On July 16, attackers gained access to several celebrity and corporate accounts on Twitter and used those accounts to promote fraudulent Bitcoin giveaway offers. By doing so, the attackers managed to steal over $100,000 worth of Bitcoin.
The attack highlighted the need for crypto users to be wary of potential attacks of all types. New investors should consider the following guidelines.
1. Don’t send money to giveaways.
In this month’s Twitter attack, real accounts advertised fake giveaways. However, most giveaway scams simply imitate real people and companies, meaning that giveaway scams are extremely widespread and almost impossible to shut down.
Legitimate giveaways exist, but they will never ask you to send money to them. For example, this seemingly legitimate offer is actually fraudulent:
2. Don’t use QR code generators.
QR codes provide an easy way to send money between Bitcoin addresses; they allow you to scan an address with your mobile phone or webcam.
However, online QR code generators are risky. Fake QR code generators can replace your Bitcoin address with an attacker’s address and intercept any payment that you attempt to receive. This image from ZDNet demonstrates the attack:
Instead of using an online QR code generator, you should generate QR codes in your Bitcoin wallet. Additionally, you should always double-check that the address that you see on your screen matches the one that you expected to see.
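The address check described above can be automated. The following is an added example, not part of the original article: it decodes the payload of a scanned QR code and compares the address inside it with the one your wallet shows. It assumes legacy Base58Check addresses only; the function names are hypothetical and the sample addresses are constructed from made-up bytes.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data))
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, body: bytes) -> str:
    """Build a Base58Check string; used here only to construct sample addresses."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become "1"
    return "1" * zeros + out

def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes ending in a correct checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]

def check_qr_payload(payload: str, expected: str) -> str:
    """Compare the address in a scanned QR payload with the wallet's own address."""
    addr = payload.strip()
    if addr.lower().startswith("bitcoin:"):      # BIP 21 URI: bitcoin:<addr>?amount=...
        addr = addr[len("bitcoin:"):].split("?", 1)[0]
    if not b58check_valid(addr):
        return "invalid"                         # typo or corrupted address
    return "match" if addr == expected else "MISMATCH"  # valid but someone else's

# Constructed sample addresses from made-up 20-byte hashes (not real wallets).
MINE = b58check_encode(0x00, hashlib.sha256(b"constructed wallet").digest()[:20])
OTHER = b58check_encode(0x00, hashlib.sha256(b"constructed attacker").digest()[:20])

if __name__ == "__main__":
    print(check_qr_payload(f"bitcoin:{MINE}?amount=0.01", MINE))
    print(check_qr_payload(f"bitcoin:{OTHER}?amount=0.01", MINE))
```

A substituted address is still a well-formed address, so the checksum alone does not catch it; only the comparison against the address you expected does.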
3. Look out for fraudulent coins.
There are thousands of cryptocurrencies in existence, and not all of them are legitimate. Some, such as BitConnect and PlusToken, are considered “exit scams.” Exit scams raise funds, then shut down the project and make off with the money.
There is no surefire way to identify a fraudulent coin. However, the SEC lists red flags, such as celebrity endorsements and promises that are “too good to be true.”
If you choose to buy cryptocurrency, it’s best to buy coins that are listed on popular exchanges like Coinbase and Binance. All crypto investments involve risk, but major exchanges generally list reputable cryptocurrencies like Bitcoin and Ethereum.
4. Beware of phishing websites.
Sometimes, attackers duplicate real websites in order to intercept user transactions. Often, they attract users to the fake site through seemingly realistic emails, social media accounts, or tech support phone calls.
This type of attack is called “phishing.” Below is one example of a phishing attack, in which attackers cloned a real website (MyEtherWallet) and hosted it at a fake URL.
Fake URLs are not always obvious or visible. Most web browsers block phishing websites, but popular browsers do not always keep up to date with crypto scams.
Extensions like MetaMask provide extra protection. MetaMask also functions as an Ethereum wallet, but its blacklist features are useful no matter which cryptocurrency you own. It blocks over 10,000 fraudulent crypto websites.
5. Look out for ransomware.
Ransomware is a type of malware that can lock you out of your computer or threaten to expose your data. Ransomware cannot actually steal crypto from your wallet; instead, attackers simply demand cryptocurrency as part of their threat.
The most famous type of ransomware was CryptoLocker, which was distributed between 2013 and 2014, and which demanded payment in Bitcoin.
Ransomware is usually aimed at companies with valuable data rather than individuals. Garmin and Telecom Argentina were recently targeted by this sort of attack.
Malwarebytes says that you should not pay ransomware attackers: “The number one rule, if you find yourself infected with ransomware, is to never pay the ransom.” Instead, restore your files from a backup or use anti-ransomware tools to remove the malware.
6. Don’t worry about mining malware.
Until recently, cryptojackers and “mining malware” were an issue. Attackers used web pages and applications in order to mine cryptocurrency on remote computers.
Cryptojacking still exists. However, attackers need to go to greater lengths for it to be worthwhile. Most web browsers block mining scripts, meaning that attackers need to hack into the target system or force their victims to download malware. As such, cryptojacking attacks tend to target enterprise networks rather than individuals.
Furthermore, cryptojackers do not actually steal cryptocurrency; they merely put stress on your computer. Anti-virus software and an up-to-date web browser provide sufficient protection against cryptojacking for general users.
Crypto Crime Never Sleeps
Cryptocurrency-related crime is widespread. According to Ciphertrace, attackers stole over $1.4 billion worth of crypto in the first half of 2020.
The vast majority of that crime was carried out through the methods listed above, especially through fraudulent offers, phishing campaigns, and ransomware. Hacks and thefts that stole cryptocurrency directly from exchanges were relatively uncommon.
Crypto investors should be constantly on guard against scams and fraud.