Crypto scams or hacks are often malicious schemes designed to rob crypto users of their assets. Crypto scams can be as simple as giveaways or as complicated as DeFi rug pulls.
According to Chainanalysis’ 2021 Crypto Crime report, illegal wallet addresses received up to $14 billion in 2021. That is nearly an 80% increase from the $7.8 billion in 2021.
Most times, crypto scammers aim to get access to user's private information or to trick them into sending crypto assets into compromised digital wallets.
The problem with crypto scams is that the stolen funds are often almost impossible to trace due to the privacy and decentralization of blockchain technology.
DeFi scams are elaborate schemes designed for the DeFi (Decentralized Finance) space. Like other crypto areas, DeFi is also vulnerable to fraud and crime; the space has seen an enormous growth of scams in the last year.
But, this growth has also attracted the attention of scammers and malicious actors. A report by Elliptic, a blockchain analytic firm, reported that over $10 billion were lost in DeFi scams between January to November of 2021.
The main reason is that policing DeFi poses a bigger challenge due to the complete decentralization. There are no regulators to enforce and prevent scams because users are in control of their assets. Besides, the rapid growth in the DeFi sector has attracted the attention of various people, including malicious actors.
For example, flash loans – a type of instant borrowing without collateral – have become a major area for fraud. Malicious actors use smart contracts to trick the lender that the loan has been repaid.
However, this doesn't overshadow the numerous benefits of DeFi; users just have to be more careful to avoid falling into scams.
DeFi scams can be broadly divided into two groups:
Scams involving the transfer of users’ assets directly to scammer's crypto wallets. That may result from impersonation or fraudulent investments like Rug pulls.
Scams that involve malicious actors gaining access to users' wallets or security information like their private keys. Sometimes, that may be stealing the user's physical wallet, i.e., Cold wallets. The Malicious actor then transfers the crypto assets out to another wallet.
DeFi Social engineering scams are just like regular internet social engineering scams. In this case, scammers use psychological manipulation like impersonation and deceit to get vital information from the user.
Most times, the user is manipulated to think that they are dealing with trusted people like tech support, business agency, community members, or friends. The scammer can relate with the victim for an extended period to gain the victim's trust and avoid suspicions.
After the malicious actor gains the victim's trust, they try to get the victim to reveal their private details or send money to the scammer's wallet. Examples of social engineering scams include romance scams, blackmail, and extortion.
Malicious actors lure unsuspecting crypto holders to invest in false investments or business opportunities. They do this by offering guaranteed returns with huge and fast ROI that seems almost impossible.
Once users send their assets to the platform, they find that they cannot get their funds out of the investment or business opportunity. In most cases, the promises of these bogus investments are always exaggerated with false promises.
As the saying goes:
"If it sounds too good to be true, then it probably is."
Keep that in mind if you're planning to invest in any crypto investment or business opportunity.
Rug Pulls schemes are currently one of the most common DeFi scams. In these elaborate scams, developers promote crypto projects that appear to be exciting, revolutionary projects with plenty of potential. They get massive following and hype on social media platforms and crypto communities.
When they gather enough money – hundreds of thousands, sometimes millions of dollars – they simply sell the token and disappear with the money. The developers never intended to build a project the first time.
Sometimes, these developers program a back door into the project's smart contracts that allow them to exit the project. And makes it impossible for investors to sell. Investors suddenly are left with valueless tokens, and the project stops existing, hence the name "Rug pull."
Rug Pulls got a lot of attention in 2021 after the SQUID scam. In November, the meme coin SQUID was created and named after the popular South Korean NetFlix series, Squid Game. SQUID began selling at 1 cent, after which it skyrocketed to above $90 before the developers crashed (rugged) it.
Another way developers carry out Rug Pull is through Liquidity pools. Developers create a new token on a DEX (Decentralized Exchange) and pair it with one of the big cryptocurrencies like Bitcoin or Ethereum.
The developers get investors to deposit the two tokens in the liquidity pool (i.e., the new token and BTC). Also, to get the new token, investors have to swap their BTC for the new token.
The scammers then drain the liquidity pool of the big coin (BTC in this case), driving the coin's price to zero and leaving investors with worthless coins.
Rug pulls scams are one of the easiest scams to spot if you pay attention. Here are some vital signs you should be on the lookout for.
The Pump and Dump is an old scam tactic in the stock market used to quickly raise the price of worthless assets, usually a penny stock. The brokers sell off their assets when the price increases, dumping the price of the assets and making off with profit.
In Pump and Dump crypto scams, the price of a worthless asset (sometimes a meme coin) is inflated through well-planned marketing.
The founders/scammers may use different marketing techniques, including social media posts, co-signs, influencers, and false/misleading statements. The hype around this coin is to position it as a hot buy and cause FOMO in investors (Fear of Missing Out).
"As the prices rise, the pump creators dump their assets into the FOMO they've generated, resulting in a price crash that leaves the new buyers holding a bag of the assets that now have a lower value than they were purchased at, creating significant and often unrecoverable losses."
The CTFC (The Commodities Futures Trading Commission) released its first Pump and Dump Virtual Currency Customer Protection Advisory Statement in 2018.
According to the Statement:
"Customers should know that these frauds have evolved and are prevalent online. Even experienced investors can become targets of professional fraudsters who are experts at deploying seemingly credible information in an attempt to deceive."
Pump and dump schemes usually capitalize on getting investors in quickly; it is all about the immediate hype. So, before you invest, here are some quick tips to help you spot pump and dump coins.
What is the purpose of the coin? Most times, pump and dump coins are meme coins – there is no specific use case behind the token. The pump and dump scheme organizer is only capitalizing on the social media hype.
Avoid buying based on just social media hype. Don't invest or buy a coin based on rumors and influencers' words. DYOR (Do your own research and verify the rumors).
According to the CFTC:
"Customers should avoid purchasing virtual currency or tokens based on tips shared over social media. The organizers of the scheme will commonly spread rumors and urge immediate buying.
Victims will commonly react to the currencies or token’s rising prices, and not verify the rumors. Then the dump begins.
The price falls, and victims are left with currency or tokens that are worth much less than what they expected. From beginning to end, these scams can be over in just a few minutes."
Crypto phishing scams are a variation of the old internet phishing scams – where malicious actors pretend to be legitimate companies or websites to gather personal info from their victims.
Phishers in the crypto world are interested in getting users' crypto wallet private keys. The scammers then use keys to access funds within the wallet and send the assets out.
Here are the common ways scammers carry out phishing on crypto users:
DeFi phishing can be conducted through email; the bad actor pretends to be trading platforms or DeFi protocols.
The email informs users that their account is compromised, and to solve it, they need their wallet addresses and password. In some cases, scammers request for the user to send funds for their wallet security.
In some instances, the phishing email might link to a fake website that requires users to input their wallet details. Inputting your wallet details on such a website leads to the scammer getting your private information
Another way scammers can "phish" your private details is through decentralized crypto wallets like Metamask.
You're anonymous when you use Metamask to interact with a Web 3.0 or decentralized application. However, the website will show that you have a crypto wallet; this is enough for scammers to start phishing attacks.
The public address is hidden with a locked Metamask wallet, and scammers can't view any wallet history. But malicious actors have several strategies targeted to have you unlock your wallet.
An example is sending the wallet with a fake incoming transaction alert or a phony metamask pop-up to get you to unlock your wallet. In some instances, they just wait for the user to unlock the wallet.
An unlocked Metamask wallet will show your public address on all the web pages you open; if you switch between accounts, the address of that account is also displayed. With the public address, scammers can view the balance of the crypto wallet and your financial transaction history.
With the transaction history, the scammer can create phony transactions alert to either:
The scammer can take advantage of access to the user’s information.
Another way is to send you another Metamask pop-out of your transactions with correct details except for the last transaction, which it reports as failed. Then there is a prompt for the user to retry the previous transaction.
Everything is correct except the destination wallet address. The scammer changes the address, and if successful, the users unknowingly send crypto to the phisher's address.
Scammers can also put up a fake google ad to take the first spot when users search for a particular project. Users who click on that ad get directed to the scammers' wrong website.
Phishing attacks are centered around victims inputting their details on fake websites. Make sure you always check your email contact address. Most times, phishing email contact addresses are full of random characters.
Don't link or follow any link from suspicious email addresses. Besides, exchanges or protocols won't ask for your private keys over an email.
Always double-check to be sure you're on the right website. Clone websites usually use a variation of the original website address, like changing the domain or adding/removing a letter.
For example, instead of Metamask.io, the clone address can be Metamask.com or Metamaskk.io.
To avoid falling victim, always double-check the website URL. Also, ensure that the URL has a security certificate (HTTPS// not HTTP). You can decide to navigate the website manually instead of following a link from another source.
Wallet Dusting, or simply "dusting," is a sophisticated scamming strategy targeted at hot wallets. It is especially common among decentralized wallets like Metamask or Trust Wallet. In a dusting scam, the scammer sends a small amount of an obscure coin into your wallet.
Dusting scams usually involve tens of thousands of wallets. Scammers mainly use dusting scams to
identify individuals with extensive crypto holdings. The coins they send to the wallet act as a tracker.
Immediately you sell or trade those coins, the scammers can start tracing the transactions on the blockchain to your wallet where you hold other coins. If they can successfully identify the wallet, they can begin targeted phishing attacks to hack the wallet.
Avoid trading or transacting tokens if you're unsure of their source, especially if the volume is small.
Honey pot scams are pretty similar to pump and dump scams, except, in this case, only the developers can sell their holding.
The founders lure investors to invest in their projects with lofty price projections and marketing. As more people invest, the price of the assets increases (heading for the moon).
The problem starts when investors decide to remove their profits, you get an error message like "transactions can't succeed due to error undefined; this is probably due to a problem with one of the tokens you're swapping."
The scammer already inserted a line of code in the smart contract that makes it impossible for investors to sell their holdings.
Like spotting Rug pulls and Pump and dump, ensure you do your due diligence before investing in any DeFi project.
In this investment scheme, scam platforms convince investors and retail buyers to put upfront capital to secure an ongoing stream of mining power.
Cloud mining companies allow you to rent mining hardware they will operate for a fixed down payment. In return, investors get a share of the revenue. That way, investors can mine remotely without buying expensive hardware.
The catch with cloud mining scam companies is that these platforms don't own the hash rate they say they have. Therefore, investors will lose their capital and not get any return on their down payment.
NFT scams can occur in several ways, including rug pull, phishing, wallet dusting, counterfeit NFTs, and bidding scams. Here are the common NFTs scams.
NFT Rug pulls: The creator stops backing the NFTs and takes their investors' money after price increases. As a result, the NFTs dump and value drops to almost zero.
Phishing Attacks: Hackers try to get your private keys to hack into NFT collections. A common variant is wallet dusting; the hackers send a fake NFT Airdrop to your wallet. Communicating with this NFT in your wallet can give them access to hack into your wallet.
Counterfeit NFTs: In this case, the scammers steal an artist/creator's art and open a fake NFT on another NFT marketplace. If not careful, unsuspecting buyers will buy the counterfeit NFT. You should always ensure that you're buying from the original artist to avoid this.
Pump and Dump: This happens when a group of people artificially drive up the value of some NFTs, tricking users into thinking they are valuable. Once the bid goes up, the scammers offload the NFTs, causing investors to lose money.
Bidding Scams: Bidding scams occur when bidders switch your preferred currency with a lower-valued currency without you suspecting it. This happens when investors want to sell their NFTs in a secondary market.
Airdrop is one of the ways DeFi protocols can distribute free tokens to their community members. Some protocols use Airdrop to drive awareness for their new project.
Users are asked to perform simple tasks like tweeting about the project or joining the community. After which, they get rewarded with Airdrops.
However, not all Airdrops to your crypto wallet are genuine. In some cases, it is a way for hackers to access your wallet.
The scammers trick people into thinking they've received Airdrop worth thousands of dollars after a shady project/website. The Airdrop can only be redeemed by connecting your wallet to that website.
The tricky part is that there is no liquidity on the Airdrop. And if you connect your wallet to that website, you give the malicious smart contract access to your wallet. Scammers can hack into your wallet and withdraw your assets.
Airdrop scams depend entirely on you connecting your wallet to malicious smart contracts. Don't redeem any Airdrop if you are not sure of its source.
ICOs (Initial Coin Offerings) are unregulated means by which crypto projects can raise funds for their new project. The basic idea is that the founders sell a number of their tokens to investors at a lower price.
Investors typically get their token shares after a cliff period when the project launches.
In ICO scams, the investors don't get any token share at the end of the cliff because the project is a scam.
These developers can go out of their way to make the project "legitimate," including investing in high-level marketing and fake legal documents.
Romance scams usually begin on online dating sites; the scammer uses attractive profile pictures (catfishing) to lure in their victims (pigs).
The scammers form a relationship with the victim via online messaging. When the victims get close and trust them, the scammer tells them about cryptocurrency investments and the huge gains they have made.
After which, they get the victim to follow along in some false investments. They convince the victim to send a huge amount of crypto assets to a scam wallet.
Scam accounts impersonate celebrities and influencers in the crypto space. These imposters then reach out to impersonators to unsuspecting victims about a new project or giveaways. Then they ask people to send some crypto assets before they can access these giveaways.
For example, between September 2020 and April 2021, there were reports of over $2 million transferred to Elon Musk impersonators on Twitter. And according to the FTC, 14% of all types of impersonator scams are in cryptocurrency.
I covered the major DeFi scams in this article but that is not all. Malicious actors are always coming up with new ways of scamming investors of their crypto assets.
To avoid falling victim, you want to be careful of your online activities. Don't follow any suspicious links and ensure that you verify all transactions before you approve.