Phishing

Crypto catfishers ditch fake exchanges for approval phishing scams

According to on-chain analytics firm Chainalysis, romance scammers increasingly use this method to steal their victims’ hard-earned crypto.

Crypto romance scammers — a cohort of crypto-stealing smooth-talkers — appear to have a new trick up their sleeves: targeted approval phishing.

In a Dec. 14 report from on-chain analytics firm Chainalysis, the firm noted that the technique has seen explosive growth over the past two years, with at least $374 million in suspected stolen crypto in 2023.

Approval phishing is a crypto scam where victims are tricked into signing transactions that give scammers access to wallets, allowing them to drain funds. While this isn’t new, Chainalysis said the technique is now utilized more often by pig-butchering scammers.
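Approval phishing works because a single signed transaction can grant a spender standing permission over a user’s tokens. The following is an added example, not code from Chainalysis or any wallet: a pre-signing check that decodes the calldata of an ERC-20 `approve` or ERC-721 `setApprovalForAll` call and flags the patterns a drainer relies on (an unknown spender, an unlimited allowance, or operator rights over a whole collection). The trusted-spender list and the sample calldata are constructed for the demo.

```python
from typing import List, Optional

# 4-byte function selectors (first four bytes of keccak256 of the signature).
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

# Constructed allowlist: spenders the user has knowingly approved before.
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}

def _word(data: str, idx: int) -> str:
    """Return the idx-th 32-byte ABI word after the selector, as 64 hex chars."""
    start = 8 + idx * 64
    word = data[start:start + 64]
    if len(word) != 64:
        raise ValueError("calldata too short for ABI word %d" % idx)
    return word

def decode_approval(calldata: str) -> Optional[dict]:
    """Decode approve()/setApprovalForAll() calldata; None for any other function."""
    data = calldata.lower().removeprefix("0x")
    selector = data[:8]
    if selector == APPROVE:
        spender = "0x" + _word(data, 0)[24:]   # addresses are right-aligned in the word
        amount = int(_word(data, 1), 16)
        return {"kind": "erc20_approve", "spender": spender, "amount": amount}
    if selector == SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(data, 0)[24:]
        approved = int(_word(data, 1), 16) != 0
        return {"kind": "erc721_approval_for_all", "spender": operator, "approved": approved}
    return None

def assess_approval(calldata: str) -> List[str]:
    """Warnings a wallet should show before the user signs; empty list means no concern."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return []
    warnings = []
    if decoded["spender"] not in TRUSTED_SPENDERS:
        warnings.append("spender %s has never been approved before" % decoded["spender"])
    if decoded["kind"] == "erc20_approve" and decoded["amount"] == MAX_UINT256:
        warnings.append("unlimited ERC-20 allowance requested")
    if decoded["kind"] == "erc721_approval_for_all" and decoded["approved"]:
        warnings.append("operator would gain control of every token in the collection")
    return warnings

def build_approve(spender: str, amount: int) -> str:
    """Construct approve() calldata (used here only to make sample inputs)."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE + addr + format(amount, "064x")

if __name__ == "__main__":
    # Constructed: the kind of request a drainer site asks the victim to sign.
    sample = build_approve("0x2222222222222222222222222222222222222222", MAX_UINT256)
    for line in assess_approval(sample):
        print("WARNING:", line)
```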

Crypto phishing attacks up by 40% in one year: Kaspersky

Russian cybersecurity and anti-virus provider Kaspersky detected over 5 million crypto phishing attacks in the year, compared with just over 3.5 million in 2021.

When it comes to cryptocurrency-related cyberattacks, bad actors have seemingly reduced their use of traditional financial threats like desktop and mobile banking malware, shifting their focus to phishing.

Russian cybersecurity and anti-virus provider Kaspersky revealed that cryptocurrency phishing attacks witnessed a 40% year-on-year increase in 2022. The company detected 5,040,520 crypto phishing attacks in the year, compared with 3,596,437 in 2021.

A typical phishing attack involves reaching out to investors through fake websites and communication channels that mimic the official companies. Users are then prompted to share personal information such as private keys, which ultimately gives attackers unauthorized access to crypto wallets and assets.

While Kaspersky could not predict whether the trend would continue in 2023, phishing attacks have kept up their momentum this year. Most recently, in March, hardware cryptocurrency wallet provider Trezor issued a warning about attempts to steal users’ crypto by tricking investors into entering their recovery phrase on a fake Trezor site.

In a survey conducted by Kaspersky in 2022, one out of seven respondents admitted to being affected by cryptocurrency phishing. While phishing attacks predominantly involve giveaway scams or fake wallet phishing pages, attackers continue to evolve their strategies.

According to Kaspersky, “crypto still remains a symbol of getting rich quick with minimal effort,” which motivates scammers to keep innovating their techniques and stories to lure in unwary crypto investors.

Arbitrum investors were recently exposed to a phishing link via its official Discord server. A hacker reportedly compromised the Discord account of one of Arbitrum’s developers, which was then used to share a fake announcement with a phishing link.

Cointelegraph accessed the phishing link to find that it redirects users to a blank website with the text “Astaghfirullah,” which translates to “I seek forgiveness in God.” According to Wiktionary, the term can also be used to express disbelief or disapproval.

Arbitrum Discord hacker shares phishing announcement amid airdrop hype

The phishing message on Discord offered “the opportunity to re-claim an additional stake in Arbitrum DAO Governance” while citing issues during the initial token claim drive.

The crypto community’s warning against fake Arbitrum (ARB) airdrops materialized as hackers managed to drop a phishing link into Arbitrum’s official Discord server.

On March 25, blockchain-focused security firm CertiK revealed the possibility of a phishing link being circulated via the Arbitrum Discord server. It is suspected that a hacked Discord account of one of Arbitrum’s developers was used to share a fake announcement with a phishing link.

The phishing message on Discord offered “the opportunity to re-claim an additional stake in Arbitrum DAO Governance” while citing issues during the initial token claim drive. However, the supporting URL misspelled Arbitrum as “Arbtirum” — a deception technique used in a phishing attack.

Clicking on such a phishing link usually navigates the unsuspecting victims to a fake website prompting them to enter personal information, such as a wallet’s private key.
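The “Arbtirum” URL is a lookalike domain: one adjacent-letter swap away from the real name. As an added example, not code from CertiK, Arbitrum or Cointelegraph, the check below is the kind a link scanner or community Discord bot could run before a URL is posted. It extracts the second-level label of a URL’s host and compares it with a list of expected brand names using optimal string alignment distance, which counts a swap of two adjacent letters as a single edit. The brand list and sample URLs are constructed; the label extraction assumes ordinary two-level domains (it does not special-case suffixes like co.uk).

```python
from urllib.parse import urlsplit

# Constructed: brand names the community expects links for, as domain labels.
KNOWN_BRANDS = {"arbitrum", "trezor", "metamask", "ethdenver"}

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            # Adjacent transposition, e.g. "ti" <-> "it" in arbtirum/arbitrum.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def brand_label(url: str) -> str:
    """Second-level label of the URL's host, e.g. 'arbtirum' for https://app.arbtirum.io/claim."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()

def classify_link(url: str, max_edits: int = 2):
    """Return ('known', brand), ('lookalike', closest brand) or ('unrelated', None)."""
    label = brand_label(url)
    if label in KNOWN_BRANDS:
        return "known", label
    closest = min(KNOWN_BRANDS, key=lambda brand: osa_distance(label, brand))
    if osa_distance(label, closest) <= max_edits:
        return "lookalike", closest
    return "unrelated", None

if __name__ == "__main__":
    # Constructed sample links resembling the Discord announcement.
    for link in ("https://app.arbtirum.io/claim", "https://arbitrum.io", "https://example.org"):
        print(link, "->", classify_link(link))
```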

Phishing link shared on Arbitrum’s Discord server. Source: abtirum.io

However, further investigation from Cointelegraph shows that clicking on Arbitrum’s phishing link takes users to a blank website with the text “Astaghfirullah,” which translates to “I seek forgiveness in God.” In modern times, it can also be used as an expression of disbelief or disapproval, according to Wiktionary.

Until further clarification from Arbitrum, investors are advised against interacting with the announcement. As hackers try to cash in on the hype, investors must be hypervigilant about unrealistic claims and deceptions.

Arbitrum has not yet responded to Cointelegraph’s request for comment.

Meanwhile, two airdrop hunters managed to bag approximately $3.3 million worth of ARB.

As Cointelegraph reported, one wallet received $2 million in ARB, while another collected around $1.38 million worth of tokens.

Visa: Token bridges were a favored target for thieves in 2022

The fraudsters would usually exploit the smart contracts to allow for the approval of unauthorized transactions.

According to the global payment provider Visa, 2022 became a record-breaking year for cryptocurrency thefts, with over $3 billion stolen in on-chain exploits. Cryptocurrency bridge services were a favored target for threat actors.

Visa published the biannual threats report on March 20. The document contains data on all sorts of violations occurring globally in the digital payments system last year — from plastic card fraud schemes to malware. A separate section is dedicated to cryptocurrency and digital platforms.

Quick history of blockchain-based major thefts. Source: Investopedia

It pays particular attention to the vulnerability of token bridges. Commonly, fraudsters exploit a bridge service’s smart contracts to either forge new transactions or allow for the approval of unauthorized transactions. Funds stolen via token bridges totaled $2 billion from January through early October 2022.

The report also mentions a crypto-focused phishing campaign whose actors impersonated a crypto exchange in emails to harvest the victim’s account login data. Once the real exchange prompted the threat actor for two-factor authentication (2FA), they used the spoofed site to ask the victim for their 2FA code and relayed it to the real exchange to complete the login process.

In February, it was reported that, along with its competitor Mastercard, Visa would delay the launch of new partnerships with crypto firms due to high-profile bankruptcies in the industry. However, Cuy Sheffield, head of product at Visa, called the report inaccurate and reassured that Visa would “continue to partner with crypto companies to improve fiat on and off-ramps,” and “build new products that can facilitate stablecoin payments.”

On Feb. 20, the Bitcoin market cap flipped the market cap of Visa for the third time in history. By March 14, the gap between the two reached more than $20 billion in favor of BTC.

Binance launches anti-scam campaign after Hong Kong pilot run

The new campaign features a withdrawal warning message that attempts to prevent users from sending their crypto to scammers.

Binance, in cooperation with law enforcement agencies, is launching a campaign to prevent scams by issuing targeted alerts to potential victims, according to a March 3 blog post from the company. The project, called the “Joint Anti-Scam Campaign,” was rolled out first in Hong Kong, and the company now intends to expand it into other jurisdictions.

According to the company’s post, it collaborated with the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau to build an “alert and crime prevention message” targeted at Hong Kong residents. As part of the pilot project, when users tried to make withdrawals, they were shown warning messages that gave them information about common scams and tips on how to avoid them.

Over the course of four weeks, Binance investigated customers’ responses to the messages. It found that approximately 20.4% of users either decided not to make the withdrawal or investigated further to determine whether the transaction might be a scam.

The warning gave statistics on the number of scams that occurred in Hong Kong in 2001 and recommended resources such as Scameter, the Anti Deception Coordination Center, Cyber Defender and Binance Verify. It also instructed users that Binance will never call them directly.

Binance considers the pilot program to have been a success, and it plans to collaborate with police in other jurisdictions to make tailor-made warning messages for customers outside of Hong Kong.

Social engineering and phishing scams have been recurring problems for crypto users. In February, scammers allegedly created a fake version of the ETHDenver convention website, which they then used to trick users into giving away their crypto by calling a function on a malicious contract. Over $300,000 worth of crypto is believed to have been stolen through the scam. In another example, an influential nonfungible token promoter had over $300,000 worth of CryptoPunks removed from his wallet when he was apparently fooled into interacting with a phishing site.

Scam alert: Trezor warns users of new phishing attack

The new active phishing attack tries to steal Trezor users’ crypto by tricking investors into entering their recovery phrase on a fake Trezor site.

Hardware cryptocurrency wallet provider Trezor has warned its users about a new phishing attack targeting their crypto investments by trying to steal their private keys.

Trezor took to Twitter on Feb. 28 to caution users about an active phishing attack designed to steal investors’ money by making them enter the wallet’s recovery phrase on a fake Trezor website.

The phishing campaign involves attackers posing as Trezor and contacting victims via phone calls, texts or emails claiming that there has been a security breach or suspicious activity on their Trezor account.

“Trezor Suite has recently endured a security breach, assume all your assets are vulnerable,” the fake message reads, inviting users to follow a phishing link to “secure” their Trezor device.

“Please ignore these messages as they are not from Trezor,” Trezor declared on Twitter, emphasizing that the firm will never contact its customers via calls or SMS. The firm added that Trezor had not found any evidence of a database breach.

A fake SMS from scammers posing as Trezor. Source: Twitter

According to online reports, the latest phishing attack against Trezor customers was launched on Feb. 27, with users being directed to a domain asking them to enter their recovery seed. The domain hosts a convincing replica of the Trezor website that prompts users to start securing their wallets by clicking the “Start” button.

A screenshot from a phishing domain copying Trezor’s website. Source: Bleeping Computer

After clicking the “Start” button, users will be asked to provide the recovery phrase for their cryptocurrency wallet.

The wallet’s recovery phrase, or private keys, is the most important part of self-custody when keeping crypto on a noncustodial software or hardware wallet. Keeping the recovery phrase safe matters more than keeping the hardware wallet itself safe: once the private keys are stolen, the crypto holdings no longer belong to their original owner.

The news came shortly after metaverse firm The Sandbox suffered a data breach on Feb. 26, resulting in a phishing email sent to users.

The latest phishing attack against Trezor customers is not the first scam of such kind. Trezor wallets were also targeted with phishing attacks in April 2022, with attackers contacting Trezor users posing as the company, asking them to download a fake Trezor app.

Such attacks are not exclusive to Trezor, though. In 2020, rival hardware wallet firm Ledger suffered a massive data breach, with attackers publicly exposing the personal information of more than 270,000 Ledger customers.

MyAlgo users urged to withdraw as cause of $9.2M hack remains unknown

The Algorand wallet provider said it still hasn’t determined the cause of the attack, urging users to withdraw funds from wallets created with a seed phrase.

A wallet provider for the Algorand (ALGO) network, MyAlgo, has warned its users to withdraw funds from any wallets created with a seed phrase amid an ongoing exploit that has seen an estimated $9.2 million worth of funds stolen.

MyAlgo tweeted the advice on Feb. 27, adding it still doesn’t know the cause of the recent wallet hacks and encouraged “everyone to take precautionary measures to protect their assets.”

Earlier on Feb. 27, the team tweeted a warning of a “targeted attack […] carried out against a group of high-profile MyAlgo accounts” that has seemingly been conducted over the past week.

The self-titled “on-chain sleuth,” ZachXBT, outlined in a Feb. 27 tweet that it’s suspected the exploit has pilfered over $9.2 million and crypto exchange ChangeNOW was able to freeze around $1.5 million worth of funds.

Particularly susceptible to the exploit were users who had mnemonic wallets with the key stored in an internet browser, according to MyAlgo. A mnemonic wallet typically uses between 12 and 24 words to generate a private key.

John Wood, chief technology officer at the network’s governance body, the Algorand Foundation, took to Twitter on Feb. 27, saying around 25 accounts were affected by the exploit.

He added the exploit “is not the result of an underlying issue with the Algorand protocol” or its software development kit.

Algorand-focused developer collective D13.co released a report on Feb. 27 that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities.

The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks, or that MyAlgo’s website was compromised, leading to the “targeted exfiltration of unencrypted private keys.”

MyAlgo stated it would continue to work with authorities and would conduct a “thorough investigation to determine the root cause of the attack.”

Fake Ethereum Denver website linked to notorious phishing wallet

Hackers continue to create fake Web3-enabled websites to fleece unsuspecting victims’ browser-based wallets, with ETHDenver being the latest victim.

A fake website of the popular Ethereum Denver conference is the latest phishing target of a red-flagged smart contract that has stolen over $300,000 worth of Ether (ETH).

The popular conference saw its website duplicated by hackers this week in order to trick users into connecting their MetaMask wallets. According to Blockfence, which identified the fraudulent website, the smart contract has accessed more than 2,800 wallets and stolen over $300,000 over the past six months.

ETHDenver also issued a notice to its followers on Twitter warning of the malicious website.

Blockfence CEO Omri Lahav told Cointelegraph that users were prompted to connect their MetaMask wallets via the usual “connect wallet” button. The website prompts a transaction that, if approved, carries out the malicious function and steals the users’ funds.

Blockfence’s research team identified the incident while tracking different trends in the industry. Lahav said that the smart contract executing the scam had stolen over 177 ETH since its deployment midway through 2022:

“Since the smart contract was deployed almost six months ago, it’s possible that it was used on other phishing websites.”

Hackers had gone as far as paying for a Google advertisement to promote the malicious website’s URL, banking on search trends being high, with ETHDenver taking place on Feb. 24 and 25. The fake website appeared second on a Google search, above the actual ETHDenver website.

As Cointelegraph previously reported, hacks and scams continue to be commonplace in the cryptocurrency ecosystem. 2022 saw over $2.8 billion of cryptocurrency stolen through a variety of hacks and exploits.

MetaMask issues scam alert as Namecheap hacker sends unauthorized emails

Web hosting company Namecheap detected the misuse of one of its third-party services for sending some unauthorized emails, which directly targeted MetaMask users.

Popular crypto wallet provider MetaMask warned investors against ongoing phishing attempts by scammers attempting to contact users through Namecheap’s third-party upstream system for emails.

On the evening of Feb. 12, web hosting company Namecheap detected the misuse of one of its third-party services for sending some unauthorized emails — which directly targeted MetaMask users. Namecheap described the incident as an “email gateway issue.”

In the proactive alert, MetaMask reminded its million followers that it does not collect Know Your Customer (KYC) information and will never reach out over an email to discuss account details.

The phishing emails sent by the hacker contain a link that opens a fake MetaMask website requesting a secret recovery phrase “to keep your wallet secure.”

The wallet provider advised investors to refrain from sharing seed phrases, as it hands complete control of the user’s funds to the hacker.

Namecheap further confirmed that its services were not breached and that no customer data was leaked in this incident. Within two hours of the initial notification, Namecheap confirmed that its mail delivery was restored and that all communications would now come from the official source.

However, the main issue related to the mailing of unsolicited emails is still under investigation. Investors are advised to recheck website links, email addresses and points of contact when dealing with communications from MetaMask and Namecheap.

In response to Cointelegraph’s coverage on the subject, Namecheap confirmed it was able to stop the fraudulent emails and had contacted its upstream provider to resolve the issue from their end.

In January, a hacker used Google Ad services to steal nonfungible tokens (NFTs) and cryptocurrencies from investors.

NFT influencer NFT God lost “a life-changing amount” after accidentally downloading malicious software embedded in a Google advertisement.

The incident happened when the influencer used the Google search engine to download OBS, an open-source video streaming software. However, he clicked a sponsored advertisement link instead of the official one, which led to the loss of funds.