Top 5: Crypto Crimes and Scammers to Avoid This Year

A new year has come, and new hacks and scams are brewing in the cryptocurrency world. Besides the classic old ransomware, phishing emails, and fake investment platforms, some other tactics to steal are getting quite popular among cybercriminals. These attacks have evolved in tandem with the maturation of the crypto space, emphasizing the pressing need for enhanced security measures.

According to estimates by Chainalysis, over $24 billion were received by illicit addresses in 2023. That’s an important decrease compared with 2022 and previous years, but it’s, by no means, an insignificant figure. Frauds, scams, darknet markets, malware, sanctioned entities, and other stolen funds in stablecoins, Bitcoin, Ether, and more altcoins are included in their report.

The message seems clear: we have to take good care of our coins. To do this, besides applying some basic measures, we also need to know about potential threats. Let’s discover what the scammers are up to lately.

Smishing

Maybe you’ve already received a text message (SMS) of this style: “Coinbase informs you of an approved transaction for $570 in BTC on 01/30/24. If you don’t recognize this operation, cancel here [Link].” Or perhaps a stranded relative or friend could ask you for some coins after losing their wallet overseas, or a dubious crypto exchange is showing you an enticing offer to join their website.

The “smishing” pattern is similar in all cases: you receive an SMS, often from an unknown number, asking you for private information or urging you to click a link after using diverse excuses and fake identities. IBM defines it this way:

“Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals. The term “smishing” is a combination of “SMS”—or “short message service,” the technology behind text messages—and “phishing.”

Coinbase experienced this in their quarters, indeed. Some “smishers” tricked their employees via SMS into sharing institutional credentials. Luckily, the incident was quickly spotted, and the scammer was blocked. To avoid being a victim yourself, always check the phone number sending the text (even this number can be faked though), and don’t click on links sent via SMS unless you fully know and trust the source and recognize the domain the link leads to.

Romance Scams (Pig-butchering)

This scheme isn’t new, but it’s growing exponentially. Losses of at least $1 billion in the US were reported for 2022, while the cybersecurity firm Verafin estimated that $3.8 billion were stolen with these scams in 2023, taking up to $1 million per victim. Scammers are hunting especially non-tech savvy elder people worldwide, but it could happen to anyone, everywhere. Whole criminal networks are working on it, and experts are predicting a higher severity for 2024.

Social media, chats, apps, and forums have let us connect with all kinds of people globally, and they’re not always to trust. Scammers could start pretending to like the same things as their victims, visiting the same websites or online events to start a fake friendship. In other cases, they directly write via Facebook, Discord, Twitter (X), or dating apps like Tinder. They’re patient, as they can talk daily with their victims for months.

Just when they have a certain level of trust, or even after declaring their undying love for the victim, they start asking for money or expensive favors. They can include sobbing stories about a financial crisis, shipping fees, kids back home, a medical emergency, or you name it. Payments are often asked in cryptocurrency.

On the other hand, instead of asking directly for money or things, they can recommend a crypto investment platform, talking about how they got juicy earnings with it. Of course, this is all fake, and they’re either owners or part of the staff of such a fraudulent scheme. As the US Federal Trade Commission advised: “If an online love interest asks you for money [or to invest money] — that’s a scam.”

Fake QR Codes / Quishing

These days, it’s quite common to find Quick Response (QR) codes everywhere. They’re just small squares with a monochrome pattern inside, easy to scan with any smartphone to discover a wide array of digital stuff: restaurant menus, payment systems, websites, emails, app installers, crypto addresses, and… malware. Or fraudulent sites. Or not the crypto address you intended to send funds to.

As the Aura cybersecurity team explained, QR codes aren’t always safe to scan. It’s pretty easy for anyone, everywhere, to create their own QR image with a customized link or data, and quickly share it digitally (via social media, chats, mail, fraudulent websites, etc.) or physically (by printing it). In this last case, it’s even common to paste a fraudulent QR code over a legitimate one —for instance, in parking lots.

This type of scam is often called “Quishing,” from the fusion between QR and phishing. It can affect all kinds of QR users, including the ones with a crypto wallet. They could find an enticing offer or airdrop via social media, scan a QR code, and be sent to a malicious website that either asks for their private keys or installs malware.

Fraudulent QR Generators

Another way to scam crypto users using QR codes is by building a fraudulent QR Generator platform. In this vein, ZenGo found out that “4 out of the first 5 results presented when querying Google [Bitcoin QR Generator] were leading to scammer sites” in 2019. In these platforms, when the user tried to generate a QR code for their BTC address, the system would automatically generate a code for the scammer’s BTC address instead.

That doesn’t seem to be the case anymore, as we’ve checked by ourselves. However, this type of scam isn’t over but has apparently moved to private coins like Monero (XMR), as recent reports pointed out. That’s why it’s always important to visually check every crypto address and URL before sending funds or typing credentials.

AI Threats

We’re likely in the Artificial Intelligence (AI) boom in every industry. And that also includes the crime sector. AI tools are growing in sophistication, availability, and user-friendliness, something that had to be noticed by cyber-criminals. Today, it’s possible to clone voices, copy exact faces on video (deepfakes), and generate quite convincing written content, thanks to a myriad of free tools online.

Therefore, a scenario in which a loved one calls you asking for some urgent financial help, and you recognize their voice (even if it’s not them), it could happen. Several experts are already advising to create a family password to prevent this kind of scam. The AI videos may be more difficult to spot since cyber-criminals can modify any original video to make its participants look like someone else (like a celebrity) and/or talk about something else entirely —like an “incredible” crypto investment platform.

That’s what happened to Ottawa News in January 2024. They published a story of an elderly couple that suffered a common crypto scam, and, two weeks later, a fake video of them appeared on social media, based entirely on the original story. However, in the fraudulent version, they were recommending the use of a dubious crypto investment platform.

How to know what’s real, then? In the case of video deepfakes, it’s advisable to check facial expressions, blinking, lip movements, and the angles of light. If any of these traits look weird in some sense, it’s likely a deepfake. Besides, common sense could help a lot: is this famous person or news portal really recommending a get-rich-quick scheme? Probably not. If it sounds too good to be true, it’s likely not true.

Fake Trading Bots

Some other times, scammers don’t even need to use real AI technology, but just pretend they’re using it. Numerous crypto investment websites claim that they use the help of bots, automated trading algorithms, and AI, in general, to invest or trade with the funds given by their customers, promising impossibly huge returns.

This is all false, of course. Commonly, they create fake dashboards for the victims to check on the “growth” of their investment, while in reality, they took everything from the start. Only when the user tries to withdraw their supposed earnings is that they realize there are no funds there, crypto or otherwise. The US Commodity Futures Trading Commission (CFTC) warned about this:

“Fraudsters are exploiting public interest in artificial intelligence (AI) to tout automated trading algorithms, trade signal strategies, and crypto-asset trading schemes that promise unreasonably high or guaranteed returns. Don’t believe the scammers. AI technology can’t predict the future or sudden market changes.”

Discord Hacks

Discord is a useful communication platform, used by millions worldwide. That also includes most of the cryptocurrency world: it’s weird for a crypto project, coin, or brand not to have its own Discord server to share with its community. A fact that’s widely known by cybercriminals, who happily mingle inside that community, waiting for a chance to scam someone.

This could be not that different from common phishing, but the major problem here is that hackers are targeting crypto servers on Discord and somehow snatching the accounts of the admins to publish fake announcements and malicious links. Trusting the leaders and moderators, the users would click on those links and potentially lose their crypto funds and Non-Fungible Tokens (NFTs).

Numerous crypto projects have suffered this attack, including popular NFT brands like the Bored Ape Yacht Club (BAYC), Mars Cats Voyage, Known Origin, and Homeless Friends. Other crypto servers like Orbiter Finance, Metakey, Arbitrum, Sei Network, Polemos, Valheim, Sui Network, and even Obyte have briefly passed through this hack as well, with different results.

It’s important to remember that, unlike cryptocurrencies, Discord and other chat platforms weren’t designed for security since the beginning. Always remember to check the announcements first in other sources (especially official websites/blogs) before sending any funds or typing credentials on external websites.

Apply security measures!

Now that you know some potential threats, you surely can apply some measures to protect your crypto funds and personal data.

• Keep your devices and antivirus software updated. You can also install additional security tools, like a browser extension for web3 security (of course, be skeptical about anything that promises “security”). They can help you to identify and block phishing or fraudulent websites.

  
  

• Never click on links of questionable origins, whether they arrive by SMS, email, or social media. If you don’t know the sender (phone number, email, or URL), don’t open them.

  
  

• Don’t blindly trust when asked for money or given investment recommendations, especially in cryptocurrency. Be cautious of emotional manipulation and maintain a healthy level of skepticism.

  
  

• Always double-check your crypto addresses and QR codes, or replace them with textcoins, usernames, or emails in Obyte. This feature is available through the wallet (Send and Receive Tabs).

  
  

• Be sure to activate every security feature available on social media (like 2FA) and in your personal crypto wallet. In Obyte, it’s possible to delete your backup words (after saving them elsewhere), require a password for sending funds and opening the wallet, and connect via the private browser Tor.

Featured Vector Image by Freepik