
Seven Crypto Hacks And Scams, And How To Protect Yourself

Ruby

A recent series of exploits has seen over 5,000 ETH drained from wallets by unknown means. While this is a worrying development, 5,000 ETH (currently around $10 million) is a drop in the ocean of crypto hacks and scams, through which users lose billions of dollars of digital tokens every year. These attacks use a wide range of means, from technical exploits to social engineering, and impact everyone, from newcomers through to seasoned DeFi veterans.

But how exactly do criminals steal your crypto? Here are seven common methods—and some of the things you can do to protect your digital wealth.

1. Rug Pull (Aka "Rug")

Strictly speaking, a rug pull is an exit scam, in which so-called founders collect investors' money for a specific purpose, such as building a DeFi platform, and then disappear with the cash.

One common variation is to advertise a smart contract that turns out to be a "wallet drainer", which will steal everything in the connected wallet.

In practice, a "rug" has become a catch-all term for a broad spectrum of behaviors, ranging from launching a project that failed through no fault of the creators through to the most blatant cases of fraud and theft.

What you can do:

  • Do your due diligence on the project and the individuals running it.
  • Always use burner wallets (one-off, throwaway addresses that only contain as much crypto as you need) when interacting with smart contracts you don't 100% trust.

2. Phishing

In a phishing attack, scammers create fake websites or send emails that aim to trick users into giving up personal information like login details and passwords, or even private keys and seed phrases, or convince them to send crypto to the scammer's address. Phishing often involves a special "offer" designed to instill a sense of FOMO.

"Spear-phishing" is a variation on this, whereby scammers target a specific individual—such as a wealthy investor or CEO—often with a highly tailored and sophisticated approach.

What you can do:

  • Check the spelling and grammar in emails and other content carefully. Scam sites and posts often contain errors that would not appear in official communications from legitimate projects.
  • Hover over links to see where they really lead. Scam links are often misspelled versions of the real site, to try to trick users into thinking they're safe.
  • Don't click on any links or attachments from sources you don't trust.
  • Type the URL of the website into the address bar yourself, rather than clicking on a link or even on Google search results.
  • Never enter your seed phrase into a website.
  • Project team members should not DM you first on Telegram or Discord. It's easy to create a fake account that looks like a team member.

Admins and team members usually have a policy of only responding to inquiries, not sending messages first.
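The "hover over the link" check above can be automated. The following is an added example, not code from the original article: it pulls the real host out of a URL and flags hosts that are a near-miss spelling of a site you use, or that smuggle a trusted name in as a subdomain. The trusted domains are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholders standing in for the sites you actually use.
TRUSTED_DOMAINS = {"example-exchange.com", "example-wallet.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Host the browser would actually connect to, lower-cased. urlsplit drops
    any 'user@' prefix, so 'https://example-exchange.com@evil.net' -> 'evil.net'."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_link(url: str) -> str:
    """'trusted' if the registrable domain is exactly one you trust,
    'lookalike' if it imitates one (typosquat or trusted-name-as-subdomain),
    otherwise 'unknown'."""
    host = host_of(url)
    domain = ".".join(host.split(".")[-2:])  # e.g. 'www.foo.com' -> 'foo.com'
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        # A trusted name used as a subdomain label of some other site.
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike"
        # Near-miss spelling of the registrable domain (examp1e-, exampel-, ...).
        if edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unknown"
```

A result of "unknown" only means the host is not an imitation of a listed site; it still deserves the same scrutiny as any other unfamiliar link.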

3. Smart Contract Attacks

Smart contracts are code that runs on the blockchain, exactly as written, with their execution enforced by the entire network. This means applications cannot be shut down or transactions reverted. However, it also means that any vulnerabilities in the code may be exploited by attackers, and by the time anyone has noticed, it will be too late. There are many ways that hackers can take advantage of "loopholes" in smart contracts.

One of the largest and most significant smart contract attacks occurred early in Ethereum's history, when a hacker drained tens of millions of dollars of ETH from The DAO, a pioneering decentralized VC fund that held around 14% of all ETH in existence. The episode led to a controversial split of both the Ethereum community and the network, with the majority opting to fork the blockchain to roll back the theft and return funds to users.

What you can do:

  • Code audits should catch the most serious smart contract bugs.
  • However, hackers are always looking for new exploits, so it's best not to put all your eggs in one basket. Spread funds around different protocols.

4. Flash Loan Attacks

A flash loan is an uncollateralized loan that must be paid back in the same block that it was taken out, or else the transaction is reverted. These can be used to take advantage of arbitrage opportunities on different DEXs. However, they can also be used to carry out economic attacks against DeFi protocols.

The attacker uses a flash loan to borrow a large amount of tokens. These are used to manipulate the price of a particular token on one protocol, while the attacker typically uses another protocol to profit from the change in price. The loan is paid back in the same block and the attacker keeps the profits, which have effectively been extracted from the targeted protocol. In March 2023, a flash loan attack was used to drain almost $200 million from Euler Finance. Flash loans can also be used in governance attacks, to push through proposals that benefit the attacker.

What you can do:

  • Mitigating flash loan attacks is largely the responsibility of platform developers.
  • Audits can pinpoint specific vulnerabilities that can be exploited using a flash loan, and critical processes (like voting) should be spread across at least two blocks.
  • Regular users should again diversify their funds across protocols.
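To make the mechanism and the "spread it across blocks" mitigation concrete, here is an added toy model (not code from the original article or from any real protocol): a constant-product pool whose spot price is pushed up inside a single block, read once directly and once through an oracle that only serves the previous block's closing price. Pool reserves and the loan amount are constructed numbers.

```python
class ConstantProductPool:
    """Toy AMM holding reserves x and y under the invariant x * y = k.
    The spot price of X, quoted in Y, is y / x."""

    def __init__(self, x: float, y: float) -> None:
        self.x, self.y = x, y

    def spot_price(self) -> float:
        return self.y / self.x

    def buy_x_with_y(self, dy: float) -> float:
        """Deposit dy of Y and withdraw X so that x * y stays constant.
        Returns the X received; the trade pushes X's price up."""
        k = self.x * self.y
        new_y = self.y + dy
        new_x = k / new_y
        received = self.x - new_x
        self.x, self.y = new_x, new_y
        return received


class PriorBlockOracle:
    """Serves the price committed when the previous block ended, so a swap
    made earlier in the current block cannot change what a reader sees."""

    def __init__(self, pool: ConstantProductPool) -> None:
        self.pool = pool
        self.committed = pool.spot_price()

    def end_block(self) -> None:
        self.committed = self.pool.spot_price()

    def read(self) -> float:
        return self.committed


def price_seen_after_flash_swap(use_prior_block_oracle: bool) -> float:
    """One block: flash-borrow Y, buy X to inflate its price, then ask the
    lending protocol's oracle what X is worth before the loan is repaid."""
    pool = ConstantProductPool(x=1_000.0, y=1_000_000.0)  # honest: 1 X = 1,000 Y
    oracle = PriorBlockOracle(pool)
    oracle.end_block()                 # previous block closed at the honest price
    pool.buy_x_with_y(5_000_000.0)     # constructed flash-loaned Y, same block
    if use_prior_block_oracle:
        return oracle.read()           # still 1,000 Y per X
    return pool.spot_price()           # 36,000 Y per X: collateral looks 36x richer
```

The same idea applies to governance: counting votes from balances snapshotted in an earlier block means tokens borrowed for one block carry no voting weight.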

5. Insider Threats

Blockchain protocols are built to eliminate points of trust. Unfortunately, CeFi platforms necessarily still require human decision-making, and employees or other insiders with access to sensitive information can exploit their positions in various ways. This has repeatedly happened in the history of crypto, as exchange founders have diverted customer funds for their own use—most notably and recently in the case of FTX.

ShapeShift, Livecoin, FTX and many other thefts from exchanges turned out to be inside jobs.

What you can do:

  • Avoid centralized platforms where possible.
  • Use licensed and regulated CEXs when you have to deal with centralized services.
  • Don't hold funds on centralized platforms unnecessarily.

6. Pump And Dump (P&D)

Pump and dump schemes involve scammers accumulating a large amount of a particular crypto, before artificially inflating ("pumping") its value by making strategic buys and/or by spreading information that makes it appear underpriced. Traders pile in on the hope of quick gains, driving up the price, before the insiders take the opportunity to sell at a profit, dumping the price back down and leaving the latecomers holding the bag.

For every buyer, there needs to be a seller...

P&D schemes are not unique to crypto, but anonymity, ease of access to exchanges, and the speed with which information travels on social media make this a perennial favorite for crypto scammers.

What you can do:

  • Be cautious of hype and FOMO.
  • Accept you might lose any funds you put in.
  • Practice good risk management.

7. Ponzis

Brought to global attention in the 1920s by Italian swindler Charles Ponzi, and again in 2008 by Bernie Madoff, Ponzi schemes involve scammers creating fake investment opportunities that promise extremely high returns. In reality, existing "investors" are paid using funds deposited by more recent ones, until the stream of new money runs out and the Ponzi collapses.

What you can do:

  • Be suspicious of opportunities that look too good to be true (even for the crypto space).
  • Double your suspicion if the team is anonymous.
  • Double it again (and once more for luck) if they can't or won't satisfactorily answer questions about where revenues come from, or provide convincing evidence.

What (Almost Certainly) Isn't Happening?

If you're the victim of a hack or crypto theft, there are a couple of things that almost certainly aren't going on. The first is a 51% attack on the blockchain, resulting in a double spend. It's not impossible, and it's happened before, but only smaller proof-of-work chains and large accounts (like exchanges) are generally targeted due to the cost. It's practically unthinkable this would happen for a major blockchain, let alone for Bitcoin or Ethereum.

The second thing that is highly unlikely is a brute force attack on your private keys. Assuming you've generated them using a suitable wallet app, the amount of computational power required to crack standard 128-bit private keys in a useful time frame (before the end of the universe) is many orders of magnitude larger than is available. One day, quantum computers might change that—but at that point, we would have far bigger problems than crypto being stolen.

Checklist

  • Don't keep funds on exchanges
  • Use strong passwords
  • Use 2FA
  • Don't keep private keys and seeds unencrypted online
  • Get a hardware wallet
  • Use burner wallets to interact with untrusted contracts
  • Don't use one seed phrase for all your crypto
  • Verify the authenticity of websites and emails before you use them or click on any links
  • Never share your seed phrase online

Got any other good tips for keeping your crypto safe? Share them with us on Discord or Twitter, and don't forget to subscribe to our blog for regular updates.