Published in


The Tale of Two Scams: Trojan Horse & Phishing

“Cryptocurrencies can feel secure, because they decentralize and often anonymize digital transactions. They also validate everything on public, tamper-resistant blockchains. But those measures don’t make cryptocurrencies any less susceptible to the types of simple, time-honored scams grifters have relied on in other venues.” -The Wired

There is a surprising mismatch between the level of scaming and the targeted technology — blockchain. One would think that crypto hackers must be super high-tech, but the reality is that these scammers bet on the consumers’ vulnerabilities more than anything else.

Remember the Trojan horse tale? If you don’t remember, here is what happened:

  1. The Greeks built a gigantic wooden horse and pretended to sail home.
  2. They left the wooden horse at the Trojan door and was like “Yo, here is my peace offering.”
  3. The Trojans were like “Yep, we like the horse so we will keep it.”
  4. While the Trojans were sleeping, the Greeks came out of the horse and killed everyone.
  5. The Greeks won the Trojan War.

There are 3 important lessons here:

  1. A wooden horse can be dangerous.
  2. Check the gift that you have received. Don’t wait until you’ve brought it home to check it.
  3. Don’t accept gifts from a stranger (especially your enemy).

So what is the link between a Trojan horse and crypto?

Introducing, CryptoShuffler trojan… a “basic” cryptocurrency scam. This malware works by lurking in the dark on a victim’s computer and monitoring the victim’s clipboard. When the victim copies and pastes their crypto wallet address, this Trojan horse switches out the victim’s wallet ID and replaces it with a malicious crypto wallet address as a recipient.

As most people do not double or triple check the string of random letters and numbers of their wallets before they complete a transaction, any transactions completed using the malicious crypto wallet address results in the crypto going to the hacker, who’s probably chilling on a tropical island somewhere. By the time the victims cry for help, it is too late and the fake crypto wallet address is cleared out. Bottom line? Don’t be a victim of a keylogger.

Phishing the Crypto Pound

“That firewall won’t mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. ”- CSO

Ah, social engineering also known as the art of scamming. Most of us don’t recognize it, but we are victims of “social engineering” on a day to day basis. Just how often do you turn around to the person behind you when you walk through the office door and asks him/her to show you his/her ID? In the world of crypto, that is precisely how scammers get you… when you think you are “safe”.

Fake Administrators

Easy phishing scams catch the consumers off guard by pretending to be administrators or official collaborating partners of a real business. They reach out to the individual via private message on theTelegram and often offer something that is too good to be true. Most of the time, what is too good to be true is a scam. Offering free bitcoins and ethers is a common scheme that these hackers use to sweeten the deal to get the unassuming consumers to hand over personal details like ether addresses or even coinbase wallet addresses. Some scammers even take the time to find out what programs are currently offered by the blockchain company and pretend to be customer service representatives to approach the consumers. Don’t get hooked! You don’t want to be the fish that the scammers have been waiting for.

Fake App

Another phishing horror story came from MyEtherWallet. A fake application was created by a scammer named Nam Le. As ridiculous as it sounds, the fake app was ranked #3 on the Apple Store (until Apple took it down). Techcrunch reported that around 3,000 people paid for and downloaded the fake app, accounting for losses up to $15,000.

Fake Email

As a trusted leader in the blockchain field, we often hear stories from other companies that were shared through the grapevine as cautionary tales. Recently, another company’s official email server was hacked. The hacker obtained all the details of the various people who signed up for newsletters and sent them phishing emails about sending funds to a malicious ether address to obtain a slot for the upcoming ICO. Since most people have FOMO, many fell for the phishing emails and sent out their ethers willingly.

Fake Wallet

If you think the hackers are in this to get rich fast, you are wrong. Nowadays, the scammers have a lot of patience. A hacker spent 6 months collecting private keys for IOTA wallets. This hacker registered a domain called and advertised it as an official IOTA seed online generator. To gain credibility, the hacker linked this malicious website with a GitHub repository. In layperson’s terms, the wallet seed was always the same malicious seed using this generator. So the hacker sat there and logged every instance when someone used the malicious website to generate a seed. When the hacker finally collected enough private keys, he cleared out all the funds from owners’ crypto wallets. The hacker then disappeared immediately after the scam was exposed. The damage from this scam was around $3.94 million worth of IOTA.

Call the Security! The truth is, no matter how secure a blockchain platform is… we cannot prevent our consumers from falling for these trojan horses and phishing scams. The best we can do as a blockchain company is to educate our consumers again and again.

Protect Yourself

  1. Consider buying a hard wallet (e.g. Ledger Nano S, Trezer, or KeepKey).
  2. Never copy and paste your crypto wallet address.
  3. Check the transaction VERY carefully before you press confirm. Make sure your private key is correct.
  4. No one should ever ask for your private key.
  5. Always double check the website you are on. Google does NOT do a good job eliminating scam sites from top search hits.

Vigilance is the key to eliminating scams.

Remember the lessons that you have learned at the beginning of this post?

  1. A seemingly innocent wooden horse can be dangerous = a seemingly innocent website can be dangerous.
  2. Check the gift that you have received. Don’t wait until you’ve brought it home to check it = check your transaction details.
  3. Don’t accept gifts from a stranger (especially your enemy) = think twice before you accept free bitcoin or ether from a stranger.

IoTeX Warns You: Beware of Scams

Please know that we have encountered numerous FAKE contacts claiming to be IoTeX and offering additional private sale opportunities. We have never authorized any third party to distribute our private sale. ❗️DO NOT participate in any activities that are not officially released by IoTeX.

So far, we have not released any public sale plans. ❗️We have NO partnership with any other ICO projects. Please double-check to make sure that you are receiving official information from AUTHORIZED ADMINS in the telegram group and official SNS channels. We are working hard to remove scam messages/websites.

Announcement Channel:
Telegram Group:
Telegram Bounty Bot: BoTeX-B (@IoTeXBountyBot)
Telegram Admin Bot: BoTeX-G (@IoTeXGroupBot)

⚠️List of IoTeX Admins (Telegram)




About IoTeX

IoTeX is dedicated to create the next generation of the IoT-oriented blockchain platform. The cutting edge blockchain-in-blockchain architecture will address the scalability, privacy, isolatability, and developability issues relating to the IoT DApps and ecosystem growth. By combining token incentives with our vibrant global community, we believe we can crowdsource top industry and community talents to push the frontier of blockchain 3.0.





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
IoTeX Team

IoTeX Team

Building the Internet of Trusted Things: