Threat actors have defrauded 244 U.S. investors of about $42 million through fake cryptocurrency apps that exploit people’s legitimate investments in digital currency, the FBI has revealed.
The agency observed a number of cybercriminal campaigns that duped people into downloading malicious apps through which threat actors extorted money from victims, the FBI said in a Private Industry Notification published Monday.
Threat actors used the names, logos and other identifying info of legitimate U.S. financial institutions to gain investors’ trust and fool them into thinking they were interacting with an actual cryptocurrency-related firm, the agency said. They even went so far as to create fake websites using the info as part of their ruse, according to the FBI.
Indeed, the rise of interest and investment in cryptocurrency has also made it a popular target for cyber thieves, who have invented creative ways to win people’s trust and get them to fall for malicious campaigns.
In February of last year, hundreds of investors fell prey to a fake cryptocurrency scam that conned them out of $11 million through investments in a fake cryptocurrency called “Bitcoiin.” The campaign even had celebrity backing, as actor Steven Seagal was hired to promote the company called “Bitcoiin2Gen” or “B2G” that served as the front for the fraudulent activity.
The latest FBI warning also is not the first time the feds sounded an alarm over cybercriminals targeting investors. About a year ago the FBI warned that threat actors were posing as financial advisors to try to lure victims into various investment scams.
Malicious Campaigns Uncovered
In its warning, the FBI revealed the details of three specific cryptocurrency fraud campaigns observed between October 2021 and May 2022 that alone defrauded investors of more than $10 million.
In a campaign that occurred between Oct. 4, 2021, and May 13, 2022, cybercriminals operating under the company name YiBit stole about $5.5 million from at least four victims, according to the FBI.
Threat actors convinced victims to download a bogus app and deposit cryptocurrency into wallets associated with their YiBit accounts. Once the deposits were made, 17 of the victims received an email stating they had to pay taxes on their investments before withdrawing funds. Four victims who were ultimately defrauded said that they could not withdraw funds through the app.
In a similar campaign that occurred between Dec. 22, 2021, and May 7, 2022, cybercriminals impersonated a legitimate U.S. financial institution to steal about $3.7 million from at least 28 victims, according to the FBI.
Again, threat actors convinced victims to download an app that used the name and logo of the legitimate company and deposit cryptocurrency into wallets associated with the victims’ accounts on the app.
When 13 of the 28 victims attempted to withdraw funds from the app, they received an email stating they had to pay “taxes” on their investments first before making withdrawals. After proceeding to pay the bogus tax, they still couldn’t withdraw funds from the apps, according to the FBI.
Yet another investor-fraud campaign occurred between Nov. 1 and Nov. 28, 2021, with threat actors this time operating under the company name Supayos, also known as Supay. This campaign, which snared two victims, instructed targets to download the Supay app and make multiple cryptocurrency deposits into the crypto wallets associated with their accounts.
In November 2021, the cyber criminals told one victim without previous consent or knowledge that he was enrolled in a program requiring a minimum balance of $900,000; upon trying to cancel the subscription, attackers told the victim to deposit the requested funds or his assets would be frozen.
Precautions Urged
The FBI is urging both institutions and individuals alike to take some basic precautions to avoid being defrauded when dealing with cryptocurrency transactions.
Institutions should proactively warn customers about the potential for such activity and provide a way for their customers to report it. They also should inform customers about the specifics of their own cryptocurrency-related services, such as whether the company actually has a cryptocurrency app, so clients can identify legitimate communications and transactions, the FBI said.
Institutions also should periodically conduct online searches for any unauthorized use of company name, logo or other identifying info to determine if cybercriminals are using it for nefarious purposes.
Investors can also protect themselves by being wary of unsolicited requests to download investment applications, verifying that an app is legitimate before downloading it, and treating apps with limited and/or broken functionality with suspicion, according to the FBI.
The FBI is encouraging people to report any suspicious activity related to cryptocurrency fraud to their local field offices.