Avoiding Cryptocurrency Scams

Cryptocurrency has revolutionized the modern world. But, with great power comes great responsibility! Before you start using cryptocurrencies, we recommend mastering the information presented below.

Introduction

For most people, the early morning of April 2 was no different from any other. I had lost track of time exploring the beautiful world of Horizon: Forbidden West, while my brother stayed up late to catch up on the latest episodes of Attack on Titan. Usually, this would be a great way to end a long day — but ours was only beginning.

That’s because at 5:00 a.m., our company’s latest client was set to lose more than $200,000 worth of cryptocurrency to scammers. Over the last few weeks, he had fallen for several scams, losing more than $775,000 of cryptocurrency in the process. All that remained were his LUNA tokens, which the scammers were going to steal as soon as his fixed-term stake unlocked. With no emergency fund to pay towards his house mortgage, he and his wife would be evicted or forced to sell their home if we could not recover the $200,000 of LUNA tokens. We were his last line of defense, his only chance to recover the money before it would be gone for good.

From an objective point of view, we didn’t have much to worry about. Our success rate in this exact scenario was 100%, since we had already done this twice before. Plus, from studying the scammers’ previous transactions, we could tell that they were making manual withdrawals, rather than using automated software. All we could do now was wait, as we nervously called Patrick and his friends to discuss our plans one last time. Between Virginia and Oregon, more than 10 of us were standing by.

A happy ending?

In the end, it was over before we knew it. I managed to create and broadcast the recovery transaction in just 3 seconds, with several others close behind. Everyone was overjoyed as the transaction confirmed! We all slept well that night, knowing that we had saved more than $200,000 for a couple who desperately needed it.

Unfortunately, situations like this are few and far between. When people come to us after being scammed, there usually isn’t much we can do to help besides giving them advice for the future. As crypto veterans, we love to see adoption grow as new people plunge into the world of cryptocurrency! However, newcomers often lack an understanding of the crypto fundamentals, which makes them more vulnerable to scams. Crypto veterans aren’t immune either — all it takes is a single mistake.

The Fundamentals

Sometimes, we will go for weeks or even months without receiving any new clients — and that’s great! Of course, we are always happy to help whenever we can, but our ultimate goal is to teach you how to recognize and avoid the multitude of scams that exist. That’s why we created some fundamental rules to help keep you safe!

  1. Protect your seed phrase!
  2. Use a hardware wallet
  3. Avoid fake phishing websites
  4. Don’t click on fake ads or links
  5. Don’t sign unfamiliar contracts
  6. Be patient, rather than greedy
  7. Be familiar with classic scams

We encourage you to review these rules several times. Once you’re feeling confident, you can test your knowledge with the security quiz at the bottom of this page!

Rule #1: Protect your seed phrase!

When you create a new cryptocurrency wallet, you generate a new “seed phrase” that contains 12 to 24 words. This list of words is the master key for your wallet — if your device ever gets lost or stolen, or if you forget the password or PIN code for your wallet, you can recover all of your funds with just the seed phrase.

However, this also means that your seed phrase is a single point of failure, unless you use stronger techniques like multi-signature wallets or Shamir secret sharing. The safest method is to record your seed physically (write it on paper, stamp it into metal, etc.) and store it in a safe place, like a fireproof box or safety deposit box. Never store your seed phrase digitally! Don’t take a photo of it or store it on your computer, even if it’s encrypted. Also, you must never share your seed phrase with anyone! Keep repeating this rule until you have it memorized! There’s no legitimate reason for any “service agent” or “support form” to request your seed, ever!

The purpose of your seed phrase is to represent your master key in a human-friendly format. The words in your seed phrase come from a unique list of 2,048 words that was established by Bitcoin Improvement Proposal #39 (BIP39). Many wallets also offer the ability to add an extra word that gets combined with your seed phrase to generate your master key. This custom word is known as a passphrase, but it may also be called a “13th/25th word” or “hidden wallet”. Unlike the other words in your seed phrase, your passphrase doesn’t have to be on the BIP39 wordlist, or even be a word at all. You also don’t have to use one, since it’s an optional feature.

However, if you do decide to use a passphrase, you won’t be able to recover the funds in your wallet without it. Besides your seed phrase and passphrase, you don’t need anything else (fingerprint, password, PIN code, or hardware wallet) to recover your money. That’s why it’s so important to protect your phrases from scammers!
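The derivation described above, as an added example (not code from this page or from any wallet vendor): BIP39 stretches the seed phrase and optional passphrase into a 64-byte seed, and BIP32 turns that seed into a master key. It uses the publicly known test mnemonic from the BIP39 specification, and the "Bitcoin seed" HMAC key is the BIP32 convention for Bitcoin-style wallets.

```python
import hashlib
import hmac
import unicodedata

def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512 over the phrase, salted with "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)

def bip32_master(seed):
    """BIP32: HMAC-SHA512 of the seed, split into (master private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

# Public test mnemonic from the BIP39 specification. Never send funds to it.
TEST_MNEMONIC = "abandon " * 11 + "about"

def demo():
    """Master key for the same 12 words under three different passphrases."""
    results = {}
    for label, passphrase in (("no passphrase", ""),
                              ("passphrase TREZOR", "TREZOR"),
                              ("mistyped as Trezor", "Trezor")):
        key, _chain_code = bip32_master(bip39_seed(TEST_MNEMONIC, passphrase))
        results[label] = key.hex()
    return results

if __name__ == "__main__":
    for label, key_hex in demo().items():
        print(f"{label:20} master key {key_hex[:16]}...")
```

Every passphrase, including a mistyped one, produces a valid but different wallet, and nothing besides the words and the passphrase enters the calculation.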

Rule #2: Use a hardware wallet

Unfortunately, wallet software that you install on your computer or phone can be compromised by malware. This is because your master keys must be stored locally. Even though the local keystore is encrypted with your wallet password, malicious programs can simply use a keylogger to obtain your password and steal your funds.

For maximum security, you must use a hardware wallet that is produced by reputable manufacturers like Ledger or Trezor. Hardware wallets make it impossible to remove crypto keys from your device. Instead, you must approve each transaction from your hardware device, which signs the transactions internally. Always buy hardware wallets directly from the manufacturer and check the tamper-proof seals before opening. Never use a seed phrase that you did not generate yourself.

We recommend Ledger and Trezor equally, and we don’t have a financial interest in either company. Just make sure to buy directly from the manufacturer and follow the safety tips above. Ledger Nano S ($59) and Trezor Model One (€69) can both handle more than 1,000 different cryptocurrencies with equivalent levels of security.

Rule #3: Avoid fake phishing websites

The first two rules are designed to keep you safe from direct attacks — those where your master key is stolen and used to withdraw everything from your wallet. By protecting your seed phrase and using a hardware wallet, you ensure that the only person able to spend your money is… you! But if you’re not careful, you might still make a mistake. That’s because most crypto scams are “indirect”, where people get tricked into sending their crypto voluntarily. Since these scams take many forms, it would be impossible for us to list them all. Thankfully, as long as you learn to recognize common “red flags”, you’ll be able to avoid 99% of crypto scams with ease.

First and foremost, you need to avoid fake phishing websites, which are often configured to look like legitimate websites that you already use. Fake websites might trick you with similar names, like www.coimbase.com or www.metemask.io. Always double-check the URL at the top of your web browser to make sure that you’re visiting legitimate websites. Also, you should consider using a password manager like Bitwarden to ensure that your passwords are only auto-filled on trusted sites.

Rule #4: Don’t click on fake ads or links

Scammers use fake advertisements to attract new victims. For example, when you search for a website on Google or Bing, you may see ads that lead to fake websites. Fake ads can be difficult to spot, so it’s best to be in the habit of never clicking on search results with “Ad” or “Sponsored” markings. Better yet, installing ad blockers like uBlock Origin on all of your web browsers will automatically block most ads. You can also bookmark frequently visited sites to avoid the need to search for them.

Similarly, you shouldn’t click on links from random emails or social media messages. We recommend using a modern email provider like Gmail to prevent most scam emails from showing up in your inbox at all. If you’re suspicious about an email, you can check the sender’s email address by expanding the email header at the top. For example, anyone can send you an email with the Binance name and logo, but only the real company can send emails from an address ending in “binance.com”.
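The checks from Rule #3 and Rule #4, as an added example that is not part of the original article: it compares the host of a URL or of an email sender address against a short list of domains you trust and flags near-misses such as the misspelled names above. The trusted list, the distance threshold of 2, and the sample inputs are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the sites you really use. Maintain this list yourself.
TRUSTED = ("binance.com", "coinbase.com", "metamask.io")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Host part of a URL, of an email From value, or of a bare hostname."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    elif "@" in value:
        host = parseaddr(value)[1].rsplit("@", 1)[-1]
    else:
        host = value.split("/", 1)[0]
    return host.strip().rstrip(".").lower()

def classify(value):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(value)
    for good in TRUSTED:
        # Exact match or a real subdomain; "fakebinance.com" must not pass.
        if host == good or host.endswith("." + good):
            return "trusted", good
    # Simplification: the last two labels stand in for the registrable domain.
    base = ".".join(host.split(".")[-2:])
    nearest = min(TRUSTED, key=lambda good: edit_distance(base, good))
    if edit_distance(base, nearest) <= 2:
        return "lookalike", nearest
    for good in TRUSTED:
        if good.split(".")[0] in host:  # brand name embedded in another domain
            return "lookalike", good
    return "unknown", None

if __name__ == "__main__":
    # Constructed samples, not real phishing data.
    for sample in ("https://www.coinbase.com/signin", "www.coimbase.com",
                   "https://www.metemask.io/", "Binance <support@fakebinance.com>",
                   "noreply@mail.binance.com", "https://example.org/"):
        print(f"{sample:36} -> {classify(sample)}")
```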

Rule #5: Don’t sign unfamiliar contracts

No one can steal your money without your private keys — right? For many coins, this isn’t actually true. “Liquidity mining” or “liquidity pooling” is a modern scam that tricks people into signing a transaction that grants “token approval” to the scammer’s smart contract. This approval basically gives the owners of the smart contract permission to steal your coins. Later, you may see the stolen coins appear in a “mining portal”, but this is all part of the scam — the coins are already gone for good.

Of course, liquidity pools are a legitimate concept in decentralized finance (DeFi), which helps to make this scam more convincing. Plus, decentralized exchanges use token approvals for legitimate purposes, so your wallet software may not display much of a warning. The best way to avoid this scam is not to sign any transactions with unfamiliar smart contracts — even if you’re not sending crypto now, you might be giving them your permission to steal your crypto later, without any warnings.

If you’re curious about your own crypto addresses, you can view token approvals for any address with an online block explorer. Just visit the “Token Approval” page for the relevant blockchain: Ethereum, Binance Smart Chain, Avalanche C-Chain, Polygon, or Fantom. From here, you can revoke approval for any unfamiliar addresses.
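What a token approval looks like at the moment of signing, as an added example that is not part of the original article: it decodes the raw data of an ERC-20 approve call (the standard token interface on Ethereum-compatible chains) and states in plain words who may spend how much. The known-spender list and all calldata samples are constructed placeholders.

```python
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

# Assumption: spender contracts you have verified yourself (placeholder address).
KNOWN_SPENDERS = {"0x" + "11" * 20}

def decode_approval(calldata_hex):
    """Decode ERC-20 approve(spender, amount) calldata; None for anything else."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    try:
        spender_word, amount = data[8:72], int(data[72:], 16)
        if int(spender_word, 16) >> 160:  # address must be left-padded with 12 zero bytes
            return None
    except ValueError:  # not valid hex
        return None
    return {"spender": "0x" + spender_word[24:], "amount": amount,
            "unlimited": amount == MAX_UINT256}

def review(calldata_hex):
    """Turn raw calldata into the plain-language statement the signer should read."""
    info = decode_approval(calldata_hex)
    if info is None:
        return "not an ERC-20 approve call"
    if info["amount"] == 0:
        return f"revokes the allowance of {info['spender']}"
    if info["unlimited"]:
        scope = "ALL of this token, until revoked"
    else:
        scope = f"up to {info['amount']} base units"
    if info["spender"] not in KNOWN_SPENDERS:
        return f"STOP: lets unfamiliar contract {info['spender']} spend {scope}"
    return f"lets known contract {info['spender']} spend {scope}"

# Constructed calldata samples (not taken from any real transaction).
UNFAMILIAR = "0x" + "ab" * 20
UNLIMITED_TO_UNFAMILIAR = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
REVOKE_UNFAMILIAR = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "00" * 32
PLAIN_TRANSFER = "0xa9059cbb" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for sample in (UNLIMITED_TO_UNFAMILIAR, REVOKE_UNFAMILIAR, PLAIN_TRANSFER):
        print(review(sample))
```

Note that the approval itself moves no coins, which is why it is easy to sign without noticing; revoking is the same call with an amount of zero.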

Rule #6: Be patient, rather than greedy

As cryptocurrencies evolve, so do the scammers and the techniques that they use. Even if you could predict all of the possible ways that you might get scammed, it would be smarter to focus on why people fall for scams in the first place. After all, your knowledge and reasoning skills are useless if you get overtaken by emotions.

No emotion is quite as powerful as greed. Sometimes, scammers appeal directly to our greedy nature by offering “guaranteed” or “risk-free” profits. Cryptocurrency investments involve a lot of risks — if a truly risk-free strategy did exist, the scammers would be using it to enrich themselves instead of selling it to others. Scammers also offer returns that are unrealistic, such as “doubling your money” or promising an annual yield (APY) of more than 20%. Even if you’re sure that a smart contract or website is legitimate, we recommend using Google to search “(website name) scam” and reviewing any concerns or problems that other people have reported.

Massive gains are still possible, but they require detailed analysis and long-term patience. Scammers bypass this process by inducing a “fear of missing out” (FOMO). They may offer you an “exclusive opportunity” or impose deadlines that pressure you to act immediately. On the other hand, legitimate opportunities are available to everybody and don’t force you to make a rushed decision. Even if you know you’re making a legitimate investment, we recommend taking a few extra days to sleep on it or to perform extra research. By being patient, you allow yourself to make smart decisions! Remember — if anything sounds too good to be true, it probably is!

Rule #7: Be familiar with classic scams

Most scams existed long before Bitcoin was created. Make sure that you’re familiar with these classic scams, since they can be applied to cryptocurrency as well.

  • Gift cards: They’re for gifts, not payments! Never use gift cards to pay for anything, and never give out gift codes over the phone or through the Internet.
  • Poor grammar: Sometimes, scammers make grammar and spelling mistakes. They may even do this on purpose to attract only the most gullible victims.
  • Romance scams: To be safe, don’t discuss crypto with anyone through the Internet, even if you’re not on a dating site or you seem to have met by accident.
  • Sextortion: A hacker recorded a naughty video through your webcam, and they threaten to send it to your friends unless you pay them. As proof, they show you a password that you have used before (usually from a data breach). This is all a scam! There is no video, and you should never pay a ransom with cryptocurrency.
  • Tax imposters: Scammers may pretend to represent your tax authorities (IRS, CRA, etc.) over the phone. The real authorities would have mailed you a letter.

Crypto Security Quiz

Once you’re feeling confident, you can test your knowledge with the security quiz below! We don’t record your answers, but feel free to share them with your friends!

#1. Besides your seed phrase, which of these is required to spend your funds (if you have one)?

A passphrase is a custom word that gets combined with your seed phrase to generate your master key. For this reason, the passphrase is often called a “13th word”, “25th word”, or “hidden wallet”. Unlike the other words in your seed phrase, your passphrase doesn’t have to be on the BIP39 wordlist, or even be a word at all.

Since the passphrase is an optional feature, you don’t have to enter one to create a cryptocurrency wallet. However, if you do decide to use a passphrase, you won’t be able to recover the funds in your wallet without it.

#2. Which of the following are hardware wallets?

Select all that apply:

We recommend Ledger and Trezor equally, and we don’t have a financial interest in either company. Just make sure to buy hardware wallets directly from the manufacturer and check the tamper-proof seals before opening. Never use a seed phrase that you did not generate yourself!

#3. Which of these is NOT a scam situation?

On most exchanges, if you forget to include a required “memo” with your deposit, the exchange may offer to recover the deposit for a fee. Of course, this fee is always subtracted from the deposit amount. You should never “unlock” or “release” money by sending additional money — that’s a common scam tactic!

#4. Which of these steps does NOT help you avoid scams?

Uploading KYC documents is part of the onboarding process of most centralized exchanges. However, going through this process doesn’t increase your security against crypto scams.

#5. Which phenomenon is primarily driven by greed?

#6. Which blockchain does NOT support token approvals?

If you’d like to retake this quiz, you can simply refresh the page. If you liked this quiz and want to keep going, you can try some of the quizzes linked below:

Contact Us

If you have any questions about potential cryptocurrency scams or how to avoid them, we encourage you to contact us.
