When a businessman friend of mine told me he and his brother were investing in cryptocurrencies, I was, quite frankly, dumbfounded. Here were two technologically challenged businessmen planning to invest considerable money in one of the most technologically challenging concepts in existence. However, I understood the motivation behind their optimism. It was, in short, the belief that this was the road to instant wealth. It was not only the triumph of greed over fear, but the triumph of ignorance over reason. As someone who writes on cybersecurity, my first question to them was whether they had bought a hardware wallet. Their blank stares said more than any words could have.
This interaction made me wonder how many others were like these two businessmen. How many people, hoping for instant wealth, invested large sums in bitcoins or other cryptocurrencies without knowing the first thing about how they operate? I suspected the numbers were high, and, if this were true, there must be hundreds of hungry scammers waiting to feed on them.
Yes, I expected to see a lot of scams, but what I found exceeded all my expectations. There is a rampant feeding frenzy going on among scammers who are glutting themselves on the overabundance of naïve bitcoin and other cryptocurrency buyers. They are taking advantage of these people in a number of ways. Some of the scams are simplistic while others are more complex. Here are some that are currently making the rounds.
The ICO (Initial Coin Offering) Scam
Initial coin offerings (ICOs) are supposed opportunities to be among the first to invest in a new type of cryptocurrency. As one writer recently put it, “the shear number of ICO’s that have come across my desk makes my head spin.” The writer estimates that 90% of these offers are scams. If you check a site like Bitcoin Jerk, you will find a list of nearly every possible cryptocurrency available. As of this writing, there are almost 1500 of them with some selling for less than one cent. Although bitcoin itself is based on complex code and encryption, some of the currencies listed are based on absolutely nothing. Then how can they even exist? The answer is: by pure speculation.
If I have enough people believing that a green piece of paper with some esoteric markings on it has value, then it has value, at least among the believers. This paper can, then, be exchanged for goods and services. Remember that bitcoin really got its footing in the deep web where people needed to buy illegal merchandise, often drugs, in an untraceable fashion. As more people believed in its value, its value increased.
New cryptocurrencies need some way to make themselves known. The best way to do this is to pair themselves with a spamming network or botnet. This is what the largely unheard of cryptocurrency, Swisscoin, is doing.
Swisscoin has paired itself with the infamous Necurs botnet to spread spam offers for the coin. Swisscoin spokespeople deny this and ask those who get such emails to report it to them. That said, Swisscoin has been termed a Ponzi scheme by a number of researchers as it relies mainly on persuading investors to interest other people in the coin in order to increase interest (speculation) in it, thus, raising its price in what is termed a pump-and-dump scam. It could be that only one investor used the botnet to encourage more people to invest in the coin. The increased interest would, then, increase the price of the coin and, by extension, the spammer’s own income. The current price of a Swisscoin stands at $0.004. It is no surprise, then, that Swisscoin wants people to buy packages that start at 25 euros. That said, according to those who’ve traced the bitcoin address for the company, Swisscoin has received over $2.5 million in bitcoins alone. Not a bad return for a little known and almost useless cryptocurrency.
For this and other cryptocurrency spam emails, look for subject lines like the following.
Subject: Forget about bitcoin, there’s a way better coin you can buy.
Subject: Let me tell you about one crypto currency that could turn 1000 bucks into 1 million
Subject: This crypto coin could go up fifty thousand percent this year
Subject: Could this digital currency actually make you a millionaire?
Cryptocurrency Wallet Hacks
When you buy your bitcoins, you are really buying a private key that enables you, and only you, to use the coins. This key needs to be protected because, if it falls into someone else’s hands, the coins are as good as theirs. What’s worse is that bitcoin’s built-in privacy will allow the thief to escape all detection. So, to protect the key and your bitcoins, you need what is called, a wallet. Basically, there are three kinds of wallets. One that is often used comes with the coins you buy through some website, like Coinbase. The website protects your private key with its own security. In order for you to access your private key, you need a username and password. However, these ‘cloud’ wallets are vulnerable if someone gets your password. They can get this through normal hacking methods, such as phishing scams, or by infiltrating your email and contacting the bitcoin site to reset the password, thereby taking control of your account.
Cloud services themselves have been hacked and customers’ bitcoins were stolen. This happened to NiceHash when hackers compromised an employee’s computer to steal $64 million. The Mt. Gox hack (billions of dollars in bitcoins stolen) and the recent Coincheck hack ($450 million stolen) are examples of online storage sites that were hacked. Some of these could have been inside jobs.
Software wallets store your bitcoin information on your device or computer and, in so doing, are connected to the internet. Such wallets allow for easy use of your bitcoins but are more accessible to hackers. No serious bitcoin owner will use software to protect their private key. Serious users use hardware wallets, which are independent devices, not connected to the internet. They can be hacked, but not easily. For more information on these hardware wallets, see my recent post.
Fake Recipient Hacks
“All of my money was just send from MyEtherWallet to this address. It looks like that person has stolen more than 44 million dollars worth of crypto. What now?” So began one post on Reddit. It appears the user signed into a spoofed (look alike) website and gave them the information they needed to steal his bitcoins from the real website. Always check the URL carefully as even a one letter difference can be important. GoogIe.com is not the same as Google.com. (They look the same because of the font used on this website. The capital ‘I’ is indistinguishable from the letter ‘l’, but that’s my point. Spoofing a false link can be difficult to spot.)
It is also possible for a hacker to divert bitcoin payments through a man-in-the-middle attack. Without going into details, the scammer initiates a transaction with both a buyer and a seller and watches it progress. When the time is right, the scammer, pretending to be the seller, gives the buyer his own bitcoin address for the buyer to send the coins to. For more details on this scam, go here.
So, my final observation after studying many of these scams is that those who speculate on cryptocurrencies without knowing how they work are destined to find out how they work after they lose their coins. When greed is the underlying motive for buying cryptocurrency, reason is co-opted and people are more willing to take risks they would not normally take. As for my businessman friend mentioned at the beginning of this post, he ended up losing about 30% of his original investment. For the moment, his greatest fear is not of being hacked, but of having his wife learn about his costly investment.