Bitcoin and other cryptocurrencies are becoming known as game-changers in many different and unique ways, but security isn’t yet sufficient to ensure your coins remain safe. Decentralization is great, privacy is great, but in order to take advantage of these features you’ll definitely need to remember that it also means YOU are the only one who can protect your Bitcoin from hackers, thieves and other bad actors.
The problem is that most of us aren’t security experts. Far from it, in fact: we have become accustomed to the platforms and services we use providing security for us. If you’re going to invest in Bitcoin (and I certainly think you should), you’ll need to learn how to take basic security measures. This includes learning the ways in which hackers can trick you and gain control of your wallets and Bitcoins.
Even those using the supremely secure hardware wallets should take note, because while these are your best option for security in wallets, they still don’t protect you from mistakes you can make yourself. Most hacks have nothing to do with the wallet itself, which remains quite secure, but instead occur at points of connection and are often the result of a lack of attention or some other user error.
Below you’ll learn about 12 different methods hackers have been using to gain control of private keys and steal Bitcoin directly, or by causing you to send your Bitcoin or other cryptocurrencies to an incorrect wallet address. Take note and avoid becoming a victim yourself.
1. Copy/Paste Spoofing – Because the hexadecimal addresses used by cryptocurrencies are nearly impossible to remember, and prone to errors when typing directly, most people use the copy/paste feature when sending Bitcoin or other coins to a wallet address. The problem is that hackers are known to use malware such as CryptoShuffler that acts to replace the address you copied with a different address. Avoiding the theft of your coins is simple, if a bit time-consuming. You simply need to check every address to verify it is correct before sending your coins. Even better, use QR codes. Also install an anti-malware program on your computer and run it regularly. You can get both Bitdefender and Malwarebytes for free. Finally, don’t ever download and install any app you’re not sure is safe.
2. Fake Mobile Apps – The selection of apps in the Google Play and iTunes stores continues growing exponentially, and because these services are run by Google and Apple we tend to trust the apps by default. This is a mistake as hackers are now known to publish fake apps that steal user data under names that appear to be authentic. The most well known is the Poloniex hack which surfaced in October 2017. Follow these steps to remain safe from this type of hack:
– Make sure the service you are using really offers a mobile app – if that is the case, the app should have a link on the service’s official website.
– Pay attention to app ratings and reviews.
– Be cautious of third party apps triggering alerts and windows appearing to be connected to Google – misusing users’ trust for Google is a popular trick among cybercriminals.
– Use 2FA for an additional (and often crucial) layer of security.
3. Slack Bot Hacks – Slack is an online messaging system that has become increasingly popular in large organizations, especially in the technology space. One interesting feature of Slack is the use of bots, automated programs that can do a myriad of tasks including finding and organizing information and even ordering ice cream. Unfortunately hackers have taken to bots on Slack as well, and now there are bots that will warn you about a security breach on your wallet, directing you to a URL that then asks for your login information or private keys. Avoid these like the plague and report them if they contact you.
4. Dangerous Browser Extensions – Efficiency is always a good thing, and there are browser extensions that promise to increase your efficiency on certain trading sites. The problem is that these browser extensions might also be reading and storing everything you type while using them. Find another way to be efficient and avoid the browser extensions to remain safe. In fact, avoid ANY browser extension related to cryptocurrencies (there are some exceptions, like Metamask for Chrome).
5. Cloned Websites – These come from Trojans and malware as well. If these are present on your computer you can begin typing a URL in the address bar of your browser and the hack will replace the real URL with a different URL that is very close to the original. The resulting website will look nearly identical to the real website, but if you enter any information it will be sent right to the hackers. Some hacks to exchange websites will even allow you to log in and seemingly trade your cryptocurrencies, but in fact the hacker is simply stealing your account credentials and draining your account. Always double check URLs, look for the https certificate and use something like the Cryptonite Chrome extension that can inform you of fake URLs.
6. Fake Search Ads/Results – It’s a technique that’s been used for many years in other areas, but now cryptocurrency hackers are getting on board with hijacking Google ads and search results. What they do is register a domain that looks very similar to the actual domain and then either use SEO techniques to get that site to the top of search results, or simply pay for Google ads to put their site at the top of the search results. Many people won’t even notice the slight difference in the URL and will happily click through to the fake site, never realizing they’ve been tricked until their cryptocurrency balances disappear.
7. Fake Social Accounts – It’s so simple to set up a social media account, and hackers will happily do so if they think they can trick you on Facebook or Twitter. To protect yourself, never follow accounts unless they are verified or you’ve clicked through to them from the official website of the service or product you want to follow. Here’s a recent Twitter scam promising free airdrop coins, but all you really get is hacked.
8. Mobile Phone Hacks – The past few months have seen several prominent occurrences of this hack. This one works because hackers are very skilled at social engineering, and can often fool mobile phone service support teams into resetting a mobile number, basically transferring it to their control. Once they have control of your phone number they are able to reset any number of passwords for services that use SMS two-factor authentication – including your Gmail account. The very easy fix for this is to avoid using SMS-based two-factor authentication. Remove your phone number from your Gmail account, and any other account that stores the number. It isn’t perfect, but at least if someone gains access to your phone number they won’t be able to reset passwords to your email and social media accounts, and from there potentially gain access to your cryptocurrency accounts.
9. Email Phishing – This one has also been around for years and years, but has recently entered the cryptocurrency arena. Hackers that use this technique are also becoming increasingly sophisticated, and it can sometimes be nearly impossible to tell that an email hasn’t come from the service or business it claims. Even so, these are usually easy to notice and easy to avoid. First look at the email address the email is coming from. If it looks fishy, delete the email. Then check the URL of any links in the email in your browser’s link preview section. If that looks fishy, delete the email. Finally, don’t ever click on links in emails. If the email claims there is a problem with your account, go to the service provider’s website using your own saved bookmarks and log in. If there is actually a problem with your account there will be some sort of notification or message in your account, and you can proceed from there.
10. Wifi Router Hacking – In October 2017 it was discovered that the WPA2 protocol used to encrypt wifi data had a serious weakness that would allow an attacker to read all the secure transmissions, thus giving them access to any information transmitted such as credit card numbers, passwords, chat messages, emails, photos, and so on. It has become known as the Krack Attack and if you haven’t updated your router and other wifi devices you should contact vendors and make sure you do so immediately. Also, never log into sensitive accounts or send sensitive information over a public wifi network.
11. Faked Ethereum Name Service (ENS) Addresses – This is a fairly new trick by hackers. The Ethereum Name Service was created to allow users to purchase domains with the .eth extension. These shorter and more memorable URLs replace the long and nearly impossible to remember hexadecimal addresses used by cryptocurrencies. So, you could have your friend send you Ether or other coins based on the ETH20 blockchain to myaddress.eth rather than 0x8899b47C144d447be2E1c3D9c4A77a047F7255B5. The hack goes like this: A company announces an ICO using an ENS they registered. The hacker creates a similar ENS and then posts that fake ENS on social media and forums. Coins sent are kept by the hacker. As with most other hacks, this one can be circumvented by paying attention to the URLs you’re visiting. If you want to use an ENS to participate in an ICO, only visit it from links on the official company website. And if you’re planning your own ICO, get your ENS (and any close typos), even if you don’t plan on using the ENS.
12. Free Airdrops of Coins – An airdrop is a free distribution of coins that is used either to reward existing coin holders or to bring more users in to a coin in an effort to bootstrap the service behind the coin or token. On the surface it seems great because you’re getting something for nothing, and some airdropped coins have gone on to increase in value by thousands of percent. Of course, with the possibility of stealing personal information, hackers have joined in to offer airdrops when there are none, directing you to a URL where they steal your personal information or private keys. Some require you to download a wallet specifically for the airdropped coins, and that wallet includes malware. Be very careful if you want to participate in airdrops and take everything with a huge degree of skepticism.
In short, be very careful out there with your Bitcoins and other cryptocurrencies. Always verify addresses before sending coins, verify links before visiting URLs and verify everything before getting involved with something that seems fishy. There’s a great opportunity out there with cryptocurrencies, but there are also pitfalls to be aware of.
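The "double check URLs" advice in items 5, 6 and 11 can be automated. The following is an added example, not part of the original article: it compares a link's host (or a .eth name) against names you already trust and flags near-misses such as swapped letters, digit substitutions, added hyphens, or the trusted name used as a subdomain of another site. The allowlist entry `exchange.example` and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: your own allowlist, e.g. built from saved bookmarks.
# "exchange.example" is a constructed placeholder; "myaddress.eth" is the
# sample ENS name used in item 11.
TRUSTED = {"exchange.example", "myaddress.eth"}

# Digit-for-letter and hyphen tricks to fold away (constructed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def edit_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def host_of(link: str) -> str:
    """Lower-cased host of a URL, or of a bare name typed without a scheme."""
    link = link.strip()
    return urlsplit(link if "//" in link else "//" + link).hostname or ""


def check(link: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, trusted name concerned): trusted, lookalike or unknown."""
    host = host_of(link)
    for good in sorted(TRUSTED):
        if host == good or host.endswith("." + good):
            return "trusted", good
    folded = host.translate(CONFUSABLE)
    for good in sorted(TRUSTED):
        if (folded == good.translate(CONFUSABLE)      # 0-for-o, added hyphen
                or host.startswith(good + ".")        # trusted name as a subdomain
                or edit_distance(host, good) <= max_distance):  # typo or swap
            return "lookalike", good
    return "unknown", ""
```

A verdict of `unknown` only means the name resembles nothing on the allowlist, not that the site is safe; very short trusted names may need a smaller `max_distance` to avoid false matches.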