Major cryptocurrency scams and how to avoid them. Part 1: private key theft scams
According to research, hackers stole about $1.7 billion in cryptocurrencies in 2023 alone, and about 18% of that amount came from compromised private keys. The years 2022 and 2023 were record years for fraudulent attacks.
1. Personal contact scam
It often happens like this: a user writes to a public chat (for example, Telegram or Discord) with a request for help, and a scammer who spots the request sends a private message offering help. The scammer may introduce himself as a chat administrator or an exchange/wallet support representative.
Such scammers resort to social engineering (SE) and often first gain the user's trust by posing as an expert. Then it's just a matter of lulling the user's vigilance and getting the coveted private information.
How to avoid scams?
- Do not share confidential information (private keys, seed phrases, passwords, 2FA codes and so on) with anyone. Admins and support will never ask you for this information;
- Do not trust those who write you a private message first: in most cases, it is done by scammers;
- Ask experts for help yourself. It is better to do it without leaving the public chat, so there is less chance of deception.
Another method used by scammers is the offer of guaranteed earnings. The scheme is the same: the scammer finds you in a public chat and offers a supposedly working way to earn, for example, on arbitrage, convincing the future victim that they have an expert team, work only with reliable exchanges, and that you keep control of the funds. From there, scammers work in different ways, but it is essential to identify them from the beginning:
- Professionals won't message you. Teams that do arbitrage are usually already formed or are looking directly for experts; they typically have lengthy waiting lists, and it's not easy to get in;
- It's safest to say right off the bat that you're not interested in making money this way;
- Don't trust guarantees. Any way of earning money with investments is associated with high risks of losing money. Only scammers can guarantee income.
2. Phishing
Phishing links are often distributed via email, social media channels or chats. Recognizing such sites is easy: they usually request a seed phrase or a private key to a cryptocurrency wallet under various pretexts. Some are less obvious: they require a wallet connection, after which the user signs a fraudulent transaction.
It is also common for links to phishing sites to appear in Google and Yandex ads when searching. Once, Yandex even showed a phishing site imitating Stargate Finance, one of the most popular cross-chain solutions, in the first position of the organic search results.
Tips for beginners:
- Don't click on links from emails or private messages;
- Look for links to official sites on the project page via CoinMarketCap, CoinGecko or DeFi Llama;
- Save the links in your browser bookmarks on your first visit and use only those bookmarks in the future;
- Always check the website address in your browser: domains like Metamask-recover.com or Trust-wallet.io should arouse suspicion;
- Do not enter a seed phrase or private key on the site. They are only necessary when restoring access to the wallet in case you, for example, reinstall the app or create a wallet on a new device.
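The address check from the tips above, as an added example that is not part of the original article: it compares a link's hostname with the domains you have bookmarked and flags hosts that only contain a brand name. The `BOOKMARKED` table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the user's own bookmark list (official host -> brand keyword).
BOOKMARKED = {"metamask.io": "metamask", "trustwallet.com": "trustwallet"}

def host_of(url):
    """Return the lower-cased hostname of a link, tolerating a missing scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(url):
    """Return 'bookmarked', 'lookalike' or 'unknown' for a link."""
    host = host_of(url)
    # Exact bookmarked host, or a subdomain of it, is the only accepted case.
    for official in BOOKMARKED:
        if host == official or host.endswith("." + official):
            return "bookmarked"
    # Drop separators so "trust-wallet" and "trustwallet" compare equal.
    squashed = host.replace("-", "").replace(".", "")
    for brand in BOOKMARKED.values():
        if brand in squashed:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, including the two domains named in the article.
    for link in ("https://metamask.io/download",
                 "https://Metamask-recover.com/restore",
                 "Trust-wallet.io",
                 "https://metamask.io.login.example/"):
        print(f"{classify(link):10}  {link}")
```

A result of `unknown` only means no bookmarked brand name was found in the host; it is not a sign that the site is safe.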
Tips for experienced crypto users:
- Some browsers, such as Firefox and Opera, have built-in anti-phishing protection;
- Use additional anti-phishing plugins such as Fire, NetCraft;
- You can check the suspicious site via WebArchive and similar services if you don't know or have forgotten the original domain.
Do not rely entirely on protection tools: unfortunately, they are not 100% effective. It is essential to take a holistic approach to security, following all the points we have mentioned. Trust but verify.
3. Twitter/Discord hacks
Over the past year, there have been more and more hacks of accounts belonging to famous projects and people in the crypto industry: Aptos, Slingshot and even the account of Vitalik Buterin himself. Often, such attacks are carried out through confidential data leaks or a SIM swap attack, as was the case with Vitalik.
After the hack, attackers usually publish a link to a phishing site with a fake airdrop. Your assets will be stolen if you follow the link and connect your wallet to that site.
The same goes for Discord: it's not uncommon for attackers to hack into the accounts of server admins or moderators and distribute links to phishing sites through them.
Here are some tips to help you avoid being scammed:
- Don't rush, and don't start acting immediately. If scammers have set a limit (for example, you need to claim tokens within an hour), this is a clear sign of a scam: projects always provide enough time to collect tokens. If the airdrop is real, many sources will write about it, and it's better to believe them;
- Check information in other sources: official blogs, social networks, thematic forums or chat rooms. It would be strange if, for example, the news about an airdrop were published only on Twitter and nowhere else, wouldn't it? There, you will also find out if a published post on Twitter or Discord is fake;
- Don't click on links if their addresses are different from the genuine domain.
4. Address spoofing attacks
This type of attack works like this: the scammer sends you a transaction from an address similar to the one you last used. Fraudsters know it's not uncommon for users to copy addresses from recent transactions, and they take advantage of this.
As a result, the victim copies the fraudster's address without noticing the substitution due to the similarity of the addresses. The ways to protect against such attacks are very simple:
- Do not copy addresses from your transaction history. Either keep them separately in a notebook, copy them from your wallet, or save a QR code in advance and transfer using it;
- Check addresses carefully before sending. Among other things, your device may be infected with malware that spoofs addresses. Often, users check only the first two and last two characters, but it is better to check at least five characters and, ideally, the whole address.
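The check described above, as an added example that is not from the original article: a destination address is compared against your own saved list and flagged when it is not an exact match but would still pass a glance at the first and last characters. The addresses are constructed samples, and `ADDRESS_BOOK`, `check_destination` and the `edge` parameter are assumptions made for illustration.

```python
# Constructed sample addresses (hex, Ethereum-style); not real wallets.
SAVED = "0xa1b2c3d4" + "0" * 24 + "9f8e7d6c"
POISON = "0xa1b2" + "7" * 32 + "7d6c"       # same first 4 and last 4 characters
ADDRESS_BOOK = {"exchange deposit": SAVED}  # assumption: your own saved list

def body(addr):
    """Lower-case an address and drop the '0x' every hex address shares."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def shared_edges(a, b):
    """Count how many leading and trailing characters two addresses share."""
    a, b = body(a), body(b)
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return prefix, suffix

def check_destination(candidate, address_book, edge=2):
    """Return ('saved'|'lookalike'|'unknown', matching entry name or None).

    edge=2 mirrors the two-character glance the article says users rely on:
    anything that passes that glance without matching in full is flagged.
    """
    for name, saved in address_book.items():
        if body(saved) == body(candidate):
            return "saved", name
    for name, saved in address_book.items():
        prefix, suffix = shared_edges(candidate, saved)
        if prefix >= edge and suffix >= edge:
            return "lookalike", name
    return "unknown", None

if __name__ == "__main__":
    print(shared_edges(SAVED, POISON))
    print(check_destination(POISON, ADDRESS_BOOK))
```

The sample lookalike matches four characters at each end, so a two-character glance accepts it while the five-character comparison the article recommends does not.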
5. Website hacking
Another common scam method in 2023. For example, in October, Galxe, one of the most famous quest sites in the Web3 space, was hacked. Hackers accessed the Galxe.com domain by tricking the ISP with fake documents.
In this way, the attackers completely replaced the original site with a fake one, causing users to sign malicious transactions and lose their funds. About $270,000 was stolen due to this attack, but Galxe later returned the funds to the victims.
Also, recently, hackers were able to spoof a link to the Discord servers of CertiK and CoinMarketCap.
Unfortunately, it is difficult to defend against such attacks, as they can happen anytime. Fortunately, thanks to social networks, information about them spreads in seconds.
Here are some tips that can help you avoid falling victim to hacked sites:
- Before visiting a site where you need to connect your wallet, look for news on Telegram or Twitter — to see if the site has been hacked. It's certainly inconvenient, but it's still better than losing your assets;
- Subscribe to the CertiK Alerts, PeckShieldAlert, ZachXBT, and Beosin accounts on Twitter: they publish hacking data promptly there. Be sure to set notifications so you don't miss tweets;
- An unobvious life hack: first, use a spare wallet with a small amount of money. If all the assets are still in place some time after connecting the wallet, then it will be possible to use the main one;
- Generally, it is worth keeping large sums in separate wallets, preferably hardware ones, and keeping in hot wallets only the funds you actively use.
To avoid becoming a victim of scammer attacks, following basic security rules and always being attentive is essential.