This is...not realistic on any level. I've been professionally investigating cryptocurrency scams/thefts/fraud since 2017.
This is at least twice as convoluted a process as is necessary to separate people from millions and millions of dollars in cryptocurrencies if the site stays up for a week. People don't bother spinning up stuff like this when the easy stuff works just fine.
As a counterpoint it is very realistic. If you ever launch a token and run your own telegram channel, all sorts of specialists come out the woodwork with extremely convoluted schemes
The sad thing is that the legitimate ones look just like the illegitimate ones
My first top exchange listing was through a DM
I’ve done partnerships with no name exchanges that turned out fine, also initiated over unsolicited DM
been scammed a few times by people that didnt deliver, and had no intention to
both the legit and illegit ones have no references because their clients are all other token projects whose community needs to feel everything happened organically
scammers take advantage of this desire for secrecy
it’s really just all about niche and specialization
TFA isn't talking about a scam targeting creators of tokens. This is a scam targeting random people by text message who don't know enough about the crypto space to know what USDT is, but would somehow research and figure out how to jump through hoop after hoop to try to steal someone else's money.
> both the legit and illegit ones have no references because their clients are all other token projects whose community needs to feel everything happened organically
I realize that you probably have no clue how this sounds, so I'm going to translate this sentence into how it sounds to those of us outside the crypto world:
> Both the scammers-of-normal-people and the scammers-of-the-scammers have no references because their clients are all scammers who don't want their marks to know that it's a scam
Please do correct me if I'm somehow misinterpreting the reason why it is so important to these "legit" contacts that secrecy be maintained lest their "community" find out.
I'm curious, do you advertise your services to the public? I have a relative who's been victimized by a cryptocurrency scam. Would you mind if I contacted you about it?
Unfortunately, I have no services to provide for the recovery of the resources. After seeing an increase in these kinds of scams in my social circle, I have compiled that book to share my professional knowledge to spread knowledge with everyone.
One of my readers has recently reached out to me about the examples and this has motivated me to start writing these articles for reaching out to more people.
I have no issues to get contacted and I would like to help as much as I can.
That particular scam sounds like the old "binary option" scams out of Israel. Those involved large numbers of people, typically recent immigrants to Israel, working in call centers to con people. The scam binary options brokers were not only rigged, cashing out was next to impossible.
Those were finally shut down, after the Times of Israel published a many-part expose, "Predators work at night"[1] Also, one of the big operations tried spamming Wikipedia really hard, which resulted in so much pushback that it attracted significant negative attention to the scams.
The people behind those scams were not punished much, and pivoted to crypto, "contracts for difference", and other related scams.
For the simple scams, see r/metaverse-blockchain. This is currently full of pump and dump memecoin scams, promoted as such. Get in and out before the dump is the pitch. Of course, the issuers of the coin are guaranteed a gain, while, collectively, everybody else loses.
There is no "metaverse" component to these coins any more. There used to be claims that the money being raised was going to develop a 3D virtual world. A very few of the "metaverse" coins actually got something going, but most just took the money and ran. Even the ones that got something going didn't do a very good job. The result either looked awful or was so expensive to run server side that they could only run it for special events.
There's several new crap memecoins each week. The promotions look like they come from a template.
This looks like a low-effort operation.
Where's the SEC when you need them? (Mostly dealing with higher-dollar scams, actually. They bring the hammer down on one or two crypto scams per month, but there are so many.)
Yeah a fake livestream of Elon Musk or Mike Saylor still makes hundreds of thousands of dollars/day undetected and untraced, no FBI involvement or arrests at all, still going strong to this day. Why waste time with this crap.
I've been reporting fake tesla and space x accounts so often on youtube - that I eventually wrote a script to copy and past into the report.
Most of the time they do get removed - sometimes successfully before the QRcode is displayed. They even bot the streams so it appears like 30-40k people are watching creating 'social proof'
This scam is successful because it is predicated on the same appeal that ventures like lotteries, sweepstakes, slot machines, or giveaways have (albeit accentuated with a seemingly guaranteed win, that these other ventures don't have): the belief that you can just luck into a giant treasure chest of money by expanding minimal effort.
Broadly, this is a modern version of what's known as an advance-fee fraud, which has been around for hundreds of years - paying a small amount upfront (hence the 'advance fee') under pretense of receiving a much larger amount later.
The difference is that while lotteries and casinos are out to take your money they're at least honest about it. If you win they'll pay out in real money. They're not rug pull scams.
The dishonesty lies in obfuscating the actual odds of winning, making the honesty about the payout a moot point as it's not particularly applicable for most entrants.
One thing I feel like I have learned from Reddit/ TikTok is the average person is terrible with money. Some VCs argue we should lower the bar to investing to democrative it. I am all for democracy, but maybe we would be better served if the average person didn't try to be a tycoon.
I think the tricky thing is the distinction between:
(A) Democratization: Let everyone participate as individuals on a freshly equalized playing field that was previously so slanted they couldn't even try.
(B) Democratization: Encourage lots of small disorganized weaker players into the market as unwitting prey for existing interests that have already established themselves with regulatory or competitive edges that they retain/maintain indefinitely.
P.S.: A closely-related rant over another situation involving market-access and devil-in-the-details: Various attempts to "privatize social security" often with the pitch of "giving individuals more control."
In this case I'm not focused on whether individuals can act wisely, but rather that such plans often means replacing an insurance policy with an investment account. Those two kinds of financial instruments have extremely different features, benefits, and risks!
So even if believe that's a great idea, be be suspicious of anybody who seems to be trying to hide that aspect of their plan from the public, since it means they're trying to get voters to make an uninformed choice.
There isn't really a distinction between the two; they are the same sentence with different frames.
However, if you don't let smaller players into the market then they'll be fleeced using some other mechanism (for example, taxed and then handouts given to the wealthy). If access to markets is expensive then small players won't be able to save at all since any method that lets people invest exposes them to risk, and once risk is involved larger players will outmanouver smaller ones.
Damned if you do, damned if you don't but giving people easy access gives people the best shot at achieving prosperity.
One of workplace tragedy in America is how we moved from professionally managed pensions to individual 401k retirement plans. Most folks have no business deciding asset allocation, managing risk, etc.
Most 401ks will just default to a target date fund, which is usually a total market stock ETF + bonds. That will certainly perform better than most actively managed pension funds.
I've also heard things that sound like they tend to have sharp eligibility cutoffs or amount calculations. There aren't issues with a 401k if I keep changing employers every few years. And you can't play stupid games with taking lots of overtime for your final year to boost retirement benefits beyond what they "should" be.
As it turns out, the accredited investor rule (>$1M liquid assets) isn't to filter for savvy investors, it's to make sure you can still land on your feet after your investment disappears.
I suggest you the following exercise to see it with your own eyes: enter a Telegram channel on a top 100 cryptocurrency, say that you are trying to recover your wallet and...
Suddenly a lot of scammer will contact you in less than 5' with techniques that you cannot imagine are real. For example, telegram handles with the same name as the channel admin but using unicode characters to make tou think it is the same account.
Reminds me of an elaborate reverse scam where the person asking for help have some USDT or other tokens on that ethereum address and a script to immediately swipe the funds the scammer will use for gas.
What is the standard solution to this type of phish? This problem did not exist in the ASCII world, of course. Unicode is useful, but what is the best way to prevent this malicious use of it?
This problem extends beyond character encoding. The average joe (and not so average alike) seems to have a hard time to distinguish official channels from non-official scammy ones, even more so when the official channel doesn't exist on a given platform ("we don't offer support via Telegram" kind of situations). Cue in some greed as well and you got a perfect recipe for disaster.
The root issue is the lack of skepticism and verification. At the same time humans have limited energy and verifying everything causes significant fatigue over time, so the problem might as well be intractable.
For web URLs, browsers will sometimes display "punycode" where for example "домен" would be represented as "xn--d1abbgf6aiiy"
I believe different browsers have different heuristics about when to switch to that representation - suspicious characters, mixing scripts in the same URL, and so on.
I do think it's good for certain things to be ASCII-only. People will say it's Americentrism or Anglo-Saxon-centrism. Ok so be it. Make the account handles and email addresses not inclusive and ASCII-only.
> What is the standard solution to this type of phish?
For domain names I use a "corporate" setting in Firefox, disallowing the use of DoH/DoT: to make sure that every single domain name resolution goes through my own local DNS resolver.
And my firewall inspects every packet on port 53 and rejects any packet containing "xn--" (the way they encode Unicode chars in ascii URLs).
For text: my editor is configured to display in bold, fluo, on a dark background any character that is no a visible ASCII char (except newlines and spaces) and "zero width" char are forced to have a width.
But it's a losing battle: too many people don't understand the security implication of using Unicode everywhere.
The most enraging in all this is how stupid these homoglyph/homograph attacks are to pull off: any dumbfuck can pull it off. The bar is insanely low.
It reminds me of a scam they tried with my mom: and old person that apparently cannot read asks you about a lottery ticket, another “random” person comes and checks the lottery results from their phone, and you have a winning ticket for millions in your hand. Old person says it is hard for them to do cash it and asks for help, the random person pulls you in a corner and says you could offer some money to buy the ticket and cash it.
Well, mom was naive enough to believe it but honest enough to reject it.
It flips the who is scamming and who is the scammer around so that you think you are the one getting an advantage, much like here where you would withdraw some money that clearly is not yours. Much less likely to report.
Also makes the scammers feel less guilty when you also tries to scam another person.
Best crypto scam I see right now is the (MEV) bot scam. There are a bunch of promoted videos like below. Just download some code, connect it to your ETH wallet and you'll make 20-50-100% profits daily. I reported some over a month ago but still up. Has nearly half a million views.
lots of scams are able to continue by getting the victim to do things they wouldn't report to the police, or even to their relatives out of embarrassment
although I think it is an interesting idea that scammers intentionally make typos and absurdities, just to weed out discerning people in favor of easier victims, I think there is a larger market for meticulous more legitimate looking scams as well
> I think it is an interesting idea that scammers intentionally make typos and absurdities, just to weed out discerning people in favor of easier victims
This is an apocryphal anecdote or theory that gets passed around, but I'm not sure how true it actually is, and certainly not universally true. In that, I think scammers are way more likely to just make typos than to setup an elaborate low-level target filter. Regardless, I've also never actually seen scammers admit to this.
Although sometimes, rarely, the victim confesses their embarrassing actions as a warning to others in a well-written firsthand perspective in a national newsmagazine [0]
I recently watched John Oliver's video[1] about the "pig butchering" scam. It's a brutal scheme where scammers invest months in building fake relationships, gain a ton of trust, and then rob all of their money.
Even though I'm pretty tech-savvy, I'm not sure I could totally avoid falling for this. These scammers don't ask for money directly; they casually mention how they're making big bucks through crypto trading on some app. Naturally, you get curious about the app, but you're still cautious. Then you see it's got a ton of good reviews on the app store, so your trust increases a little.
You install the app, and it looks legit - like it was made by a solid dev team. It offers some limited-time crypto deals where you can't withdraw for a while. The victim invests a little, watches the crypto value climb, and sees their "money" grow on paper. So they put in more. When they finally try to cash out, they realize they can't. They panic and turn to their "romantic partner" for help. That's when the scammers and the fake app squeeze out the last bit of cash, claiming it's for taxes or fees, and they need to put some money. And the victim loses everything.
It's not unreasonable for the victim to think the relationship is real if they've spent months chatting and calling, sharing really personal stuff. Plus, the app seems totally legit, both from the store reviews and how it looks and works. I really hope these scams will disappear soon.
I watched the video but I wasn't fully sure what the scam was. Where it became unclear to me was where it transitioned from a chat to an app.
The app mentioned in his video (MetaTrader 5) is still up - and seems actually legit... at least I think?
So is the scam that they send links to fake versions of the app? How'd the reviews look legit then? Or is there some sort of scam they run on the app where they actually have control of your account?
EDIT: nevermind, I found this[1] post that explains it - the app connects to brokers and is not one itself. So they basically just make a fake brokerage and convince you to use it. So John Oliver's explanation was a bit lacking on that part, and misleading/incorrect about MetaTrader 5 itself.
Readit News
This is at least twice as convoluted a process as is necessary to separate people from millions and millions of dollars in cryptocurrencies if the site stays up for a week. People don't bother spinning up stuff like this when the easy stuff works just fine.
The sad thing is that the legitimate ones look just like the illegitimate ones
My first top exchange listing was through a DM
I’ve done partnerships with no name exchanges that turned out fine, also initiated over unsolicited DM
been scammed a few times by people that didnt deliver, and had no intention to
both the legit and illegit ones have no references because their clients are all other token projects whose community needs to feel everything happened organically
scammers take advantage of this desire for secrecy
it’s really just all about niche and specialization
I realize that you probably have no clue how this sounds, so I'm going to translate this sentence into how it sounds to those of us outside the crypto world:
> Both the scammers-of-normal-people and the scammers-of-the-scammers have no references because their clients are all scammers who don't want their marks to know that it's a scam
Please do correct me if I'm somehow misinterpreting the reason why it is so important to these "legit" contacts that secrecy be maintained lest their "community" find out.
Unfortunately, I have no services to provide for the recovery of the resources. After seeing an increase in these kinds of scams in my social circle, I have compiled that book to share my professional knowledge to spread knowledge with everyone.
One of my readers has recently reached out to me about the examples and this has motivated me to start writing these articles for reaching out to more people.
I have no issues to get contacted and I would like to help as much as I can.
That particular scam sounds like the old "binary option" scams out of Israel. Those involved large numbers of people, typically recent immigrants to Israel, working in call centers to con people. The scam binary options brokers were not only rigged, cashing out was next to impossible. Those were finally shut down, after the Times of Israel published a many-part expose, "Predators work at night"[1] Also, one of the big operations tried spamming Wikipedia really hard, which resulted in so much pushback that it attracted significant negative attention to the scams. The people behind those scams were not punished much, and pivoted to crypto, "contracts for difference", and other related scams.
For the simple scams, see r/metaverse-blockchain. This is currently full of pump and dump memecoin scams, promoted as such. Get in and out before the dump is the pitch. Of course, the issuers of the coin are guaranteed a gain, while, collectively, everybody else loses.
There is no "metaverse" component to these coins any more. There used to be claims that the money being raised was going to develop a 3D virtual world. A very few of the "metaverse" coins actually got something going, but most just took the money and ran. Even the ones that got something going didn't do a very good job. The result either looked awful or was so expensive to run server side that they could only run it for special events.
There's several new crap memecoins each week. The promotions look like they come from a template. This looks like a low-effort operation.
Where's the SEC when you need them? (Mostly dealing with higher-dollar scams, actually. They bring the hammer down on one or two crypto scams per month, but there are so many.)
[1] https://www.timesofisrael.com/tel-aviv-binary-options-firm-a...
Most of the time they do get removed - sometimes successfully before the QRcode is displayed. They even bot the streams so it appears like 30-40k people are watching creating 'social proof'
Broadly, this is a modern version of what's known as an advance-fee fraud, which has been around for hundreds of years - paying a small amount upfront (hence the 'advance fee') under pretense of receiving a much larger amount later.
(A) Democratization: Let everyone participate as individuals on a freshly equalized playing field that was previously so slanted they couldn't even try.
(B) Democratization: Encourage lots of small disorganized weaker players into the market as unwitting prey for existing interests that have already established themselves with regulatory or competitive edges that they retain/maintain indefinitely.
In this case I'm not focused on whether individuals can act wisely, but rather that such plans often means replacing an insurance policy with an investment account. Those two kinds of financial instruments have extremely different features, benefits, and risks!
So even if believe that's a great idea, be be suspicious of anybody who seems to be trying to hide that aspect of their plan from the public, since it means they're trying to get voters to make an uninformed choice.
However, if you don't let smaller players into the market then they'll be fleeced using some other mechanism (for example, taxed and then handouts given to the wealthy). If access to markets is expensive then small players won't be able to save at all since any method that lets people invest exposes them to risk, and once risk is involved larger players will outmanouver smaller ones.
Damned if you do, damned if you don't but giving people easy access gives people the best shot at achieving prosperity.
I've also heard things that sound like they tend to have sharp eligibility cutoffs or amount calculations. There aren't issues with a 401k if I keep changing employers every few years. And you can't play stupid games with taking lots of overtime for your final year to boost retirement benefits beyond what they "should" be.
Suddenly a lot of scammer will contact you in less than 5' with techniques that you cannot imagine are real. For example, telegram handles with the same name as the channel admin but using unicode characters to make tou think it is the same account.
The root issue is the lack of skepticism and verification. At the same time humans have limited energy and verifying everything causes significant fatigue over time, so the problem might as well be intractable.
I believe different browsers have different heuristics about when to switch to that representation - suspicious characters, mixing scripts in the same URL, and so on.
For domain names I use a "corporate" setting in Firefox, disallowing the use of DoH/DoT: to make sure that every single domain name resolution goes through my own local DNS resolver.
And my firewall inspects every packet on port 53 and rejects any packet containing "xn--" (the way they encode Unicode chars in ascii URLs).
For text: my editor is configured to display in bold, fluo, on a dark background any character that is no a visible ASCII char (except newlines and spaces) and "zero width" char are forced to have a width.
But it's a losing battle: too many people don't understand the security implication of using Unicode everywhere.
The most enraging in all this is how stupid these homoglyph/homograph attacks are to pull off: any dumbfuck can pull it off. The bar is insanely low.
Ah yes, homograph/homoglyph attacks. Bruce Schneier warned about that decades ago. He predicted all these homograph/homoglyph attacks.
Work for domain names too seen that there can be internationalized domain names.
But there are plenty of cryptocurrency scams that don't require that. Just some place that looks like an exchange but is actually a money hole.
Honest people get cheated every day.
Well, mom was naive enough to believe it but honest enough to reject it.
It flips the who is scamming and who is the scammer around so that you think you are the one getting an advantage, much like here where you would withdraw some money that clearly is not yours. Much less likely to report.
Also makes the scammers feel less guilty when you also tries to scam another person.
https://www.youtube.com/watch?v=dK6U9P9pt6A
although I think it is an interesting idea that scammers intentionally make typos and absurdities, just to weed out discerning people in favor of easier victims, I think there is a larger market for meticulous more legitimate looking scams as well
this one fits somewhere in between
This is an apocryphal anecdote or theory that gets passed around, but I'm not sure how true it actually is, and certainly not universally true. In that, I think scammers are way more likely to just make typos than to setup an elaborate low-level target filter. Regardless, I've also never actually seen scammers admit to this.
[0] https://www.thecut.com/article/amazon-scam-call-ftc-arrest-w...
Even though I'm pretty tech-savvy, I'm not sure I could totally avoid falling for this. These scammers don't ask for money directly; they casually mention how they're making big bucks through crypto trading on some app. Naturally, you get curious about the app, but you're still cautious. Then you see it's got a ton of good reviews on the app store, so your trust increases a little.
You install the app, and it looks legit - like it was made by a solid dev team. It offers some limited-time crypto deals where you can't withdraw for a while. The victim invests a little, watches the crypto value climb, and sees their "money" grow on paper. So they put in more. When they finally try to cash out, they realize they can't. They panic and turn to their "romantic partner" for help. That's when the scammers and the fake app squeeze out the last bit of cash, claiming it's for taxes or fees, and they need to put some money. And the victim loses everything.
It's not unreasonable for the victim to think the relationship is real if they've spent months chatting and calling, sharing really personal stuff. Plus, the app seems totally legit, both from the store reviews and how it looks and works. I really hope these scams will disappear soon.
[1] https://youtu.be/pLPpl2ISKTg?si=15RzmtRGMpptF-Dv&t=539
The app mentioned in his video (MetaTrader 5) is still up - and seems actually legit... at least I think?
So is the scam that they send links to fake versions of the app? How'd the reviews look legit then? Or is there some sort of scam they run on the app where they actually have control of your account?
EDIT: nevermind, I found this[1] post that explains it - the app connects to brokers and is not one itself. So they basically just make a fake brokerage and convince you to use it. So John Oliver's explanation was a bit lacking on that part, and misleading/incorrect about MetaTrader 5 itself.
[1] https://old.reddit.com/r/explainlikeimfive/comments/1b4070o/...