The FBI is urging cryptocurrency investors and investment firms to beware of fraudulent cryptocurrency apps that try to steal money from unsuspecting victims. Released on Monday, the FBI’s notice says that cybercriminals have been convincing investors in the U.S. to download the phony apps with the intent of defrauding them of their cryptocurrency. The criminals have already stolen around $42.7 million from 244 different victims.

The apps in question impersonate legitimate programs by copying their names, logos and other details to then direct people to malicious websites in an attempt to access their cryptocurrency funds. By exploiting the interest in mobile banking and cryptocurrency investing, the criminals are not only targeting investors but seeking to damage the reputations of U.S. investment firms.

In one series of incidents between December 2021 and May 2022, cybercriminals scammed at least 28 investors out of around $3.7 million. Using a phony app spoofing the program of a legitimate financial institution, the criminals convinced victims to deposit cryptocurrency into their alleged wallets. When some of the people tried to withdraw funds using the app, an email notice told them that they first had to pay taxes on their investments. But even after paying the purported taxes, the victims were unable to withdraw any funds.

In another series of scams that occurred between October 2021 and May 2022, cybercriminals used the company name YiBit to steal around $5.5 million from at least four people. The victims were instructed to download a YiBit app and deposit cryptocurrency into wallets associated with their accounts. Several of the investors received an email telling them that they had to pay taxes on their investments before they could withdraw any funds. The four victims who did so were unable to withdraw funds using the app.

In a third incident that occurred in November 2021, cybercriminals using the company name Supayos or Supay scammed two victims by instructing them to download the Supay app and deposit cryptocurrency into their associated wallets. One victim learned that he was enrolled without his approval in a program that required a minimum balance of $900,000. Upon attempting to cancel the subscription, the person was told to deposit the required funds or else all his assets would be frozen.

“Although the recent cryptocurrency crash has no doubt soured some investors from participating in the space, the reality is that for many people cryptocurrencies still carry the mystique of being the next big thing in investing, and this has fueled some inexperienced investors into making rash decisions for fear of missing out on the next wave that promises life-changing financial returns,” said Chris Clements, VP of solutions architecture for Cerberus Sentinel. “Unfortunately, the same lack of regulation and centralized control that attracts some cryptocurrency proponents can be abused by malicious actors to conduct fraud on a massive scale.”

How to avoid cryptocurrency scams

Since investors and legitimate investment firms are both impacted by these scams, the FBI has words of advice for both groups.

For investors:

  • Watch out for unsolicited requests to download investment apps, especially from people you’ve never met in person or whose identity is unknown. Be sure to verify their identity before giving them any personal information or investing any money.
  • Make sure that a cryptocurrency app is legitimate before you download and install it. Confirm that the company behind the app is real, that it has an actual website, and that any financial documents offered pertain to the actual purpose of the app and the company.
  • Be skeptical of any apps that have limited or broken features and functionality.

For investment firms:

  • Tell customers whether your firm has a mobile investment app.
  • Tell customers whether your firm offers cryptocurrency investment services. Explain how you typically communicate with them so they can distinguish legitimate messages from fraudulent ones.
  • Regularly run online searches for your company’s name, logo and other information to see if you’re being exploited by fraudulent or suspicious activity.
  • Warn customers about any fraudulent incidents associated with your company and give them specific steps to report suspicious activity.

“The FBI’s recommendations for investors to stay safe from similar fraudulent schemes is good advice, particularly to have skepticism towards unsolicited requests to participate in new investment platforms or apps,” said Clements. “But guidance to verify the legitimacy of a new or unknown organization can be a difficult task, as it can be just as easy for fraudsters to falsify a fake company website or address. For now, the best advice may be for investors to stick with larger and more established players in the cryptocurrency market, but even some of those have had significant issues recently due to the crash and so-called crypto winter.”
