22nd May, 2023
An Incomplete Encyclopedia of Crypto Hacks And Scams
Andrew Hogue
Our mission with this document is to categorize and demystify the various types of cryptocurrency hacks and scams that currently occur in the Web3 space, empowering you with the knowledge you need to spot a threat and safeguard your assets. We firmly believe that with some basic education and a few proactive measures, you’ll have built a robust defense against these attacks and can sleep with ease.
We understand that the crypto space can feel overwhelming and intimidating, especially with the seemingly ever-present threat of scams. It’s important to note, though, that reliable security is fully within your control. A common misconception about the crypto space is that the majority of hacks are highly sophisticated, where, for example, bad actors gain remote access to one’s computer or break into an exchange and drain all the funds. The reality is that the most prevalent and successful form of scam is not only fully preventable, but also relies wholly on the victim’s cooperation: social engineering.
Nevertheless, it’s important to understand that the threat landscape is diverse, with various types of attacks beyond social engineering. These range from the highly technical, such as contract exploits, to the seemingly mundane, such as phishing attempts. Throughout this article, we provide an overview of these common threats, from phishing scams to protocol and product exploits, and even losses that stem simply from human error.
- PHISHING SCAM. A type of scam that tricks consumers into interacting with a malicious website posing as a legitimate one.
  - A fake website impersonating a prominent collection hosts a malicious contract.
  - An individual checks whether their wallet qualifies for a promotion and signs what they think is a harmless gasless transaction, which in fact grants access to all of their OpenSea-approved NFTs for $0.
  - An individual plans an NFT trade with someone, and the bad actor swaps in a link to a malicious website. Upon accepting the “trade”, the NFT is transferred out of the user’s wallet.
  - An individual plans a crypto or NFT trade with someone who, right out of the gate, suggests an unfamiliar website that turns out to be a scam.
  - A fake Twitter account impersonating a prominent figure posts a link to a scam project.
  - A user follows a reputable Twitter account’s recommendation to revoke token approvals for proper wallet hygiene, only to find that it was a fraudulent Twitter account and a scam website attempting to get them to sign away their assets.
  - An individual receives a DM from a friend who urgently needs money. They help out, and later find out that their friend’s Twitter was hacked and the money went to a stranger.
  - A hacked Twitter account posts a fake “mint” link. A user “mints” the project and is tricked into signing a transaction that sends money to a scammer’s address.
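The gasless-signature phishing described above works because the order the victim signs lists their NFTs as the offer and nothing of value as the consideration. The following is an added example, not code from the original article or from OpenSea: a Python pre-signing check over the EIP-712 message a wallet displays. The field names follow the public Seaport OrderComponents layout (offer and consideration items with an `itemType` of 0 = native ETH, 1 = ERC-20, 2 = ERC-721, 3 = ERC-1155); the two sample orders and every address are constructed placeholders.

```python
"""Pre-signing check for a Seaport-style gasless listing (EIP-712 message).

Added example, not code from the original article or from OpenSea. Field names
follow the public Seaport OrderComponents layout (offer/consideration items with
itemType 0=NATIVE, 1=ERC20, 2=ERC721, 3=ERC1155); the sample orders and every
address below are constructed placeholders.
"""

ITEM_NATIVE, ITEM_ERC20, ITEM_ERC721, ITEM_ERC1155 = 0, 1, 2, 3
NFT_TYPES = {ITEM_ERC721, ITEM_ERC1155}
FAR_FUTURE = 4_000_000_000          # unix time ~2096; a listing that never expires is suspect

SIGNER = "0x" + "11" * 20           # placeholder: the wallet being asked to sign
COLLECTION = "0x" + "22" * 20       # placeholder: NFT contract
FEE_RECIPIENT = "0x" + "33" * 20    # placeholder: marketplace fee address
ATTACKER = "0x" + "44" * 20         # placeholder: scammer-controlled address
NATIVE_TOKEN = "0x" + "00" * 20     # Seaport uses the zero address for ETH


def _item(item_type, token, identifier, amount, recipient=None):
    """Build one offer/consideration item in the Seaport shape."""
    item = {"itemType": item_type, "token": token, "identifierOrCriteria": identifier,
            "startAmount": amount, "endAmount": amount}
    if recipient is not None:
        item["recipient"] = recipient
    return item


def inspect_order(signer, message):
    """Return a list of red flags for the order the wallet is asking us to sign."""
    flags = []
    if message.get("offerer", "").lower() != signer.lower():
        flags.append("offerer is not the signing wallet")
    offer = message.get("offer", [])
    consideration = message.get("consideration", [])
    nfts_offered = [i for i in offer if int(i["itemType"]) in NFT_TYPES]
    if nfts_offered and not consideration:
        flags.append(f"{len(nfts_offered)} NFT(s) offered for nothing in return")
    # Sum only payment that actually comes back to the signer; fees to others don't count.
    value_to_signer = sum(
        int(i["startAmount"]) for i in consideration
        if int(i["itemType"]) in (ITEM_NATIVE, ITEM_ERC20)
        and i.get("recipient", "").lower() == signer.lower()
    )
    if nfts_offered and consideration and value_to_signer == 0:
        flags.append("NFT(s) offered but no payment flows back to the signer")
    if int(message.get("endTime", 0)) > FAR_FUTURE:
        flags.append("order never expires")
    return flags


# Constructed sample 1: a normal 1 ETH listing (0.975 ETH to the seller, 0.025 ETH fee).
LEGIT_LISTING = {
    "offerer": SIGNER,
    "offer": [_item(ITEM_ERC721, COLLECTION, 42, 1)],
    "consideration": [
        _item(ITEM_NATIVE, NATIVE_TOKEN, 0, 975_000_000_000_000_000, SIGNER),
        _item(ITEM_NATIVE, NATIVE_TOKEN, 0, 25_000_000_000_000_000, FEE_RECIPIENT),
    ],
    "endTime": 1_700_000_000 + 7 * 86_400,
}

# Constructed sample 2: the "$0 gasless listing" drainer pattern described above.
DRAINER_ORDER = {
    "offerer": SIGNER,
    "offer": [_item(ITEM_ERC721, COLLECTION, 42, 1), _item(ITEM_ERC721, COLLECTION, 43, 1)],
    "consideration": [_item(ITEM_NATIVE, NATIVE_TOKEN, 0, 0, ATTACKER)],
    "endTime": 10**10,
}

if __name__ == "__main__":
    for name, order in (("legit", LEGIT_LISTING), ("drainer", DRAINER_ORDER)):
        print(name, inspect_order(SIGNER, order) or "no red flags")
```

The check deliberately ignores the marketplace fee line and asks only whether any payment reaches the signer; a listing where every consideration item points elsewhere, or carries a zero amount, is the pattern the “$0” phishing sites rely on.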
- SOCIAL ENGINEERING. The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
  - An individual receives a DM from a fellow community member in the space. The community member builds trust over time, and eventually attempts to trick the individual into connecting their wallet to a malicious website or contract.
  - An individual develops a relationship with someone and is lulled into a false sense of safety when they meet in person and show their funds, only to have the funds drained from their wallet and the stranger disappear.
  - A prominent NFT artist is contacted by someone who wishes to commission work from them. They are asked to download reference images, which include a “.exe” file that gives remote access to the artist’s computer.
  - A collaborator uses a prominent individual’s name and reputation to legitimize a project, and disappears with the funds.
  - A project founder is contacted by a writer offering to cover their project. The writer invites the founder to their Discord, which includes a scam Discord verification bot.
- RUG PULL. A type of scam in which a fraudulent team poses as a legitimate one to attract funding and then runs off with the money.
  - SLOW RUG. After receiving initial funding, the team gradually fades away over time. They often use social engineering to maintain the appearance of completing the work they promised, without any intention of, or follow-through on, actually investing their time and energy in the success of the project. Perhaps their social media presence falls off, only to return from time to time with an “update” that lacks substance. This may have been the team’s intention from the beginning, or it may be the result of the team’s negligence or misuse of funds.
  - Because the barrier to entry for launching a coin or NFT collection is so low, a venture may also turn into a “slow rug” through the sheer negligence or incompetence of founders who have no idea how to run an actual business, or because they paid themselves egregious salaries.
  - HARD RUG. After receiving initial funding, the team quickly runs off with as much money as they can. This may include deleting all socials, removing all liquidity from the token, limiting sell orders of the token, or dumping all of their tokens on the market and ceasing further operation of the project.
- PRIVATE KEYS COMPROMISED. When the private keys associated with a cryptocurrency wallet are compromised, typically through a personal security breach caused by a hack or a social engineering scam.
  - A bad actor feigns an issue with a trade and tricks an individual into sharing their screen. There, they walk the individual through MetaMask functions and trick them into changing the UI language, making it easier for the bad actor to get the user to mistakenly reveal their seed phrase.
  - An individual keeps their private keys on Google Drive. A bad actor gains access to the account, finds the private keys, and gains full control of their wallet.
  - A complex social engineering scam causes an individual to let their guard down, and they are convinced to share their MetaMask QR code (despite its warning), giving full access to their wallet.
- SIM SWAP. A type of scam in which an attacker obtains a victim’s SIM card information and uses it to take control of the victim’s phone number, allowing the attacker to access accounts that use phone-based authentication.
  - A bad actor uses a SIM swap to gain access to the 2FA-protected marketplace account where a user holds their funds, and sends those funds to themselves.
  - A project founder’s Twitter is hacked via a SIM swap, and the bad actor tweets a phishing link to the community.
- PROTOCOL EXPLOIT. A vulnerability in the code of a blockchain protocol that a hacker takes advantage of.
  - A bad actor executes a “flash loan” attack, manipulating the price of an asset to create their own “arbitrage” opportunity.
  - A bad actor discovers a vulnerability that allows them to call token contracts directly on behalf of any wallet that granted infinite approvals.
  - A reentrancy vulnerability is discovered that allows the attacker to drain funds from the vulnerable contract before it can complete its execution.
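The infinite-approval case above, and the wallet-hygiene advice in the phishing section about revoking approvals, both come down to one question: if a contract you once approved is compromised or was malicious from the start, how much can it move right now? The following is an added example, not code from the original article: a Python review that ranks a wallet’s outstanding approvals by that exposure. The approvals, balances and addresses are constructed placeholders; in practice they would come from an allowance-scanning tool or from on-chain Approval / ApprovalForAll events.

```python
"""Rank outstanding token approvals by what a compromised or malicious spender
could move today.

Added example, not code from the original article. The approvals, balances and
addresses below are constructed placeholders; in practice they would come from
an allowance-scanning tool or from on-chain Approval / ApprovalForAll events.
"""
from dataclasses import dataclass, field

UNLIMITED = 2**256 - 1              # the "infinite approval" value many dapps request

# Placeholder addresses (constructed).
USDC_LIKE = "0x" + "aa" * 20        # an ERC-20 token
APE_LIKE = "0x" + "bb" * 20         # an NFT collection
ROUTER = "0x" + "cc" * 20           # a DEX router you actually use
MARKET = "0x" + "dd" * 20           # a marketplace operator you actually use
UNKNOWN_DAPP = "0x" + "ee" * 20     # a contract approved once and forgotten
OLD_MARKET = "0x" + "ff" * 20       # a deprecated marketplace contract


@dataclass
class Approval:
    token: str        # token or NFT contract
    spender: str      # contract allowed to move the tokens
    allowance: int    # ERC-20 base units; UNLIMITED also stands for setApprovalForAll(true)
    kind: str         # "erc20" or "nft"


@dataclass
class Holdings:
    erc20_balances: dict = field(default_factory=dict)   # token -> base units held
    nft_counts: dict = field(default_factory=dict)       # collection -> tokens held


def exposure(a: Approval, h: Holdings) -> int:
    """What the spender can transfer right now: min(allowance, balance) for an
    ERC-20, every held token of the collection for an NFT operator approval."""
    if a.kind == "erc20":
        return min(a.allowance, h.erc20_balances.get(a.token, 0))
    return h.nft_counts.get(a.token, 0) if a.allowance == UNLIMITED else 0


def review_approvals(approvals, holdings, known_spenders, planned_spend):
    """Return (approval, exposure, reasons) for each approval worth revoking,
    largest exposure first. planned_spend maps token -> base units you really
    intend to let a spender use."""
    allowlist = {s.lower() for s in known_spenders}
    findings = []
    for a in approvals:
        reasons = []
        if a.spender.lower() not in allowlist:
            reasons.append("spender not on your allowlist")
        if a.allowance == UNLIMITED:
            reasons.append("unlimited approval")
        elif a.kind == "erc20" and a.allowance > planned_spend.get(a.token, 0):
            reasons.append("allowance exceeds planned spend")
        if reasons:
            exp = exposure(a, holdings)
            if exp == 0:
                reasons.append("nothing at risk today, but it becomes live on your next deposit")
            findings.append((a, exp, reasons))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


# Constructed sample wallet state.
SAMPLE_APPROVALS = [
    Approval(USDC_LIKE, ROUTER, UNLIMITED, "erc20"),
    Approval(USDC_LIKE, UNKNOWN_DAPP, 500 * 10**6, "erc20"),
    Approval(APE_LIKE, MARKET, UNLIMITED, "nft"),
    Approval(APE_LIKE, OLD_MARKET, UNLIMITED, "nft"),
]
SAMPLE_HOLDINGS = Holdings(erc20_balances={USDC_LIKE: 2_000 * 10**6}, nft_counts={APE_LIKE: 3})
KNOWN_SPENDERS = {ROUTER, MARKET}
PLANNED_SPEND = {USDC_LIKE: 100 * 10**6}   # you only ever swap ~100 USDC at a time


def sample_review():
    return review_approvals(SAMPLE_APPROVALS, SAMPLE_HOLDINGS, KNOWN_SPENDERS, PLANNED_SPEND)


if __name__ == "__main__":
    for a, exp, reasons in sample_review():
        print(f"{a.kind:5} {a.token[:8]}.. -> {a.spender[:8]}..  exposure={exp}  {'; '.join(reasons)}")
```

Note that an unlimited approval to a spender you trust still lands at the top of the list: the ranking is by what could be taken, not by how likely the spender is to go bad, because a protocol exploit of the kind described above turns a trusted spender into a hostile one overnight.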
- CONTRACT EXPLOIT. A vulnerability in the code of a smart contract that a hacker can exploit to gain unauthorized access to a user’s funds or to manipulate the contract in a way that benefits them.
  - A user receives an unknown NFT in their wallet with a standing WETH offer on it. The individual accepts the offer; however, the NFT comes from a malicious contract, and accepting requires a signature that gives the contract permission to drain their wallet.
- DOWNLOADING A MALICIOUS FILE. Installing a file that contains harmful software or malware onto a computer or device. Once installed, a bad actor may steal personal information or gain unauthorized access to the system.
  - There are countless ways in which a malicious file may provide access to one’s computer, including a keylogger that captures passwords, access to a document where one may have written down their private keys, or even remote access to the individual’s computer.
- ADDRESS POISONING. A scam in which a bad actor attempts to trick their victim into sending funds to the wrong wallet address.
  - The best-known example is a scammer sending a transaction to their victim from a wallet address that matches the first and last characters of the victim’s own wallet address. The goal is to trick the victim into copy-pasting the fraudulent wallet address from their transaction history and sending funds to the wrong address.
  - Although not usually called “address poisoning”, another example of this kind of wallet misdirection is a bad actor minting a scam project to a prominent user’s wallet address, making it appear as though that user is minting the NFT collection or buying the token. If the prominent user has a community’s trust, the community may FOMO into the new collection or token without realizing this was done without the user’s permission.
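The copy-paste trick above works because wallets and explorers abbreviate addresses to their first and last few hex digits, so a poisoned address is indistinguishable at a glance. The following is an added example, not code from the original article: a Python destination check that compares a pasted address against a saved address book on the full string, flags addresses that agree with a saved entry only at the ends, and flags addresses whose first appearance in the wallet’s history was a zero-value incoming transfer. The address book, transaction history and all addresses are constructed placeholders.

```python
"""Flag address-poisoning look-alikes before funds are sent.

Added example, not code from the original article. The address book,
transaction history and all addresses are constructed placeholders.
"""
from dataclasses import dataclass

HEX = set("0123456789abcdef")


@dataclass
class Transfer:
    counterparty: str   # the other party in the transfer
    incoming: bool      # True if it arrived in our wallet
    value_wei: int


def norm(addr: str) -> str:
    return addr.strip().lower()


def is_address(addr: str) -> bool:
    a = norm(addr)
    return len(a) == 42 and a.startswith("0x") and set(a[2:]) <= HEX


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two different addresses agree on the leading and trailing hex
    digits that wallets and explorers show in their shortened '0xabcd...ef01' form."""
    a, b = norm(a), norm(b)
    return a != b and a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def check_destination(dest, address_book, history):
    """Return warnings for a destination address; [] means it is a saved, known address."""
    if not is_address(dest):
        return ["not a valid 20-byte hex address"]
    d = norm(dest)
    saved = {norm(a): name for a, name in address_book.items()}
    if d in saved:
        return []
    warnings = ["destination is not in your address book"]
    for a, name in saved.items():
        if looks_alike(d, a):
            warnings.append(f"matches saved address '{name}' only at the ends ({a[:6]}...{a[-4:]}); the middle differs")
    if any(norm(t.counterparty) == d and t.incoming and t.value_wei == 0 for t in history):
        warnings.append("address first appeared as a zero-value incoming transfer, the classic poisoning pattern")
    return warnings


# Constructed sample data: a real exchange deposit address and a look-alike that
# shares its first four and last four hex digits.
REAL_DEPOSIT = "0xabcd" + "1" * 32 + "ef01"
POISONED = "0xabcd" + "2" * 32 + "ef01"
ADDRESS_BOOK = {REAL_DEPOSIT: "exchange deposit"}
HISTORY = [
    Transfer(REAL_DEPOSIT, incoming=False, value_wei=10**18),   # my earlier withdrawal
    Transfer(POISONED, incoming=True, value_wei=0),             # the poisoning dust
]

if __name__ == "__main__":
    for dest in (REAL_DEPOSIT, POISONED):
        print(dest[:10] + "...", check_destination(dest, ADDRESS_BOOK, HISTORY) or "OK")
```

The practical habit this encodes is to copy destination addresses from a saved address book (or a previous outgoing transfer you initiated), never from an incoming transaction in the history view.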
- PRODUCT EXPLOIT. A type of cyber attack in which a hacker identifies and exploits a vulnerability or weakness in a software product or service to gain unauthorized access to data or systems.
  - A bad actor finds an exploit in a UI that lets them trick a user into trading for a fake NFT.
  - A scammer uses Discord Nitro to spoof their Discord ID so that they appear to be the project founder. From there, they target individuals with a phishing scam.
  - An oversight in a product’s UI that is taken advantage of on the back end. For example, an OpenSea user transfers an NFT back into an old wallet and finds it suddenly sniped for far less than it is currently worth. This happened because an old listing for that NFT became active again as soon as the NFT returned to the wallet. While OpenSea’s UI indicated that there was no listing, users who understood how to read the back end wrote bots to snipe underpriced NFTs from those legitimate, old listings.
- WIFI HACK. A type of cyber attack that involves exploiting vulnerabilities in a WiFi network to gain unauthorized access to devices connected to the network, or to intercept and manipulate network traffic.
  - An individual connects their phone to public WiFi, and an attacker gains access to their wallet by discovering a seed phrase saved in that individual’s Notes app or email.
- REMOTE ACCESS. A rare and highly sophisticated attack in which a hacker gains control over an individual’s computer from a remote location, often under the guise of providing technical assistance or performing a specific task.
  - A person receives an email with a seemingly harmless attachment. Once downloaded, a remote access tool is installed on their computer, giving the attacker full control.
  - After gaining access, a bad actor modifies a wallet extension on the user’s computer to trick them into signing a malicious transaction while using their hardware wallet.
  - A fake tech support agent convinces an individual that their computer has been compromised, then tricks them into installing remote access software under the pretense of resolving the issue. The attacker then uses this access to drain funds from connected wallets.
- EXCHANGE COLLAPSE. The bankruptcy of an exchange, resulting in millions of customers losing the funds they held on that exchange.
  - Mt. Gox, at one time the world’s largest cryptocurrency exchange, was compromised by hackers and lost over 850,000 Bitcoin, including all of its users’ funds.
  - FTX, the world’s third-largest cryptocurrency exchange, suffered a multi-billion-dollar collapse, resulting in a bankruptcy filing due to a “complete failure of corporate control” and the misuse of customer funds for its failing trading business. FTX additionally lost over $400 million to a hack.
- HUMAN ERROR. Mistakes made by individuals that unintentionally expose their digital assets to threats, often stemming from a lack of understanding, carelessness, or both.
  - While the following are not scams or hacks, they are worth noting, as they are an easy way that many have lost funds. Many bad actors have written bots to take advantage of the moments when users make these errors. These errors include, but are not limited to:
    - “Fat fingering” an NFT sale. A user may intend to list their Bored Ape Yacht Club NFT at 90 ETH, but mistakenly list it for 9 ETH.
    - An individual sends their funds to the wrong wallet address.
    - An individual mistypes an ETH offer on an NFT, and someone accepts it.
    - A user accepts a bid on an NFT for 123 DAI, thinking that it is 123 ETH.
    - An individual loses track of their private keys, or deletes a digital wallet without a backup of their private keys.
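The fat-finger and DAI-versus-ETH mistakes above, and the re-activated old listing from the product exploit section, are all caught by the same two habits: convert every price to ETH and compare it to the floor before signing, and sweep for signed listings that are still valid on-chain before moving an NFT back into a wallet that once listed it. The following is an added example, not code from the original article or from any marketplace, showing both checks in Python; the floor price, ETH/USD rate and sample orders are constructed.

```python
"""Two pre-signing checks against the human-error losses above: a price sanity
check for a listing or bid, and a sweep for old listings that are still valid
on-chain before an NFT is moved back into a wallet that once listed it.

Added example, not code from the original article or from any marketplace.
Floor price, ETH/USD rate and the sample orders are constructed.
"""
from dataclasses import dataclass

ETH_LIKE = {"ETH", "WETH"}
STABLES = {"DAI", "USDC", "USDT"}


def to_eth(amount: float, currency: str, eth_usd: float) -> float:
    """Express an amount in ETH so that 123 DAI and 123 ETH are never confused."""
    if currency in ETH_LIKE:
        return float(amount)
    if currency in STABLES:
        return float(amount) / eth_usd
    raise ValueError(f"unknown currency {currency}")


def review_price(action, amount, currency, floor_eth, eth_usd, tolerance=0.5):
    """action is 'list' (selling) or 'accept_bid'. Returns warnings; [] means the
    price is at least `tolerance` of the floor and denominated in ETH/WETH."""
    value = to_eth(amount, currency, eth_usd)
    warnings = []
    if currency not in ETH_LIKE:
        warnings.append(f"{amount} {currency} is only {value:.4f} ETH, not {amount} ETH")
    if value < floor_eth * tolerance:
        pct = 100 * (1 - value / floor_eth)
        warnings.append(f"{action} at {value:.4f} ETH is {pct:.0f}% below the {floor_eth} ETH floor")
    return warnings


@dataclass
class Listing:
    token_id: int
    price: float
    currency: str
    end_time: int                     # unix time the signed order expires
    cancelled_onchain: bool = False   # only an on-chain cancel invalidates a signed order


def live_listings(listings, now):
    """Signed orders a counterparty (or a bot) could still fill, whether or not a UI shows them."""
    return [l for l in listings if not l.cancelled_onchain and l.end_time > now]


def underpriced_live_listings(listings, now, floor_eth, eth_usd, tolerance=0.5):
    return [l for l in live_listings(listings, now)
            if to_eth(l.price, l.currency, eth_usd) < floor_eth * tolerance]


# Constructed sample: floor is 90 ETH, ETH trades at $1,800, and the wallet signed
# three listings for its tokens in the past.
FLOOR_ETH, ETH_USD, NOW = 90.0, 1800.0, 1_700_000_000
OLD_LISTINGS = [
    Listing(1234, 30.0, "ETH", NOW + 10 * 365 * 86_400),               # still valid, far below floor
    Listing(1234, 95.0, "ETH", NOW - 86_400),                          # expired yesterday
    Listing(5678, 40.0, "WETH", NOW + 3600, cancelled_onchain=True),   # properly cancelled
]

if __name__ == "__main__":
    print(review_price("list", 9, "ETH", FLOOR_ETH, ETH_USD))
    print(review_price("accept_bid", 123, "DAI", FLOOR_ETH, ETH_USD))
    print([l.token_id for l in underpriced_live_listings(OLD_LISTINGS, NOW, FLOOR_ETH, ETH_USD)])
```

The `cancelled_onchain` flag is the important detail for the stale-listing case: removing a listing from a marketplace UI does not by itself invalidate the signed order, so a sweep has to treat any uncancelled, unexpired listing as fillable and cancel it on-chain (or let it expire) before the NFT is moved back into that wallet.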
Stay tuned for our next article where we have created a “checklist” of questions you can ask yourself to see if you’re potentially in the midst of a social engineering attack. And remember, being informed is only the first step. Vigilance and proactive measures are key to protecting your assets in the crypto space. Don’t forget to read our Self Custody 101 article on best practices when utilizing self custody.
We are going to keep this conversation going, so please reach out to us via Twitter or Telegram if there’s anything we’ve missed. Or, just to say hi. We want to hear from you!