Many crypto scams are just another form of financial crime that could as easily be carried out using dollars, rands, or gold chains. Such common scams include Ponzi schemes, romance scams, ‘rug pulls’ – where capital is raised and then the founders disappear with all of it – and good old-fashioned blackmail and extortion.
These scams don’t require any deep technical knowledge. They mostly leverage social engineering and confidence schemes to gain the victim’s trust to pay crypto into the scammer’s account.
They are by far the most common type of crypto scams, according to the FBI’s 2021 Internet Crime Report.
But there is another layer of crypto crime that belongs more aptly in those hacker movies where a deep technical knowledge allows fraudsters to swindle unsuspecting victims smoothly and quickly.
Bogus crypto investment apps have defrauded victims of at least $42 million (R726 million) in less than a year, reports the FBI. Creating such an app requires computer programming knowledge specific to the device the app is targeting, such as the Android or Apple iOS mobile operating systems.
These bogus apps can be incredibly convincing; one app recently defrauded a Silicon Valley computer programmer of $1.3 million (R21 million).
Some fraudulent apps even make it onto official app stores.
Token spoofing is an extremely advanced crypto fraud method that utilises malicious smart contracts.
A smart contract is a piece of code on a blockchain – most commonly the Ethereum blockchain – with a set of programmatic rules that must be adhered to for the successful exchange of crypto tokens.
It is possible to programmatically specify a well-known address – such as the address of a popular token creator – inside the smart contract’s code, even though that address is not associated with the contract.
Block explorers such as Etherscan then pick up this address, and any transactions from the contract seem to be made by the well-known address when in fact they were initiated by someone else.
The spoofed address inspires confidence in the contract, making people believe the tokens coming from it are from a legitimate source.
How this spoof is then leveraged by scammers varies, but it was once used to scam Uniswap users out of $4.7 million (R81 million) by directing them to a fraudulent website where they exchanged real crypto for the spoofed tokens.
More fancy footwork with smart contracts allows criminals to mint an NFT (non-fungible token) directly to a well-known person’s wallet address and then immediately take it out again.
This makes it seem like the NFT was created by the well-known personality, obfuscating its true provenance.
This concept was proven by someone using the handle Monsieur Personne, who made a copy of Beeple’s $69 million ‘Everydays: The First 5000 Days’ NFT and then managed – quite convincingly – to create the impression that it originated from Beeple’s official wallet address.
This is called sleepminting and although it has not gained much traction, it is something to be wary of.
Seed phrases are the equivalent of a user’s private key that allows that user to unlock the funds in their crypto wallet.
Poor security regarding seed phrases – as when the Solana wallet provider sent unencrypted seed phrases to a central server – means that hackers can use the seed phrase to unlock a wallet.
Or, as in the case of Solana, 8 000 wallets.
Crypto ATMs and bogus QR codes
Crypto ATMs are becoming more popular but are still poorly regulated. They exist in the United States, Canada, Spain, and also in El Salvador, a country that officially recognises bitcoin.
To make a payment to an address, a crypto ATM offers the ability to scan in a QR (Quick Response) code.
Scammers can use anything from social engineering to direct hacking to send fraudulent QR codes to unsuspecting victims who then make a cryptocurrency payment to the fraudulent address.
Phishing and fake wallets
Phishing is one of the oldest tricks in scammers’ books.
Phishing is an impersonation tactic that uses fraudulent emails and websites that look legit to convince people to type in sensitive information such as banking details or cryptocurrency wallet keys.
A victim could receive an email designed to look like a well-known wallet provider urging the user to visit a website and connect their wallet to it, at which point the crypto in the wallet is stolen.
How to stay safe despite not being a crypto expert
All of the above attacks can be prevented if you have some knowledge of programming and cryptocurrency.
For less technically savvy people, the solution is to follow general guidelines such as:
- Only use trusted centralised exchanges to transfer cryptocurrency;
- Never respond to alarming emails;
- Always verify the facts after reading alarming emails, by calling the company directly;
- Stick to mainstream crypto assets unless you have someone experienced who can advise you; and
- Remember, if it seems too good to be true, it probably is.
* R Paulo Delgado is a crypto writer with an eye for the bizarre and the human stories behind the always fascinating leaps and stumbles of this new asset class.