Security Threats Specific to Cryptocurrency Investment
Whilst investing in, trading and using crypto currencies in everyday life has become immensely popular, and is becoming more mainstream everyday, unfortunately security measures and protections haven’t kept up, and the world of crypto isn’t as safe as we’d like it to be.
There have unfortunately been many events where crypto currencies, exchanges and wallets have been hacked – either where their security has been breached, often because the founders and devs simply didn’t use strong enough security protections, and in some cases even where the people behind the exchanges have been at fault.
As the crypto space is largely unregulated, there are also many scams continuing to go on, designed to separate people from their crypto. These scams include hacking into exchanges or wallets so you lose your crypto, but can also be much more subtle and easy to fall victim to.
There are many scam links in crypto chat forums –especially in slack groups, but also people use Facebook and email to promote scam links – which are designed to make you send your Bitcoin or ETH to a fake address, or to make you give away your private key to your MyEtherWallet (which you should never do!).
Other scams include: bad/scam/Ponzi ICOs – where it seems the team sometimes have no honest intentions, but are purely using an ICO platform to raise money for themselves, sending you to the wrong ICO link. Also scam mining links, where hackers use your computing power to mine cryptocurrency (especially Monero) for their gain.
Perhaps most scarily, hackers can and have broken into computers and stolen bitcoin and cryptos straight off peoples’ computers and wallets. Or, they have found unencrypted backups of their wallet keys on their computers and have used those to transfer coins straight off personal computers.
Here are some examples of scams that have happened – and what to look out for – and a guide on how to keep your computer, your data and your crypto safe!
Hacks and security threats specific to Crypto investors
Whilst computer and cyber threats and hacks are becoming increasingly common, it seems that crypto investors – and particularly exchanges, wallets and ICOs, are specific targets for hackers and suffer a disproportionate level of cybercrime. This is understandable- people and especially exchanges and ICO teams have made huge profits from crypto, large sums of money are stored on exchanges and in wallets, and crypto is unregulated and mostly in a legal grey area. That means big rewards for often not much risk. It is very rare that a crypto hacker is punished for their transgressions, and losing money to a hack or a scam is generally seen as a standard part of crypto investing. This means that you have to be extra careful. Many people new to crypto, who previously didn’t worry too much about online or personal computer security, soon learn to take extra precautions with all their online activities.
Here are some of the cyber security risks specific to crypto currencies:
Scammers trying to post fake websites and wallet addresses, also known as Phishing Attacks
These are the most common threats in crypto, and appear all over the place. Many slack groups and other social media forums used in crypto are often littered with phishing links. There are people posting fake and fake websites and ETH addresses to try and get people to send their ETH/ funds to the fraudulent address instead of the correct one. The fake websites often look identical to the real one, and it can be hard to know which is which. Scammers also post all over slack and often also hack into the email lists for ICOs, so will email you, with very realistic looking emails, again, trying to send you to the wrong website or their wallet addresses instead of the correct ones.
Another scenario could be when you are redirected to a phishing website, where unknowingly you share crypto wallet details. There is no one single way to identify such phishing attacks, except to be vigilant and re-confirm the exact URL before providing any sensitive information or proceeding with any wallet transfer
Phishing Attacks Against ICO Participants
In crypto these phishing links are mostly targeted at people looking to participate in an ICO, designed to get you to send funds to the scammers’ address rather than to the ICO. Many ICOs have been victim to these attacks, with some ICOs having millions of $dollars stolen and some having to cancel their ICOs after losing the funds they have raised.
Scams to look out for when participating in an ICO:
- Phishing attacks might create an identical website but with a different domain ending. For example, the correct website might be exampleICO.org and the fake website might be exampleICO.net. This happens very frequently.
- Scammers might change one letter in the website so that it looks similar when they send out links- for example changing an l (lower case L) for an I (capital i) – this also happens very frequently.
- Or, scammers will send out a fake wallet address or ETH address, to get you to send your funds to the fake wallet address instead of the real ICO one. Often ICOs will post a wallet address shortly before the ICO launches, or will get the founder to video the correct one on Youtube for example, so that you can check that you are sending to the correct link.
- ICO funds collection usually opens at a specific time and closes when the required amount has been gathered. The collection address is open and is posted on the project website. In the past, there have been incidents where a hacker replaced the project website with his own. Within 1 hour, one hacker made almost $8 million using the fake address.
Slack is one of the most popular mediums used for crypto groups, especially by ICOs, but is one of the least safe and most prone to spam. Anyone can post in slack, and slack group leaders have no real control over the ‘slack bot’ – anyone can take over the slack bot and post spam links, looking like they’re from the group.
Top tips to protect yourself from being scammed in Slack
- Don’t trust the slackbot
- Don’t trust any private message you receive with a link in it
- Don’t trust any message you receive that says anything about your MEW (My Ether Wallet)
- Don’t trust an ICO or wallet address posted on to slack and don’t send your funds to any wallet address posted on slack unless you are 100% sure that it is from the correct team. Even then, there have been cases of founders /ICOs slack accounts getting hacked and scammers posting from their accounts.
- FUD (fake negative comments) or fake good news posted in slack. Many people are genuine and post their real thoughts. Others try to manipulate people and control the market by posting fake good or bad comments- to try and affect the market. Always DYOR (do your own research)
Getting your computer to mine Monero directly for scammers
Another crypto-specific attack is scammers getting you to mine Monero, a dark crypto coin, on your computer, which is sent straight to them. This uses your computer power and energy for the scammer to get free Monero. There is a plugin available for anyone to buy cheaply, which allows anyone to get users of their site or links to scam people into mining for them. The people doing the mining mostly have no idea, other than maybe their computer being slower. This attack isn’t specific to crypto investors though, many Facebook users and others have been victim to this also. Many websites also install Monero mining plugins – they then link to your computer and get your computer to mine Monero which redirects to them, whilst they are on your site. Many websites are now using this trick as a standard way to monetize their website instead of advertising.
Payment Gateway Hacks
A genuine payment gateway with a valid address can also result in wallet being stolen. In June 2017, a popular web wallet for Ethereum classic suddenly started stealing wallets. The hackers had used social engineering techniques to convince the host provider that they were the original domains owners. As a result, they gained access and started intercepting the cash flows. They managed to steal over $300,000.
User address issues
This amounts to a loss of money during the money transfer, because of a wrong address being provided. Bitcoins has address validation in place and hence such incidents are less likely to happen.
This is a mistake made by the user and is not a scam or hack, but is still a common mistake made and is a risk specific to crypto users, especially those new to crypto. Always check every character of the destination address carefully.
However, other cryptocurrencies such as Ethereum witness such attacks, also popularly called as short address attacks where your money can simply disappear. It is safer to use bitcoins or validate the address before initiating any transfers. And always use 2FA.
Loss of wallet details
Again, not a scam or hack, but an issue specific and common to crypto users. Most crypto wallet users store their credentials in the files on the computer. This can result in attacks from malware stealing your credentials or can result in loss of credentials due to a hard disk crash. Some people just write their wallet details down somewhere and then forget where, or lose the piece of paper or delete the file. To prevent such attacks, users should make a hard copy of the secret key or store it in USB hardware wallets.