Jan 23rd 2023
Despite the belief of many crypto enthusiasts that centralized exchanges (CEXs) are safer, history has often shown them to be rather vulnerable to attacks.
Because these exchanges centralize the storage of users’ assets, they can be attractive targets for cybercriminals. If an exchange’s security measures are inadequate or successfully compromised, user assets may be stolen or lost.
Another risk of centralized exchanges is the potential for fraud or mismanagement by their operators. CEXs may have a single point of control — leaving them more susceptible to insider fraud or other forms of misconduct — which can lead to the loss of funds or other negative consequences for users.
Over the last year, the collapse of major centralized cryptocurrency platforms like FTX and Celsius has led to more users choosing to take self-custody of their digital assets. The risky financial practices and alleged fraud committed at some platforms have caused many people to lose faith in them as safe places to store their cryptocurrency.
Self-custody refers to holding and managing one’s cryptocurrency instead of entrusting it to a third party, such as an exchange. This approach offers users greater control over their assets and can potentially provide higher levels of security. However, it also comes with its own risks, particularly exposure to scams.
Types of scams and how to avoid them
To better understand the potential dangers associated with self-custody and offer guidance on how to protect oneself from scams, BiTon reached out to Alice Boucher of Chainabuse — a multichain community platform for reporting fraudulent crypto transactions.
One scam aiming to take advantage of crypto users is called “pig butchering.”
“A pig butchering scam occurs when the scammer stays in constant contact to build a relationship with the victim and ‘fatten them up’ with affection over time to have them invest in fake projects,” Boucher said, adding:
“The scammer tries to drain as much money out of the victim as possible, often using fake investment sites showing large fake profits and using social engineering tactics, such as intimidation, to extract more money from the victim.”
Social engineering uses psychological manipulation tactics to exploit the natural tendencies of human trust and curiosity.
Cybercriminals in the cryptocurrency industry often aim to steal self-held assets by taking control of high-profile accounts. “Between May and August 2022, social media account takeovers involving Twitter, Discord and Telegram have wreaked havoc. Scammers post malicious nonfungible token (NFT) phishing links during those attacks, compromising high-profile social media accounts,” Boucher said.
Once these attackers have gained access to a high-profile account, they typically use it to send out phishing messages and other malicious communications to many people, attempting to trick them into giving up their private keys, login credentials or other sensitive information.
The end goal is to gain access to the victims' assets in self-custody and steal the cryptocurrency held by the individual.
Followers of these high-profile accounts may be tricked into clicking on malicious links that transfer the tokens from their wallets. These scams may also be designed to have users invest on a trading platform, often resulting in victims losing their deposits with no way to recover them. Boucher added:
“The volume of scams, hacks, blackmails and other fraudulent activity has been growing exponentially over the last few years. Most fake platforms appear to be either Ponzi schemes or payout scams with the following characteristics: They advertise fake returns, have referral incentives that resemble pyramid schemes or impersonate existing legitimate trading platforms.”
Scammers utilizing these phishing tactics can encourage users to sign smart contracts that drain their assets without their consent. A smart contract is a self-executing contract with the terms of the agreement between buyer and seller directly written into the code.
Users may lose their tokens if the contract contains errors or is designed to take advantage of people. For example, if it allows its creator to take possession of tokens to sell them, users may lose cryptocurrency by signing it.
Most of the time, users don’t know they’ve lost their tokens until it is too late.
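The signing trap described above usually takes the form of a token approval: the transaction the user is asked to sign does not move tokens itself, but grants another address the right to move them later. The following is an added example, not code from the article or from Chainabuse, of a pre-signing check a wallet or a cautious user could run over a transaction's calldata before confirming it. It decodes the standard ERC-20 `approve` and ERC-721/ERC-1155 `setApprovalForAll` selectors (well-known values) and flags an unlimited allowance or an operator approval granted to an address that is not on an allow-list. The sample calldata and the spender addresses are constructed for the example; the `trusted_spenders` set is an assumed input the user maintains.

```python
# Added example: decode EVM calldata and flag approvals that let a third party
# drain a self-custodied wallet. Not part of the article; selectors are the
# standard ones, sample transactions and addresses are constructed.
from typing import Dict, List, Optional, Set

MAX_UINT256 = (1 << 256) - 1

# First 4 bytes of keccak256 over the function signature (standard values).
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator
}


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI argument word following the selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return word


def assess_calldata(calldata_hex: str, trusted_spenders: Set[str]) -> Dict:
    """Describe what an approval transaction would grant and list the risks.

    Returns {"function": <signature or None>, "spender": <address or None>,
             "risks": [<human-readable warnings>]}.
    Non-approval calls (plain transfers, swaps, ...) return no risks here.
    """
    hex_body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hex_body)
    result: Dict = {"function": None, "spender": None, "risks": []}
    if len(data) < 4:
        return result
    signature = APPROVAL_SELECTORS.get(data[:4].hex())
    if signature is None:
        return result
    result["function"] = signature

    # Addresses are right-aligned in their 32-byte word: the low 20 bytes.
    spender = "0x" + _word(data, 0)[12:].hex()
    result["spender"] = spender
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        result["risks"].append("spender is not a known contract")

    value = int.from_bytes(_word(data, 1), "big")
    if signature.startswith("approve") and value == MAX_UINT256:
        # Unlimited allowance: the spender can move every token of this
        # kind the wallet holds now or receives later, until revoked.
        result["risks"].append("unlimited ERC-20 allowance")
    if signature.startswith("setApprovalForAll") and value == 1:
        # Operator approval covers every NFT in the collection, not one token.
        result["risks"].append("operator approval over the whole collection")
    return result


def risky_calls(transactions: Dict[str, str], trusted_spenders: Set[str]) -> List[str]:
    """Names of the constructed transactions that carry at least one risk."""
    return [name for name, data in transactions.items()
            if assess_calldata(data, trusted_spenders)["risks"]]


# Constructed sample calldata (addresses are placeholders, not real contracts).
CONSTRUCTED_SAMPLES = {
    # approve(<unknown spender>, 2**256 - 1)
    "unlimited_approve": "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32,
    # setApprovalForAll(<unknown operator>, true)
    "operator_approval": "0xa22cb465" + "00" * 12 + "cd" * 20 + "00" * 31 + "01",
    # transfer(address,uint256) (selector a9059cbb): moves 10 units, not an approval
    "plain_transfer": "0xa9059cbb" + "00" * 12 + "ef" * 20 + "00" * 31 + "0a",
}

if __name__ == "__main__":
    for name, calldata in CONSTRUCTED_SAMPLES.items():
        print(name, assess_calldata(calldata, trusted_spenders=set()))
```

The check deliberately does not try to judge whether the spender contract is malicious; it surfaces what the signature would grant (an unlimited allowance, an operator right over a whole collection, an unknown counterparty) so the decision is made before signing rather than discovered afterwards, which is the moment the article says most victims find out.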