Application security, Vulnerability Management, Threat Management

Fake cryptocurrency apps trick US investors, FBI reports

A pedestrian walks past a display of George Washington on the dollar bill wearing sunglasses with the Bitcoin logo in the lenses.
The FBI is warning against fake cryptocurrency apps targeting U.S. investors after nearly 250 victims lost a combined $42.7 million. (Photo by Anthony Kwan/Getty Images)

The roller-coaster ride of cryptocurrency valuations recently has a new wrinkle: criminal groups are increasingly defrauding investors with their fraudulent crypto applications, according to a recent notice from the FBI.

Becoming more aggressive in their schemes, cybercriminals are reaching out directly to U.S.-based investors in cryptocurrency, “claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cyber criminals have used with increasing success over time to defraud the investors of their cryptocurrency,” according to the private industry notification released last week by the FBI’s Cyber Division.

The FBI reportedly identified 244 victims who lost a total of $42.7 million in recent months through these scams, according to the notice, which was specifically aimed at U.S. financial institutions and customers, “who suspect they have been defrauded through fake cryptocurrency investment apps.”

“Threat cybercriminals are creating fraudulent cryptocurrency investment apps to exploit legitimate cryptocurrency investments, defrauding U.S. investors and causing reputational harm to U.S. investment firms,” the FBI notice stated.

The FBI notice pointed out that cybercriminals are taking advantage of the recent trend of “innovative financial institutions offer[ing] mobile apps to enhance user experience and increase legitimate investment. ... The FBI has observed cyber criminals using the names, logos, and other identifying information of legitimate USBUSs, including creating fake websites with this information, as part of their ruse to gain investors.”

Indeed, given the rising popularity and ubiquity of cryptocurrency investment and the fast-paced changes in valuations, crypto scams “are more pervasive than ever,” according to a report released in late June by fraud prevention company Sift. More than 1 in 5 consumers (22%) who have encountered crypto scams have lost money, and more than 2 out of 5 (43%) have encountered scams asking them to join fake crypto exchanges, according to Sift’s findings.

At the root of many of these crypto-scams is “misleading or fraudulent content,” particularly published on social media, which has caused unwitting investors to be taken in by these increasingly sophisticated fake applications, Sift reported. Nearly three-quarters (73%) of the consumers Sift had surveyed said they see misleading content on at least a weekly basis, and two-thirds (65%) said that they see social networks as the “most dangerous” source of false information.

Names of fake apps closely related to legitimate crypto exchanges

These attacks are not only becoming more frequent and advanced, but fraudsters are also leveraging legitimate applications and financial concerns along with false information to steal steadily more money from their victims with each individual scam. Between Dec. 22, 2021, and May 7, 2022, the FBI discovered that “unidentified cybercriminals purporting to be a legitimate U.S. financial institution defrauded at least 28 victims of approximately $3.7 million.”

In that particular scheme, cybercriminals convinced victims to download an app that used the name and logo of an actual U.S. financial institution and deposit cryptocurrency into wallets associated with the victims’ accounts on the application.

“When 13 of the 28 victims attempted to withdraw funds from the app, they received an email stating they had to pay taxes on their investments before making withdrawals,” the FBI reported in its notice. “After paying the supposed tax, the victims remained unable to withdraw funds.”

And that’s just the tip of the crypto-fraud iceberg: Between October 2021 and May 2022, one group dubbed YiBit1 (close to the same name of a real crypto-exchange that shuttered in 2018) stole roughly $5.5 million from at least four victims. In November 2021, cybercrime group Supayos (also known as Supay2, which is very similar to the name of legitimate currency exchange in Australia) coaxed $900,000 out of one victim by convincing the crypto-investor that there was a “minimum balance” of that much that had to be deposited in the account.

As cybercriminals increasingly exploit the names of or connections to legitimate financial and cryptocurrency concerns, it has become harder for even savvy cryptocurrency investors to discern the real from the fake. One-third (33%) of consumers who have been a victim of payment fraud identified financial service sites as “the ones that pose the highest risk,” according to Sift’s Q1 Digital Trust and Safety Index. The Sift report also found that crypto exchanges alone had seen a 140% uptick in “abuse” over the first quarter of this year.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.