Fairside Logo
Fairside Logo
Fairside Logo
블로그
블로그/An Incomplete Encyclopedia of Crypto Hacks And Scams

22nd May, 2023

An Incomplete Encyclopedia of Crypto Hacks And Scams

Andrew Hogue

Andrew Hogue

blog.detail.headlines.title

blog.detail.headlines.share

Twitter (X)Linkedin
blog thumbnail

Our mission with this document is to categorize and demystify the various types of cryptocurrency hacks and scams that currently occur in the Web3 space, empowering you with the knowledge you need to spot a threat and safeguard your assets. We firmly believe that with some basic education and a few proactive measures, you’ll have built a robust defense against these attacks and can sleep with ease.

We understand that the crypto space can feel overwhelming and intimidating, especially with the seemingly ever-present threat of scams. It’s important to note, though, reliable security is fully within your control. A common misconception around the crypto space is that the majority of hacks are highly sophisticated, where, for example, bad actors gain remote access to one’s computer or break into an exchange and drain all the funds. The reality is that the most prevalent and successful form of scam is not only fully preventable, but also wholly relies on the victim’s cooperation: social engineering.

Nevertheless, it’s important to understand that the threat landscape is diverse, with various types of attacks aside from social engineering. These range from the highly technical, such as contract exploits, to the seemingly mundane, such as phishing attempts. Throughout this article, we will provide a comprehensive overview of these common threats, ranging from phishing scams to protocol and product exploits, and even some mistakes simply from human error.

  • PHISHING SCAM. a type of scam that tricks consumers into interacting with a malicious website, feigning as a legitimate one.
    • A fake website impersonating a prominent collection has a malicious contract.
    • An individual checks to see if their wallet qualifies for a promotion, and signs what they thought was an innocent gasless transaction, but actually is a transaction that grants access to all of their Opensea approved NFTs for $0.
    • An individual plans to do an NFT trade with someone and the bad actor swaps links to a malicious website. Upon accepting the “trade”, the NFT transfers out of the user’s wallet.
    • An individual plans to do a crypto or NFT trade with someone and out the gate, they suggest an unfamiliar website that ends up being a scam.
    • A fake twitter account impersonating a prominent figure posts a scam to a fake project
    • A user follows a reputable twitter accounts recommendation to revoke token approvals for proper wallet hygiene, only to find that it was a fraudulent twitter account and a scam website attempting to sign away their assets.
    • An individual receives a DM from a friend who urgently needs money. They help them out, and later find out that their friend’s twitter was hacked and they sent it to a stranger.
    • A hacked twitter account posts a fake “mint” link. A user “mints” the project, and is tricked into signing a transaction that sends money to a scammer’s address.
  • SOCIAL ENGINEERING. the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
  • RUG PULL. a type of scam where a fraudulent team feigns as a legitimate one to attract funding and runs off with the money
    • SLOW RUG. After receiving initial funding, slowly, over time, the team will gradually fade away. They often utilize social engineering to maintain the appearance of completing the work that they promised, without the intention or follow-through of actually investing their time and energy into the success of the project. Perhaps their social media presence falls off, only to return from time to time to provide an “update” that lacks substance. This may have always been the team’s intention from the beginning, or may be the result of the team’s negligence or misuse of funds.
    • Due to the very low barrier of entry for launching a coin or NFT collection, the venture may also turn into a “slow rug” because of the complete negligence/incompetence of its founders that lack any awareness of running an actual business, or due to the fact that they paid themselves egregious salaries.
  • HARD RUG. After receiving initial funding, the team quickly runs off with as much money as they can. This may include deleting all socials, removing all liquidity from the token, limiting sell orders of the token, or dumping all of their tokens on the market and ceasing further operation on the project.
  • PRIVATE KEYS COMPROMISED. when private keys associated with a cryptocurrency wallet are compromised, typically due to a personal security breach through a hack or social engineering scam.
  • SIM SWAP. a type of scam in which an attacker obtains a victim’s SIM card information and uses it to take control of the victim’s phone number, allowing the attacker to access accounts that use phone-based authentication.
  • PROTOCOL EXPLOIT. a vulnerability that a hacker takes advantage of in the code of a blockchain protocol.
  • CONTRACT EXPLOIT. a vulnerability in the code of a smart contract that can be exploited by a hacker to gain unauthorized access to a user’s funds or manipulate the contract in a way that benefits them.
  • DOWNLOADING A MALICIOUS FILE. installing a file that contains harmful software or malware onto a computer or device. once installed, a bad actor may steal personal information, or gain unauthorized access to the system.
    • There are countless ways in which a malicious file may provide access to one’s computer, but it could include a keylogger for passwords, access to a document where one may have written their private keys, or even remote access to an individual’s computer.
  • ADDRESS POISONING. a scam where a bad actor attempts to trick their victim into sending funds to the wrong wallet address.
    • This most well defined example of this occurring is when a scammer sends a transaction to their victim from a wallet address that matches the first and last characters of their victim’s wallet address. They may do this in an effort to trick their victim into copy-pasting the fraudulent wallet address, and then sending funds to the incorrect address.
    • Not colloquially defined as “address poisoning”, another example of this type of wallet misdirection may be a bad actor minting a scam project to a prominent users’ wallet address, making it seem as though this prominent user is minting their NFT collection or purchasing their token. If this prominent user has a community’s trust, the community may FOMO into this new collection or token without realizing this was a trick done without the users’ permission.
  • PRODUCT EXPLOIT. a type of cyber attack where a hacker identifies and exploits a vulnerability or weakness in a software product or service to gain unauthorized access to data or systems.
    • A bad actor sees an exploit available in a UI that allows them to trick a user into trading for a fake NFT.
    • A scammer utilizes Discord Nitro to spoof their Discord ID to make it seem like they are the project founder. From there, they target individuals to do a phishing scam.
    • An oversight in a product’s UI that is taken advantage of on the back-end. For example, when an Opensea consumer would transfer an NFT back into an old wallet and finds it suddenly sniped for far lower than it’s currently worth. This occurred because there was an old listing for that NFT that suddenly becomes re-active when the NFT hits the wallet. While Opensea’s UI indicated that there was no listing, users who understood how to read the back-end wrote bots to snipe those underpriced NFTs from legitimate, old listings.
  • WIFI HACK. A WiFi hack is a type of cyber attack that involves exploiting vulnerabilities in a WiFi network to gain unauthorized access to devices connected to the network or to intercept and manipulate network traffic.
    • An individual connects their cell-phone to public wifi, and a user gains access to their wallet by discovering a seed phrase saved in that individual’s Notes app or email.
  • REMOTE ACCESS. a rare and highly sophisticated attack where a hacker gains control over an individual’s computer from a remote location, often under the guise of providing technical assistance or performing a specific task.
    • A person receives an email with a seemingly harmless attachment. Once downloaded, a remote access tool is installed on their computer, giving the attacker full control.
    • After gaining access, a bad actor modifies a wallet extension on the user’s computer to trick that individual into signing a malicious transaction while using their hardware wallet.
    • A fake tech support agent convinces an individual that their computer has been compromised, then tricks them into installing remote access software under the pretense of resolving the issue. The attacker then uses this access to drain funds from connected wallets.
  • EXCHANGE COLLAPSE. the bankruptcy of an exchange, resulting in millions of customers losing the funds they held on that exchange.
  • HUMAN ERROR. mistakes made by individuals that unintentionally expose their digital assets to threats; often stemming from lack of understanding, carelessness, or both.
    • While the following is not a scam or hack, it is worth noting as it is an easy way that many have lost funds. Many bad actors have written bots to take advantage of moments when users make these errors. These errors can include, but are not limited to:
      • “Fat fingering” an NFT sale. A user may intend to list their Bored Ape Yacht Club NFT at 90 ETH, but mistakenly list it for 9 ETH.
      • An individual sends their funds to the wrong wallet address
      • An individual mistypes an NFT ETH offer, and someone accepts it
      • A user accepts a bid on an NFT for 123 DAI, thinking that it is 123 ETH.
      • An individual loses place of their private keys, or deletes a digital wallet without a backup of their private keys.

Stay tuned for our next article where we have created a “checklist” of questions you can ask yourself to see if you’re potentially in the midst of a social engineering attack. And remember, being informed is only the first step. Vigilance and proactive measures are key to protecting your assets in the crypto space. Don’t forget to read our Self Custody 101 article on best practices when utilizing self custody.

We are going to keep this conversation going, so please reach out to us via Twitter or Telegram if there’s anything we’ve missed. Or, just to say hi. We want to hear from you!