Contributions to this article made by Pamela Clegg, Vice President of Crypto Investigations and Risk from CipherTrace, by Mastercard.
Most root-causes of “crypto” fraud start outside of the crypto ecosystem
Fraud is any activity that relies on deception in order to achieve a gain¹. When we hear about crypto fraud, or more broadly, virtual asset fraud, we typically think of that deceptive practice to gain from some type of virtual asset activity. We immediately think the “crypto” part of that phrase is the vulnerability, but that’s rarely the case.
Fiat, not crypto still appears to be the primary choice of financial criminals
Despite widespread fears that crypto is used for criminal purposes, fiat, not crypto, still appears to be the best choice of financial criminals. The US Treasury in its 2022 National Money Laundering Risk Assessment² highlights how fiat and traditional financial activities continue to be substantially higher than virtual asset use to perpetrate illicit activities. Similarly, EUROPOL in its 2021 Spotlight, Cryptocurrencies: Tracing The Evolution of Criminal Finances,³ states: “The overall number and value of cryptocurrency transactions related to criminal activities still represents only a limited share of the criminal economy when compared to cash and other forms of transactions”.
Where is the real fraud - crypto or fiat? Is the fraud origin non-financial?
Just because something is called a crypto-scam or crypto fraud, does not automatically mean that it would be unique to crypto activity or that it even touches cryptocurrency in some way. Crypto fraud must involve some on-chain movement, transactions on the blockchain. Any fraud occurrence that ends with stolen crypto or a crypto scam, but originates from non-financial activity or fiat activity, still has an element of traditional fraud to it. Think of it this way…criminals utilize cloned credit cards to purchase crypto at a cryptocurrency exchange. The fraud perpetrated here was credit card fraud, not crypto fraud. The crypto was just the asset acquired thanks to the credit card fraud. This is not crypto fraud and the traditional AML or transaction monitoring system at the bank or card company should pick up on the red flags for those credit card purchases.
A perpetrator steals someone’s private key to gain access to their bitcoin and take that value. On the surface, we may say that is “crypto-fraud” or virtual asset fraud to be more inclusive beyond crypto. However, did that perpetrator get the private keys from a crypto transaction flaw, or did they hack into the blockchain? NO! Most likely, they manipulated the victim into giving up their private key or the victim was careless with the safekeeping of their information, such as via a phishing attempt or a SIM swap. The execution of the crime to obtain the access to the funds, is not specific to just crypto and really only involves crypto as it is the asset that is being stolen – liken it to this scenario:
- Victim A has a safe in their home with $100,000 in cash.
- Victim A has the safe combination written on a piece of paper next to the safe.
- Perpetrator B is a guest in Victim A’s home - they see the combination, enter the code, open the safe, and steal the $100k in cash.
- That’s NOT “safe fraud” or even breaking into the safe – that’s Victim A having poor control over their combination that opens the safe.
Use of Virtual Assets in scams and the actual root causes
The Federal Trade Commission⁴ highlighted that for the period Jan 2021 – Mar 2022, more than 46,000 people reported to have lost over $1 billion in crypto to scams⁵. The top cryptocurrencies people said they used to pay scammers were Bitcoin (70%), Tether (10%), and Ether (9%). Let’s examine just a few common schemes and their root causes:
Fraudulent investment schemes (i.e., ponzi schemes, fake applications⁶, etc.) had $575 million in reported crypto losses during the period Jan 2021 – Mar 2022⁷.
Examples: Scammers introduce themselves as "cryptocurrency investment managers" and claim to have made millions investing in cryptocurrency. They may encourage their victims to invest in “cryptocurrency investment funds” via fake websites, showing great (fake) investment growth, only to realize they are fake after they lose their funds. They may convince their victims to download fraudulent mobile apps that have scammed millions from their victims, or use fake celebrity endorsements via hacked social media accounts, persuading the victims to send an upfront fee in cryptocurrency which is never returned.
Root-cause: For those victims that didn’t own crypto, the fraud starts way before the crypto activity; the funds sent to the scammers are in fiat and utilize traditional payment rails, like wire transfer or electronic funds transfer. The scammers never convert the fiat into crypto, instead they persuade their investors into believing there is growth on their “account” by faking numbers on a fake website, fake social media or through some type of other communication.
Crypto Romance Scams with $185 million in reported crypto losses during the period Jan 2021 – Mar 2022².
Description: Romance Scams occur when a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.⁸ The FBI has also warned⁹ of a rising trend in which online romance scammers are defrauding victims, by persuading them to send money to allegedly invest or trade cryptocurrency by directing their victims to fraudulent websites, applications or exchanges.
Root-cause: The fraud has occurred way before the crypto activity; with the building of an online, non-financial, unverified relationship. In most Romance Scams, funds are typically moved in fiat from i.e., a bank account or an ATM. If crypto is involved, funds are typically moved from fiat form, a bank account or an ATM, into a VASP of some sort to acquire crypto. There are multiple opportunities of possible intervention via the traditional fiat payment rails, before there is a single bitcoin or other crypto transaction.
Credit Card Frauds with $28.6 billion lost worldwide to credit card fraud for the payment industry in 2020¹⁰
Description: Credit card fraud occurs when someone that is not you uses your credit card or account information for an unauthorized charge. Some of the most common types of credit card fraud include¹¹:
- Card-not-present fraud: scammers use stolen credit cards to make online or by phone purchases;
- Credit card application fraud: scammers use stolen personal information to apply for credit cards, which can remain undetected until the victim itself applies for credit card or checks his credit score;
- Credit card skimming: skimmers are devices that steal credit card information from the magnetic strip on the back of the card, usually attached to credit card readers, ATMs, gas and retail stores etc.
- Lost or stolen credit cards: scammers steal someone's credit card, use a card someone has lost, or intercept credit cards sent to cardholders in the mail.
Root-cause: The fraud has occurred way before any crypto activity; there are many opportunities of possible intervention via the traditional fiat payment rails (protection, detection, reporting) before there is any crypto transaction.
Decentralized Finance (DeFi) hacks with the top 10 DeFi hacks for the period Jan 2021 – June 2022 amounting $2.4 billion¹².
Description: These attacks were either an exploit of a system or a smart contact and in other cases were intentional fraudulent acts.
Root-cause: These examples might be more closely correlated to virtual asset fraud, given these are not vulnerabilities in crypto-assets, but rather, risk management protocols within decentralized finance and decentralized applications. Further, phishing was the origin of several of these events.
Potential ways to combat the fiat fraud that eventually leads to crypto fraud
Fraud trends clearly call for increased efforts in training, education and AML and transaction monitoring intelligence, to proactively identify and prevent against continued attacks. The FBI recommends¹³ financial institutions (among other) to:
- Proactively warn customers about such activity and provide steps customers can take to report it;
- Inform customers as to whether the financial institution offers cryptocurrency investment services or other related services;
- Periodically conduct online searches for your company’s name or logo, to determine if they are associated with fraudulent or unauthorized activity.
The FBI recommends investors to remain vigilant, take the following precautions and look for the most common red flags¹⁴:
- Unsolicited requests to download investment applications;
- Promises for free money, large gains or extraordinary returns;
- Fake influencers or celebrity endorsements that seem out of place;
- Never share sensitive information with individuals with unverified identities;
- Never pay money to receive a prize, or get hired when searching for a position;
- Avoid an unfamiliar exchange. Do your own research to ensure legitimacy;
- Use only encrypted websites when entering your debit or credit card details;
- Use hardware wallets, VPNs and strong passwords to protect digital wallets;
Financial fraud has been present in all human eras, and is constantly shifting. Despite the change in the means for executing frauds – now involving the use of Virtual Assets - fraudsters will still rely for their success on the same basic aspects of human psychology.
Just because something is called crypto-fraud or virtual asset fraud, doesn’t mean the crypto is the fraud. Crypto-fraud must involve on-chain activity. Increased efforts regarding education, training, AML and transaction monitoring intelligence tools, will help both financial institutions and investors identify the fiat rails and mitigate the majority of these risks even before they take place.
³ Europol (2021), Cryptocurrencies - Tracing the evolution of criminal finances, Europol Spotlight Report series, Publications Office of the European Union, Luxembourg. https://www.europol.europa.eu/cms/sites/default/files/documents/Europol%20Spotlight%20-%20Cryptocurrencies%20-%20Tracing%20the%20evolution%20of%20criminal%20finances.pdf
⁴ The FTC's mission is to protect consumers and competition by preventing anticompetitive, deceptive, and unfair business practices through law enforcement, advocacy, and education without unduly burdening legitimate business activity.
⁶ The FBI issued a warning to investors and financial institutions about cyber criminals creating fraudulent cryptocurrency investment applications (apps) to defraud cryptocurrency investors. 244 victims have been scammed who have lost about $42.7 million.