Seeking help for crypto wallet problems on social media can attract scammers

The increasing popularity of cryptocurrencies has turned social media into a central place where users look for help when they have problems with their crypto wallet or private key. Scammers take advantage of this situation to make money with fake support offerings or to gain access to wallets or keys.

CISPA researcher Dr. Bhupendra Acharya has presented the first large-scale study on how these scams work and provided an end-to-end analysis of the scam operations in X (formerly known as Twitter). He presented his findings at the 45th IEEE Symposium on Security and Privacy in May 2024. The paper is available on the arXiv preprint server.

Cryptocurrencies such as Bitcoin or Ethereum are widely gaining acceptance because of their decentralized nature and because they grant anonymity to their users. In order to manage and sell cryptocurrencies, users need so-called crypto wallets, which basically are digital wallets for cryptocurrencies.

The best-known wallets are Metamask, Coinbase and Trust. In order to access these wallets, secret keys are required. Anyone with access to the secret keys can manage or access the crypto wallets. In the event of secret key loss, the crypto wallets remain inaccessible.

“We noticed that, as cryptocurrencies have become more popular, people have also been talking about them on social media. This also includes technical support issues such as wallet inaccess, loss of private key phrases, etc., which attracts fraudsters who fake technical support, effectively impersonating official support,” explains Acharya.

Many people prefer to seek help in a chat group or via a tweet instead of contacting the official support channels of the respective crypto wallet provider directly. “In our study, we uncovered how scammers exploit users in social media to either gain access to crypto wallets or simply ask for payment in return for technical support they are faking,” says Acharya.

On the scammers’ trail with HoneyTweet

In order to investigate how support scams in social media actually work, Acharya developed a tool called HoneyTweet. “HoneyTweet automatically sends out unique tweets with keywords for technical support requests in order to bait scammers,” Acharya explains.

“Scammers offering fake support are contacted via a semi-automated tool to detect the scamming payment methods or the modus operandi of scammers,” he continues. The scammers come up with various fake offers such as the software tool “Zeus,” which they claim will retrieve wallet access, and ask for money as part of the support.

Users were often pivoted to external communication channels during the conversation to avoid scam detection on the original platform. With the aid of HoneyTweet, Acharya and his colleagues baited more than 9,000 scammers within three months and traced them on six social media platforms including PayPal and cryptocurrency addresses, which were used as scamming payment methods.

The most important results of the study

In their study, Acharya and his colleagues were able to show that support scams for crypto wallets are a widespread phenomenon on social media such as X. “We found that social media still has some work to do in order to stop these scams,” Acharya says. “And we also found out that scammers often use several social media platforms for their scam attempts.

“Beyond X, the scammers ask to be contacted via direct messages on Instagram, Facebook, Telegram, WhatsApp and others.”

Basically, the scammers work in chain operations that link several social media platforms. During the scam process, the scammers first try to build trust and later perform social engineering tricks, initiating direct message communication where the actual scams take place.

Upon direct messaging, the potential victim is asked to either release their private key or pay for the “fake” support via the scammer’s provided payment method. By collaborating with PayPal and sharing the detected scam accounts with the payment service provider, the researchers were able to further validate the scam’s financial impact.

Takeaways for businesses and users

“There are two groups that could adopt our recommendations,” Acharya explains. “The first one consists of the involved services, like the crypto wallet providers. They should monitor all activity directly associated with their brand name and take action if scammers attempt to impersonate their brand. The second group consists of social media like X, Instagram, Facebook, Telegram and others.

“It is important to jointly monitor what is going on in terms of scam chains, because the scam does not necessarily occur on the platform where the chat started out. The final scam might take place at end of the chain, i.e., on another platform. In order to combat those chains, cooperation between the social media services is particularly important.”

Additionally, users of crypto wallets can also take action. Acharya recommends making sure to engage only with official providers of cryptocurrency wallets and be cautious with all unofficial channels. In no case should the information be shared via Google Forms or similar platforms.

“Crypto wallets or social media accounts affiliated with official crypto wallets will never ask their users for their secret keys,” the CISPA researcher concludes.

The future belongs to (secure) digital currencies

Acharya, who during the conversation reveals himself to be a big fan of digital currencies and a cryptocurrency user, sees a lot of potential in cryptocurrencies. “I believe that digital currencies like cryptocurrencies are the next generation of currencies and that they will replace existing currencies in the future,” he is convinced. “However, what we need is a system that is secure enough to create and operate a digital currency.”

As a researcher, he wants to continue contributing to this goal. “One project is using ChatGPT to chat with the scammers based on HoneyTweet,” he explains. “In this context, we also focus on different categories of fraud, such as alleged account recovery.

“In another follow-up study, we will use a deepfake-based method to chat and communicate with the scammers via Zoom video and phone with the aim of identifying further types of fraud mechanisms.”

It will be exciting to see what fraud mechanisms in the area of cryptocurrencies will be uncovered by Acharya and his colleagues.

Provided by
CISPA Helmholtz Center for Information Security