You’ve been Hacked: An overview of crypto exchange fraud in 2022
The problem of payment fraud has intensified in the past couple of years, and the crypto space isn’t immune to its spread.
As the market continues to grow in size, so does the level of fraudulent activity. So far, losses caused by DeFi (Decentralized Finance) exploits have totaled $12 billion in the first 11 months of 2021. Fraud and theft account for $10.5 billion of that sum, which represents a sevenfold increase from 2020.
Crypto exchanges are frequently under attack, and once the money is gone, it's gone for good, and along with it a chunk of the exchange’s reputation.
The crypto space has a huge desire to be widely accepted and used in the mainstream, but as long as it is perceived as unsafe, its massive potential will not be realized.
It doesn't have to be this bad.
Why crypto is a high-risk digital good
The high-tech world of crypto means there are many new and evolving risks, all thanks to the nature of these digital assets:
Decentralization: because cryptocurrencies are distributed across a large number of computers, they exist outside the control of governing bodies.
Irreversibility: unlike with fiat currencies such as the US dollar, there usually aren’t legal protections for cryptocurrencies. Crypto payments generally aren’t reversible; the only way to get money back is if the person you paid sends it back.
Pseudonymity: although cryptocurrencies offer a decent amount of anonymity, since a user can hold a crypto address without revealing anything about their identity, transactions are permanent and public. Sending and receiving virtual currency is therefore a lot like writing under a pseudonym: one person can hold multiple addresses, create multiple wallets, or use tumblers/mixers to obfuscate their trail.
On top of these, the fact that this is a volatile and complex technology that is far from easy to understand helps the fraudsters’ cause. Scams such as fake coins and fake exchanges present an appealing opportunity to get rich quickly by buying and selling as fast as possible.
How crypto exchanges are targeted
Unfortunately, there is no shortage of ways crypto exchanges are under attack.
The all-too-familiar type of fraud mostly happens when converting a fiat currency to crypto. A fraudster purchases cryptocurrency with a stolen credit card number and sends it to another wallet, which triggers a chargeback request from the actual cardholder. The exchange then issues a refund while the fraudster keeps the stolen goods.
Another common case is a user buying a certain cryptocurrency, which then loses value against a fiat currency. The user then abuses the chargeback process by attempting to secure a refund.
In some cases where phishing is involved (more on that below), a user buys a cryptocurrency with their credit card and thinks they are sending it to their own wallet. However, they actually click a link that sends the cryptocurrency to someone else (a fraudster’s wallet), which is reason enough to request a chargeback and yet another way crypto exchanges can be hurt.
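The first pattern above (card-funded purchase, immediate transfer to an outside wallet, chargeback weeks later) is something an exchange can look for before the chargeback arrives. The following is an added example, not code from the original post or from any exchange: it runs a simple rule over a constructed ledger and flags accounts that move most of their freshly card-funded value off-platform within a short window, with the destination being new to the account as an aggravating signal. The `Event` schema, the account ids, the addresses and the 2-hour / 90% thresholds are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One ledger event for an exchange account (constructed schema, not a real exchange's)."""
    account: str
    kind: str            # "card_purchase" or "withdrawal"
    amount: int          # fiat-equivalent value at the time of the event
    at: datetime
    address: str = ""    # destination wallet for withdrawals


# Constructed sample ledger. u1001 buys with a card and cashes out almost everything within
# minutes to a never-seen address; u2002 buys and only takes a little out hours later;
# u3003 cashes out quickly but to an address the account has used before.
EVENTS = [
    Event("u1001", "card_purchase", 500, datetime(2022, 3, 1, 10, 0)),
    Event("u1001", "withdrawal", 495, datetime(2022, 3, 1, 10, 20), "addr-never-seen-1"),
    Event("u2002", "card_purchase", 300, datetime(2022, 3, 1, 9, 0)),
    Event("u2002", "withdrawal", 50, datetime(2022, 3, 1, 15, 0), "addr-cold-wallet-2"),
    Event("u3003", "withdrawal", 20, datetime(2022, 3, 1, 8, 0), "addr-known-3"),
    Event("u3003", "card_purchase", 200, datetime(2022, 3, 1, 11, 0)),
    Event("u3003", "withdrawal", 185, datetime(2022, 3, 1, 12, 30), "addr-known-3"),
]


def flag_fast_cashouts(events, window=timedelta(hours=2), min_ratio=0.9):
    """Return {account: [reasons]} for accounts that fund with a card and promptly move
    most of that value off-platform, the pattern that later shows up as a chargeback."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.at):
        by_account.setdefault(ev.account, []).append(ev)

    flagged = {}
    for account, evs in by_account.items():
        purchases = []          # card purchases seen so far for this account
        seen_addresses = set()  # withdrawal destinations seen so far
        for ev in evs:
            if ev.kind == "card_purchase":
                purchases.append(ev)
                continue
            if ev.kind != "withdrawal":
                continue
            # Card-funded value that landed inside the look-back window before this withdrawal.
            recent = sum(p.amount for p in purchases if ev.at - p.at <= window)
            reasons = []
            if recent and ev.amount >= min_ratio * recent:
                reasons.append(f"withdrew {ev.amount} of {recent} card-funded within {window}")
                # A brand-new destination on top of a fast cash-out is the stronger signal;
                # a new address on its own is normal behaviour and is not flagged.
                if ev.address not in seen_addresses:
                    reasons.append(f"first withdrawal to {ev.address}")
            seen_addresses.add(ev.address)
            if reasons:
                flagged.setdefault(account, []).extend(reasons)
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_fast_cashouts(EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

A flag here is a reason to hold the withdrawal for review or require a stronger card check, not proof of fraud; the thresholds are meant to be tuned against an exchange's own chargeback history.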
Social engineering fraud
This is a more widespread form of fraud where the goal is to obtain the details of a user’s crypto wallet.
There is a wide variety of scams that aim to exfiltrate the user’s credentials.
Scammers often pose as tech support on social media networks. For example, a fake crypto support bot on Twitter monitors every tweet for specific keywords, such as “MetaMask” and “support”. When such a tweet appears, it instantly replies to the tweeter, offering false support and urging them to click a link.
If the user falls for it, the scammer keeps working on them, using social engineering to obtain the recovery phrase for the user’s cryptocurrency account. Once the scammer has that, they steal the user’s cryptocurrency.
Then, there are the traditional phishing scams that offer more anonymity and less hassle for fraudsters.
Just as a standard phishing attack would work, a fraudster sends an email attempting to lure recipients into clicking links and inputting their personal details, which include the crypto wallet key info.
These scams are successful in part because a wallet address is a long string of numbers and letters, so it’s fairly easy to imitate. Scammers make a phishing URL more convincing by copying the URL of a legitimate exchange and swapping certain letters and numbers (e.g., “l” for “1” or “0” for “O”).
So, the user needs to deliberately pay a great deal of attention to notice it’s fake, double- and triple-checking the URL.
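The letter-for-digit swaps described above can be caught mechanically, which is how an exchange's own mail filter, browser extension or support tooling can warn users before they type anything. The following is an added example, not code from the original post or from any exchange: it folds the confusable characters the post mentions (plus the usual "rn"/"m" and "vv"/"w" pairs) so that a look-alike collapses onto the genuine hostname, adds a small edit-distance check for dropped or swapped letters, and also catches the genuine name being used as a subdomain of an unrelated domain. The hostnames in `KNOWN_GOOD` and the sample URLs are constructed for the illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list of an exchange's own hostnames (assumed names, not a real exchange's).
KNOWN_GOOD = {"exchange.example", "login.exchange.example"}

# Character swaps the post describes, plus two-letter pairs that render alike.
# Multi-character pairs come first so "rn" is folded to "m" before any single character moves.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("3", "e"), ("|", "l")]


def hostname(url):
    """Extract the host actually being contacted. Userinfo tricks such as
    good.example@evil.test resolve to evil.test, which is what matters."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def skeleton(host):
    """Fold confusable characters so look-alikes collapse onto the genuine name."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Plain Levenshtein distance; catches a dropped or transposed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, known_good=KNOWN_GOOD, max_distance=2):
    """Return ("legitimate", host), ("lookalike", imitated_host) or ("unknown", None)."""
    host = hostname(url)
    if host in known_good:
        return ("legitimate", host)
    for good in sorted(known_good):
        if host.startswith(good + "."):                 # genuine name used as a subdomain elsewhere
            return ("lookalike", good)
        if skeleton(host) == skeleton(good):            # l0gin.exchange.example, exchange.exarnple
            return ("lookalike", good)
        if edit_distance(host, good) <= max_distance:   # exchnage.example
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["https://login.exchange.example/reset",
                   "http://l0gin.exchange.example/reset",
                   "https://exchange.example.support-desk.test/",
                   "https://exchange.example@evil.test/"]:
        print(sample, "->", classify(sample))
```

The edit-distance threshold is deliberately small; on short hostnames even a distance of 2 starts matching unrelated names, so in practice the allow-list comparison is scoped to the registrable domain and the threshold is tuned per name length.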
In such cases the exchange is as helpless as a bank whose client has had cash stolen. The money is gone.
Obviously this seriously hurts crypto exchanges, even though they aren’t directly responsible for users being victims. It’s a huge hit on an exchange’s reputation, and brand image can be the key differentiator in an increasingly competitive market.
Compliance, friction and everything in between
Unlike its banking counterpart, blockchain lacks common KYC (Know Your Customer) and AML (anti-money laundering) checks. These two sets of standards make sure customers are who they say they are and don’t represent a threat to the business, and prevent criminals from depositing or transferring funds that came from illegal activity.
That means people can open wallets without submitting valid identification, address, or contact information. Case in point: Binance, one of the largest exchanges in the world, allows trading without KYC checks.
The other side of the coin (pun intended) is that as crypto exchanges become increasingly regulated, the registration process in many exchanges is cumbersome, requiring new users to go as far as taking pictures of themselves holding declarations and IDs.
I suspect that in the near future, compliance will become stricter, and not enforcing checks such as two-factor authentication or allowing weak passwords will yield severe penalties.
The process will need to be revisited to strike a proper balance between minimal friction and maximal protection.
What can be done about this?
In 2022, crypto payment fraud isn’t a problem you can ignore. The repercussions of allowing fraudsters into your site, either as registered users or through backdoor hacking, can be catastrophic.
Right now, many crypto exchanges that have fallen victim to fraudulent attacks just chalk it up to the cost of doing crypto.
This is bad.
Fraud should never, ever be accepted as part of the "cost of doing business".
A lot of this activity can be cut off at the pass with tools that match customer data against cryptocurrency transaction histories. This makes it easier to identify high-risk customers, remain AML compliant, and avoid the stigma associated with crypto money laundering.
Anything else is a gamble not worth taking.