18/01/2023
Cryptocurrency and its most prevalent scams
Aperio’s work experience intern, Arisha Shtypel, is currently studying for a BSc in Security in Crime Science at University College London. She has a particular interest in financial crime risks affecting the cryptocurrency, decentralised finance (DeFi) and non-fungible token (NFT) spaces. Her article, written as part of her work placement, presents an overview of the main types of cryptocurrency scams
Introduction
Cryptocurrency’s rapidly increasing popularity has highlighted an important need to shine a light on crimes and potential threats faced by cryptocurrency users. Cryptocurrency is particularly attractive to criminals due to its novelty and anonymity. Its novelty raises two issues: firstly, few appropriate regulations are in place to control cryptocurrency, and secondly, most investors in cryptocurrencies are relatively unfamiliar with the products they are investing in, which makes them easy targets for scams and other threats. The anonymity with which users are able to create cryptocurrency tokens and accounts with which to send and receive funds, meanwhile, allows criminals to easily “disappear” with stolen cryptocurrency funds, which are harder to trace than traditional fiat currency.
Attempts by academics and investigators to establish the profile of a typical cryptocurrency scammer have been made more difficult by the fact that few of the scammers are ever caught. However, according to Routine Activity Theory – an academic crime opportunity theory which relates to the factors which increase the likelihood of a crime taking place – all three of the theory’s factors come together to facilitate illicit crypto activity, namely
the absence of a capable guardian (in this case a lack of regulation); a suitable target, in this case the large numbers of inexperienced cryptocurrency users and investors; and a motivated offender. This article will discuss six types of scams that frequently occur in the field of cryptocurrency.
- Rug pulls
Rug pulls are a relatively new type of crime. The name originated from the phrase “to pull the rug out from under someone”. In general, rug pulls are scams executed by groups of developers who create what appears to be a legitimate cryptocurrency project. After enough funds have been invested, the developers abandon the project, withdraw the invested money and disappear. Rug pulls are prevalent in the Decentralized Finance (DeFi) ecosystem. This is because, with a certain level of knowledge of cryptocurrencies and token creation, it is relatively simple and cheap to create a token and list it on Decentralized Exchanges (DEXs) without a code audit having taken place.[1] [2]
Four “red flags” are common to most rug pulls. First, a rug pull cryptocurrency token will usually be the subject of significant “hype” on social media in order to get potential investors interested in the project. Second, the project’s developers will usually remain anonymous, even as their project is being heavily promoted, to facilitate their exit from the project. Third, the token which is being used for a rug pull will usually be listed on a DEX which allows for rapid removal of the funds received from unsuspecting investors. And fourth, the rug pull token will almost never have been subjected to a code audit.
According to the blockchain research group Chainalysis, in 2021 37% of the total revenue generated by cryptocurrency scams came from rug pulls, accounting for $2.8 billion worth of cryptocurrency.[3]
The scope of rug pulls can vary widely. One significant rug pull in 2021 was the Luna Yield project.[4] It was the first rug pull that took place on the Solana blockchain, a public access blockchain which had been launched in March 2020. Even though extensive documentation relating to the project was submitted, the Luna Yield’s developer stole $6.7 million in investor funds three days after its Initial DEX Offering (IDO). Although small rug pulls attract less widespread media attention, their increasing frequency is equally concerning as large-scale rug pull scams. These include rug pulls using non-fungible tokens (NFT) such as the Mercenary Gold NFT project, in which users were encouraged to invest in a “play-to-earn” video game which would reward them with the game’s cryptocurrency for playing. Just a week after the game was launched, Mercenary Gold’s anonymous developer deleted the game’s website and social media profiles and withdrew all invested funds from the game, stealing some $1 million.[5]
Further examples of NFT rug pulls include:[6]
| NFT name | Amount stolen | Year |
| Iconics NFT | $140,000 | 2021 |
| Baller Ape Club NFT | $2 million | 2021 |
| Evolved Apes NFT | $2.7 million | 2021 |
| Frosties NFT | $1.3 million | 2022 |
- Pump-and-dump[7]
Pump-and-dump scams are similar to rug pulls. Cryptocurrencies are not backed up by fiat currencies or other real assets, so their price is dependent entirely on supply and demand. This allows scammers to manipulate the market. For the pump-and-dump scam, fraudsters buy a cheap coin and artificially inflate its price by giving false information on social media (usually Discord or Telegram). This “hype” around the coin leads investors to buy in, driving up demand and consequently the coin’s. At a certain point when the value of a coin is high enough, the fraudsters sell their holdings in the coin, causing the price to crash. One such notorious scheme was the “Squid Game” token, which was launched to cash in on the huge popularity of the eponymous Korean TV show, and in which fraudsters walked away with $12 million in investors’ funds.
Although a recurring fixture in cryptocurrency scams, pump-and-dump schemes have existed since long before the introduction of cryptocurrencies, with high-profile examples of these schemes including the stock brokerage Stratton Oakmont, of Wolf of Wall Street Fame, and the scammer Greg Mulholland, who prior to being sentenced to 12 years in prison in February 2017 had orchestrated over 50 pump and dump schemes, stealing an estimated $250 million in investor funds.
- Ponzi schemes:
Ponzi schemes are not an emerging scam, they have existed for decades. The concept of a Ponzi scheme is tricking people into thinking that they are making a legitimate investment which guarantees gain but instead uses money from new investors to pay off old investors[8]. Recently fraudsters started using cryptocurrency in Ponzi schemes.Thecase of Finiko illustrates well how effective the application of Ponzi scheme tactics to cryptocurrency has been. Finiko was a Russian Ponzi scheme which ran for approximately 19 months, terminating in 2021. It asked users to invest Bitcoin or Tether on its platform and promised a guaranteed monthly 30% gain. By the time it was terminated following an investigation by Russian authorities, it had acquired more than $1.5 billion worth of Bitcoin and lost investors an estimated $95 million.[9] Although three of the project’s four developers have been arrested in Russia and the UAE, the fourth remained at large as of December 2022.
- Employment scams:[10]
The nature of employment scams lies in the name. Scammers pretending to be prospective employers will reach out to people who have posted their CVs online. They will then offer the candidates a job and ask potential “employees” to pay for initial training or equipment in cryptocurrency. After depositing the cryptocurrency in the scammers’ accounts, the candidates find that in reality there is no job offer and no training.
- Man in the middle attack (MITM)[11]
MITM attacks usually happen in public spaces, such as cafes and airports, where the perpetrator accesses the user’s private information via an unencrypted Wi-Fi connection and places himself between two parties conducting a cryptocurrency transaction. By doing so he can steal personal information such as cryptocurrency wallet keys, granting access to the victim’s funds.
- Non-fungible token (NFT) wash trading[12]
Wash trading refers to a transaction where the seller and the buyer are the same person. It is done to create a false sense of demand and increase the value of a product. Such practice is not allowed in traditional markets, but those rules have not yet affected NFTs. A user would send their NFT to a self-financed account (a new wallet, which is controlled by the same seller). According to a report by Chainalysis, this process carries significant financial risk to the scammer as there is no way to predict with any certainty that the demand will actually result in a sale at inflated prices. The Chainalysis report indicates that 110 addresses collectively gained $8,875,315 through NFT wash trading, while 152 addresses lost $416,984.[13]
Conclusion
Most of the scams targeting the cryptocurrency sector are not novel. They have existed for a long time in different traditional finance areas before being applied to cryptocurrency. The cryptocurrency scams discussed in this article all have similar traits. Cryptocurrency is relatively easy to manipulate as it is not backed up by real assets, making scams like rug pulls and pump-and-dumps easily executable against unsuspecting investors looking to cash in on cryptocurrency’s popularity.
One of the main reasons why cryptocurrency scams are occurring so commonly is the lack of regulations. As cryptocurrency is relatively novel some existing measures do not apply to it and new measures have not been fully introduced. In the absence of strong regulatory frameworks, it falls upon the investor, who most likely does not have a detailed knowledge of cryptocurrency, to perform their own due diligence to ensure that the projects they are investing in are legitimate.
[1] A code audit is a manual review of a cryptocurrency project’s underlying code, usually undertaken by third parties independent from the project.
[2] https://academy.binance.com/en/glossary/rug-pull
[3] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
[4] https://coingeek.com/solana-sees-first-rug-pull-luna-yield-disappears-with-6-7m-in-digital-currency/
[5] https://coincodecap.com/mercenary-gold-nft-project-rugpull
[6] https://www.banklesstimes.com/cryptocurrency/top-nft-rug-pulls/
[7] https://cointelegraph.com/news/what-are-crypto-pump-and-dump-groups-are-they-legal
[8] https://academy.binance.com/en/glossary/ponzi-scheme
[9] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
[10] https://help.coinbase.com/en/coinbase/privacy-and-security/avoiding-phishing-and-scams/avoiding-cryptocurrency-scams/employment-scams
[11] https://coinmarketcap.com/alexandria/glossary/man-in-the-middle-attack-mitm
[12] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
[13] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf