Cryptocurrency is achieving ever-wider acceptance, with nearly $600 billion in Bitcoin and Ethereum alone currently circulating in the Web3 ecosystem. But there’s a dark side–as crypto grows, it attracts more interest from thieves. For instance, over $2 billion in cryptocurrency was stolen in just the first half of 2022.
The most common form of Web3 fraud is phishing, in which users are tricked into giving up critical information by clicking a link or visiting a phishing website. Read our complete guide to avoiding being a victim of phishing fraud.
Unfortunately, phishing is far from the only kind of fraud in Web3. In fact, there are many more types of crypto scams you should know about.
Common features of Web3 scams
There are common characteristics that you’ll see across many of these fraud types. For instance, attackers will often counterfeit the accounts of prominent projects or individuals, such as Elon Musk or Bill Gates.
Also, attackers often work by creating a sense of urgency. This pushes the user to act quickly, without thinking about the possible consequences. The urgency can be positive, attempting to exploit FOMO (Fear Of Missing Out). For instance, many scams in Web3 involve dangling an opportunity for great profit that can only be obtained if the target acts quickly.
Alternatively, the urgency can be negative, threatening problems if the user doesn’t act immediately. A classic example is claiming that the user’s account on a crypto exchange or trading platform has been compromised, and its password must be reset.
Attackers cloak their actions in many guises as they seek to deprive crypto owners of their tokens. Let’s look at the ways Web3 fraud happens and discuss ways to keep your assets safe.
Biggest crypto scams: 8 types of Web3 fraud
It’s important to understand the different approaches attackers use, so you can be on guard. Beyond phishing, here are the types of scams to watch out for:
1. Investment scams
Investment scams appear to be legitimate investment opportunities, but they’re not. The attackers may claim to be successful investment managers and will typically promise large or guaranteed profits.
The methods of attack vary. The attacker may request an upfront fee, which they simply steal. Or they may request the seed phrase to the target’s wallet, claiming it’s needed to deposit funds; anyone who holds the seed phrase can move everything in the wallet.
Some investment scams actually do pay a high rate of return, for a temporary period. These scams typically operate as Ponzi schemes, in which previous investors are paid with the proceeds from more recent ones, until the point at which not enough new investors turn up, and the scheme collapses.
For instance, Trade Coin Club raised more than 82,000 bitcoin–valued at their height at over $295 million–from over 100,000 investors. The company promised guaranteed returns on their targets’ investment, saying that their trading bot was making millions of transactions every second. In reality, the project’s founders used the funds to enrich themselves, the SEC charged in November 2022. The SEC described Trade Coin as a classic Ponzi scheme, in which any returns received by early investors came from the deposits made by later investors, not from trading profits.
2. Fraudulent Initial Coin Offerings (ICOs)
What is an ICO? The acronym stands for initial coin offering. An ICO is a method of raising capital in which a company offers newly issued crypto tokens for purchase. In themselves, they can be legitimate. They are analogous to an initial public offering (IPO) of company shares in the stock markets.
In a fraudulent ICO, the company or organization doesn’t really exist–it’s simply a construct created for the purpose of the scam. Often, the attackers create a slick website and superficially plausible documentation, all designed to attract and steal the funds that investors provide to purchase the tokens.
In one recent ICO scam, Australian Craig Sproule raised over $40 million for an ICO of Crowd Machine Compute Tokens (CMCT). Investors were told the money would be used to create a new Web3 technology, when in fact funds began to be funneled into South African gold mining firms. The SEC filed charges against Sproule and his companies in early 2022.
3. Pump-and-dump scams
In pump-and-dump scams, attackers aggressively market a token whose price is low but is promised to rise. Messages on social media platforms like Twitter, Facebook, or Telegram are often used for this purpose.
The attackers inflate the price of the token by releasing false or misleading information. As buyers flock to purchase the token, its price eventually reaches a high level. The attackers then sell off their own tokens at the elevated price, causing the price to plunge. Investors are left with less-valuable or even worthless tokens. This is also known as a “rug pull.” This type of scam is common with NFTs, but can take place with any kind of token.
For instance, the SEC filed criminal charges against two companies in late 2022, Arbitrade and Cryptobontix, accusing them of a pump-and-dump scheme that inflated the price of the crypto asset Dignity (DIG). The companies falsely claimed they had bought $10 billion in gold bullion to back their coin in order to give investors a false sense of security and create a price spike.
The principals then sold their own stakes for $36.8 million. The price then imploded–today, DIG is nearly worthless.
4. Giveaway scams
In giveaway scams, the attackers send messages to the target, inviting them to deposit crypto to an address. The message promises to match or multiply whatever amount is deposited. Of course, the deposited funds are simply stolen. Giveaway scams are also known as “flip-coin” scams, after the old “flip-cash scam” that works in a similar way.
Celebrities’ personas are often hijacked for giveaway scams–Elon Musk is a popular choice.
In one recent giveaway scam, the crypto trading platform Coinbase discovered a fake Twitter account impersonating the platform that promised a giveaway of thousands of coins. Anyone who clicked the link in the tweet about this giveaway was asked to verify their address by sending between 0.1 and 10 Bitcoin (BTC) to the scammer’s address, with the promise that 10 times as much BTC would be sent back. Of course, any coins sent were just taken.
5. Malicious airdrops
An airdrop is a marketing technique that involves an organization sending tokens to a wallet. Airdrops are typically for small amounts of a new token. They’re sent to members of a particular community, either for free or in exchange for a small marketing service.
In malicious airdrops, the token is used to send users to a phishing website where they are encouraged to input private information. Airdrop scams are insidious because sometimes, legitimate organizations do airdrop coins, as when Bored Ape Yacht Club deposited about $100,000 apiece to their NFT owners’ wallets in April 2022.
Thieves have robbed individuals of large amounts through malicious airdrops. For instance, two individuals lost a combined $8 million in July 2022, when attackers promised an airdrop of 400 free Uniswap tokens worth roughly $2,000. The victims visited a phishing website and granted the attackers access to their wallets.
6. Fraudulent exchanges
Attackers will sometimes create a fraudulent website that purports to be a cryptocurrency exchange. These websites can take the form of a clone of legitimate exchanges such as Coinbase, only with the URL slightly changed, or a new exchange altogether. The fraudulent exchange will often advertise low rates to buy bitcoin or other cryptocurrencies. The funds sent to the fake exchange are then stolen.
In some cases, the scam takes the form of a mobile app that purports to be a crypto exchange. The FBI reported nearly $43 million was stolen in 2020-’21 via mobile apps posing as crypto exchanges or crypto investment-services firms. Fake exchanges and trading apps continue to proliferate–here’s a list of recent fraud sites from Trend Micro.
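One way to check a link for the "URL slightly changed" clone described above, before visiting it. This is an added example, not code from the original article; the allowlist contents, the function names and the one-typo threshold are assumptions.

```python
from urllib.parse import urlsplit

# Example allowlist (assumption): exchanges the user really trades on.
KNOWN_EXCHANGES = {"coinbase.com", "kraken.com", "binance.com"}
# Character swaps that make a cloned URL look right at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """Undo common look-alike substitutions before comparing."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def check_url(url, known=KNOWN_EXCHANGES, max_distance=1):
    """Return (verdict, imitated_domain) for the host part of url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Naive registrable domain: the last two labels. Production code should
    # consult the Public Suffix List (so "co.uk" and similar work).
    registrable = ".".join(host.split(".")[-2:])
    if registrable in known:
        return ("legitimate", registrable)
    cleaned = normalize(host)
    for good in sorted(known):
        brand = good.split(".")[0]
        # Brand name embedded in a different domain, e.g. as a subdomain.
        if brand in cleaned:
            return ("lookalike", good)
        # One typo away from the real domain after undoing swaps.
        if edit_distance(normalize(registrable), good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("https://www.coinbase.com/signin", "https://c0inbase.com/login",
                   "https://coinbase.com.account-verify.example/"):  # constructed
        print(sample, check_url(sample))
```

An "unknown" verdict only means the host does not resemble an allowlisted exchange; it says nothing about whether a brand-new exchange is trustworthy.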
7. Romance scams
In a romance scam, the attacker connects with their victims on legitimate dating apps or websites, such as Tinder. The attacker then attempts to establish a relationship with the target, pretending romantic interest while offering reasons why they can’t meet up in person right away.
At some point, the attacker in romance scams confides that they’re in a financial crisis due to unpaid medical bills or other personal problems. The attacker then tries to convince the target to send cryptocurrency to invest or dollars to buy tokens. Any cryptocurrency or dollars sent are then stolen.
The FTC named romance scams the second-biggest type of crypto scam in its 2021 report. Of the $587 million total lost to romance fraud that year, $185 million was paid in crypto, the FTC reported. Notably, scammers who sought cryptocurrency from their victims tended to ask for larger amounts, the FTC said.
8. Blackmail scams
In blackmail scams, the attacker sends a message claiming to have incriminating information about the target. Often, they’ll say they’ve intercepted data showing the target frequents adult websites or have gained access to naked photos of the target from their computer (sometimes called ‘sextortion’). The attacker then threatens to publicize this embarrassing information unless the target sends cryptocurrency or private keys.
In one variation of the blackmail scam, the target gets a message claiming that the sender has infected their machine with malware. The message will threaten some harmful action, such as erasing data on the target’s computer, unless the target sends a crypto payment.
It’s usually an empty threat, but victims don’t know that. The FBI recorded 18,000 complaints about blackmail scams involving $13.6 million in losses in 2021.
How to spot these types of scams–and avoid them
There are some simple red flags you can look for that signal a message is probably one of the Web3 scams we’ve just described. These include:
- It comes unsolicited from someone you don’t know.
- It contains exaggerated marketing, promising free money or guaranteed returns.
- There is no credible white paper or technical documentation for the token.
- It tries to induce a sense of urgency or FOMO.
- It contains a threat of some adverse action.
Conversely, you can avoid these scams by taking some simple steps:
- Carefully research any crypto platform or token before investing in it.
- Assume that offers of free or easy returns are fake.
- Don’t act on investment offers from anyone you don’t know in real life.
- Unless you have independently detected malware, assume messages about it are fake.
As these basic rules show, it’s not hard to protect yourself against crypto theft, once you know the do’s and don’ts. And remember, if any offer you get sounds too good to be true, it probably is.