Trading advice part 6: Special risks with crypto assetsSpecial risks, especially when dealing with crypto assets
--------------------------------------------------------------------------------------------
As the crypto market is comparatively “young” and only lightly regulated (compared to conventional markets), there are a number of potential risks to losing your own assets. In the following section, we highlight some of these risks and provide tips on how to avoid them.
--------------------------------------------------------------------------------------------
-- Risks with self-custody wallets --
--------------------------------------------------------------------------------------------
When using self-custody wallets, regardless of whether they are hot wallets (software) or cold wallets (usually hardware), the control over your assets lies with you and no one else. If fraudsters manage to convince you to disclose your private keys or the secret recovery phrase, they will subsequently have full access to your funds.
--------------------------------------------------------------------------------------------
A little metaphor for better understanding:
--------------------------------------------------------------------------------------------
The wallet can be imagined as a locked safe deposit box in a public place. The private key is the key to the locker. The secret recovery phrase is a construction manual for the key to the locker. If an attacker succeeds in obtaining the private key, they can directly unlock the locker and steal the contents. If the recovery phrase can be obtained, it can be used to create a copy of the key to the locker and open it within a very short time. In both cases, this is possible very quickly and without the locker owner being able to do anything about it.
Once an attacker has stolen crypto assets from your wallet, it is no longer possible for anyone to reverse the transaction in decentralized blockchains. Immutability, i.e. the inability to cancel or reverse transactions, is one of the most important features of blockchain technology.
So be aware that with control over your assets comes the added responsibility of protecting those assets. Below we outline some common tactics for detecting fraudulent intent or attacks. Being aware of these is already an essential preventative measure.
Caution
If you suspect that you have been defrauded, we recommend that you report this to your local law enforcement agency as a criminal offense.
Attention
If you suspect that you have been cheated, we recommend that you report this as a criminal offense to your local law enforcement agency.
--------------------------------------------------------------------------------------------
--> Phishing <--
--------------------------------------------------------------------------------------------
The attack variant of phishing is one of the most widespread and successful methods of gaining access to other people's assets. This is a method in which the attackers pretend to be someone else, usually famous people, or pretend to be from reputable, mostly well-known companies. The aim is to get people to disclose as much personal data as possible. The attackers “fish” (phishing) for information, so to speak.
To this end, fake emails are usually sent, fake websites are created or the attackers pretend to be someone else on social networks. The ultimate goal is often to obtain the secret recovery phrases, private keys or other specific personal information of potential victims and steal their assets or money.
Phishing scams are ubiquitous and not unique to crypto assets. However, attackers are very active in this area due to its unique characteristics. These attacks can target assets in self-custody wallets as well as assets on exchanges.
--------------------------------------------------------------------------------------------
--> Possible attack vectors for phishing <--
--------------------------------------------------------------------------------------------
-- Attack by means of spoofing: fakes of legitimate websites --
--------------------------------------------------------------------------------------------
Spoofing is when a malicious website is disguised as a well-known, trustworthy platform. Fake websites may look almost exactly like an official website, but on closer inspection, small differences can be detected. For example, attackers use a domain address that looks very similar to the real website. They may change one letter of the company name or use other domain extensions such as “.biz” or “.info”.
Fake websites are successful because many attackers buy advertising space in search engines. As a result, advertising links for the fake sites appear higher up in the search results, making people think it is a legitimate website. Therefore, avoid clicking on advertising links when searching for a website. Even if some ads lead to the correct websites, it is good security practice to only click on the search engine results themselves and not the advertising links, and also to check that the address begins with “https://” and that the URL is spelled correctly.
Note
The initial letters in web addresses “https” stand for “Hypertext Transfer Protocol Secure”. This protocol, the transfer protocol, is the language in which your web browser communicates with the server, so to speak. In contrast to “http”, this communication is encrypted with “https”. This prevents external parties from being able to read the content directly. But beware, the fact that an “https” connection is used is no guarantee that the website is secure.
Be very careful not only with search engines, but also with social media when it comes to advertising links. Fraudsters often set up accounts on popular social media platforms such as X/Twitter, Reddit, Facebook, TikTok, Telegram, Instagram, Discord and other social media platforms and wait for vulnerable users to exploit them.
The attackers often offer good advice or seem to actively want to help you to make you believe that they are reputable and that you can rely on them. Once they have gained your trust, they redirect you to a fake website where they ask for your personal details. They use official-sounding terms like “validate your wallet” or “verify your wallet” or “verify your info”.
--------------------------------------------------------------------------------------------
-- Attack using fake crypto tokens --
--------------------------------------------------------------------------------------------
Similar to fake versions of legitimate websites, fraudsters can also create and distribute fake versions of legitimate tokens, particularly in over-the-counter (OTC) trading. Fraudulent tokens look and behave like their legitimate counterparts, but have no value.
Counterfeit tokens can be recognized in particular by checking the underlying token contract address. This can be viewed on the major overview platforms such as xxxx or xxx.
Be wary of tokens with an unknown reputation, low holder numbers, low transfer numbers and missing code audits. Although none of these checks automatically rules out the legitimacy of a token, a token that does not meet all of these criteria should be treated with caution.
--------------------------------------------------------------------------------------------
-- Attack using fake wallets and apps --
--------------------------------------------------------------------------------------------
Both hot wallets and cold wallets can be counterfeited. When purchasing cold wallets (e.g. Ledger, Trezor, SecuX, D'Cent, Shift Crypto), make sure you buy from reputable platforms or from the manufacturer itself. Counterfeit or tampered products are increasingly coming into circulation, particularly on resale platforms or in marketplace trading.
Although Apple and Google control their app stores very well, counterfeit wallets and malicious apps can sometimes still get through. When attackers put fake versions in the official stores, they use screenshots and images of the real app as well as fake reviews to make their wallets look legitimate.
If you are technically savvy, you can use a checksum and look for the release hashes to verify that the download is signed. You can also enable auto-update in your phone's settings or desktop app to update your already legitimate installed apps.
------------------------------------------
Note:
This is a small excerpt from learning content, so the list is incomplete at this point. There are a few more dangers & risks.
Greetings from Germany :)
