Kaspersky experts took a close look at the phishing pages aimed at potential crypto investors as well as the malicious files that are distributed under the names of the 20 most popular cryptocurrency wallets. Since the beginning of 2022, Kaspersky products have detected and prevented almost 200,000 attempts to steal users’ digital currencies and wallet credentials via phishing. The number of such attempts almost reached 50,000 in April, which is about half of the figure for the whole first quarter of 2022. Crypto wallets are the primary target for scamming and malicious activity.
With the boom in digital currencies observed over the past five years, Kaspersky experts have seen various cybercriminal tactics used to steal cryptocurrency – from luring victims with gifts sent by crypto exchanges to distributing Trojanized DeFi wallets. Crypto wallets are the primary target for scammers because they are the initial place of storage for cryptocurrency and deal with large amounts of virtual money.
In 2022, Kaspersky products have recorded 193,125 phishing attempts aimed at potential crypto investors or users interested in cryptocurrency mining. Throughout the first quarter of this year, Kaspersky experts discovered about 107,000 attempts. Then in April alone there were nearly 50,000 attempts – that is nearly half of the previous quarter's total in a single month.
Fraudsters mimic the original crypto wallets’ websites and lure victims into entering a personal seed-phrase, a secret phrase of 12 or 24 words that ensures the security of the wallet, along with a password and private key. Once the user shares their secret phrase, they are redirected to the real website; however, their account and all of their savings are now in the scammer’s hands.
An example of a phishing page asking for the seed-phrase
In fact, crypto wallets have become the target of numerous malicious and scamming activities, including not only phishing pages disguised as the most popular wallets but also malware distributed in their names. Kaspersky experts took a close look into the malicious files that are distributed using the names of 20 of the most popular cryptocurrency wallets.
The list of crypto wallets analyzed by Kaspersky
As a result, they found that within the first five months of 2022, Kaspersky products had prevented more than 1100 users from downloading more than 1400 different variants of malicious files spread under the analyzed crypto wallet names. Out of the discovered malicious files, 75% abused the name of the Binance exchange. This was followed by Electrum (10%) and MetaMask (9%). Most often, fraudsters distributed Trojan downloaders, programs that download and install new versions of other malicious programs. However, among the analyzed files, the experts also found bankers, spyware and ransomware.
“Scammers will stop at nothing to steal cryptocurrency. With the growing value of digital currencies, fraudsters have been intensifying their scamming activities toward potential investors. Phishing crypto scams deserve special attention – because they’re based on social engineering, these attacks do not require any advanced technical skills to be launched and work well for the fraudsters. They are often successful due to a user’s inattention and lack of awareness. Hence, users need to be wary of basic scamming indicators: offers that are too generous, proposals from unknown senders as well as requests for money with the promise of future profit,” comments Alexey Marchenko, Head of Content Filtering Methods Research at Kaspersky.
To protect yourself against crypto scams, Kaspersky experts recommend:
- Being vigilant. Unexpected messages about the loss of money and accounts or transfers, gifts and winnings are almost always a trick.
- Always checking links carefully. It’s best not to click on any links in messages from internet service providers at all — instead, type the address of the service into your browser.
- Installing a reliable antivirus solution to protect yourself against phishing. For example, Kaspersky Internet Security’s built-in anti-phishing and antifraud modules warn users about potentially dangerous sites before it’s too late.