Threat players now offer victims what seem to be investment services from legitimate companies to tempt them to downloading malicious apps aimed at fraud.
They have defrauded 244 US investors of about $42m through fake cryptocurrency apps that exploit people’s legitimate investments in digital currency, the FBI has revealed.
Fooled People
The agency observed a number of cyber-criminal campaigns that fooled people into downloading malicious apps through which threat players extorted money from victims, the FBI explained in a Private Industry Notification published Mon.
Threat players used the names, logos & other identifying info of legitimate US financial institutions to gain the trust of & fool investors into thinking they were interacting with an actual crypto-currency related firm, the agency stated.
They even created fake websites using the information as part of the scheme to gain the trust of investors, according to the FBI.
Popular Target
The rise of interest & investment in crypto currency also has made it a popular target for cyber thieves, who have invented creative ways to get people to trust them into falling for malicious campaigns.
In Feb. 2021, 100s of investors fell prey to a fake crypto-currency scam that conned them out of $11m through investments in a fake crypto-currency called “Bitcoiin.” The campaign even had celebrity backing, as US action actor Steven Seagal was hired to promote the company called “Bitcoiin2Gen” or “B2G” that served as the front for the fraudulent activity.
The latest FBI warning also is not the 1st time the feds sounded an alarm over cyber=criminals targeting investors. About a year ago the FBI warned that threat players were posing as financial advisors to try to lure victims into various investment scams.
Campaigns Uncovered
In its warning, the FBI revealed the details of 3 specific crypto-currency fraud campaigns observed Oct. 2021- May 2022 that alone defrauded investors of more than $10m.
In a campaign that occurred 4 Oct. 2021-13 May 2022, cyber-criminals operating used the company name YiBit to steal about $5.5m from at least 4 victims, according to the FBI.
Bogus App
Threat players convinced victims to download a bogus app & deposit crypto currency into wallets associated with their YiBit accounts. Once the deposits were made, 17 of the victims received an email stating they had to pay taxes on their investments before withdrawing funds. 4 victims who were ultimately defrauded revealed that they could not withdraw funds through the app.
In a similar campaign that occurred Dec. 22, 2021-May 7, 2022, cyber-criminals impersonated a legitimate US financial institution to steal about $3.7m from at least 28 victims, stated the FBI.
Convinced Victims
Again, threat players convinced victims to download an app that used the name & logo of the legitimate company & deposit crypto currency into wallets associated with the victims’ accounts on the app.
When 13 of the 28 victims tried to withdraw funds from the app, they received an email stating they had to pay “taxes” on their investments 1st before making withdrawals. After proceeding to pay the phoney tax, they still could not withdraw funds from the apps, according to the FBI.
Supayos
Yet another investor-fraud campaign occurred Nov.1-Nov. 28, 2021, with threat players this time operating under the company name Supayos, also known as Supay. This campaign, which snared 2 victims, instructed targets to download the Supay app & make multiple crypto-currency deposits into the crypto wallets associated with their accounts.
In Nov. 2021, the cyber-criminals told 1 victim without previous consent or knowledge that he was enrolled in a program requiring a min. balance of $900k; upon trying to cancel the subscription, attackers told the victim to deposit the requested funds, or his assets would be frozen.
Precautions Urged
The FBI is urging both institutions & individuals alike to take some basic precautions to avoid being defrauded when dealing with crypto-currency transactions.
Institutions should proactively warn customers about the potential for such activity & provide a way for their customers to report it.
They also should tell customers about the details of their own crypto-currency-related services— e.g. if the company actually has a crypto-currency app – so clients can identify real communications & transactions, the FBI observed.
Institutions also should periodically conduct online searches for any unauthorised use of company name, logo, or other identifying information to determine if cyber-criminals are using it for bad purposes.
Unsolicited Requests
Investors also can protect themselves by being wary of unsolicited requests to download investment applications, verifying if an app is legitimate before downloading it, & treating apps with limited and/or broken functionality with suspicion, states the FBI.
The FBI is now encouraging people to report any suspicious activity related to crypto-currency fraud to their local field offices.
