There are many ways of tricking crypto wallet owners out of their seed phrases. Malicious actors could send them a fake email, create a fake version of a cryptocurrency services website or plant malware on their device. Almost all of these schemes, however, have one thing in common: social engineering.
In the context of information security, this refers to the manipulation of a victim in order to make them do the fraudster’s bidding. Very often, social engineering is all that’s required. So how does it work and why?
No unnecessary complications
In most cases, social engineering is deployed as part of complex multi-stage attacks. Sometimes, however, nothing else is needed, and the schemes are so simple that a fraudster of any skill level could use them. The main thing is the ability to deftly pull the wool over the victim’s eyes. Below are a couple of approaches where the attacker barely even has to think about the technical side of the scam.
No fake websites are created and nobody is required to go anywhere. Everything is done through correspondence. The victim receives a letter from the support service of a crypto exchange, wallet or DeFi project, which describes one of several boilerplate stories. For example, the account has been hacked and something needs to be done urgently in order to restore it, such as generating a new seed phrase. The "tech support person" will be very kind and offer to generate it on the victim’s behalf, and all they need is the old seed phrase.
People’s fear of losing their assets is a key point of leverage, but not the only one. Fraudsters can also play on people’s desire to simplify the execution of various tasks. One of our users came across an aggregator site in a search, which promised to connect to any DEX or NFT platform via WalletConnect. It turned out that while the service was very convenient, it didn’t seem to work. After several attempts to scan a QR code, the service reported that there was a problem on the user’s side and that, in order to solve it, the user needed to enter their private key or seed phrase. In this case, it was only the fact that there is no seed phrase in Tangem Wallet that saved the user from a grave error.
You shouldn’t trust everything that comes up in search engine results. Unfamiliar services must at least be checked using the WHOIS database. If the domain was registered recently and the registration period is short, it’s more likely than not that the resource is fraudulent.
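The WHOIS check described above can be scripted. The following is an added example, not part of the original article: it parses the creation and expiry dates from a WHOIS response and flags a domain that is both recently registered and registered for a short period. The sample response, the field labels and the 90-day and 366-day thresholds are assumptions, since the article gives no numbers.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response for a made-up domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: WALLET-AGGREGATOR.EXAMPLE
Creation Date: 2023-05-02T09:14:07Z
Registry Expiry Date: 2024-05-02T09:14:07Z
"""

# Assumed thresholds; the article does not specify any.
MAX_NEW_AGE_DAYS = 90
MAX_SHORT_TERM_DAYS = 366

# Field labels differ between registries; these are a few common variants.
CREATED = r"^\s*(?:Creation Date|created):\s*(\S+)"
EXPIRES = r"^\s*(?:Registry Expiry Date|Registrar Registration Expiration Date|paid-till):\s*(\S+)"

def _find_date(pattern, text):
    m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    try:
        dt = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    except ValueError:
        return None  # non-ISO date format: treat as not found
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess(whois_text, now=None):
    now = now or datetime.now(timezone.utc)
    created = _find_date(CREATED, whois_text)
    expires = _find_date(EXPIRES, whois_text)
    if created is None or expires is None:
        # Missing or unparseable dates: the domain cannot be cleared.
        return {"verdict": "unknown", "reasons": ["dates not found"]}
    age = (now - created).days
    term = (expires - created).days
    reasons = []
    if age <= MAX_NEW_AGE_DAYS:
        reasons.append(f"registered {age} days ago")
    if term <= MAX_SHORT_TERM_DAYS:
        reasons.append(f"registration period {term} days")
    verdict = "suspicious" if len(reasons) == 2 else "review" if reasons else "no flag"
    return {"verdict": verdict, "age_days": age, "term_days": term, "reasons": reasons}

if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS, datetime(2023, 6, 1, tzinfo=timezone.utc)))
```

Only the "suspicious" verdict corresponds to the article's rule that both signals are present; a short registration period on its own is common for legitimate domains, so a single signal yields "review".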
In addition to simple scams that don’t require any special outlay or skills, attackers deploy social engineering in rather complex schemes. They don’t scare or threaten their victims, instead relying on somebody else’s authority to draw attention to their services. Victims who then use them can lose their money or cryptocurrency, or be cheated out of their seed phrase. Anything is possible.
Pressure from an authority figure
A popular way of building trust is by using an influencer’s persona. The attacker chooses a well-known personality to serve as bait and starts praising some successful project on their behalf. They do this by running ads on popular social networks and video hosting sites. Moderators do of course try to remove this kind of content, but their efforts are clearly not enough.
In 2020, Steve Wozniak tried to sue YouTube. The co-founder of Apple was outraged that his image was used in fraudulent advertising. He lost, by the way. Little has changed since then and, three years later, adverts depicting Elon Musk encouraging investments in various cryptocurrency projects are still popping up on YouTube.
There is a more expensive way of riding on somebody else’s fame – commissioning integrated adverts from popular bloggers. Attackers simply purchase adverts for non-existent projects, and the bloggers themselves don’t even realize that they are becoming party to a scam. The scammers then simply wait for visitors to flow to their project’s website.
The bad friend
There is another way of ingratiating yourself with people using social media. Fraudsters create accounts and run them in the guise of fake experts. They create posts, publish photos, try to add their intended victims as friends, and join crypto communities.
The overall aim is to create the impression that the account is being run by a real person. When they reach the required number of subscribers, the scammer makes an extremely “profitable” offer to their subscribers. This could involve installing a wallet, registering for a project, or participating in an airdrop.
Most scammers don’t pay too much attention to the details when working out their stories. In many cases, they simply purchase “real” social media accounts – for $2–20, depending on the quality – join relevant groups and start messaging users. These accounts are often very basic, with hardly any information and very few posts.
There is always the old-fashioned option of hacking accounts, of course. Fraudsters acquire hacked accounts on instant messengers or social media – or hack them themselves – and start communicating with the people in the contact list while impersonating the real account owner.
How to protect yourself and your funds
In most instances, the most effective tool scammers use is fear. When it comes to money, rational fear turns into genuine existential horror, plain and simple.
Psychologists have offered an explanation for this by pointing out that money is the basis of existence and its loss is even associated with death. All rationality is thrown out of the window, giving way to pure survival instincts. When you receive a message telling you that your funds are at risk, you should take a break and think critically about the situation.
We probably aren’t saying anything new here, but it always bears repeating: never give anybody your private key or seed phrase. You should also store your funds in a cold wallet that doesn’t require one, such as Tangem Wallet.