It’s hard to believe there is anyone involved in cryptocurrency who doesn’t know that this is an area infested with fraud, theft and exceptional risks. Anyone landing on the dark side of digital coins – be they naïve investors or more seasoned ones – will pay a hefty price. According to some estimates, the damage wrought by scams and hackers in this field has amounted to tens of billions of dollars over the last decade.

The U.S. Federal Trade Commission reported recently that from October 2020 to May 2021 there was a sharp uptick in the number of reported scams. Around 7,000 people reported damage totaling $80 million, with a median loss of $1,900, implying a large number of small-scale frauds. Obviously, not all the people who were defrauded reported this to the authorities in the U.S. or anywhere else, and the total amount of money accumulated through fraud in the global crypto market is much larger. According to an estimate published in Business Insider, the scope of fraud and theft between January and August this year totaled $3 billion.

In Israel, as part of an investigation called “The Big Game,” the police arrested businessman Moshe Hogeg, the owner of the Beitar Jerusalem soccer team, in November. In addition to sex offenses, Hogeg is suspected of fraud and of scamming cryptocurrency investors. He is also suspected of theft and tax evasion, as well as money laundering. He and his partners are accused of deceiving investors by falsifying business transactions. They did so, among other methods, through glamorous marketing that used celebrities such as Leo Messi and Leonardo DiCaprio. Police claim that they made tens of millions of shekels each using these methods. And in October, Israel Police arrested suspects in a sting operation involving virtual currency worth millions of dollars taken from American citizens. The arrests were part of an international investigation conducted by the FBI.

Of course, fraud, theft and black-market money were invented long before bitcoin came into being a decade ago, and most financial crimes today still involve dollars, shekels and other traditional legal tenders. It’s also worth noting that much cryptocurrency activity is conducted fairly under the banner of decentralization and freedom from regulatory supervision. Many countries, including Israel, are in the process of regulating this business sector, a process which is proceeding slowly. However, the combination of great temptation, with assets gaining hundreds of percent in value in an instant, along with their technological complexity, is fertile ground for exploiting the ignorance and naïve mistakes of investors, and for luring them through false dreams of getting rich quick.

An advertisement for bitcoin in Hong Kong.
Kin Cheung/AP

An unbroken chain

Investors in the cryptocurrency market are at risk in two main ways. There is individual risk, due to the decentralization of this asset and the fact that everyone is responsible for their own coins. This makes it easy to fall prey to scams, and one mistake is enough to lose access to one’s money, with no recourse and no one to fix the problem. More on that later.

There is also potential collective risk due to the nature of huge commercial transactions that are attractive to hackers, or internal fraud by the system’s operators themselves. If that weren’t complicated enough, there are cases involving both types of fraud and theft.

The first serious breach in the crypto market happened in 2014, hitting the Japan-based Mt. Gox bitcoin exchange, which at the time managed most bitcoin trade. Investors lost $450 million and the exchange was shut down. Investors launched prolonged legal proceedings against the owner after it turned out that he had managed trade in a sloppy fashion, enabling serious security breaches.

There have been dozens of breaches and cases of fraud since then. In one salient case, hundreds of millions of NEM (New Economy Movement) coins were stolen in 2018 from another popular Japanese exchange, Coincheck. The exchange admitted retroactively that it did have some security problems that enabled the breach, but it continues to operate to this day, after compensating 260,000 clients.

Despite the great exposure to hackers, the core element of bitcoin, its blockchain database, which documents all bitcoin transactions, has never been hacked. The security and encryption methods and a set of incentives have foiled incessant attempts to breach it. This is also true of other well-managed cryptocurrencies. Furthermore, blockchain networks are usually relatively transparent, which helps in protecting against hackers.

Although the addresses of digital currency owners aren’t public, this anonymity is often only partial. There are two reasons for this: Anyone trading with someone from a specific address can find out who owns the address, and then track with relative ease the transactions from this address. There are companies that provide such services, and governments are improving their ability to do so, too. A second reason for compromised anonymity is the increasing regulation of crypto trade, including a demand to list the personal details of investors, allowing law enforcement agencies to obtain these details in cases of suspected crimes.

Many breaches now occur on decentralized finance (DeFi) platforms. These are cryptocurrency businesses that are trying to develop financial services such as savings and loans, inviting investors to deposit their coins with them in order to earn interest. This is a rapidly expanding area, growing from $0.5 billion two years ago to $250 billion now. Many DeFi businesses market themselves as decentralized even though they are definitely not operating as such.

This year, the so-called “biggest ever crypto breach” occurred, ending quickly with a full return of the coins to their owners. The break-in happened on the Chinese Poly Network DeFi platform, which is akin to a decentralized exchange. Anyone wishing to exchange, for example, bitcoin for ethereum, can deposit one kind of currency in one account and withdraw the other type of coin from a second account, after the system certifies, through smart contracts, that the deposit was indeed made. Hackers managed to withdraw coins without depositing them first, stealing $610 million.

The hackers first tried to deposit this large sum elsewhere, but were rejected. This may have led them to realize that it would be difficult to launder more than half a billion dollars, even in a decentralized cryptocurrency world with ostensibly no regulation. At the same time, the managers of Poly Network were able to convince several operators of the stolen coins to freeze them.

This obviously undermines the cryptocurrency world’s principle of decentralization. Such a move is impossible with bitcoin and ethereum, but there are currencies that do have such mechanisms, and system administrators utilize them sometimes, for more or less appropriate reasons.

In the end, anonymous spokesmen for the hackers claimed that they had only wanted to warn about security vulnerabilities at Poly Network before others exploited them, and that the original plan was to return the coins to their owners, which is indeed what happened a few days later.

Along with these headline-making break-ins into large exchanges, there are many less publicized instances of small investors falling prey to sting operations. The U.S. Federal Trade Commission has reported on websites that offer investment opportunities, with boastful testimonies by previous investors. These websites use the correct crypto market jargon, but happen to be fraudulent. The deception often includes specious displays, showing supposed investment growth. In the end, however, it turns out there is no way to withdraw coins from these sites.

A 3,700% sting

The FTC report noted that cryptocurrency investment carries risks, but that there is no reason that fraud should be one of them. Since most people are still unfamiliar with the workings of the crypto market, it’s relatively easy for criminals to present their scams as reasonable cryptocurrency investments. The report noted that these criminals exploit the buzz around this market, tempting investors with shady investment opportunities. The report adds that the scammers seem friendly, willing to share tips, but that this could be part of the con game. Sometimes these deceptions are based on a chain of contacts intended to draw in new investors, says the report.

One popular swindle involves a promise to distribute coins. Swindlers copy accounts belonging to celebrities or cryptocurrency personalities, and use the impersonations to invite victims to send them coins, promising to return double the amount or more as part of an “investment.” It sounds ridiculous, but there are people who buy into such promises, especially those in their 20s and 30s. In one case, cited by the FTC, unsuspecting victims sent crypto coins worth $2 million to fake accounts that they believed belonged to Tesla owner and well-known cryptocurrency investor Elon Musk. In other cases, coins were stolen through ostensible long-distance relationships, or even by people posing as representatives of public welfare institutions.

One of the biggest scams took place in 2018, when a currency belonging to a company named Bitconnect fell 90 percent. Bitconnect had attracted investors by promoting an automated trade system that could ostensibly reap handsome profits through bitcoin investments. After a prolonged investigation, the U.S. Federal Trade Commission charged Bitconnect’s owners and employees for perpetrating a $2 billion fraud – the investment was a Ponzi scheme. One of the company’s owners who used to live in India has not yet been found. The company falsely depicted investors’ gains, with some investors making supposed returns of up to 3,700 percent.

Not your keys, not your coins

Cryptocurrency investors like to say “not your keys, not your coins.” The maxim underscores the unique decentralized nature of the cryptocurrency trade and is meant as a warning to investors that when you let a third party manage the coins, you lose full ownership and become susceptible to scams. This highlights the unique risks of the cryptocurrency market, in which the entire responsibility for watching the money lies with the owner.

Digital coins are kept at an address on a blockchain, a ledger which documents all trades. It’s where the coins are stored, to the extent that one can talk about a physical space in a digital network. Since these are open networks, with no one managing them, each such address has two encryption keys, each one of them consisting of a long sequence of letters and numbers. One key is public, enabling its dissemination in order to conduct business with other parties. The second key is private, and is used to move coins through a blockchain. This is somewhat complicated and requires technical skills, which is why it’s more convenient to manage these coins through centralized sites such as exchanges. These sites take responsibility for all the technical aspects, allowing people to trade in these coins through friendly and convenient interfaces, which more closely resemble what we’re used to in our banking apps, without requiring all the headaches associated with encrypted keys.

However, anyone investing their coins this way is in fact giving up their private key, which is now in the hands of the platform’s operators. If they are trustworthy, it’s an effective solution. But if it turns out that the operators are scammers or if they themselves fall victim to hackers, then you realize the meaning of “not your coins.”

On the other hand, those who choose to manage their coins on their own face the challenge of protecting keys from loss or theft. Digital crypto wallets translate the long sequence of numbers and letters that make up the key into a list of words. This list must also be well guarded, but at least it’s in a more friendly language, and the chances of making typing errors are smaller. Some wallets work on computers or smartphones, but it’s recommended to use “cold” wallets, managed through a flash drive not connected to the internet, in order to afford better protection against hacking.

All these techniques will not help anyone who’s lost access to their key, or who has sent coins to a wrong address. Over the years, the keys to 20 percent of all bitcoins have been lost, amounting to losses of $200 billion. It’s likely that hundreds of billions of dollars are floating in blockchain space, with no one ever likely to retrieve them.