Crypto scammers and hackers tend to operate in tandem with the markets.
As crypto markets start to pick up, it is a good time for a security reminder, to stay mindful of the ways you could lose your crypto 👇
Compared to last year’s nearly $4 billion lost to hacks and scams, the first 10 months of 2023 have seen only $1.4 billion (source: Immunefi).
However, the market is waking up. In the last two weeks, we saw Telegram’s Unibot exploit ($640k), the Australian exchange CoinSpot hacked through a “probable private key compromise” ($2.4M), a phishing attack through a fake Blockworks website (no loss), and another one through a fake Ledger Live app listed in the Microsoft app store ($770k).
Self-custody is not easy, and numerous third-party services, both crypto-specific and all-purpose, offer to manage users’ seeds for them, such as the popular password manager LastPass.
The service is accused of being the origin of a long string of crypto thefts that started after the company was hacked last December. The hacker used seed phrases stored in LastPass vaults, and, helped by the company’s misleading communication and users’ procrastination in rotating their keys, managed to drain some $39 million, and counting.
⚠️ Any intermediary is a potential threat, and it is concerning that so many crypto users still make the same mistake. The golden rule is “not your keys, not your coins”.
DeFi protocols are hackers’ favorite victims, with bug exploits typically accounting for up to 80% of total losses (Immunefi).
⚠️ Most often, such hacks target new and relatively unknown protocols (Curve Finance’s was a notorious exception). To avoid losing money, the rule of thumb here is to use well-established platforms.
The term “rug pull” describes a situation where a project’s founding team disappears together with their clients’ funds. This year, the most significant rug pull was Fintoch ($31M in losses).
⚠️ It can be difficult to spot a rug pull, especially if its authors are adept at manipulating social media. The safest approach here is to avoid investing in or using protocols without a significant track record.
Phishing means impersonating a person or a service to lead users to a fraudulent website and/or make them approve a fraudulent transaction.
Mirror websites and fake apps that lead users to reveal their seed or sign fraudulent transactions are the most popular means.
⚠️ To fend off phishing attacks, attention to detail is crucial. Before approving a transaction or clicking on a link, cross-check the domain against several independent sources (verified social media accounts, other websites…), and treat a domain that merely resembles the one you expect as a red flag.
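The domain cross-check above can be partly automated on the user’s side. The following is an added example, not code from the original post or from any vendor named in it: it keeps a small allowlist of domains the user has already verified from several sources (the `.example` names are constructed placeholders, not real vendors’ domains) and classifies a URL as trusted, a lookalike of a trusted domain, or unknown. Lookalikes are caught three ways: a trusted brand label buried inside a longer hostname, a visually equivalent “skeleton” after mapping confusable characters (digits and Cyrillic letters that render like Latin ones), and a one-character typo. The confusables table is a deliberately small assumption; a production check would use the full Unicode confusables data and the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: domains the user has already cross-checked from several
# independent sources. Placeholder names, not real vendors' domains.
TRUSTED_DOMAINS = {"wallet-vendor.example", "defi-protocol.example"}

# Small constructed table (an assumption, not the full Unicode confusables list)
# of characters that look like ASCII letters in common fonts: digits and
# Cyrillic letters that are visually identical to Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "j": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "l",
}
# Digraphs that read as a single letter at a glance.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, adding a scheme if the user omitted it."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Caveat: multi-label public suffixes such as
    co.uk need the Public Suffix List; two labels suffice for the names used here."""
    return ".".join(host.split(".")[-2:])


def skeleton(name: str) -> str:
    """Collapse a domain name to a visual skeleton so lookalikes compare equal:
    strip accents, map confusable characters to their Latin base, fold digraphs."""
    decomposed = unicodedata.normalize("NFKD", name.lower())
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in base)
    for pair, single in MULTI_CONFUSABLES.items():
        mapped = mapped.replace(pair, single)
    return mapped


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats (dropped or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted' if the registrable domain is allowlisted, 'lookalike' if it
    imitates an allowlisted one, 'unknown' otherwise (unknown still needs a
    manual cross-check before signing anything)."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Trusted name used as a subdomain or prefix of some other domain,
        # e.g. wallet-vendor.example.login-secure.example
        if brand in host:
            return "lookalike"
        # Same visual skeleton, or one keystroke away from it.
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, one per case the check is meant to distinguish.
    for sample in ["https://wallet-vendor.example/app",
                   "wa11et-vendor.example",
                   "https://wallet-vendor.example.login-secure.example/",
                   "https://w\u0430llet-vendor.example",
                   "https://walet-vendor.example",
                   "https://news-site.example"]:
        print(f"{classify(sample):9}  {sample}")
```

Note that "unknown" is not a pass: the point of the allowlist is that a domain earns a place in it only after the cross-check the post describes, so an unknown domain asking for a signature deserves the same scrutiny as a lookalike.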