The four types of cryptocurrency scam
Send me your money, tell me your password, let me into your computer and buy my magic beans.
The return of a bull market for cryptocurrency will come with a return of the thriving industry of cryptocurrency scams. Even experienced participants in crypto are occasionally the victims of scams, and there is no recourse if a criminal is able to steal your money. The gift of crypto is freedom, the price of crypto is vigilance. Here are the four basic types of cryptocurrency scam and how to avoid them.
In this issue:
Send me your money
Tell me your secrets
Let me use your computer
Buy my magic beans
How to stay safe
Send me your money
A surprisingly common (and surprisingly effective) strategy for cryptocurrency scammers is the "giveaway" scam, in which the scammer poses as someone wealthy or famous and announces a giveaway that will double (or triple) any money sent to the scammer’s address. The scammers will usually also create fake accounts pretending to be other people who have successfully participated in the giveaway and doubled their money. No one actually gets their money back.
The scam pictured above netted the scammers ~$140k worth of Bitcoin and ~3.5 years of prison. These scams work because so much of crypto violates ordinary economic expectations that people end up confused about what is real and what isn’t. It is hard to distinguish between Megan Thee Stallion doing a Bitcoin giveaway (real), Twitter giving away NFTs to anyone who replied (real) and Apple doing a 30m Bitcoin doubling promotion (false). The key difference to remember is that real giveaways never ask for your money.
Don’t send anyone your Bitcoin unless you want them to have it.
Tell me your secrets
If they can’t convince you to send them your money, scammers are also happy to try convincing you to give them your passwords (or private keys). This will usually come in the form of a targeted message (email or direct message) with an urgent reason for you to click on the scammer’s link. In the image above the scammer is pretending to be a motivated seller underpricing a valuable NFT, but there are also variations where the scammers pretend to be a security warning from your exchange.
The link will look like it comes from a service you already use and trust. If you look carefully in the image above the link is not to OpenSea.io but instead to opensea.fo, presumably a website used by the scammers to impersonate OpenSea. If you were to click through you would arrive at a site that looked exactly the same but prompted you to log in again - and as soon as you did the scammers would use your credentials to sweep your account and steal everything valuable.
Often these messages will mimic the accounts of people you trust, like influencers in the space, mods on a Discord or your friends and family. Be suspicious of any message with a link, even from someone you trust. Don’t click links in emails or DMs; type the address of the URL you want to go to in the browser yourself. Be extremely nervous about signing into any website with MetaMask or your password, even a service you already trust. Impersonators will use your trust against you.
Never, ever send anyone your private key or seed phrase for any reason.
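The lookalike-link check described in this section (opensea.fo standing in for OpenSea.io) can be automated. The sketch below is an added example, not code from the author or from any wallet or marketplace; the allowlist, the function names and the sample URLs are constructed for illustration. It goes slightly beyond the swapped-ending case in the text and also flags embedded brand names, near-miss spellings and the "user@host" trick.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the sites this user really signs in to (assumption).
TRUSTED = {"opensea.io", "metamask.io"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED):
    """Return 'trusted', 'suspicious' or 'unknown' for the host a link opens."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # "https://opensea.io@evil.example/" opens evil.example; the text before
    # the "@" is only a username, so any userinfo in a link is a red flag.
    if parts.username is not None:
        return "suspicious"
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    labels = host.split(".")
    # Simplification: the second-to-last label stands in for the registered
    # name; a public-suffix list is needed for names like example.co.uk.
    brand = labels[-2] if len(labels) >= 2 else labels[0]
    for d in trusted:
        name = d.split(".")[0]
        if name in labels:          # opensea.fo, opensea.io.evil.example
            return "suspicious"
        if name in brand:           # opensea-support.example
            return "suspicious"
        if edit_distance(brand, name) <= 2:   # opensae.io
            return "suspicious"
    return "unknown"
```

A result of 'unknown' only means the host does not resemble anything on the allowlist; it is not a verdict that the site is safe.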
Let me into your computer
If they can’t convince you to send them your secrets, scammers will try to trick you into giving them access to your computer so they can steal your secrets for themselves. A good rule of thumb about computer security is that once you install a piece of software on a computer it can pretty much do anything it wants - including download and install other software.[1]
The same free-riding infestation of jerkware that causes pop-up ads and resets your homepage to greatfreesearch.biz is now also scanning computers looking for unprotected cryptocurrency wallets to steal. Any software you install on a device that handles your money is software you are trusting with your money. Assume any computer that has freeware (including browser extensions) installed on it is not safe to use with cryptocurrency.
Hardware wallets can help with this, but a compromised computer is still unsafe. Scammers can do address replacement attacks, for example, where they replace addresses on the screen with their own addresses and trick you into signing transactions sending your money to the wrong place.
The closer your cryptocurrency is to the internet, the more it is at risk. Handling Bitcoin on an internet-connected computer is like storing money in your wallet - only put as much there as you intend to spend and are ready to lose. The majority of your crypto assets should always be in some combination of cold storage (i.e. offline storage) or stored on an exchange/bank.
Never install anything that was sent to you. Keep your Bitcoin away from software that connects to the internet.
Buy my magic beans
The money-doubling giveaway scam that we started with is really just the most clumsy and primitive version of the more general family of investment frauds. It turns out it is easy and lucrative to convince people to give you money by promising to use that money to make more money. One way to raise money is to have a genuinely good business idea but that is risky and effortful and can take a long time. Another much easier way is to lie.
There are lots of different ways to lie about an investment, which is why most countries have an entire body of law dedicated to investment fraud. In America there are a lot of rules governing how you can market an investment, who you can sell it to[2] and what disclosures you have to make. Retail investors don’t think about these protections very much, but that’s why they exist - if retail investors were better about evaluating investment risks, securities law would be redundant.
When you "invest" in something with a cryptocurrency you are almost certainly outside the anti-fraud protections provided by the government. Buying stocks on an SEC-regulated exchange is like betting in a Vegas casino. Buying DeFi tokens on a decentralized exchange is more like playing three-card monte with a street hustler. They both involve risk but the latter is a very different risk profile.
Investing your cryptocurrency is like swimming with sharks. You might survive but you need to be thinking of yourself as prey. There are no rules of fair play and there is no one looking out for your safety.
Pump-and-dump groups will manufacture artificial price jumps in illiquid tokens so they can sell worthless coins to retail investors buying into the momentum. Ponzicoins construct confusing and arcane mechanics to create the impression of guaranteed value. Developers will raise funds on the basis of "promising research" into unsolvable problems. Cloud miners sell mining contracts priced as though network difficulty won’t continue to rise.
Even entrepreneurs with a genuine business idea might decide it is easier to just take the investment money and abandon the project than to actually build the business. That happens often enough in crypto that it has a name - a rug pull. Business is hard and fraud is easy, so for every successful business in a space you should expect many, many more frauds and failures.
As a rule you can assume no one wants to sell you free money. If someone understands the market well enough to offer useful advice on how to trade it, they don’t sell that advice; they use it to profit for themselves. If they have to sell their advice to make money, it isn’t very good advice. Similarly, if someone wants to sell you the profits from the mining rigs they operate, it is because they are charging more than the mining rigs will produce. If an investment looks risk free, the risks are being hidden from you somehow. No one is running a business as a favor to investors.
Anything that looks too good to be true is a trap.
How to stay safe
To distill the above into a set of guidelines:
Don’t send anyone your money unless you want them to have it.
Keep the majority of your cryptocurrency in cold storage or an exchange/bank.
Use a hardware wallet for any cryptocurrency that needs to touch the internet.
Don’t install software on a computer that uses cryptocurrency.
Don’t click links that are sent to you; type URLs into the browser yourself.
Don’t assume that a message from someone you trust is trustworthy.
Get in the habit of carefully scrutinizing URLs and usernames for imposters.
Treat any "urgent" message as highly suspicious.
Treat any DM from a stranger as highly suspicious.
Treat any potential investment opportunity as highly suspicious.
Anything too good to be true is a trap.
Stay safe out there, friends.
[1] I know that isn’t literally true, but it is still close enough to true that for non-security professionals I think it is the right way to reason about the risks.
[2] Some people (including some in my family) will insist the phrase should be "to whom you can sell it." But I just can’t! It’s so awkward. The rule about dangling prepositions is just a vestigial attempt to jam Latin grammar into English. It’s stilted.