
Scams in crypto projects: how investors lose money
If you have invested in cryptocurrencies at least once, you probably know that there are many ways to lose your assets, from phishing to hacking attacks on decentralized protocols.
Attackers are trying to find increasingly advanced ways to steal funds from investors and traders.
In this article, you will learn what a cryptocurrency scam is, how cybercriminals can steal your assets and what methods of fraud are most common, as well as how to protect yourself from them.
What is a crypto scam?
Put simply, a scam is fraud aimed at stealing cryptocurrency. The main goal of the attacker is to take possession of the victim’s digital assets by any means.
In the crypto environment, fraud has become very common due to the fact that the field is still poorly regulated, and many newbies do not really know how to secure their coins. This allows fraudsters to avoid liability because cryptocurrencies are harder to trace.
In addition, cryptocurrencies are known for their abnormally rapid growth, and inexperienced investors’ thirst for quick profits can play a cruel joke on them: as a result, the victim favors rash actions and loses his cryptocurrencies. According to the Federal Trade Commission (FTC), from October 2020 to May 2021 alone, the damage to users amounted to about $80 million.
Crypto scam methods
The methods of deception themselves have not fundamentally changed: scammers use the same means as before the popularization of cryptocurrencies, but the ignorance of many novice users of cryptocurrency plays into their hands. Let’s list the most popular methods of stealing cryptocurrencies used by cybercriminals.
Fake websites and wallets
Attackers can fake a DApp or crypto wallet website. This method is best known as phishing. Its essence is to obtain account credentials or private keys by deception. Unsuspectingly, the victim goes to a fake website or launches an application and enters private information that attackers steal in order to gain access to his account or wallet.
Unfortunately, cybercriminals bypass moderation in stores such as Google Play and even the App Store. Scammers have already managed to publish a fake Trezor wallet app on several occasions. The fact is that an official application has not yet been released for this hardware wallet, which is what cybercriminals are taking advantage of. Also, fake Trezor websites can often be found on the Internet; they falsely report a security breach and require you to enter your seed phrase in order to restore access and protect funds. Of course, after entering the data, the funds from the victim’s wallet disappear.
Protection methods
- Always check the domain address before use.
- Keep the site in bookmarks and in the future open it only through them.
- Don’t click on advertisements provided by search engines such as Google Adwords: they often contain links to phishing sites and apps. For example, Trezor’s original domain is trezor.io. Other domains are fake.
- Do not enter your seed phrase on third-party sites. The mnemonic phrase is needed in only two cases: to restore access to a lost wallet, or to restore the client on a new device.
- Complain about the advertisement and ask your acquaintances in messenger chats to do the same. The more complaints there are, the faster the moderators will pay attention to the ad and block it.
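The domain check from the list above can be automated. The following is an added example, not part of the original article: it compares the real host of a link against a personal allowlist and rejects the usual disguises. The allowlist contents and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Allowlist kept by the user; trezor.io is the domain the article names.
OFFICIAL_HOSTS = {"trezor.io"}

def check_wallet_url(url, official=OFFICIAL_HOSTS):
    """Return (ok, reason) for a link before it is opened."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://trezor.io@other.example/ the real host is other.example.
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalized host, possible lookalike letters"
    for good in official:
        if host == good or host.endswith("." + good):
            return True, "matches " + good
    for good in official:
        brand = good.split(".")[0]
        if brand in host:
            return False, "mentions " + brand + " but is not " + good
    return False, "not on the allowlist"

# Constructed sample links (the .example hosts are placeholders).
SAMPLES = [
    "https://trezor.io/start",
    "http://trezor.io/start",
    "https://trezor.io@wallet-restore.example/",
    "https://trezor.io.secure-login.example/",
    "https://trezor-io.example/recover",
    "https://xn--trzor-constructed.io/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_wallet_url(link))
```

Only the first sample passes; the others fail on the scheme, on text placed before an "@", on a brand name inside a different domain, or on a punycode label.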
Extracting private data
Another crypto scam method is to request and receive confidential data directly from users. Fraudsters can introduce themselves as employees of a company (crypto exchange or wallet) and request your details.
Here is an example: a fraudster approached the victim, posing as an exchange employee, and said that the funds on his exchange account were blocked. By using deception, the attacker managed to obtain account credentials and withdraw about $100,000 in cryptocurrency.
Methods of protection
- Remember that employees will never write to you first and will not ask for private information: passwords, seed phrase, private key, etc.
- Do not resolve issues through private chats. If you find a problem, contact the company’s support service using the methods indicated on the website or in your personal account: via mail, support chat, or messenger.
- Do not share sensitive data even if requested by someone claiming to be an employee. No one but you should know this information.
- Install advanced account protection, if possible: two-factor authentication (2FA), for example, via SMS or Google Authenticator, multi-signature, and other security methods.
Financial pyramids
This method was widespread long before the popularization of cryptocurrencies, but as the demand for digital assets grew, the founders of financial pyramids switched to the crypto industry. As stated above, this provides more freedom and avoids liability due to the fact that cryptocurrency transactions will be more difficult to track.
It is very easy to recognize financial pyramids: they offer depositors unreasonably high returns, but it is not clear how the company generates them. Often, the creators of such projects do not disclose any information about the company or its team, which is the main red flag when checking. By contrast, the high profitability of farming in the Uniswap and PancakeSwap protocols has a clear source: the commissions paid by traders and the accrual of native UNI and CAKE tokens, respectively.
Methods of protection
- Do not invest in projects if it is not clear how and from what the investors’ income is generated.
- Invest only those funds that you are ready to lose.
- Carefully check the information about the project on thematic forums, blogs, and YouTube. As a rule, pyramids appear on specialized sites dedicated to pseudo-investments.
- Check out ratings for the project such as DeFi Pulse, DeFi Prime, or DeFi Llama. There is also the service DappRadar, but it does not have such a strict selection (vetting) procedure. For example, the SharkTron scam project was on the DappRadar list of applications, although it was published in the High-Risk category.
Spoofing protocols
Some pyramids disguise themselves as AMM protocols. Outwardly, their interface and functionalities are similar to classic DeFi applications such as Uniswap or PancakeSwap. These pyramid schemes can be difficult to distinguish from real DApps due to the fact that decentralized protocols also offer high returns to holders.
One such example is the Shark Tron and Shark DeFi projects. The attacker launched DApps that resemble regular applications but ultimately performed an exit scam, stealing more than $7 from investors in the TRX cryptocurrency. The farming of native Sword tokens (SWD) was available to users, so the project was very similar to a DeFi protocol, but there were also signs of a pyramid scheme. To attract users, the price of SWD tokens was held in place using funds from previous contributors.
Methods of protection
- When you connect a wallet to a DApp, read the conditions carefully before signing a transaction so you know what permissions the protocol requires. Some protocols receive permission to spend cryptocurrency from any wallet that has interacted at least once with the protocol’s smart contract. This means that attackers can still withdraw coins from your wallet decades later if the protocol is hacked or a backdoor is found in it.
- Get a separate wallet to connect to DApps. In the event that the funds from it disappear, the rest of the assets will remain intact. Transfer coins to another wallet (old or new) if you are no longer using this DeFi protocol.
- Review security audit reports. Audits conducted by large companies like CertiK are a sign of credibility. But remember that the audit is not a guarantee that the protocol cannot be hacked.
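To make the first point of this list concrete, here is an added example (not from the original article) that decodes the call data of a transaction before it is signed and reports whether it grants open-ended spending rights. It assumes an EVM-style chain and the approve and setApprovalForAll functions of the common token standards, which the article itself does not name; the spender address and call data are constructed.

```python
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def describe_calldata(data_hex):
    """Decode the spending permission requested by a transaction's call data."""
    data = data_hex.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other"}
    if len(args) != 128:
        raise ValueError("expected two 32-byte arguments")
    grantee = "0x" + args[24:64]    # address is the low 20 bytes of word 1
    word2 = int(args[64:128], 16)
    if selector == SET_APPROVAL_FOR_ALL:
        # A true flag lets the grantee move every token of that collection.
        return {"kind": "setApprovalForAll", "grantee": grantee,
                "unlimited": word2 != 0}
    return {"kind": "approve", "grantee": grantee, "amount": word2,
            "unlimited": word2 == MAX_UINT256}

def needs_review(data_hex):
    """True when the call gives another address open-ended spending rights."""
    return describe_calldata(data_hex).get("unlimited", False)

# Constructed call data: the spender address is a placeholder.
SPENDER_WORD = "00" * 12 + "11" * 20
UNLIMITED_APPROVE = "0x" + APPROVE + SPENDER_WORD + "ff" * 32
BOUNDED_APPROVE = "0x" + APPROVE + SPENDER_WORD + format(5 * 10**18, "064x")

if __name__ == "__main__":
    for name, tx in (("unlimited", UNLIMITED_APPROVE), ("bounded", BOUNDED_APPROVE)):
        print(name, describe_calldata(tx), "review:", needs_review(tx))
```

An approval stays in force until it is revoked or spent, which is why the list also recommends a separate wallet for DApps.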
Infecting your computer with Trojans
Trojans encrypt your hard drive and extort cryptocurrencies. If the coins are not transferred within the specified period, the data is formatted and cannot be restored.
Some cybercriminals act in a more trivial way, simply by sending messages to a potential victim that an attacker has taken over his data and will sabotage it if the user does not transfer the specified amount in BTC or another cryptocurrency within a limited time.
Protection methods
- Do not transfer cryptocurrency to unauthorized persons. Most likely, you will not solve the problem, and the attacker will demand more and more.
- If you are being blackmailed and someone is trying to extort you for cryptocurrency, contact law enforcement agencies!
- Do not store private keys on your hard drive: this is unsafe. Alternatively, create copies so that if you lose your private key, you can restore access to the coins in your wallet.
Other Scam Methods
Attackers can get creative with fraud and come up with exotic scam methods. One of them is doubling. Its essence is that users are asked to transfer cryptocurrency, and in return, they receive a double amount. You don’t need to be a security analyst to realize that this is an obvious scam, but it’s not that simple.
There was a case where hackers managed to break into a Twitter database and obtain user credentials. Using the accounts of famous people, they published tweets on their behalf promising to double any amount that users transferred to the specified wallet. Famous entrepreneurs, politicians, and celebrities became victims of the cybercriminals, among them Elon Musk, Bill Gates, and even former US President Barack Obama.
In the previous paragraphs, we have already talked enough about methods of protection: you just need to be attentive and careful not to transfer your assets to hackers. And if in doubt, you can always enlist the support of the crypto community and ask them for help by describing the situation on thematic sites such as BitcoinTalk or CryptoTalk, or on specially designated threads, for example, on Reddit (you can create your own thread).
How hacker attacks differ from scams
The difference between these methods of stealing cryptocurrencies is that a hacker uses technical programming skills to find vulnerabilities in the code and withdraw cryptocurrencies from the wallet or smart contract. The hacker does not interact with users directly, and their losses will happen regardless of their actions.
In the case of scams, users most often fall victim to their own inattention and lack of necessary knowledge in the field of crypto security. Attackers use fake websites or accounts to trick the user, or social engineering skills by interacting directly with the victim.
Nevertheless, knowing how hacker attacks work will help you, if not to avoid losing funds, then at least to reduce the likelihood of it and the risks of using cryptocurrencies. Let’s talk about popular methods of hacker attacks and ways to combat them.
Exploits and other types of malware
These are viruses that infect your device, computer, or phone in order to extract private keys that are stored in the computer’s memory, or modify programs. Even though private keys are usually stored encrypted, hackers can decode them and then gain access to the user’s assets.
There are also more advanced exploits that can be injected into the code of existing cryptocurrency client software. There have been cases when a virus got into the program and changed the wallet address. For example, one Ledger Live user lost his coins without noticing the address spoofing. The malicious code changed all the characters of the address the coins were being sent to, except for the first two and the last: these are the ones most often checked by holders.
Means of protection
- Stop sending funds if you suspect something.
- Create a backup wallet. Restore it to a “clean” device and transfer the cryptocurrency to it so that the coins are temporarily stored on it until you understand the situation.
- Update your antivirus software.
- Check the entire address when making transactions in order to notice the substitution in time.
- If necessary, perform a full cleaning of the device or format the disk, and then reinstall the system. We recommend that you create a separate disk and install an operating system on it in order to use only crypto wallets – this way you reduce the likelihood of infecting your device with malicious code. Another option is to use a virtual machine.
- Store your private keys in a secure place that cannot be accessed over the Internet.
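The Ledger Live case above shows why checking only the ends of an address is not enough. The following added example (not from the original article) compares the address shown on a confirmation screen against a saved address book and flags one that matches only at the first two and last characters. The address book and both address strings are constructed placeholders, not real wallet addresses.

```python
def edges_match(a, b, head=2, tail=1):
    """The weak check: compare only the first and last few characters."""
    return a[:head] == b[:head] and a[-tail:] == b[-tail:]

def first_difference(a, b):
    """Index of the first differing character, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def classify_recipient(shown, address_book, head=2, tail=1):
    """Classify the address on the confirmation screen against saved ones.

    Returns ("known", label), ("lookalike", label) or ("unknown", None).
    """
    shown = shown.strip()
    for label, saved in address_book.items():
        if shown == saved:          # full comparison, every character
            return "known", label
    for label, saved in address_book.items():
        if edges_match(shown, saved, head, tail):
            return "lookalike", label
    return "unknown", None

# Constructed placeholder strings, not real wallet addresses.
ADDRESS_BOOK = {"my exchange deposit": "bc1qsampleaddressforillustrationonly0009"}
SWAPPED = "bc7zqattackercontrolledplaceholder00000x9"

if __name__ == "__main__":
    saved = ADDRESS_BOOK["my exchange deposit"]
    print("ends-only check passes:", edges_match(saved, SWAPPED))
    print("full check:", classify_recipient(SWAPPED, ADDRESS_BOOK))
    print("first differing position:", first_difference(saved, SWAPPED))
```

A "lookalike" result is a stronger warning than "unknown": an address that agrees with a saved one only at the ends is unlikely to be a coincidence.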
Hacking DeFi Contracts
According to research company Elliptic, in 2021, the damage to DeFi users from hacker activities amounted to about $10.5 billion. The funds of holders in the wallet are rarely affected, as cybercriminals steal assets locked in the DeFi protocol contract.
It is important to remember that decentralized projects do not follow anti-money laundering (AML) rules and do not protect their investors from a legal perspective. It doesn’t matter how you got your cryptocurrency, legally or not. Decentralized exchanges (DEXs) do not restrict users, and hackers can easily withdraw your funds.
The methods of protection against these attacks are the same as with using fraudulent centralized protocols.
Conclusion
You need to be very careful not to fall victim to crypto scammers and follow the simple rules we have outlined in this article. Remember that blockchain and cryptocurrencies are a relatively new field for law enforcement agencies, and it will be difficult for them to protect you legally in case of an incident.
Monetary losses will most likely not be compensated if the attackers have taken care to remain anonymous and have carefully hidden their identities. It is much more effective to master the basic principles of security when using cryptocurrencies and carefully analyze each of your actions in the digital environment.