If you’ve spent any time on Meta’s Threads app in the last year, you’ve probably seen what I like to call “the guys responding to Mr Beast”: a spam account responds to a popular post with a nonsensical phrase and a low-quality screenshot from the British newspaper The Times featuring a fictional story about Mr. Beast. There is usually a second, seemingly random image – often a bouquet of flowers with an iPhone. The formula has some minor variations, but these posts are absolutely everywhere.
Like a lot of social media spam, this is part of a massive crypto scam.
According to an analysis by Infoblox security researcher Zach Edwards, the person or group behind these accounts runs more than 10,000 malicious “crypto-casino” websites. Woozad identified dozens of accounts posting spammy Mr Beast replies on Threads, some of which have racked up hundreds of thousands of views over the past 30 days. All accounts promoted websites identified by Edwards as being part of the same network.
While scammers are constantly using new tactics to lure people into financial schemes, according to Edwards and Mark Beare, head of consumer at scam detection platform Malwarebytes, the way these messages were spread on Threads is unusual. For one thing, the posts don’t contain obvious links to the scams they promote. Even the odd phrases that appear alongside the images, like “pencil shavings curl like pansies,” don’t read like the typical get-rich-quick crypto scam content that many social media users frequently encounter. But look closely at the fake screenshots and you’ll see that every low-res photo of the YouTuber is accompanied by fake news claiming he’s launching a new “project” or “promotion” and giving away money if you visit a sketchy website.
Edwards believes the accounts’ bizarre posting habits are an effort to both evade detection by Meta’s systems and test which types of posts are most likely to gain visibility. “This network is a monster for A/B testing,” he told Woozad, referring to their ability to try different variations of the same content to determine which is most effective. “These bad actors potentially figured out that their domains were being grabbed too quickly when they embedded them in the post, so they tried this weird process where you bury the domain and you make the person feel like it’s a treasure hunt. If you’re promoting a simple image and there’s an obscure URL that’s not even very visible, a lot of these AI (detection) systems might miss it.”
The Mr Beast reply scammers seem to have also figured out how to optimize their spam for the unique quirks of the Threads algorithm. Replying to popular posts is a proven strategy for gaining visibility in discussions; Meta said that half of the opinions on Threads come from replies. Nonsense phrases and low-resolution screenshots, which often require enlarging the image to view it properly, likely encourage more users to linger on posts. All of this could end up being a recipe for receiving some algorithmic amplification.
“They’re trying to feed an algorithm, and every platform has a different algorithm,” says Mark Beare, head of consumer at scam detection platform Malwarebytes. Although Beare said he was unfamiliar with this particular network of crypto scammers, he was not surprised by their apparent fixation on Mr. Beast. Mr. Beast, he says, is now one of the most ubiquitous public figures in scams, with the YouTuber’s mentions outnumbering other frequently cited celebrities like Elon Musk.
Many of these scam websites (like the one above) offer simple deposit scams, Edwards says. The sites promise some sort of “free reward” or sign-up bonus in order to entice people to create an account. Once they sign up and get their promotional credits (one website visited by Woozad called it “free money”), they are presented with a host of online slots and other simple games. The websites claim that users can withdraw and deposit funds at any time, prompting them to disclose their credit card information or connect crypto wallets.
After entering a promotional code supposedly from Mr Beast spam on one of these sites, I was informed that I was “among the winners of our $10 million bonus event promotion” and had won $3,000. Withdrawing these winnings would only require a wallet address or credit card number. This fits the model described by Edwards.
“It’s usually the case: sign up for your deposit bonus, then they start showing you fake returns, then they encourage you to deposit more money,” he explains. “They’re not really looking for long-term counters, they’re looking for quick stakes.”
It is unclear how many people could fall victim to these scams. Analysis of over 10,000 domains collected by Edwards shows that many of these so-called crypto casinos see very little traffic. But on Threads, a handful of accounts posting spammy Mr. Beast replies got nearly a million views in the last 30 days, according to Threads’ public view statistics. Some of these accounts appeared to have been hacked accounts of normal users, while others were relatively new accounts that appeared to have little use beyond promoting casino sites. A few also frequently posted half-second pornographic clips linking to Telegram channels advertising “Threads Hot Video 18+.” (Interestingly, posts containing pornographic clips do not appear in the Threads app, although they are viewable on threads.com.)
Edwards, who has tracked similar campaigns on other sites, suspects the scammers are active on platforms other than Threads. Threads’ posts bear some similarities to a spam wave that targeted Discord last year, and there is some overlap between the malicious domains promoted on the two platforms. He also noted that many of the latest websites he discovered incorporate X ads as well as the Meta Pixel, which allows Facebook advertisers to track how people use their websites. “I’m convinced they spend a lot of money on advertising,” he says.
What’s unclear is how aware Meta is of its Mr Beast-centric spam problem. Although the company appears to be removing some of the accounts linked to this group, the frequency with which these posts appear raises questions about the effectiveness of its enforcement.
Screenshots of the fake Business section of The Times have been appearing for over a year. It’s even become something of an inside joke on the platform. “Someone else thinks your post was successful when you start getting spam comments from Mr Beast,” one user said in April. “Baby, wake up! The new Mr Beast spam is gone,” someone posted earlier this month when a new variation of Mr Beast’s screenshot – this one showing a fake CNN article – appeared.
Edwards and Beare said Meta should have the ability to detect these types of campaigns, even if fraudsters use stealth techniques to hide the URLs they are promoting. Meta did not provide any comment to Woozad at the time of publishing this article.
“Meta has great AI detection models, they have a very, very good model for this on Facebook,” Beare says. “It really comes down to a question of priority. If these tactics still work and they work for a very long time, that means… they haven’t been fixed as a priority.”
