Bamboozled: A Short Guide on the Plays Scammers Love to Use to Steal Crypto & NFTs
By the end 2021, Defi (Decentralized Finance) platforms reported holding north of $243 billion worth of deposits. Up from $18.29 billion the year before!
In the same year, a record $14 billion was stolen globally. That’s a 79% increase from the previous year thanks to a surge in theft and scams specifically targeting DeFi platforms.
It’s no secret that DeFi companies experience attempted hacks on a minute-by-minute basis from sophisticated black-hat hackers. On the flipside, it’s the everyday person who pays the real price since most these companies have insurance policies in place to provide enough cushion for themselves to stay afloat and profitable.
Most novices in this space unwittingly think these DeFi platforms will keep their funds secure from deviants. This is far from the truth due to the inherent nature of irrevocable cryptocurrency transactions.
That’s why it’s so important for each individual to educate themselves and learn how to detect nefarious signals before adding stakes to the game.
In this post, I’ll share stories and examples of the most prevalent scams targeting users of cryptocurrency brokerages & NFT (non-fungible token) marketplaces, including two-factor authentication (2FA hacks), phishing scams, and old-school scams.
Two-factor Authentication Hacks —
Turns out it’s not all it’s cracked up to be
In February 2022, a married couple was notified via an automated phone call informing them that their Coinbase account was in jeopardy. The recorded call claimed to be a Coinbase security prevention representative alarming them to the fact that they have detected unauthorized activity due to multiple failed login attempts.
In the heat of the moment, the husband, Apgar, hastily provided the automated bot with his two-factor authentication code sent via SMS to verify he was the rightful account holder.
Subsequently less than two minutes later, Apgar and his wife were locked out of their Coinbase account. The scammers stole approximately $106,000 worth of cryptocurrency and US dollars. The bot used to target their Coinbase account is called a one-time password, or OTP bot.
“The bot calls are crafted in a very skillful manner by artificially creating a sense of urgency and trust over the phone. The calls rely on fear to convince unknowing victims to act and ‘avoid’ malicious activity.” — CNBC
Scammers will combe through publicly available social media posts to determine how much cryptocurrency a potential target holds and possibly where. Unsurprisingly, millions of people love to share how much cryptocurrency or NFTs they bought, when (via social media timestamps and cross-reference those with etherscan.io) and what wallets/exchanges they might be storing them in.
Next, they will proceed to contact their targets through multiple social channels claiming they’re a customer service representative and that the reason they are calling is to address a ‘security matter‘. Once they’ve gained the target’s trust, scammers will persuade them to divulge sensitive information such as birthday, social security number or password claiming to need ‘verify’ that they’re the legitimate account holder.
You’re probably saying to yourself, “alright, who in their right mind would fall for something like this, it’s obviously a scam!”
Let’s remember just how recent crypto, DeFi, DAO, and the NFT universe are and just how far down the rabbit hole goes. Crypto is essentially a digital black hole that goes on forever in a never ending ripple through time and space.
Phishing Scams — Probably one of the most effective ways to infiltrate organizations and scam individuals
Email phishing scams are one of the most successful tactics whereby scammers will create a seemingly legitimate domain name, for example, customer904445382456@websupport.com, to inform a target that something strange is going on with their account in order to get them to click on a link.
By clicking a dubious link like the one you see above, the target could be providing scammers with the ability to access their computer even if it’s shut off or will redirect them to an exact copycat Coinbase login page to record keystrokes. Now they have the target’s credentials which they’ve unwittingly handed over without raising any internal alarms thus far.
In similar fashion, this how many large cryptocurrency platforms like Coinbase and Binance have been infiltrated in the past. Experienced and emboldened scammers targeted the inboxes of employees of these platforms to get them to click on a call-to-action link or download a file on their work computer to infect their systems with malicious code. This gave scammers unfettered access to company proprietary technologies, terabytes of private customer information, and the ability to deceive millions of customers via various channels to drain patrons of all of their digital assets.
Tessian, an enterprise email security company, revealed that 75% of organizations around the world experienced some kind of phishing attack in 2020 — and 96% of those came by email.
Tighten Your Life Jackets — OpenSea Smart Contract Debacle
On February 19, 2022, OpenSea, undeniably the most popular NFT marketplace in the world announced that they were upgrading their smart contract in an attempt to identify and get rid of outdated NFT projects plaguing their site.
OpenSea notified all users to migrate their NFTs before February 25th.
That’s just a one-week window!
The primary goal of the migration was to move all the active NFT listings from the Ethereum blockchain to a new smart contract or NFT holders risk losing their listing. Such a massive event happening on OpenSea where millions of non-technical users are interacting with sophisticated smart contracts made them extremely vulnerable to phishing.
Just a quick note, I’d say 99% of victims don’t realize they’ve been scammed until they’ve already executed their transaction.
Ok, now you know where this is going…
Scammers deployed phishing emails to steal the NFTs before they were migrated by sending the rightful owners to a look-a-like OpenSea website and got them authorize a smart contract transaction.
The combination of providing such a short deadline given by OpenSea essentially forcing million of users to migrate their NFTs and the prevalence of email phishing scams gave scammers with a small but lucrative window of opportunity to steal $2 million worth of NFTs collectively.
Stay tuned. I’ll be doing a follow-up post about how you can protect yourself against these types of scams as well as my own personal story of being scammed myself.
Stay safe out there!