Cryptocurrency fraud may be declining thanks to tighter controls and better investigative tools, but as cyber criminals exploit new technologies like decentralised finance (DeFi) and non-fungible tokens (NFTs), experts are warning investors to stay vigilant.
Despite the theft of around $18.65b ($US14b) in cryptocurrency during 2021, that amount “is actually a very small number if we look at overall total economic activity” around cryptocurrencies, Ethan McMahon, an economist with blockchain-investigations firm Chainalysis, noted in a recent webinar.
That amount “only represents about 0.15 per cent of all economic activity”, McMahon said, noting that “the number in percentage terms is decreasing.”
That rate is still far higher than the 0.01 per cent fraud rates seen on Australian credit cards last year, with dollar losses from crypto fraud just half the $42.6b ($US32b) recorded worldwide – but even this, McMahon said, is a “minuscule number” compared to the 3.37 per cent fraud rate just three years ago.
Proprietary cross-matching techniques are replacing tedious manual tracing, enabling Chainalysis to follow cryptocurrency between crypto exchanges, cybercriminals, ordinary users, and investment services that all record their transactions on the public blockchain.
After years of high-profile cryptocurrency thefts, rug pulls and disastrous accidents, exchange losses now represent a “smaller and smaller chunk of the pie”, McMahon explained – confirming exchanges are finally stemming their losses with better security and authentication processes.
“Centralised exchanges have started to have better KYC [Know Your Customer] and anti-money-laundering [AML] processes,” McMahon said, “and live bad actors are probably a little bit less enthused to interact with them because they’ll more likely than not get caught.”
Even more promising is the newest category in the company’s latest analysis – recovered funds – confirming that authorities are getting ever better at using blockchain analysis techniques to trace, confiscate and return stolen funds.
Yet even as cryptocurrency exchanges shake off their ‘wild west’ early days, crypto criminals are diverting their attention to areas like NFTs – as with the recent theft of over $800m ($US600m) in Ronin NFTs from game developer Sky Mavis by the North Korea-aligned Lazarus Group.
Using decentralised finance (DeFi) platforms – whose lack of central controls has made them popular for laundering stolen cryptocurrency – Chainalysis watched Lazarus launder the stolen tokens by distributing them across blockchains using transaction anonymiser Tornado Cash.
Even when Tornado Cash applied Chainalysis’s recently released Sanctions API – a free tool that flags transactions related to politically sanctioned nation states – the thieves changed tack to continue their activities.
A new breed of crypto scam
DeFi platforms – which democratise finance by operating without the controls of centralised institutions like cryptocurrency exchanges and banks – are built on open-source components that have proven to be a playground for crypto criminals.
“The general reason for this,” McMahon said, “is that DeFi is new – and, therefore, there are a whole bunch of new ways to exploit users.”
“They’re playing on the very thing that makes DeFi attractive to others,” he continued, noting that decentralised open-source platforms “are actually a hindrance when criminals get involved, because they are able to exploit any code weaknesses.”
Sophos Labs security researchers recently documented a new DeFi scam that lures investors with promised returns from ‘liquidity mining’ – a legitimate system in which investors lend cryptocurrency to a DeFi exchange’s ‘liquidity pool’ to ensure the exchange has enough crypto to complete user transfers.
Users are paid with liquidity pool tokens (LP Tokens) that represent a proportion of the total pool; their value generally increases the longer users allow the exchange to hold their funds.
Enter cryptocurrency scammers, who are recruiting users on social media and messaging apps with promises of double-digit returns in days or weeks if they contribute their crypto to the pool of supposed DeFi exchanges.
Most users will struggle to understand the detail of liquidity mining, but as online scammers play the long con, even “crypto-curious” investors are being encouraged to get in on the game.
Once they follow instructions to link their cryptocurrency wallets with those of the scammers, punters can count on being cleaned out in a matter of seconds.
“The complexity of cryptocurrency and the DeFi scheme based on it have created an environment where criminals can draw victims in,” warned Sophos Labs senior threat researcher Sean Gallagher in an analysis of this latest scam.
Crypto criminals operating primarily from China, he said, are “using the complexity of DeFi as camouflage for fake apps, malicious contracts, and other schemes that make the victims think they’re on the road to wealth while getting them to turn over more and more currency.”
With digital Ponzi schemes, fraudulent tokens and flat-out theft all increasingly common, he continued, “unfortunately there are several ways things can go awry if the people behind the liquidity pool are unethical or criminal.”
“If the tokens get cancelled – or there was never really a pool backing them at all – that all goes out the window.”