The DeFi revolution presents new risks and challenges for innovators, regulators, cybersecurity experts and early adopters of the powerful technology. These are the top 5.
“Where money goes, crime is never far behind.”
In our new digital world this age-old saying still rings true, especially in regard to the emergent cryptocurrency and NFT landscapes.
According to a recent report by blockchain analytics firm Elliptic, cybercriminals have laundered $4B through DEXs, bridges, and coin swaps since 2020. Much of that was related to the top 10 crypto hacks of all time, half of which have occurred since 2020, but much of it also comes from casual everyday scams and investment schemes that plague the crypto community.
In this article we’ll discuss the 5 most common crypto scams and how you can avoid falling victim to them.
Bitcoin Investment Schemes
Bitcoin investment schemes usually come in the form of random private messages, spam comments, or ads online that promise to give extraordinary returns on Bitcoin investments. The scammer will claim to be a “professional investment manager” or something similar, and they’ll often provide fake credentials and a fabricated history of profitable trading to convince a target to trust them. Once their trust is gained, the scammer will direct the target to transfer their Bitcoin to the scammer, or request an upfront fee for “investment management”, and then they’ll disappear with the money.
Scammers use various deceptive tactics to gain the trust of their targets, including online celebrity impersonations, fabricated endorsements, fake websites that imitate authoritative sources, and a whole slew of other lies and falsehoods. For example, one popular Twitter scam is to take control of a ‘Verified” account (one with a blue check mark), change the name to match that of a popular crypto personality (Vitalik Buterin or Binance’s CEO, CZ, for example), change the picture and the bio too, and then spam investment schemes in the comments section of popular tweets.
It should be noted, of course, that while Bitcoin is the most popular cryptocurrency among these kinds of schemes, they can be done using any cryptocurrency.
How to Avoid Bitcoin Investment Schemes:
Since these types of schemes mostly rely on social engineering and gaining the trust of investors, the best approach you can take to avoid them is to be very sparse with who you trust online.
Be skeptical of any and all claims about high-return investment strategies, especially from people you don’t know, but even from those you do, as they could have just as easily fallen into a crypto investment scheme themselves. Furthermore, refrain from taking investment advice from or acting on celebrity endorsements, even when it’s from a verified account, because even celebrities can fall victim to crypto investment schemes or worse – their account could have been taken over by a malicious actor.
Rug Pulls and Exit Scams
To “pull the rug out from under [somebody]” is when you pretend to be their friend and offer support, but then betray them. In crypto it’s no different.
A ‘rug pull’, or ‘exit scam’, is when a team (or individual) builds a cryptocurrency or NFT project with the sole intent to collect investment funds and then abandon the project. Sometimes this wasn’t the intent from the beginning, but a team faces insurmountable challenges or a failure to execute on their plans for some reason, and decides to drain the project’s liquidity and run off with the money. This usually happens rapidly, leaving investors no time to withdraw their funds before their investments drop to essentially $0, but there are also slower forms of rug pulls, where the team in charge of a given project slowly drains the liquidity over time.
In the case of deliberate exit scams where a project is built for that sole purpose, often some flashy and unrealistic promises will be made and a range of endorsements will follow, from small-time crypto shillers all the way up to big name celebrities who don’t really understand what they’re being paid to promote. Additionally, fake claims about big partnerships with brand name companies and projects in the crypto or financial sectors will be used, and sometimes even deep fake videos or fabricated news websites will be made to give the impression of legitimacy.
How to Avoid Rug Pulls and Exit Scams:
The euphemism “if it sounds too good to be true, it probably is” applies well here.
There’s another saying in the crypto community, “DYOR” (Do Your Own Research). To make good investment decisions, you need good information. This starts with learning all the various metrics that can be examined about an NFT or cryptocurrency project, such as its tokenomics (supply and distribution characteristics), market activity, and its team’s background. You’ll never fully remove the risk of getting rug pulled if you’re investing in high-risk assets like altcoins or NFTs, but you stand the best chance of not getting scammed if you cultivate and rely on your own extensive research criteria instead of trusting endorsements, celebrity or otherwise.
Phishing scams are nearly as old as the internet itself.
First coming in the form of spam emails and AOL messages, a phishing scam is when an attacker sends a malicious link that, if clicked, can potentially steal vital banking and identification information from an unsuspecting victim, and this now extends to cryptocurrency wallet keys and digital assets such as NFTs as well. The most common kind of crypto phishing scam involves a promotional message with a link that leads to a fake website or dApp (decentralized application) that asks the victim to connect their wallet and give permission to make transactions, after which their crypto is transferred out of their wallet.
You’ll notice many phishing scam attempts if you’re active in crypto-related communities across platforms such as Discord, Telegram, Twitter, Facebook, YouTube, and TikTok. Attackers will use spambots to mass DM (direct message) crypto community members or followers of popular crypto accounts with phishing links, and it’s this method of ‘throwing bait into a sea full of fish’ from which “phishing scams” derive their name.
How to Avoid Phishing Scams:
“Think before you click,” as the saying goes.
Any link on the internet has the potential to be a phishing scam, but some are far more suspicious than others. Learning about the most common phishing techniques, as we outlined above, is step one to avoiding them. Links from random DMs that make unrealistic claims and promises, emails that you weren’t already expecting, and even celebrities on social media should always be regarded with high suspicion, and basically never clicked. DYOR also applies here, as if you’re tempted to click on a link you can always conduct some background research first to verify multiple sources of the information and make sure you’re visiting the official website of interest.
This is social engineering on steroids.
A romance scam is, like it sounds, when an attacker poses as a romantic interest to gain the trust and affection of a target. Sometimes spanning weeks or months, romance scams often involve elaborate impersonations of attractive men or women who weave complex webs of lies and excuses to emotionally manipulate their target before eventually leading them into an investment scheme or even flat out asking for money, often in the form of Bitcoin or other cryptocurrencies.
The most common places frequented by romance scammers are online dating apps, streaming and video websites, and general finance or cryptocurrency communities where they suspect they will find their primary targets which are lonely individuals with access to large sums of money. The FBI reported that in 2021 some 24,000 victims lost approximately $1B to romance scams in the United States alone.
How to Avoid Romance Scams:
This should go without saying, but if you meet a love interest on a dating site, or anywhere else on the internet, and they want you to send them money or make an investment of any kind before at least meeting in the real world, it’s almost guaranteed to be a scam. Set boundaries for yourself when engaging with people online.
This is as close to “real hacking” as it gets in terms of the most common ways people get their crypto stolen.
A man-in-the-middle (MITM) attack is when a malicious actor gets in between two data access points and then has control over all incoming and outgoing information through a given channel. These kinds of attacks usually require the attacker to have close proximity to the target. For example, you go to your favorite cafe and connect to their free wifi but it lacks proper security, and now the hacker has gained access to your device through the wifi connection. They may intercept your incoming messages or send fictitious messages from contacts you trust, or they might gain access to your banking details, your identity, and your crypto wallet credentials.
How to Avoid Man-in-the-Middle Attacks:
While not using sketchy public wifi connections is an obvious one, you could also be at risk of MITM attacks if your home or office setups aren’t secure.
The first line of defense is to make heavy use of password protection on all devices and network access points. Second, you can use a VPN (Virtual Private Network) to encrypt the data you send online. Third, you can beef up your security by hiring professionals to orchestrate pentesting to look for vulnerabilities in your networks and recommend solutions.
Other Common Crypto Scams
The DeFi space is ripe with ways to lose your money.
Many so-called “meme coins” and NFT projects deeply resemble Ponzi schemes; social media giveaways are usually some combination of fake (meaning they never actually give out the prizes they “offer”) and malicious (phishing scams); DEXes, NFT marketplaces, and P2P exchanges can contain all sorts of bad code that can be exploited; and there are even fake “employees” and “employers” who present themselves as professionals in a business setting only to gain access to your information or crypto.
Innovators, developers, early adopters, cybersecurity experts, regulators, and law enforcement all need to work together to protect the people who use this new paradigm-shifting technology.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.