Cybercriminals posing as legitimate investment firms and cryptocurrency exchanges have stolen tens of millions of dollars from more than 200 people by convincing them to download mobile apps and deposit cryptocurrency into wallets owned by the perpetrators.
According to an alert [PDF] sent out on Monday by the FBI, the cyber-thieves are contacting US investors, fraudulently claiming to be legitimate organizations offering cryptocurrency services and mobile apps. Once the marks download the apps and deposit funds into the account, they are unable to get them back.
To date, the Feds have identified 244 victims of the scams, saying that $42.7 million was stolen between October 2021 and this May. The bureau is warning both financial institutions and investors to protect themselves against such schemes.
“Cyber criminals are creating fraudulent cryptocurrency investment apps to exploit legitimate cryptocurrency investments, defrauding US investors and causing reputational harm to US investment firms,” the FBI wrote in the alert.
“Innovative financial institutions offer mobile apps to enhance user experience and increase legitimate investment. Cyber criminals seek to take advantage of the increased interest in mobile banking and cryptocurrency investing.”
The legitimate global cryptocurrency world has expanded albeit not without problems, such as rapid growth followed by dizzying plunges. The blockchain watchers at Chainalysis noted in a report earlier this year that across the cryptocurrencies it tracks, total transaction value between 2020 and 2021 grew 567 percent, hitting $15.8 trillion last year.
At the same time, more cybercriminals are using cryptocurrency, though the year-over-year increase was 79 percent, significantly lower than the growth rate of legitimate crypto use.
“However, we also have to balance the positives of the growth of legal cryptocurrency usage with the understanding that $14 billion worth of illicit activity represents a significant problem,” the team wrote. “Criminal abuse of cryptocurrency creates huge impediments for continued adoption, heightens the likelihood of restrictions being imposed by governments, and worst of all victimizes innocent people around the world.”
Cryptocurrency has a wide role in modern cybercrime. Criminal gangs run myriad campaigns aimed at stealing cryptocurrency, from cryptomining and cryptojacking attacks to scams like those outlined in the FBI alert. In addition, cryptocurrency plays an increasingly central part in other cybercrimes, particularly ransomware, where payment is typically made in cryptocurrency. There is an ongoing debate whether to more tightly regulate or outright ban cryptocurrency in hopes of slowing or eliminating the threat of ransomware.
President Biden’s administration is pushing for greater scrutiny on the booming market for digital assets – which includes cryptocurrency – a space the US government says passed a $3 trillion market cap in November 2021. It noted that about 16 percent of adult Americans – or about 40 million people – have invested in, traded, or used cryptocurrencies and that more than 100 countries are investigating digital forms of their currencies.
President Biden in May signed an executive order outlining a “whole of government” approach to addressing the benefits and risks associated with cryptocurrency, with the aim of protecting consumers, investors, and businesses and mitigating the risks to the US and global economies.
Around the same time, the SEC created an organization within the agency called the Crypto Assets and Cyber Unit, tasked with helping to increase oversight of crypto markets.
The US Treasury this month outlined a framework to support Biden’s executive order.
The FBI’s alert this week falls in line with the increased attention the government is giving to cryptocurrencies and other assets, according to Mark Bower, vice president of product at Anjuna Security, a cybersecurity company that focuses on data security and privacy.
“While crypto crime gets FBI attention to drive consumer education, it can also place even more pressure on legitimate crypto industry players to deliver new levels of trust and integrity,” Bower told The Register. “The SEC’s new Crypto Assets and Cyber Unit was formed for exactly that and will no doubt be looking for proof the industry itself is resilient in the face of crime risk, attack and compromise to investors who bear the brunt in the hip pocket today.”
Crypto lender Celsius in Chapter 11 deep freeze
In its advisory, the FBI said that between December 22, 2021, and May 7, cybercriminals purporting to be a legitimate US financial institution scammed at least 28 people of about $3.7 million. They used the name and logo of the institution to convince the investors to download an app and deposit cryptocurrency into wallets associated with the victims’ accounts on the app.
Thirteen of 28 tried to withdraw funds from the app, receiving an email stating they had to pay taxes on their investments before withdrawing funds. Even after paying the fake tax, they were unable to make withdrawals.
Two other campaigns followed similar patterns. Between October 4, 2021, and May 13, thieves using the name YiBit – a onetime legitimate cryptocurrency exchange that apparently shut down in 2018 – convinced investors to download its app and deposit cryptocurrency into wallets. Again, victims were told they had to pay taxes before withdrawing funds. At least four people were defrauded of about $5.5m.
Another scam that run in November last year saw criminals operating under the name Supayos – also known as Supay – which the FBI said was a fraudulent company using the same name as an Australian currency exchange. Again, the victims were convinced to download a mobile app and make deposits into Supay wallets associated with them.
“The cyber criminals told one victim he was enrolled in a program requiring a minimum balance of $900,000 without his consent; upon trying to cancel the subscription, the victim was instructed to deposit the requested funds or have all assets frozen,” the agency wrote.
The FBI is urging financial institutions to warn customers about such scams and give them ways to report it, to be transparent about the cryptocurrency services and mobile apps they offer, and conduct period online searches to detect fraud if it’s happening.
The agency warned consumers to be wary of unsolicited requests to download investment apps, particularly from unknown or unverified people, and verify the legitimacy of an app before downloading it. ®