NEW YORK (BLOOMBERG) - When it comes to crypto hacks, it seems like it is the same story every time. Scammers take advantage of a vulnerability in a blockchain's design and make off with millions, as in the heist of more than US$600 million (S$832 million) involving the play-to-earn non-fungible token (NFT) game Axie Infinity and the US$77 million theft that took place on April 30 on decentralised finance projects Rari Capital and Fei Protocol.
But a US$3 million hack disclosed on April 25 involving NFTs from the popular Bored Ape Yacht Club (BAYC) universe exploited a different kind of weakness that is not unique to blockchain. Scammers infiltrated the NFT collection's official Instagram account and posted a link to a fake website where users connected their crypto wallets for what they thought was an NFT launch.
In reality, they had unwittingly opened themselves up to theft. When the actual launch happened on April 30, users were again targeted when scammers posted links to fake websites that ended up cleaning users out of NFTs worth a collective US$6.2 million.
The incidents exemplify a growing trend in which social media is being used as a tool for amplifying and executing crypto and NFT scams. These thefts are not just hitting Instagram: Twitter, Facebook, and the chat platforms Discord and Telegram are also fertile ground for these manoeuvres, said Assistant Professor Ronghui Gu, chief executive officer of the blockchain security firm CertiK.
"We have seen more and more attacks and hacks in Web3 and the blockchain industry and many of them have new forms of attack, which we haven't seen before," Prof Gu said in an interview.
The escalating social media threat comes on top of crypto-based crime hitting an all-time high last year, according to blockchain security firm Chainalysis' 2022 Crypto Crime Report. Illicit crypto wallets received US$14 billion, an 80 per cent increase from 2020. That is a cost crypto firms and tech giants cannot afford to ignore, and it ratchets up the pressure on them to shore up security and tighten safeguards.
Spam bots and account impersonation are already well-known problems on Twitter. About US$2 million was stolen from customers over a seven-month period in 2020 and 2021 through crypto scams advertised by fake Elon Musk accounts, according to the Federal Trade Commission in the United States. These tactics are also rife on Crypto Twitter and other platforms upon which crypto users depend.
"They heavily rely on this social media to get information about all kinds of different crypto projects like NFTs," Prof Gu said, adding that he has seen fake Telegram accounts that claim to belong to his company, CertiK.
Malicious accounts posing as real crypto firms, projects and entrepreneurs often tout fake giveaways of cryptocurrencies or NFTs. They can also spread through spam bots, which are automated social media accounts that can make posts and tag users, just like profiles run by humans. Twitter maintains that less than 5 per cent of profiles are fake or spam, according to its first-quarter earnings report - but that does not make them any less of a potential threat.
When Mr Musk announced in April that he was acquiring Twitter in a US$44 billion deal, he said he wanted to improve the social media platform by "enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans".
It does not have to be a false account disseminating crypto fraud - real accounts belonging to companies can be compromised too. The official BAYC Instagram account used two-factor authentication, according to a statement from Yuga Labs, the developer of the NFT collection. But that did not keep the account from being hacked.
The breach of this extra security measure indicates that hackers likely gained access to the account by tricking an administrator through social engineering, according to Prof Gu. This practice involves using personal or professional information to gain someone's trust, enabling a scammer to then elicit more data or credentials for a sensitive or valuable account. Both an employee at a social media company and an individual user contacted by a scammer can fall victim to social engineering.
This kind of tactic has been used in hacks of Twitter accounts, with the most notable one being a 2020 incident in which profiles belonging to verified users like then-presidential candidate Joe Biden were used to post a fake Bitcoin giveaway. Twitter employees had been manipulated to provide the access needed for hackers to take over these accounts.
The breach of official crypto accounts has happened on Discord too. Prior to its official launch, NFT marketplace Fractal had its Discord channel infiltrated and used to spread a link to a fake token launch that stole about US$150,000 from users.
What to do?
Crypto scams put more pressure on social media companies to boost security measures and hash out clearer policies on how they plan to better protect users.
When asked about these issues, Twitter, Discord and Telegram told Bloomberg that they all take action to mitigate fraud on their platforms and allow users to report suspicious activity. Meta Platforms, the parent company of Facebook and Instagram, declined to comment on crypto scams on these social media networks and the recent BAYC hack.
Although cutting out scams is difficult, it is not impossible, according to Mr Curt Dukes, an executive vice-president at the non-profit Centre for Internet Security. Requiring users to employ multi-factor authentication to protect their accounts and introducing a patch management system that helps identify and fix security flaws can help decrease vulnerability.
Companies can also provide better education to both employees and users on social engineering and make greater use of tools to verify that a user is human, such as adding a "Captcha" challenge requiring users to solve a puzzle or type in hard-to-read text in order to use the platform.
Mr Musk's plan to open-source Twitter's algorithms "definitely gives credibility to the platform", according to Mr Dukes. Allowing anyone to view Twitter's code would increase the chances of a security issue being spotted, he said.
As for cleaning out bots, there are machine-learning tools available that could be a big help for social media companies, but there are trade-offs involved, said Mr Adam Meyers, senior vice-president of intelligence at the cyber-security firm Crowdstrike. Algorithms can identify posting patterns indicative of a malicious bot account, Mr Meyers said in an interview. Doing so, though, could sharply cut overall user counts, which would not be ideal for a social media platform.
"If you're too good at stopping bots, then that's going to drive that number down," Mr Meyers said.
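The trade-off Mr Meyers describes can be made concrete with a small scoring model. The following is an added illustration, not code from the article or from CrowdStrike: the accounts, their posting features and the weights are all constructed for the example. It scores accounts on posting rate, link share, mention share and account age, then shows how lowering the flagging threshold catches the remaining bot at the cost of flagging more legitimate users.

```python
"""Toy bot-scoring model showing the detection/retention trade-off.
Added example with constructed sample data; the feature weights are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    posts_per_hour: float    # average posting rate
    link_ratio: float        # share of posts that contain an outbound link
    mention_ratio: float     # share of posts that tag other users
    account_age_days: int
    is_bot: bool             # ground truth, known only because the sample is constructed


# Constructed sample population (hypothetical accounts, not real profiles).
SAMPLE_ACCOUNTS = [
    Account("bot_giveaway_1", 40.0, 0.95, 0.90, 2, True),
    Account("bot_giveaway_2", 25.0, 0.80, 0.85, 5, True),
    Account("bot_lowrate", 4.0, 0.70, 0.60, 30, True),       # slower, harder to spot
    Account("human_casual", 0.2, 0.05, 0.10, 900, False),
    Account("human_newsjunkie", 3.0, 0.60, 0.05, 1200, False),   # shares many links
    Account("human_community_mod", 5.0, 0.20, 0.70, 400, False),  # tags many users
    Account("human_newcomer", 1.0, 0.30, 0.30, 3, False),         # brand-new, legitimate
]


def bot_score(a: Account) -> float:
    """Weighted heuristic in [0, 1]; higher means more bot-like (weights are assumptions)."""
    rate = min(a.posts_per_hour / 20.0, 1.0)
    youth = 1.0 if a.account_age_days < 7 else (0.5 if a.account_age_days < 60 else 0.0)
    return 0.35 * rate + 0.25 * a.link_ratio + 0.20 * a.mention_ratio + 0.20 * youth


def evaluate(accounts, threshold):
    """Return (bots flagged, humans wrongly flagged, bots missed) at a threshold."""
    tp = fp = fn = 0
    for a in accounts:
        flagged = bot_score(a) >= threshold
        if flagged and a.is_bot:
            tp += 1
        elif flagged and not a.is_bot:
            fp += 1
        elif not flagged and a.is_bot:
            fn += 1
    return tp, fp, fn


def humans_lost_fraction(accounts, threshold):
    """Share of legitimate accounts a platform would remove at this threshold."""
    humans = [a for a in accounts if not a.is_bot]
    _, fp, _ = evaluate(accounts, threshold)
    return fp / len(humans)


def sweep(accounts, thresholds):
    """Map each threshold to its (tp, fp, fn) so the trade-off can be read off."""
    return {t: evaluate(accounts, t) for t in thresholds}


if __name__ == "__main__":
    for t, (tp, fp, fn) in sweep(SAMPLE_ACCOUNTS, (0.9, 0.4, 0.3, 0.2)).items():
        print(f"threshold {t:.1f}: bots caught={tp} humans flagged={fp} bots missed={fn} "
              f"legit users lost={humans_lost_fraction(SAMPLE_ACCOUNTS, t):.0%}")
```

At a strict threshold the model catches only the two high-rate giveaway bots and lets the slower one through; loosening it enough to catch the slow bot starts sweeping in the new user, then the link-heavy and mention-heavy humans. That is the "drive that number down" effect: every step that catches more bots also removes a larger slice of the real user base.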
Steps for start-ups
Crypto start-ups can also take concrete steps to improve their security as scams increase, according to Ms Kim Grauer, director of research at Chainalysis. While it is common for early-stage firms in the sector to prioritise other areas over cyber security, "the industry cannot grow so long as it has this kind of ubiquitous hacking happening", she said in an interview.
Besides hiring security specialists, crypto platforms could undergo code audits that can help identify potential risks for users, she said. For some crypto adherents, the ultimate solution lies in Web3 - a decentralised Internet based on blockchain that proponents see as a step up from the current state of affairs, where tech companies control the biggest online platforms.
Web3 platforms are owned and managed by users, and developers can build tools that can help with issues such as eliminating spam and verifying the identity of users. But a mass migration to a Web3 social media network is not realistic for the crypto industry, according to CertiK's Prof Gu.
Online communities like Crypto Twitter have helped boost mainstream adoption of NFTs and digital currencies. In addition to providing an easy way to promote projects and share information, these social media networks have earned some crypto companies millions of followers. For crypto start-ups, walking away from this kind of exposure is too big of a cost. But not taking steps to address security concerns can also exert a heavy toll.