
Top 5 fraud risks crypto platforms must protect themselves against

Written by CoinCover | Mar 12, 2025 1:21:56 PM

As cryptocurrency fraud threats evolve, so must your defence against them. In our first post, we explored the rising financial and reputational cost of crypto fraud, with the total crypto value received by illicit addresses reaching $40.9 billion in 2024.

This second installment dives into the main attack vectors threatening both crypto platforms and their customers: from phishing and social engineering to insider threats and fraudulent token launches. Understanding these risks is crucial, because the platforms that serve as the gateway between Web2 and Web3 are often the first line of defence between scammers and their potential victims.

 

 

1. Phishing and social engineering: exploiting human vulnerabilities

Despite being extremely well-publicised, phishing remains one of the most pervasive threats in crypto. Attackers impersonate legitimate entities or people, such as on-ramps, exchanges, or wallets, to trick investors into surrendering their credentials or private keys. Specific tactics include:

Fake websites or apps: Attackers create near-identical copies of legitimate platforms, often using typosquatting (e.g. "MetaMaskk.com") or fraudulent app store listings. These clones trick investors into entering their credentials, payment information, or KYC documents, which are then harvested and exploited.

Spear phishing: Unlike generic phishing, spear phishing involves highly personalised attacks. Hackers research targets via LinkedIn or leaked employee directories to craft convincing messages, which they then send to their victims. This could be anything from a spoofed email from someone’s CTO requesting urgent API key updates to a fake HR survey linking to a malware-infected form.

Social media scams: This is a growing trend that involves attackers hijacking verified social media accounts (e.g. influencers, project founders, exchange support teams) to promote fraudulent memecoins that are later abandoned in a rug pull.
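A defensive check for the typosquatting tactic above, as an added example that is not part of the original post or any CoinCover product: it flags domains whose name is within a small edit distance of a protected brand domain. The `PROTECTED` list, the threshold and the function names are illustrative assumptions.

```python
# Added example: flag look-alike (typosquatted) domains against a protected list.
# PROTECTED is a constructed sample list; a real deployment would load its own domains.
PROTECTED = ["metamask.io"]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            rows[i][j] = min(rows[i - 1][j] + 1,         # deletion
                             rows[i][j - 1] + 1,         # insertion
                             rows[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)  # transposition
    return rows[len(a)][len(b)]

def name_label(domain: str) -> str:
    # Simplification: assumes "name.tld" input. Subdomains and multi-part
    # suffixes need a public-suffix list; homoglyph/IDN tricks need extra checks.
    return domain.strip().lower().rstrip(".").split(".")[0]

def classify_domain(candidate: str, protected=PROTECTED, max_dist: int = 2):
    """Return (verdict, matched_protected_domain_or_None)."""
    cand = candidate.strip().lower().rstrip(".")
    if cand in protected:
        return ("legitimate", None)
    for real in protected:
        # Distance 0 here means the same name registered under a different TLD.
        if osa_distance(name_label(cand), name_label(real)) <= max_dist:
            return ("suspicious", real)
    return ("unrelated", None)

if __name__ == "__main__":
    for d in ["metamask.io", "MetaMaskk.com", "metamsak.io", "example.org"]:
        print(d, classify_domain(d))
```

A check like this can run over newly observed domains in referrer logs, support tickets or certificate-transparency feeds to find clones worth reporting for takedown.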

 

2. Platform hacks: exploiting technical weaknesses 

Despite advances in blockchain security, crypto platforms remain lucrative targets because customers often reuse passwords and employees may lack cybersecurity training. A single compromised account can grant attackers access to customer funds or internal systems. Common attack vectors include:

API vulnerabilities: APIs are crucial for crypto platforms, but they can create vulnerabilities when set up incorrectly. Exposed API keys are a recurring issue, as are poorly rate-limited endpoints that let attackers flood platforms with thousands of micro-withdrawals.

Smart contract exploits: Smart contracts automate transactions but are only as secure as their code - or even, as we’ve seen recently with the Bybit exploit, their UI. Flaws such as reentrancy bugs or logic errors can drain funds. For example, the $80M Qubit Finance breach happened because of a logic error in a smart contract.

Cross-chain bridge attacks: For platforms offering multi-chain services, bridge security is critical. Many exploits hinge on flawed asset-minting mechanisms or compromised governance. For example, the $320M Wormhole bridge attack in 2022 exploited a signature verification flaw to mint 120,000 wrapped ETH without collateral.

 

3. Insider threats: the risk from within

Insider threats pose a unique risk. Employees, contractors, or partners with system access can intentionally or accidentally leak data, manipulate trades, or install backdoors. For example, after the Solana protocol Cypher was hacked in 2023 (because of a bug in its code), one of its developers stole $300,000 that had been raised to repay the protocol’s customers.

Insider threats are particularly dangerous because they weaponise trust. Malicious insiders can exploit their position to siphon funds, manipulate markets, or leak data, often under the guise of routine operations. A developer altering code for a "system upgrade" might embed a backdoor. A compliance officer could quietly exfiltrate KYC data.

 

4. Address poisoning: the illusion of familiarity

Address poisoning involves sending tiny amounts of crypto to legitimate wallets from an address that mimics theirs (e.g. by altering one character). The goal is to trick investors into copying the fraudulent address for their future transactions. In March 2024, an investor accidentally sent 1,155 wrapped bitcoin to a hacker’s address because of this technique.

Investors often copy-paste addresses from their transaction history without double-checking. If a crypto platform has poor address verification tools, its customers are vulnerable. Address whitelisting and UI alerts for similar addresses help minimise this crypto fraud risk.
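One way a platform could implement the allowlist check and the similar-address alert described above, as an added example that is not CoinCover's code: it assumes EVM-style `0x` hex addresses, and the function names, thresholds and sample addresses are constructed for illustration. It goes slightly beyond the one-character case by also flagging addresses that share the leading and trailing characters a truncated wallet display shows.

```python
# Added example: warn before sending to an address that imitates a saved one.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Verdict:
    status: str                      # "trusted", "lookalike" or "unknown"
    resembles: Optional[str] = None  # the saved address being imitated, if any

def _norm(addr: str) -> str:
    # Assumption: hex addresses, compared case-insensitively.
    return addr.strip().lower()

def check_destination(dest: str, allowlist, edge: int = 4, max_diff: int = 2) -> Verdict:
    d = _norm(dest)
    known = [_norm(a) for a in allowlist]
    if d in known:
        return Verdict("trusted")
    for k in known:
        if len(k) != len(d):
            continue
        # Case 1: only a character or two altered anywhere in the address.
        diff = sum(1 for x, y in zip(d, k) if x != y)
        # Case 2: same first/last characters after "0x", which is all a
        # truncated display such as 0xa1b2...9f3e lets the user compare.
        same_edges = d[2:2 + edge] == k[2:2 + edge] and d[-edge:] == k[-edge:]
        if diff <= max_diff or same_edges:
            return Verdict("lookalike", k)
    return Verdict("unknown")

# Constructed sample addresses (not real wallets).
SAVED = "0x" + "a1b2" + "c3d4e5f60718293a" * 2 + "9f3e"
POISON = "0x" + "a1b2" + "0f" * 16 + "9f3e"   # same edges, different middle
ONE_CHAR = SAVED[:-1] + "f"                   # a single character altered
UNRELATED = "0x" + "77" * 20

if __name__ == "__main__":
    for addr in (SAVED, POISON, ONE_CHAR, UNRELATED):
        print(addr, check_destination(addr, [SAVED]).status)
```

A "lookalike" verdict is the case to block or interrupt with a full-address confirmation; "unknown" is simply a new recipient and can follow the normal allowlisting flow.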

 

5. Fraudulent token launches

While not a direct attack on platforms, rug pulls and fraudulent token launches pose a serious reputational risk for any business involved. These scams have evolved from the initial coin offering (ICO) boom of 2017-2018, where projects raised millions through ICOs before disappearing. Today's version typically sees scammers:

  1. Create a memecoin
  2. Use social media to generate hype
  3. Sell off a large stake to crash the price
  4. Leave investors with worthless assets

For crypto platforms, the risk comes from unwittingly facilitating such scams. When customers lose money to a rug pull, they often blame the platform that they bought the tokens on, even if the platform itself wasn't involved in the scam. This can lead to customer complaints, regulatory scrutiny, and reputational damage.

 

The stakes have never been higher

The above examples illustrate the urgency of addressing these fraud threats. Each successful attack erodes customer trust, invites regulatory scrutiny, and destabilises the broader crypto ecosystem. To counter these threats, CoinCover has built the first security solution that directly protects your customers’ accounts with a warranty-backed protection*.

By implementing our fraud prevention technology, platforms can:

  • Eliminate fraud and errors with ironclad security guarantees
  • Build customer confidence 
  • Turn security into a competitive advantage and growth driver

Discover how CoinCover can help your company thrive in a dynamic market while safeguarding your customers. Contact us today to learn more.

Missed our first post? Read it here to understand the rising cost of crypto fraud.

*The warranty-backed protection refers specifically to an assurance given to you by Coincover.