BY TIANA CLINE
THE ANONYMOUS, unregulated nature of cryptocurrency – which for many is a selling point – is also what makes crypto oh-so-popular with hackers. It is estimated that in 2021, crypto scammers stole around $14 billion in cryptocurrency worldwide. And it’s not only newcomers who are getting blindsided, even those with the blockchain know-how have fallen prey to pyramid schemes, phishing attacks via email, social media (or even dating apps) and pseudo- coins.
“The concept with blockchain is that it gives decentralized capability to transfer or to manage assets. That is the difference between blockchain technology and what we are currently using today,” explains Oded Vanunu, the head of products vulnerability research at Check Point Software.
“With blockchain, everyone who wants to enter the network is equal – everyone owns the same database and every transaction is documented and approved by all parties. It’s secure, cryptographic and – in theory, unbreakable.”
But since the introduction of Bitcoin in 2009, a lot has changed. There are now over 18,000 cryptocurrencies. Non- fungible tokens (or NFTs), which are built on blockchains and can be bought with crypto, have become far more than a way to collect digital art – businesses are using NFTs to create more transparent supply chains and San Marino, a small country in Europe, turned to the blockchain to digitize Covid-19 vaccine passports.
“We are now moving between the internet of information and into the internet of value,” says Vanunu, “but every website and application we are using is based on Web2. Web3 is based on the blockchain.”
In 2021, over $14 billion worth of cryptocurrency was hijacked from wallets. And according to Vanunu, this gap between Web2 and Web3 is where vulnerabilities come in. “We have many misconfiguration gaps on the security of combining Web2 and Web3. There
is a lot of malicious activity to exploit applications using blockchain connectivity to get users’ wallet permissions and
this is just the beginning.”
Fake wallets and faux coins?
Today, anyone can create a token coin and behind each is a smart contract – source code that says exactly how a coin will function. But because coins are so easy to set up, hackers are now creating fraudulent crypto tokens to misconfigure smart contracts and steal funds.
“These coins have some kind of malicious functionality. Smart contracts have very basic functionality but since it is software, cybercriminals can take it to the next level,” says Vanunu. “Behind each scam coin you’ll find marketing on social media and people don’t really understand what’s happening behind the scene. They’re buying coins based on fake news.”
When it comes to buying and selling cryptocurrencies, there is little to no due diligence. In many countries, cryptocurrencies remain unregulated. A digital token named Squid inspired by Squid Game, a popular South Korean Netflix series, stole $3.38 million from crypto investors
last year. KuCoin, a leading crypto exchange in Singapore, suffered a security breach to the value of over $281 million. “Anyone can create a crypto coin. Anyone can copy a malicious crypto coin and create a new one for scams,” adds Vanunu.
In order to buy digital currency on a trading platform you don’t technically need an electronic wallet – coins can be stored on a crypto exchange – but in order to move cryptocurrency around, a non-custodial wallet is a must-have. There are currently over 80 different types of cryptocurrency wallets available and hackers are taking advantage of this by setting up fake phishing wallet websites containing nefarious links. While there are increasingly complex methods of stealing cryptocurrency, phishing scams remain the most common. Phishing scams have been around since 1995 but what makes crypto phishing somewhat different is that there’s no undo button or customer service to call when things go wrong. This type of crypto hacking occurs when a hacker sends emails containing links in an attempt to bait the receiver into sharing their personal details – including their crypto wallet key info. Unlike a bank card with a pin, crypto wallets use public addresses and private keys which are mathematically linked to each other.
“The simplest way to get at people is to hack their wallets and to fool them into giving away that information. That’s really how the whole crypto-hacking thing works,” says Brian Pinnock, Mimecast’s Director of Sales Engineering for the Middle East and Africa. “Someone opens a phishing email and ends up downloading malware. And even if you type in a legitimate address, they may have hijacked your DNS and you’ll end up on a fake domain where they can steal your money or credentials.”
There are two main types of cryptocurrency wallets – hot and cold. Pinnock says that most people download hot wallets without realizing that they’re connected to the internet the whole time.
“Everyone makes the assumption that crypto is completely anonymous but it’s very trackable in the right circumstances,” adds Pinnock. “We put all of our information online and
hackers weaponize it – that’s why these scams work so well. Even if you’re conservative with what you share on social media, there’s been a huge number of well-publicized data breaches.”
As businesses move online and into the cloud, cybercriminals follow.
Some high-profile scams include a Brazilian pyramid scheme which saw Kenya Bitcoin investors losing millions. Similarly, an alleged cryptocurrency pyramid scheme in Uganda saw its two directors charged with fraud.
“Why do we go digital?” asks Pinnock, “because it allows us to scale up very quickly. We can do much more than we could in an analogue world. The cloud takes away the hassle of running these things ourselves. That’s exactly what cybercriminals did. Phishing gives them scale and anonymity. The benefits of being online have helped cybercriminals as much as they’ve helped us. That’s the reality.”
According to Gartner, by 2024, at least 20% of large enterprises will use digital currencies for payment, store of value or collateral. Cryptocurrency is transforming the concept of money as well as disrupting financial networks and business models and as its adoption skyrockets, it will be critical for potential investors to take note of the scams that have already happened as well as the influx of new ones.
“If you want to invest in cryptocurrency, go for coins with very big liquidity – coins that thousands of users are already invested in. Usually, scammer coins don’t have a large liquidity. In other words, there is not much money inside,” advises Vanunu. “Secondly, use two wallets. One will be a core wallet where all your assets sit, the second will contain a small amount of money and this is the wallet that will be connected to various marketplaces and to the Web2 infrastructure, so if you do get exploited, a hacker will only have access to the minimum amounts.”