FTX Compensates Platform Users after Wave of Phishing Attacks

Sam Bankman-Fried, founder of FTX, announced on Twitter that FTX will pay $6 million in compensation to users whose cryptocurrency was stolen in recent phishing attacks. Sam also made it clear that the compensation is only for FTX accounts, and will be a “one-time” settlement, not to be repeated in similar future incidents.
2022, the Year of Hacks
FTX users were recently targeted by attackers. Hackers reached users’ cryptocurrency by obtaining the users’ 3Commas API keys and carrying out unauthorized trades. Sam Bankman-Fried took to Twitter to announce the compensation plan. In his Tweet, Sam also proposed a “5-5 standard” agreement, under which the cryptocurrency hackers could keep either $5 million or 5% of the total assets stolen. The CEO of FTX urged the hackers to send back approximately $5.7 million, which is about 95% of the total assets stolen, within twenty-four hours to a listed wallet address; the CEO promised to absolve the hackers if they complied.
In a released statement, 3Commas denied that the breach originated from a leak of API keys on one of its systems. “There have been no breaches of either 3Commas’ account security and API encryption systems, nor the account security and API encryption systems of our partner exchanges,” the statement said. 3Commas pointed out that the breach is most likely related to a phishing attack to which the users fell victim.
Hacks have been prevalent in the cryptocurrency space this past year, and hackers have become more sophisticated in the methods and techniques they use to carry out malicious attacks. There have been hacks of cryptocurrency exchanges, DeFi protocols, and cross-chain bridges, and the draining of liquidity pools, among others. In some cases, bugs in smart contract code have been exploited, giving attackers access to millions of dollars’ worth of cryptocurrency. Notable incidents in 2022 alone include Axie Infinity’s Ronin bridge hack, in which the hacker stole over $600 million worth of Ethereum and USDC; the Wormhole bridge attack, which resulted in a loss of $320 million in February; and the recent attacks on the Binance bridge as well as Mango protocol, resulting in losses of over $600 million and $100 million respectively. Some of these hacks directly target users, who unknowingly hand over their passwords, private keys, seed phrases, and other vital credentials to hackers.
What is Phishing and How to Spot and Avoid a Phishing Attack
Phishing has been prevalent in Web2 and has carried over from Web2 to Web3. Phishing is a form of social engineering attack in which an attacker, pretending to be a legitimate source, tricks a user into divulging vital personal information. Attackers send official-looking emails and create clone login pages and websites to deceive unsuspecting users into taking an action such as downloading software via a link or entering credentials into a cloned, fake website. These fake websites often have a domain name that looks similar to that of the original website. Phishers employ these methods and techniques to gain their victims’ trust and make them lower their guard.
Phishers sometimes use social media networks to collect the basic personal information of their victim. With this personal information, a phisher could then plan how to orchestrate a phishing attack on the victim.
Types of Phishing Attacks
Phishing attacks have become varied and sophisticated over the years, with each type of attack having a specific name. Here are some of the most common types of phishing attacks.
- Email Phishing: This is the most common type of phishing. The tone of phishing emails mostly entails a threat, or a sense of urgency to make a user quickly follow through on the instructions in the email without double-checking the email source. Phishing emails mainly contain links to a fake login page or links to a malware site.
- Spear Phishing: This is also a phishing attack carried out by sending phishing emails; in spear phishing, however, the attacker already has preliminary information about the victim, such as name, job title, or job role.
- Angler Phishing: An angler phishing attack is when an attacker uses fake social media accounts to mimic the account of a well-known individual or organization. This is rampant on crypto Twitter; “verified” fake accounts post links to fake airdrops, giveaways and “crypto-doubling” schemes. Phishers are also always active on social media with fake customer support profiles: they quickly reach out to customers who publicly ask for assistance or customer support and trick the victim into divulging sensitive information.
- Whaling: This is a phishing attack targeted at the senior management of an organization. In this type of attack, attackers electronically send highly-personalized and well-structured offers or proposals to the senior management of an organization: the documents would contain malicious links. If a senior management member of the organization falls victim, it could lead to a compromise of the organization’s confidential data.
Web3-specific Phishing Attacks
As the latest iteration of the Internet, Web3 has not been spared when it comes to phishing attacks. Phishers have infiltrated Web3 communities including Telegram and Discord groups of crypto projects and “crypto Twitter.” Scam airdrops have become rampant. A typical Web3 phishing attack starts with the attacker posting and “shilling” a scam airdrop or any other promotion. These phishers work like an organized crime syndicate; they use various accounts to like, share and comment on the scam airdrop post to give credence to the airdrop and lure victims to the phishing website. When a victim visits the website, which is usually a clone of a legitimate project, the phishing website would prompt the user to enter their private key or seed phrase. The phisher gets hold of the credentials and the victim’s wallet gets drained.
Another common phishing attack in Web3 and the cryptocurrency space adds a malware link to an email or Direct Message (DM). The unsuspecting user clicks the link and the malware gets installed “silently” on the user’s device. The malware constantly monitors the device clipboard; when a user attempts to send crypto and copies and pastes the recipient wallet address, the malware changes it to a wallet address controlled by the attacker, and the user unknowingly sends the cryptocurrency to the attacker’s wallet.
How to Spot and Avoid Phishing
Phishing emails always contain some form of urgency. For example, an email might direct a user to update their crypto wallet or else lose access to the wallet by midnight. This is a classic example of rushing the victim through the process before they realize they are being phished.
Grammatical errors are very common in most phishing messages. The tone of an email or DM – for example, being overly friendly in a supposedly formal conversation – could also be a tell-tale sign of phishing.
Inconsistencies in web URLs are one of the main characteristics of phishing websites. In phishing websites that mimic a legitimate website, URLs are often hyphenated. For example, the domain name “metamask.io” would become “meta-mask.io.” In some cases, the letters “i” and “l” are replaced with the number “1.” An example would be “binance.com” changed to “b1nance.com.” These subtle changes in the name of the URLs could go unnoticed by a victim.
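The URL check described above, as an added example (not code from the article or from any project it mentions): it flags a host that turns into a known-good domain once hyphens are dropped and “1” is read as “i” or “l”. The allowlist, function names and sample URLs are constructed for illustration, and treating the last two labels as the registered domain is a simplifying assumption.

```python
from itertools import product
from urllib.parse import urlsplit

# Constructed allowlist: the two legitimate domains the article names.
KNOWN_GOOD = {"metamask.io", "binance.com"}
# Digit-for-letter swaps from the article: "1" standing in for "i" or "l".
DIGIT_SWAPS = {"1": ("i", "l")}

def hostname(url_or_host):
    """Lower-cased host of a URL or bare host; userinfo and port are dropped."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "//" + s
    return (urlsplit(s).hostname or "").rstrip(".")

def variants(domain):
    """Every reading of a domain with hyphens dropped and digits read as letters."""
    choices = [DIGIT_SWAPS.get(ch, ()) + (ch,) for ch in domain if ch != "-"]
    return {"".join(p) for p in product(*choices)}

def classify(url_or_host):
    """Return ("legitimate", d), ("lookalike", imitated d) or ("unknown", None)."""
    host = hostname(url_or_host)
    for good in KNOWN_GOOD:
        if host == good or host.endswith("." + good):
            return ("legitimate", good)
    # Simplification (assumption): the last two labels are the registered domain.
    registered = ".".join(host.split(".")[-2:])
    seen = variants(registered)
    for good in sorted(KNOWN_GOOD):
        if good.replace("-", "") in seen:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample inputs, not taken from any real campaign.
SAMPLES = [
    "https://www.binance.com/en",
    "https://meta-mask.io/airdrop",
    "b1nance.com",
    "https://binance.com@b1nance.com/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {classify(s)}")
```

A “lookalike” result means only that the name resembles an allowlisted one; hosts under multi-label suffixes such as .co.uk need a public-suffix list to find the registered domain correctly.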
There are simple measures to follow to avoid becoming a phishing victim. They include: double-checking the URLs of visited websites before carrying out any activity on the site; watching out for subtle cues like tone of communication when you receive an email or DM from unknown sources; never giving out information such as passwords, private keys or seed phrases to anyone – not even the customer support personnel of the supposed platform; and installing necessary security tools such as Two-Factor Authentication (2FA) on all supported apps and wallets.












