Pulling Off a Crypto Heist 101

Kaustav K. Patro
Published in SIGMA XI VIT
5 min read · Mar 29, 2024

Perhaps you’ve watched movies, heard stories, or even played video games where individuals pulled off heists involving millions of dollars in cash, gold bullion or even exotic vehicles from highly secured spots. But let’s face it, those days are over. Today, people with malicious intent increasingly turn to technology for their nefarious activities. During the crypto industry’s surge in 2017, new methods of exploiting crypto enthusiasts emerged. Fast forward five years: the initial hype had subsided, the sector had matured a bit, and some individuals found themselves holding substantial amounts of crypto in their wallets. When we refer to wallets, we mean both software and hardware devices that generate and store cryptographic keys. The private key is what signs transactions on the blockchain, so the wallet’s whole job is to keep that key from leaking; whoever holds the key controls the coins. Wallets are categorized as either “hot” or “cold.” Hot wallets are connected to the internet, are used for day-to-day transactions, and typically hold only the balance needed for that. Cold wallets are kept offline and are reserved for substantial deposits. A crypto user employs a hot wallet for transactions and keeps the bulk of their holdings in a cold wallet. These repositories are prime targets for criminals looking to pilfer cryptocurrencies.

A typical crypto wallet interface
Photo by 84 Video on Unsplash

Crypto scams have existed for as long as crypto has, with criminals employing tactics like phishing emails, investment scams, and vulnerability exploitation to coax individuals into voluntarily surrendering their coins. Phishing is the textbook crime: scammers send unsolicited emails or messages that lure victims into handing over credentials or personal information. Some scammers run call-centre operations, the so-called “Indian call centre” technique, stringing the victim along with false information. They assert that the victim’s holdings are subject to taxation and pressure them into moving their cryptocurrency onto fake investment platforms that the scammers themselves create and control. This kind of deception is usually referred to as an investment scam.

An Indian scam call centre

Heists differ from these scams in that they specifically target wallets holding substantial coin reserves, and they unfold in a way designed to keep the victim unaware, at least for the first few days, giving the robbers time to cover their tracks. Reputable cryptocurrency exchanges and certain high-profile individuals typically hold large amounts of cryptocurrency. Unlike deposits at “traditional” banks, significant crypto holdings are generally not covered by any government insurance scheme in the event of theft, and with weak or nonexistent regulation it is comparatively easy for perpetrators to escape accountability. A well-known example is the August 2021 Poly Network incident, in which an attacker exploited a vulnerability in the smart contracts (programs that run on a blockchain and move funds according to their code) of a decentralized finance (DeFi) cross-chain bridge and drained about $613 million worth of cryptocurrency tokens. The attacker, who later returned the funds and styled himself a white hat, demonstrated that a single contract flaw could let someone walk off with such a sum before anyone could intervene. Note that the transfers were not traceless: every transaction sat on the public ledger, which is what made the subsequent negotiation and return possible.

PolyNetwork

With these kinds of cryptocurrency reserves in mind, you could now start your online heist operation. Firstly, you need to gather a team if you prefer not to shoulder the entire burden, and potentially face the legal consequences alone, in the unfortunate event of getting caught. Ideally, a SIM swapping gang consists of at least four individuals, each assigned a key role: a searcher, a caller (or swapper), a holder and a coordinator. And maybe an attorney, just in case.

The Searcher initiates the operation using social engineering, the manipulation and deception of people to gain access to confidential information, networks, or systems. They start from publicly available information, such as tweets or Instagram stories in which victims brag about their crypto holdings. Then they go after the victim’s email account: running password-guessing software against it, trying credentials leaked from other breaches (which are sold in bulk on dark web markets), or simply buying the login from another hacker.
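Both of the account-takeover techniques above leave a signature in the mail provider’s login records: brute forcing is many failures against one account from one address, often ending in a success, while credential stuffing is one or two failures against many accounts from the same address. The following is an added example, not code from the original post, of the detection logic a defender would run over such records. The log format and the addresses are constructed for the example; the regex would need adapting to a real identity provider’s output.

```python
"""Flag password brute forcing and credential stuffing in login records.
Added example, not from the original post.  The log lines and their field
layout are constructed for this example."""
import re
from collections import defaultdict

# Constructed format: "<timestamp> auth result=<ok|fail> user=<account> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def _constructed_log():
    """Build the sample: 12 failures then a success against one account from
    one address (brute force ending in compromise), one failure each against
    eight accounts from a second address (credential stuffing), and a user
    who mistypes once and then logs in normally (benign)."""
    lines = []
    for i in range(12):
        lines.append(f"2024-03-01T10:00:{i:02d}Z auth result=fail "
                     f"user=victim@example.net ip=203.0.113.5")
    lines.append("2024-03-01T10:01:00Z auth result=ok user=victim@example.net ip=203.0.113.5")
    for i in range(8):
        lines.append(f"2024-03-01T10:05:{i:02d}Z auth result=fail "
                     f"user=user{i}@example.net ip=198.51.100.7")
    lines.append("2024-03-01T10:10:00Z auth result=fail user=bob@example.net ip=192.0.2.10")
    lines.append("2024-03-01T10:10:20Z auth result=ok user=bob@example.net ip=192.0.2.10")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, fail_threshold=10, spray_threshold=5):
    """Return a list of findings.  Thresholds are illustrative; tune them to
    the normal failure rate of the user population being monitored."""
    fails = defaultdict(int)          # (user, ip) -> failed attempts
    users_per_ip = defaultdict(set)   # ip -> accounts it failed against
    success_after_fail = set()        # (user, ip) pairs that failed, then succeeded
    for ev in parse(lines):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "fail":
            fails[key] += 1
            users_per_ip[ev["ip"]].add(ev["user"])
        elif fails.get(key):
            success_after_fail.add(key)

    findings = []
    for (user, ip), n in fails.items():
        if n >= fail_threshold:
            findings.append({"type": "brute_force", "user": user, "ip": ip,
                             "failures": n,
                             # a success after a burst of failures is the
                             # strongest single indicator of a takeover
                             "compromised": key_in(success_after_fail, user, ip)})
    for ip, users in users_per_ip.items():
        if len(users) >= spray_threshold:
            findings.append({"type": "credential_stuffing", "ip": ip,
                             "accounts": len(users)})
    return findings


def key_in(pairs, user, ip):
    return (user, ip) in pairs


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The `compromised` flag is the line that should page someone: a burst of failures followed by a success from the same address means the guessing worked, and the next thing to check is whether new mail filters appeared on that account.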

Once the Searcher has unauthorized access to the victim’s email, they silence the alerts that would give the game away: they create mail filters that delete, archive or forward any message from the target’s crypto exchange, which would otherwise warn the victim by email about logins from new devices, password changes and withdrawals. With those notifications suppressed, the victim remains unaware that their account has been compromised and is under unauthorized access.
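Because the filter is the attacker’s foothold, auditing mail filters is the single most useful check after any suspected email compromise. The following is an added example, not code from the original post, that reviews a filter export and flags rules which trash, archive, mark-as-read or forward mail from financial senders or mail mentioning logins and withdrawals. The XML is constructed for the example and modelled on the Atom-based layout Gmail uses for its filter export (`mailFilters.xml`); the sender domains are placeholders, and the `SENSITIVE_SENDERS` list is an assumption you would replace with the exchanges and banks you actually use.

```python
"""Audit a Gmail-style filter export for rules that silence messages from
financial or security-related senders.  Added example, not from the original
post.  The XML below is constructed for this example and modelled on the
Atom-based format of Gmail's filter export; domains are placeholders."""
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export: one benign newsletter rule, one rule that trashes
# exchange alerts, and one that forwards login/withdrawal mail to an outsider.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@newsletter.example'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='no-reply@exchange.example'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='withdrawal OR "new device" OR "login"'/>
    <apps:property name='forwardTo' value='drop@burner.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""

# Assumed list of senders whose mail the owner must always see (placeholders).
SENSITIVE_SENDERS = {"exchange.example", "wallet.example"}
# Wording typical of security alerts, matched against the rule's search terms.
SENSITIVE_WORDS = re.compile(r"withdraw|login|new device|password|2fa|verification", re.I)
# Actions that hide a message from the owner or leak it elsewhere.
SILENCING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead", "forwardTo"}


def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall(f"{ATOM}entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall(f"{APPS}property")}
        rules.append(props)
    return rules


def is_suspicious(rule):
    """A rule is suspicious when it silences or forwards mail that targets a
    sensitive sender domain or contains security-alert wording."""
    if not SILENCING_ACTIONS.intersection(rule):
        return False
    domain = rule.get("from", "").rsplit("@", 1)[-1].lower()
    targets_sender = domain in SENSITIVE_SENDERS
    search_terms = rule.get("hasTheWord", "") + " " + rule.get("subject", "")
    targets_words = bool(SENSITIVE_WORDS.search(search_terms))
    return targets_sender or targets_words


def audit(xml_text):
    """Return (rule, reasons) for every suspicious rule in the export."""
    findings = []
    for rule in parse_filters(xml_text):
        if is_suspicious(rule):
            reasons = sorted(SILENCING_ACTIONS.intersection(rule))
            if "forwardTo" in rule:
                reasons.append(f"forwards to {rule['forwardTo']}")
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in audit(SAMPLE_EXPORT):
        print(rule.get("from") or rule.get("hasTheWord"), "->", ", ".join(reasons))
```

Forwarding rules deserve the hardest look: a rule that archives exchange mail only blinds the victim, but one that forwards it gives the attacker a live feed of every code and alert even after the password is changed, so the forwarding address should be removed and the account’s recovery options checked for the same outside address.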

The next stage of the heist is handled by the Caller, whose goal is to take control of the victim’s phone number and intercept incoming one-time passwords (OTPs) and other crucial text messages from the crypto exchange. This is done through a SIM swap (often loosely called porting): the Caller persuades the victim’s mobile carrier that they are the customer and have lost their phone, and asks for the number to be activated on a new SIM card. That SIM goes into a burner phone, a disposable handset criminals use to maintain anonymity. From that moment every SMS meant for the victim, including password-reset and login codes, arrives on the burner instead, and the victim’s own phone loses service.

Now the Holder, receiving the login codes through the swapped SIM, begins looting the coins stored in the victim’s wallets. To cover their tracks, the stolen cryptocurrency is transferred to accounts the gang controls. Afterwards, the burner phone used in the operation is destroyed, removing a piece of physical evidence of the theft.

The acquired cryptocurrency is then laundered, either by sending it to a loosely regulated crypto-to-fiat exchange or by opening accounts with stolen identity documents to do the same. To make tracing harder for law enforcement, the funds are routed through crypto tumblers or mixers, which pool deposits from many users and pay out in smaller, unrelated-looking sums. Essentially, the initial lump sum is split into significantly smaller, less conspicuous amounts to avoid suspicion. Splitting alone does not break the chain of custody, though: every transfer stays on the public ledger, and investigators and blockchain-analytics firms routinely follow such fan-out patterns to the exchange accounts where the funds are finally cashed out.

With these steps executed successfully, the heist is considered complete. But do consider the security controls you will be up against, and the very real risk of getting caught and receiving a lengthy jail sentence. DYOR (do your own research).

P.S. The author does not endorse or condone criminal activities. This blog is a satirical guide aimed at helping you protect yourself from such con artists.
