12 common attack vectors that you probably didn't know (first part)

12 common attack vectors that you probably didn't know (first part)

Once a victim sends any crypto assets to a “giveaway” address, they are gone forever! Due to the finality of cryptocurrency transactions, there is no way to reverse a transaction unless the recipient decides to return the funds, which is extremely unlikely. Some of the commonly used scams in the crypto world are listed below, but the list is by no means complete. Let’s dive in alongside the most common crypto scams out there:

1. Fake YouTube videos

With botted views showing known trusted people like Vitalik Buterin, Elon Musk, Bill Gates or other famous philanthropic or crypto person.

This scam relies upon those prerequisites:

  • Hacked Youtube account with more than 1K subs that is eligible for live streaming.
  • The hacked Youtube account (ATO) is renamed to SpaceX foundation, Tesla, Elon Musk, Gill Gates Foundation, Balancer exchange and so on and pushes a live stream showing recording of some real conference to add “credibility” (see above Vitalik) and a fake site gets added to the description.(above in red)
  • Then bots are used to generate views and this fools YouTube’s algorithms to display videos as “related” to users who are interested in crypto currencies.
  • They also build a fake site with the same “promotion” tied to it.

The fake sites always promises to send 1 and get 2 back, in various ways. Anything sent gets lost forever.

Scammers will also use wallets to make the scam seem more realistic.

If you see a live video promoting an airdrop proceed with caution!

Here is a neat collection of scam wallets for your viewing pleasure.

2. Bitcoin Revolution scams

Those are linked to semi legitimate businesses and often push referrals.

It is usually fake news article and fake video of a famous rich millionaire like Sir Richard Branson or Elon Musk and some lies about them starting the bitcoin revolution. There is often a sense of urgency asking users to sign up for the last slots. Some of them are geo-localized and if you open the site from Portugal will display a portugese TV host or celebrity promoting the scam, as if they were a successfull investor, if page gets accessed form let's say a Dutch IP, you will my see a Dutch famous person promoting the scam and so on.

If you sign up for those they will siphon as much money as they can, luring you that you are now bitcoin rich. but if you try to withdraw, you realize this has been a scam all alon3. Fake exchanges and investment platforms

3. Fake exchanges and investment platforms

They sound too good to be true. Unsolicited DM spam about fake exchange advance fee scam (you won fake money, but need to deposit real money as "verification"). The ask to register on the dummy site with throwaway email and enter the fake code. The company registration number phone and everything is usually fake. They can have real deal phones as well with fake employees, luring investors.

We recommend you to turn off direct messages to disable the ability of criminals to spam you with scams.

Notice the similarity between an exchange with a fake one

Again only the logo and name gets changed

4. Twitter verified scams (fake giveaways)

Often stolen profiles get renamed to Elon Musk and start to offer “giveaways”.

They also use Reply Spam under legitimate Elon Tweets!

Fake airdrop

Scammers put videos in the replies, that appear to be as if “verified” Elon Musk typed them.

Typical twitter scam:

More twitter scams:

5. Discord DM unsolicited Spam

Good rule of a thumb is Staff will never DM you with an airdrop, nor will Elon Musk, Bill Gates, Coinbase, Kraken, Binance nor will the latest hot token.

All unsolicited DMs are scams!

6. Fake ICOs

NotanImaginaryDude lost $140K worth of $UNI overnight. Lets say NotanImaginaryDude sees a fancy new “farming” scheme called “UniCats”, and decides to invest some money in it. Who knows, it might be the “next YFI” (first big mistake)

Then NotanImaginaryDude decides to deposit some $UNI, and gets the trivial message “Allow this Dapp to spend your UNI” message from Metamask wallet extension.

Naturally they think “Oh sure, this again. As with all the farming Dapps do that, no worries

⚠ And approves the transaction! (second big miskate)

NotanImaginaryDude farms some $MEOW, and happily decides ”Done with this $MEOW game. I’ll pull out all my UNI and capitalize gainz now“

What NotanImaginaryDude doesn’t know though, is that once they approved the contract to use ∞ tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme!

Bottom line - be careful which site you allow your metamask to interact with.

Dodgy contract that allows holder to leave investors with worthless token and drain their ETH.

This type of scam is called approval scam and is relatively newer. To check granted permissions one you can one of those tools to revoke any redundant contracts’s permissions that might have been granted previously.

Some threat actors also use approve infinite amount, instead of limited.

Anybody can create a rug pull token or copycat token or a bogus token with hidden functions. This is the double edged sword of true decentralization.

If those 4000% seemed to good to be true, it is probably because it is a fake token with artificial volumes, designed to lure naïve “investors”.

How often do you visit these sites? How you ever been attacked by scammers?
If you want to read the second part and know more about anti-phishing, subscribe to our RSS Feed.

Ensure your brand security and protect your business from attacks, starting today

Our advanced technology detects and takes down phishing websites, mobile app clones, and fake social media content.