How Crypto-Phishers Steal Crypto Wallets

Are you a skeptic when it comes to cryptocurrencies? The vibe check in Southeast Asia (SEA) shows there’s more optimism than skepticism towards this technology.

Kaspersky’s fresh data on crypto-related phishing for SEA showed a slight dip in 2022. From 164,330 total crypto-phishing detections in 2021, it was down to 147,649 last year.

The global cybersecurity company, however, notes that the decline is only observed in three of the six key countries in the region – Singapore (-74%), Thailand (-51) and Vietnam (-15%).

This type of threat aiming to steal money from crypto wallet owners continue its upward trend in the Philippines (from 9164 detections in 2021 to 24,737 in 2022), Indonesia (from 19,584 detections in 2021 to 24,642 in 2022) and Malaysia (from 16,071 detections in 2021 to 16,767 in 2022).

“Scammers will stop at nothing when it comes to stealing cryptocurrency. First, it’s on trend. We see more and more adopters, especially in Southeast Asia. In fact, the region is responsible for 14% of cryptocurrency transactions globally and is predicted to continue being the frontrunner in mass crypto adoption,” explains Adrian Hia, Managing Director for Asia Pacific at Kaspersky.

“Second, the population here is young and highly digital savvy. Future trends are welcomed with optimism instead of skepticism. Thus, we believe that adopters here should be more knowledgeable on the latest tricks being used by crypto-phishers to keep their crypto assets safe,” adds Hia.

Kaspersky’s Spam Analysis Expert, Roman Dedenok discusses a tactic used by crypto-phishers to get their hands on unsuspecting victims’ crypto assets.

Free Money

As is often the case, it all starts with an e-mail. The brains behind this scheme chose as bait an offer to take part in a juicy giveaway of cryptocurrency: Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Tron (TRX) or Ripple (XRP). A total of $800 million no less was at stake! The overly generous scammers were kind enough to provide a simple three-point guide for those wanting to get their free cryptocurrency, plus a link to the “promotion” website.

Let’s take a look at the e-mail. It is signed by the support team of a certain Crypto Community: an association of crypto enthusiasts, one might think. However, the domain in the sender’s e-mail address has nothing to do with any kind of crypto at all. That does not inspire confidence. The message text is slapdash, and full of errors and typos. The scammers are likely counting on the victim being so taken aback by the nine-figure sum that everything else will slip under the radar.

Clicking the link takes the user to a phishing site. Its domain bears no relation to the sender’s address, and in the minimalist design there is no mention at all of any Crypto Community.

At this point, the victim is asked to specify the wallet they want the funds transferred to. The criminals covered all the most common wallets: Blockchain.com, Trust Wallet, MetaMask, Coinbase, Binance, Crypto.com, and Exodus. But users of more exotic wallets have not been forgotten: for them, an Other Wallets button has been provided. User-friendly, isn’t it?

Now for the most interesting part: to get the coveted tokens, the user must enter a secret series of words, aka – a seed phrase. As soon as they fill in the fields and click the Next button, a notification appears on the screen that everything was successful and the cryptocurrency will be in the lucky winner’s account within 24 hours.

Interestingly, the website has no checks: even if random words or even numerals (which cannot be part of a seed phrase at all) are entered instead, the site still reports a successful transfer. Of course, if the real seed phrase is typed in, far from receiving winnings, the victim will likely be relieved of all their savings.

Seed phrase, or the key to all doors

The scammers rely on the fact that people are usually very protective of their private key, which immediately opens access to the crypto wallet; but many do not realize their seed phrase is also top-secret, and think nothing of entering it on a website in anticipation of a reward.

In actual fact, the seed phrase is no less valuable. With it, an attacker can generate a new private key and thus gain access to the victim’s wallet. In other words, the seed phrase effectively affords the same opportunities to pillage your savings as the private key. This means you should protect the former from prying eyes and ears as carefully as the latter.

How to protect your crypto finances

To wrap up, a few tips to avoid falling victim to cryptoscams:

• Keep your seed phrase secret. Never reveal it to anyone, and enter it only to recover access to your wallet. Do not store the seed phrase in public file-sharing services, or send it via instant messaging apps or by email.
• Do not click on links in emails about giveaways, gift payouts, account suspensions or bank account closures. Such e-mails are most likely from cybercriminals. Read our checklist to learn how to spot online scammers.
• Use a reliable security solution that warns you in good time about phishing pages and prevents you from handing over sensitive information to the bad guys.