From Fake W-8BEN Forms to Crypto Deposits: Scammers Exploit SpaceX IPO Hype

|

|

Reddit logo
A screenshot displaying Netcraft's newly updated dashboard with a cleaner user experience.

Executive summary

Netcraft identified scammers exploiting public interest in the SpaceX IPO with fake investment portals impersonating SpaceX, Elon Musk, and other well-known financial brands. The campaign uses domains such as spacexshares[.]xyz, fidelityspacexipo[.]site, robinhoodspacex[.]com, and muskspacexipo[.]vip to invite visitors to register for access to SpaceX shares, select an investment tier, and, in some cases, deposit funds using cryptocurrency.  

The lure works because IPO participation is often complex and broker-mediated. A victim may reasonably expect a legitimate investment process to involve a recognized brokerage platform, eligibility checks, tax paperwork, and funding instructions. The scam mirrors that process: emails direct recipients to fake onboarding pages or W-8BEN-style forms, which are normally used by non-U.S. investors to certify their foreign tax status for certain U.S.-source income; branded pages create a sense of legitimacy; and deposit pages that turn investor interest into direct financial loss. 

This activity is thematically consistent with the W-8BEN tax-form lures and investment-brand impersonation reported in Proofpoint's tracking of TA2730, though the monetization differs: TA2730 harvests investment-account credentials for account takeover, whereas this campaign solicits cryptocurrency deposits directly.  

How the scam works 

The campaign combines email lures, fake investment portals, impersonated brokerage brands, and cryptocurrency payment instructions into a convincing end-to-end fraud funnel.  

The emails Netcraft examined direct recipients to fake onboarding pages or W-8BEN-style forms. The use of tax documentation is significant as it creates the appearance of a legitimate investment process. Rather than asking for payment immediately, the scam first asks victims to complete familiar-looking admin steps. This lowers suspicion and makes the interaction feel more legitimate. 

Some of the sites ask visitors to select a “target investment tier” or otherwise indicate how much they intend to invest. This serves two purposes for scammers. First, it encourages victims to think about the process as a legitimate investment decision. Second, it allows the scammers to prioritize higher-value victims based on their stated willingness to deposit funds. 

One of the sites, spacexshares[.]xyz, included a deposit page listing cryptocurrency wallets for BTC, ETH, and USDT. The ETH and USDT addresses are identical, as USDT is issued as an ERC-20 token on the same Ethereum address. The end goal is direct financial theft. 

Observed wallet addresses include: 

  • BTC:  bc1q3ad4npa6qqxrcdrgd2gmmgttsakq9635q6uz50 

  • ETH & USDT:  0xc4cf58a782cCa0dB793bE5fBE145361533A6AF30 

At the time of writing, the BTC address had received 0.14174492 BTC, worth roughly $8,700. 

An example of one of the lure pages promising to allow you to invest in the SpaceX IPO.

Campaign infrastructure 

The campaign uses two broad categories of domains: randomized domains and more explicit SpaceX- or broker-themed domains. 

One cluster consists of long pseudo-random .live domains: 

  • 467jtzbkqcfl22t9hxh[.]live

  • ddgaoylh4h420fvm7o5[.]live 

  • u7aq3ocwrexd70ulpdj[.]live 

  • zavpejjyz432d577l2e[.]live 

  • 8fv4dxp7lx035f8ylk7[.]live 

  • cd7yt860whhm7g7ylj8[.]live 

  • g8iqelymkc4eya9zs49[.]live 

  • hy0zu0fuf7rc2ou5aje[.]live

  • k1rg2oz4zpzw91pdx90[.]live 

  • ogqw9cpz7t7et3j1rur[.]live 

A second cluster uses clear SpaceX-, IPO-, Elon Musk-, and brokerage-themed naming: 

  • spacexshares[.]xyz 

  • fidelityspacex[.]site 

  • fidelityspacexipo[.]site 

  • robinhoodspacex[.]com 

  • adanispacex[.]com 

  • muskspacexipo[.]vip 

  • muskspacexipo[.]com 

These specific domains are more directly tied to the lure itself, designed to resemble domains a potential victim might search for or expect to receive. 

The domains “muskspacexipo[.]vip” and “muskspacexipo[.]com” also pointed their MX records to mail[.]musksapcex[.]space, which uses the misspelling “sapcex” instead of “spacex”.  

Another lure page offering access to the SpaceX IPO.

Why the lure is effective 

The campaign does not fully rely on the SpaceX name alone. The sites copy parts of the normal investment process, asking victims to complete a W-8BEN-style form, select an investment tier, and then deposit funds. Making the process appear legitimate.  

The use of tax paperwork and broker names helps the sites look more legitimate. Asking victims how much they want to invest also makes the process appear like a genuine offer. This allows the scammers to exploit both interest in the SpaceX IPO and uncertainty over how investors can participate. 

Conclusion 

This specific SpaceX IPO campaign shows how scammers exploit major financial events. While this campaign centers on the SpaceX IPO, the techniques are not unique to SpaceX. High-profile IPOs and other widely anticipated investment opportunities naturally generate significant public interest, media coverage, and uncertainty around how investors can participate. Threat actors can exploit these uncertainties by impersonating companies, brokers, and financial institutions associated with the offering, creating fraudulent registration portals that closely resemble legitimate investment workflows.  

As new IPOs and other major investment events emerge, organizations should expect attackers to continue adapting these techniques to capitalize on public interest. Rather than viewing this as a one-off SpaceX-themed campaign, defenders should recognize it as a repeatable fraud model that can quickly be repurposed in future campaigns. Monitoring for newly registered investment-themed domains, broker impersonation, and fraudulent onboarding portals will be critical to identifying and disrupting similar campaigns before they reach potential victims.  

Indicators of compromise (IOCs) associated with this campaign are published in Netcraft’s public GitHub repository

Don't want to miss out on updates?

Don't want to miss out on updates?

Don't want to miss out on updates?

Join our mailing list for regular blog posts and case studies from Netcraft.