- scam
We explain how scammers steal cryptowallets through phishing.
Roman Dedenok
Scammers will stop at nothing when it comes to stealing cryptocurrency. Some try to sell scarce mining equipment, others lure victims with gifts from cryptoexchanges or Elon Musk himself, or even post screenshots on public platforms with passwords for cryptowallets and collect “fees” from cryptoinvestors enticed by the prospect of a free lunch. Today we tell you about a new giveaway scam and underscore once again why the seed phrase for your cryptowallet must be guarded with your life.
Free money
As is often the case, it all starts with an e-mail. The brains behind this scheme chose as bait an offer to take part in a juicy giveaway of cryptocurrency: Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Tron (TRX) or Ripple (XRP). A total of $800 million no less was at stake! The overly generous scammers were kind enough to provide a simple three-point guide for those wanting to get their free cryptocurrency, plus a link to the “promotion” website.
Let’s take a look at the e-mail. It is signed by the support team of a certain Crypto Community: an association of cryptoenthusiasts, one might think. However, the domain in the sender’s e-mail address has nothing to do with any kind of crypto at all. That does not inspire confidence. The message text is slapdash, and full of errors and typos. The scammers are likely counting on the victim being so taken aback by the nine-figure sum that everything else will slip under the radar.
Phishing e-mail inviting the recipient to take part in a cryptocurrency giveaway
Clicking the link takes the user to a phishing site. Its domain bears no relation to the sender’s address, and in the minimalist design there is no mention at all of any Crypto Community.
At this point, the victim is asked to specify the wallet they want the funds transferred to. The criminals covered all the most common wallets: Blockchain.com, Trust Wallet, MetaMask, Coinbase, Binance, Crypto.com, and Exodus. But users of more exotic wallets have not been forgotten: for them, an Other Wallets button has been provided. User-friendly, isn’t it?
The victim is invited to choose a cryptowallet for the promised transfer of tokens
Now for the most interesting part: to get the coveted tokens, the user must enter a secret series of words, aka – a seed phrase. As soon as they fill in the fields and click the Next button, a notification appears on the screen that everything was successful and the cryptocurrency will be in the lucky winner’s account within 24 hours.
Interestingly, the website has no checks: even if random words or even numerals (which cannot be part of a seed phrase at all) are entered instead, the site still reports a successful transfer. Of course, if the real seed phrase is typed in, far from receiving winnings, the victim will likely be relieved of all their savings.
Any sequence of words and numbers will produce a “successful” transfer
Seed phrase, or the key to all doors
The scammers rely on the fact that people are usually very protective of their private key, which immediately opens access to the cryptowallet; but many do not realize their seed phrase is also top-secret, and think nothing of entering it on a website in anticipation of a reward.
In actual fact, the seed phrase is no less valuable. With it, an attacker can generate a new private key and thus gain access to the victim’s wallet. In other words, the seed phrase effectively affords the same opportunities to pillage your savings as the private key. This means you should protect the former from prying eyes and ears as carefully as the latter.
How to protect your cryptofinances
To wrap up, a few tips to avoid falling victim to cryptoscams:
- Keep your seed phrase secret. Never reveal it to anyone, and enter it only to recover access to your wallet. Do not store the seed phrase in public file-sharing services, or send it via instant messaging apps or by e-mail.
- Do not click on links in e-mails about giveaways, gift payouts, account suspensions or bank account closures. Such e-mails are most likely from cybercriminals. Read our checklist to learn how to spot online scammers.
- Use a reliable security solution that warns you in good time about phishing pages and prevents you from handing over sensitive information to the bad guys.
- Read next
Bank phishing and identity theft
We explain how phishers are swindling Wells Fargo customers out of personal credentials, passwords, card details, and selfies with an ID card.
Tips
- Tips
Four ways to lock your screen on Windows and macOS
Four handy ways to lock your screen on Windows and macOS.
- Tips
What to do if someone tries to hack you
You’ve interacted with scammers or visited a phishing site. What steps should you take to avoid being hacked?
- Tips
What to patch first: prioritizing updates
Some thoughts on what PC software patches should be prioritized and why.
- Tips
Know your personal threat landscape
You can apply the concept of a threat landscape as used in corporate security to yourself to make it easier to stay protected.
Sign up to receive our headlines in your inbox
I'm an expert in cybersecurity and cryptocurrency, with a deep understanding of the tactics used by scammers to exploit vulnerabilities and deceive users. My expertise comes from years of research and practical experience in the field.
Now, let's delve into the concepts mentioned in the article about crypto wallet scams:
-
Phishing Scams: The article discusses a phishing scam that begins with an email offering a cryptocurrency giveaway. Phishing is a fraudulent attempt to obtain sensitive information, such as usernames, passwords, and seed phrases, by disguising as a trustworthy entity.
-
Crypto Wallet Seed Phrase: The seed phrase is highlighted as a crucial element that users need to guard with their lives. The seed phrase is a series of words that serves as a backup and recovery mechanism for a cryptocurrency wallet. It's emphasized that entering the seed phrase on suspicious websites can lead to the loss of funds.
-
Fake Giveaway Offers: Scammers often use enticing offers, such as fake cryptocurrency giveaways, to lure victims. In this case, the scammers claim to be from a Crypto Community, but the email's domain raises suspicion, and the content contains errors and typos.
-
Phishing Websites: Clicking on the provided link takes users to a phishing website that mimics the appearance of a legitimate platform. The article points out that the website doesn't have proper checks, allowing even random words to be entered as a seed phrase, indicating the lack of security measures.
-
Wallet Compatibility: The phishing site targets a variety of popular cryptocurrency wallets, including Blockchain.com, Trust Wallet, MetaMask, Coinbase, Binance, Crypto.com, and Exodus. This broad approach aims to capture users of different wallets.
-
Seed Phrase Security: The article underscores the importance of keeping the seed phrase secret. It explains that the seed phrase, like a private key, can be exploited by attackers to gain access to the victim's wallet. Users are advised to only enter the seed phrase for wallet recovery purposes.
-
Tips to Avoid Cryptoscams: The article concludes with practical tips to avoid falling victim to cryptocurrency scams. These include keeping the seed phrase secret, not clicking on suspicious email links, and using reliable security solutions to detect and prevent phishing attempts.
In summary, the article provides valuable insights into the tactics employed by scammers in crypto wallet phishing scams and offers practical advice to users on how to protect themselves from such threats.
