Crypto Digest

Insight and Commentary on Investing in Digital Assets


Cryptocurrency Account Security

By Richard J. Lee & Alexander Urbelis on February 22, 2023
Posted in cryptocurrency

Crypto-hacking and theft have been front and center in the news. Separate from the failures and alleged fraud of CeFi crypto-exchanges, estimates suggest that $3.8 billion worth of cryptocurrencies have been stolen in the past year.  It’s become vital to understand how to proceed when these situations arise.  

Crowell & Moring has been working with clients to address such situations and has been involved in the tracking and tracing of over 30M USD of stolen cryptocurrency funds. Working with domestic and foreign law enforcement, we have investigated remote access fraud, Ponzi schemes, and numerous pig butchering scams.  Many of these frauds are cautionary tales that can ensnare highly sophisticated organizations and persons. 

As an example, last year a client, an institutional investment firm, was moving over 200 Bitcoin (“BTC”) to one of the largest cryptocurrency exchanges (the “Crypto Exchange”). The transfer went through. But when the client attempted to log in to its Crypto Exchange account, it received a message noting that there was unusual activity, and that the account was frozen until additional KYC diligence could be performed.

The client called the telephone number provided in the message and explained to the Crypto Exchange personnel that the activity they viewed as unusual – movement of over 200 BTC – was in fact legitimate.  The Crypto Exchange explained to the client that, as an institutional investor, he should be using a “premium” account instead of a personal account, and that a premium account could save him a great deal of transfer fees.  The Crypto Exchange personnel set up the premium account with the client on the telephone and placed the over 200 BTC into that account.  An hour or so later when our client logged into his Crypto Exchange account, he was dismayed to find that all of the BTC he transferred was gone.

It turns out, the client was never on the phone with the Crypto Exchange. 

Our forensic analysis indicated that scammers registered a bogus domain name, created a bogus Crypto Exchange subdomain on that domain, and likely paid for premium search engine placement for the terms ‘the Crypto Exchange login’ to direct visitors to their fraudulent website.  Any person who landed on that site would have received the unusual activity notification with the request to contact the Crypto Exchange.

Here are the takeaways:

First, when logging into an exchange, users should bookmark the login page in their browser or directly navigate to a domain name.  Using search engines to find any crypto exchange login page could land you on a fraudulent site. 

Second, if you receive a KYC or unusual activity notification with a request to call an exchange, become immediately skeptical.  If you ever need to call any crypto exchange or service provider, use only the phone numbers on their main website.  In addition, think about how much time you usually spend on hold calling any financial institution: a dead giveaway that you may have reached a fraudster is the fact that they answer the phone immediately, ready to help. 

Third, because of the layered security that many exchanges have in place that require multifactor authentication, fraudsters will often suggest that, for support purposes, you navigate to a remote access link, such as GoToAssist or LogMeIn.  Those services will allow the fraudster direct access to your device, bypassing the security measures exchanges put in place. Legitimate technical support for crypto exchanges will never require you to download files or navigate to websites that enable remote access to your devices. 
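The bogus-subdomain pattern from the forensic analysis, and the first takeaway's advice to trust only the exchange's own domain, can be expressed as a check a security team might run over proxy logs or links found in search results. This is an added example, not part of the original post; the allowlisted domain, the brand token and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: the exchange's real domain and its brand name.
ALLOWED_DOMAINS = {"cryptoexchange.example"}
BRAND_TOKENS = {"cryptoexchange"}


def normalize_host(url: str) -> str:
    """Return the lowercase hostname the browser would actually connect to."""
    # Accept bare hostnames as well as full URLs.
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()


def under_allowed_domain(host: str) -> bool:
    """True only for an allowlisted domain or a true subdomain of one."""
    # Matching on "." + domain stops "notcryptoexchange.example" from passing.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def classify(url: str) -> str:
    host = normalize_host(url)
    if not host:
        return "invalid"
    if under_allowed_domain(host):
        return "official"
    # Brand name used as a subdomain or label of a domain owned by someone
    # else, which is the pattern described in the forensic analysis above.
    flat = host.replace("-", "")
    if any(token in flat for token in BRAND_TOKENS):
        return "impersonation"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs (reserved .example/.test names only).
    samples = [
        "https://www.cryptoexchange.example/login",
        "https://cryptoexchange.secure-login.test/signin",
        "https://cryptoexchange.example.account-verify.test/",
        "https://crypto-exchange-support.test/",
        "https://news.test/article",
    ]
    for url in samples:
        print(f"{classify(url):14} {url}")
```

Hosts classified as "impersonation" are candidates for blocking and for a takedown request; the check does not catch misspelled or homoglyph variants of the brand.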

The volume and velocity of attacks and scams targeting cryptocurrency holders are not going to subside any time soon. Based on data we are tracking, malicious activity of this sort is on the rise and becoming more and more sophisticated, and, as with pig butchering, the fraudsters have highly sophisticated and layered schemes in place that may not be evident until a victim has lost a great deal of funds.

If you or your firm are the victim of a theft, time is of the essence, and we suggest you immediately engage specialized counsel to assist. In subsequent posts, we will be addressing additional wallet security measures, for both hot and cold wallets.

Tags: crypto account fraud, Crypto Account Security, institutional crypto account scam
Richard J. Lee is a partner in the New York office of Crowell & Moring. He focuses on derivatives, finance, and distressed debt and claims trading. Richard is a CFA® charter holder. He has extensive experience advising investors and lenders in a wide range of alternative credit investments and structured financing transactions.

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer (CISO), Chief Compliance Officer, in-house counsel, and private practice litigator.

Alex has a unique skill set that has allowed him to create a bridge between the technical and legal side of cybersecurity. As a result, he is the primary architect of an exclusive DNS (Domain Name Search) monitoring and intelligence platform. Through this intel platform, Alex advises his clients on identified and early-stage indicators of cybersecurity threats and provides counsel on legal actions and technical defensive remedies to neutralize those threats. Alex tracks sophisticated cyber adversaries and advanced persistent threats (APTs) through his intel platform and, notably, detected a state-sponsored cyber intrusion attempt targeting the World Health Organization in March 2020. For combining legal and technical skill sets with public service, the Financial Times selected Alex as a finalist for its Innovative Lawyers awards for pandemic response in 2020.
