Think like a scammer to protect your crypto assets

Blockchain technology is revolutionizing the way we transact with each other: assets can be transferred faster, the identities of sender and receiver are kept hidden, and it is impossible to counterfeit or hack the transactions. Really?

Scammers and hackers are not short of ideas: fake blockchains, fake cryptocurrencies, exploiting smart-contract vulnerabilities, flooding the network with spam transactions, carrying out 51% attacks, and more. All for the same reason retail and institutional investors are jumping on the blockchain wagon: money.

In this blog, we'll look at one of the many ways cyber-criminals seek to profit from the cryptocurrency space: carrying out phishing attacks.

Phishing is a form of fraud in which an attacker poses as a trustworthy organization or person in email or another form of communication. Attackers commonly use phishing emails to distribute malicious links or attachments that can perform a variety of functions, from harvesting credentials to installing malware.

Think like a scammer!

Let's put on the scammer hat for a few minutes, with almost no technical jargon. Say we want to pull off a phishing attack to steal ADA funds; how can we do it in its simplest form? Why not make the victims send us the funds themselves? Is that not easy? It turns out it is relatively easy.

Steps:

  1. Purchase a domain similar to the official website's.
  2. Clone the Daedalus website using tools such as
  3. Download the official Daedalus wallet.
  4. Inject the official Daedalus wallet installer with malicious code, using tools such as Debinject in the case of Debian packages.
  5. Put the cloned website and the trojanized wallet on a web server such as apache2 in the cloud.
  6. Craft a convincing email carrying your malicious link (e.g. "Daedalus: revolutionary new version!").
  7. Send the email to your victims.
  8. The victim downloads the wallet through your fake website and uses it.
  9. Eureka, you have the victim's funds.

Malicious code can be, for example, a keylogger, or a script that sends funds to the scammer's ADA address.
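The defence against step 4 is to verify that what you downloaded is byte-for-byte what the publisher released. The following Python example is added here and is not code from the original post or from the Daedalus project: it checks a downloaded installer against a sha256sum-style checksum list and shows that a tampered copy fails the check. The file name, file contents and checksum list are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return sums


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, checksums: dict) -> bool:
    """True only if a published digest exists for this file name and matches its content."""
    expected = checksums.get(path.name)
    if expected is None:
        return False  # no published checksum: treat as unverified, never as OK
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> tuple:
    """Constructed scenario: a genuine installer and a trojanized copy with the same name."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "daedalus-example.deb"  # hypothetical file name
        genuine.write_bytes(b"!<arch>\n" + b"official package bytes")
        # Checksum list as a publisher would ship it (constructed from the genuine file).
        published = f"{sha256_file(genuine)}  {genuine.name}\n"
        checksums = parse_checksums(published)
        genuine_ok = verify_download(genuine, checksums)

        # Step 4 of the scammer's recipe: same file name, extra payload appended.
        trojan = Path(tmp) / "evil" / genuine.name
        trojan.parent.mkdir()
        trojan.write_bytes(genuine.read_bytes() + b"\nsend_funds_to_attacker()\n")
        trojan_ok = verify_download(trojan, checksums)
    return genuine_ok, trojan_ok


if __name__ == "__main__":
    ok, tampered = demo()
    print(f"genuine verifies: {ok}, trojanized verifies: {tampered}")
```

A checksum only helps if you obtain it through a channel the attacker does not control: the fake site can publish digests that match its own trojanized build. Take the digest from the official domain you bookmarked, or better, verify the publisher's signature with a key you obtained before you needed it.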

Real-world phishing attack

Crypto scams rose more than 80% last year. In a real-world phishing campaign last December, scammers used Google Ads to direct victims to fake wallets, and hundreds of thousands of dollars were stolen.

“Simplicity is the ultimate sophistication.” — Leonardo da Vinci.

Scammers purchased a domain almost identical to the official one and used Google Ads to direct as many victims as possible to their fake wallet website. Compared with our example above, they swapped step 7 (email) for Google Ads.
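A lookalike domain is the common thread between the scammer's recipe above and the Google Ads campaign. The following Python example is added here and is not taken from the original post; it shows the kind of check a browser add-on, or a cautious user, can apply to a link before trusting it: compare the host against a bookmarked allowlist, decode punycode, fold visually confusable characters, and measure edit distance. The allowlist, the confusables table and the sample URLs are constructed for the example (daedaluswallet.io is assumed here to be the bookmarked official host).

```python
from urllib.parse import urlsplit

# Constructed allowlist: the host(s) the user bookmarked. daedaluswallet.io is
# assumed here to be the official Daedalus site; use your own bookmarks in practice.
TRUSTED_HOSTS = {"daedaluswallet.io"}

# Small confusables table (a subset of Unicode TR39): characters that render like a
# Latin letter. Digits cover typosquats, Cyrillic letters cover homograph attacks.
CONFUSABLES = {
    "0": "o", "1": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
MULTI_CHAR = {"rn": "m", "vv": "w"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL, decoded from punycode when a label starts with xn--."""
    host = urlsplit(url).hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")
    return host


def skeleton(host: str) -> str:
    """Fold confusable characters so that lookalikes collapse to the same string."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    for seq, rep in MULTI_CHAR.items():
        folded = folded.replace(seq, rep)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a trusted host is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, reason) with verdict in: trusted, lookalike, suspicious, unknown."""
    host = host_of(url)
    if host in TRUSTED_HOSTS:
        return "trusted", host
    for good in TRUSTED_HOSTS:
        if skeleton(host) == skeleton(good):
            return "lookalike", f"{host!r} renders like {good}"
        distance = levenshtein(host, good)
        if distance <= 2:
            return "lookalike", f"{host} is {distance} edit(s) away from {good}"
    if not host.isascii():
        return "suspicious", f"{host!r} contains non-ASCII characters"
    return "unknown", host


# Constructed sample links, as they might appear in a phishing email or a paid ad.
HOMOGRAPH = "d\u0430edaluswallet.io"  # second letter is Cyrillic a, not Latin a
PUNYCODE = HOMOGRAPH.encode("idna").decode("ascii")  # how an address bar may show it
SAMPLES = [
    "https://daedaluswallet.io/download",
    "https://daeda1uswallet.io/download",
    "https://daedalus-wallet.io/",
    "https://" + HOMOGRAPH + "/",
    "https://" + PUNYCODE + "/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url)[0]:10s} {url}")
```

The check is deliberately conservative: anything not on the allowlist and not obviously a lookalike is reported as unknown, not as safe. Real anti-phishing add-ons use much larger confusables tables and domain reputation feeds, but the bookmark-plus-comparison idea is the same.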

Phantom phishing attack

The main principle of phishing attacks, and of social engineering in general, is to trick you into walking into a trap.

Psychological manipulation

Scammers are masters of psychological manipulation; they use every trick in the book to move their targets out of logical thinking and into an emotional state where logic suddenly goes out of the window.

Psychological tricks

  • Phantom riches: enticing investors with the prospect of future wealth and promises of guaranteed income
  • Social consensus: leading investors to believe that other savvy investors have already bought into the opportunity
  • Reciprocity: offering to cut the commission in half in exchange for investing
  • Scarcity: creating a false sense of urgency by claiming there is a limited supply.

In November 2021, scammers exploited the popularity of the Netflix series Squid Game and created a digital token that they marketed as a "play-to-earn" cryptocurrency.

A "play-to-earn" cryptocurrency is one where people buy tokens to use in online games and can earn more tokens, which can later be exchanged for other cryptocurrencies or national currencies.

This kind of scam is commonly called a "rug pull": the scammers draw in buyers and investors and then run off with the money raised from sales.

DYO - Do Your own research

One of the main skills a scammer has is research: the time spent researching and preparing determines the likelihood of pulling off a successful attack. Likewise, for users, doing DYO before investing decreases your chance of being scammed or simply investing in the wrong project.

I cannot emphasize this point enough; it is often overlooked or outsourced to third parties. Many prefer to watch one or two videos about the project and scroll through its promotional website, and they already have an opinion.

For my part, I prefer DYO, and how far I go depends on whether my interest decreases or increases while researching the project.

Sometimes DYO is not enough, which is why my golden rule is: don't invest what you can't afford to lose.

Don’t trust - verify!

Security is all about knowing who and what to trust, and that is the essence of phishing and social-engineering attacks in general: they fake something (a website, a mobile application, a phone number, etc.) and trick victims into the trap.

Here are a few rules I follow:

  1. General principle: unless you fully trust the site you are on, do not willingly give out your card details, your crypto spending password, your wallet mnemonic (recovery phrase) or other sensitive data. No legitimate website or support agent needs your recovery phrase.

  2. Double-check the URL or the application name: take a few minutes to check the web address you are navigating to, or the name and publisher of the application you are about to download from the store.

  3. HTTPS, not HTTP: make sure the URL you are navigating to starts with https://. Keep in mind that HTTPS only means the connection to the domain shown is encrypted; phishing sites obtain certificates too, so the padlock does not prove the site is legitimate.

  4. Bookmark your favorite websites: a simple habit that saves me time and reduces the risk of ending up on a fake website.

  5. Two-factor authentication: improve the security of your online accounts, such as exchanges or email, by using two-factor authentication (2FA). You know the annoying code that is sent to you by SMS or generated by an authenticator app such as Google Authenticator, which you then have to type in as an extra step to log in? That is 2FA.

    Note: using an authenticator app to generate your two-factor codes is more secure than a text message, because SMS codes can be intercepted or redirected by a SIM-swap attack.

  6. File downloads: download files only from the official source, and verify them against the publisher's checksum or signature whenever the publisher provides one.

Tools that really help

Browser: for privacy I use Brave.

Brave is a free and open-source web browser based on Chromium, the same codebase Chrome is built on. Brave is privacy-focused: it blocks online advertisements and website trackers by default.

Ad-blocker and anti-phishing add-ons: install browser add-ons that warn you about phishing sites, block malicious websites, and block online advertisements. I personally use two open-source add-ons:

  1. PhishFort: anti-phishing protection for high-risk industries; this Chrome add-on offers website and domain phishing protection.
  2. uBlock: an efficient blocker add-on for various browsers. Fast, potent, and lean.

The key takeaway from this article: take these simple steps and precautions now, so that you never have to regret the one mistake that costs you your crypto funds or your privacy in general.


Further reading

  • What is social engineering?
  • Rug pull attack
  • Security tips
  • Scammers used Google Ads to steal 500k
  • Squid Game crypto token collapses in apparent scam

Disclaimer: This post is for educational purposes only, the authors do not endorse or promote any products discussed herein.