The advantages of cryptocurrencies for owners — lax regulation and lack of government control — are major pluses for cyberthieves too. Because the threats to crypto assets are quite varied, we recommend that you study our overview of how to protect your crypto investments, as well as our tips for owners of hardware cryptowallets. But these posts of ours, detailed as they are, still do not disclose the full variety or scale of crypto-related scams. To give you a better grasp of just how attractive crypto finance is to scammers, we’ve compiled a list of the most striking examples of attacks in recent years. Our police lineup (of cybercriminals) shows you the biggest, most brazen attacks in different categories. We didn’t rank them by damage, as this is hard to determine for many types of attacks, and our rating excludes pyramid schemes like BitConnect.
1. The most sophisticated
Damage: US$30 000
Method: Trojanized hardware wallet
This attack was investigated by our experts, hence we have a detailed post about it. An investor purchased a popular hardware wallet, which looked and worked exactly like a real one — until it didn’t. It turned out to be a very crafty fake with pre-flashed private keys known to the cybercriminals and a password-weakening system. When money appeared in the wallet, the hackers simply withdrew it. And that’s without the wallet ever connecting to a computer.
2. The biggest
Damage: US$540 000 000
Method: server hack
For a long time, the largest hack in cryptocurrency history was the theft from Mt. Gox exchange of US$460 million, which caused the exchange to collapse in 2014. But in 2022 this dubious honor passed to Sky Mavis, developer of the popular play-to-earn game Axie Infinity. The attackers compromised the Ronin Bridge system, which handles the interaction between in-game tokens and the Ethereum network, which led to the theft of ether and USDC worth, according to various estimates, US$540–650 million. Without delving into the details of the blockchain bridge hack, the attackers compromised five of the nine validator nodes for verifying Ronin transactions and used them to sign their transfers. Apparently, the network was infiltrated through a combination of malware and legitimate but outdated access credentials that had not been revoked in time.
The hackers also hoped to earn even more from the collapse in the market capitalization of the target companies, but the hack was noticed just a week later, and their attempt at short selling failed.
3. The most persistent
Method: fake Chrome extension
The attacks, carried out by the BlueNoroff group and detected by us in 2022, were aimed primarily at FinTech companies working with cryptocurrency. In this series of attacks, the hackers penetrated the internal networks of the target companies using phishing emails seemingly from venture capital funds. When the victim opened the malicious email attachment, a Trojan installed itself on the computer allowing the attackers to steal information and install additional malware. If the company’s emails were of interest to them, the hackers remained in its network for months. Meanwhile, the crypto theft itself was carried out using a modified Chrome extension called Metamask. By installing their version of Metamask instead of the official one, the cybercriminals were able to observe and modify the victim’s legitimate cryptocurrency transactions; even the use of a hardware cryptowallet in this case didn’t provide sufficient protection.
4. The most obscure
Damage: US$35 000 000
On June 2, 2023, attackers targeted the decentralized Atomic Wallet, debiting tokens from the victim. This is the most recent example at the time of posting. The developers confirmed the hack, but have yet to figure out how it was done. Atomic Wallet prides itself on the fact that neither passwords nor private keys are stored on its servers, so the attack must be linked to what takes place on users’ computers.
Cryptocurrency tracking experts say the laundering methods used resemble the modus operandi of the Lazarus group. If it is Lazarus, it’s most likely an attack either through a fake Trojanized version of Atomic Wallet (similar to the attack on DeFi), or on the developers themselves with a Trojan in the official application.
5. The most cinematic
Damage: US$4 000 000
Method: face-to-face meeting
To steal cryptocurrencies, some cybercriminals set up Catch Me If You Can-style scams. The targets — companies looking for investors — are approached by “investment funds” to discuss a potentially large investment in the business. After a few phone calls and emails, face-to-face meetings are scheduled at a luxury hotel with the victims — startup CEOs. There, all legal and financial matters are discussed at length, after which, under a convenient pretext, the conversation turns to investments and cryptocurrency fees. As a result, the scammers sneak a peek on the victim’s seed phrase or briefly get hold of their cryptowallet, emptying it of all funds. In one case, the victims were hustled for US$4 million; in another, described in detail, for US$206 000.
6. The most elegant
Method: fake letters and wallets
This one sounds like a plot for a detective novel: cybercriminals sent paper letters to buyers of Ledger hardware wallets. To get the mailing list, they either hacked into an unnamed third party (likely a Ledger contractor) or capitalized on an earlier user-data leak.
The letter informed the recipient that, due to security issues, their Ledger Nano X hardware wallet had to be replaced — and a free replacement wallet under warranty was handily attached to the letter. In fact, the enclosed box contained a malware-infected flash drive disguised as a Nano X. On first startup, the program asked the victim to perform a “key import” and enter their secret seed phrase to restore access to the wallet — with obvious consequences. Many recipients, however, didn’t fall for the ruse: despite the convincing packaging, the letter itself contained a number of spelling mistakes. Vigilance pays dividends!
7. The most inconspicuous
Among the most inconspicuous are address-substitution attacks, usually carried out with the help of clipboard-injector malware. After infecting the victim’s computer, the malware silently monitors the clipboard for cryptowallet addresses: when one arrives, malware replaces it with the address of the attacker’s wallet. So, by simply copying and pasting addresses during transfers, cybercriminals can easily direct funds their way.
8. The most hurtful
Damage: US$15 000
Method: love letters
Romantic scams remain one of the most common ways to deceive private crypto investors. Let’s take a look at a specific example. Kevin Kok had years of crypto experience, yet even he was hoodwinked by a blossoming romance. Having met a woman on a dating site, he chatted with her for several months, during which time the topic of investments never arose. Then, she suddenly shared “information from friends” about a handy new app for crypto investments. She was having trouble figuring it out and asked for help so she could deposit her own (!) money there. Kevin, of course, offered to help. Convinced that the app was working fine, he saw his new flame’s assets rise in value. So he decided to invest his own money and smiled at the high rate of return. Kevin became suspicious only when the woman suddenly disappeared from all messenger apps and stopped replying to his messages. And it was then he discovered it wasn’t possible to withdraw funds from the “investment system.”
How to stay safe?
We’ve already given detailed recommendations for crypto investors, so here we’ll repeat just two: treat all crypto-related offers, emails, letters and innocent questions with maximum suspicion, and always use security software tailored for crypto investments on all relevant devices. And we certainly recommend a Kaspersky Premium subscription for one or more devices, the price of which is a drop in the ocean compared to the potential damage from just one successful scam. Premium includes special tools to protect your crypto investments:
- Protection against cryptocurrency fraud and unauthorized mining
- Additional protection for banking apps and financial transactions
- Special anti-keylogger protection for password input windows
- Detection of remote access to the computer
- Password manager and secure storage for sensitive data
- Real-time antivirus with application behavior control
- Warnings about potentially dangerous applications
- Automatic search for outdated versions of applications and updates from official sources