How to tell if a transaction involving cryptocurrency is a scam:
(1) Does it involve cryptocurrency?
When Ahad Shams detailed on Twitter how his company was scammed out of $4 million in cryptocurrency after a face-to-face meeting, Chris Hunter immediately recognized what was going on. Only weeks ago, Hunter fell victim to the same con apparently run by the same group. Having contacted Shams after reading his story in The …
"We are technical people," he said. "There was no way anyone was going to pull a scam on us, and yet they did… When you talk about people being scammed, it's not normally individuals as technical as us. It's normally your everyday, non-IT person. For people like us to be getting scammed at this level of sophistication, we thought we had our bases covered.
"But we didn't."
Reminds me even the best can get scammed - eg Jim Browning https://www.youtube.com/watch?v=YIWV5fSaUB8
A mate was almost a victim of the false invoice scam. Someone called him up and said they supplied the telecoms to the firm (multiple offices). Apparently the bills for the last 18 months weren’t paid and they were going to cut the firm off unless money was transferred immediately. He said he had no idea that this firm was owed money. He suspected it was a con though so wasn’t about to give them a thing. However he wanted to see how far they were willing to go to get the firm’s cash. So he said he was sorry and that the cheques must have got lost in the post He said that they’d write out a cheque for the full amount (£2k) immediately and it would be waiting at reception in an envelope. Scammer is a bit flustered by this and says they’re normally paid by bank transfer by the firm. My mate says check your records we always pay by cheque and have done so since we moved in.
He said he put an envelope at reception with a comp slip in with the words we weren’t born yesterday written on it. They were next door to a police station so could easily get help but no one ever came to collect it. He emailed everyone in the firm to alert them.to this too.
They're completely wrong about this, though. Studies have shown that using electronic communications a lot increases the risk of being phished, and IT competence and general knowledge does not decrease it, for example. Employees in the IT Services sector are significantly more likely than the median to click through on phishing emails.
There are various theories about the mechanism, but many people think it's simply a matter of comfort with technology leading to less conscious supervision of actions. In this case, the victims are tech early adopters, which makes them even more inclined to trust technology and thus even more vulnerable.
And, of course, thinking that you have better defenses for precisely the reason that you have worse ones compounds the problem.
It's the same reason why financial officers fall for financial scams.
I also recall at a previous company the top salesman coming into work on a Monday morning delighted with the kitchen he had bought the day before. "It was such a good deal - they were practically giving it away, I don't know how they make any money". When asked to elaborate, he spewed out all the same kind of things he told his customers about why they were getting such a fantastic deal on our products. It was in his blind spot.
Given everyone who was scammed was working on cryptocurrency and web3 projects, I have limited sympathy, and they certainly weren't the best or brightest or most ethical to start with.
Funny too that one of the scammers, "Moreno" has named himself after an anagram of one of the crypto currencies most suited to illegal transactions: Monero.
"We are technical people," he said. "There was no way anyone was going to pull a scam on us..."
This is the dictionary definition of hubris, a favorite lever of scammers of all kinds. Their mistake wasn't in meeting with the scammers, it was the patently false belief that being (ostensibly) skilled and knowledgeable in one field (information technology) implies equal skill in a completely unrelated field (investment and investment scams).
Bonus points for these "technical people" being scammed, in part, by technical means (just give us access to your phone...).
Beautifully summed up by XKCD as "the engineer syllogism".
This is unfortunately a hubris I've seen far too often from technical people. The number of technical people who assume that they will never fall for a scam is surprisingly high. People complain when somebody sends out a phishing test that doesn't have all the words misspelled because you know all scammers do that, and they assume that they'd always check every possible indicator. It's the same problem that results in programmers who are good at writing code that achieves the goal in an efficient way assuming that it's necessarily the secure way, often reacting with outrage if anyone suggests that a vulnerability could exist.
I work in security, which means I have seen more attempts at attacks but I've also seen enough smart people be successfully conned that I am not confident that I can spot one. All I can say is that I'm reasonably confident that it hasn't happened yet. It can happen to anybody (you, me, the best programmer you can think of) because it already has happened to someone like you. Finding a reason that you sort above whatever victim you recently heard about will not protect you. It didn't happen because they're stupid. It happened because their defenses failed, but that's not the same thing.
Agreed. Studies have shown that security-practices training does have a useful effect on rates of falling victim to general attacks such as broadcast phishing, but the real benefit from adopting a security mindset is to get in the habit of applying defenses in depth and using tools as well as personal judgement. Reducing the attack surface, running things with reduced privileges, employing a good back up strategy, and so on. Obviously it's still important to try to be careful, but belts-and-braces should be in place to back you up.
...on how to spot a scam.
It probably goes without saying that one of the red flags mentioned but not highlighted as a red flag is the scammer saying they wanted their fee in bitcoin "to avoid taxes". Well, that's not avoidance in most civilised countries, that's evasion and should be a huge red flag to anyone in legitimate business.
arguably, this hook worked, because 'everybody' on this planet wants to avoid taxes, I bet even the 'taxman' runs some tax 'optimisation' schemes. Therefore, wink-wink, nudge-nudge, know what I'm sayin = we're pals, on the same page, buddy, eh, eh? Pretty ironic this red flag was probably the ultimate seal of verification. But it's always so easy to dissect a crime from a comfort of one's armchair, when you have most of the pieces in front of you.
'everybody' on this planet wants to avoid taxes
I don't. Taxes are the price1 for living in civilization. I prefer that to the alternative and am content to pay my share.
Frankly, I get a little annoyed at hearing that I hate taxes and would avoid paying them if I could (or variations thereof; a friend once declared that "everyone cheats on their taxes", a rather obnoxious assumption that I let pass at the time). Well, I could get out of a good bit of it if I indeed wanted to. I don't.
Honestly, these days I'd be highly suspicious of an investor who wanted me to fly to another country to close the deal. No thanks, pal. Travel is fine; travel for work is fine. But a meeting like that can certainly take place online and there's no way in hell I'd trust some stranger who insisted on a face-to-face for this sort of thing. It's clearly a sunk-costs pressure tactic – much easier to say "no" if you haven't spent hours and dollars getting there.
1Or arguably not even that; they can be seen as just an inefficiency in the distribution of purchasing-power tokens to members of the polis.
Seriously, folks. It blows my mind that anyone would try to enter the VC world without either having someone they REALLY know and trust guiding them, or doing some substantial study on scams. There is a LOT of shady activity in that space, and whether our not a particular actor is a scammer sometimes depends exactly on how you define a "scam".
But yeah, some of these folks clearly had bought their own hype. It's much more of a question of who was going to take them & for how much than anything else. In practice, it sounds like many got their lesson from the School of Hard Knocks cheap by comparison.
Obviously the moral of the story is to avoid meetings in hotels in Barcelona.
I mean, it's Barcelona. Get out and see the sights. You could be in a hotel anywhere.
But getting back to OP's point: Right. Who the hell would think "here's some rando wants to give us $2M, no need for due diligence"? Even in a startup I'd have the company lawyer and some financial advisor with fiduciary responsibility and experience in the VC realm looking at the proposal very closely. I spent some years working for a startup, and we always needed cash, but you can be sure no investments happened without that kind of review.
I was going to offer some comments, but it all sounded like this 20-20 sarky 'advice' you get on the internets when you share how you were duped. Then half the world jumps on a chance to shit on you how infinitely stupid you are and how infinitely clever they would be, in a similiar situation. So all I can offer is sympathy to a fellow human being. And, for my own pleasure, offline images of what should - but never will - happen to the scammers. No, I'm not a nice person.
p.s. I've never been scammed, but that's because I have no money or scammable assets (next moment he's lost his internet connection. Then a house. And a wife).
"The Bitcoin request seemed odd, but the two men said they wanted to avoid paying taxes, Jonathan Kennedy told The Register."
There is no 20-20 hindsight at work here. The people Kennedy was dealing with literally told him up front that they were financial criminals. He and his partners still went ahead with the transaction.
This is the simple lever crypto scammers use. Bros all think that they are very cleverly sticking it to the Man, so anyone else sticking it to the Man must be on their side. But there's a saying in poker and it applies here: there's a donkey at every table, and if you don't know who it is then it's you.
[...], so Hunter turned his phone to face the two men, [...].
Fewer than 30 seconds later they returned the phone to Hunter [...].
"In those 15 or 30 seconds that they had my phone, [...]
how does "turned his phone to face the two men" turn into "they had my phone"??? never, Never, NEVER 1) hand your phone to someone (you don't know) and 2) always expect anyone to immediately start snooping on it... i mean...
"nonononono... i'll hold it... you just take the picture..." geez...
To be honest, these days, if you'll be traveling to or from a number of countries – definitely including the US – it's not a real good idea to bring your phone at all. Take a cheap phone with your SIM if you must have your current number and plan; otherwise a burner SIM.
Smartphones are valuable, fragile, easy to steal, and often of interest to authorities. It's bad enough carrying them around your usual stomping grounds.
-> Coin Publishers was looking for VC backing
"Crypto" backing or real, actual money? How sanguine it must look after the event.
-> the two men said they wanted to avoid paying taxes
We acquiesced and were party to an attempt to defraud/avoid $somerevenueauthoritysomewhere.
-> "We are technical people," he said.
No, they are people who think they are technical. The Reg is full of articles about people who talk the talk but are incapable of walking the walk. Not a week goes by without some company being hacked and $boilerplatestatement "we take customer data security very seriously" being issued.
It is not just LinkedIn that allows fake accounts (i.e. an account in the name of someone else, unverified). Google mail allows anyone to set up an account in any name, and at least three UK financial organisations have allowed scammers to set up accounts in my name for the actual purpose of stealing my money (savings, pension funds, etc.). How do I know? They got a way with about £100,000. Not by scamming me, but by scamming the banks, building society, and pension companies I have investments with. OK, so I got my money back, so technically I am not the victim of a crime (identity theft is not a crime in the UK, according to both the Police and Action Fraud). But the stress is severe.
The subjects of scams and the tax man reminds me of a story that might be worth sharing...
A few years ago I had a call at work from someone with a foreign accent saying that I owed the tax man some money and offering to take payment over the phone. I also smugly though "there was no way anyone was going to pull a scam on me" so I declined his kind offer.
A week later my boss had a VAT demand on his desk for some electronics which "sounded like my sort of thing" and asked me if I'd told HMRC to go f**k themselves.
It turned out that a £1500 bit of kit that I'd won in a competition (so hadn't payed anything for) and had delivered to work (for safety and convenience) still required VAT and duty to be paid on its value. Occasionally, just to keep you on your toes, the scam isn't a scam.
I thought that HMRC always send a letter. How did they know your work phone number?
Recently I have had two emails requesting money, one purportedly from DVLA claiming that I should set up some automatic payment for my road tax, and the other allegedly from TV licensing claiming that my payment had failed and would I please click on the embedded link to pay? As I pay both in the Autumn ('Fall' for USAfolk), I knew them to be scams, so I sent each of them to report@phishing.gov.uk
"How did they know your work phone number"
"Had to be delivered to work (for safety and convenience)".
The sender would have included a phone number for the receiver in the shipping submission, in case of delivery problems but also used for gathering of taxes/duties.
The exact same thing happened to me in Barcelona. I lost $150k. A guy who’s iD they gave me as the “investor” contacted me as he had been contacted by others, then we now have a group of us all scammed out of nearly $1m. We are in the USA. The fbi has been notified our end and investigations are underway.
This is a very sophisticated scam and they got my trust wallet secure code in the exact same way.
I would like to be in contact with the victims of this scam so please feel free to message me. Thanks
Some of these stories sound like (1) tales of "The Saint" (Roger Moore granted eternal life in re-runs) and (2) putting the "adventure" into "venture capitalism". And (3) "romance fraud" but when what you love is money.
Back to (1), don't trust foreigners, will stop a lot of this from happening. If Brexit is for anything at all, surely it is for the right to be left alone. ...What?
Thanks for the article and all the research that went behind it. Most people get scammed and feel embarrassed then clam up about it, leaving other vulnerable. I had a similar experience trading cryptocurrency with a fraudulent brokerage and I nearly lost $286K. Overcoming this obstacle relies on a robust blockchain analytics report clearly setting out the context of the fraud.
More practical impediments can include costs and the exchanges. Victims of fraud are not always able to fund complex recovery actions, and so funding for professionals working on an ‘at risk’ basis may be required, or a combination of both.
Finally, identifying the location of exchanges and being able to exert sufficient leverage to obtain their cooperation in freezing assets, disclosing information or satisfying third-party debt orders in this space, has required some creative thinking. I feel a fool but at least I got back my stolen digital assets with the professional guidance of a legal team of cryptography experts and licensed fraud analysts.
This post has been deleted by its author
Hi - I am doing a road show in Europe this week and met with two self proclaimed angel investors that had reached out to me in a telegram group for a conference I was speaking at. The asked that I fly into Sardinia to meet with them. I was running around so didn't get their KYC done before the meeting them nor did I really think we'd be getting terms on the first in person meet up. But they wanted to make a deal right away and offered attractive terms. But there was a really unusual request that they put in at the last minute for proof of $500K of funds in ETH USD or USDC to be transferred to an Exodus wallet (to show ability to pay interest on a convertible note)
This didn't make sense for two reasons
1 - their terms had the concept of setting aside an interest reserve out of investment proceeds and
2 - no one with any kind of compliance or security experience would transfer at this scale via anything other than a multi-sig walle (let alone an Exodus app).
So I thought either they were dumb or they were trying to pull a fast one. Anyways, we thanked them for their interest and walked. They got super upset when we declined their terms and started challenging my masculinity and control of the company. It was weird. And silly.
They claimed to be Swiss, but who knows. Both spoke French and Hebrew with English as second-ish language It's hard to say conclusively that it was a scam as nothing happened, but it had all of the trappings of one. A couple of other basic red flags... they came off as too Gucci for tech people, and they didn't understand what we were saying when I asked them basic questions like who is going to access our GitHub during DD. They also didn't know believe that Polygon is Matic. Cringe. Happy to help compare notes if it helps.
These guys will go to any length to get what they want. They go as far as creating clone websites and fake documentations. Before I became a pro crypto consultant expert, I lost a few cryptocurrency to scammers who got hold of my private key during my early years of crypto investing. Devastating moment for me because I was absolutely new to bitcoin. Not all but I was able to recover more than 80% of my money with the help of (Spirassp . com). A company linked to the Crypto Scam Defense. Both company are approved by Defi. They are currently helping people recover from this daylight robbery.
It’s a sad reality that when your money get in a situation like this, there is almost nothing you can do to get your money back. The first thing you need to realize that you are mostly dealing with Tech guys or even a certified hacker. This alone explains that you can’t bring a knife to a gun fight. I see people trying to get lawyers and they end up losing money. You can only get a chance of recovering your lost funds by hiring the services of a professional hacker who can go head on with whatever type of software the scammers have.
Information I got from a company that offers pro hacking services (spirassp . com) reveals that the crypto scam is bound to rise by 50% if care is not taken. Anyone familiar with the quadriga scheme in Canada back in 2016 will know they come at their victims in different ways. Quadriga was never listed but started selling shares and stopped publishing audits. They were later banned from selling shares after BCSC issued a cease trade order (CTO) for not submitting audit. What kind of entity operates like this?
Crypto scammers come at their victims in diverse ways so every one has to stay vigilant and beef up on cybersecurity as much as possible.