Tinder Swindlers — Crypto Romance Scams On The Rise
As the name suggests, a romance scam involves a scammer creating a fake online profile and using it to gain the trust and affections of a victim. Using the illusory relationship, the scammer then manipulates the real emotions of the victim to get them to send money wherever the scammer wants.
A report released on February 10th, 2022 by the Federal Trade Commission found that funds lost to romance scams were up ~80% between 2020 and 2021. The total loss to these scams, as reported to the FTC, in the past five years has hit US$1.3 billion. According to the data used for the report, “consumers who paid romance scammers with cryptocurrency reported losing $139 million in total in 2021, more than any other payment amount.”
The FBI’s internet complaint center said that between the start of 2021 and July, more than 1,800 cases of romance fraud involving cryptocurrency were reported. Scammers are using classic romance scam methods, such as pretending to be a marine or in the military and targeting the lonely, typically asking for money to pay for service-related costs like travel home or expensive medical care. The key difference now is that cryptocurrency payments give scammers a much easier way to move and hide stolen funds.
Crypto, while popular with romance scammers, has not always been the payment method of choice for con artists. It can be complicated and difficult for the uninitiated to buy crypto for the first time, so often, romance scammers use easier options like gift cards or bank transfers.
In the last few years, however, a number of crypto and fintech startups have worked hard to make it easy to onramp from fiat currency to crypto. Crypto brokers and trading platforms are easy to find on app stores, have simple UX, and can easily integrate with bank accounts. Another favorite payment method for scammers is to have their victims transfer the crypto using crypto ATMs.
In general, crypto scams have become more popular in the last year. According to Chainalysis, the number of financial scams active at any point of the year (active meaning their addresses were receiving funds) also rose significantly, from 2,052 in 2020 to 3,300 in 2021.
Source: Chainalysis Crypto Crime Report
# What is a Pig Butchering scam?
One of the most common types of love scams in crypto is the so-called “pig butchering” scam. This involves a scammer creating a fake profile on a dating app or social media network, connecting with victims, building a relationship of trust and support, and then sharing an “investment opportunity” with them because they “care about them.”
Once the victim puts in the initial investment, a fake platform reports to them that their holdings are growing. This convinces them to invest more and more. The victim also keeps handing over money because they trust the scammer.
The name “Pig Butchering” comes from the way the scammers fatten up their victims before the “slaughter”.
Once scammers establish a connection with a potential “pig” they can “butcher”, they will often ask the victim to sign up to a legitimate website. In the case of Tennessee woman Nicole Hutchinson, the website she was asked to sign up to was Crypto.com, a well-known legitimate cryptocurrency trading app and website. Nicole Hutchinson initially met her scammer on dating app Hinge. He went by the name Hao and steadily built up a friendship before he began the crypto element of the scam.
After Hutchinson created an account on Crypto.com and had topped up her account with cash, the scammer asked her to send the funds to a new trading platform he used personally. This platform was fake and Hutchinson had simply been sending her funds to the scammer’s private wallet address.
After Hutchinson deposited her new crypto into the fake trading platform, it began to report that her holdings were growing rapidly. Hutchinson sank more and more into her account on the fake platform and even convinced her recently widowed father to invest in Hao’s cryptocurrency platform. She says she began small and invested larger and larger amounts of money as she saw her account grow in profit.
In the end, Hutchinson and her father put US$390,000 into the scam platform. She attempted to withdraw money out of the account when it reached the impressive figure of US$1.2 million.
When she attempted to withdraw her funds from her account, she was told that in order to do so she needed to pay a “tax bill” of roughly $380,000. It was at this point that Hutchinson decided to ask for help, and investigations revealed that she and her father were sending money to the scammer’s account.
CBS News covered Hutchinson’s story. They contacted Rich Sanders of blockchain forensics firm CipherTrace to look into her case and the addresses the funds were sent to. Sanders found that there were a number of fake dating app profiles that could be traced to the scammer’s blockchain addresses and that, in the end, they had stolen around US$20 million through their schemes.
There are numerous incidents of these sorts of pig butchering scams being reported across the United States. In another case, Boston woman Cindy Tsai was contacted by a man named Jimmy on WhatsApp. Cindy told CBS Boston “Jimmy was attentive, good looking and was a comfort for her during a difficult time.” Using a nearly identical strategy to the one used on Hutchinson, Tsai ended up depositing US$2.5 million in the fake exchange platform Jimmy recommended.
For these kinds of scams, scammers create fake versions of legitimate cryptocurrency exchange platforms and wallets. These websites tend to have URLs that are similar to, but slightly different from, those of the real websites. The fake websites also often appear high in Google search results and look just like the real site, so they can easily fool a user who is new to crypto.
An example of this phenomenon is the various clones of the Singapore-based trading platform imToken. imToken is a real wallet and exchange startup that was founded in 2016 and has millions of users, as well as millions of dollars worth of assets deposited on its platform.
The real imToken website is token.im. There are, however, many fake versions of the site with similar and believable URLs, including imtoken.im, imtokenhk.com, and imtokenwallet.biz.
As the screenshots below show, there appears to be no difference between the real token.im and the fake imtoken.im website.
The real site: token.im
The fake site: imtoken.im
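Because the real and fake pages look the same, the hostname is the only reliable signal. The check below is an added Python example, not code from the original article: it treats token.im as the only official domain (the one named in the text) and flags hosts that reuse the brand name. The subdomain and near-miss-spelling checks, and the hosts `token.im.login.example` and `tokem.im`, are constructed for illustration and go beyond the cases the article lists.

```python
from urllib.parse import urlsplit

OFFICIAL = {"token.im"}  # the real site named in the article
BRANDS = {"imtoken"}     # brand string reused by the fake domains

def hostname(value: str) -> str:
    """Return the lowercase host of a URL or bare hostname, without 'www.'."""
    if "://" not in value:
        value = "//" + value
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value: str) -> str:
    host = hostname(value)
    # Only an exact match or a true subdomain of an official domain is trusted.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Brand name anywhere in the host, ignoring dots and hyphens.
    squashed = host.replace("-", "").replace(".", "")
    if any(b in squashed for b in BRANDS):
        return "brand-in-unofficial-domain"
    # Official domain placed on the left of someone else's domain.
    if any(host.startswith(d + ".") or "." + d + "." in host for d in OFFICIAL):
        return "official-domain-as-subdomain"
    # One or two characters away from the official host (typo domains).
    if any(edit_distance(host, d) <= 2 for d in OFFICIAL):
        return "near-miss-spelling"
    return "unrelated"

# Hosts from the article plus constructed ones (marked above).
CANDIDATES = ["https://token.im/", "imtoken.im", "imtokenhk.com",
              "imtokenwallet.biz", "token.im.login.example", "tokem.im"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:28} {classify(c)}")
```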
# Targeted Phishing
Notorious government-funded North Korean hacking group, Lazarus, has its own unique style of romance scam that involves phishing.
An investigation by global cyber security firm F-Secure found that hackers are specifically targeting employees of cryptocurrency firms on LinkedIn as potential victims.
The employees were typically targeted via LinkedIn messages which arrived with phishing documents attached. Once the victim clicked on the malicious document, a pop-up would say it was protected under GDPR restrictions and the user would have to enable macros in Microsoft Word to access the content. Once the macros were enabled, malicious code would execute.
The payload of the attack would enable the hackers to download files, decompress data in memory, initiate command and control communication, execute arbitrary commands, and steal credentials and other data for accessing cryptocurrency wallets and bank accounts.
The types of docs that contain the macro typically include:
* a request for assistance with creating a website,
* documentation for a blockchain project,
* creating collateral for an Initial Coin Offering (ICO),
* writing the whitepaper for an ICO,
* a developer job opportunity at a cryptocurrency exchange platform,
* a request for help to create an email marketing tool.
The initial messages on LinkedIn tend to contain romantic undertones which help to soften the approach and lower the guard of a potential victim.
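Since the attack described above depends on the victim enabling macros in a Word document, an attachment can be triaged for macro content before anyone opens it. This is an added Python example, not code from the original article or from F-Secure: it relies on the fact that macro-enabled OOXML files store their VBA project in a `vbaProject.bin` part, and all sample files are constructed in memory with placeholder contents.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls files

def classify_attachment(data: bytes) -> str:
    """Triage an attachment by whether it can carry VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office format: may hold macros, needs an OLE-aware parser.
        return "legacy-ole-needs-review"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "not-office"            # a ZIP, but not an OOXML package
    if any(n.endswith("vbaproject.bin") for n in names):
        return "ooxml-with-macros"     # VBA project part present: hold for review
    return "ooxml-no-macros"

def make_sample(parts):
    """Build a constructed OOXML-like ZIP in memory (placeholder contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in parts:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed samples; file names are illustrative only.
SAMPLES = {
    "whitepaper.docm": make_sample(
        ["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
    "notes.docx": make_sample(["[Content_Types].xml", "word/document.xml"]),
    "job_offer.doc": OLE2_MAGIC + b"\x00" * 504,
    "invoice.pdf": b"%PDF-1.7 constructed placeholder",
}

def triage_all():
    """Classify every constructed sample by content, ignoring the file name."""
    return {name: classify_attachment(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:18} {verdict}")
```

The verdict depends only on file contents, so renaming a macro-enabled file does not change the result.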
# Cryptocurrency scam timeframes are shortening
Source: Chainalysis
According to the Chainalysis Crypto Crime report for 2022, the average financial scam was active for 70 days, down significantly from 192 days in 2020. In 2013, the average length of a crypto scam was over 2000 days.
Chainalysis suggests one of the reasons for the shortened length is investigators getting better at investigating and prosecuting scams. The company cites examples like the Commodity Futures Trading Commission (CFTC) charging 14 trading platforms that touted themselves as compliant cryptocurrency derivative trading platforms for failing to register with the CFTC. In years gone by, the CFTC was not as fast or as aggressive at levying fines. In 2022, crypto scammers need to work faster than ever before.
Another notable trend is the relationship between cryptocurrency asset prices and scamming activity. Scams are typically rampant during periods when the prices of bitcoin and ethereum are rising. Price pick-ups in crypto markets normally come with an influx of new users. Chainalysis reports that there was a sharp spike in cryptocurrency activity during the 2017 and 2020 bull runs.
Source: Chainalysis
The chart above shows that the total value received by scammers rose quickly in 2020 as the crypto bull run started to take off. In 2021, however, the value received by scammers dropped off. A possible explanation for this may be that, by that point in the cycle, investors had become more savvy about cryptocurrency and were less prone to be scammed.
Source: Chainalysis
One trend that has remained consistent is that money laundering strategies have not changed. Stolen cryptocurrency still almost always ends up on exchanges for liquidation purposes. This means that it can potentially be intercepted.
Exchanges can use tools like the Chainalysis Know-Your-Transaction (KYT) to monitor transaction activity in real time and prevent scammers from cashing out.
In the meantime, the popularity of The Tinder Swindler documentary on Netflix shows that the public’s fascination with romance scammers is matched only by their susceptibility to them.