Entering the exciting world of Bitcoin can feel like discovering a treasure chest – except instead of gold coins, you have digital ones secured within a “hardware wallet” or, as some call it, a “signing device“. These devices are your treasure chest, secured with a lock that only you should know the combination to, a single phrase of 12, 18, or 24 words. These devices can hold any amount of Bitcoin, making the incentive to crack them oh-so irresistible.
With every known or discovered fortune comes a plethora of pirates ready to pillage it, so you need to have a plan to protect said booty.
Bitcoin can be stored on any digital device, like a phone, laptop, dedicated node, or even a USB stick, but the market has a clear bias towards using a dedicated device.
Hardware wallets have proven to be a popular method of securing funds, and with the demand for these devices, certain companies have become front-runners in this niche. Popular manufacturers, including Ledger, CoinKite, Convoy, Blockstream and Trezor, have joined the space with their offerings.
Brand building and blind trust
Bitcoin and the wider cryptocurrency sector are a hotbed for scams, and you can be sure that there are forces out there working tirelessly to find exploits that result in you parting with your money.
While the hardware wallets themselves might be hard to crack, the end user is a far softer target, and with some clever social engineering, some hackers have convinced hardware wallet owners to part with their funds.
As consumers, we’re trained to build trust and relationships with the companies we choose to purchase goods and services from. We trust their communication, and only some take the time to verify that information’s source or intent.
When Apple or Google puts out a new update, we automatically download it; this is our relationship with technology; the provider knows best, and the best practice is to act on their judgement and question nothing.
Hackers understand this is the default user experience, and
hidden among the genuine brands and Bitcoin guardian tech lurk cunning adversaries disguised as their trusted brands. These phishing scams are ready to snatch your precious Bitcoins with a click or two.
What is a phishing attack?
Phishing attacks are as old as the internet itself and can be as low-tech as creating a fake social media account and DM’ing or commenting on user posts, but it can be as elaborate as setting up custom websites, getting access to 3rd party email databases or creating fake desktop and mobile apps all with the intent to lure you into an environment where you might give off sensitive data.
Typically, the sensitive data in question revolves around accessing your funds and will focus on extracting your usernames, passwords, credit card numbers, bank account information, or other vital data to utilise or sell the stolen information.
Phishing attacks rely on your trust in a specific brand, as these scammers use that goodwill to engineer your compliance. Phishing scammers masquerade as a reputable source with an enticing request. An attacker lures in the victim to trick them, similar to how a fisherman uses bait to catch a fish.
Imagine a scammer disguising themselves as your bank, sending an urgent email about “suspicious activity”, and prompting you to click a link to “fix it.” When you click, you land on a fake website that looks just like your bank’s, and in your panic, you enter your login credentials. Boom!
The scammer now has your real banking info. That’s a phishing scam: tricking you with fake urgency and familiar brands to steal sensitive information.
Why are phishing attacks prevalent in the cryptocurrency space?
But I have no counterparty risk with Bitcoin, so how can scammers target my funds?
The short answer is you are at risk; no amount of money is secure if the guardian is willing to hand over the key to the first person who lies to them.
Just because you purchased a device from a company doesn’t mean you should trust their word on everything; it’s your money. Don’t let anyone tell you what to do with it, and you’ll be fine.
Phishing attacks usually occur when hackers are able to access the email databases or social media accounts of these wallet manufacturers; they trust that a minority of the userbase are unsure of what they are doing and would listen to any branded communication.
Phishing attackers can also target users who hold their own keys in hot wallets or with hardware wallets for Bitcoin, using fake websites or emails to steal your private keys and drain your Bitcoin. The important part of dealing with hard money is, unlike banks that could reverse or put transactions on hold, with Bitcoin, if you make a mistake like falling for a phishing scam, it’s over; those funds are gone for good.
There are several methods used for phishing attacks, with the most popular being:
Fake Support Emails
You might receive emails seemingly from Ledger or Trezor, urging you to “update your firmware” or “verify your account” by clicking a malicious link.
Never click links in unsolicited emails!
In many cases, scammers will purchase a domain that is similar to the brand, add a – or use a different TLD extension like a local version .co.uk, for example, to try and target users who won’t do an in-depth check on the source of the email.
These are easier to spot; the ones that are harder will be those where the company’s email server or 3rd party email provider has been hacked, and a hacker can send out an email from a legitimate domain.
Deceptive websites, nearly identical to the real ones, trick users into entering their seed phrases or private keys.
Double-check the URL before entering any sensitive information.
Hacked or fake social media accounts
Hackers can conjure a web of deceit on social media: they spin up fake accounts mimicking real users or even hijack established brands. Using stolen logos, profile pictures, and carefully curated content, they blend in with genuine accounts.
Then, armed with this disguise, they weave phishing links into posts, comments, or direct messages, luring unsuspecting users to click and surrender their information. It’s like a wolf in sheep’s clothing, targeting those who are too lazy to check handles or check if this is the same social account linked on the official website.
While fake accounts are a constant threat, an even bigger one is the threat of a brand having its account hacked, so even if the messaging, like a DM or a post, comes from an authentic and verified social media account, cross reference it with media reports first, or check out comments from popular online sleuths online before you action anything.
If you added your phone number to a list when purchasing a hardware wallet, you may be targeted by SMS or via instant messaging apps like Telegram and WhatsApp.
As is the case with email scams, texts claiming you need to update software or there has been “suspicious activity” in your wallet are popular methods of prompting you to “take action” and end up losing your funds.
Phishing in Disguise: Ledger and Trezor Tales of Woe
Recently, a few popular hardware wallet brands, Ledger and Trezor, have faced the wrath of sophisticated phishing campaigns. By mimicking official websites and emails, scammers lure unsuspecting users into traps that compromise their private keys and drain their wallets.
On 24 January 2024, an unauthorised email impersonating Trezor using their official domain address and accessing their actual subscriber list blasted out a fake newsletter. According to Trezor’s Digital marketing platform, Mailer Lite was the victim of a phishing attack and managed to give a hacker access to Trezor and a few other brands.
In the Trezor example, the email stated that users’ wallets and assets would be undergoing an upgrade, encouraging them to download the update or lose their funds. As a result, users who did respond to the scam lost over $600,000, according to the web3 security and privacy firm Blockaid.
On Oct. 21, 2023, Jade Wallet users were the target of a phishing scam after email addresses from those who purchased the wallet were acquired. The authors of the fake email alleged that the Jade hardware wallet was exploited, and Blockstream issued an emergency firmware release.
Back in June of 2020, over one million people who have subscribed to the Ledger newsletter had their addresses leaked, and since then, we’ve had numerous phishing scams attack this database of users.
Ledger has a complete list of all phishing attacks using their branding.
Fortress of Caution: Building Your Bitcoin Defense
I know this can all sound scary, and having to take personal responsibility can put you off the entire Bitcoin experience, but don’t let fear freeze you from Bitcoin’s potential!
Always remember that as a Bitcoin holder, there will be a constant threat to your funds; never trust, always verify and take your time to make your decisions.
Your keys and hardware wallet might be secure, but the next step is to ensure you are secure in the use and storage of the device. So here’s how to build a fortress of caution around your digital treasure:
When it comes to Bitcoin, slow and steady wins the race; take your time to download the latest software; this isn’t a realm where you want to trade new features for security, so be cautious. Considering that the old technology and software safely stored Bitcoin for over a decade, what is the rush to update?
If there are new firmware or software updates for your specific device or interface, you would like to use, rather have others be the test subjects, and you can wait until the new build has been verified by those who are more skilled in reviewing the code.
Private Keys are Private
Your seed phrase/private keys are the combinations of your Bitcoin vault, and no one needs them but you and no one needs to access them but you.
Never share them with anyone, including the hardware wallet company!
They will never ask for them; they never need them for anything, so if any communication asks you for a seed phrase or private key, close that web page or app and run as far as you can.
Phishing Red Flags
Be wary of urgent messages, typos, or suspicious URLs. Remember, legitimate companies operate with professionalism and clarity. Also, check the branding, if they’re using the latest version, and if the images are hosted with the domain of the applicable brand.
Also, check that the communication is consistent across all platforms. A hacker can rarely access all of a business’s assets, so if communication is only from one channel, it might be a scam.
Review their social media accounts, email messaging, if there are press releases or blogs on their website and if 3rd party websites have picked up and syndicated the news.
Before connecting your wallet to any software or website, always double-check the URL, check that it is indeed the correct domain and confirm the legitimacy of the software you’re downloading; either the company will provide a PGP to cross-reference that the software you downloaded is the correct version.
If you’re unsure of how to do this, it is best you ask someone you trust to verify the download for you.
Backup, Backup, Backup
Securely backup your seed phrase offline, and keep it as far away from an internet-connected device as humanly possible. You only need to engage with your device if you’re looking to spend your Bitcoin, and that’s the only time you need to sign with your device.
Beyond the Walls: Sharing Awareness
As long as users continue to reward phishing attacks, there is no reason why they will stop, and there’s very little one can do to keep up with every new attack or scam circling the various corners of the internet.
All you can do is learn to calibrate your BS meter and look for telltale signs, as mentioned above, that this round of communication might be a scam. Spreading awareness is key to stopping phishing scams in their tracks. Share this article with your fellow Bitcoin newbies, discuss best practices in online communities, and report any suspicious activity to the hardware wallet companies. By being vigilant and informed, we can build a more robust, safer Bitcoin ecosystem for everyone.
So, venture forth into the Bitcoin world with confidence! Remember, knowledge is your shield, caution your armour, and a healthy dose of scepticism is your trusty steed.
Do your own research.
If you want to learn more about phishing scams, use this article as a jumping-off point and don’t trust what we say as the final say. Take the time to research, check out their official resources below or review other articles and videos tackling the topic.