There seem to be more potential security threats in crypto than in traditional finance. Invested capital might vanish into the bit space just by sending it to the wrong blockchain. Rug pulls happen, phishing coins are sent to wallets, etc.
This thread is intended to centrally collect advice and warnings so that no one loses their funds due to clumsiness, ignorance, or criminal activity. Volatility, depreciation, and other “normal” risks do not belong here. For clarity, all other discussions and comments should be left in other threads.
https://medium.com/metamask/phisher-watch-airdrop-scams-82eea95d9b2a
This is an attempt to get the airdrop recipient interested in figuring out how to convert them into something with liquid value. A friendly support person somewhere will then try to “investigate” the matter by asking for wallet recovery keys or other sensitive information.
TLDR: If strange coins appear in your wallet, just leave them be. Do not reveal anything that links these coins specifically to you or your wallet by actively asking or wondering about them on the internet.
If someone asks for your keys, never tell them (this also applies to banks).
Do not use unknown platforms or wallets (this also applies to normal money).
Make sure you don’t accidentally go to the wrong address via Google (this also applies to banks).
Make sure the wallet code is correct when making a transfer (this also applies to banks).
Think and research before you act (…)
Diversify your activities (…)
Keep your computer clean (…)
It’s no more dangerous than dealing with banking, if you approach it with the same seriousness. Of course, if it’s just a hobby, perhaps the seriousness can be lower, but then you have to be prepared for your wallet to be empty tomorrow. Of course, platforms offering crypto markets are not as reliable as banks, so I would also be cautious about keeping funds on such service providers. Transferring some cryptocurrencies costs quite a lot (even tens of euros), so you might not want to make transfers, but it’s advisable to keep currency mainly in your own wallet, whose keys are not known to others.
My rule of thumb is under 10k in CEXes (Centralized exchanges, i.e., Binance, Coinbase, etc.). Over that, to “my own” wallet, i.e., Metamask, Trustwallet, etc.
A very important topic. General good practices and advice for navigating the cyber world can also be found at the National Cyber Security Centre (Kyberturvallisuuskeskus):
I would especially highlight the adoption of multi-factor authentication (e.g., username/password + additional identifier) in ALL services where it is possible.
If you have a significant sum tied up in crypto or are otherwise concerned about security, you should get a hardware wallet. For example, Ledger. With it, you confirm transfers from an external device; Ledger works with, for example, MetaMask.
I won’t go into further detail on the subject; you can find more information about it and different options by searching on Google or YouTube.
Exactly.
Additionally, for 2FA authentication, definitely use a stick or authentication software (Authy, Google…). Email and/or SMS alone are not enough. Those are constantly being hijacked.
Nowadays, authentic-looking phishing emails have started to appear. It’s advisable to maximize security and set up an Anti-phishing Code in the settings. This way, you can immediately tell which messages are genuine and which are not.
Apparently, a pretty credible-looking phishing attempt is coming via email in the name of MetaMask…
Your MetaMask wallet will be suspended!, KYC not done and Please keep in mind that our intention is to keep our customers safe and happy etc and blah blah.
Among some crypto investors, the recent announcement from the tax authority that “information from virtual currency exchanges is flowing” might cause a slight stir of concern. Fortunately, the taxman is proper, and the announcement is conveniently timed so that one can still clarify the matter for the year 2021 in the tax return: “If you correct the return, the due date is either May 10, May 17, or May 24, 2022.” Verohallinto saanut paljon suomalaisia koskevia tietoja ulkomaisesta virtuaalivaluuttapörssistä – Verovalvonta tehostuu | HS.fi
Ethereum founder Vitalik Buterin’s X (Twitter) account was hacked last night, and criminals exploited the account to promote an NFT scam. Unfortunately, many people lost their money again, as few likely believed that an account belonging to someone like Vitalik would ever feature scam posts. Losses are in the range of 700,000 dollars.
Below is an image of the tweet. Vitalik has now regained control of his account and the scam message has been deleted.
How does such a scam work in practice? Victims clicked the link in the X post and ended up on a site created by the scammers, where they granted a smart contract access to their wallet to receive an NFT. After this, the scammers emptied the victims’ wallets.
This is once again a good reminder of how careful you need to be in the crypto world. Similar scams occur constantly, especially on Telegram and Discord.
Since last summer, I have been added several times on WhatsApp to “investment groups” bearing the Binance name. The adding stopped after I restricted the group addition settings in WA to my contacts only.
For a long time, I wondered how on earth they managed to link my number and Binance membership. For now, I blame these third-party crypto tax services. My own stupidity; of course, I should have always remembered to read the terms when trying these out
Are there others here who “got into” these investment groups? Or perhaps even factual information on how one ends up as a group member—is Binance leaking?
Practically all my acquaintances have been added to various groups multiple times. The internet is full of Binance-related scams because it is by far the most well-known brand, so scammers love to exploit it. Those numbers can surely leak from many different sources. Trust Wallet, owned by Binance, is also a popular brand for wallet scams.
I also constantly get contacted on various social media channels, and my phone rings every now and then from who knows what area codes. Just block everything.
Nexo at least has leaked its customer registry at some point, somehow. I create accounts for all services using unique email addresses. The address I used for Nexo, which I have never shared anywhere else, receives phishing emails every now and then. Airdrops and other “free lunches” are offered, or they threaten to close my Binance account if I don’t click within 24 hours.
For nearly 30 minutes, the young scammer detailed his operations, from using Google Forums to impersonate Google employees, owning the username ‘Coinbase’ within the video game Minecraft, paying robodialers to pre-qualify leads, and purchasing leads from dark net vendors.
Apparently, a large email list of customers from crypto companies has been leaked to hackers, so you should be especially careful over the coming days and weeks. You might receive more scam emails than usual in your inbox. This is what CoinGecko’s Bobby Ong just posted on X:
PSA: There is an ongoing supply chain email breach attack happening with an email newsletter vendor right now. Several crypto companies may be affected via email blasts of fake token launches. Be careful with email newsletters in the coming days. We at CoinGecko may be potentially affected and are actively working with our vendor to investigate further to determine the extent of this breach. We have seen phishing CoinGecko emails being sent from other client accounts. There is no CoinGecko token being planned so don’t be duped by the phishing emails.
I ‘forgot’ to keep the phone for trade-in. I made sure all other systems were working, except for Trust Wallet, before resetting the phone. The key code hasn’t been written down anywhere, and cloud backup hasn’t been done, of course. These solutions somehow felt insecure. Maybe some recovery mechanism should be kept, even if it exposes one to theft.
You no longer need to be a crypto millionaire to fall victim to criminals; owners of crypto portfolios worth thousands or tens of thousands are now also targets if they make the mistake of boasting on social media from behind a pseudonym. The crime is not committed online; instead, passwords are extorted through threats of physical violence.
The security industry is reaping the rewards and, for a fee, removes information that the wealthy have shared about themselves on social media. Unfortunately, middle-class “crypto kings” cannot afford such security services.
“Wrench attacks” are on the rise: When owning cryptocurrencies becomes life-threatening - Institutional Money Institutional Money
Hopefully, the translation was captured in the link.
