{"id":21278,"date":"2023-06-23T09:44:30","date_gmt":"2023-06-23T05:44:30","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/21278\/"},"modified":"2023-06-23T09:44:30","modified_gmt":"2023-06-23T05:44:30","slug":"top-eight-crypto-scams-2023","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/21278\/","title":{"rendered":"Eight of the most daring crypto thefts in history"},"content":{"rendered":"<p>The advantages of cryptocurrencies for owners \u2014 lax regulation and lack of government control \u2014 are major pluses for cyberthieves too. Because the threats to crypto assets are quite varied, we recommend that you study our <a href=\"https:\/\/www.kaspersky.com\/blog\/4-key-steps-to-protect-cryptocurrency-properly\/47811\/\" target=\"_blank\" rel=\"noopener nofollow\">overview of how to protect your crypto investments<\/a>, as well as our <a href=\"https:\/\/www.kaspersky.com\/blog\/five-threats-hardware-crypto-wallets\/47971\/\" target=\"_blank\" rel=\"noopener nofollow\">tips for owners of hardware cryptowallets<\/a>. But these posts of ours, detailed as they are, still do not disclose the full variety or scale of crypto-related scams. To give you a better grasp of just how attractive crypto finance is to scammers, we\u2019ve compiled a list of the most striking examples of attacks in recent years. Our police lineup (of cybercriminals) shows you the biggest, most brazen attacks in different categories. We didn\u2019t rank them by damage, as this is hard to determine for many types of attacks, and our rating excludes <a href=\"https:\/\/edition.cnn.com\/2022\/02\/27\/business\/bitconnect-ponzi-scheme-satish-kumbhani\/index.html\" target=\"_blank\" rel=\"nofollow noopener\">pyramid schemes like BitConnect<\/a>.<\/p>\n<h2 id=\"sophisticated\">1. 
The most sophisticated<\/h2>\n<p><strong>Damage: US$30\u00a0000<\/strong><br>\n<strong>Method: Trojanized hardware wallet<\/strong><\/p>\n<p>This attack was investigated by our experts, hence we have a <a href=\"https:\/\/www.kaspersky.com\/blog\/fake-trezor-hardware-crypto-wallet\/48155\/\" target=\"_blank\" rel=\"noopener nofollow\">detailed post<\/a> about it. An investor purchased a popular hardware wallet, which looked and worked exactly like a real one \u2014 until it didn\u2019t. It turned out to be a very crafty fake with pre-flashed private keys known to the cybercriminals and a password-weakening system. When money appeared in the wallet, the hackers simply withdrew it. And that\u2019s without the wallet ever connecting to a computer.<\/p>\n<h2 id=\"biggest\">2. The biggest<\/h2>\n<p><strong>Damage: US$540\u00a0000\u00a0000<\/strong><br>\n<strong>Method: server hack <\/strong><\/p>\n<p>For a long time, the largest hack in cryptocurrency history was the theft from <a href=\"https:\/\/buybitcoinworldwide.com\/mt-gox-hack\/\" target=\"_blank\" rel=\"nofollow noopener\">Mt. Gox exchange of US$460 million<\/a>, which caused the exchange to collapse in 2014. But in 2022 this dubious honor passed to Sky Mavis, developer of the popular play-to-earn game Axie Infinity. The attackers compromised the Ronin Bridge system, which handles the interaction between in-game tokens and the Ethereum network, which led to the <a href=\"https:\/\/www.kaspersky.com\/blog\/sky-mavis-crypto-heist\/44981\/\" target=\"_blank\" rel=\"nofollow noopener\">theft of ether and USDC<\/a> worth, according to various estimates, US$540\u2013650 million. Without delving into the details of the blockchain bridge hack, the attackers compromised five of the nine validator nodes for verifying Ronin transactions and used them to sign their transfers. 
Apparently, the network was infiltrated through a combination of malware and legitimate but outdated access credentials that had not been revoked in time.<\/p>\n<p>The hackers also hoped to earn even more from the collapse in the market capitalization of the target companies, but the hack was noticed just a week later, and their attempt at short selling failed.<\/p>\n<h2 id=\"persistent\">3. The most persistent<\/h2>\n<p><strong>Damage: unknown<\/strong><br>\n<strong>Method: fake Chrome extension<\/strong><\/p>\n<p>The attacks, carried out by the BlueNoroff group and <a href=\"https:\/\/www.kaspersky.com\/blog\/snatchcrypto-bluenoroff\/43412\/\" target=\"_blank\" rel=\"noopener nofollow\">detected by us in 2022<\/a>, were aimed primarily at FinTech companies working with cryptocurrency. In this series of attacks, the hackers penetrated the internal networks of the target companies using phishing emails seemingly from venture capital funds. When the victim opened the malicious email attachment, a Trojan installed itself on the computer allowing the attackers to steal information and install additional malware. If the company\u2019s emails were of interest to them, the hackers remained in its network for months. Meanwhile, the crypto theft itself was carried out using a modified Chrome extension called Metamask. By installing their version of Metamask instead of the official one, the cybercriminals were able to observe and modify the victim\u2019s legitimate cryptocurrency transactions; even the use of a hardware cryptowallet in this case didn\u2019t provide sufficient protection.<\/p>\n<h2 id=\"obscure\">4. The most obscure<\/h2>\n<p><strong>Damage: US$35\u00a0000\u00a0000<\/strong><br>\n<strong>Method: unknown<\/strong><\/p>\n<p>On June 2, 2023, <a href=\"https:\/\/twitter.com\/zachxbt\/status\/1665267820836319233\" target=\"_blank\" rel=\"nofollow noopener\">attackers targeted<\/a> the decentralized Atomic Wallet, debiting tokens from the victim. 
This is the most recent example at the time of posting. The developers <a href=\"https:\/\/twitter.com\/AtomicWallet\/status\/1665550651735023616\" target=\"_blank\" rel=\"nofollow noopener\">confirmed the hack<\/a>, but have yet to figure out how it was done. Atomic Wallet prides itself on the fact that neither passwords nor private keys are stored on its servers, so the attack must be linked to what takes place on users\u2019 computers.<\/p>\n<p>Cryptocurrency tracking experts say the laundering methods used resemble the modus operandi of the Lazarus group. If it is Lazarus, it\u2019s most likely an attack either through a fake Trojanized version of Atomic Wallet (similar to the <a href=\"https:\/\/www.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/44138\/\" target=\"_blank\" rel=\"noopener nofollow\">attack on DeFi<\/a>), or on the developers themselves with a Trojan in the official application.<\/p>\n<h2 id=\"cinematic\">5. The most cinematic<\/h2>\n<p><strong>Damage: US$4\u00a0000\u00a0000<\/strong><br>\n<strong>Method: face-to-face meeting<\/strong><\/p>\n<p>To steal cryptocurrencies, some cybercriminals set up <em>Catch Me If You Can<\/em>-style scams. The targets \u2014 companies looking for investors \u2014 are approached by \u201cinvestment funds\u201d to discuss a potentially large investment in the business. After a few phone calls and emails, face-to-face meetings are scheduled at a luxury hotel with the victims \u2014 startup CEOs. There, all legal and financial matters are discussed at length, after which, under a convenient pretext, the conversation turns to investments and cryptocurrency fees. As a result, the scammers sneak a peek at the victim\u2019s seed phrase or briefly get hold of their cryptowallet, emptying it of all funds. 
In one case, the victims were hustled for <a href=\"https:\/\/www.theregister.com\/2023\/02\/08\/webaverse_crypto_stolen\/\" target=\"_blank\" rel=\"nofollow noopener\">US$4 million<\/a>; in another, <a href=\"https:\/\/www.theregister.com\/2023\/02\/16\/fake_crypto_investor_scam\/\" target=\"_blank\" rel=\"nofollow noopener\">described in detail<\/a>, for US$206 000.<\/p>\n<h2 id=\"elegant\">6. The most elegant<\/h2>\n<p><strong>Damage: unknown<\/strong><br>\n<strong>Method: fake letters and wallets<\/strong><\/p>\n<p>This one sounds like a plot for a detective novel: cybercriminals sent <em>paper<\/em> letters to buyers of Ledger hardware wallets. To get the mailing list, they either hacked into an unnamed third party (likely a Ledger contractor) or capitalized on an earlier user-data leak.<\/p>\n<p>The letter informed the recipient that, due to security issues, their Ledger Nano X hardware wallet had to be replaced \u2014 and a free replacement wallet under warranty was handily attached to the letter. In fact, the enclosed box contained a malware-infected flash drive disguised as a Nano X. On first startup, the program asked the victim to perform a \u201ckey import\u201d and enter their secret seed phrase to restore access to the wallet \u2014 with obvious consequences. Many recipients, however, didn\u2019t fall for the ruse: despite the convincing packaging, the letter itself contained a number of spelling mistakes. Vigilance pays dividends!<\/p>\n<h2 id=\"inconspicuous\">7. The most inconspicuous<\/h2>\n<p><strong>Damage: unknown<\/strong><br>\n<strong>Method: malware<\/strong><\/p>\n<p>Among the most inconspicuous are <a href=\"https:\/\/securelist.com\/copy-paste-heist-clipboard-injector-targeting-cryptowallets\/109186\/\" target=\"_blank\" rel=\"noopener\">address-substitution attacks<\/a>, usually carried out with the help of clipboard-injector malware. 
After infecting the victim\u2019s computer, the malware silently monitors the clipboard for cryptowallet addresses: when one appears, the malware replaces it with the address of the attacker\u2019s wallet. So when the victim simply copies and pastes an address during a transfer, the funds go to the cybercriminals instead.<\/p>\n<h2 id=\"hurtful\">8. The most hurtful<\/h2>\n<p><strong>Damage: US$15 000<\/strong><br>\n<strong>Method: love letters<\/strong><\/p>\n<p>Romantic scams remain one of the most common ways to deceive private crypto investors. Let\u2019s take a look at a specific example. Kevin Kok had years of crypto experience, yet even <a href=\"https:\/\/www.wptv.com\/news\/local-news\/investigations\/boynton-beach-man-warns-others-after-losing-15-000-in-cryptocurrency-scam\" target=\"_blank\" rel=\"nofollow noopener\">he was hoodwinked by a blossoming romance<\/a>. Having met a woman on a dating site, he chatted with her for several months, during which time the topic of investments never arose. Then, she suddenly shared \u201cinformation from friends\u201d about a handy new app for crypto investments. She was having trouble figuring it out and asked for help so she could deposit her own (!) money there. Kevin, of course, offered to help. Convinced that the app was working fine, he saw his new flame\u2019s assets rise in value. So he decided to invest his own money and smiled at the high rate of return. Kevin became suspicious only when the woman suddenly disappeared from all messenger apps and stopped replying to his messages. 
And it was then he discovered it wasn\u2019t possible to withdraw funds from the \u201cinvestment system.\u201d<\/p>\n<h2 id=\"stay_safe\">How to stay safe?<\/h2>\n<p>We\u2019ve already given <a href=\"https:\/\/www.kaspersky.com\/blog\/4-key-steps-to-protect-cryptocurrency-properly\/47811\/\" target=\"_blank\" rel=\"noopener nofollow\">detailed recommendations for crypto investors<\/a>, so here we\u2019ll repeat just two: treat all crypto-related offers, emails, letters and innocent questions with maximum suspicion, and always use security software tailored for crypto investments on all relevant devices. And we certainly recommend a <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> subscription for one or more devices, the price of which is a drop in the ocean compared to the potential damage from just one successful scam. Premium includes special tools to protect your crypto investments:<\/p>\n<ul>\n<li>Protection against cryptocurrency fraud and unauthorized mining<\/li>\n<li>Additional protection for banking apps and financial transactions<\/li>\n<li>Anti-phishing<\/li>\n<li>Special anti-keylogger protection for password input windows<\/li>\n<li>Detection of remote access to the computer<\/li>\n<li>Password manager and secure storage for sensitive data<\/li>\n<li>Real-time antivirus with application behavior control<\/li>\n<li>Warnings about potentially dangerous applications<\/li>\n<li>Automatic search for outdated versions of applications and updates from official sources<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-crypto-fraud\">\n","protected":false},"excerpt":{"rendered":"<p>Crypto Olympics, or the full gamut of blockchain attacks: the biggest, most sophisticated, most audacious cryptocurrency heists of all 
time.<\/p>\n","protected":false},"author":2722,"featured_media":21279,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[374,1308,1505,1739,1504,2578,187,695,201,521,131],"class_list":{"0":"post-21278","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-bitcoin","9":"tag-blockchain","10":"tag-cryptocurrencies","11":"tag-cryptowallet","12":"tag-ethereum","13":"tag-nft","14":"tag-passwords","15":"tag-scam","16":"tag-theft","17":"tag-threats","18":"tag-tips"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/21278\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/top-eight-crypto-scams-2023\/25837\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/10842\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/28535\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/top-eight-crypto-scams-2023\/26136\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/26480\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/top-eight-crypto-scams-2023\/28959\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/top-eight-crypto-scams-2023\/27875\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/top-eight-crypto-scams-2023\/35628\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/top-eight-crypto-scams-2023\/11549\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/top-eight-crypto-scams-2023\/48489\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/top-eight-crypto-scams-2023\/20788\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/top-eight-crypto-scams-2023\/21474\/"},{"hreflang":"de","url":"
https:\/\/www.kaspersky.de\/blog\/top-eight-crypto-scams-2023\/30308\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/top-eight-crypto-scams-2023\/34204\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/top-eight-crypto-scams-2023\/26451\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/top-eight-crypto-scams-2023\/32146\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/top-eight-crypto-scams-2023\/31830\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/cryptocurrencies\/","name":"cryptocurrencies"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21278"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/21279"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}