Unveiling the Cryptocurrency Scams: Protecting Against Popular Schemes
Merkle Science
The Department of Financial Protection & Innovation (DFPI) in the United States welcomes complaints from consumers victimized by cryptocurrency scams. The results in their regularly updated scam tracker are telling.
While each scam can involve multiple scam types - and indeed most do - there is a clear hierarchy in which schemes are becoming increasingly popular. Two of the most popular scams are emotionally manipulative. In second place with 52 incidents are pig butchering scams and coming not far behind are romance scams with a total of 9 entries. The difference between the two according to DFPI’s categorization is that romance scams usually involve outright stealing, while pig butchering uses the ruse of a fake investment. The rise of these two scams speaks to people’s increasing comfort with computer-mediated relationships, even with complete strangers.
Other popular scams include fraudulent trading platforms with 59 incidents, imposter scams with 24 incidents, and liquidity mining scams with 7 incidents. Each of these involves financial duplicity of the victim. With fraudulent trading platforms, victims trade on what are bogus websites, while with imposter scams, they give money to individuals or entities impersonating legitimate people or businesses. A liquidity mining scam is similar to a Ponzi scheme, only victims are guaranteed returns by staking their cryptocurrency in a fake liquidity pool.
The United States Secret Service has likewise observed an increase in cryptocurrency investment scams, such as pig butchering. The agency warned users on social media, dating apps, and even professional networking platforms to be wary of investment solicitations through these channels. This market education is an extension of the Secret Service’s mandate, which has broadened beyond just fiat to also include digital assets, such as cryptocurrency, stablecoins, and virtual currencies.
This DFPI data is in keeping with the popular scams, vulnerabilities, and attack vectors we have identified in our top five investment scams. It is important to keep in mind that the DFPI tracker can suffer from some selection bias. Victims of highly personal or embarrassing crimes, such as pig butchering, may be reluctant to come forward. Similarly, victims of highly public crimes, such as rug pulls, may assume that other victims will report the crime. This kind of digital bystander effect may account for why DFPI includes rug pull scams in their official glossary, but no instances were included in their scam tracker.
Understanding how these popular schemes are executed is essential in helping individuals and organizations defend against these specific attacks as well as establishing best practices in general.
Pig butchering schemes
In a pig butchering scheme, the victim is fattened up over the course of several months by the scammer, before being finally led to the slaughter. For example, in 2022 a retiree known as “JZ” was approached by “Jenny” on Facebook. Jenny introduced herself as a gold spot trader and began befriending JZ. Eventually, Jenny convinced JZ to put money on an investment platform where her friend was supposedly the CFO. JZ deposited US$1.1 million and would eventually transfer a total of US$2.8 million, representing most of his life savings.
JZ is unfortunately not alone. There are many victims of pig butchering because it combines the social engineering of a romance scam with the financial manipulation of a Ponzi scheme. Victims are more easily parted with their money when they are blinded by both love and the prospect of easy money.
The playbook used on JZ is a common one. The scammer will usually target a victim over text, email, social media, messaging platforms, or other digital channels to initiate a seemingly harmless conversation. Over time, the scammer will ingratiate themselves into the lives of the victim by chatting regularly, sending photos, sharing selfies, and more. The scammer will often play on the emotions of the victim. In one case, a victim shared that she wanted to live a nomadic life in a motorhome, and the scammer alluded that such would be possible with cryptocurrency.
Once rapport is established, the scammer will introduce the specific investment scheme. These vary but are commonly investment platforms, mining operations, exchanges, and brokerages. Upon investing, the back-end dashboard will show fake returns to the victim, so that they are encouraged to invest even more. If the victim tries to withdraw the funds, the investment platform usually responds with more bogus requests for money. In the case of JZ, he was asked to pay a US$466,000 verification fee, a US$230,000 final verification fee, and a US$99,000 fee to become a VIP member. After such payments, the site and the scammer ghost the victim, leaving them destitute and emotionally scarred. People are advised not to interact with any suspicious characters they meet online, and to do due diligence on any investment opportunity.
Rugpull
In January 2021, Frosties sold out within hours of its launch. This was a collection of 8,888 non-fungible tokens that the creators said would be part of an upcoming metaverse game. This seemed like a favorable start for an NFT project until the developers disappeared. They deactivated the project’s social media accounts, deactivated the Frosties website, and walked away with US$1.3 million.
Though the scammers were eventually charged by the Department of Justice, Frosties illustrates another threat in the cryptocurrency community: the rugpull. This scam is common for both digital currencies as well as non-fungible tokens, and it is not particularly sophisticated in either scenario.
A rugpull involves project creators hyping up a given project, for which there is usually some work done. For non-fungible tokens, the NFTs will usually be live, and the developers will have a roadmap of future updates and benefits. This is designed to attract early investors and play on people’s fear of missing out.
Once the NFTs are sold, the developers vanish, effectively abandoning the project. They often shutter their digital assets to make it harder for investigators to track them. They may then launder the cryptocurrency by running it through various mixers. When the creators go on the run, the purchased NFTs almost immediately become worthless, as their value was tied to the development of a given project. Frosties NFT-holders were supposed to be able to stake their NFTs and share in the revenue of the metaverse game. With a rug pull, developers only hold up the ruse until they have user money, at which point they often do not even bother to keep up the charade. Because rug-pullers build up an air of respectability around their projects, people should understand the inherent risks of NFTs and only be willing to invest funds that they can actually stand to lose.
Phishing
Phishing has been around for as long as people have emailed, but the scam has evolved rapidly since the typo-laden requests from Nigerian princes. Cryptocurrency has raised the stakes for successful phishing: Once scammers gain access to a person’s or organization’s account, they can more easily launder money. Cryptocurrency is far easier to transfer cross-border than fiat and far more difficult to trace.
Crypto-related phishing is no different from regular phishing. A scammer will send a bogus email with a fake pretext, one that makes them look like a legitimate person or entity. In the Ronin hack, a senior developer famously got an email purporting to be from a recruiter at another tech company. After a remote interview with the recruiter, the senior developer was sent a file that supposedly contained a more detailed job description. When opened, the file delivered a payload that gave the scammers access to the person’s computer and eventually to Ronin’s network. The “recruiter” was actually a member of North Korea’s Lazarus Group, which stole US$600 million from Ronin.
Phishing is also a major threat to individuals. Phishing emails are often sent to exchange or brokerage users claiming that their account is locked: Only by entering their log-in information can they regain access. Inputting this information of course turns over credentials to hackers, who will proceed to make unauthorized withdrawals or transfers, or even empty the entire account. Phishing emails sent to individuals are now commonly an attack vector for ransomware. As soon as the recipient opens the attached file, ransomware may lock them out of their workspace, and a ransom note may appear, demanding payment in crypto for them to regain access.
Because phishing can have such dire consequences on both individuals and enterprises, people should be cautious when emailing. They should double-check that emails are coming from legitimate entities, and they should never turn over credentials or open files from suspicious email accounts.
Man-in-the-middle attack
A man-in-the-middle attack is a general cybercrime attack that involves a scammer inserting himself in the communication between two parties, such as a user and an application. The purpose of a man-in-the-middle attack is often to intercept information, such as log-in details, or interject information, such as a transfer to an authorized wallet. The man-in-the-middle is able to insert himself by impersonating each endpoint.
In 2018, cryptocurrency hardware wallet Ledger was found to be vulnerable to man-in-the-middle attacks. Researchers discovered that once a Ledger was plugged into the internet, malware could change the destination address from the intended target to one belonging to the attackers. All of this would take less than a few lines of Python code, according to the researchers. This man-in-the-middle vulnerability was so serious that Ledger warned users of the threat, even though there were no documented instances of it occurring.
Man-in-the-middle attacks are sometimes paired with phishing. In this instance, the scammer will reroute website traffic to a legitimate-looking website, where the user will be prompted to turn over personal information or log-in credentials. In one instance, a pop-up on an elderly woman’s computer directed her to call a customer service number in order to fix an issue with her Apple account. Upon calling, the customer service representative advised that she deposit US$20,000 in Bitcoin to a Bitcoin machine. Fortunately, authorities were able to intervene before she completed the transaction.
To prevent man-in-the-middle attacks, people are encouraged to use secure connections, endpoint security, or even a virtual private network. They should also watch out for signs that their computer has been compromised, such as when suspicious pop-ups, websites, or certificates appear on their device.
Social media/Telegram scam
Many cryptocurrency schemes prey on victims through social media. A general rule of thumb applies here: If it’s too good to be true, it almost certainly is. Such is the case in the many schemes that double as both a promotional giveaway and an investment scam. These promise users that they can double their money by sending money to a particular address. Upon doing so, of course, nothing happens.
These preposterous social media scams are made more believable by different forms of fraud. In some cases, hackers will use identity theft, creating fake social media accounts of A-list celebrities or key opinion leaders in cryptocurrency. In some cases, these may even be verified accounts, such as by having the blue checkmark on Twitter. In other instances, actual profiles of celebrities or thought leaders are hacked in order to promote the crypto scam.
Pump-and-dump schemes are often executed on Twitter, Facebook, and messaging platforms like Telegram. These involve hyping up a particular currency, token, or asset, so that throngs of duped users will buy it, inflating its price. When the price is at or near an all-time high, the scammers will then liquidate their earnings.
Users should be wary of any investment scheme that advertises on social media, especially any that offers the guarantee of profits. No legitimate investment scheme would be able to guarantee a return to investors. Users should also be wary of investment schemes that focus on personalities, such as the endorsement of a celebrity, rather than particulars about the asset itself.
Light at the end of the tunnel
Dealing with these attacks will require deep collaboration between authorities and leaders in the industry. In a recent win, for example, Binance helped the Department of Justice seize more than US$112 million in funds affiliated with cryptocurrency investment scammers. While even this staggering figure is just a drop in the bucket in terms of overall losses, it’s a step in the right direction. More public-private collaboration can help slow the flow of funds, so that cryptocurrency is no longer a convenient means for criminals to move money. Addressing this core challenge may also stop the creation of newer schemes built atop the foundation of cryptocurrency.