Glaive and Nitro Dubz/ January 8, 2018/ ICO, News

With 2017 behind, we see no slowing down of the ICO Fraud momentum. ICO is the abbreviation of Initial Coin Offering and is the cryptocurrency equivalent of a company offering stocks. An ICO is a crypto-token that acts as a share in a company or project.  They are typically created by a company which sells it to investors in  exchange for established cryptocurrencies such as Bitcoin and Ethereum.

The problem with ICOs is that they are an unregulated digital asset.  They are not classified as a security and because of this, anyone with modest technical knowledge can create an ICO and crowdfund money from the public with zero intentions of actually delivering a product.

There have been many instances where individual create a fictitious company that promises to solve a problem with revolutionary and groundbreaking technology.  They typically have a whitepaper (a guide on their company/project/ICO tokens), a roadmap (a timeline of events and releases the company has planned), a sleek and aesthetic website, and a healthy social media presence which makes it hard to distinguish the scam/fraudulent ICOs from the legitimate ones.

Today we will talk about one particular ICO and the red flags behind it: FinaCoin.

John McAfee and Security Vulnerabilities

On January 4, 2018, John McAfee promoted FinaCoin via his Twitter account which was met with mixed responses.

Many pointed the poor design of FinaCoin’s site alongside the fact that it was storing registered user’s password in cleartext (unencrypted) due to the site’s mail server, sending their passwords back to them in cleartext immediately after registration.

It is highly recommended that if you did not use a unique password for FinaCoin that you immediately change all of your other passwords.

The FinaCoin Team

The lack of ability to secure investors’ passwords is one thing, however, as you look deeper into FinaCoin, the scam becomes more and more apparent.

To start off the initial suspicions regarding Finacoin’s nature, the website does not include any information regarding the names of any owner or team members.  The only section detailing their team mealy mentions that the “have a team” and that they are in some way skilled enough for the job.  This behavior while not indicative of a scam in itself, is highly associated with ICOs that do end up exit scamming investors who look back to the site in order to try and indentify the owner who swindled them.

The White Paper

By inspecting the metadata of Finacoin’s whitepaper, we  can see that certain information was not scrubbed from the document prior to being uploaded to Finacoin’s website.  Before we get into that, it is important to note that the whitepaper itself, was plagiarized.

Here we can see that the FinaCoin whitepaper copies a nearly year-old article written by Ravelin, word for word.

You can find the FinaCoin whitepaper and see for yourself at

The Con Artist

Next, we can also see that the metadata of the .pdf reveals a lot about our con artist.  As you can see, in the Author field we have the name “Ebi Dominic”.  Take note of this, as this will be the indentifying name later on in connection to the owner of FinaCoin’s other scams.

Since the domain uses Cloudflare as an intermediary web-host, we are able to use public Cloudflare nameserver pair data to locate all other domains that might possibly exist under the Finacoin owner’s Cloudflare account.  Put differently, Cloudflare nameserver pairs are completely inclusive of all other domains under a given Cloudflare account, but are not completely exclusive.  Meaning the results will be mixed between some other accounts.  But through such an analysis, we can gain insight into the other sites that the Finacoin owner runs. uses the Leia and Noel Cloudflare nameservers.  Here is a screenshot showing the other domains using these same nameservers via the nameservers via Crimeflare’s free database lookup functionality. Within these results we see five other cryptocurrency related domains.  Based on what we know about Cloudflare’s inclusiveness of same account domains under the same nameservers pairs, we can reasonably assume these domains of the same topic belong to one account.

That list being:


Taking a look at any of these sites reveals a very similar trend.  To start off, all of these domains invoke Cloudflare’s browser check. The fact that all of these domains have this usually unpopular setting enabled adds further evidence to them being under the same Cloudflare account.  As for the contents of the sites themselves, each is near a bare bones state.  Almost all of them have non-working link within the footer of each page and have default placeholder text within many sections.

So now knowing the nature of these other domain under the same account as, let us look at the passive DNS history of these domains to gather more intelligence.

Here we are looking at the passive DNS history of  Alongside the same Cloudflare nameservers of Leia and Noel, we can see this domain briefly held nameserver records values pointing to  Let’s pivot off of this domain and look at the passive DNS records for it too.

Here we see that the domain briefly held an SOA record for only a day.  While this SOA record may have been only added by mistake it gives us a very attributable value, an email address.  Let us look back to the Author field of the initial Finacoin whitepaper PDF.  Here we see the exact same name as shown within the SOA record of, Ebi Dominic.

So what do all of these connections mean besides Ebi Dominic running many poorly constructed ICO and other crypto sites with zero deliverable products?  Let’s pivot one more time using this email address that we acquired to view all other domain names that might have been registered with this address.

– Here we find two earlier domains registered under this email.  A quick search reveals that both domains had been quickly suspended by the domain name registrar.  Now why  on Earth would they have been suspended?

Here we can see that the domain had been reported as having been associated with a Nigerian advance-fee scam.  The reporter cites a different name, but based on the WHOIS data we recovered earlier we know that the true owner is Ebi Dominic.

So can we tie this Ebi Dominic character to anything within social media?  Absolutely.

Here is an excerpt from a Facebook page going under the name ‘Look Joshua’, which lists under its lists of owned websites.  Surely this is our man, also listing Nigeria as his country of origin.

That’s all for now folks!  Make sure you do your due-diligence before you invest in any sort of ICO or Cryptocurrency!

Please send all tips, comments and inquiries via the contact form below:


Chris Hoff is a cryptocurrency trader, investor, journalist, and bitcoin enthusiast since 2011.