Things haven’t always been plain sailing in the crypto space.
Oh so scandalous!?
Obviously, the introduction of online banking made it quicker and easier to transfer money than ever before. As a result, internet banking opened new frontiers for scams and instances of fraud because of the ease of transferring money without needing to pass physical verification checks at a local bank or centralized computerized ones.
Similarly, the invention of cryptocurrencies has opened up a new frontier for scammers and new opportunities for fraud and theft. For the purposes of discussion, we’ll refer to this new frontier of digital asset scams, theft and exploits collectively as cryptoscams.
These scams typically aim at one of three things: your money, your personal data, or access to your computational power. While the first two also exist in Web2, the third is an emerging type of scam that is nearly exclusive to the universe of Web3.
Why are digital assets particularly vulnerable?
Of course, online scams are as old as the Web. However, it is important to understand that cryptoscams are on an entirely new scale compared to anything that has happened before. According to The Verge, in the first half of 2022, cryptoscams stole over $2 billion from Web3 early adopters. For context, in 1999, when Web1 was roughly the same age, only about $80 million disappeared to scams.
But why are cryptoscams an even bigger problem in Web3?
With the conventional banking system, there are safeguards in place to avoid susceptibility to scams and instances of fraud. Some of these are regulatory, meaning that the government forces your bank to provide them, others are imposed by the bank to protect its customers.
However, in Web3, none of these safeguards exist. Because there is no centralized mediator in financial transactions, you cannot rely on third party measures to ensure that you don’t fall victim to a scam. Moreover, transactions are irreversible – once your funds have been compromised there is usually no way back.
The novelty of Web3 means that many users don’t typically know how it works, or how scams tend to happen. All of this means that cryptocurrencies and non-fungible tokens (NFTs) have been a perfect place for scammers to attack in recent years.
Computer-based scams and exploits
So, what are the types of scams that exist in Web3? How do they work? Well, broadly, online scams can be split into two major categories. While some scams target computer vulnerabilities, others target human vulnerabilities.
Given the nature of blockchains, attackers are unable to ‘hack into the database’ and give themselves tokens the way that someone could for a centralized Web2 database. As a result, most crypto ‘theft’ is actually due to the discovery of a smart contract vulnerability. An example would be a poorly written smart contract that doesn’t validate the number of tokens in a user’s account prior to allowing a withdrawal.
Sophisticated attackers can interact directly with the contract programmatically. The attacker can then submit values to the contract that the web interface would never allow, thereby permitting the withdrawal of otherwise unavailable funds. The variety of exploits is practically endless, but generally the attacker is looking for an opportunity to ‘trick’ the smart contract into handing over money because of an oversight by the original developer.
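The withdrawal flaw described above, as an added example that is not from the article or any real contract: a minimal Python model of a token ledger whose withdraw never checks the balance, beside a hardened version. Balances are modelled as 256-bit unsigned integers the way pre-0.8 Solidity treated them, so an unchecked subtraction silently wraps; the account name and amounts are constructed.

```python
# Added illustration, not the article's code: balances behave like uint256,
# so (balance - amount) wraps around modulo 2**256 when amount > balance.
UINT256_MAX = 2**256 - 1


class VulnerableToken:
    """Trusts the caller-supplied amount and never checks the balance."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def withdraw(self, account, amount):
        # No balance check: a withdrawal larger than the balance wraps the
        # stored value around to an enormous number instead of failing.
        self.balances[account] = (self.balances[account] - amount) & UINT256_MAX
        return amount


class HardenedToken:
    """Validates the amount before touching state (checks, then effects)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def withdraw(self, account, amount):
        if amount == 0 or amount > self.balances[account]:
            # A real contract would revert here; the state stays untouched.
            raise ValueError("insufficient balance")
        self.balances[account] -= amount
        return amount


def demo(token_cls, account="alice", balance=100, amount=101):
    """Constructed scenario: an account holding 100 tokens asks the contract
    directly for 101, bypassing a web UI that would have capped the input.
    Returns (outcome, resulting balance)."""
    token = token_cls({account: balance})
    try:
        token.withdraw(account, amount)
        return ("allowed", token.balances[account])
    except ValueError:
        return ("rejected", token.balances[account])


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableToken))
    print("hardened:  ", demo(HardenedToken))
```

The vulnerable ledger ends up crediting the attacker with the maximum uint256 value, which is exactly the kind of oversight that lets someone ‘trick’ a contract into paying out more than it holds.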
Hackers who gain access to your computer and find unencrypted passwords stored in files can use them to access your accounts. The same applies if you have unencrypted wallet seed phrases or private keys stored on your machine. To be safe, *never* store passwords, seed phrases, or private keys in plain files on your hard drive.
Human-based scams and exploits
Scams preying on human vulnerabilities are much more prevalent in Web3. Because transactions are instant, irreversible, and require no third-party approval, if a hacker gets into your account or tricks you into sending them money, it’s gone.
In the traditional financial system, even if a hacker got into someone’s bank account, large transactions would likely be flagged as potential fraud, requiring verification, and it’s very likely that even if a transaction was sent, the bank would be able to reverse it in the future, returning the stolen funds.
None of these safeguards are widespread yet in Web3, though ‘smart contract wallets’ are being developed to enable temporary time locks, secondary authentication, or several other safeguards using the programmability of the blockchain rather than the intervention of a third party.
You may be thinking, who’s stupid enough to give their password to some stranger on the internet? Well, it’s often more complicated than that. Scammers commonly obtain your password through three mechanisms: phishing, screen recording, and impersonating websites you recognize. It is not just foolishness that makes someone susceptible to a human-based scam.
One human-based scam is phishing. In phishing, scammers will send a user an email or a message claiming to be representative of a service – for example, your crypto wallet.
They will often try to create an urgent reason for you to access your account, like claiming that you’ve been hacked or your account has undergone a recent major transaction and will provide you with a link to log into your wallet.
This link will take you to a website that looks identical to your wallet. That means you can trust it, right? Wrong. These websites will be designed by the scammer to mimic your wallet right up until you put your password in. However, when you do, rather than signing you in, the phishing site will send your password directly to the scammer who will then be able to sign in to your account.
According to the Verge, in February 2022, $1.7 million was stolen from 15 different users of the OpenSea blockchain in just three hours. This shows that it’s not just beginner users who can fall victim to phishing scams – experienced users can also be victims.
The moral of the story: don’t click on links in emails, chats, or sites that you don’t trust.
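Because a phishing site can copy a wallet’s appearance perfectly, the only thing worth checking is the link itself. The following is an added example, not from the article or any wallet vendor: a conservative check that accepts a link only if it is https and its host is, or is a subdomain of, a wallet domain you trust. The trusted domain and the sample links are constructed placeholders, not real services.

```python
from urllib.parse import urlsplit

# Added illustration: constructed placeholder domain, not a real wallet.
TRUSTED_WALLET_HOSTS = {"wallet.example"}


def is_trusted_wallet_link(url, trusted_hosts=TRUSTED_WALLET_HOSTS):
    """Return True only for an https link whose host is (or is under) a
    trusted wallet host. Look-alikes and host-hiding tricks all fail."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    # "https://wallet.example@evil.test/" really goes to evil.test
    if "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    try:
        # Internationalised look-alikes (e.g. a Cyrillic letter swapped in)
        # encode to punycode labels beginning with "xn--"; reject them.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def classify_links(urls):
    """Map each link to whether it passes the check (used for the demo)."""
    return {u: is_trusted_wallet_link(u) for u in urls}


# Constructed sample links as they might appear in a phishing message.
SAMPLE_LINKS = [
    "https://wallet.example/login",                    # genuine
    "https://app.wallet.example/recover",              # genuine subdomain
    "http://wallet.example/login",                     # not https
    "https://wallet.example.verify-now.test/",         # trusted name as a label of another host
    "https://wallet-example.test/login",               # hyphen look-alike
    "https://wallet.example@evil.test/login",          # userinfo trick
    "https://w\u0430llet.example/",                    # Cyrillic 'а' look-alike
]

if __name__ == "__main__":
    for link, ok in classify_links(SAMPLE_LINKS).items():
        print("trusted" if ok else "UNTRUSTED", link)
```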
Hard exit scams
Another type of scam that benefits directly from human error involves tricking you into investing money. In these scams, the scammer will set up a business opportunity and will make it appear lucrative for investment.
They will then try to get as many people as possible on board. However, rather than building a proper, viable business, these applications are fake. Instead of investing in an exciting new app with world-class developers, it’s all a facade that’s bound to implode. Once the scammers have taken as much money as possible, they disappear. This is known as a ‘hard exit’.
Because the decentralized internet lets them hide most of their identity – everything other than a replaceable wallet – it is easy for them to do so. While in the traditional world it is relatively easy to check the identity of someone you are in business with, even if the relationship is purely online, doing so in the Web3 universe is far more challenging. As a result, Web3 users are far more vulnerable to being ‘rugged’.
One example of this began in 2014, when Dr Ruja Ignatova defrauded investors in her new cryptocurrency, called OneCoin, out of $4 billion. Then, in 2017, she disappeared with the money. According to Damian Williams, Manhattan’s top federal prosecutor, “she timed her scheme perfectly, capitalizing on the frenzied speculation of the early days of cryptocurrency”. She is now on the FBI’s top 10 most wanted list.
Soft exit scams
Soft exit scams are similar to hard exit scams, except that they are not intentional. These occur when businesses take on investors with the genuine intention of creating a viable financial opportunity. However, for various reasons, the project loses momentum.
Maybe the founders have found another, better business. Or maybe the scheme wasn’t particularly successful, so they started dedicating less time to it. However, entrepreneurs often aren’t able to return the money invested – either because they have already spent it or because they have neglected to.
This is a form of exit scam because the company directors will often disappear out of fear of the consequences. They are able to do this because decentralization gives Web3 users relative anonymity and makes them difficult to trace. While soft exit scams aren’t created with malicious intent, individuals still get cheated out of their money, so it is still a type of scam.
Another type of cryptoscam is ‘fake coins’. Because Web3 is such a fast developing universe, there are new coins popping up all the time. These new coins can often present exciting business opportunities to get rich quick – some of the cryptocurrency coins that have been invented in the past ten years have seen explosive growth of up to 1000% in just a year. As a result, investors are keen to buy new types of coins.
However, because growth in Web3 is happening at such a fast pace, it can be difficult for investors to find the time to do the necessary due diligence. Checking whether a coin is real, reliable and built upon a safe computational framework takes time – time that investors feel they cannot spare if they want to acquire the asset early and cheaply. As a result, they’ll often experience Fear of Missing Out (FOMO) and invest their money without doing enough diligence.
Having done so, they might find out that the coin is fake, as with OneCoin, or that its value has been misrepresented, as with Luna. If you bought ten million SuperTreeFishDollars for $100 USD, you might think that you’re getting a good deal. However, if you later find out that there is an infinite amount of them in existence, rendering them worthless, you just wasted your money.
False coin endorsements
A sensible response to knowing about the issue of fake coins might be to do an increased amount of due diligence. Maybe it’s worth googling the coin to see if it has a positive reputation? What if it has been endorsed by someone famous who has a good reputation for technical or business know-how? Would you trust a coin that has been promoted by Elon Musk or Warren Buffett?
Well, this adds yet another layer to the sophistication of fake coin scams. Often, scammers will hack into the social media accounts of famous individuals, or create fake profiles imitating them, to promote coins. For example, there are fake lookalike profiles for Elon Musk and Warren Buffett promoting cryptocurrencies. This makes users think that the coin is reliable, so they purchase it. A good rule of thumb for avoiding these scams is to check whether an endorsement appears out of character for a celebrity given the rest of their profile. Is this the first time they have promoted a token? Are they unusually effusive in the language of their praise? If so, it is probably not really them.
Pump & dump scams
Another type of cryptocurrency scam which preys upon human errors is the concept of the ‘pump and dump scam’. In a pump and dump scam, an investor will buy large amounts of a cryptocurrency. They will then try to artificially raise its value by making greatly exaggerated false statements online. This might be done in conjunction with a fake coin endorsement.
They will then sell all their coins immediately, making a huge profit. However, there is no real increase in the value of the coin. The value created is arbitrary, and once people see a huge quantity of coins being sold, the price of the coin is likely to crash again.
This is called a ‘pump and dump scam’ because it involves the value being pumped up and then the coin being dumped in large quantities.
White hat hacking and bug bounties
Not all hackers in the world are evil. In fact, there is now so much ‘surface area’ for hackers to find vulnerabilities, that an entire industry has emerged for ‘white hat’ hackers to find problems and report them directly to the developers to be fixed. Why would they do this rather than taking the money and running? Well, perhaps it’s from the goodness of their heart, but more frequently it’s because of the pervasiveness of ‘bug bounty’ programs.
In these programs, hackers are typically rewarded, often with a percentage of the ‘exploitable value’, in exchange for identifying the exploit and not profiting from it. These sums are often in the millions of dollars and, rather than a life of crime, provide an excellent source of income without the negative aspects of running from the law and maintaining anonymity.
For example, when there was an issue with a cryptocurrency wallet called Polynetwork, a hacker found a vulnerability and took $610 million. However, he returned the money and told Polynetwork about the problem so it could be fixed. Immunefi offers up to $10 million as a reward for finding problems with code, and it is now commonplace for companies to negotiate with hackers in the event of an exploit and settle on white hat terms. Ultimately, this makes the entire industry stronger and is a win-win for everyone involved.
Case Study: LUNA-Terra
In May 2022, one of the most significant crypto collapses in history occurred, shaking up the entire crypto market. This crisis was caused by the cryptocurrency TerraUSD (UST), one of the most popular stablecoins out there.
The promise of stablecoins is that they are stable – their price is not supposed to fluctuate, and instead match the US dollar in value 1:1. In theory, one TerraUSD was always supposed to be worth one US dollar.
The way UST worked was that it maintained its peg through an arbitrage mechanism with an independent coin – called Luna – whose price *was* determined by the free market.
The Terra blockchain lured in customers by offering very high interest rates for people who put their money into UST.
Relentless pressure on the peg caused the price of Luna to drop suddenly, leaving it unable to defend the peg of UST. This was one of the most brutal crashes in the history of crypto. Many people had put their savings into UST under the promise that it would remain stable. Instead, they lost everything within a few hours.
This was no scam – it was a failure of design. But that will be little consolation to the many people whose life savings evaporated in the LUNA-Terra collapse.
Case Study: The FTX Scandal
In November 2022, FTX – one of the world’s biggest cryptocurrency exchanges – declared bankruptcy.
This was a nightmare scenario – one that many true crypto believers had warned against for years. Crypto exchanges make it very easy to buy and sell crypto, but they also eliminate a large part of the ‘decentralized’ ethos that is at the core of all blockchain technology.
Millions of people trusted FTX with their money – without really looking into how capable this institution was of managing it. As it turned out, FTX was mishandling their customers’ money on a massive scale.
FTX’s CEO, Sam Bankman-Fried, known as SBF, was in fact funneling money from FTX – money that should have been ring-fenced – into his other businesses, most notably his hedge fund, Alameda Research. He did this through a complex system of tokens and hedge funds – but it really boiled down to old-fashioned embezzlement.
The full extent of SBF’s fraud is still being uncovered. But the FTX scandal represents a massive moment for crypto – probably the biggest and most outrageous scandal in its history.
The lesson: keeping money on an exchange is risky. Maintaining self-custody of your private keys on a hardware wallet ensures that no third party is able to access, or lose, your funds.