Crypto phishing attacks are everywhere. It might not get better anytime soon
It’s a real mess out there these days.
I’m referring to the recent onslaught of attempted cyberattacks against the people and professionals of the crypto ecosystem. This week, Blockworks’ David Canellis reported that a wave of phishing attacks targeted crypto users, all under the guise of legitimate emails.
These attempted attacks prompted warnings from the real projects. “Unauthorized airdrop email sent from Token Terminal — do not connect wallets,” Token Terminal told users in a communication sent less than an hour after the scammy one.
These impersonations have impacted Blockworks as well. As we shared on Jan. 19, would-be attackers have pretended to be Blockworks recruitment staff. The goal was to interview victims for jobs that don’t exist and attempt to obtain their bank account information.
The Block’s Tim Copeland also recently warned about scammers who pretend to be journalists. While not an old issue — fake profiles for popular crypto journalists have surfaced over the years — the issue seems to be especially frequent these days.
As The Verge reported this week, scammers pretending to be journos sent out fake Calendly invites in an effort to compromise victims’ Discord accounts. Discord is a popular target because of the frequent use of Discord servers by crypto projects.
Sometimes, the attack vector is as simple as this kind of singular link. A frequent impersonation target is MetaMask, with scammers prompting prospective victims to download a new version of the crypto wallet. Such a fate befell billionaire Mark Cuban last fall, as CNBC reported at the time.
What gives? The simplest answer is probably the closest to the truth: With elevated digital asset prices, suddenly everyone is a target.
The frothy environment makes scams like yesterday’s airdrop email wave feel especially enticing. Market euphoria — and the prospect of even greater rewards — appears to be making people think with their wallet instead of, say, the sharp skepticism required to survive in an adversarial online environment. Phishing attacks aren’t new, but the threat is never-ending, and when they do succeed, the attacks pose significant risks.
Hell, even the Securities and Exchange Commission’s X account was compromised via SIM swap during one of the agency’s most momentous periods in the modern area. Later revelations that SEC security around the account was, well, utterly lacking is a reflection of an easy-going security attitude that few people can afford nowadays.
“Trust nobody” may feel excessive, but a security-first mindset can save you time, money and a massive headache. Get a text asking you to buy some gift cards? Delete and block. Someone offering you tokens in exchange for a clicked link or downloaded app? Delete and block. Don’t have 2FA on all your accounts? Get it done today.
One wonders if this will even be enough, especially as new technology progresses. Artificial intelligence tools can enhance impersonation efforts even moreso.
Voters in New Hampshire learned that lesson this week after a robocall bearing a message from an AI-generated Joe Biden instructed them to not vote during the presidential primary.
Maybe things will improve someday. Maybe a mix of technological and social solutions offer a greater degree of protection. I hope it doesn’t become a situation where you simply can’t trust anyone who sends you an unsolicited message. Open communication is, after all, the bedrock of the internet.
But it’s a real mess out there. Stay safe, readers.
Michael McSweeney has worked in crypto media since 2014, including editorships at CoinDesk and The Block. In his spare time, he writes fiction and plays disc golf. Contact Michael at [email protected].