similar pic.twitter.com/oyiOh5eoSn

— Michael T. Halligan (@mhalligan) August 21, 2015

Did WhatsApp inadvertently help move hundreds of thousands of shares in a penny stock scam? Unclear. But that certainly seems to have been the intent. Pump-and-dumpers practice all kinds of creative manipulations and come up with new ones all the time. A few years ago, a scammer’s best bet might have been to issue a fake press release, hoping for coverage that might produce the desired effect — to “hack” the media, more or less.

But a savvy scammer today might see a similar opportunity in the platforms that offer access to potentially much, much larger audiences. WhatsApp passed 800 million users in April. A spammer has discovered a way to access at least some of those users, reaching them with messages that are fairly obviously spam but which, unlike spam emails, are not common enough that people have completely tuned them out.

Small cracks (security or design) in platforms of unprecedented size can present major opportunities for those looking to exploit them. Just ask any publisher 🙂