The methods by which cryptocurrency is stolen by hackers and fraudsters change as cryptocurrency users become more aware of how cryptocurrency thefts happen. We thus thought it would be helpful to outline the most common ways that cryptocurrency is being stolen in 2024, and outline new emerging methods that hackers have been using to steal cryptocurrency. Notably, in the past year, we’ve seen a significant increase in thefts via drainers and malicious smart contracts for example.
Drainers or Malicious Smart Contracts
A cryptocurrency drainer is typically a malicious smart contract that employs scripts to drain or sweep a users’ wallet of funds. They are typically deployed through phishing techniques and misleading ‘advertisements.’
Users are prompted to approve a (malicious) contract with their wallet, such as in return for receiving a ‘free airdrop’ for example, and effectively give that contract permission to sweep certain funds from the wallet to the hacker’s wallet.
Drainer scripts are not new; they’ve been around for a few years. What is increasing particularly in the past year, however, is the vastly increasing preponderance of cases where drainers are responsible for cryptocurrency theft. They have become far more widespread than they used to be, and attackers have gotten far more creative and innovative in the way they are deployed.
Historically, compromised seed phrases or private keys have accounted for the vast majority of cryptocurrency thefts, but with drainers, no seed phrase or private key is technically compromised. Instead, the victim technically gives permission for a malicious smart contract controlled by an attacker to execute certain transactions from their wallet using the private key without the private key being compromised per se.
Those who have been in the cryptocurrency space for over a year are used to hearing ad nauseam to never give out or input their private key or seed phrase. The reality is this is one of the few ways funds are regularly being stolen from cryptocurrency users whereby victims don’t give out their private key or seed phrase, and thus users must realize there are other ways their funds can be stolen as well without a breach of the seed phrase.
Drainer scripts have become so widespread that these scripts are regularly sold or otherwise ‘licensed’ under a scam-as-a-service model whereby the developer takes a ‘cut’ for each successful theft in much the same way as ransomware.
How To Protect Yourself From Drainers
The key is having a thorough understanding of every contract you are interacting with, and independently verifying that each contract is safe. Users that interact with DeFi services are much more vulnerable and exposed than those that don’t.
Don’t interact with contracts and tokens that you haven’t verified or which you don’t understand. Also, when interacting with a smart contract, make sure you verify the contract is authentic and not merely a fake contract posing as a more well-known cryptocurrency token; for example, there are many different fake USDT tokens (and corresponding fake contracts).
Seed Phrase or Private Key Compromise
Compromised seed phrases and compromised private keys continue to remain a dominant way in which cryptocurrency is stolen. This will undoubtedly continue to be common in 2024.
There are many different ways in which the seed phrase can become compromised, resulting in cryptocurrency being stolen. What is changing is that attackers are continually finding and implementing more creative ways of stealing the seed phrase and phishing users. It’s not just a Google form created by a scammer anymore where users are prompted to enter their seed phrase.
From fake wallet applications, to impersonating scammers directing victims to a fraudulent link whereby they purportedly need to ‘sync’ their wallet, to malicious Google ads, to data breaches, the ways attackers go about stealing cryptocurrency via getting a hold of a victim’s seed phrase is lengthy.
How To Protect Yourself From a Seed Phrase Compromise
Store the seed phrase strictly offline. Avoid entering it on any computer, phone, or any electronic device (even if it’s offline) for any reason. Do not take a picture of it. And certainly do not save it on your cloud storage in any form, whether on your email, Google drive, Dropbox, Evernotes, etc.
If some website or service prompts you to enter your seed phrase for any reason, do not do it. Operate under the assumption that the request is fraudulent.
Attacks rely on victims to act quickly and irrationally to avoid “losing access to their wallet”. Do not fall for this. Think before you act.
Fake and Malicious Applications and Extensions
We still regularly encounter instances where users have lost cryptocurrency due to downloading and installing malicious versions of applications that seek to impersonate legitimate applications, and deceive users into thinking the application is safe, when it couldn’t be farther from the truth. Users are usually prompted to ‘connect’ their wallet or import their seed phrase.
Popular wallet applications like Ledger Live, Exodus, and Metamask are frequent targets in this regard.
How To Protect Yourself From Fake Applications
Ensure you download the application or extension from the real source. If trying to download Exodus’ desktop wallet application do not simply do a Google search for ‘Exodus wallet’ and click on the first link you see – attackers are regularly able to get malicious advertisements to the top of search results.
Rather, verify the legitimate URL for exodus wallet, which is exodus.com and then navigate to this website by typing it into the address bar of your browser. You can furthermore verify the checksum of the installation file to determine whether an installation file is authentic or not.
Avoid links that you see to websites that you find on Twitter, Reddit, other social media, or in advertisements since they can be fake and may direct you to a fraudulent source. Typing in the domain manually yourself (or better yet have the domain bookmarked) helps to ensure that you aren’t navigating to a phishing website that incorporates punycode or a similarly spelt name. If you are navigating to the site via a hyperlink, ensure you do so from a trustworthy post (not some random twitter post in your feed).
Malicious mobile applications continue to make their way into the Apple store and Google Play store with lots of fake positive reviews. The best practice is to navigate to the official website of the application you wish to download, and obtain the link to the authentic Apple store / Google play app from there.
Phishing
Unfortunately, phishing continues to remain a primary underlying cause that leads to cryptocurrency being stolen, and this will undoubtedly continue. Phishing attacks have become increasingly sophisticated and come in many different forms. They are a form of social engineering which attempts to deceive users.
Ultimately, a phishing attack does not, but itself, cause cryptocurrency to be stolen. It’s what the prospective victim does in response.
There are many different types of phishing, to include email phishing, vishing, spear phishing, pharming, website and domain spoofing, social media phishing, page hijacking, and on-chain phishing attempts.
These phishing attempts try to obtain information from users (whether it be passwords, seed phrases, personal identifying information), or prompt them to take some type of action (install an extension, navigate to a malicious URL, contact a fake customer support representative). They almost always try to instill a sense of urgency so the victim doesn’t have time to think straight.
How To Protect Yourself From Phishing
Because phishing comes in so many different forms, there is no one-size-fits-all solution to protect yourself from all the different types of phishing.
But we do have some general advice to help protect yourself from phishing given the commonalities of different types of phishing attacks.
It is important to always verify the source of the information you are receiving. Are you sure you are on the real Edge wallet website? Are you sure the blog article you are reading was not drafted by a scammer that is giving you fraudulent recommendations as part of their ‘guide?’ Is the person contacting you is who they said they are? If it’s an email, have you checked the email headers to ensure it is not spoofed?
Don’t rush any response or action. Take time to verify the authenticity of the source providing you with information.
Email Account Breaches
If there is one account users need to ensure is secure, it’s their email account. Ensuring your email account is secure is arguably more important than ensuring your exchange accounts themselves are secure because with most cryptocurrency exchanges, a breach of the email account is largely necessary for an attacker to access and withdraw funds from your exchange accounts.
Email accounts can also hold other sensitive data that, if breached, gives the attackers a wealth of information about you. This could include:
- A list of cryptocurrency exchanges and services you utilize
- A list of other financial services and banks you utilize
- Other email addresses of yours. These other email addresses can then be used for trying to log into other services you use, the hacker may be able to breach those email accounts as well depending on the email account recovery settings you’ve set (i.e. if your breached email address can be used as a recovery email for your other emails).
- Names and contact information of your friends and family, who they could then proceed to extort or claim you’re kidnapped and demand money
- Personal data associated with attachments you sent (i.e. ever sent a copy of your driver’s license or passport by email to anyone or to yourself)?
- Pictures of yours (your phone may automatically backup photos to your Google account for example)
- Copies of seed phrases or private keys you might have elected (against advice) to store on your Email or Google Drive – which is precisely why you should never store such sensitive information on the cloud to begin with
- Passwords stored on your cloud storage, such as Google password manager, or if you’ve stored a backup of your password manager on your email or Google drive
- Other services you use, which makes you a prime target for targeted spear phishing attacks.
It thus shouldn’t be surprising to hear that email account breaches continue to play a critical role in a significant portion of cryptocurrency thefts and this behooves users to take a proactive approach to security and ensure their email accounts are set up in a sound and secure manner.
How To Prevent an Email Account Breach
Ensure you are using a secure unique password for your email account, and ensure you have 2FA that is properly set up. If you are using an app-based authenticator, ensure your settings are such that it is not prone to being compromised (which we talk about below). Or use hardware-based authentication, or prompt-based 2FA (e.g. Google Prompt). Avoid using SMS 2FA given its vulnerability to fraudulent SIM Hijacking.
Be particularly careful about the ways in which your email could be fraudulently ‘recovered’ by an attacker. Be especially careful about any ‘recovery email address’ associated with an email account – if that email address is breached, it can be potentially used to breach your main email address that you are most concerned about.
Having a different email address for your more sensitive financial accounts and information is generally a good idea as well.
Two Factor Authentication Compromise
Various types of Two-factor authentication (2FA) can be compromised, with some more prone to being compromised than others. 2FA is an important and valuable security measure that is available for many accounts, both crypto-related and non-crypto accounts, and if the 2FA is compromised, it can lead to a breach of those accounts.
Common types of 2FA include SMS, TOTP-based authentication (app-based, like Google Authenticator), hardware-based authentication, and biometrics. 2FA compromises are still something we are regularly encountering, and interestingly some types are increasing.
SMS 2FA
SMS 2FA is often breached by means of a fraudulent SIM Swap or SIM Hijacking. There are no shortage of stories about this in the news. The best way to prevent SMS 2FA from being compromised in a SIM Swap is simply not to use it for SMS 2FA to begin with, given how it can be compromised by a third party without your consent.
Compromises of hardware-based 2FA are quite rare in comparison. However, this type of 2FA isn’t for everyone, and does have an upfront cost associated with it for the hardware.
TOTP 2FA
As a result, app-based authentication seems to largely be the security norm in most cases, particularly for anything linked to cryptocurrency in any way. However, depending on the authenticator app you’ve chosen, certain ones can be susceptible to a SIM Swap in some instances depending on the settings and preferences you’ve chosen.
For example, Authy is susceptible to a SIM-Swap if the ‘multi-device’ feature is left on – something we’ve encountered in numerous cases in the past.
Just this past year, Google Authenticator has become more prone to compromise as well. This is because Google Authenticator now backs up the OTPs to the cloud. Thus if a hacker already had access to your Google account first, a hacker could potentially obtain your Google authenticator 2FA backup codes. It should be noted that this breach vector requires the hacker to obtain the 2FA backup codes first, which they presumably wouldn’t have unless they were already able to get into your Google account.
Google bills this as a positive feature and enhancement to Google Authenticator. In many cases, for many users this feature will end up being a good thing. For cryptocurrency users in particular, they should tread cautiously as it opens up a new attack vector since 2FA backup codes are now more often stored online. Users should ultimately keep in mind that the Google Authenticator app was not designed with the specific interests of cryptocurrency users in mind.
All these types of 2FA are simply not available, nor even possible for cryptocurrency wallets, like Metamask or Exodus. Thus a compromise of a users’ 2FA doesn’t inherently result in a breach of such a wallet since the wallets don’t use 2FA. However, a compromise of 2FA can still play a role that ultimately leads to a breach and cryptocurrency theft from these wallets if a user elects to their credentials or private keys on an online account that is breached as a result of the 2FA compromise.
How To Prevent Your 2FA From Being Compromised
If using an app-based authenticator, be careful about where your codes are backed up to (if they are backed up), particularly if it’s backed digitally or somewhere on the cloud. It is safer to store any recovery keys offline. If you elect to use Authy, ensure you turn the multi-device feature off.
There aren’t a whole lot of things you can do to prevent a SIM-Swap. Notifying your carrier can help, but that isn’t always the case. The key is not to be reliant on SMS as a form of 2FA. There are also some services that are much less prone to a fraudulent SIM-Swap, specifically Efani and Google Fi Wireless in the United States.
Password Manager Compromise
Using a password manager is a great way for users to store secure unique passwords for sites they use, which in this day and age is simply not practical for users to remember, leading users to use the same or very similar passwords for multiple websites if not using a password manager.
Users that elect to use a password manager that is affiliated with the same account as their email address should be particularly careful (i.e. a Gmail user that uses Google password manager). This is because if the Google account is breached, on top of having access to the victim’s emails, the attacker can potentially sync and obtain passwords in some cases as well.
Other reputable password managers like Bitwarden and 1Password are a better choice in most cases, but these password managers and password manager vaults can be compromised too in some instances. When the password manager is compromised, in most cases it’s due to how the user has elected to back up their vaults or password manager accounts, whereby the attacker is able to obtain the backup credentials.
Different password managers allow users to backup password manager data in different ways. Bitwarden for instance allows users to export an encrypted backup as a .json file. 1Password provides an ‘emergency kit’. Avoid storing this type of sensitive data on the cloud. Either store it offline (and make sure not to include the master password with it), or if possible, print out the backup and only store it physically, as you should be doing with any seed phrases or private keys.
Finally there is the risk of password manager software becoming compromised, and many account details becoming compromised by an attacker through no fault of the user. The Lastpass data breach is a prime example of this. Industry experts (including ourselves) have seen plenty of evidence to suggest that more information was compromised than what was officially disclosed having been breached from Lastpass.
How To Protect Yourself From a Password Manager Compromise
Proper password hygiene is very important. Using secure unique passwords for your accounts is important for cybersecurity hygiene, and password managers are a great way of managing all those passwords that would simply not be practical to remember all in your head.
In the unlikely event your password manager becomes compromised, and another similar situation arises in the future, your options are somewhat limited, but there are still things you can/should do. Changing your passwords and migrating to a new password manager is one. Hopefully, you set up 2FA – it’s a prime example of why 2FA is so important to begin with – it adds an additional layer of security if your passwords are compromised.
Traditional Malware
Other types of malware, such as keyloggers, malicious chrome extensions, clipboard hijackers, still play a role in cryptocurrency thefts, although they only account for a minority of cases.
How To Protect Yourself From Malware
Ultimately, your best defense against this type of malware (beyond the obvious of not installing questionable or pirated applications and using anti-virus software) is using a hardware wallet, and combining that with sound cybersecurity hygiene like using a password manager to generate unique, secure passwords, and using 2FA.
Furthermore, it’s critically important to avoid storing your seed phrase on any electronic device (even offline), or online (i.e. Gmail, Google Drive, Dropbox, Evernotes, etc.)
Pig Butchering
Pig butchering may or may not count as a ‘theft’ depending on how you define the term cryptocurrency theft, since it generally relies on the fraudsters deceiving victims into sending their cryptocurrency under fraudulent and fictitious pretenses, making it more of a scam than a theft.
However, pig butchering inquiries dominate our inquiries, accounting for roughly 35% of inquiries we receive, making it by far the most common way that victims lose cryptocurrency, and give the frequency that these cases have increased even further since we last talked about pig butchering, it’s worth mentioning here again as it is a dominant way by which cryptocurrency is stolen in 2024.
One interesting aspect of pig butchering is that the scammers typically target people who are relatively new to cryptocurrency, and often even people that have no prior experience dealing with cryptocurrency at all.
How To Avoid Becoming a Pig Butchering Victim
Your best defense against pig butchering is education about how the scams are perpetrated, understanding how to identify it, and being able to distinguish a real cryptocurrency exchange like Coinbase from the fake cryptocurrency exchanges that pig butchering operations direct victims to.
Almost all pig butchering scam victims have never even heard of pig butchering victims beforehand (in contrast, we’ve all heard about phishing). Most pig butchering victims have little or no understanding about how cryptocurrency works, and the fraudster is the one that has enticed them to acquire cryptocurrency (if they don’t already have it) and then “invest” it on an “exchange” that the scammer “recommends” and “trusts.”
Most of all, don’t trust what someone you met online (but still haven’t met in person) “recommends” especially if they are “suggesting” you “invest” money on a purported cryptocurrency platform that they “trust”. Don’t assume someone is who they say they are, even if they’ve taken weeks or months to build rapport with you.
Learn how to do due diligence on cryptocurrency exchanges and learn how to identify a legitimate exchange from a fake one. Avoid using cryptocurrency exchanges that don’t already have a large amount of publicity (i.e. Coinbase and Kraken are safe and legitimate exchanges to use – why use some no-name exchange with a domain that has no track record?
If you take the time to educate yourself about cryptocurrency before investing, you’re aware about how pig butchering scams work, and you practice basic fraud prevention practices, it’s extremely unlikely you’ll become a pig butchering victim. The pig butchering victims will be those that haven’t read up on it and who have failed to heed such caution until it’s too late.
Other Things You Can Do To Prevent Cryptocurrency Theft
Educating yourself about how cryptocurrency is being stolen, which you’re already doing if you’ve read this article. This helps you better identify theft attempts and red flags when you come across them. This is in addition to the various steps mentioned above.
One final recommendation we have to consider is that many cryptocurrency users should mitigate risks by using both a hot wallet and cold wallet. For example, if a cryptocurrency user regularly interacts with DeFi protocols and DeFi exchanges, it makes sense to do so on a Metamask ‘hot’ wallet, while storing the majority of the funds in a safer location on a cold hardware wallet. Thus, if your Metamask hot wallet ends up getting breached (due to a drainer for example), you still have the majority of your funds safe on your hardware wallet.