The number, frequency, and scale of scams involving impersonations are growing like fungi. It’s probably the sign of our times and it’s worrisome. And it’s not just amateur operations run from basements. It’s reached the level of organized crime. The recent impersonating saw hundreds of ads and websites deployed from multiple accounts and locations. It took YouTube several days to deal with the issue. YouTube ads scam Vitalik Buterin their newsletters had fallen victim too, with fake newsletter-like emails directing unsuspecting victims to XRP “reallocation” fraudulent sites. I could feel the pain of , Director or Research, when she wrote “And please, please, for the sake of my pride, assume that I would never write anything like… .” Coindesk recently reported Noelle Acheson your bags are in for a happy week Few things are more disheartening than seeing your hard-earned reputation tarnished by fraudsters. Yes, the odd, clumsy teenage hacker plays the game too, like the — over the phone — into giving him access to admin systems, which led to the hijacking of multiple high-profile Twitter accounts to perpetrate a well-known crypto scam impersonating celebrities. 17-year-old who fooled a Twitter employee double-your-coins It’s clear that impersonators are upping their game. Long gone are the days in which the Nigerian Prince scam or the broken-English phishing emails impersonating banks you’d never worked with were the main threats. The staging is ever more elaborate and considerate, thus credible at first sight. Even low-profile scammers are taking the game up a notch too. Take this example coming from my own experience running the still-young Telegram group. Superalgos Community A new user came to us to report that someone with a Telegram profile seemingly identical to that of — the project’s lead developer — had contacted him in a way that raised slight suspicions. Luis Fernando Molina After a quick, friendly chat, the impersonator had offered to run a trading bot for him. That would save him the hassle of setting it up himself. All the would-be victim needed to do was to surrender his exchange API keys, and he would be up and running in no time. What could possibly go wrong, right? Trying to scam crypto traders out of their API keys is certainly not a new endeavor. What is concerning is the level of consideration evidenced by the precise formulation of the heist, and how fitting it was in the context of Superalgos. This is not the same kind of low-cost, carelessly deployed scammy propositions thrown out in the open in the hope that a very small percentage of the public may engage with it. Take the kind of a scam as an example. This is likely to be the most common scam message in any given crypto trading group these days. thank you Mr. Jackson for diligently investing my capital, I’ll forever be grateful- How effective can such a ridiculous bait be? My take is that — if they keep doing it —it works. The tactic involves luring certain kinds of people into trusting the supposedly forever-grateful, uninterested referrer of Mr. Jackson. Trust the referrer enough, and getting to trust Mr. Jackson himself is just one step away. The scam is based on what Robert Cialdini called , by which — given an ambiguous proposition — certain kinds of people tend to take action provided that other people take action first. By the way, this is also one of the psychological principles upon which marketers have been crafting referral programs for decades. social proof It used to take certain personality traits, or a certain level of Internet illiteracy to qualify for being scammed. However, the quality of the staging and the care for details of the new generation of scams is now threatening even knowledgeable, sensible people. The recent attack on Superalgos users is a good example. The scam was specifically tailored to the context, and resulted in a credible proposition, at least for new users. Getting to a credible proposition must have required considerable dedication and planning. To illustrate the investment involved in formulating such a targeted attack, this is the shortest mental process required for someone new to Superalgos to come up with such an idea: * The scammer must have found us while searching for crypto trading groups. Scammers understand the power of diversification, so they constantly search for new groups to target. * However, he didn’t act impulsively. He didn’t attempt any of the typical scams. Instead, he took his time and studied what Superalgos was about. * He noticed that Superalgos wasn’t the typical crypto-trading group, where traders discuss recent price action, BitMex funding, or market predictions. * He realized the group deals with trading bots and the Superalgos software in particular. * He also noticed that Superalgos is not a company offering an online service, but an open-source project run by the community, developing software that runs on users’ machines. * He studied the nature of personal interactions in the group and noticed users usually help each other to get started. * He identified Luis as one of the admins helping out with the technical aspects. He witnessed how Luis would help someone get started or troubleshoot an issue, right then and there. Only after observing and processing all of the above information was it that it all clicked-in. All the scammer needed to do then was to set up a Telegram account with a username similar to Luis’, steal his profile picture, copy the bio, and attack his first victim. Fake — real, real — fake… which is which? He contacted a new user: someone who had recently introduced himself to the community acknowledging he was new to trading bots. Luckily, the would-be victim was sharp as a tack. He let the impersonator spill the beans to find out what the scam was about and swiftly reported the scammer to the real Luis. So, the good guys win, the scammer gets unmasked Scooby Doo meme, and everyone’s happy… Sweet, right? ala Not so fast, cowboy. Unmasking after the fact is not enough! It took us five minutes to track the offender and craft a quick message to alert the community. By that time, several other users had been attacked already. Fortunately, no one had acted upon the malicious offer, but still, the experience made us realize how vulnerable our community was to impersonators. Telegram Can't Handle the Threat , running away from other platforms that won’t offer the most basic privacy guarantees or grant ownership over users’ data. The crypto community has adopted Telegram However, Telegram seems unable to find a technological solution to the impersonation conundrum and scams in general. The challenge seems to lie in the unlikely balance required for successful group communication, in which personal privacy embodied in anonymity seems to be at odds with the quality of the interactions and general users’ safety. Anyone who has spent any time on Internet forums knows that the quality of the conversation is proportional to how invested participants are in keeping a personal reputation. After all, and communication vices. anonymity enables multiple forms of identity deception While anonymity is a desirable feature, the option to have a unique, unforgeable identity is too, even when the online identity may be pseudonymous — that is, not tied to a physical identity. In the context of a community, pseudonymity is always preferable to anonymity, as a pseudonymous member may keep a reputation, while an anonymous one may not. However, Telegram accounts are easily forgeable, as shown earlier with the fake Luis Molina profile. If anyone may easily pretend to be anyone else, then it’s pretty much like rendering everyone anonymous. Attacking Impersonators’ Weak Spot So it seems that we are left with the sole option of taking matters in our own hands. What do we do then? First, we need to understand how impersonators operate in the context of a Telegram group. They wouldn’t try to impersonate a trusted member of the community out in the open, right? The answer is no — most of the time. Impersonating an admin out in the open would be risky, as admins’ messages in the group are tagged with either the default label or a custom label that may be set by the group owner. admin Impersonators may hijack other identities in the open, but they also run the risk of the owner of the identity noticing it and raising the matter to the group admins. As a rule of thumb, it’s safe to assume that a criminal investing time and effort infiltrating a community does everything possible not to get caught, as the cost of getting caught is blowing the details of the scam out in the open, alerting the otherwise unsuspecting community. Impersonators may only deal with their victims in private. That is their weak spot. How may group admins interfere with unknown impersonators’ private communications? The answer lies in the Community Policy. A Solid Anti-Scam Community Policy If impersonators may only trick community members by contacting them in private in an unsolicited fashion, then the community’s first and foremost, the rule must be: 1. Group admins will never contact you in private unless you contact them first. Let community members know that if anyone ever contacts them claiming to be an admin in your group, it’s a scam; period. This is a clear and unambiguous policy that every Telegram group should adopt if we are ever going to eradicate Telegram impersonators. If an admin ever needs to have a private conversation with a community member, the admin must call the member in the public group and publicly ask the member to be contacted in private. For a community member to contact an admin in private, he or she will find one of the admin’s messages in the group, which are properly labeled, click on the admin’s user name, and click on the admin’s profile. Send Message By doing this, the community member establishes a trusted channel, with a virtually 100% guarantee that the party on the other side is the real admin. Once the private communication channel is established, it may be safely used by either party in the future. 2. Identify what else community members should never expect from admins, and state it explicitly. In the case of Superalgos — being an open-source project developing a free and trustless system to build, test, and deploy crypto trading bots — that would be: Admins will never ask you to submit exchange API keys or funds, for any reason. In fact, we will never ask you — and you should never need — to trust us in any way. 3. Make it a priority to educate newcomers about the first two rules. In the case of Superalgos, a warning message awaits newcomers right on top of our pinned welcome message, before information on how to download and install the software is provided. We also educate users about how to stay safe while operating the software and interacting with the community in prominent pages of the documentation. 4. Use a tried and tested Telegram bot to help with managing the community. Implementing a host bot to help manage repetitive tasks can free up human resources, which may be better used for things that may — or should not — be automated. At Superalgos, we are using . Miss Rose In our case, the first and foremost automated task is greeting newcomers and pointing them to the pinned message, so that they may be briefed on all the important matters of the project before they get started with the software. 5. Lock abuse-prone user functions and enable member-policing tools. Telegram offers limited admin control over what user actions may be locked. The good news is that your bot host may expand the built-in admin functionality incorporating finer-grain controls to manage the group. In our case, we started by locking the ability for users to: It’s crazy that Telegram’s admin interface does not provide this function, as it is crucial. If you allow users to add bots to the group — which is enabled by default — you are guaranteed to have an endless stream of spambots harassing the group until the end of time. Add bots to the group While it would be nice to allow users to post links to useful resources, the truth is this is one of the most abused user functions and a major source of scams. Telegram allows blocking URLs, but Miss Rose expands the functionality by keeping a whitelist of domains and URLs. This allows filtering out all URLs but the ones that are deemed to be of use to the community, such as links to the documentation, specific GitHub repositories, the official website, or the project’s social media. Post URLs We’ve seen users accidentally sharing their location and random contact details, so locking this ability, which has no particular use in our case is a way of protecting community members. Share their location and contact cards In our case, there is no interest in such things, thus locking such functions helps keep the community-focused. Post polls, games, and buttons By default, Miss Rose allows users to interact with her in many ways. The problem is that those interactions happen publicly within the group, which may be annoying when abused. Send commands to the host bot On the other hand, we enabled a couple of features that help keep the group clean and tidy, and enable members to take part in caring for the community: Miss Rose enables community members to report any message by replying to the offending message with a simple command: . This not only helps the group stay civilized; it’s also a great tool for members to report scammers and fraudulent messages that may go unnoticed by admins. The report is sent to the group of admins, pointing to the offending message so that they may take appropriate action. Report bad behavior /report Miss Rose may take care of deleting welcome messages, as well as entry and exit notifications. This helps keep conversations streamlined and easy to follow. Auto clean-up of administrative messages The more Telegram groups implement these policies, the more Telegram users will become familiar with the notion that when someone — whomever that may be — contacts you in an unsolicited manner, it is enough reason to be suspicious, and act accordingly. Julian Molina is Co-Founder of Superalgos , an open-source crypto trading bots project managing an incipient Telegram community group. ( ) Read Behind a Paywall here

Dash

Funding

Target

Twitter

YouTube

Converting Your Raspberry Pi Into a Crypto Trading Bot

Here's Why We Built An Open-Source Goldmine of Crypto-Markets Datasets

Automate your crypto-trading!

Read My Stories

Too Long; Didn't Read

Fight Telegram Impersonators With A Bit Of Common Sense And A Dash Of Vigilance

Fight Telegram Impersonators With A Bit Of Common Sense And A Dash Of Vigilance

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Building Crypto Trading Intelligence into Your Trading Bots - A How-To Guide

106 Stories To Learn About Community

4 Cost-effective Ways to Find New Customers for Your Startup

5 Small Businesses Give a Masterclass in Community During COVID-19

6 Lessons Learned From Building Tech Communities Across Sri Lanka

A Q&A with MongoDB's Marcus Eagan on Developer Mentorship & Building a More Equitable World

Building Crypto Trading Intelligence into Your Trading Bots - A How-To Guide

106 Stories To Learn About Community

4 Cost-effective Ways to Find New Customers for Your Startup

5 Small Businesses Give a Masterclass in Community During COVID-19

6 Lessons Learned From Building Tech Communities Across Sri Lanka

A Q&A with MongoDB's Marcus Eagan on Developer Mentorship & Building a More Equitable World

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps