In 2022, a total of $2 billion has already been lost in the cryptocurrency and Web3 space as a result of scams and hacks. Centralized crypto platforms attempt to provide users with security features like account passwords and two-factor authentication to secure their funds. However, control of users’ crypto wallets and private keys still remains with the company.
This is why, when centralized crypto lending platforms go bankrupt, they take users’ funds down with them. With a custodial wallet, another party controls your private keys, and most custodial wallets these days are web-based exchange wallets.
This is why we always say in crypto:
“Not your keys, not your crypto.”
This advice refers to two key points:
1) If you don’t truly own your private keys, you don’t truly own the cryptocurrencies in your wallet.
2) If your private keys are in any way compromised, stolen, or in the hands of someone else, your funds are not safe.
Web3, the latest iteration of the World Wide Web, is built on the blockchain with a decentralized infrastructure that promises to give its users complete control and ownership of their data with much greater security. Decentralization of data networks and of the financial ecosystem also means that responsibility for the security of users’ data and funds comes back to the users themselves.
Types of Crypto Scams
Web3 is no longer merely an idea. It is intrinsically linked to ownership of data and financial value. Millions of users are falling victim to scams in the Web3 and crypto industry, and billions of dollars have been lost. This is holding back Web3’s adoption in different industrial sectors, as hacking incidents are perceived as flaws in the technology.
In this blog, we discuss in detail the types of scams Web3 investors frequently fall victim to and how to stay safe from them. You will also find the best practices you can use to protect yourself from these scams.
Phishing scams are the most common type of scam in the crypto and Web3 space. Scammers target only one thing: your private key and seed phrase, because this information gives full access to your funds. Every attempt in this type of scam is aimed at getting your private keys in any way possible.
What are these ways? Here are the types of phishing scams that are frequently used to deceive users into handing over their private keys.
Seed Phishing Through Ads
In a recent incident in Q1 2022, scammers ran Google Ads to promote malicious URLs of websites that claimed to be either a wallet or a wallet aggregator service. They made users submit their seed phrase on the website in order to access their own (different) crypto wallet on the platform. What it turned out to be was a simple form collecting users’ public addresses and seed phrases, and the scammers used that information to drain all the funds, leaving users’ wallets empty.
Continuing the same warning: NEVER EVER share your private keys and seed phrases with anyone or on any platform. No legitimate Web3 or cryptocurrency platform will ever ask you for your seed phrase.
In the real world, ice fishing is a practice of catching fish in which the fisherman cuts a hole, an opening, in the middle of a frozen lake. Hackers create a similar opening on smart contract platforms by tampering with the user interface. All the hacker needs to do is inject code that replaces the receiver’s address with the attacker’s address. Because an address is a long, random-looking string of characters, users don’t double-check it before confirming the transaction and simply click ‘OK’.
There is only one way to defend against this attack: DOUBLE-CHECK each and every character of the receiver’s address at least twice, both in the receiver’s address box and on the confirmation screen.
Social Media Phishing
Crypto security firm CertiK released a quarterly report in July 2022 in which it noted a 170% increase in phishing attacks. A striking fact that CertiK also mentions in the report is that most phishing attacks are conducted on social platforms like Discord, Telegram, and Twitter. Social media is a huge hunting ground for crypto scammers.
Scammers will share quotes from famous billionaires or celebrities, slide into your DMs, or share links promising exciting rewards to lure users in and steal their private information. On Telegram and Twitter this is easier to do, as the security layers that groups and projects can implement are very limited. These scammers will ask you for funds with the promise of higher returns or risk-free profits, offer to ‘secure’ your wallet, or find any other way to either take your money and run or get hold of your private keys.
- Never ever share your private keys with them or send a single penny of your funds to them.
- Do not click on any suspicious or unknown links.
- Keep two-factor authentication (2FA) on all of your social accounts.
- Never reply to any messages with suspicious links that you receive on your social accounts.
Employees of Web3 and crypto companies are constantly targeted with fake emails from scammers who pretend to be their seniors or bosses and ask them either to send funds or to share their wallet addresses.
Additionally, scammers target job seekers, either posing as potential employers or promising jobs with lucrative pay. The scammers ask the job seekers to share their wallet private keys so that bonuses or advance payments for the role can be sent. Do not share anything with them! Again, no legitimate person or organization will ever ask for your private keys or seed phrase.
- Always check the domain name of the email and make sure it is an official email address.
- Organizations should implement an anti-phishing code that helps recipients verify that an email is authentic and was sent by the organization.
- If you receive any such email, inform your company seniors or official team members right away.
People browsing Crypto Twitter or crypto-based Telegram channels have seen images similar to the ones below, containing promises by global icons like Elon Musk, Joe Biden, or Bill Gates to run giveaways of millions of dollars in cryptocurrencies.
Clearly, these are fake! Despite Tesla holding millions of dollars’ worth of Bitcoin in its reserves, we are pretty sure it is not holding it to run airdrop campaigns for retail investors. Do not fall victim to these scams; it is super easy to create such Photoshopped images.
In addition to impersonating celebrities, scammers also create impostor accounts of crypto and Web3 projects, download the images from their official social profiles, and pretend to run airdrops to scam users.
Before falling for any of these seemingly lucrative offers, check the URLs and usernames of the channels and confirm with the admins on the official channels. The official channels of a project are usually listed either in the footer of its website or on its community pages.
Crypto Rug Pulls
Remember the Tom and Jerry cartoons where Tom pulls the blanket from under Jerry’s feet and Jerry flips over and lands on his head? Crypto and NFT investors often have a similar experience when they invest their hard-earned money in a new crypto/NFT project and the founders run away with the funds, dropping the price of their own token to zero. This type of scam is known as a crypto rug pull.
It all starts with scammers convincing investors that their project is legitimate and has a bright future. This is done in various ways: building a spectacular-looking website, adding the names of fake employees and advisors, and presenting a roadmap that suggests the project has a sustainable future. Retail investors around the world start investing in these projects, exchanging their tokens for the project’s tokens in IDO and ICO rounds and trading them on exchanges.
Then the founders play the real game and begin to pull the rug in one of the following ways:
- Dump their tokens on the open market and run away with the proceeds from users’ funds.
- Deploy a smart contract that locks users’ funds and prevents them from selling their tokens.
- Extract all the liquidity from the liquidity pools they started on decentralized exchanges, leaving users with only tokens and no way to trade them.
- Research every aspect of the project, starting with authenticating the team members and their backgrounds.
- Don’t fall for huge promises of returns or their claims of becoming the next ‘Bitcoin’ or ‘Ethereum’.
- Research! Research! Research!
Malware has posed a threat to crypto and Web3 users since the inception of the industry. All scammers need is a way to inject a virus or malware into your computer or mobile device. We all copy and paste wallet addresses when we send crypto to a receiver’s address. This is exactly when this malware does its mischief and swaps the receiver’s address for the scammer’s address.
Because addresses are complex strings of alphanumeric characters, investors often do not double-check them before sending, and end up sending their funds to the scammers.
- Enter the receiver’s address by scanning a QR code.
- Triple-check each and every character of the receiver’s address.
- Send a small test amount and confirm receipt with the receiver before making a big transaction.
- Keep your devices virus-free with the help of antivirus programs.
- Do not click on any suspicious links that you find on the internet or receive in your emails and messages.
Spoofing is when something pretends to be something else. Scammers attack via spoofing using URLs, websites, emails, text messages, and IPs, and with recent innovations in technology, facial and GPS spoofing have joined the list. For example, a spoofed URL is a fraudulent link that pretends to be a legitimate URL and is designed to steal your data; this is called URL spoofing.
Scammers will often use the name of a big, trusted Web3 organization and send you communications about your activity or about promotions. For example, it can be a promotional email from ‘Binance’ that says you have won $50 for being a valued customer. However, the email will contain malicious links that send you to a website that looks like Binance. This spoofed Binance page will have a sign-in form created by scammers to collect your username and password.
This is just one of numerous ways a user can be tricked into believing that an online communication or platform is legitimate. Look at the example below, where the scammer has sent an email that looks like it came from MetaMask’s support team. But if you look at the email address, the reality is different.
- Always check the URLs, email addresses, and any link you are accessing. Once you know you are on the authentic website, bookmark it to reduce your chances of clicking a scam site that can appear on Google.
- Crypto and Web3 projects will never ask you for your seed phrases. Never share them with anyone.
- Do not click on any suspicious links that you receive on any communications.
- Mark all such emails as spam right away; it helps other investors too.
- Never connect your wallet to an unknown platform
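The URL and sender checks from the list above, written out as an added example (not code from the original post). It assumes a short allowlist of official domains the user has already verified and bookmarked, treats the last two labels of a hostname as the registrable domain (a simplification; a real tool would consult the Public Suffix List), and uses constructed sample inputs.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist: domains the user verified once from the official website footers.
OFFICIAL_DOMAINS = {"binance.com", "metamask.io"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, punycode decoded so look-alike IDN hosts show
    their real letters. Assumes no multi-label suffixes such as co.uk."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or not valid punycode: compare as given
    return ".".join(host.split(".")[-2:])


def classify_host(host: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a hostname or mail domain."""
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return True, f"{domain} is an official domain"
    if any(ord(c) > 127 for c in domain):
        return False, f"{domain} uses non-ASCII look-alike characters"
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]  # 'binance', 'metamask'
        if brand in host.lower():
            return False, f"{host} mentions {brand} but is registered as {domain}"
    return False, f"{domain} is not an official domain"


def check_link(url: str) -> tuple[bool, str]:
    """Judge a link by its real hostname, not by the text around it."""
    host = urlsplit(url).hostname or ""
    return classify_host(host) if host else (False, "link has no hostname")


def check_sender(from_header: str) -> tuple[bool, str]:
    """Judge a From: header by the domain after '@', ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return False, f"no usable address in {from_header!r}"
    return classify_host(addr.rsplit("@", 1)[1])


if __name__ == "__main__":  # constructed samples; the last link uses a Cyrillic 'і'
    puny = "b\u0456nance.com".encode("idna").decode("ascii")
    for sample in ("https://www.binance.com/en/rewards",
                   "https://binance.com.rewards-claim.net/login", f"https://{puny}/login"):
        print(sample, "->", check_link(sample))
    for sample in ("support@metamask.io", "MetaMask Support <support@metamask-help.com>"):
        print(sample, "->", check_sender(sample))
```

The point of the reason string is that a display name or a brand name inside the hostname proves nothing; only the registrable domain does.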
In contrast to the custodial wallets common on centralized crypto exchanges, there are platforms that offer non-custodial wallets, where the entire responsibility for the security and safety of users’ funds lies with the users. With a non-custodial wallet, you have complete and sole control of your private keys, which means you fully control your cryptocurrency and can prove the funds are yours.
Other Ways to Get ‘REKT’
We have discussed the major scams that are burning the pockets of Web3 investors. In addition to the ones discussed above, there are a few other ways that can leave Web3 users REKT!
- Scammers might blackmail you, claiming to possess personal information, chat history, images, or videos of you, and ask for funds.
- They might send ransomware to your devices, encrypt all the files on your device, and demand a hefty fee in Bitcoin to decrypt the files.
- They organize pump-and-dumps on low-trading-volume altcoins on centralized crypto trading platforms.
- They can build Ponzi schemes where they first offer you magnificent returns on your investments and later run away once they have convinced you to deposit a large sum for higher returns.
- The scammers may pose as a romantic partner or as someone suffering from a life-threatening disease to lure you into paying them money.
Web3 is full of creative ways to scam users and snatch their private keys and seed phrases to gain access to their funds and private information.
Despite all the variety of scams, there are really only a handful of things you need to keep yourself as safe as possible:
- Always triple-check the sender’s and receiver’s addresses, as scammers will change the address so that assets go to their address instead
- Don’t click on any suspicious or unknown links, buttons, and ads
- Never share your private information, private key, and seed phrase
- Always check website URLs, email addresses, and redirects closely
- Never send any money to an unknown person or a company
- Always keep strong passwords and two-factor authentication on all your accounts
- Research every corner of a project before investing your money in it.
If you learn to apply all the above-mentioned points every time you interact with a Web3, DeFi, or crypto platform, your funds will be safe and secure. Your keys and your private information are only yours to keep. While Web3 promises to bring complete ownership of your data, it will be solely your responsibility to keep it secure.