FBI: Fake Cryptocurrency Apps Defrauded Hundreds of U.S. Investors

Cybercriminals have defrauded hundreds of U.S. investors by convincing them to download fake apps that impersonate legitimate cryptocurrency investment services, the FBI warned in a private industry notification issued Monday.

So far, 244 victims have reported falling for this scheme, with losses topping $42.7 million, according to the FBI. Cybercriminals first persuaded victims to download fake apps, and the targets then deposited cryptocurrency into wallets associated with their accounts.

“Cybercriminals seek to take advantage of the increased interest in mobile banking and cryptocurrency investing,” according to the private industry notification. “The FBI has observed cyber criminals using the names, logos, and other identifying information of legitimate USBUSs, including creating fake websites with this information, as part of their ruse to gain investors.”

Cybercriminals have pretended their apps are from legitimate U.S. financial institutions. One campaign between December and May defrauded 28 victims of $3.7 million, using the name and logo of an unnamed legitimate company to trick victims into depositing cryptocurrency on the app.

The FBI tracked another campaign between October and May in which attackers operated under the company name YiBit to defraud four victims of $5.5 million after they were persuaded to deposit cryptocurrency into the YiBit app. YiBit is a former legitimate cryptocurrency exchange that appeared to close in 2018. During the month of November, cybercriminals operated an app called Supay, the same name as a cryptocurrency exchange provider in Australia, to defraud two victims by convincing them to deposit cryptocurrency.

Attackers behind the fake Supay app leveraged various tactics to try to squeeze as much money as they could from victims: “In November 2021, the cybercriminals told one victim he was enrolled in a program requiring a minimum balance of $900,000 without his consent; upon trying to cancel the subscription, the victim was instructed to deposit the requested funds or have all assets frozen,” according to the FBI.

After depositing money, victims were unable to withdraw funds from these accounts, and when they attempted to do so, they received messages stating that they needed to pay taxes on their investments first.

Cybercriminals are targeting victims in a number of different ways with fake cryptocurrency wallet apps, said Trend Micro researchers in January. Attackers persuaded victims to download these fake apps by sending text messages and emails with malicious links, setting up fake versions of official crypto wallet websites and posting fake tech support messages on social media platforms or in official cryptocurrency communities with links to their copycat websites.

“The Threat Research team discovered a fake version of all the most popular crypto wallet apps available, including imToken, Bitpie, MetaMask, Trust Wallet, and TokenPocket,” said researchers with Trend Micro. “A total of 249 fake apps were discovered, which the team found were downloaded by victims in countries all over the world, including the United States, France, Germany, Australia, New Zealand, and Japan.”

The FBI said financial institutions should warn their customers about this activity and tell customers how to identify legitimate communications from the institution. Companies should also conduct periodic online searches for company names or logos being used in fraudulent activity.

For investors, “be wary of unsolicited requests to download investment applications, especially from individuals you have not met in person or whose identity you have not verified,” according to the FBI. “Take steps to verify an individual’s identity before providing them with personal information or relying on their investment advice.”