The key commandment for crypto owners is as follows: never tell anybody your seed phrase under any circumstances. Holders are warned about this whenever they create a cryptocurrency wallet, but despite this, attackers still find ways of stealing seed phrases and escaping with the money. How do they do it, and how can owners of digital assets protect themselves?
Many people of course remember that they need to keep their seed phrase secret. This means that it’s easier for scammers to shake gullible people down by other means. One method is offering to send them a significant sum in exchange for a small commission. These schemes are easier and faster, and they attract less suspicion. Nevertheless, gaining full access to somebody’s crypto assets is too much to resist, so scammers will always try to trick people out of their seed phrases.
Another thing: people often make the mistake of thinking that it’s just the older generation who are vulnerable to the tricks of scammers. In fact, studies have shown that people over the age of 50 rarely fall victim to fraud. The 30–39 age group is actually much more likely to be deceived. The reason is simple: attackers target the most solvent group. What are their methods?
The victim receives an email from the team of a crypto wallet, DeFi project or crypto community – the possibilities are endless – offering to send them an amount of crypto. The figure is usually quite high, and the email might read as follows: “To celebrate our launch/completion/IPO, we’ve decided to send $500,000 to the people who register before the end of the week, so click on the link to get started.”
If the user follows the link contained in emails like this, they will end up on a cloned version of the website for a famous project, or the page of a fake DeFi project. If you think you can spot a fake immediately, you might be disappointed: over the years, scammers have learned to create pretty convincing bogus websites.
What happens next? To claim your share of the USD 500,000 you’ll need to name the wallet where your money is stored and enter the seed phrase. If you do this, you won’t receive any money and your funds will be sent to somebody else’s wallet.
It’s important to clarify that these kinds of “tempting offers” are not always sent by email, and links to bogus websites can be shared using banner networks, instant messengers and Google Docs (in this case the scammers will share a document with you).
There is another option, whereby an email is sent on behalf of a crypto exchange or a wallet with a “notification” that a customer’s data has been hacked or leaked. To protect their funds, of course, victims must urgently follow a link and “update” their seed phrase. It goes without saying that in order to do this the old seed phrase must be provided.
This is the simplest way of tricking people, with an extremely low barrier to entry. Fraudsters only need to send out a fake mass email and create a bogus website template. Most emails will end up in the spam folder, but given the size of the mailing list some of them will end up reaching the recipient.
How to protect yourself
- Spotting errors: Fraudsters sometimes don’t bother to run a spell check, and if you spot typos in the email this could be a sign that you’re looking at a fake. Furthermore, the wrong colours and graphic elements might be used in the design. One example is out-of-date logos.
[Image: look at how the word “members” is spelt]
- The wrong links: The email body may mention a well-known website, but the links you are told to click on have nothing to do with it. Even if the website address looks correct, hold your cursor over the link and the browser will show you the URL you’re being sent to. In Google Chrome, for example, the URL will be visible in the lower left-hand section of the window.
- Links that almost look like the real thing: Scammers often register domain names for fake websites that look very similar to real ones. They might change a couple of letters – for example, metamaks instead of metamask – or use numbers instead of letters, such as g00gle instead of google. You should therefore always pay attention to the URL in the browser address bar.
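The last two checks can be automated before a link is ever clicked. The sketch below is an added example, not code from the original article: it compares each link's real target with a list of sites the user actually uses and flags near-misses such as a swapped pair of letters or digits standing in for letters. The allowlist, the digit-to-letter table, the distance threshold of 2 and the sample links are assumptions.

```python
from urllib.parse import urlsplit

KNOWN = {"metamask.io", "google.com"}        # assumed allowlist of genuine sites
DIGITS = str.maketrans("01345", "oleas")     # assumed digit-for-letter swaps

def osa(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    # First row and column hold the cost of building a prefix from nothing.
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1,
                          d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def host_of(url):
    """Lower-cased hostname of a URL or bare domain, without a leading www."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(host):
    if host in KNOWN or host.endswith(tuple("." + k for k in KNOWN)):
        return "known"
    folded = host.translate(DIGITS)          # g00gle.com -> google.com
    near = [k for k in sorted(KNOWN) if osa(folded, k) <= 2]
    return "lookalike of " + near[0] if near else "unknown"

def audit(links):
    """For each (visible text, href): target host, verdict, text-names-another-host."""
    out = []
    for text, href in links:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        out.append((target, classify(target), bool(shown) and shown != target))
    return out

# Constructed sample: link text and href pairs as they might appear in an email.
SAMPLE_LINKS = [("metamask.io", "https://metamaks.io/claim"),
                ("Sign in", "http://www.g00gle.com/login"),
                ("metamask.io", "https://metamask.io/download")]

if __name__ == "__main__":
    for row in audit(SAMPLE_LINKS):
        print(row)
```

A "lookalike" verdict means the address is close to a trusted one without being it, which is the case where the address bar deserves a second look.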
Suspect seed phrases
Another method is stealing the seed phrase before you even receive it. Fraudsters copy the websites of well-known crypto wallets, carry out SEO optimization to ensure that the site appears in search engine results, start advertising and wait for somebody who wants to open a wallet to visit the page.
Spotting a fake can be tricky. The sites are often very similar to the original version, and each stage is copied, from registration and installation to generating a seed phrase. The only catch is that no phrase is actually generated: what you receive is the existing phrase from the attacker’s wallet. All they need to do is track any deposits of funds and make a withdrawal.
How to protect yourself
Don’t go to crypto service websites directly from search engines, links on forums or banners. If you already know the website, enter the address manually. If you haven’t come across it before, check the address using other sources. Use the WHOIS service to find out how long the domain has been registered and for what period – scammers usually try to save money by registering domains for short time frames.
For example, this is the domain information for our website:
Everything here is in order: the name was registered a long time ago, and the registration period ends in two years at the time of writing.
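The same WHOIS check in script form, as an added example that is not part of the original article: it reads the creation and expiry dates out of raw WHOIS text and flags a domain that is young or registered for a short term. The two WHOIS excerpts are constructed for placeholder domains, and the thresholds (one year of age, two years of total term) are assumptions to tune.

```python
import re
from datetime import datetime, timezone

# Field names as printed by ICANN-style registry WHOIS; other registries label them differently.
FIELDS = {"created": r"^\s*Creation Date:\s*(\S+)",
          "expires": r"^\s*Registry Expiry Date:\s*(\S+)"}

def parse_whois(text):
    """Return the creation and expiry timestamps found in raw WHOIS text."""
    dates = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
        if match:
            dates[name] = datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
    return dates

def assess(text, now, min_age_days=365, min_term_days=730):
    """Flag young domains and short registration terms (thresholds are assumptions)."""
    dates = parse_whois(text)
    if len(dates) < 2:
        return {"flags": ["dates missing: verify the address through another source"]}
    age = (now - dates["created"]).days
    term = (dates["expires"] - dates["created"]).days
    flags = []
    if age < min_age_days:
        flags.append(f"registered only {age} days ago")
    if term < min_term_days:
        flags.append(f"registered for only {term} days in total")
    return {"age_days": age, "term_days": term, "flags": flags}

# Constructed WHOIS excerpts for two placeholder domains (not real lookups).
OLD = """Domain Name: LONG-STANDING.EXAMPLE
Creation Date: 2015-06-01T00:00:00Z
Registry Expiry Date: 2027-06-01T00:00:00Z"""
NEW = """Domain Name: FRESH-CLONE.EXAMPLE
Creation Date: 2025-05-20T00:00:00Z
Registry Expiry Date: 2026-05-20T00:00:00Z"""
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the result is repeatable

if __name__ == "__main__":
    for record in (OLD, NEW):
        print(assess(record, NOW))
```

An empty flag list does not prove a site is genuine; it only means the registration dates give no reason for suspicion.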
Some cryptocurrencies use Google Chrome extensions. Fraudsters are well aware of this and release fake extensions, which have a single purpose: to pass on your seed phrase to attackers.
We already wrote about a case of this kind, where a user of the Ledger cold wallet lost USD 16,000 after installing the Ledger Secure extension. It goes without saying that this extension had nothing to do with Ledger.
How to protect yourself
If you’ve found an extension for your crypto wallet in the Chrome Web Store, don’t install it straight away. First, go to the project’s website and check whether there really is a browser extension version. If there is, follow the Chrome Web Store link on the official site.
This is the most dangerous kind of phishing, when attackers have a specific target. It can combine all of the methods listed above, but with one key difference: before they get started, the scammers research their victim.
There are lots of options when it comes to carrying out the attack, and it all depends on the situation, the level of perseverance of the attacker and, most importantly, the victim’s overall approach to online security. If you have been imprudent enough to publish your wallet address somewhere in the public domain and there are enough funds (this can be checked using a blockchain explorer), then there is an incentive to target you personally.
Scammers could, for example, try to hack your email or messengers, read your correspondence and then send a personalized message on behalf of a service you use or a specific person you trust. Targeted phishing is often deployed as the initial stage of more complex attacks. The email could in theory contain anything, from a link to a phishing website to malware. In any case, the effort put into the scam will be an order of magnitude higher, and the message will look very believable.
How to protect yourself
Have you heard the saying “wealth whispers”? This is perhaps the most important thing to keep in mind if you want to evade the attention of scammers. Don’t boast openly about your successes in crypto, and don’t publish your wallet addresses on forums or in messenger group chats. Additionally, you should use complex passwords wherever possible and enable two-factor authentication (2FA).
The bottom line
Malicious actors are honing their skills, and the methods they use to shake gullible people down are constantly changing. The only reliable defence is critical thinking. Nobody needs your seed phrase in order to transfer funds – all that’s required is the wallet address. Always remember that your seed phrase is the key to your crypto assets.
Ultimately, you can’t lose your seed phrase if you store your funds in a crypto wallet that doesn’t have one. In Tangem Wallet, the private key is stored in the card’s chip and isn’t revealed to anybody, even the owner. With Tangem, there’s no need to fear phishing tactics.