By Shweta Patel: Fraudsters are usually amongst the first ones to adopt into any new technology before it matures. While the knowledge is limited among users and wide open gaps exist in the security, controls, knowledge and regulation in a novel domain, they cash in on the initial chaos. And this is true of Cryptocurrencies as well. While crypto currencies investments have proved very successful to many, there are several different scams to watch out for. This is a collation of the various scam typologies when it comes to cryptocurrencies. While this may not be an exhaustive list, the goal is to spread more awareness of the various attack vectors in this relatively fraud prone product.
- The Infamous Pump and Dump – This scam is certainly not unique to crypto. This technique has been used historically with illiquid stocks by influential investors in the stock market. In the same spirit, with respect to cryptocurrency markets, a few influencers on social media platforms with lots of following can guide a systematic increase in demand for their favourite crypto and once the price reaches their artificially jacked up levels, they sell out and book their personal gains, while later entrants lick their wounds.
- The Ponzi or Pyramid scheme – For ages, Ponzi schemes have also been run successfully before the advent of cryptocurrencies. Right from India’s very own Sarada chit fund scam, City Limousines all the way to Amway, these have fooled millions of investors worldwide and somehow always obvious in hindsight. Crypto is no stranger to Ponzi schemes. A Ponzi or pyramid scheme is when investors are lured into making an investment with unreasonably high returns that are initially sustained artificially by the money invested by subsequent investors. Only a few, very early investors make any money, if at all. In recent memory is the GainBitcoin scam that reportedly stole more than Rs 1 trillion from a 100K victims across India. Another example is the Dekado coin scam where returns of 40-70% was promised and soon after launch the website went down and people could not access their accounts any more.
- The Rug Pull Scam, Shit coin crypto project scams and Scam ICOs – A rug pull scam which is fairly unique to crypto is the sort of scam where the developers who create the token run away with the investor funds by creating a crypto project with that intention from the start. Typically, they would list the token on decentralized exchanges. They launch the token, attract investors and once the token gains significant appreciation from the inception point, the insiders pull the proverbial rug. This is a different scheme than the Ponzi which involves multi-level marketing. The rug pull however may not involve anyone other than the promoter themselves who hold the majority of the token, which may crash to zero once the developers exit. A great example of this is the Squid Coin, which ironically for its investors, gets its name from the Netflix show Squid game where all but one survives. Suffering the same fate as its namesake, this one didn’t leave many survivors. Selling the token was barred, thereby trapping all the investors in, while the creators sold out and disappeared without a trace. Scam ICOs (initial coin offerings) and Shit coin crypto projects are similar in spirit where coins with no value are peddled by scammers. The infamous Morris coin ICO was also a fake crypto currency that was not listed on any exchange and thereby making it impossible to trade. Here the investors were asked to put in a minimum Rs. 15K to get back Rs. 270 per day for 300 days which was a 4.4x profit.
4: The Airdrop Crypto Scam – The airdrop crypto scam is one where a dodgy token is “airdropped” into the victim’s digital wallet. Airdropping itself is quite legit as it allows to grow a community. However, the attackers step in at the time the airdrop token is being exchanged it opens up way more permissions than the victim would want to. Thus opening up access to the hacker to the all the assets in the target’s wallet.
5: Phishing Scams in Crypto – Crypto victims are not immune to the all-pervasive charm of the scammer’s old bag of phishing tricks. Phishing of course is not unique to crypto either. Similar to trying to steal credit card and account numbers, or personal information, phishing in crypto, targets stealing of private keys to a crypto wallet or crypto exchange login credentials. Here phishing hooks may come through a link on emails pretending to be from a well-known cryptocurrency exchange, or could be from a profile impersonating a community moderator, or fake ads featuring notable businessmen and figures supposedly promoting a cryptocurrency investment. In another variant of this MO scammers create full blown imposter crypto exchange websites that resemble legit trading platforms with a technique called ‘typosquatting’. The webfake in this case would only be a letter different from an authentic crypto exchange. In one such scam uncovered by Netherlands and the British, scammers were relying on common typing accidents by their victims, to get access to their credentials.
6: Fake Trading Professionals – These are everywhere on YouTube, WhatsApp and other social media. Typically, the “professional trader” will offer services of investment and trading in crypto currencies for you. It is extremely difficult to time any market much less the crypto market. When someone offers such services very likely that they will at some point try to gain access to the victim’s crypto wallet or otherwise social engineer their victims into compromising their account or assets. Scammers can be very talented in convincing their mark by offering all the right words and disclaimers around the perils of trading, but most are just out to get access to the target’s crypto wallet.
7: Fake / Impersonator Crypto exchanges – In one variant, scammers create altogether fake exchanges. The example that comes to mind is South Korea’s BitKRX which deliberately was made to sound like it was related to the country’s largest exchange KRX. Having deceptively established this credibility through spoofing a reputed name, scammers lured investors into ‘purchasing’ cryptocurrency, while their investment actually landed in the scammer’s pockets. In some examples, scammers attracted customers, by doling out freebies like a $100 credit note as an introductory offer. This not only attracts victims but also creates an aura of trust around the platform. Subsequently the victims bring their own funds into the platform, after making some initial gains. Once the victims are fully reeled in, the withdrawal capability gets suspended on the platform and users have no access to their own funds. In another flavor to this scheme, users are drawn into legit platforms initially and once the trust is built made to switch over to a fake. Many such baiters find their targets on social media platforms like LinkedIn through fake profiles.
8: Fake Bounty / Giveaway Scams, Bitcoin Doubler scams and HYIP crypto investment platforms – In this MO, scammers promise to give away free or cheap cryptocurrency by asking for an initial crypto deposit in order to be eligible. The scammers may create fake social media profiles and fake weblinks to attract victims. An example of this was the fake ‘5000 BTC Binance Giveaway’ scam. This one had fake advertisements on YouTube with an image of Binance Founder ChangPeng Zhao! Users were asked to send bitcoins to receive double in return. HYIP or high yield crypto investment platforms are just another variation of this theme where scam websites offer a spectrum of various other investment options as well. In further variants of this scheme, the perpetrator is an ‘expert’ on crypto and makes claims to have a “doubler script” that he coded – that can double the victim’s crypto currency for a ‘fee’.
9: Crypto exchange hacks and theft – Organized cybercrime rings are continuously trying to hack into crypto exchanges and relatively large wallets too. It is important here to understand that a crypto owner can leave their crypto in a crypto wallet or in the crypto exchange. The security of the wallet is something that is more in the control of the owner, as opposed to the security of an exchange. History is replete with examples of crypto exchanges getting hacked right from Mt. Gox way back in 2013 and has shown no signs of abating. Even relatively large crypto exchanges like Binance and Coinbase have been hacked. While this may be due to the nascency of the domain, but truly no amount of security and controls can be considered 200% hack proof.
10: BitCoin Blackmail – These sorts of scams are delivered mostly via email. Here the scammers convince the victim using some publicly available private information example password, and threaten to have other information that the scammer can expose in return for a ransom to be paid in cryptocurrency. Sometimes they may claim to have installed malware on the victim’s device to get access to their webcam and/or access to the victim’s contacts. They demand to send the crypto to the blackmailer’s BTC address. These are like any sextortion type racket, where the scammers cast a wide net and get lucky with some.
11: Fake Wallets & Counterfeit Crypto Trading Apps – In one research it was found that scammers befriended victims on social media and convinced them into downloading a crypto currency trading app by sending these victims a link (with options for both Android and iOS). Such links impersonated popular trading and investment companies. The victims went ahead and purchased crypto currencies using the app or transferred their crypto into these wallets. Eventually, the scammers would block the accounts and ghost the victims.
12: Pig Butchering Crypto Scam – This is a variant of the romance scam but involves crypto and believed to have originated in China. The ‘Pig’ here is typically a victim on a dating site. The scammer attracts their mark with an attractive profile and slowly works on the victim to ‘fatten them up’ (hence the name pig-butchering). Once they have them where they want them the victim is lured into an attractive crypto investment scheme. The scammer pulls off the scam by sharing returns on the ‘crypto account’ by sharing fake links to fake sites showing the strong returns. The victim once juiced out for what they can ‘invest’ is then left in the lurch.
As one can see that its raining scams in crypto. This article was meant to serve as a brief introduction to the cross section of typologies of scams and fraud risk in this domain. However, investors may do well to do their research to ensure that they are aware of the market risks inherent to any financial market, and transactional and operational risks in the crypto currency market (such as sending the wrong crypto currency to the wrong account crypto address etc.) As far as scams are concerned, like viruses they have a tendency to evolve and keep mutating into new variants and hybrids. So, caveat investor, know thy risks!
About The Author: Shweta Patel, CEO, Co-founder, Humint Solutions (Fraud & Scam Prevention Experts)