Stay away from cryptocurrencies—for now.
While none of them appear to be "going to the moon" like we all thought or hoped they might back in 2021, they have also become a primary source of revenue for scammers looking to take advantage of the popularity of crypto.
The FBI released a Private Industry Notification detailing how cybercriminals are creating fraudulent crypto apps to trick investors into giving them their money.
It says these fraudsters are "claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cyber criminals have used with increasing success over time to defraud the investors of their cryptocurrency."
A total of 244 victims have been identified, with approximately $42.7 million in losses associated with this activity.
The FBI asks any financial institutions or investors who believe they have been defrauded through a scam like this to contact the FBI via the Internet Crime Complaint Center (IC3) or their local FBI field office.
Examples of fake crypto apps
One thing the FBI points out is how good these fake apps are at impersonating the real deal. Cybercriminals use the names, logos, and any other identifying information they can use to make an app appear legitimate. Some even use information like what the FBI is citing in this notification to appear even more real.
As an investor, if you visited a fraudulent website that told you to beware of cybercriminals, wouldn't you think that site is legitimate?
The FBI provides three specific examples of this type of cybercrime:
- "Between 22 December 2021 and 7 May 2022, unidentified cyber criminals purporting to be a legitimate US financial institution defrauded at least 28 victims of approximately $3.7 million. The cyber criminals convinced victims to download an app that used the name and logo of an actual US financial institution and deposit cryptocurrency into wallets associated with the victims' accounts on the app. When 13 of the 28 victims attempted to withdraw funds from the app, they received an email stating they had to pay taxes on their investments before making withdrawals. After paying the supposed tax, the victims remained unable to withdraw funds."
- "Between 4 October 2021 and 13 May 2022, cyber criminals operating under the company name YiBit defrauded at least four victims of approximately $5.5 million. The cyber criminals convinced the victims to download the YiBit app and deposit cryptocurrency into wallets associated with the victims' YiBit accounts. Following these deposits, 17 victims received an email stating they had to pay taxes on their investments before withdrawing funds; all 4 victims could not withdraw funds through the app."
- "Between 1 November and 26 November 2021, cyber criminals operating under the company name Supayos, AKA Supay, defrauded two victims by instructing them to download the Supay app and make multiple cryptocurrency deposits into wallets associated with their Supay accounts. In November 2021, the cyber criminals told one victim he was enrolled in a program requiring a minimum balance of $900,000 without his consent; upon trying to cancel the subscription, the victim was instructed to deposit the requested funds or have all assets frozen."
Protect yourself against crypto scams
As always, the best way to defend against cybercrime and crypto scams is to practice proper cyber hygiene. Use strong passwords, change them often, implement MFA, know what scams look like, and verify the legitimacy of a site.
But to specifically defend against the type of crypto scams described above by the FBI, the organization provides three recommendations for investors:
- "Be wary of unsolicited requests to download investment applications, especially from individuals you have not met in person or whose identity you have not verified. Take steps to verify an individual's identity before providing them with personal information or relying on their investment advice."
- "Verify an app is legitimate before downloading it by confirming the company offering the app actually exists, identifying whether the company or app has a website, and ensuring any financial disclosures or documents are tailored to the app’s purpose and the proposed financial activity."
- "Treat applications with limited and/or broken functionality with skepticism."
For more information, see the Private Industry Notification from the FBI.