For some, the key feature of cryptocurrency is that it is largely untouched by world governments. That state of being comes with certain inherent risks, and recent creative crypto scams illustrate some specific things that investors need to be prepared for. A scam that played on the popularity of the Squid Game franchise demonstrates how the psychological effects of “fear of missing out” (FOMO) can override the thinking of even informed and careful investors, and one that targeted Google Ads provides a warning that threat actors will adapt their old tried-and-true tactics to attack this lucrative market.
“Squid Game” crypto scam was a blatant pump-and-dump
Each decade appears to have its own influential series that involves people hunting each other in some sort of dystopian game run by an authoritarian government. The popular Netflix series Squid Game stepped forward to fill that niche for the 20s.
The runaway popularity of the South Korean series has created at least one real-world threat: a crypto scam that leveraged its brand name to sucker in over $3 million in investments that were summarily stolen. The scheme was a classic pump-and-dump, using internet hype to quickly raise the price while making it very difficult for those who had bought in to sell their stake.
Of course, this had nothing to do with the actual Squid Game brand; intellectual property theft and abuse is just another possibility that is wide open in an unregulated market. The parties behind the crypto scam remain unknown, but were able to tap into trending tags and discussions of the show on social media to raise awareness of the coin and rope in victims.
Another factor that aided the Squid Game crypto scam is the recent meteoric rise of the Shiba Inu coin; like Dogecoin, it was once widely seen as a joke but began accruing value very quickly in October after some cheeky tweets about it from Elon Musk and a rally by casual internet investors looking to make the next GameStop out of it. When a crypto coin spikes in this way, FOMO generally follows as soon as another coin starts to show a similar pattern.
Even though warning signs were plentiful, the sudden spike of the newly-introduced Squid Game coin caused some people to jump in with both feet. The coin rose by 1,000% in a matter of days and looked to continue going up, causing social media buzz that translated into legacy media coverage. Of course, all of those supposed gains were illusionary. The creators of the coin were running an intentional crypto scam from the beginning, preventing anyone from selling what they had bought. When they pulled the rug out on November 1st, they made off with $3.3 million in investments and made the coin virtually worthless in the space of about 10 minutes.
There were certainly warning signs along the way. The white paper used to introduce the Squid Game coin described an unusual structure, tying the coin’s value to a separate pay-to-play game that would require investors to purchase a virtual currency (“marbles”) in order to cash out. There was also the fact that they had no authorized association with the brand, creating the possibility of the legitimate IP holders stepping in at some point. And the various social media accounts the coin creators set up did not allow replies to posts and messages.
Nevertheless, the scammers were able to attract several million dollars before disappearing. The technical details of the exit scam were more sophisticated, leveraging popular trading platform Binance’s structure to make their intentions less obvious. The actual value of the Squid Game tokens was transferred to Binance’s BNB tokens, which were then run through a mixing service to obscure the fact that only a small handful of wallets were ultimately holding all of the tokens in circulation.
Google Ads scam targets crypto wallet holders
Another recent scam that made use of Google Ads demonstrates that old tricks from cyber criminals can be applied in new ways in the crypto market.
This scam filched about half a million dollars via fake ads that criminals paid Google Ads to place at the top of searches related to cryptocurrency. The ads targeted wallet holders looking to visit popular sites, posing as these sites and then redirecting victims to an attack site that harvested their login credentials.
This is a classic phishing approach, usually delivered by email or text message; the use of Google Ads is novel. Part of the success is likely owed to the tendency of these sites to use offbeat alternative domain extensions rather than the traditional .com and .net. A slight variant in the URL leading to the cloned attack site might be less immediately visible to those clicking through the ads.
Another factor is that Google Ads only recently started allowing cryptocurrency ads again, after banning them in early 2018. The ad network is supposed to require certification and subject buyers in this category to extra screening, but apparently there was a critical failure in this case.
Roger Grimes, data-driven defense evangelist at KnowBe4, added some insight on the history of Google Ads fraud: “Attackers have tried using both search engine optimization (SEO) techniques as well as buying ads to initiate attacks for decades, and Google has been fighting it just as long. But it is a tough fight. The larger problem is known as transitive trust. If A trusts B and B trusts C, then A trusts C. It is not only search engine ads, it is ads on most websites. Most websites have no idea what ads (or not ads) are running on their websites. It is even beyond ads. The average major website has dozens to hundreds of components coming from all over the web to make the single page we see and download. Almost none of those websites know what is running on their own sites at any point in time. They lost control and interest a long time ago. And it is not uncommon for one of those components to be compromised or abused by phishers to poison the web page. There are even entire companies whose only job is to monitor customer web pages and alert those customers when they detect something malicious. And they detect malicious components nearly every day on the most popular sites. It is a constant battle. And no one has come up with a great solution yet for keeping otherwise innocent websites free of badness.”
There is one simple solution to avoiding a Google Ads attack: don’t click on any link that has “Ad” next to it in the search results at the top of the page, and ideally bookmark the legitimate URL instead of Googling for it each time. Avoiding crypto scams requires a greater degree of due diligence, but the examples provided by the Squid Game coin scheme provide a template of red flags to check for.
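The bookmark advice and the "slight variant in the URL" problem described above can be turned into an automated check. The following is an added example, not code from the article or from any vendor it mentions: it compares a link's hostname against a list of bookmarked sites and flags near-misses. The hostnames are constructed placeholders, and the function names and the distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Constructed placeholder hostnames standing in for a user's bookmarked wallet sites.
TRUSTED_HOSTS = {"app.demo-wallet.finance", "demo-swap.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's hostname."""
    # urlsplit().hostname is lowercased and excludes any user@ prefix and port,
    # so "https://good-site@other-host/" is judged by "other-host".
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in trusted:
        return "trusted"
    # Non-ASCII or punycode labels can render like a trusted name (homoglyphs).
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "lookalike"
    for good in trusted:
        # Same name under a different extension, e.g. .finance swapped for .com.
        if host.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]:
            return "lookalike"
        # One or two characters changed, added or dropped.
        if 0 < edit_distance(host, good) <= max_distance:
            return "lookalike"
        # Trusted name used as a subdomain prefix of an unrelated domain.
        if host.startswith(good + "."):
            return "lookalike"
    return "unknown"
```

A result of "unknown" only means the hostname does not resemble a bookmarked site; it says nothing about whether the destination is safe.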