“I got hacked and don’t even know how it happened,” mourned one crypto user on Twitter. “I left my wallet open in my browser on MetaMask and they got into my wallet. Lost all saitama, floki and hokk.”
A small crypto investor, @ltjyaussie says he has always been careful with wallet security issues but did not know what hit him this time around. The Cyprus-based investor was a victim of a systematic attack. Against all his perceived defenses, he still got taken for a ride.
He’s just one of the millions of ordinary investors — a good number of them being first-timers — who might face similar threats as they seek to cash in on bitcoin’s (BTC) anticipated record-breaking rally during the last two months of this year and beyond.
So what can retail cryptocurrency investors do to make their money as safe and secure as possible?
Never share your private keys
James Wo, who, as founder and CEO manages millions of dollars at hedge fund Digital Finance Group, stresses that a useful rule of thumb to safeguarding crypto assets is “never let anyone know the private keys to your wallet.” Put simply, private keys are a form of a complex password that prevents theft and unauthorized access to one’s wallet.
Wo cautioned against using insecure Internet connections while making transactions on personal devices such as mobile phones and tablets. That means double-checking the URL of verified websites that you visit often, particularly those that you use to trade. Or simply bookmark them.
“It is also recommended that users maintain multiple wallets to store their cryptocurrency,” Wo told BeInCrypto in an interview. This will help “protect users’ portfolios” and mitigate losses in the event of a breach, he added.
Wo warned that opening “any suspicious and unknown links while making crypto transactions” may be costly. That’s because “hackers embed malicious links in ads and emails,” or even text messages, to perform what is known as a phishing attack to steal funds stored in wallets.
Phishing comes in several forms, but generally involves an attacker luring unsuspecting victims into revealing sensitive information or to visit a booby-trapped website. Users typically receive emails or messages supposedly from a trusted wallet provider requesting they change their passwords or seed phrase.
Once this information is in the hands of the hacker, they will then use that to create new log-in credentials and steal funds.
In other instances, hackers take control of legitimate websites (like what happened to Pancakeswap) and replace them with a fake interface, before tricking users to enter their private keys on the fraudulent site. The use of a virtual private network (VPN) usually solves this problem, say experts, as it encrypts traffic.
“Beyond phishing, there are also malicious mobile apps that have the hidden ability to log users’ keystrokes or watch the activity on users’ screen,” Wo explained. “Retail investors who choose unqualified exchanges to invest or trade also face the risk of losing their money during the breach of these exchanges.”
Crypto dusting attacks
The 2017 bull run was largely driven by retail investors. Now, with the number of ordinary people investing in crypto around the world climbing nearly 900% over the last year, according to Chainalysis, small investors are, once again, expected to play an important role in bitcoin’s drive toward the psychological $100,000 threshold this year.
But many still remain vulnerable to cyber-attacks. Raul Ayala is a crypto investor from Los Angeles, California in the U.S. One day a coin called key7 randomly appeared in his Coinbase wallet and he didn’t know what to do with it.
“I was advised not to try [to] sell it, otherwise it would wipe out my wallet. So I’m not even going to touch it,” said a fretful Ayala, in a tweet. He had just escaped a dusting attack, an offensive activity used by cybercriminals to break and deanonymize the privacy of crypto users by sending a tiny amount of tokens to their wallets.
“The number of tokens sent is so small that they are barely noticeable, and that’s where the name ‘dust’ comes from,” says Wo, the hedge fund manager. “The transactional activity of these wallets is then tracked down by the attackers, who perform a combined analysis of different addresses to deanonymize the person or company behind each wallet.”
Dusting attacks can be avoided by using wallets that create new addresses each time a transaction is made, making it difficult to trace, he added.
Blame it on retail investors
Oleg Belousov, CEO of digital asset exchange N.Exchange, told BeInCrypto that “the best way [to safeguard funds] is to have a self hosted cold wallet.” This is a type of wallet that is not connected to the internet, where most thefts occur.
He suggests keeping funds in hardware wallets such as a Ledger or Trezor, even though recent security tests revealed that the latter could be broken within 15 minutes of gaining physical access to the wallet.
Belousov prefers ordinary investors keep their assets in the official wallets of the coins they buy, and not in “apps that promise to be non-custodial” when often “their source code is closed or not audited.”
Retail investors may be to blame for the loss of their own money, however.
“Believe it or not most people send their money to scammers on their own accord, meaning that social engineering (phishing) and high yield investment programs are accountable for 90% or more of the scams newcomers are falling victim to,” claimed Belousov.
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.