Be it a new user or an experienced hand regularly active in the cryptocurrency and DeFi industry, scams and vulnerabilities are something you would hear about on a periodical or even almost daily basis. This is important as you are the sole owner of your assets in the cryptocurrency industry and once an asset leaves your hand it is almost impossible to recover the asset unless you personally know the individual or entity to whom you transferred your digital assets.
Here, in this update, let us share with you some of the popularly known scams and vulnerabilities that a crypto user should be aware of -
Phishing scams — Phishing scam as its name indicates is a scam that makes use of fraudulent communications pretending to be a legitimate entity. Given that both marketing and key-user interactions occur in community-based environments unlike inside an office with a pre-defined set of rules and regulations and activity protocol, both individuals and professionals entities (individuals who run crypto business practices or actual company accounts of various dApps and blockchain networks) are highly active in the social media circle. Especially, in apps such as Telegram, Discord and Twitter.
Hackers would steal and use the same profile picture and use the same name as actual users albeit with a different username for social media. Given the familiarity, users fail to notice the fact that their past conversations might be missing in this chat and this is a highly overlooked factor as the external appearance often resembles that of an account we are used to on a daily basis.
It might be the profile of your co-worker or someone (admin/organiser) eg — a friend you met in the forum and are in regular contact with. Given the sense of familiarity from the same image and name, users tend to overlook the fact that the message might come from a different entity. These hackers pretend to be people you know and ask you to help them out owing to emergency or pitch about some non-existent projects which they might recommend as a good project to invest your money/tokens claiming it as early information of a good upcoming project.
When in doubt if you might be under an attack using profiles of those similar to you, please ensure that the user name of the person you are interacting with is the same as the one you interact with on a regular basis. Doing a simple search via an inbuilt search option in social media sites and apps will immediately show that there are two similar profiles. You can then check for one with your old chat records to find out the phishing entity. In case there is only a single account, ensure that you don’t have secret chat/disappearing messages enabled in your settings. If you do, then it is better to directly contact the person you are interacting with via a call or meet them directly before you make a decision to transfer your funds.
Pseudo Entities — This attack is very similar in nature to phishing attacks. But one major difference here is that they no longer pretend to be another person but instead pretend to be actual dApp/DEX or other crypto-related entities. They create a website and replicate the social media accounts of entities they are pretending to be. But, such entities lack the large follower presence that is usually found in the official social media accounts of actual dApps and DEX. Another factor to note is that these Pseduo entities might often use a different domain name for the website or make slight modifications to the logo or use a font that is similar in nature to the font used by the actual firm but is a different font in reality. Noticing these small details might help you identify the presence of such pseudo entities.
Be it a centralised exchange or a decentralized application, neither entity would at any point ask you to provide key information such as your wallet secret key phrase. This way, any site you are looking at that requests you to share sensitive information might in reality be a phishing attack or pseudo entity. Please report such sites and social media accounts the moment you notice them for suspicious behaviour as it would social media sites and search engines rise a flag and do an in-depth verification. This helps identify and remove such attack attempts.
Dust Attack — A Dust attack is often used as a pre-emptive attack by hackers to identify potential targets. While more commonly found in NFT markets, they are also active in regular DeFi markets. A Dust often referred to as a minute amount of crypto with no practical value in the real world is often sent to hundreds and thousands of wallets by attackers. This has no transactional value but helps hackers in monitoring the transaction activity taking place in these wallets.
They use this data to possibly identify the ownership of wallets before deciding on the mode of attack. Those wallets predominantly active in the DeFi market are targetted via Phishing or pseudo-entity attacks. For wallets that are active in the NFT market or hold NFTs, hackers wait for the users to purchase an NFT during which they try to replace the NFT with a Dust NFT or send a Dust NFT alongside the purchase and wait for unassuming users to open/view the NFT or transact using it. When the Dust NFT is used this will create a smart contract that will help hackers in draining the targeted wallet without the knowledge of the user.
Rug-pulls/Exit scams — This type of attack was more popular in the early days during which there was a clear lack of awareness surrounding cryptocurrencies. A lot of projects popped up claiming to provide hard-to-believe and to good to be true rewards and listed out their tokens via ICO (initial coin offering) as an attempt to raise funds. But such projects often had no actual use-case in the real world to generate the promised reward for the investors. Often called “Scam ICOs”, such attacks saw projects and entities pop up with various projects showing shiny prospects and ran away with all funds raised as investments for their empty ideas and projects.
When the market had enough of such attempts and users were starting to become slightly aware, such projects actually came up with good prospective ideas for ICOs and even ran their projects with successful results for quite a while. This helped them raise more funds as an investment than possible via “scam ico” and gain additional funds from users via their regular business endeavours. But, they failed to show the actual details of their revenue model and often ran away at their peak with a boatload of funds right when the flaws in their projects start to hit the limelight. Such projects were called “Exit scams” or “Rug Pulls”.
System Hijacking — This is the least-seen crypto hack attempt in recent times. But, was once the most popular crypto-based cyber attack/hack attempt. In the early days of crypto, when proof of work base consensus was the most popular means of revenue generation in the industry, there was a worldwide craze for crypto mining. Anything from an old desktop pc to gaming stations, servers, mobiles and tablets was used as means to mine tokens. Hackers created a small program that would latch onto these devices when clicked on certain links or images. The program would then run silently in the PC taking up a part of its computational capabilities to mine tokens at expense of innocent device owners without their knowledge while hackers reaped rewards with little to no investment aside from the computer program.
But mining has become a costly process that requires massive investment, hardware and infrastructure resulting in many end users moving away from mining. Furthermore, the blockchain industry as a whole opted to move towards proof of staking consensus compared to proof of work which further reduced the market’s preference towards mining. Given the increasing time, cost and hardware investment required with very low returns, mining had gradually died down unless one was heavily invested in the same resulting in such attacks slowly fading away from the limelight.
We recommend our users at Kana Labs be careful at all times and report any activity that you find suspicious. To ensure that you are on the right website, always ensure that the Kanalabs website you are browsing has a (.io) extension and keep a look out at the transaction history section in your wallet to ensure there is no trace of any suspicious activity. In order to ensure that new users do not fall prey to phishing scams and Pseudo entities, Kana Labs has a referral program which existing users can use to invite their friends and dear ones in case they are interested in trying out our platform. At the same time, activity performed on our site by referred people would allow those who refer new clients to our platforms to gain a small commission serving as a passive income.
