Indonesia, Nigeria, the US, and Vietnam have some of the highest victim rates for crypto scams, Harry Denley, Director of Security at MyCrypto, told Decrypt.
Denley, of Southampton, London, has tracked crypto scams since June 2018 through shortened Bit.ly URLs that funnelled victims to fraudulent websites designed to trick them out of cryptocurrencies.
He analyzed potential victims for 118,302 click-throughs by monitoring URLs he’d worked out led to scams. He’d been tipped off to these scams by those who’d fallen prey to them, or other security researchers he knows, Denley said.
As part of the study, he tracked a total of 266 ETH (worth roughly $45,554), but found that lots of wallet addresses were single-use addresses that funnelled funds to a larger consolidation of addresses. Some of these hold more than $100,000. In fact, 34 percent of the stolen funds analyzed went to just one address, which holds around $150,000.
By analysing network data, Denley found that 14 percent of victims were in Nigeria; 11 percent in Indonesia; 9 percent in the US; and 8 percent in Vietnam.
Denley found that the best ways to swindle crypto holders were disappointingly routine trust-trading scams. “In essence, they would be promised a bunch of tokens through an airdrop, usually advertised to be worth a good amount of USD, and they’d be asked to provide information,” he wrote in his report.
Of the top referral methods scammers use to lure in victims, email, SMS and direct clicks were the most popular, accounting for 36 percent of victims. Next up, with 35 percent, was a popular airdrop scam—kinetictokenforms.typeform.com—which Denley told Decrypt is a “KYC before you get the airdrops” scam in which “the bad actors would harvest identifiable information for targets as well as attempt to send them to weaponized Ether wallets.” Twitter formed 4 percent of referrals.
Denley acknowledged, however, that his study has some limitations. Google Trends data, which suggests how interested people are in blockchain, doesn’t match with Bit.ly Analytics data. Denley suggests this means that links were given to individuals directly, or that people clicking on the link used VPNs to redirect traffic to the most popular scam sites.
In addition, new scammers, with new types of scams, surface all the time, so Denley’s dataset represents just a small subset of the true problem. “Whilst we get a lot of really good reports from various people in the ecosystem, and we hunt them ourselves via various popular channels (ie: Twitter, Google Ads, forums, ...) we won't catch them all,” he said.
Should exchanges be responsible for preventing known scammers—at least those logged on public blacklists—from using the service? It’s a tough one, said Denley. “Exchanges are private for-profit entities for trading—they are not inherently security products,” he said.
Getting around the red tape could be tricky, not least because some “public blacklists...accidentally launch a griefing attack on someone they don't like by accidentally blacklisting random addresses without solid proof of them belonging to a bad guy,” Denley added.
And then there are the politics that such blacklisting methods drag up: “From my experience on blacklisting addresses and domains, even if it's for the users' best interest, there will always be that small group of people who lobby against you for ‘acting like police’ or ‘school-hall monitors,’ because they are ‘adults and can decide what they do with their money,’” said Denley.
Private companies aren’t known for resolving complex ethical queries. But that doesn’t mean solutions can’t be found in the market: Denley recommends purchasing hardware wallets, like a Ledger or a Trezor, “so that your private keys always stay offline in a contained device.”