The cryptocurrency blockchain was supposed to be impervious to fraud, but somebody forgot to tell the scammers.
Roughly $14 billion in fraudulent transactions occurred in the cryptocurrency world in 2021, up by 79% from a year earlier, according to data firm Chainalysis. Israeli software and cybersecurity concern Check Point Software Technologies, which is tracking the fraudulent activity, expects that number to grow this year.
Researchers at Check Point are documenting the most common frauds, and recently shared their findings. “There is currently a huge gap between crypto consumers and security,” said Oded Vanunu, head of products vulnerability research at Check Point, noting that the scammers understand the technology behind cryptocurrencies and the venues where they are traded much better than most crypto users.
Unlike fraud victims in conventional finance, victims in the Wild West of cryptocurrency cannot rely on deposit insurance or any other recourse. Instead, the villains ride off into the sunset with the loot, and the credits roll.
New scams take advantage of crypto investors' lack of tech expertise and desire to earn outsize returns. Some of the biggest fortunes in the cryptocurrency world were made by those who bought into then-unknown digital tokens in their infancy. Scammers take advantage of this appetite for newly minted cryptocurrencies. In some of the most common schemes, hackers create their own currencies embedded with hidden computer code that renders them worthless.
In another common style of scam, the hackers exploit vulnerabilities in the websites that crypto investors use to buy, sell and store tokens.
Here are three of the most common crypto scams, and how to avoid them:
New Cryptocurrencies with Hidden Fees
Just like scammers in the physical world, crypto frauds snare unsuspecting buyers using the fine print in contracts.
Thanks to the success of the Ethereum platform and others, many cryptocurrencies these days can be linked to “smart contracts.” To read and write smart contracts, a basic knowledge of computer coding is required, according to the Check Point researchers.
“Most people cannot really understand what’s inside this smart contract,” says Vanunu.
It’s also relatively cheap and easy for someone with knowledge of computer programming to launch their own cryptocurrency. So hackers have started to sell new cryptocurrencies with a clause in the smart contract that says any resale will remit to the inventor huge portions of the token’s value in fees.
Recently, Check Point identified one coin, MetaMoonMars, which changed its fees to 99% shortly after it launched.
This scam capitalizes on the cryptocurrency community’s obsession with the next big thing. In the last year, investors in brand new tokens like Shiba Inu saw their holdings rise many times over in a matter of days, helped by sheer hype and short-term momentum. Now investors scour the top gainers or “trending assets” on sites like Coinbase, Coingecko and CoinMarketCap for newly minted coins, hoping to discover the next “meme coin” before the price takes off.
To avoid getting scammed in this way, Vanunu recommends users buy a small amount of whatever new token captures their interest. By buying $1 worth, and then selling soon thereafter at around the same price, the user will know if exorbitant resale fees have been programmed into the token.
New Cryptocurrencies You Can't Resell
In the rapidly evolving cryptocurrency world, everybody tracks the fastest movers. The biggest daily percentage gainers are listed at the top of many Web sites. This is an ideal environment for the kind of “pump and dump” scheme that’s familiar to investors in penny stocks, and played out in the Squid Game cryptocurrency over two weeks in late October.
In this kind of scam, hackers write into the smart contract a clause that says their new cryptocurrency cannot be resold at all. This gives the hacker complete control of the new token’s price. To start the ball rolling, scammers simply buy the token themselves at steadily increasing prices. Any investor who joins in the game will find themselves unable to sell, meaning the price cannot be pushed down. Eventually, sites like CoinMarketCap.com will start to display the new cryptocurrency among the biggest daily gainers — free marketing for the scam.
This is exactly what happened with the Squid cryptocurrency. The inventors of this currency piggybacked on the popularity of the South Korean streaming show "Squid Game" despite having no official links to the show. Launched in late October on the PancakeSwap exchange, the currency drew Internet hype, especially when its price started rising exponentially. Due to the design of the currency, it wasn’t immediately clear to people who purchased Squid that they couldn’t sell their holdings, and so, for days, the buyers kept piling in.
By the time scammers "pulled the rug" on Squid Game, on Nov. 1, it had increased in value by 230,000%, according to Bloomberg.
A simple way to defend against such scams is to avoid newly launched cryptocurrencies. By sticking to the top 50 or 100 digital currencies, investors can be sure they’re dealing with known quantities.
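The $1 buy-and-sell check Vanunu recommends, run against both scam types described above, as an added Python example that is not code from Check Point or from any real token. ToyToken, its fields and the 5% loss threshold are assumptions invented for illustration.

```python
from dataclasses import dataclass


@dataclass
class ToyToken:
    """Constructed stand-in for a token's contract terms (hypothetical model)."""
    sell_fee: float = 0.0         # fraction of sale proceeds remitted to the creator
    sell_enabled: bool = True     # False models a token that cannot be resold
    fee_is_mutable: bool = False  # True if the creator can change sell_fee later
    price: float = 1.0            # dollars per token, held constant for the probe

    def buy(self, dollars):
        return dollars / self.price

    def sell(self, tokens):
        if not self.sell_enabled:
            raise PermissionError("sale rejected by contract terms")
        return tokens * self.price * (1.0 - self.sell_fee)


def round_trip_probe(token, dollars=1.0, max_loss=0.05):
    """Buy a small amount, sell it straight back, and classify what came back."""
    tokens = token.buy(dollars)
    try:
        returned = token.sell(tokens)
    except PermissionError:
        return {"verdict": "cannot_resell", "loss": 1.0}
    loss = 1.0 - returned / dollars
    if loss > max_loss:
        verdict = "hidden_fee"
    elif token.fee_is_mutable:
        verdict = "passes_now_fee_can_change"
    else:
        verdict = "passes"
    return {"verdict": verdict, "loss": round(loss, 4)}


def launch_then_raise_fee():
    """Constructed scenario: probe before and after the creator raises the fee."""
    token = ToyToken(sell_fee=0.02, fee_is_mutable=True)
    before = round_trip_probe(token)
    token.sell_fee = 0.99  # the 99% figure the article reports for one coin
    after = round_trip_probe(token)
    return before["verdict"], after["verdict"]
```

A passing probe describes the token only at the moment of the test; where the fee can still be changed, as the article reports happened shortly after one coin's launch, the same probe can fail later.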
NFTs with Hidden Code
If there’s one thing riskier than buying an untested cryptocurrency, it’s shopping for new non-fungible tokens. To buy these popular pieces of digital art, cryptocurrency enthusiasts have to move some of their holdings off exchange Web sites like Coinbase onto “marketplaces” like OpenSea, the largest. While the exchanges style themselves after conventional financial websites, the free-wheeling nature of NFTs means that the marketplaces resemble a more “buyer beware” experience, like eBay.
Hackers have become adept at exploiting the security vulnerabilities in these platforms, according to Check Point.
In September, the Check Point researchers noticed a lot of Twitter complaints from users of OpenSea who had suddenly lost all their holdings in their digital wallets. Vanunu and a colleague discovered that someone was posting NFT art that contained “malicious code.” If users clicked on the NFT, and accepted a “gift” from the hackers who had designed it, the code immediately cleaned out the user’s balance.
In late September, Check Point reported to OpenSea a vulnerability that would enable NFT scams, and the company fixed the issue soon thereafter. A spokesperson for OpenSea said a company investigation did not identify any victims, and indicated that victims would have had to provide a digital signature before a fraudster was able to steal money. After the investigation, OpenSea updated its security warnings to customers.
But Vanunu was soon receiving emails from other crypto users caught in similar scams. As soon as one vulnerability was fixed, hackers discovered another.
“This is the game now,” says Vanunu.
The only way to defend against this kind of scam is to be very careful where you click.
“It’s not really the money, what hurts is the humiliation,” said Matt Borchert, a YouTuber who said in a recent video that he was conned into buying a worthless NFT on OpenSea. “Someone is sitting there, going ‘I can’t believe they fell for that.’”