Blockchain and cryptocurrencies are springboards for innovation, but, as an emerging industry, it can become an attractive target for scams and fraud with malicious actors constantly attempting to find new attack vectors to exploit. Financial incentives in the form of crypto or tokens, combined with the blockchain’s pseudonymity and the ability to transact with anyone anywhere, result in much fraud going undetected.
Types of Cryptocurrency Scams
There are many types of cryptocurrency scams, with new variations appearing all the time. These are a few of the most common types.
Exit scams involve someone, often founders or other key contributors, artificially inflating a token’s price and then exiting the project to profit at the expense of investors.
One example is pump-and-dump schemes, which involve one or more people buying up large quantities of a low market cap token and spreading rumors online with the aim to inflate the price. Once enough people have bought in, the original buyers “dump”, or sell, their tokens on the market, causing the price to crash.
Rug pulls are another type of exit scam, usually involving a decentralized exchange (DEX) listing. Like pump-and-dump schemes, token issuers will pump the price of their tokens, only to sell them. However, in a rug pull, scammers will remove all liquidity from the DEX liquidity pools, leaving investors without a way to sell their tokens.
Another mechanism is to code the token such that the issuer is the only wallet-holder able to sell. The latter method was used by those behind the Squidcoin scam. The scammers exploited the popularity of the TV show Squid Game by garnering interest before selling their tokens and leaving other holders to discover that they could not sell theirs.
Investment scams and Ponzi schemes
This is a broad category encompassing scams that promise guaranteed or outsized returns in return for an upfront investment.
Investment scams typically involve an “investment manager” who will require an up-front fee for advisory services or initial minimum investment before disappearing with the funds.
Ponzi schemes are a type of scam where funds from newer investors are used to pay older investors. These schemes do not offer any actual benefits or returns – the scheme simply relies on a continuous stream of new recruits bringing in money. OneCoin is an example of a Ponzi scheme.
Phishing scams are ubiquitous in crypto since attackers use them to try and extract private keys from individual and enterprise users alike. There are many variations, but they generally involve someone masquerading as a legitimate party to fool people into giving away personal information that will allow the scammer to steal funds.
Phishing attackers might pretend to be from financial institutions, crypto exchanges, or project teams, and they often use sophisticated methods to cloak their actions, such as directing users to “spoofed” domains that look like their target organization with only one or two characters changed.
Phishing can take place over a variety of media, including email, voice messages, SMS, and social media, among others. Phishing communications might be distributed to many people, but phishing attacks can also target specific groups within organizations (like the entire IT staff) or even specific individuals. These targeted phishing attacks are known as spear phishing.
In 2019, Singaporean crypto exchange DragonEx became the subject of a spear phishing attack when fraudsters posed as representatives from a trading bot firm to gain access to company systems.
Airdrops and token-based giveaway fraud are variations of phishing attacks called "airdrop phishing”.
These attacks involve sending unsolicited allocations of locked tokens or NFTs to wallets so that the sender can manipulate victims into taking actions to “unlock” their free gifts. However, these actions are usually a ruse to entice the user to connect their wallet to a fraudulent website or interface. Once connected, the website will drain their wallet of its funds.
In May 2023, it was reported that over $300,000 had been stolen from users who thought they were claiming legitimate airdrop tokens from Blur, a new NFT marketplace that had advertised a genuine airdrop.
Cryptocurrency malware is software designed to steal cryptocurrency via one of several routes.
Malware may attempt to detect crypto-related activity on a user’s computer by seeking out strings of characters that look like blockchain addresses. They may then seek to either replace recipient addresses with their own during a transaction or attempt to extract private keys through monitoring software.
Another method of crypto fraud using malware is known as “crypto-jacking” and it involves hijacking a computer’s resources, such as the GPU, to mine cryptocurrency – most commonly privacy coin Monero – without the user being aware.
How to Recognize and Avoid Cryptocurrency Scams
There are no failsafe methods for recognizing crypto fraud, but there are often telltale signs that should act as a red flag:
- Offers tokens or platforms that guarantee minimum returns.
- Requests for up-front fees, down payments, or initial investments to access future returns.
- Any request to provide your personal information, including bank credentials, credit card details, crypto wallet details, or login credentials for online crypto or finance platforms.
- Attempts to use social engineering or peer pressure, including pressure to act quickly before an offer expires.
- Misspellings, bad grammar, or poorly written communications, particularly if they purport to be from reputable companies.
- Domain names or names of apps that don’t correspond exactly to the brand name.
Any of these signs should serve as a warning to avoid interacting.
Tips for Safeguarding Your Crypto Assets
There are some precautions that can help to keep crypto-assets safe:
- Never disclose private keys or login credentials to anyone.
- Keep private keys stored in a secure, offline location.
- Use a password manager for online credentials and enable 2-factor authentication (2FA) wherever possible.
- Do not open unsolicited emails from unknown sources.
- Do not interact with unknown contacts on social media in a way that reveals any personal information.
- Use antivirus and malware protection programs on all connected devices.
- Regularly update operating systems and apps to the latest version, as they often include bug fixes and security updates.
- Do not interact with unsolicited airdrops.
- Use a hardware wallet for storing larger amounts of cryptocurrency.
- Consider using segregated storage, particularly for large amounts of cryptocurrency. Splitting the total into smaller sums and storing each in a different wallet can act as a risk mitigation measure in case one wallet becomes compromised.
- Only use known websites with established domains.
- Download applications from the official app marketplace.
Legal Remedies for Victims of Cryptocurrency Fraud
Users who have fallen victim to crypto fraud may have legal remedies available to them, depending on how the act was committed.
If the fraud involves payments made via a credit card or an insured bank, then users may be able to recover the amount through the institution that handled the transaction, which will also involve law enforcement as required.
Users who have lost funds from outside the banking system, through self-custodied wallets for instance, have fewer options and may have to resort to pursuing the case privately. For example, victims can engage blockchain tracing experts to amass enough evidence to identify and pursue the fraudster via legal means.
However, the unfortunate reality is that many victims of crypto fraud simply do not recover their losses, underscoring the importance of being vigilant and taking appropriate security precautions.
The Future of Cryptocurrency Security
From the individual user perspective, there are two areas of development that could support better cryptocurrency security in the future.
The first one is blockchain identity solutions which would enhance the transparency of blockchain transactions by making it easier to identify individuals. Using innovations such as zero-knowledge technologies, it’s possible to increase transparency while maintaining a general level of user privacy, only identifying individuals when law enforcement needs to intervene.
Another development is making blockchain security more accessible using technology such as biometrics to lock wallets rather than long, unintelligible strings of characters that need to be stored offline for security.
Crypto scams essentials
- There are many types of cryptocurrency scams, including exit scams, investment scams and Ponzi schemes, phishing, and fraud using malware, among others.
- Users should look out for signals such as offers of guaranteed returns, requests for upfront payments or personal data or credentials and avoid interacting.
- Keeping private keys stored safely offline, using a password manager for online credentials, and regularly updating your apps and operating systems can help to keep your crypto safe.