Some people look at cryptocurrencies as a financial revolution. Others think of this technology as an opportunity for passive income. And others just see it as getting something for nothing.
More often than not, you’re the one giving the “something”. Scammers attract people with “free” stuff, but they’re the only ones who get it for free. From us.
Still, that’s nowhere close to the problems that digital scammers can cause. And if you’re in crypto, the threat is constant:
- Right now, some companies may be creating innovative software. But they’re not aware of the coding imperfections, which will be eventually exploited
- Maybe you’ve already fallen for phishing but the scammer does nothing. He’s silently waiting for you to accumulate money or steal other accounts, and then take it all at once
- Perhaps when you’re away from your phone or computer, someone is using it to mine cryptocurrency. And to prevent detection, the program turns off when detecting mouse movement
Just like that, you could wake up tomorrow with a terrible surprise.
Your wallet is at ground zero.
An exchange has been breached.
Someone on the news lost $5 million on a crypto scam.
These happen all the time. And whether you have millions or not, the success these hackers get motivates them to go after more accounts. Will yours be the next one?
Here are five common cyber attacks on cryptocurrency.
The Most Dangerous Cyber Attacks On Crypto
While hackers are constantly innovating, most strategies derive from phishing, malware, and data breaches. And while you can’t be 100% protected from these, the first step to take control is learning how they do it:
#1 Cryptojacking
In simple terms, cryptojacking is about manipulating someone else’s device, typically for crypto-mining.
When you mine cryptocurrencies, your money rewards depend on your hardware processing power. The more devices there are, the easier it is to profit from mining.
Today’s mining hardware rarely prices below $1000. But cryptojacking can make a scammer free money. Imagine if this guy could control hundreds of devices, which could be a threat to the crypto network.
For example, the hacker could:
- Cause 51% attacks (explained later) to manipulate transactions
- Sell these device accesses to other hackers with worse intentions
- Run hidden mining programs on all devices to make free money
It may not look like an immediate threat for you. However, the fact that they can run programs on your device is extremely risky. They can probably:
- Spy on your device to steal financial information
- Lock your device for a fee (ransomware)
- Install programs without your consent
Right now, there are apps like Pi Network that claim to make you money by mining from your phone. Users only need to install this app and press ‘Mine’ every hour, no registration is required.
It doesn’t cost you anything, and the Pi token could theoretically be worth something one day. But who knows? Maybe the founders never have those plans. They might just use millions of devices to mine Bitcoin for themselves. And nobody would know it.
Note: This is a made-up example. We don’t believe Pi Network is a scam. There’s a brilliant team behind it and 10+ million miners trust them, including us.
#2 Malware Phishing
When earning with cryptocurrency, people often look for the best exchanges, wallets, and mining platforms. But when something sounds too good to be true, it’s probably fake.
Ever heard of those incredible welcome gifts? That could just be a hook to lure you into a phishing trap. You’ll need to install something in order to claim your bonus (or to access the software).
That something may not be, however, what it claims to be. Maybe it does have the right name and icon, but the file size is suspiciously small. Or it asks for too many permissions, or your device blocks it due to potential viruses.
While it may sound irrelevant, giving permissions to an app is like giving your phone to a stranger. Permissions to monitor your screen, remember your login details or manipulate files.
You could report the website, but that won’t fix things. Those who create these malware programs often hire affiliate marketers to promote them. They don’t mind paying them well for referring, because they earn so much on scams.
These marketers could be using the apps themselves and not know it’s a fraud.
Beware if you see weird domains, shortened links, or excessive redirections.
#3 Double Spending
One thing that has increased Bitcoin adoption is ATM machines. For a fee, you can buy and sell Bitcoin locally, as you’d do with cash in your bank.
The difference is, there’s a block validation process between transactions. Bitcoin miners need to confirm your order, which may take around 30 minutes.
That means that if you deposit cash to buy BTC, you won’t see it in your balance until later. AND if you owned Bitcoin but sold it for cash, your balance won’t reduce until you get all the network confirmations.
Once it’s confirmed, it’s permanent. But what happens if you cancel the Bitcoin sale after withdrawing in cash? You might have paid some fees, but the sale doesn’t deduct from your balance.
If you sell $100 BTC for cash, you can keep $100 in cash, cancel, and sell it again. You lose <$5 in fees.
Beware. If scammers know how to double-spend, they probably know other ATM scams to steal YOUR money.
Luckily, most ATMs have ‘fixed’ the double-spending issue. You now cannot get the cash until the transaction confirms. And while nobody wants to wait 30-60 minutes, security matters more than convenience.
#4 51% Attacks
If you want to mine cryptocurrencies, you’re going to need a lot of processing power. Luckily, some software companies will rent you the hardware.
According to crypto51.app, here’s what it could cost per hour to rent all the available capacity:
As you can see, it’s hard to get any Bitcoin mining hardware these days. But if you look at other coins, you could rent over 50% of the capacity for less than $10K.
Of course, hackers will need money to make money. In the case of BitcoinGold, they could rent 60% of the network for 3 hours. They could potentially access $157.32M in funds at the cost of $1000 (insane ROI).
But what happens exactly when owning over 51%?
In most currencies, whoever owns most of the network plays has great influence in verifying transactions. If the consensus is based on votes, the 51% attacker can manipulate the entire network: re-arrange blocks, prevent miners from working and revert transactions (which leads to double-spending). It’s a mining monopoly that guarantees block rewards.
Still, hackers can’t manipulate other people’s transactions nor steal their funds. They can’t change the block rewards nor create currency out of nowhere.
Mind that hackers can still do 51% attacks on networks such as BitcoinSV (40% available). They could access the other 11% via malware phishing or cryptojacking.
If you own a coin like Bitcoin, 51% is almost impossible. Because mining networks become more protected against manipulation as more miners join the network. Meanwhile, if hackers attack, the best the network can do is make the attack as expensive and slow as possible.
#5 Advanced Phishing (DNS Poisoning)
If you try to mine crypto from your computer, you’ll be competing against large software corporations. The chances of you getting rewards are below the cost of hardware and electricity.
That’s why people join mining pools. Almost like stocks, you can contribute to a mining company. And if they win the block reward, you get paid proportionally to your contribution.
This, however, centralizes the network. If only three pools control +50% of the network, it’s easier to cause 51% attacks.
But just as expensive as it is to rent +50% in hardware, it costs even more to breach these pools. It’s easier to poison an exchange DNS. So everyone who logs in that day gets phished.
DNS poisoning is a server attack that allows stealing a website’s identity:
- Imagine a hacker creates a fake Coinbase website
- The hacker floods the server with lots of forged requests, causing a Denial Of Service attack and DNS manipulation
- Coinbase.com now sends you to the fake website
Even if you clearly recognize the website is fake, they’ve tricked the server to show it as the real one. The domain, the SSL certificate, everything points that the site is real.
Until the server updates the DNS, the scammer can do anything with those victims:
- If it’s an exchange, they’d steal their login data
- If it’s a wallet website, they steal all the seed phrases and balances
- If it’s a mining platform, that enables cryptojacking and 51% attacks
DNS poisoning is, thankfully, rare. As the website owner, there are simple fixes to prevent most DOS attacks. But as a user, it’s worth reviewing the platform’s security because you trust your money.
How To Protect Yourself From Crypto Hackers
There’s a benefit in getting early into opportunities. The downside, however, is that most projects are untested. And while they may be wildly profitable, it exposes you to security threats.
Cyber attacks always come when you least expect them. That’s why it’s vital to prepare before you need that security:
Avoid Hot Wallets
Crypto exchanges lure us with low fees and high coin variety. But don’t be fooled: once your money enters the platform, it’s their money. They tell you what you can or cannot do, and if you want to withdraw, you need their permission.
Hackers will likely target exchanges as they hold lots of money. And if they get breached, the exchange can’t pay you.
Instead of trusting a company, trust a cold wallet. Or at least, use a DEX (decentralized exchange) like Uniswap, 1Inch, or PancakeSwap.
It’s okay to use Coinbase, Binance, or Robinhood with small accounts. If you use them for large amounts, it’s better to withdraw after you exchange coins.
Update Your 2FA Code
Having a 2FA is so basic that we should mention it at all. The problem is, sometimes hackers steal these as well. And just because they didn’t steal from you yet, that doesn’t mean they won’t.
They could be waiting to gather more accounts for a 51% attack or to install malware on all devices at once.
If you don’t want to find out, we suggest you request new 2FA codes often. The frequency will depend on the account and how much money you keep on each:
- If it’s a cold wallet 2-3 months is good
- If it’s an exchange or hot wallet, update every 1-2 months
- If it’s your Google Account’s 2FA, it’s worth updating every month. Because Google often works as a recovery step for everything else
If you want to go further, the ideal setup is one Google Account for every crypto account. That’s one recovery email for CoinBase, another for Exodus Wallet, another for Binance…
Use Apps Instead Of Websites
If someone tries to steal your information, they will try to send you fake/shortened links. If you use the app, however, that removes the need of entering domains. You access the real platform directly.
As for DNS poisoning, it’s unclear whether it applies to mobile. Anyway, scammers will likely build the desktop version of the website. So if there’s no mobile version, that can help you recognize the fake one.
If you’re accessing all those apps from one device, make sure it’s protected from thieves. Don’t overthink all these complex hacks when the simplest one is to steal your phone.
Add passwords to your most important apps. You can skip them by adding a fingerprint lock.
Analyze Files Before Opening
Malware prevention 101: just because an app says to do something, that doesn’t mean it’s that thing.
It’s often easy to recognize from a glance. If it has no icon, different format, or low size, it’s probably not the app you wanted.
Sometimes, it’s not that obvious. You need to open the file first or have antiviruses installed. So you get a warning when downloading malware.
Sometimes, programs don’t do anything until you grant the permissions or enter your data. Before you do, you can test the app to make sure there’s nothing weird.
‘Fly Under The Radar’
If you have big money, hackers will find a way to get it. Don’t motivate them to steal from you.
Beware of whom you talk about money, especially on social media. If nobody knows how much you have, it makes life much easier. If you talk about your net worth or income strategies, you’ll soon start getting phishing emails.
While you may trust those around you, you may not know who watches your activity.
This doesn’t mean you have to keep your finance secret. Just don’t over-expose it.
The Bottom Line
Hackers won’t go away. More technology inevitably leads to more risks, especially around finance. You have to protect yourself long before you need that protection.
Passwords help, but control is better. If you trust an exchange or company, they’re responsible for potential losses, and there’s nothing you can do about it. But if you are responsible for your money, you can learn from mistakes and prevent them.