[HN Gopher] Anatomy of a cryptocurrency scam
___________________________________________________________________
Anatomy of a cryptocurrency scam
Author : atilla_bilgic
Score : 84 points
Date : 2024-06-29 16:22 UTC (6 hours ago)
(HTM) web link (practicalsecurity.substack.com)
(TXT) w3m dump (practicalsecurity.substack.com)
| yieldcrv wrote:
| lots of scams are able to continue by getting the victim to do
| things they wouldn't report to the police, or even to their
| relatives out of embarrassment
|
| although I think it is an interesting idea that scammers
| intentionally make typos and absurdities, just to weed out
| discerning people in favor of easier victims, I think there is a
| larger market for meticulous more legitimate looking scams as
| well
|
| this one fits somewhere in between
| Algemarin wrote:
| > I think it is an interesting idea that scammers intentionally
| make typos and absurdities, just to weed out discerning people
| in favor of easier victims
|
| This is an apocryphal anecdote or theory that gets passed
| around, but I'm not sure how true it actually is, and certainly
| not universally true. In that, I think scammers are way more
| likely to just make typos than to setup an elaborate low-level
| target filter. Regardless, I've also never actually seen
| scammers admit to this.
| the_snooze wrote:
| https://www.microsoft.com/en-us/research/publication/why-
| do-...
| Algemarin wrote:
| This is exactly the kind of thing I was talking about,
| taken to an extreme. A lot of theorizing about ROC curves
| and optimal operating point formulae, and absolutely no
| empirical, qualitative evidence (such as any interviews
| with actual scammers).
|
| For example, there is no actual sample data provided to
| substantiate even the premise, let alone the conclusion of
| this claim:
|
| > In choosing a wording to dissuade all but the likeliest
| prospects the scammer reveals a great sensitivity to false
| positives.
| bediger4000 wrote:
| Thanks for being more eloquent about critiquing that
| paper than I could be. But that leaves the observation
| about grammar and spelling in spams and scams
| unexplained. How should we explain scams terrible
| presentation?
| teractiveodular wrote:
| Occam's razor: the messages are created by the uneducated
| dregs of society in countries where English is not a
| first language, and that's the best they can do.
| alwa wrote:
| Although sometimes, rarely, the victim confesses their
| embarrassing actions as a warning to others in a well-written
| firsthand perspective in a national newsmagazine [0]
|
| [0] https://www.thecut.com/article/amazon-scam-call-ftc-
| arrest-w...
| nradov wrote:
| I doubt the veracity of that story. No real evidence, and it
| reads like a creative writing exercise. Did the editors even
| fact check it?
| wslh wrote:
| I suggest you the following exercise to see it with your own
| eyes: enter a Telegram channel on a top 100 cryptocurrency, say
| that you are trying to recover your wallet and...
|
| Suddenly a lot of scammer will contact you in less than 5' with
| techniques that you cannot imagine are real. For example,
| telegram handles with the same name as the channel admin but
| using unicode characters to make tou think it is the same
| account.
| TheDudeMan wrote:
| What is the standard solution to this type of phish? This
| problem did not exist in the ASCII world, of course. Unicode is
| useful, but what is the best way to prevent this malicious use
| of it?
| omneity wrote:
| This problem extends beyond character encoding. The average
| joe (and not so average alike) seems to have a hard time to
| distinguish official channels from non-official scammy ones,
| even more so when the official channel doesn't exist on a
| given platform ("we don't offer support via Telegram" kind of
| situations). Cue in some greed as well and you got a perfect
| recipe for disaster.
|
| The root issue is the lack of skepticism and verification. At
| the same time humans have limited energy and verifying
| everything causes significant fatigue over time, so the
| problem might as well be intractable.
| pessimizer wrote:
| It's not about average Joes, it's about large numbers. If
| the scam works on 1/100 people in the US, that's 4 million
| people. If you're automating pitching it to 500 people a
| day, that's 5 wins a day. If your average haul is $500,
| that's $2500 a day. That's $900K a year.
| raincole wrote:
| I do think it's good for certain things to be ASCII-only.
| People will say it's Americentrism or Anglo-Saxon-centrism.
| Ok so be it. Make the account handles and email addresses not
| inclusive and ASCII-only.
| irusensei wrote:
| Reminds me of an elaborate reverse scam where the person asking
| for help have some USDT or other tokens on that ethereum
| address and a script to immediately swipe the funds the scammer
| will use for gas.
| Algemarin wrote:
| This scam is successful because it is predicated on the same
| appeal that ventures like lotteries, sweepstakes, slot machines,
| or giveaways have (albeit accentuated with a seemingly guaranteed
| win, that these other ventures don't have): the belief that you
| can just luck into a giant treasure chest of money by expanding
| minimal effort.
|
| Broadly, this is a modern version of what's known as an advance-
| fee fraud, which has been around for hundreds of years - paying a
| small amount upfront (hence the 'advance fee') under pretense of
| receiving a much larger amount later.
| nradov wrote:
| The difference is that while lotteries and casinos are out to
| take your money they're at least honest about it. If you win
| they'll pay out in real money. They're not rug pull scams.
| Algemarin wrote:
| The dishonesty lies in obfuscating the actual odds of
| winning, making the honesty about the payout a moot point as
| it's not particularly applicable for most entrants.
| nradov wrote:
| Where is the obfuscation? Most lotteries post the odds
| right on the main game page. What more do you want?
|
| https://www.calottery.com/draw-games/superlotto-
| plus#section...
| Algemarin wrote:
| > What more do you want?
|
| For it to be clear how unrealistic the odds are. They're
| not exactly broadcasting "you're 40 times more likely to
| be struck by lightning than to win the jackpot", instead
| their site screams "Millions Could Be Yours!". That is
| the dishonesty and obfuscation. Millions _could_ be
| yours, but they are very unlikely to be yours, in fact
| realistically approaching zero. While advance fee scams
| say "millions will definitely be yours", with the odds
| being absolutely zero. But neither are meaningful odds.
|
| Though regardless, my original point wasn't about odds
| but about the lure and the appeal of both of these
| things: the potential for getting a lot of money for
| doing virtually nothing (other than spending a bit of
| money up front).
| Calavar wrote:
| At a certain point it falls to personal accountability. A
| would be lottery ticket buyer can get all that info in 30
| seconds by googling "How likely am I win to win the
| lottery?" If they don't do that, that's on them.
|
| Advance fee scams are different because 1) they are
| telling outright falsehoods and 2) they come cloaked in a
| broad variety of disguises, which means that a naive web
| search is not guaranteed to unveil the deception
| Algemarin wrote:
| A user can just as easily identify a scam such as the one
| in this post by also taking 30 seconds to do a web search
| for some phrasing from the email.
|
| And "if they don't do that, that's on them"? This is
| victim blaming in both cases.
| isawczuk wrote:
| If it was not a scam, you are ok to steal someone's savings.
| Maybe those type of scams are instant karma?
| grotorea wrote:
| "You can't cheat an honest man"
|
| But there are plenty of cryptocurrency scams that don't require
| that. Just some place that looks like an exchange but is
| actually a money hole.
| jfengel wrote:
| Yeah, that expression is how people protect themselves. "Of
| course you got hurt. You were dishonest. It therefore cannot
| happen to me."
|
| Honest people get cheated every day.
| grotorea wrote:
| Oh sure but at least honest people can avoid being swindled
| by this stuff or falling for some types of pump and dump or
| pyramid schemes.
| m3kw9 wrote:
| First ingredient is the scumbag itself
| georgeecollins wrote:
| One thing I feel like I have learned from Reddit/ TikTok is the
| average person is terrible with money. Some VCs argue we should
| lower the bar to investing to democrative it. I am all for
| democracy, but maybe we would be better served if the average
| person didn't try to be a tycoon.
| SkipperCat wrote:
| One of workplace tragedy in America is how we moved from
| professionally managed pensions to individual 401k retirement
| plans. Most folks have no business deciding asset allocation,
| managing risk, etc.
| virtue3 wrote:
| good thing the investment firms kept the fees the same tho :)
| pizzalife wrote:
| Most 401ks will just default to a target date fund, which is
| usually a total market stock ETF + bonds. That will certainly
| perform better than most actively managed pension funds.
| paulryanrogers wrote:
| But worse than the defined benefit pensions that 401k's
| were leveraged to replace.
| paulpauper wrote:
| Two types of people: those who have money and those who have
| yet to be separated from it.
| paulryanrogers wrote:
| Aren't those one and the same group?
| Terr_ wrote:
| I think the tricky thing is the distinction between:
|
| (A) Democratization: Let everyone participate as individuals on
| a freshly equalized playing field that was previously so
| slanted they couldn't even _try._
|
| (B) Democratization: Encourage lots of small disorganized
| weaker players into the market as _unwitting prey_ for existing
| interests that have already established themselves with
| regulatory or competitive edges that they retain /maintain
| indefinitely.
| Terr_ wrote:
| _P.S.:_ A closely-related rant over another situation
| involving market-access and devil-in-the-details: Various
| attempts to "privatize social security" often with the pitch
| of "giving individuals more control."
|
| In this case I'm not focused on whether individuals can act
| wisely, but rather that such plans often means replacing an
| _insurance policy_ with an _investment account_. Those two
| kinds of financial instruments have _extremely_ different
| features, benefits, and risks!
|
| So even if believe that's a great idea, be be suspicious of
| anybody who seems to be trying to hide that aspect of their
| plan from the public, since it means they're trying to get
| voters to make an _un_ informed choice.
| greentxt wrote:
| Well, if the privatized version doesn't allow other people
| to take my money away from me at the point of a gun and
| give it to other people, using the state's proverbial
| "monopoly on violence" it doesnt seem like a very fair
| comparison. Apples and oranges. Maybe that was your
| implicit point?
| pants2 wrote:
| As it turns out, the accredited investor rule (>$1M liquid
| assets) isn't to filter for savvy investors, it's to make sure
| you can still land on your feet after your investment
| disappears.
| smeej wrote:
| This is...not realistic on any level. I've been professionally
| investigating cryptocurrency scams/thefts/fraud since 2017.
|
| This is at least twice as convoluted a process as is necessary to
| separate people from millions and millions of dollars in
| cryptocurrencies if the site stays up for a week. People don't
| bother spinning up stuff like this when the easy stuff works just
| fine.
| paulpauper wrote:
| Yeah a fake livestream of Elon Musk or Mike Saylor still makes
| hundreds of thousands of dollars/day undetected and untraced,
| no FBI involvement or arrests at all, still going strong to
| this day. Why waste time with this crap.
| redorb wrote:
| I've been reporting fake tesla and space x accounts so often
| on youtube - that I eventually wrote a script to copy and
| past into the report.
|
| Most of the time they do get removed - sometimes successfully
| before the QRcode is displayed. They even bot the streams so
| it appears like 30-40k people are watching creating 'social
| proof'
| dullcrisp wrote:
| But don't you want to buy the book to learn how not to fall for
| these scams?
| landryraccoon wrote:
| I'm curious, do you advertise your services to the public? I
| have a relative who's been victimized by a cryptocurrency scam.
| Would you mind if I contacted you about it?
| yieldcrv wrote:
| As a counterpoint it is very realistic. If you ever launch a
| token and run your own telegram channel, all sorts of
| specialists come out the woodwork with extremely convoluted
| schemes
|
| The sad thing is that the legitimate ones look just like the
| illegitimate ones
|
| My first top exchange listing was through a DM
|
| I've done partnerships with no name exchanges that turned out
| fine, also initiated over unsolicited DM
|
| been scammed a few times by people that didnt deliver, and had
| no intention to
|
| both the legit and illegit ones have no references because
| their clients are all other token projects whose community
| needs to feel everything happened organically
|
| scammers take advantage of this desire for secrecy
|
| it's really just all about niche and specialization
| MaintenanceMode wrote:
| smart enough to do all that, but not smart enough to spot the
| scam? LOL!
___________________________________________________________________
(page generated 2024-06-29 23:00 UTC)