Warning to crypto fans: Phishing schemes are not just for email any more.
In a new scam, criminals are manipulating online advertising to target cryptocurrency users searching for digital currency “wallet” apps MetaMask and Phantom, according to cyber security firm Check Point Research. Fraudsters bid on keywords on Google ads, luring cryptocurrency enthusiasts to counterfeit versions of the Web sites, according to the Check Point investigation.
The effectiveness of the scam and the challenges of proving fraud occurred reveal some of the downsides of anonymized digital savings accessible to anyone who has the right code.
The Google ads phishing scam likely resulted in the theft of at least $500,000 worth of cryptocurrency in November, according to Check Point. The scale of fraud is often difficult to calculate because not everyone affected reports such incidents.
Representatives from MetaMask, Phantom and didn’t respond to requests for comment. A Google spokeswoman said: "This behavior directly violates our policies and we immediately suspended these accounts and removed the ads. This appears to be a malicious actor looking for ways to evade our detection. We are always adjusting our enforcement mechanisms to prevent these abuses."
How the Scam Works
Holders of cryptocurrencies must have access to the long string of numbers that identify their holdings on the decentralized ledger known as the blockchain. Some people store these numbers as hard copies. Many store them in online “wallets,” provided by crypto exchanges and by specialist apps such as MetaMask and Phantom.
Most crypto holders first buy and hold digital currencies in brokerage-style accounts on Web sites such as Coinbase or Robinhood. There are certain things, such as buying non-fungible tokens, which are not possible on these platforms, however. So, some enthusiasts move their crypto holdings to more flexible apps, including MetaMask, which specializes in storing Ethereum-linked tokens and enabling purchases of NFTs; and Phantom, which specializes in applications of the Solana cryptocurrency. Both sites allow for the transfer of cryptocurrency from other platforms into their wallets.
During November, Google searches for both MetaMask and Solana were answered, in part, by ads with links to phony lookalike Web sites, according to Check Point.
If a user inadvertently clicked on the link, they entered an intricate simulation of the real Web sites, like a digital version of an "Ocean’s Eleven" caper. A screenshot captured by Check Point, for example, shows one of the links as Phanton.app, a single keystroke from the legitimate Phantom.app URL. Once a user clicked on the link, the Web design, as illustrated by more Check Point screenshots, was a perfect replica of the bona fide site. Even the pop-up tech-support instant messages, according to Check Point, were carefully matched to the legitimate site's Web design.
Once inside the fake Phantom or MetaMask site, users were prompted through the account creation process. The language on the prompts made it appear that the user was creating a brand new wallet; but they were actually setting up new passwords for an existing Phantom or MetaMask wallet – one controlled by the scammers. When it came to funding the wallet, the fake Web site linked back into the bona fide Web site. Any cryptocurrency transferred to the “new” wallet could be instantly swiped by the scammers.
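The single-keystroke lookalike described above (Phanton.app for Phantom.app) is the kind of address a short check can flag before a link is followed. The sketch below is an added example, not code from Check Point or the wallet makers; the trusted list (including metamask.io), the one-edit threshold and every sample host other than Phanton.app are assumptions.

```python
# Added example: flag hosts whose name is within one keystroke of a trusted wallet domain.
# TRUSTED is an assumed allow-list; only Phantom.app / Phanton.app appear in the article.
TRUSTED = ("phantom.app", "metamask.io")


def normalize(host: str) -> str:
    """Lower-case a hostname and drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable(host: str) -> str:
    """Last two labels of the host (assumption: ignores suffixes such as co.uk)."""
    return ".".join(normalize(host).split(".")[-2:])


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent-swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(host: str, max_edits: int = 1):
    """Return (verdict, trusted domain it matches or imitates, or None)."""
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted", domain
    name = domain.split(".")[0]
    for trusted in TRUSTED:
        # Same or near-same name under any ending (typo or swapped TLD) is suspect.
        if osa_distance(name, trusted.split(".")[0]) <= max_edits:
            return "lookalike", trusted
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample hosts, apart from Phanton.app, which the article cites.
    for h in ("Phanton.app", "www.phantom.app", "metamaks.io", "metamask.app", "example.com"):
        print(h, classify(h))
```

A "lookalike" verdict is a prompt to stop and type the known address by hand; it does not prove a site is fraudulent, and a lookalike that differs by more than one edit passes as "unrelated".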
A nightmare end to the year
One Texas man who fell prey to a similar MetaMask scam in late November lost about $50,000 of bitcoin after a fake help agent wormed their way into his Coinbase account. (Money agreed to not publish his name, since he was the victim of a crime.)
His troubles didn’t end there. He said he is plagued by nightmares about the experience. He has spent a lot of the holiday season filing reports with the Federal Trade Commission and the Federal Bureau of Investigation and is concerned that he will have difficulties proving that he is no longer in control of the cryptocurrency, potentially leaving himself liable to capital-gains taxes.
“I just feel like such a [fool],” the Texas man told Money.