If you’ve spent any time on Meta’s Threads app in the last year, then you’ve likely seen what I like to call “the Mr Beast reply guys:” A spam account replies to a popular post with a nonsensical phrase and a low-quality screenshot of the British newspaper The Times featuring a fictitious story about Mr Beast. There’s usually a second, seemingly random, image — often a bouquet of flowers with an iPhone. The formula has some minor variations, but these posts are absolutely everywhere.
Like so much spam on social media, it’s part of a massive crypto scam.
According to an analysis from Zach Edwards, a staff security researcher at Infoblox, the person or group behind these accounts is running more than 10,000 malicious “crypto casino” websites. Engadget identified dozens of accounts posting Mr Beast reply spam on Threads, some of which have racked up hundreds of thousands of views over the last 30 days. All of the accounts were promoting websites that Edwards identified as being part of the same network.
While scammers are constantly using new tactics to lure people into financial schemes, according to both Edwards and Mark Beare, head of consumer at scam detection platform Malwarebytes, the way these posts have played out on Threads is unusual. For one, the posts don’t contain obvious links to the scams they’re promoting. Even the strange phrases that appear alongside the images, like “pencil shavings curl like thoughts,” don’t read like the typical get-rich-quick crypto scam content many social media users frequently encounter. But look closely at the faked screenshots and you’ll find that every low-res photo of the YouTuber is accompanied by a fake news story claiming that he’s launching a new “project” or “promotion” and giving away money if you visit a sketchy website.
Edwards believes the accounts’ bizarre posting habits are an effort to both evade detection by Meta’s systems and stress-test the types of posts most likely to gain visibility. “This network is a monster for A/B testing,” he told Engadget, referring to their ability to try different variations of the same content to determine which is more effective. “These threat actors have potentially figured out that their domains are being picked up too quickly when they embed them in the post, so they’ve tried this weird process where you bury the domain and you make the person sort of feel like it’s a scavenger hunt. If you’re promoting just an image and there’s an obscure URL that’s not even super prominent, a lot of these AI [detection] systems may miss it.”
The Mr Beast reply scammers seem to have also discovered how to optimize their spam for the unique quirks of the Threads algorithm. Replying to popular posts is a proven strategy for gaining visibility on Threads; Meta has said that half of the views on Threads come from replies. The nonsensical phrases and low-res screenshots, which often require you to enlarge the image to view it properly, are likely drawing more users to linger on the posts. All that could end up being a recipe for receiving some algorithmic amplification.
“They’re trying to feed an algorithm, and each platform has a different algorithm,” says Mark Beare, head of consumer at scam detection platform Malwarebytes. While Beare said he wasn’t familiar with this particular network of crypto scammers, he wasn’t surprised by their seeming fixation on Mr Beast. Mr Beast, he says, is now one of the most ubiquitous public figures in scams, with mentions of the YouTuber outnumbering other frequently-cited celebrities like Elon Musk.
Many of these scam websites (like the one above) are running simple deposit scams, says Edwards. The sites promise some kind of “free reward” or sign-up bonus in order to entice people to make accounts. Once they’ve signed up and gotten their promotional credits — one website Engadget visited labeled it “free money” — they’re presented with a bevy of online slot machines and other simple games. The websites claim users can withdraw and deposit funds at any time, enticing users into giving up credit card information or connecting crypto wallets.
After entering a supposed promo code from the Mr Beast spam into one of these sites, I was informed that I was “among the winners of our $10M Bonus Event promotion” and had won $3,000. Withdrawing these winnings would only require a wallet address or credit card number. That fits the pattern described by Edwards.
“It’s usually: sign up for your deposit bonus, and then it starts to tell you fake returns, and then they’re encouraging you to deposit more money,” he explains. “They’re not really looking for long cons, they’re looking for quick stakes.”
It’s not clear how many people might be falling for these scams. Analysis of the more than 10,000 domains collected by Edwards shows that many of these supposed crypto casinos are seeing very little traffic. But on Threads, a handful of accounts posting Mr Beast reply spam have gotten nearly a million views in the last 30 days, according to Threads’ public-facing view metrics. Some of these accounts appeared to have been the hacked accounts of normal users, while others were relatively new accounts that seemed to have little purpose beyond promoting the casino sites. A few also frequently posted half-second porn clips linking to Telegram channels that advertise “Threads Hot Video 18+.” (Interestingly, the posts with porn clips do not appear in the Threads’ app, though they are visible on threads.com.)
Edwards, who has tracked similar campaigns on other sites, suspects the scammers are active on platforms besides Threads. The Threads posts bear some similarities to a wave of spam that targeted Discord last year, and there is some overlap between the malicious domains promoted on both platforms. He also noted that many of the latest websites he uncovered have X ads integrated as well as the Meta Pixel, which allows Facebook advertisers to track how people are using their websites. “I’m confident that they’re spending significant amounts of money on ads,” he says.
What’s not clear is to what extent Meta is aware of its Mr Beast-centric spam problem. While the company does seem to be taking down some of the accounts linked to this group, the frequency with which these posts appear raise questions about how effective its enforcement is.
The screenshots of the fake Business section of The Times have been appearing for over a year. It’s even become something of an inside joke on the platform. “Anyone else think your post has ‘made it’ when you start getting the Mr Beast spam comments,” one user said in April. “Babe, wake up! New Mr Beast spam has dropped,” someone posted earlier this month when a new variation of the Mr Beast screenshot — this one showing a fake CNN article — appeared.
Both Edwards and Beare said that Meta should have the ability to detect these types of campaigns, even if scammers are using stealthy techniques to hide the URLs they’re promoting. Meta did not provide comment to Engadget by the time of this article’s publication.
“Meta has great AI detection models, they have a very, very good model for that on Facebook,” Beare says. “It really just comes down to a matter of priority. If these tactics still work and they work for a very long time, it means … they haven’t been prioritized to be fixed.”








