So many new investors and users entered the world of blockchain without realizing they were stepping into virtually autonomous territory. The deep web is the wild west of the internet and this is all a mature and publicized version of its economics. This means that many of the safety precautions you would take on the deep web... or you took on the pre-2009 internet, need to be closely mirrored when working with crypto, web3, and blockchain. Phishing, malicious downloads, bots skimming info about your identity, dirty nodes, faulty code, and con-artistry are all very alive and thriving in this minimally regulated zone. I can't protect you. Your computers can't protect you. Coinbase will not protect you. You have to protect yourself in this wild world of +300% investments and pump n' dumps that could take your dreams away in seconds.
In this article I'm going to casually cover some of the scams that I've seen thrive in 2021 that can't necessarily be stopped by anyone when initiated. These scammers are playing chess with you. They make a move and then you make a move that could either save your ass or cannonball it into a hot fryer. You have to protect your neck and secure your base because the scammers are coming for you and the first line of defense is how you carry yourself in this space!
Before we get into the attacks, I want to share a few tips that you should take into consideration right now that could save you from a lot of grief in the future.
Now understand that these tips aren't fool-proof, so it's important for you to not play the fool!
Get a cold storage wallet, an offline wallet, or a very low-key hot wallet.
Cold Storage and Paper Wallets are kept offline. They allow you to access your crypto in a limited way and are great for the long-term holder. If you do a lot of swing trading, you shouldn't use these for that, but these are perfect for stashing your Bitcoin away for 10 years.
Hot wallets are your typical online wallets like Metamask, Trust Wallet, and Exodus Wallet. These are good and generally safe, but because they are online and require a device to be connected to the internet, the device creates a lot of vulnerable paths. A low-key one would be one that you don't publicly advertise or talk about. One that's out of the way and not obviously connected to your identity or daily activity. A good way of handling these is by buying a pre-paid phone, keeping it off of a service plan, only using it on protected private wifi, and hosting your wallet there.
These wallets are all protected by private keys and recovery phrases. These keys and phrases need to be stored offline somewhere safe and locked/encrypted. If someone gets your keys or recovery phrases you're screwed. They can access your wallets and do whatever and there's nothing you can do about it.
Never store crypto or cash on an exchange like Binance, Coinbase, or Kraken. These not only rely on you keeping your access points secure, but they also rely on the exchange to keep theirs secure and exchanges are learning as they go along with this just like you. Exchanges get hacked ALL THE TIME and most are not insured so they are not responsible for any cash you lose. After you do your trades on exchanges, send your crypto to a secure and quiet wallet.
Have a Project Wallet
A project wallet is a wallet that you will be using to do work with. For example, if you sell NFTs or do a lot of work with Decentralized Finance, you'll want to do this work with a project wallet. Usually project wallets are browser-based like Metamask, Hive Keychain, and Temple wallet. These wallets need to be protected because they are commonly targeted, so keep things in them that you are willing to lose but aim to never lose those things.
Also be sure to disconnect your project wallets from everything you aren't currently using!
Use a Dummy Wallet to Test the Waters Before you Dive in
If you plan on working closely with a particular blockchain, then create a dummy wallet and keep about $100 worth of crypto in it. Before you connect your project wallet and risk your funds, you want to test that the technology actually works. Decentralized projects can be risky. They could be scams or just have a few bugs that the developers missed. You don't want to discover a new scam or bug with your project wallet so be sure to test things with a dummy wallet.
NEVER EVER EVER USE YOUR REAL PHONE NUMBER OR AN IMPORTANT EMAIL ADDRESS
Hell, be totally anonymous if you can. It's not easy but this is the future of the internet. You're just getting a crash course with crypto and web3 beta.
Avoid Influencers and Bots like the Plague!
Influencers and Bots will tell you whatever they are paid or programmed to. You can't trust their advice or much of their shared experiences. Usually when an influencer or a bot marketing campaign is involved with a project, you're seeing red flags. A good project or service doesn't need to pay for artificial reviews. Sure, paying celebs is a common practice used in commerce and marketing, but think about the level of things that celebrities promote versus what internet influencers are usually assigned. If Shaq is promoting an NFT project then maybe there's some legitimacy to it, but still research it. If someone's biggest accomplishment is their social media follower count and their ability to seize the algorithms, don't trust them without some serious auditing. If a bot is telling you to do something, just ignore it and block the bot.
Alright time to get into the fun stuff. These are some of the scams, hacks, and attacks I've seen and dealt with over the last year.
SIM Swap hacks
SIM Swap hacks are terrifying attacks that consist of the attacker taking control of your mobile phone number. Why would a hacker want control of your phone number? To receive your text messages for 2 factor authentication confirmation codes. You know when you go to log into your email or private financial accounts and the platform sends a code to your phone for verification? They want access to that. So say you have crypto stashed in Coinbase (which is not safe!) and you have your phone number set up as the 2 factor authentication. If it's a phone number you've had for a while then it may be pretty easy to figure it out online. If not, they'll usually get your info from a data breach or by scamming you into filling out a form or sharing the info with them. A common way they can get your phone number is by scheduling a call while pretending to have a professional offer or desire for your services. Let's say the hacker gets your phone number. They can use software to crack your PIN and contact your data provider while pretending to be you. They then request to activate a new SIM card using your number and just like that - they have access to your email and Coinbase account.
Now these attacks can be very scary and you need to know how to identify a SIM attack in progress so you can take action immediately. Here's my experience and how I responded.
About 11:00 pm I received a text message saying “Welcome to Metro by T-Mobile”. My first thought was that T-Mobile purchased the phone company I'm with, but I'm pretty on top of tech news and don't recall hearing about this. A quick web search confirmed that this was not the case. Then immediately a light bulb went off in my head and I realized that someone had taken control of my SIM card! I immediately turned to my partner who was sitting next to me on her computer and asked her to call my phone. The phone number rang but my actual phone didn't make a sound. So I tried to make a call and received a “no service” error. So I used my partner's phone and called Metro by T-Mobile immediately while using my laptop to quickly disable mobile 2FA on everything, starting with my email and crypto accounts. I never keep funds on an exchange so I wasn't too worried about them being drained. My concern was that my bank cards are attached to these exchanges and they could potentially make purchases on my account with my attached bank info or funnel illegal funds through my account, attracting bad attention to me. Before I could get into my Coinbase they had already breached my email, breached my Coinbase account and changed the email and password. I was able to get them out of my email and cut off mobile 2FA for all of my email accounts, but their goal had been met. By the time I got a T-Mobile rep on the phone (about 5 minutes) they had gotten into my account, made their moves, and disconnected my number from their SIM card. The T-Mobile person checked the number and could not find it on any of their lines. We tried calling my number and it was no longer connected to any line. I reached out to Coinbase and received automated responses that led nowhere. About 6 months later I received an email with a link to reset and unlock my account. The link didn't work, so I said screw Coinbase and moved to a safer option with an active 24hr customer service line.
Ok so to break down what happened here.
I'm guessing that these people had my email address and phone number from a prior data breach or from some kind of public listing somewhere. My email provider was popular but not average so they had to have known prior what app to use to access my email. Once they gained access to my inbox, they searched for BTC, Coinbase, and Crypto. After finding confirmation emails from Coinbase they knew to breach that next. By the time they got there and did the dirty work, I had kicked them from the email. This took them about 5 minutes total. In the end they took whatever crypto I had on Coinbase, my phone number, and accessed private information.
Now the fact that they were able to be in and out before I could get a T-Mobile rep on the line tells me a few things. One: they were briefed and had a plan or procedure down. And two: they may have had help from inside of the T-Mobile system in order to make these moves while avoiding phone wait times. Recently news has come out that T-Mobile employees have been discovered to be behind many of these attacks.
How to Act when being Attacked
Well, I acted pretty quickly, and if I were somewhere without Wi-Fi access, I would have been stuck without a phone signal and unable to act. So know that if you are on the road or away from Wi-Fi and this happens to you, then you may be left alone with no phone, no data, and no way to address this issue immediately. The first thing you need to do is to disconnect SMS 2FA from everything, starting with crypto apps, banking apps, and wallets. Then disconnect emails, social media, and everything else. After you are disconnected and logged out on every device from within the app, contact your phone service provider and try to save your phone number or at least see if you can figure out what happened. After this is contained, change your phone number and move to a new email because your info is now circulating through the dark web. Delete all of the emails you receive from exchanges and make sure there is no trace of financial activity left in your email.
How to Avoid this Attack
Never share your real email or real phone number. Use a VOIP or Google Voice number for all public business and use Telegram, Signal, Zoom, or meet in the Metaverse for all Crypto business.
NEVER KEEP MONEY ON AN EXCHANGE LIKE COINBASE, CRYPTO.COM, BINANCE, or KRAKEN.
Use an authentication app for 2FA, not a phone number and not an email.
Never show your desktop or apps when sharing your screen in meetings or presentations. Sharing your desktop or apps can tell attackers what email you use, what OS you use, and what apps you have.
“Let's Collab” Scams
This one sucks because it's masked in “community building” and friendliness. These appear randomly and usually when you are most active online or in the crypto community. It usually starts as a random email or a DM from a random person who appears to be real after a quick glance.
They say something along the lines of:
“Hey! I love your art and your work is super inspiring. Do you do commissions? I'm developing a game and need a new logo and your art style is perfect for my game!” or they'll say they make music or whatever and want to “collaborate” with you. You'll respond in a normal manner. Doesn't matter if it's a yes or no, they'll try to get you into the next step.
If you say yes they'll respond like:
“Awesome. I'll send you my notes and ideas to check out. Tell me what you think. What's your email?”
To be safe you'll say “I don't share my email for privacy reasons”, and they'll instead send a file through the DMs. This file will be a ZIP archive with innocent-looking .jpegs and a .doc or a PowerPoint presentation. You'll download it, open it, and unknowingly install malware on your computer or phone. They will then be able to log your keys, see your screen, or take control of your computer and access your wallets. You won't even notice it until you log into your Metamask and see there's nothing there!
How to Act when being Attacked
If you manage to catch the attack in progress, hurry up and save your crypto! If they are attacking your pc, disconnect it from the internet immediately. Access the compromised wallet and send whatever you can to a safe wallet that isn't currently active on your compromised device. If you can't access these wallets from other devices besides the compromised one, then move your funds before disconnecting from the internet. After your funds are safe, you have to locate the malware and remove it. Do so in safe mode or in a way that is disconnected from the internet. Get rid of the compromised wallet and start fresh with a new wallet on a different device.
How to Avoid this Attack
Never download anything from someone you don't know or trust.
Make sure the file type matches the icon. Sometimes they'll send a file that looks like a .doc but is actually a .exe. Never ever EVER click a .exe that you don't trust and understand.
Have an up-to-date virus scanner and firewall. It may miss some files but it could definitely help notice what you may miss.
Heavily vet your collaborators. If they want to work with you, learn who they are and understand what they do. Some of these scammers will actually work to gain a bit of trust, but they can't keep the act up for long because someone will figure them out and they may have to change their fake identity.
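The “file type matches the icon” check above can be automated before anything in a received ZIP is opened. This is an added example, not code from the original article: it builds a small constructed archive shaped like the “Let's Collab” drop (two images plus a “document”) and flags entries whose leading bytes say executable or whose name hides a second extension. The file names and bytes are constructed placeholders, not real malware.

```python
"""Inspect a ZIP attachment for entries whose contents don't match their name."""
from __future__ import annotations

import io
import zipfile

# Leading bytes of executable formats. Windows PE starts with "MZ", ELF with
# 0x7f 'E' 'L' 'F', 64-bit Mach-O with 0xcffaedfe (little-endian on disk).
EXECUTABLE_MAGICS = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary (also Java class magic)",
}

# What the first bytes should look like for the document/image types the
# scam mimics. Legacy .doc/.ppt are OLE2 containers; .docx/.pptx are ZIPs.
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".ppt": (b"\xd0\xcf\x11\xe0",),
    ".docx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
}

# Extensions that run code when double-clicked; Windows hides the last
# extension by default, so "logo.pdf.exe" is shown as "logo.pdf".
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js",
                    ".vbs", ".jar", ".msi", ".lnk", ".hta", ".ps1", ".dmg"}


def classify_entry(name: str, head: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one archive entry from its name and header bytes."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        hidden = f"; shows as .{parts[-2]} when extensions are hidden" if len(parts) > 2 else ""
        return "BLOCK", f"executable extension {ext}{hidden}"
    for magic, desc in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return "BLOCK", f"content is a {desc} but name claims {ext or 'no extension'}"
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return "REVIEW", f"unrecognised extension {ext or '(none)'}"
    if not any(head.startswith(m) for m in expected):
        return "REVIEW", f"header bytes do not match {ext}"
    return "OK", f"header matches {ext}"


def inspect_zip(data: bytes) -> list[dict]:
    """Read only the first 8 bytes of every entry; nothing is extracted or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            verdict, reason = classify_entry(info.filename, head)
            findings.append({"name": info.filename, "verdict": verdict, "reason": reason})
    return findings


def safe_to_open(data: bytes) -> bool:
    """True only when every entry's header agrees with its claimed type."""
    return all(f["verdict"] == "OK" for f in inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the scam's attachment (placeholder bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("concept_art_1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("concept_art_2.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        # Named like a Word document, but the bytes are a PE header.
        zf.writestr("game_notes.doc", b"MZ\x90\x00" + b"\x00" * 60)
        # Classic double extension hidden by the file explorer.
        zf.writestr("logo_brief.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['verdict']:6} {f['name']:22} {f['reason']}")
    print("safe to open:", safe_to_open(build_sample_zip()))
```

A header check is a tripwire, not a scanner: a clean header does not make a macro-laden document safe, so a REVIEW or BLOCK verdict means “don't open it,” while OK only means “nothing obviously mislabelled.”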
Customer Support Scammers
This one really sucks because it preys directly on the desperate, confused, and super vulnerable. You'll see it all the time on Reddit, Twitter, and Instagram. Usually it's on a post or in a group for a platform with really bad customer service like Opensea. Opensea is notorious for not giving a shit about your problems. People will reach out to customer service and be left in the dark for months before getting a response. Because of this you'll see desperate pleas for help in comments of their posts all across the internet. When a user makes these public requests for help, within a few minutes an account mimicking Opensea's customer support will contact them pretending to offer help. When this happens the scammers will ask for private wallet information, login information, private info, and whatever you're willing to give them. It sucks horribly to make a costly mistake then when reaching out for help, you get your wallet cleaned out by an impersonator.
How to Avoid this Attack
It's simple, make sure anyone who reaches out on behalf of a platform really is who they say they are. Usually these platforms will not contact you on social media when addressing a problem. They'll either use your email or their platform's help forum.
The Big Shot Investor or Super Connected Promoter Wanting to do Business Scam
These accounts are usually easy to spot when they appear. They show up in your inbox confidently offering to work with you, buy something from you, or to hook you up with an investment opportunity. Whatever they want, it has to do with money and usually big money. Their profile looks like that of a corny investment influencer with fake photos, corny sayings, links to strange publications, and usually comments from a lot of non-American people talking about nothing in particular. A lot of times they'll show you a screen shot of a bank or crypto account with 6 or 7 figures in it to “prove” that they're rich and don't need your money. Their goal is to not only get information out of you, but to get control of your account, wallet, or something that you have. It's best to not talk too much to these guys. You should block them as soon as you spot something strange about their approach, profile, or the way they talk about money.
Telegram Auto-Downloads
The vulnerability is easy to see, but easier to ignore if you don't look at life with malicious intent. On Telegram (an encrypted chat app commonly used in crypto) whenever someone posts a file (like an image, video, or document), in order for you to see it in the chat, the file has to physically download to your phone. To keep info private, files are hosted on your device and not on a Telegram server. In many NFT or Crypto Telegram chats, there are hundreds and thousands of people saying whatever they want, 24-7. One of those people could upload a malicious file and when it is seen, it could download malware to the viewer's device without them knowing. If you like to browse art by simply scrolling through Telegram dumps, this is bad news for you. You could easily and unknowingly download your demise in the form of a pixel art goldfish.
How to Avoid this Attack
Go to your Telegram settings and turn off the feature that automatically downloads files and images. What this will do is make every image and attachment a blurred thumbnail requiring your permission to download and view. A bit annoying but a necessary move for safety.
Dirty Installers
This is a classic so I won't spend too much time on it. Make sure every app you install is the authentic app from the authentic source. Apps like Telegram, Discord, Metamask, and virtually every popular crypto wallet have dirty installers out there. The installers either lead to fake apps or are tainted install files that will install the actual app... plus a few malicious things here and there. If you download a dirty wallet and put in your private keys, you're screwed. Nobody can help you recover lost funds.
Dirty Telegram installers are a popular one. You'll download it from what you think is a clean mirror. The installer looks indistinguishably the same as a clean installer. You'll even get the copy of Telegram you were hoping for, but during installation you'll receive a load of malware. Like not just one dirty app, you'll get about 3+ and they'll go after everything, not just crypto. Banking info, personal identity info, internet browsing data, everything.
How to Avoid this Attack
Make sure you're downloading legit software from legit places. If possible, do business on one device and social media/chatting on another. Telegram provides a lot of opportunities for malicious intent if you aren't careful and vigilant. So if you must use it, don't join too many random chats or connect with too many random people. Treat it like an SMS app that could potentially kill you virtually if you give it the chance.
Discord Phishing
As an avid internet user you should know what a phishing scam is. It's a fraudulent link or message that pretends to be something you trust, but in reality it's something meant to scam you. A simple example of Discord Phishing is when a random person comes into your inbox and says something that leads to you clicking a link for a server. You click the link but instead of seeing the server, you're seeing a message asking you to log into Discord because you have been logged out. You should check the address bar and notice the URL is not an official Discord one. If you had logged back in, you would have sent a scammer your login credentials.
A different example would be if a person impersonating a moderator from a server that you trust shares a malicious link to the community using the @everyone tag. Or the impersonator can DM you, pretending to have exclusive investment opportunities for you when in reality they just want your money.
How to Avoid this Attack
Discord can be a really busy place when you're dealing with crypto, NFTs, or Web3. It can be easy to drop your guard and click on random links without thinking twice. Always vet the links you click and the person who shared them. Make sure they have prior activity in the server and that their profile and posting habits are normal. Beware of the random people in your inbox and be careful clicking or downloading anything they send.
“Connect Wallet” Scam
Once upon a time web3 was a new thing and all of the people involved were friendly and loved art and wanted to make the crypto world a better place. Then scammers got hip to everyone's willingness to connect their wallets to random sites and started taking advantage of the happy explorers.
Connect Wallet Scams are scams where you connect your web3 wallet (like Metamask) to a website and unknowingly grant the devs permission to gain control of funds inside your wallet. Websites like Opensea and UniSwap are trustworthy and have been audited many, many times by the community. So any flaws in their platform's wallet connection ability have been addressed and reinforced. On the blockchain new dapps (decentralized apps, or apps that require you to connect a wallet to access) are appearing on a daily basis. New NFT projects that promise a new freaky use-case appear every 10 minutes. Many of these new projects are on their own websites and require that you connect your wallet in order to participate. A lot of times, you'll connect and nothing negative will happen immediately. You could try out the project, have a successful experience, and leave the site with a smile on your face; only to wake up the next morning to an empty wallet and a ton of emotions.
Your safety mistakes were that you:
A. Connected to a sketchy website.
B. Didn't disconnect on your way out.
Always log off or disconnect your wallets when you're done with an app! Even if it's a trustworthy site like Opensea, you don't want anyone or anything that you can't control having access to your wallet unsupervised. Disconnect your wallet from the apps you use!
In a not-so-humble scenario you could connect to a sketchy website, begin a process, and think you're sending funds one way when in reality they're going somewhere else. An example of this would be if you connect to an exchange that's new and sketchy. You see they have the ability to swap Tezos for Binance Smart Chain so you select your Tez and begin the swap. The swap seems to be going correctly and it gives you a successful notification. You check your wallet but don't see any new funds. You try to check the transaction out on the exchange and get a 404 page. Congratulations, you just sent some crypto to hell!
Never trust a process that you personally have not safety tested. You have to take the extra steps to protect yourself in this world. Before trying a new exchange, connect a dummy wallet (see above).
How to Act when being Attacked
Disconnect your wallet, save your crypto by sending it to a safe wallet, and pray that you're faster than they are.
How to Avoid this Attack
Test new apps with a dummy wallet and always disconnect your wallet before you leave the site.
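The “permission to gain control of funds” described above is, on Ethereum-style chains, normally granted by a transaction the site asks your wallet to sign: an ERC-20 approve(spender, amount) or an ERC-721/ERC-1155 setApprovalForAll(operator, true). This added example (not code from the original article or any wallet) decodes such calldata offline from the hex string a wallet shows under its data/hex tab, so you can read what a prompt actually grants before confirming it. The addresses and calldata are constructed placeholders, not real contracts.

```python
"""Decode an ERC-20 / ERC-721 approval prompt's calldata and say in plain words what it grants."""
from __future__ import annotations

# 4-byte function selectors: first 4 bytes of keccak256 of the canonical signature.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
UINT256_MAX = 2**256 - 1   # the "unlimited" allowance most draining sites ask for


def decode_calldata(data_hex: str) -> dict:
    """Split calldata into selector + 32-byte ABI words; unknown selectors are reported, not guessed."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4:
        raise ValueError("calldata too short to contain a selector")
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    body = raw[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name} expects {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i: 32 * (i + 1)]
        if kind == "address":
            if any(word[:12]):            # addresses are left-padded with 12 zero bytes
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        elif kind == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector, "args": args}


def assess(decoded: dict) -> list[str]:
    """Plain-language warnings to read before clicking Confirm."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "approve":
        spender, amount = args
        if amount == UINT256_MAX:
            return [f"UNLIMITED allowance to {spender}: it can move every token of this type "
                    "you hold, now or at any later time, with no further prompt"]
        return [f"allowance of {amount} base units to {spender}"] if amount else ["revokes allowance"]
    if fn == "setApprovalForAll":
        operator, approved = args
        if approved:
            return [f"operator {operator} may transfer EVERY NFT in this collection at will"]
        return [f"revokes operator {operator} (this is the clean-up step)"]
    if fn in ("transfer", "transferFrom"):
        return [f"moves tokens immediately via {fn}"]
    return [f"unknown selector {decoded['selector']}: do not sign what you cannot read"]


def _word_address(addr_hex: str) -> str:
    return "00" * 12 + addr_hex.removeprefix("0x")


# Constructed samples (placeholder addresses, not real contracts).
SPENDER = "0x" + "ab" * 20
OPERATOR = "0x" + "cd" * 20
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + _word_address(SPENDER) + "ff" * 32
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + _word_address(OPERATOR) + "00" * 31 + "01"

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED_APPROVE, SAMPLE_SET_APPROVAL_FOR_ALL, "0xdeadbeef"):
        decoded = decode_calldata(sample)
        print(decoded["function"], decoded["args"])
        for line in assess(decoded):
            print("  !", line)
```

A wallet prompt that says only “Set approval” or “Approve spend” is exactly the case this makes readable; the same decoder shows that a later revoke (amount 0, or approved false) is the clean-up the “disconnect your wallet” advice is really about, since disconnecting a site does not undo an on-chain approval.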
Airdrop Scams
Airdrop scams are heartbreaking. You get a gift of free money from a platform or a random address only to find out it's really a code bomb waiting to drain your wallet.
Airdrops are an awesome phenomenon! It's free tokens given to you by a platform or another user for whatever reason they want. Typically airdrops come from DAOs (Decentralized Autonomous Organizations), which are apps that pay you governance tokens in exchange for your activity on the project. For example Rarible is a DAO that airdrops RARI tokens to users that buy and sell NFTs on the platform. With these tokens in your wallet you have the ability to vote on new Rarible features and participate in the community-based government. You can also sell these tokens for Ethereum or an Ethereum-based coin and cash it out into fiat. So basically you get paid to use the platform. All of this is done autonomously by the platform, not by an accounting department. So everyone gets their fair share for their activity.
Another popular form of airdrop is the promotional airdrop. This is when a new platform or project records information from an older project's ledger and sends active addresses free tokens for them to use on their platform or to cash out as a monetary promotional move. An example of this is the recent OpenDAO airdrop where a new project called OpenDAO recorded activity from NFT platform Opensea's ledger and at launch they airdropped tokens into wallets that fit a qualifying criteria. In order to check if you qualify you have to connect your wallet to their website. Since the community is becoming a bit more safety-savvy, devs went into action on verifying if OpenDAO was a legit project or not. Trustworthy devs reviewed the code and saw that it was clean and legit. You could then connect your wallet and be rewarded with tokens!
You can see how airdrops are great when they're legit. Last year I recall seeing people get basically retired by the value of their airdrops for DAOs that they were a part of and didn't even know it was a DAO project. Imagine if Facebook revealed that they were a DAO and airdropped $10 million into all of their users' wallets in exchange for the data they've siphoned. This will never happen, but it's the same idea.
Airdrop Scams are not fun... at all. You could get hit with the good old “connect your wallet” scam and have a bad day, OR you could receive tokens successfully, go to sell them, and end up triggering a chain reaction that drains your wallet of its crypto!
Another airdrop delivery method is to simply drop coins into someone's wallet. You could end up receiving malicious tokens via a wallet connection or through a random wallet drop. So far I've seen these scams happen quite a bit on Binance Smart Chain (which is a centralized clone of Ethereum) and can't quite explain the technical side of what's happening, but it's kind of like receiving a virus in token form. Currently in my BSC wallet I have TONS of random coins that I have no idea where they came from or what they're for. I don't do much work on Binance so I know these are not drops from platforms I've used retroactively. After doing a bit of research on some of these tokens, I saw stories of how users went to cash out these tokens on an exchange and ended up having their entire wallets emptied. These tokens could have a botched exit method and instead of behaving like average tokens when sold, they could trigger a different response. Or these tokens could be exclusive to malicious exchanges and lead you to connect your wallet to a death trap decentralized app.
How to Avoid this Attack
To avoid this trap follow the same precautions in the “Connect Wallet Scam” section.
If you receive random tokens in your wallet, research them before trying to use them. As of right now, it does no damage to leave these tokens alone in your wallet.
When you learn of a new airdrop, consult Twitter or a seasoned and vetted crypto server on Discord. If you're experiencing it then someone else should be too. Look for signs of celebration or turmoil around the coin. Search the coin's $SYMBOL and note the traffic. Are they happy and telling others to check or are they sad and expressing regret? Are they human or are they bots and influencers?
Public WiFi Tampering
As a general rule of the internet, be extremely careful when connecting your devices to public WiFi. Recently I saw a tweet about someone getting their Metamask wallet hacked by connecting to a risky public WiFi router. The attacker was apparently able to place a bot onto his computer that kicked him out of his Metamask. When he went to restore his wallet, the attacker was able to intercept that info and access his wallet. Now I don't know the specifics to this attack but I do know that public WiFi is extremely risky. You're sharing a network with people and devices that you do not know. Sometimes your data is monitored by the access point provider and used in ways that you can't monitor or confirm.
How to Avoid this Attack
Try to only use trusted public hot spots.
Use a VPN and some sort of firewall to protect your device and data.
Read what you're agreeing to when you sign on and are required to accept a Terms of Service.
So in conclusion, if you're working with crypto or crypto-based technologies you should be extremely careful. You should get into the habit of not sharing personal info in chat conversations. Never download anything you don't completely understand. This world is very experimental and has a lot of trap doors, so tread lightly. The only real way to protect yourself is by taking the proper preventative measures. Once these attacks are initiated you have to act fast and intelligently in order to save your assets.
If you have any questions or concerns about how safe your crypto habits are, feel free to reach out to me for a creative consultation session! With a CC sesh I can take a look at your practices, answer any questions you have, and provide access to different resources that could potentially help your outcome in this wild world of blockchain.
Make sure you follow me on Twitter to keep tabs on when I drop new art and articles!