Author: NEFTURE SECURITY
Compiled by: Vernacular Blockchain

Source: Finance Magnates
2024 has been a brutal year for retail Web3 investors. Too many investors have been robbed by scammers and hackers.
Although, as previously reported, obtaining precise data on the amount of money lost by retail investors is extremely difficult, criminal reports show that at least $5.84 billion has been wiped from their wallets. Of this, at least $4 billion was lost to “pig-butchering” scams, more than $1 billion was lost to phishing scams (including wallet theft and address poisoning), and $444 million was attributed to exit scams.


It must be noted that cryptocurrency market conditions in 2024 did provide huge opportunities for these scammers.
The bull run that began in late 2023, culminating when Bitcoin reached a new all-time high of $73,738 on March 14, 2024, attracted a massive amount of liquidity, not only from seasoned crypto enthusiasts, but also a swarm of eager new retail investors. 2024 was billed as the year Bitcoin broke the $100,000 mark (which it did!), and this, combined with the explosive activity of the memecoin supercycle, turned the crypto market “ghost town” of 2023 into a thriving hub of trading activity!

Source: Dune
Many newcomers are unaware of the treacherous waters of cryptocurrencies, making them extremely vulnerable and an ideal target for scammers. Experienced traders, having endured a long and painful bear market, are equally or even more susceptible to FOMO (fear of missing out), creating the perfect environment for scammers to prey on retail investors.
Shockingly, excluding the "pig-butchering" scams, the top five scams of 2024 caused a staggering loss of US$611 million.
Here are the most successful cryptocurrency scams of 2024!
1. $243 million stolen: largest social engineering phishing heist to date – second largest heist of the year
The most eye-popping cryptocurrency scam of 2024 was a simple social engineering phishing attack. By amount stolen, it ranked as the second most financially destructive crime of the year, behind only the $308 million attack on DMM Bitcoin private keys by a North Korean threat group.
Currently, this also appears to be the largest amount of money lost by a single individual in a single crypto-phishing attack.

On August 19, 2024, crypto detective ZachXBT revealed on Twitter that he had discovered a suspicious $238 million transfer, with funds being laundered and cashed out through multiple centralized exchanges (CEX). Soon, rumors spread about the identity of the victim - was it an individual, a hedge fund, or an exchange? How was the heist carried out: through a private key vulnerability, phishing, or both?

For a long time, few details of the case were known, except for two updates from ZachXBT reporting that Firn Protocol and NonKYC had successfully frozen approximately $500,000 in stolen funds - a drop in the bucket.
Exactly one month after the $238 million attack, ZachXBT once again took to Twitter to reveal the full story of the incident.

ZachXBT’s survey map - Source: ZachXBT
The heist was a "highly sophisticated social engineering attack," or a phishing scam targeting a single individual. The victim was a creditor of bankrupt crypto exchange Genesis.
On the day of the attack, he received a fraudulent call pretending to be from Google support, which allowed the scammer to hack into his personal account. According to ZachXBT's investigation, the victim then received another call, this time from a scammer impersonating Gemini support, claiming that his Gemini account had been hacked and instructing him to reset two-factor authentication (2FA) and transfer funds from his Gemini account.
After much persuasion, the victim shared his screen using AnyDesk, allowing the scammers to access and leak his Bitcoin Core private keys.
The attackers successfully stole $243 million and immediately attempted to disperse the funds across multiple wallets and then transferred them to more than 15 exchanges. According to ZachXBT’s research, the stolen assets were quickly converted between Bitcoin, Litecoin, Ethereum, and Monero to cover their tracks.

ZachXBT’s initial vulnerability tracking – Source: ZachXBT
Unfortunately for them, and fortunately for the victim, the attackers were not careful enough during either the attack or their escape. This oversight allowed ZachXBT to trace the phishing attack back to the three main suspects and their accomplices.

ZachXBT created a list of suspects - Source: ZachXBT
One of the many mistakes they made was revealing the names of two of them to the victim during screen sharing.

Source: ZachXBT Twitter
Other errors were related to their money laundering techniques. Although the attackers converted most of the stolen funds into Monero, ZachXBT found that two of them accidentally mixed stolen and clean funds by reusing deposit addresses. One attacker also exposed an address used to buy designer clothing when sharing the screen, which was associated with millions of dollars in stolen funds.

Source: ZachXBT Twitter
Most of them left enough traces on social media — or their predecessors left traces — to eventually reveal their full identities during an investigation by ZachXBT, who worked with the BN Security Team, Zero Shadow, and CryptoForensic Investigators to freeze a further $9 million.
The day before ZachXBT released his findings, Box (Jeandiel Serrano, 21) and Greavys (Malone Lam, 20) were arrested by the FBI and indicted on September 19.

Malone Lam - Source: ZachXBT
Phishing attacks carried out through social engineering have been at the heart of many high-yield crypto heists, with one extremely sophisticated attack nearly succeeding in stealing $125 million from a single individual.
2. November 2024: $129 million address poisoning attack

On November 20, 2024, a victim decided to transfer approximately $129.7 million from the address TGrS7QNCf85X2B6ddvGZY2MF9VwvFn6XAE to TMStAjRQHDZ8b3dyXPjBv9CNR3ce6q1bu8.
They first sent 100 USDT as a test transfer to the address TMStaj…6q1bu8. After the transaction was successfully completed, the victim almost immediately decided to transfer the entire $129.7 million.
What they didn’t know was that after the test transaction, the scammers “dusted” their wallet (sent 1 USDT) from an address disguised as the test address. When the victim copied and pasted the target address, they accidentally selected this fake address. The fake address was even crudely forged: only the last 6 characters matched, while the first half was completely different, starting with THcTxQ instead of TMStaj.

Source: Certik
Fortunately, the address poisoner returned $116.7 million within 1 hour and the remaining $12.97 million 4 hours later.
The two transfers and the amount of the second transfer ($12.97 million) seem to indicate that the attacker initially considered keeping 10% as a "bug bounty" but later changed his mind.

Source: SlowMist via ScamSniffer
The most likely reason they returned all the funds was fear — fear of being tracked down by victims with resources, the blockchain forensics community, and law enforcement, especially given the sheer amount of money stolen, which would make them a huge target.
3. Crypto4winners: $100 million Ponzi scheme

On March 9, 2024, the investment company Crypto4winners (which promised 3-20% returns per month) announced that it had been hacked.

Source: Crypto4winners Telegram channel
Due to this “bug,” Crypto4winners claimed it was unable to process withdrawals until the issue was resolved.
The problem is that two months earlier, the crypto newspaper DL News had revealed that one of the co-owners of Crypto4winners was Luc Schiltz, a Luxembourger who was sentenced to six years in prison for fraud involving more than $1.5 million in 2017 and served only two years. Shortly after his release from prison, he co-founded the Crypto4winners project.
So when the “hack” was announced, suspicion immediately rose. After the initial announcement, Crypto4winners went completely silent. By March 12 or earlier, its customers contacted lawyers and the police.
In the following days, Crypto4winners was revealed to have all the hallmarks of a Ponzi scheme, causing thousands of victims and losses of at least $100 million.
According to DL News, Luc Schiltz is the co-founder of Crypto4winners, but he has kept his involvement hidden. Its public CEO and founder is another Luxembourger, Adrien Castellani, but in reality, Castellani only co-founded the company with Luc Schiltz.

Source: Virgule
Despite the constant questions about Luc Schiltz’s involvement in Crypto4winners over the years, he never acknowledged him as a co-founder or partner, only referring to him as an advisor. In 2023, he promised to completely cut ties with Crypto4winners by the end of the year, which he apparently did not do.

Source: DL News
Lies abound.
For example, the crazy returns they promised. They even claimed to have achieved a 377% return on customer Bitcoin deposits since 2019, and an average return of 7% to 20% per month, regardless of whether the crypto market goes up or down, which is a typical feature of a crypto Ponzi scheme.
They also claimed to be working with Chainalysis and Ledger, leading both companies to publicly deny the claims in 2022.
Crypto4winners is incorporated in Sweden. In 2023, when the Swedish Company Registration Office asked them to submit annual reports for 2021 and 2022, they claimed that as a trust management company, they did not need to submit, which was false. Even though they were at risk of liquidation or being declared invalid, they still did not submit the report when the deadline came.
It was also discovered that Crypto4winners was ostensibly a Luxembourg-Swedish entity, but was in fact a complex structure spanning Dubai, Lithuania, Ireland, Sweden and Luxembourg.
To make matters worse, Crypto4winners was actually a shell company; all of the investor funds were transferred to an Irish company called Big Wave Developments Limited.
According to Luxembourg newspaper Virgule, out of an estimated $100 million in client funds, less than $200,000 remained in the Big Wave Developments Limited account.
What's most jaw-dropping about this entire case is the reason for its unravelling: a very strange car accident that allegedly caused Luc Schiltz to lose his memory.
Luc Schiltz crashed into a roadside guardrail and drove up a slope before dawn on March 5. He was not injured in the accident, but then for unknown reasons he walked onto the highway and was hit by a bus, according to Luxembourg police.
He was not fatally injured and was hospitalized in an orthopedic department.
However, he claims that the accident caused him to lose his memory. The problem is that Luc Schiltz has full control over client funds; this means that he no longer has access to the funds in his cryptocurrency wallets and trading platform accounts.
It is worth noting that, according to Virgule's investigation and those who visited Luc Schiltz in the days after the accident, his amnesia was questionable.
A friend of Adrien Castellani, who goes by the pseudonym Mario, recalled to Virgule:
"He initially pretended to have amnesia and then told us that he would get the USB key back from his parents and everything would be back to normal..." (Translated from French)
That day, Mario discovered the shell nature of Crypto4winners and Big Wave Developments Limited. Later, in a call with Schiltz on March 12, Mario asked why only $200,000 was left in the Big Wave Developments Limited account, and Schiltz reassured him that this was normal because it was only the funds in the hot wallet.
Despite claiming amnesia, Luc Schiltz seems to be fully aware of who he is and how his company operates. So, what exactly did he forget that prevented him from accessing the funds? Apparently not the seed phrase; in the history of crypto, it is almost unheard of for one person to manage $100 million based on memory alone.
He himself said that everything was at his parents' place and assured that things would return to normal soon. So, what was the problem?
Hopefully, this incident and all the questions it raises will be answered in court.
On March 15, the Luxembourg Public Prosecutor’s Office announced that it had opened an investigation into Crypto4winners on charges of fraud and money laundering, and that two individuals had been detained and charged.
One of them is believed to be Luc Schiltz.

Source: TrustPilot
4. May 2024: $72 million address poisoning attack

On May 3, 2024, a person fell victim to an address poisoning attack, which became the largest address poisoning robbery in history at the time. The victim transferred 1,155 wrapped bitcoins to a malicious address, losing $72.7 million.
What happened can be attributed to extreme bad luck. The victim first successfully completed a test transfer of $149 to a legitimate address (starting with 0xd9A1b). After that, they mistakenly copied and pasted a fake address - a poisoned address that imitated 0xd9A1b.

Address poisoning breakdown - Source: Chainalysis
The victim tried to negotiate, offering 10% as a “bug bounty” in exchange for the return of the funds, but failed. The attackers were blinded by greed and thought they would get away with it - they were dead wrong.

Message sent by victim to attacker - Source: Chainalysis
The entire blockchain security community was involved in the investigation, and soon there was news that the attackers had returned the funds, minus the $7.2 million set aside as a "bug bounty." On May 10, the attackers returned almost all of the stolen funds, and due to the appreciation of the token, they only took away $3 million.
The funds were quickly returned two weeks later not because the attackers had a change of heart, but because despite their best efforts to cover their tracks, their "device fingerprints" revealed part of their identities, according to a report by Match Systems CEO Andrey Kutin.
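A pre-send check against the address poisoning described in sections 2 and 4, as an added example that is not from the original article: it accepts a destination only on an exact match with a saved address book and flags history entries that merely share leading or trailing characters with a saved address. The function names, the address-book and history structures and the `min_edge` threshold are assumptions; the look-alike address is a constructed placeholder built from the six leading and six trailing characters the article gives.

```python
from dataclasses import dataclass
from typing import Optional

# Recipient address as printed in the article. The look-alike is a CONSTRUCTED
# placeholder: the article only gives its first six and last six characters.
LEGIT = "TMStAjRQHDZ8b3dyXPjBv9CNR3ce6q1bu8"
FAKE = "THcTxQ" + "x" * 22 + "6q1bu8"

@dataclass(frozen=True)
class Verdict:
    allowed: bool
    lookalike_of: Optional[str]  # address-book label the destination imitates
    reason: str

def shared_edges(a, b):
    """Count matching leading and trailing characters (case-sensitive)."""
    def run(pairs):
        n = 0
        for x, y in pairs:
            if x != y:
                break
            n += 1
        return n
    return run(zip(a, b)), run(zip(reversed(a), reversed(b)))

def check_destination(dest, address_book, min_edge=4):
    """Allow only exact address-book matches; name the entry a near-match imitates."""
    for label, known in address_book.items():
        if dest == known:
            return Verdict(True, None, f"exact match for '{label}'")
    for label, known in address_book.items():
        head, tail = shared_edges(dest, known)
        if head >= min_edge or tail >= min_edge:
            return Verdict(False, label, f"first {head} / last {tail} characters match "
                           f"'{label}', but the address is different")
    return Verdict(False, None, "not in address book; verify out of band first")

def flag_poisoned_history(history, address_book, min_edge=4):
    """Return senders of incoming transfers whose address imitates a saved recipient."""
    return [tx["counterparty"] for tx in history
            if tx["direction"] == "in"
            and check_destination(tx["counterparty"], address_book, min_edge).lookalike_of]

if __name__ == "__main__":
    book = {"test recipient": LEGIT}
    history = [{"direction": "out", "counterparty": LEGIT, "amount": 100},  # test transfer
               {"direction": "in", "counterparty": FAKE, "amount": 1}]      # dust
    print(check_destination(FAKE, book).reason)
    print(flag_poisoned_history(history, book))
```

The comparison is deliberately case-sensitive and looks at the whole string, since both victims were caught by checking only the visible edges of an address taken from transaction history.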
5. Epoch Times CFO $67M Crypto Scam and Money Laundering Heist

In June 2024, Bill Guan, CFO of Epoch Times, was arrested for involvement in a massive crypto scam.
The U.S. Department of Justice (DOJ) charged Guan with conspiracy to launder at least $67 million in fraudulently obtained funds, including proceeds from unemployment insurance fraud. The scheme allegedly involved using cryptocurrency to purchase illicit funds at a discount and then transferring them through multiple accounts, including the Epoch Times account, to hide the source of the funds.
The crypto scam was exposed when the bank reported that its revenue surged 410% from $15 million to more than $62 million in one year.
The Justice Department’s indictment stressed that the charges were unrelated to the Epoch Times’ journalistic activities. Guan faces serious charges, including conspiracy to commit money laundering and bank fraud, and could face up to 80 years in prison.
6. Summary
For retail investors, 2024 was a year full of crises in the Web3 sector. Scams and hacking were rampant, causing investors to lose up to $5.84 billion, with "pig-butchering" scams, phishing scams and exit scams the main forms of crime. From the Bitcoin bull market to the memecoin supercycle, the prosperity of the market attracted a large number of novice and experienced investors, but also made them an ideal target for scammers. Despite this, there are still some positive signs, such as the recovery of some stolen funds, and the tracking of and severe crackdown on criminal activity by law enforcement agencies and the blockchain security community.
However, these events also remind us that risks in the cryptocurrency market are everywhere. While pursuing high returns, investors must be vigilant, strengthen security awareness, and be cautious in every investment decision to avoid becoming the next victim.
Link to this article: https://www.hellobtc.com/kp/du/03/5728.html
Source: https://medium.com/coinmonks/the-biggest-crypto-scams-of-2024-0bc452327b97





