Cryptocurrency Scams: Where money is concerned, scams always follow. And the same is true with cryptocurrency. In February 2022, cryptocurrency exchange platform Wormhole lost $320 million after a cyber attack. In addition to this attack, cryptocurrency scammers have stolen more than $1 billion since 2021, according to a report by the Federal Trade Commission.
Lloyds Banking Group in the U.K. reported cryptocurrency scams were up 23% in 2023 over the same period in 2022. During the first half of 2023, cryptocurrency scams were down. However, the number of scams increased significantly in the third quarter of 2023, according to bug bounty platform Immunefi’s report. Part of the increase was from the Mixin hack on Sept. 25 when attackers stole nearly $200 million.
Digital currency is a form of currency stored in a digital wallet, and the owner can turn currency into cash by transferring it to a bank account. Cryptocurrency, such as bitcoin, is different from digital currency. It uses blockchain for verification and no central authority such as a bank, so it is harder to recover from theft.
Even though cryptocurrency is a newer trend, thieves are using old methods to steal. Here are some of the common cryptocurrency scams to watch.
1. Bitcoin investment schemes
In bitcoin investment schemes, scammers contact investors claiming to be seasoned “investment managers.” As part of the scheme, the so-called investment managers claim to have made millions investing in cryptocurrency and promise their victims that they will make money with investments.
To get started, the scammers request an upfront fee. Then, instead of making money, the thieves simply steal the upfront fees. The scammers might also request personal identification information, claiming it’s to transfer or deposit funds, and thus gain access to a person’s cryptocurrency.
Another type of investment scam involves using fake celebrity endorsements. Scammers take real photos and impose them on fake accounts, ads or articles to make it appear as though the celebrity is promoting a large financial gain from the investment. The sources for these claims appear to be legitimate, using reputable company names such as ABC or CBS with a professional-looking website and logos. However, the endorsement is fake.
2. Rug pull scams
Rug pull scams involve investment scammers “pumping up” a new project, non-fungible token (NFT) or coin to get funding. After the scammers get the money, they disappear with it. The coding for these investments prevents people from selling the bitcoin after purchase, so investors are left with a valueless investment.
A popular version of this scam was the Squid coin scam, named after the popular Netflix series Squid Game. Investors had to play to earn cryptocurrency: People would buy tokens for online games and earn more later to exchange for other cryptocurrencies. The price of the Squid token went from being worth 1 cent to about $90 per token.
Eventually, trading stopped and the money disappeared. The token value then reached zero as people attempted but failed to sell their tokens. The scammers made about $3 million from these investors. Rug pull scams are also common for NFTs, which are one-of-a-kind digital assets.
3. Romance scams
Dating apps are no stranger to crypto scams. These scams involve relationships — typically long-distance and strictly online — where one party takes time to gain the other party’s trust. Over time, one party starts to convince the other to buy or give money in some form of cryptocurrency.
After getting the money, the dating scammer disappears. These scams are also referred to as “pig butchering scams.”
4. Phishing scams
Phishing scams have been around for some time but are still popular. Scammers send emails with malicious links to a fake website to gather personal details, such as cryptocurrency wallet key information.
Unlike passwords, users only get one unique private key to digital wallets. But if a private key is stolen, it is troublesome to change this key. Each key is unique to a wallet; so, to update this key, the person needs to create a new wallet.
To avoid phishing scams, never enter secure information from an email link. Always go directly to the site, no matter how legitimate the website or link appears.
5. Man-in-the-middle attacks
When users log in to a cryptocurrency account in a public location, scammers can steal their private, sensitive information. A scammer can intercept any information sent over a public network, including passwords, cryptocurrency wallet keys and account information.
Anytime a user is logged in, a thief can gather this sensitive information by using the man-in-the-middle attack approach. This is done by intercepting Wi-Fi signals on trusted networks if they are in proximity.
The best way to avoid these attacks is to block the man in the middle by using a virtual private network (VPN). The VPN encrypts all the data being transmitted, so thieves cannot access personal information and steal cryptocurrency.
6. Social media cryptocurrency giveaway scams
There are many fraudulent posts on social media outlets promising bitcoin giveaways. Some of these scams also include fake celebrity accounts promoting the giveaway to lure people in.
However, when someone clicks on the giveaway, they are taken to a fraudulent site asking for verification to receive the bitcoin. The verification process includes making a payment to prove the account is legitimate.
The victim can lose this payment — or, worse yet, click on a malicious link and have their personal information and cryptocurrency stolen.
7. Ponzi schemes
Ponzi schemes pay older investors with the proceeds from new ones. To get fresh investors, cryptocurrency scammers will lure new investors with bitcoin. It’s a scheme that runs in circles, because there are no legitimate investments; it is all about targeting new investors for money.
The main lure of a Ponzi scheme is the promise of huge profits with little risk. There are always risks with these investments, however, and there are no guaranteed returns.
8. Fake cryptocurrency exchanges
Scammers might lure investors in with promises of a great cryptocurrency exchange — maybe even some additional bitcoin. But in reality, there is no exchange and the investor does not know it’s fake until after they lose their deposit.
Stick to known crypto exchange markets — such as Coinbase, Crypto.com and Cash App — to avoid an unfamiliar exchange. Do some research and check industry sites for details about the exchange’s reputation and legitimacy before entering any personal information.
9. Employment offers and fraudulent employees
Scammers will also impersonate recruiters or job seekers to get access to cryptocurrency accounts. With this ploy, they offer an interesting job but require cryptocurrency as payment for job training.
There are also scams when hiring remote workers. For instance, North Korean IT freelancers are trying to capitalize on remote job opportunities by presenting impressive resumes and claiming to be based in the U.S.. The U.S. Department of the Treasury issued a warning of this North Korean scam targeting cryptocurrency companies. This type of scam is called a shadow workforce.
In 2022, shadow workers targeted a Sky Mavis engineer by posing as a LinkedIn recruiter. The engineer had a phone interview with this shadow worker and gave him a document to review for the next step in the interview. This document contained malicious code that allowed the North Korean Lazarus group to steal $600 million in a bridge attack.
These IT freelancers seek projects involving virtual currency and use access for the currency exchanges. They then hack into the systems to raise money or steal information for the Democratic People’s Republic of Korea (DPRK). These workers also engage in other skilled IT work and use their knowledge to gain insider access to enable the DPRK’s malicious cyber attacks. With these scams, these shadow workers have stolen nearly $3 billion in the past year, according to Chainalysis.
10. Flash loan attack
Flash loans are loans for short periods of time, such as seconds to make a trade. These loans are popular in the cryptocurrency market because traders use funds to buy tokens on one platform with a lower price, and then sell that asset immediately on a different platform to make money. These moneymaking trades are all done in one transaction and the flash loan is repaid.
Because flash loans are not collateralized and there are no credit checks involved, an attacker takes advantage of borrowing money and using these funds to manipulate pricing on a decentralized finance platform. To manipulate the pricing, the attacker creates several buy-and-sell orders to create an impression of high demand. The attacker then cancels orders after prices increase, which will cause the price to fall immediately. The attacker can then make a profit by buying at a lower price on a different platform.
In February 2023, Platypus Finance was victim to a flash loan attack, which resulted in an $8.5 million loss.
How to protect bitcoin and cryptocurrency
To protect against cryptocurrency scams, some of the common red flags include the following:
- Promises of large gains or double the investment.
- Only accepting cryptocurrency as payment.
- Contractual obligations.
- Misspellings and grammatical errors in emails, social media posts or any other communication.
- Manipulation tactics, such as extortion or blackmail.
- Promises of free money.
- Fake influencers or celebrity endorsements that seem out of place.
- Minimal details about money movement and the investment.
- Several transactions in one day.
Protect digital wallets from scammers by practicing good digital security habits such as strong passwords, using only secured connections or VPNs and choosing safe storage. There are two types of wallets: digital and hardware. Digital wallets are hosted online and have a higher rate of getting hacked. Hardware wallets store information, such as the cryptocurrency wallet and keys, offline within a device.
Cryptocurrency is not insured by the Federal Deposit Insurance Corporation, so keeping it safe is vital. Never give wallet keys or access codes to anyone.
How to report a scam
Anyone who believes they have seen a cryptocurrency scam or were part of a scam should report it immediately. Here are some organizations to report it to:
- Commodity Futures Trading Commission (CFTC): CFTC.gov/complaint.
- Federal Trade Commission (FTC): ReportFraud.ftc.gov.
- Internet Crime Complaint Center (IC3): ic3.gov.
- U.S. Securities and Exchange Commission (SEC): sec.gov/tcr.
In addition to the agencies listed above, the person should also immediately report to the cryptocurrency exchange used for the transaction.