The blockchain space is riddled with malicious actors that will capitalize on your desire to pursue obtaining cryptocurrencies or tokens through social engineering. Whether these social engineers are exploiting your naivety (if you’re newer or less experienced) or your greed (creating FOMO and deceiving even more knowledgeable individuals) — the statistics don’t lie. Over 90% of cases I’ve worked are the result of not hacking, but social engineering of various methodologies.

Who am I, and why should you read this?

I’m sure that if the hundreds of victims across cases I’ve worked could turn back time and have a 30 minute conversation with me, or read articles like this, they’d probably pay extremely good money for it. While hindsight is 20/20, hopefully you haven’t been scammed (yet) — and the X minute investment of reading this article could prevent you from losing more money than you’d likely imagine. You may believe, in a rational state, that you’d never invest more than you could afford to lose in crypto — but social engineers will con you into thinking some “opportunities” are simply too good to not go all-in on. Extremely intelligent individuals, some of which have probably been in crypto longer than the average reader here, have had rationality ripped from them by psychologically manipulative social engineering. If you think you’re better than they are, you can stop reading here — just don’t come to me should you get scammed. If you assess an X minute read as worth the time considering the amount of capital you’re involving, this is an investment in time that can protect your investment in capital.

You can make the decision to read this article and spare yourself a lot of future heartache by educating yourself about sophisticated social engineers who are statistically more psychologically cunning than individuals are prepared to deal with. In the event you are victimized, most individuals don’t even know where to report this type of crime — so it often goes unreported, and thus, not investigated. The minority of victims that seek investigation of these criminals are often unprepared for the blunt truth: funds recovery may be partial, and often can take an extremely long time. As an investigator, I’m asked “when funds recovery” or “any updates” as often as blockchain projects are asked “when moon” or “when Lambo.” And my answer is always “when funds recovery happens” and “I can’t reveal details of an ongoing investigation.” As someone in the cryptocurrency realm, you may expect all things to move at cryptocurrency speed — but investigations will move at investigative speed. In most situations, you’ll be waiting months — and possibly longer — because investigations take that long when you’re awaiting things like subpoenas, international law enforcement cooperation, evidence gathering, and numerous other time/resource intensive factors.

Bottom line: you may receive a portion of your stolen funds back after a prolonged period of time, but why even set yourself up for such a situation? As an investigator, I’m a huge proponent of educating the public about preventable crime: the amount of time you’ll take to read this article will prevent multiple times over the amount of time you’ll need to take if you’re scammed, let alone the amount of time and resources it will take to address the crime. It’s time well spent.

Energi Bureau of Investigations: the nightmare of scammers

My name is Rich, and I’m a blockchain cyberinvestigator. I work for Energi, and I lead the Energi Defense department — we’re running a first-of-kind cryptocurrency investigative team which is organically a part of the project’s team. Energi Defense will investigate any bad actors that target the Energi project or community. Since Energi is new, and hasn’t had any attacks, I have been assigned noteworthy cases; for example, I am the lead investigator for Ian Balina’s case. I have a strong working relationship with international law enforcement and most major exchanges, as well as an extensive network of like-minded individuals across the industry, which has led to arrests and funds recovery in many situations.

I’ve already written on the more novice social engineers, impersonation scammers, in a past post. Most people, even those new to crypto, know enough to avoid being victimized by such low-effort scams. Impersonation scam social engineering is more comparable to a shotgun — and the example below is more along the lines of a sniper rifle, as they’ll target you with more precision once they get to know you. The latter methodology often results in far more loss per victim due to established rapport and trust, and while this approach is more time consuming for the scammers, the statistics of financial loss prove it is time (temporarily, until justice is served) well spent for them.

I have never thrown my name out there or publicly offered my services, simply due to the massive influx of requests I get on a daily basis — one friend tells one friend about me, and this has resulted in a bare minimum of 3–4 cold outreaches sent to me per day. Hopefully, you never need my services for a scam or hack — I’d prefer you only need me to prevent them. I’ve had to put my time at a premium, and if you value your assets enough to invest an extremely small relative portion of them in making yourself a hard target, it’s now possible to arrange.

A Case Study: “Scamspeak”

Let’s take a look at a case I’m currently investigating. I want to preface this case study with a preamble: these facts are used to discuss the structure of a scam operation, and are publicly accessible through various public-facing reports of numerous victims. I cannot, and will not, reveal sensitive investigative details — while I will say that I have conducted extensive social engineering on this group with great results, and I can say with confidence their time will come (and likely when they least expect it), I will not reveal the methods I use or what I know about the perpetrators, as it is not relevant to this article. Many victims have written strong public articles, such as this one, outlining the situation similarly.

I will also not be revealing information about who is responsible for Scamspeak, as it is not my place to do so. Legalities aside, those responsible for Scamspeak are very aware I’m watching them — and I’ve received death threats. I’m not particularly concerned about these threats, which I receive on an almost daily basis, because as a combat veteran, I’m considerably better trained and better armed than this group — but I’m not going to equip the public to make the mistake of engaging these scammers and putting themselves at risk, despite my assessment that this group of scammers would never act upon their threats.

Me, wishing scammers would attempt their threats of physical violence upon me

I will, however, outline the methodologies used by these scammers (henceforth referred to as Scamspeak) in order to provide examples of the tactics, techniques, and procedures used by more sophisticated social engineers targeting cryptocurrency users.

Earlier this year, I was assigned a particularly interesting case. A client that runs a pooling group was scammed for over 3500 ETH by a group of individuals running what was (deceptively) presented as a group of private investors that would secure allocations for highly-demanded and promising blockchain projects. Within hours of investigating this situation, it became even more horrifying: this group of scammers had already victimized hundreds of individuals.

This group of scammers would initially find their victims through Reddit posts, and later transitioned to Telegram and ultimately Discord. They would pose as investors, discussing their allocations and how much money they were making. Initially, they would reach out to individuals offering a slot in their exclusive group — fostering FOMO by premise of having “just one slot left in our exclusive group.” Eventually, they transitioned into simply joining Telegram groups for major ICOs and discussing their allocations:

“Scamspeak” social engineers in Mainframe’s Telegram group, discussing their “teams” forecast on MFT and their allocation. This tactic fostered curiosity in future victims, resulting in numerous victims inquiring as to their allocation and attempting to get a portion.

Once an individual (victim) expressed interest in joining this “team” or “exclusive private group,” the conversation would continue in DMs:

If you didn’t read this far, you’d probably think “Peter” here was being cordial and providing you an opportunity to join an exclusive investment group. Since you have read this far, note what’s actually happening: the scammer is assessing how knowledgeable “Rain” is (to determine how difficult he would be to deceive) and creating uncertainty about being able to join the group, which will lend “credibility” and eagerness to impress from would-be victims. The eagerness to impress would often entail investing higher amounts of ETH than the victims normally would and/or investing in multiple projects.

Eventually, the conversation would move to a Teamspeak server for an “interview.” The interview consisted of almost entirely the same script for every victim — what projects have they invested in? How much did they invest? Amazingly, the Scamspeak group would ask for a LinkedIn of victims — which was often provided, yet not reciprocated (taking notes?) Upon the conclusion of the “interview,” the “team” would go to a private channel to “discuss their thoughts on you.” What was really happening? Not an assessment of your worthiness to join an exclusive investment group — but a discussion of how much could be stolen from you, and how easily.

Inside a Teamspeak server set up by the Scamspeak scammers. The names used by the Scamspeak scammers would vary by cycle, but were often re-used. Note the plethora of highly-demanded projects.

Unless the target claimed to be extremely poor or seemed extremely suspicious, the end-result would be the same: a congratulatory invite to the group to join under a “probationary period,” followed by an immediate followup regarding an upcoming pool — often simultaneously occurring with being informed of the “group acceptance,” or the next day.

Victims would be chain-asked to invest in projects, with increasing amounts of pressure. Upon a shred of skepticism, the scammers would conduct one of two actions: if they had a backlog of seemingly wealthy victims, they’d immediately ban the victim from the server.

If the current victim seemed to be “worth the time” (having extensive investment capital, being extremely naive, or both), the Scamspeak group would put the time into producing seemingly convincing “proof” of their investments… such as sending fake tokens to wallet addresses. It’s incredibly easy to make your own ERC-20 token, and simply creating an ERC-20 token titled “MFT” deceived several victims enough to conduct follow-on “investments” with Scamspeak.

And then we have email spoofing…

The raw email forwarded to a victim from Scamspeak to “prove” their “Quarkchain.”

Victims that were suspicious enough, but still deemed to be ripe targets by Scamspeak, would inquire about their tokens — and have “peace of mind” provided by “verifying” their tokens. Here’s the thing — these emails were spoofed, and spoofing emails is incredibly easy to do if a blockchain project hasn’t invested the time or talent to prevent email spoofing. Email spoofing is a few keystrokes on script-kiddie level sites like Emkei, and naturally, most victims didn’t know enough to audit the .eml file and determine the emails were spoofed. After all, it came from the quarkchain.io site, so it must be legit, right? Hindsight is always 20/20, but now you’re equipped with foresight.
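Auditing a forwarded .eml for the signs of spoofing described above, as an added example that is not part of the original article and not code from any project it mentions. The two messages inside it are constructed for illustration: example.org stands in for a project’s domain, example.net for a third-party relay, and the IP addresses are from documentation ranges. The checks are the ones a recipient can do offline: compare the visible From domain with the envelope sender (Return-Path), the Message-ID and the Received chain, and read the SPF/DKIM/DMARC verdicts the receiving mail server recorded in Authentication-Results.

```python
"""Audit a raw .eml file for common signs of a spoofed sender.
Added example for this article (not the post's or any project's code);
standard library only; both sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From claims the project's domain, but the
# envelope sender, Message-ID and the receiving server's authentication
# results all point elsewhere, which is the trace a spoofed message leaves.
SPOOFED_EML = b"""\
Return-Path: <bounce@mailer-relay.example.net>
Received: from mailer-relay.example.net (mailer-relay.example.net [203.0.113.10])
\tby mx.recipient.example.com with ESMTP id abc123; Mon, 1 Oct 2018 10:00:00 +0000
Authentication-Results: mx.recipient.example.com;
\tspf=fail smtp.mailfrom=mailer-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=example.org
From: "Token Distribution" <distribution@example.org>
To: victim@recipient.example.com
Subject: Your allocation has been confirmed
Message-ID: <123@mailer-relay.example.net>

Your tokens have been allocated.
"""

# Constructed sample of a message the project really sent: every domain
# agrees and the receiving server recorded SPF, DKIM and DMARC passes.
CLEAN_EML = b"""\
Return-Path: <distribution@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby mx.recipient.example.com with ESMTP id def456; Mon, 1 Oct 2018 10:05:00 +0000
Authentication-Results: mx.recipient.example.com;
\tspf=pass smtp.mailfrom=example.org;
\tdkim=pass header.d=example.org;
\tdmarc=pass header.from=example.org
From: "Token Distribution" <distribution@example.org>
To: victim@recipient.example.com
Subject: Your allocation has been confirmed
Message-ID: <456@mail.example.org>

Your tokens have been allocated.
"""


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def audit_eml(raw: bytes) -> dict:
    """Return the sender domains, auth verdicts and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))
    return_path_domain = _domain(str(msg.get("Return-Path", "")))
    msgid_domain = _domain(str(msg.get("Message-ID", "")))

    # Envelope sender and Message-ID are normally minted by the real sender.
    if not _under(return_path_domain, from_domain):
        findings.append(f"Return-Path domain {return_path_domain!r} is not under From domain {from_domain!r}")
    if not _under(msgid_domain, from_domain):
        findings.append(f"Message-ID domain {msgid_domain!r} is not under From domain {from_domain!r}")

    # Verdicts the receiving server wrote into Authentication-Results.
    auth = {}
    for header in msg.get_all("Authentication-Results") or []:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            auth[method.lower()] = result.lower()
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} verdict is {auth.get(method, 'missing')!r}, not 'pass'")

    # At least one hop in the Received chain should originate at the From domain.
    hosts = []
    for header in msg.get_all("Received") or []:
        m = re.search(r"\bfrom\s+([\w.-]+)", str(header), re.I)
        if m:
            hosts.append(m.group(1).lower())
    if not any(_under(h, from_domain) for h in hosts):
        findings.append(f"no Received hop from {from_domain!r}; chain: {hosts}")

    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "auth": auth, "received_hosts": hosts, "findings": findings,
            "suspicious": bool(findings)}
```

Two caveats when using this on a real forwarded message: only the Authentication-Results header added by your own receiving mail server is trustworthy (a sender can insert a fake one), and a project that sends through a third-party mailing service may legitimately trip the Return-Path check. Treat findings as a reason to confirm through the project’s official channel, not as proof either way.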

Eventually, victims would catch on to this ruse — and Scamspeak would ban them from their server. All it took was changing a server address or password, creating fresh Telegram accounts, and rinse/repeat. This group has scammed millions of dollars from hundreds of victims.

After-Actioning Scamspeak: The Red Flags and Lessons Learned

Scamspeak, and many other more sophisticated social engineering scams, have many red flags. Let’s dissect what you read above into key points to remember.

Scamspeak members would often create burner Telegram accounts to discuss their allocations in major project Telegram groups. They would often join these groups as a team of 2–3 people. If you notice 2–3 people (who often recently joined) seeming to talk to each other, with a similar script — that’s a red flag. The Scamspeak group would select random images and create profiles that may appear legitimate to the untrained eye:

Mysteriously, “Kayla” was never on the Teamspeak. And a brief reverse image search proved this to be a catfishing account. Scamspeak often used male profiles, but the counter-tactic of a reverse image search, or asking for a LinkedIn, is a strong counter-measure to being social engineered out of your cryptocurrency.

Scamspeak would often ask for a lot of personal information about victims, such as location, occupation, and portfolio. All of these things are easy to lie about in reciprocation; however, Scamspeak would never provide LinkedIns, for obvious reasons. I’ll take this a step further and say that even providing a LinkedIn is not a surefire way to prove the individual is not a scammer, since a new profile or aged account could be purchased — but it’s often a sign of confidence. Put simply, Scamspeak leveraged rapport-building by being extremely friendly and “getting to know” victims — often discussing miscellaneous topics for hours to build trust with victims. A few hours of discussing sports or kids is well worth thousands, or tens of thousands, of dollars to criminals. A voice chat seemed convincing enough for hundreds of victims, but a voice chat alone is still not enough to associate an identity with someone in the event of a soured deal — not without extensive resources. Scamspeak knew that a voice chat would deceive almost every would-be victim, and leveraged this. Unless you’ve got something to hold “the other end of the deal” accountable, such as a verified LinkedIn or other social media with history, a website, etc. — steer clear.

Scamspeak would often create artificial scarcity by suggesting their group was extremely exclusive, as they’d like to say, “quality over quantity” — and “if” you were accepted, you were very fortunate. This created a psychological need to impress and comply that victims often fell for. Scamspeak would often take this pressure a step further and create FOMO for projects they needed to fill allocations for — implying you were the “make or break” for them to push forward with these allocations. If you’re the new person in a group, and the determining factor of whether or not they can fill an allocation — I’d suggest suspicion.

Reputable projects don’t deviate from their public statements on bonus percentiles and allocations. Scamspeak would often claim to be negotiating higher bonus percents, faster distribution, or other exclusivity with their allocations. If a project says it’s a private sale for accredited investors only — and no pools are allowed — that is the policy. Many reputable projects have this policy on their website and Telegram pinned message, clearly stated, to avoid this type of social engineering on their community.

Scamspeak would never interview, or have, multiple victims in their server at once. Every reputable ICO investment pool/community has a public channel for community members to interact with each other. Victims were segregated from each other by Scamspeak for obvious reasons — with no other voice of doubt in the room, there is no room for doubt to be discussed. To combine this point with the point of anonymity/identifiable partners discussed above, I’ll use ICO Syndicate as a case study — while the team is partially anonymous/pseudonym-based, they have a strong and large public-facing community, and a strong history of investment in projects with no issues of distribution to clients. Bottom line: if you can’t identify the “other end of the deal,” interact with other clients, or see a clean record for the “other end of the deal” — don’t risk it.

Some Other Red Flags

But wait, there’s more!

Outside of Scamspeak, there are still some red flags to be aware of.

As discussed above, if there is no community or way for the general public to interact with each other, be wary. I have observed a growing trend of Telegram announcement-only channels, where the only communication you’ll have might be with one of the team members — if even that. These ANN channels often have no associated website and only have a Telegram channel. As per the points above — you can’t identify “the other end of the deal” or see a track record. Avoid these.

Reputable projects have stringent and firm requirements for KYC/AML, and are in full compliance with GDPR. If you’re not asked for documentation for a project that requires this documentation, avoid the “investment.” Many social engineering scammers are aware of this red flag, and are attempting to circumvent suspicion with “whitelist forms” often hosted on Google Forms or Telegra.ph — and not on the domain of the project itself. I’ll let you draw your own conclusions as to whether or not these platforms are in security compliance and a project would do that. Pro tip: they wouldn’t.

A healthy level of objective due diligence and preparation through education and preventative measures should be the cornerstone of your strategy, regardless of whether you’re brand new to cryptocurrency or the CEO of a major ICO. It would be impossible to cover every cryptocurrency security topic due to the amount of topics to cover and my current case load, however, if you’d like an individual consult — whether you’re an investor or with a project, it can now be arranged.

Put simply — if you have doubts, ask! A negligible amount of time (or even money) to do your own research or get the opinion of someone with expertise is well worth it — this time (or capital) is likely a fraction of what you stand to lose. No legitimate investment opportunity is going to come up, spur of the moment, and rapidly vanish because you needed some time to make an informed decision.