FBI: Fake Crypto Apps Have Scammed Hundreds of Investors, Losses Total Over $42 Million to Date

The FBI is warning the public about fake crypto apps following a recent surge in their appearance, with the most successful of these apps garnering millions of investor dollars before being found out.

Fake crypto apps continue to find success even as the market enters a lull period, as they specifically target new investors unfamiliar with the technology. The surge also comes at a time when nearly 100% of those under the age of 40 say that they make use of mobile banking apps, indicating not just a general comfort with phone-based transactions but also a very large pool of potential victims.

FBI report on fake crypto apps observes substantial amounts of theft since late 2021

Fake crypto apps have grown to be a significant problem in the United States, with the FBI reporting a flurry of activity since October 2021. The agency has logged at least 244 victims during this period, with a total loss of over $42 million.

These fake crypto apps tend to have some similarity in their operations. They generally position themselves as a crypto-focused “investment service” comparable to traditional fiat-based advisory services. Once victims deposit money, the app will at some point tell them that their account is frozen until they pay some sort of tax or additional fee. Some also message victims who have committed funds about a previously undisclosed “minimum balance” before withdrawals can be made, which in one case was an outrageous $900,000.

A major red flag for any crypto service is a lack of legitimate presence on the iOS or Android app stores, but even approval on those platforms is no guarantee of investor safety. A number of fake crypto apps have managed to operate on both platforms prior to being found out. One of the most brazen examples of this was the successful spoofing of an app made by Trezor, a legitimate hardware wallet company (and one of the world’s most well known). The fake Trezor app was able to slip by Apple security in early 2021 and remain listed on the app store for a number of days, harvesting over $1 million from trusting consumers before it was removed.

Another app impersonating the legitimate Ledger Live crypto wallet service reportedly stole at least $20,000 via the Microsoft app store.

Fake crypto apps target high rollers, implement complicated schemes

Some of these fake crypto apps, such as the phony version of Trezor, are content to operate for a short time and take whatever money in deposits they can rack up. But others are much more sophisticated, incorporating the trappings of a legitimate investment service (and sometimes even blending in “romance scam” influences in wooing investors). One of the fake crypto apps reported on by the FBI, a service calling itself “YiBit.vip,” is a perfect example of these operations aimed at stealing from investors looking to deposit hundreds of thousands to millions of dollars in funds.

First appearing roughly a year ago, YiBit appears to have actually functioned as an exchange for some time with the only suspicions raised being the company’s utter lack of history on the internet. But comments on social media sites indicate that the service was letting the “small fish” move money in and out freely; the real target was investors looking to deposit in the hundreds of thousands of dollars or more.

YiBit appears to have employed attractive women (or at least convincing simulations of them) to approach potential “high rollers” on services such as WhatsApp, combining romantic flirtations with promises of teaching investors unfamiliar with crypto how to make easy money via day trading. Those that tested the waters with small investments did report making some profits (likely fed by money stolen elsewhere) and being able to withdraw funds, but this was all to inspire confidence in making larger deposits. Once the “high roller” had committed a large amount of funds, they would be asked to “certify” their account before they could withdraw in a process that was dragged out and never resolved. Alternatively, the company would ask for a bogus personal income tax payment that had to be resolved before the account could be unlocked.

All told, YiBit users were scammed out of about $5.5 million. Another of these fake crypto apps, which remains unnamed by the FBI as it was impersonating a legitimate financial institution, managed to steal $3.7 million. These appear to be the largest of the individual thefts, at least among fake crypto apps for which amounts were reported, but there are many smaller players continuing to nibble away at the funds of investors.

James McQuiggan, Security Awareness Advocate with KnowBe4, sees this report as yet another call to action to put a greater emphasis on social engineering in cybersecurity programs: “Security awareness training focuses on phishing, and it’s important to remember that we should only download apps from trusted sources, like the Google Store or Apple’s App Store. Cybercriminals will leverage social engineering to convince victims to download apps which can take over their devices like smartphones or install browser extensions to take over their computers … When it comes to any online accounts involving finances, it’s crucial to ensure that multifactor authentication is configured on the account to reduce the risk of an account compromise. A username and password is a weak level of protection, and using MFA strengthens the account and protects the user’s finances.”

The FBI has issued some general warnings about spotting fake crypto apps in the wild: watch out for unfamiliar individuals who approach you on social media with solicitations (especially those touting day trading and easy returns), check the company history to verify it has a legitimate basis, and be wary of apps that have functions that are disabled or not working for some reason. And while the specific perpetrators of the crimes in the report were not named, the agency also issued a general warning that advanced state-sponsored North Korean hackers have been observed pulling scams such as these to raise money for their government.

Roger Grimes, Data Driven Defense Evangelist with KnowBe4, adds that social engineering is almost always a key element of these scams: “The two main ways value is stolen in the cryptocurrency world are social engineering and buggy smart contracts. Social engineering is involved in most of the attacks. Either convincing people to install malicious apps, as reported in this event, or in investing in fraudulent cryptocurrencies, tokens, and other “rug-pull” scams. Another common hacker ploy is for hackers to compromise a (Discord) chat channel dedicated to a particular cryptocurrency or token, and then to modify the channel’s moderation/welcome bot so that it posts a fake sell or “airdrop” which promises astronomical gains if users just provide their wallet information or access to their wallet … The metaverse is full of thieves, scammers, and money grab schemes…it’s rampant…and most innocent, unsuspecting people, trying to get rich quick after hearing about a friend or a friend’s son who recently got rich off of cryptocurrency, are ripe for the picking. They may think there are some scams in the metaverse, but they don’t realize it’s mostly scams and frauds.”

 

Senior Correspondent at CPO Magazine