Scammers want your Bitcoin
The FBI says Americans lost $5.6B in crypto to scams in 2023, up 44% vs. the prior year. Here's what you need to know and how to stay safe
There were 200 Bitcoin sitting in the safe when the burglars pried it open. This wasn’t a low-level smash and grab job. Investigators would later determine that this was a professionalized crew from Colombia who had snuck into the country to target lavish homes in Hollywood.
But they were not expecting a fortune in Bitcoin for the taking. And they never noticed it.
This Bitcoin was stored on a paper wallet and taped to the ceiling of the home safe. A Bitcoiner’s personal fortune was saved by the providence and foresight of a small strip of painter’s tape, snugly fastened where grasping hands would not think to look.
I heard this true story because I work in the Bitcoin custody space. I suspect that I would not have heard this tale if it had an unhappy ending. We tend to more readily share our wins rather than our painful losses.
Which raises the question: how many personal stories of Bitcoin loss are out there, like scarlet letters privately borne? A lot more than we realize.
In fact, the FBI estimates that Americans lost $5.6B to crypto-related scams in 2023, up 44% from the prior year. What do these scams look like?
Interviews with social engineering scammers
Recently, a well-known early Bitcoiner has taken up a personal project of uncommonly raw journalism. Somehow, Junseth’s personal contact info ended up on a list of probable crypto holders. Apparently this list is available for sale on the dark web. As a result, Junseth gets calls from a variety of scammers plying their unscrupulous trade.
When we worry about crypto security, we tend to think about the wrong things. For example, people holding their coins on Coinbase take comfort in the fact that Coinbase’s security has never been hacked. However, these same people are often persuaded by social engineering scammers to hand over their login credentials to their Coinbase account, only to have their funds stolen. Coinbase may have excellent security, but for many, storing coins on Coinbase is not secure.
Of course, these scammers don’t simply ask. They deceive, they impersonate. As Junseth has now documented in two separate recorded phone calls, these scammers convincingly represent themselves as customer support staff employed by Coinbase, or Swan, or Ledger, etc. They reach out to let you know your funds are in jeopardy, but that you can resolve this urgent crisis by following a few simple steps. Of course, this carefully choreographed performance is a trick to get the victim to enter their login information into a fake version of the real website (and to disable 2FA “temporarily”).
These social engineering attacks have been going on for all of crypto’s history, but the recent professionalization of this cottage industry has led to increased success. That success has induced many more to follow suit and resulted in a recent explosion of sophisticated social engineering efforts by various groups.
Interestingly, these are not scammers in a third-world country searching for a gullible senior citizen. In crypto, the user base tends to be fairly young and tech-savvy. Evidently, the group best-positioned to outwit this cohort is ultra-tech-savvy American teenagers with the moral flexibility necessary to self-justify their financially ruinous actions.
In Junseth’s first impromptu interview, he coaxed “Daniel” into revealing that he was an American high schooler looking to make a quick fortune in order to fund a showy lifestyle on social media. In bragging about his various exploits, the young scammer divulged some eye-opening details about the relative ease with which he conducts his attacks.
“It's kinda ridiculous how people just give up their seed phrases.”
“There’s like infinite of these people. Stupid people. Like infinite.”
“In social engineering attacks, the victim is willingly giving up the information … if you do everything correctly, you don’t get arrested. It’s almost like there’s no consequences.”
“It’s really fun, honestly, it’s like the best job.”
Seemingly the most difficult aspect of these attacks is obtaining the customer datasets. Once the scammers have a list of potential leads, they begin their playbook of impersonating client services or tech support of exchanges or hardware device manufacturers. Once the scammer has socially engineered this valuable information, they can quickly sweep the customer’s account or wallet and go on their merry way. “Daniel” claims to make these types of calls for 8 to 10 hours per day, “earning” him anywhere from $10k to $100k per day.
When Junseth published this interview, it also served to notify Swan that they had just approved a $1.2M withdrawal of Bitcoin, which “Daniel” had bragged about achieving. Swan was able to cancel the withdrawal in time.
Just a few weeks ago, Junseth released yet another impromptu interview, this time with a scammer named “Ryan.”
As Bitcoin’s price continues to appreciate, the target on the backs of Bitcoin holders will grow commensurately, and the proliferation & increasing ingenuity of these scams will likely continue.
Thieves explore all options
Of course, scammers are not limiting themselves to cold calling their targets. Swan users have recently received two separate phishing emails, intended to deceive Swan users into clicking a nefarious link and handing over their Swan login information. Most people know not to trust this kind of email, but you can see how some small percentage of people might be fooled – it looks pretty official!
In addition to these scammers attempting to gain access to accounts, there’s the looming threat of physical world violence. To date, there have been limited examples of thugs targeting crypto holders and forcing them to hand over their coins. The ones that have been documented are rather horrifying (1, 2, 3). As crypto continues its ascent (and continues to gain cultural prominence), these “$5 wrench attacks” will likely grow in number.
The stakes are high
It’s hard to know just how many victims these scammers have actually claimed. But without a doubt, the answer is “too many.” For each victim, the funds lost represent the Bitcoin portion of their portfolio. That may be obvious, but it’s extremely unfortunate for the victim if Bitcoin does what we think it could over the coming years.
It’s still early days for Bitcoin, such that the purchasing power that a person stashes away in Bitcoin today may be worth 200x in 20 years, according to Michael Saylor’s recent presentation (which used my “Bitcoin’s Full Potential Valuation” piece as its starting point and methodology). That means that $1.2M lost today could have been worth $240M in 20 years.
Imagine losing generational wealth… all because a social engineering scammer convinced you that they were tech support here to help.
And it’s not much better if a user loses “only” $100k in Bitcoin today. That could be $20M in 20 years. What would your life look like with $20M in savings? For the untold victims of these scammers, that kind of future has been snatched away from them.
In my opinion, the primary reason that these tragedies occur is that Bitcoin holders tend to think about the value of their Bitcoin holdings in today’s terms. It’s easy to convince oneself that $100k sitting on Coinbase is fine. However, if you think about those funds as possibly worth $20M in 20 years… you will take action to protect those funds with security befitting their significance.
Does this describe you? Well, consider this a sign from the universe. Take some time to upgrade your Bitcoin security so that none of the threats described above can ruin a future where your Bitcoin grows 200x in value.
My advice for Bitcoin security
Everyone’s circumstances are different. But these guidelines apply for most individuals holding Bitcoin.
Not your control, not your coins
Historically, self-custody has been vastly safer than third-party custody
Recently, the development of Multi-Institution Custody creates an additional option where the end users retain control
Multisig for fault tolerance and risk mitigation across multiple keys
Don’t have all of your eggs in a single custody basket
I’ll explain these guidelines before sharing the options that could make sense for you, depending on your circumstances and preferences.
First, the common phrase in crypto circles is “not your keys, not your coins”. Historically, this has been excellent advice. The biggest failures over the 15 years of Bitcoin history have been centralized exchanges that were hacked or otherwise collapsed – Mt. Gox, Quadriga, BlockFi, Celsius, FTX, and many others. By contrast, individuals who have opted for self-custody (i.e., setting up and securing their own private key / public key pairs) have suffered far fewer losses.
That said, I have slightly updated the sage advice here. The true spirit of “not your keys, not your coins” is to make sure that no third party can move your funds. This prevents rehypothecation (BlockFi, Celsius), misappropriation (FTX), loss (Quadriga), and theft (Mt. Gox).
Historically, the only two options available to Bitcoin holders were self-custody and third-party custody. Only self-custody ensured end user control. However, now there is an additional model of Bitcoin custody, known as Multi-Institution Custody.
With Multi-Institution Custody, the end user maintains control of their coins by having three institutions each hold one key on their behalf, in an arrangement where more than one key is needed to control funds. (Note: I am biased here, since I have spent the last few years helping to build Onramp, the leading provider of Multi-Institution Custody, but I have only been spending my time on this because I think it solves a huge problem for Bitcoiners and for Bitcoin adoption as a whole.)
Second, Bitcoin addresses can be set up either as a “single-signature” address or as a “multi-signature” address. In a single-sig setup, a Bitcoin address is controlled by a single, very long password, what’s known as a “private key.” In a typical multi-sig setup, a Bitcoin address is controlled by three separate private keys, any two of which must sign a transaction before it is processed. Multi-sig setups are vastly superior to single-sig setups, specifically because they inherently provide fault tolerance, enable geographic distribution of private keys, and ensure that private keys do not have to physically come together at any point in time.
Third, I have personally found it very helpful to partition my Bitcoin holdings into more than one basket. When I had all my eggs in one basket, I spent many nights wondering if I had screwed something up or was somehow exposed to risks I was not aware of. By splitting my Bitcoin into multiple baskets, I found that these worries dropped away. Each basket has its own risks, but I know that even if a disaster scenario occurs with one basket, the loss will not be complete.
That said, it’s important to also limit the number of baskets in order to keep complexity down and prevent screw-ups. Having a primary basket and a secondary basket is a great solution. Splitting equally between three baskets also works nicely. I don’t think I’d recommend going beyond that, unless you are extremely paranoid or dealing with generational wealth.
The options to consider for your custody setup
To start, it’s worth mentioning what custody options should generally be avoided:
Keeping your coins on an exchange (or any third-party custodian)
As we’ve discussed, coins on an exchange are at risk from failure at the exchange level (Mt. Gox, FTX, etc.) but also from potential social engineering attacks by scammers
Single-sig wallets (paper wallets, phone wallets, hardware wallets)
Coins held in this manner are at risk from social engineering scams, $5 wrench attacks, and the completely unforgiving risk of user error
With a single-sig wallet, there is no fault tolerance, so losing or breaking a hardware wallet can mean a total loss of funds
Here are the options that are worth considering. And again, I personally recommend considering using 2 (or even 3) of them in order to diversify your custody method risk:
Pure self-custody multisig
Description:
In this custody model, the user sets up their own multisig quorum using any of the available open-source wallets that offer this functionality
Strengths:
Fault-tolerant setup with distributed risk across hardware wallets
High flexibility for power users
Zero cost to the end user (besides hardware wallets)
Weaknesses:
Highly technical
Greater risk of user error
All technical & security burden on user
Reliant on integrity and functionality of small plastic devices
Vulnerable to a $5 wrench attack (user holds all keys)
Collaborative custody multisig
Description:
In this custody model, the user sets up a multisig quorum via a collaborative custody provider’s interface and infrastructure (e.g., Unchained, Casa)
Strengths:
Fault-tolerant setup with distributed risk across hardware wallets
Utilizes well-constructed UI/UX services to streamline and clarify setup
Outsources a single key to the collaborative custody provider
Weaknesses:
Still need to be technical enough to set up and maintain a majority of the keys in the multisig quorum
Majority of technical & security burden on user
Annual fees for the service
Reliant on integrity and functionality of small plastic devices
Vulnerable to a $5 wrench attack (user holds majority of keys)
Multi-Institution Custody
Description:
In this custody model, the user sets up a multisig wallet via a Multi-Institution Custody provider (e.g., Onramp). In this model, the end user doesn’t have to set up or maintain any of the keys themselves, instead outsourcing this responsibility to several separate institutions
Strengths:
Fault-tolerant setup with distributed risk across institutional keyholders
Removes technical & security burden from the end user
Leverages institutional-grade key management and security practices for each key in the multisig quorum (i.e., no small plastic devices)
No keyholding institution has unilateral control, meaning that end user retains control of their coins
Greatly reduced risk of $5 wrench attack (user holds no keys)
Weaknesses:
Involves some degree of trust in the integrity and practices of institutional keyholders
Annual fees for the service
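The strengths and weaknesses listed above follow from two numbers per setup: how many keys the quorum needs, and who holds them. The Python sketch below is an added example, not part of the original article or any provider's tooling. It works out, for each custody model, the smallest group of parties that could move the funds and the smallest group whose disappearance would lock them. The 2-of-3 quorum for the institutional model and all holder names are assumptions.

```python
from itertools import combinations

def smallest_coalitions(holders, enough):
    """Smallest groups of holders whose combined key count satisfies enough()."""
    names = sorted(holders)
    for size in range(1, len(names) + 1):
        hits = [set(group) for group in combinations(names, size)
                if enough(sum(holders[h] for h in group))]
        if hits:
            return hits
    return []

def analyse(m, holders):
    """Model an m-of-n wallet; holders maps each party to the number of keys it holds."""
    n = sum(holders.values())
    if not 1 <= m <= n:
        raise ValueError("quorum must satisfy 1 <= m <= n")
    return {
        "quorum": f"{m}-of-{n}",
        # Keys that can be lost or destroyed while m keys still remain.
        "keys_losable": n - m,
        # Smallest groups that can sign alone if phished, coerced or colluding.
        "can_spend": smallest_coalitions(holders, lambda k: k >= m),
        # Smallest groups whose disappearance leaves fewer than m keys.
        "can_lock": smallest_coalitions(holders, lambda k: n - k < m),
    }

# Key allocations as read from the descriptions above (holder names are
# hypothetical; 2-of-3 for the institutional model is an assumption).
MODELS = {
    "single-sig": (1, {"user": 1}),
    "self-custody multisig": (2, {"user": 3}),
    "collaborative multisig": (2, {"user": 2, "provider": 1}),
    "multi-institution": (2, {"institution_a": 1, "institution_b": 1,
                              "institution_c": 1}),
}

def report():
    return {name: analyse(m, holders) for name, (m, holders) in MODELS.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

In the first three models a single party, the user, appears in both lists, which is why deceiving or coercing that one person is enough; only the last model needs two independent parties to fail together.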
Whatever choices a Bitcoin holder opts for, the important part is to prepare for a future where the underlying asset is more valuable. Overall, I believe it’s a good idea for Bitcoin holders to mitigate the risks in their custody setup as if their Bitcoin savings were worth ~200x what they are today. Because, in time, they may be.
If you’re interested in learning more about the Bitcoin custody options that exist today, consider signing up for Onramp’s upcoming webinar here: The Evolution of Bitcoin Custody. I will be presenting and fielding Q&A questions.
If you found my description of Multi-Institution Custody interesting, check out Onramp’s website to learn more (onrampbitcoin.com). I’d also be happy to chat with you about your Bitcoin custody concerns and needs, just schedule a consultation & mention you’re a Once-in-a-Species reader.