How Cybercriminals Trick You Into Giving Up Your Crypto
We often hear cautionary tales of people waking up one day to find their crypto wallets drained of funds after falling prey to a hack or scam. There’s been several painful occasions where the theft involved precious NFTs, which are often unique and irreplaceable.
It’s terrible, and yet it keeps happening. We want to stop that. We want to help protect you from theft, and so we’ll get right to the chase.
In this article, we’ll tell you about the methods used by cybercriminals to steal your crypto valuables, and how you can prevent yourself from falling into their traps.
The Bait & Switch
This technique is simple to understand: scammers will attempt to pass off a fake website of a popular DeFi protocol or service to drain your wallet.
Cybercriminals can create websites that look very similar to legitimate crypto sites, and take advantage of Google ads (due to the small “ads” icon) to trick users who are Google-searching for a site.
They also buy domains that are similar to the legitimate one. For example, they may use “ensdomain[dot]net” as the scam site, while “https://ens.domains” is the real site.
Can you tell which is which?
Spoiler: the second one is fake
Be sure to bookmark the websites and dApps you use, and ensure that you do not use Google to find the link to a dApp’s website. One alternative to bookmarking is to use Twitter (as most projects have one) to find the project’s profile and website instead. But do watch out for fake Twitter profiles, as well!
Be sure to verify the website from multiple sources, including news articles, Twitter, Discord, Telegram, etc. If an account has a funny spelling in its name, or a surprisingly low number of followers and engagement on its posts, it should be a dead giveaway.
The Twitter account may even have a verified blue checkmark, which makes life easier.
Stay on your toes and do your due diligence to ensure that the website you are on is indeed the real one.
Even then, it’s also important to watch out for offers that seem too good to be true. For example, bitcoin.org is a genuine website for distributing the Bitcoin Core software. However, after being hacked earlier this year, it started displaying a popup of a scammer’s wallet QR code with a false promise to “double your money” if you sent Bitcoin to that address.
If you see any similar offers, it’s most probably a scam.
Like pickpockets, scammers often walk into crowded communities on Discord or Telegram to look for victims, where there is an abundant supply of crypto newbies. They use bots to join servers that don’t prohibit DMing other users and then mass spam users. They know not everyone will fall for it. But it doesn’t matter. It’s about statistics. They know a very small percentage of users will get sucked into their scam, so all they need is a large number of users to message.
Scammers may want seed phrases, private keys, or usernames and passwords. But in some cases, all they need to do is to get their victim to click on a link and connect their wallet.
If you were on Discord recently, you’ve probably already received messages like this:
Here’s another example, where the scammer is using the news drummed up around SushiSwap’s tease of Trident, a next-gen AMM, to find gullible users who might click the link:
The ‘Helpful Bystander’
You will notice on Twitter that every time you tweet something that mentions wallets or the name of a crypto exchange/app, a ‘helpful’ stranger will come along to tell you that they had a great experience with so-and-so support (which links you to a fake support account/site).
It can be as simple as a Google Forms page (like this one) that asks you to enter your seed phrase, or as nuanced as a page that pretends to be from MetaMask.
Someone might even add you to a “support” Discord server or group. One way to avoid getting scammed is always have your guard up and verify the link independently (e.g. look for the official dApp website or official Twitter account and check if that same link is mentioned by that account, or in their bio.)
Some Discord servers also come with verified checks, so that you know it is the genuine one:
Fake MetaMask Website/Popup
There have been known to be websites that create a fake MetaMask popup tab asking for your password. The difference is that the fake popup tab would accept any password, even if it is the wrong one. On the other hand, the real MetaMask popup would only accept the correct password.
For more information, do check out this thread.
This isn’t really a scam, but it certainly is worth mentioning for safety reasons.
Be careful about posting photos online, especially those that could reveal where you live (via an open window/sunlight/landmarks) and may have your address. Even if you delete it right away, once it is online it tends to stay there.
Do not talk about your crypto holdings to people around you. A man living in Madrid, Spain, was with at least two other people in the house when five burglars broke in and tortured him to get the private keys (original story in Spanish) to his Bitcoin wallet.
The burglars had “repeatedly beat [the victim] for hours. After being cut and electroshocked, the victim finally gave in and confessed the password of his Bitcoin account.”
One possible strategy to avert this or at least mitigate your loss is to have a “mugger’s wallet” with a convincing amount, and to distribute your remaining holdings between multiple paper wallets held in separate secure locations.
Be as wary of your real-life security as well as your virtual security, although if you are not holding millions of dollars worth of crypto, it is much less likely that someone will track you down in real life to steal your crypto.
Your own judgement and experience are the best defenses against scams and theft. Crypto wallets may come with some highly advanced security features, but you can still get scammed if you don’t pay attention.
Practice the habit of never clicking on unfamiliar links without independently verifying them, and be very careful about accepting DMs from strangers. Remember to double and triple-check addresses that you are sending crypto to, even if you copy and paste, because there is malware that can take advantage of your complacency and hijack your clipboard to substitute in the attacker’s address.
Some scams that aren’t covered here include very elaborate social engineering that could take weeks or months to pull off, which sometimes includes someone posing as your genuine friend or creating a whole group of fake people to interact with each other (“sock puppeting”), so that you let your guard down over time.
Finally, a good angle for safety is to never trade or approve transactions while you are distracted, tired, or emotional (e.g. when someone sends you a message designed to provoke an emotional response). In fact, just don’t perform any transactions on your mobile phone, so that there is at least a delay for you to think things through.
So before you trade, make sure you are alert, well-rested, hydrated, and take the time to think things through before you approve anything with your crypto wallet.
Stay safe, and subscribe to Immunefi to stay informed about the latest Web3 security updates!
Review code. Prevent hacks. Build rep. Get paid.
🔒 For more guides on how to secure smart contracts, analysis of past hacks, and information on the latest bounties, make sure you follow us on Twitter or join our whitehat Discord community.
P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.