October 14, 2022
In crypto, scams are common. They take many forms, but the result is always the same: an unsuspecting victim loses something of value. To put it in perspective, scammers siphoned $680 million from Americans in 2021. In the first quarter of 2022 alone, they stole another $329 million [1]. Over half of the reported scams took place on social media applications such as Facebook and Telegram. This is a massive problem for people in legitimate crypto ventures and their users.
How could this happen? There are many layers to this situation. First, crypto is a relatively new industry that isn't as well understood as traditional financial institutions. Most people are familiar with banks, credit cards and brokerages, where a third party holds custody of their funds. Crypto's noncustodial approach to finance instead places the responsibility solely on the owner of the private keys to manage their funds. When people send crypto to a scammer, there is currently no recourse to recover the funds. With a credit card, and even some debit cards, there is the opportunity to dispute a charge. If a bank loses your funds, in the United States for example, there are policies in effect that help to make a victim whole, such as FDIC-insured accounts. Of course, this comes with the trade-off that a centralized entity ultimately holds custody of its clients' funds. An individual who has control over their own funds is empowered, but this also requires more care in how they handle those funds. While this is great for being in control of your finances, it is also great for scammers.
In this article, you will read about a common crypto scam in social media applications such as Discord and Telegram. It will explain some concepts about Hedera Hashgraph that will make the mechanisms behind the scam more clear. Finally, you will learn about some things you can do to protect yourself from scams and improve your security awareness.
In the crypto world, accounts holding native tokens such as hbar are associated with a public and private key pair. The private key is the most important and most sensitive piece of information related to the account. The private key can also be derived from a list of words, typically 12 or 24 words, referred to as a mnemonic or a seed phrase. This makes the key pair easier to recover and easier to store outside of a computer. Bitcoin introduced this concept in an improvement proposal (BIP-39) and many other networks have adopted the technique [2]. The private key/seed phrase is so important because it is required in order to send funds from a user's account. Whoever has access to this key has control over the account's tokens and NFTs.
On most networks, the public key is also the account address. That currently isn't the case with Hedera Hashgraph. Generally speaking, Hedera accounts have a private/public key pair and an account ID. This account ID is in the format 0.0.123456, where the first 0 is a shard number, the second 0 is a realm number and 123456 is the account number [3]. The shard and realm numbers are both currently zero, but the long-term plan is for Hedera to have multiple shards and realms as the network grows. The exception to this format is a feature currently being developed called aliases. An alias account uses a public key as an address, but this is not relevant for the scope of this article.
To make an analogy: Imagine a giant, public room filled with lockers. The account ID would be the number of the locker and the private key would unlock it. If you hold the key to the locker, you can access the contents. The private key/seed phrase is that key.
As for how this works on Hedera, if a user wanted to send funds to another user, the process for a transaction would look like this:
1. User A wants to send User B 100 hbar
2. A transaction is created that subtracts 100 hbar from User A's balance and adds it to User B's balance
3. User A signs the transaction with their private key and submits it to the network for processing
As demonstrated above, the process of sending hbar from one user to another requires an account ID and a signature with a private key.
A wallet is the piece of software that allows the user to see their balances and interact with the network. HashPack is a noncustodial wallet, meaning you have total control over your keys. In the hbar transaction example above, the private key is only used to sign the transaction. The key never leaves the device and HashPack has no way of obtaining a user's key. Instead, signed transactions are submitted to the network, and a private key cannot be extracted from a signed transaction.
These ideas are important to understand when evaluating what a scammer wants you to do. There will never be a situation where support needs to synchronize your HashPack or somehow repair it, because the network processes the transactions and HashPack is noncustodial. No one has any reason to ask you to go to a website and enter sensitive data related to your wallet. There will never be a situation where anyone needs your private key or seed phrase. Giving it away is essentially handing a stranger the key to your locker or bank vault.
In the HashPack Discord, we see a very common tactic that scammers use to get users' funds. If a user comes to the Discord to ask for help with a problem or to ask a question, the scammers will message them directly and claim to be from official HashPack support. The scammer claims that the user needs to perform a task to repair the state of their wallet. This approach employs social engineering and phishing to trick the user into divulging sensitive information. Social engineering is when an attacker uses human interaction to obtain sensitive information from a victim or their organization. Phishing is a form of social engineering where the attacker pretends to be from an official organization and induces the user to reveal personal information, usually through emails or malicious websites pretending to be legitimate [4]. The scammers may even copy a moderator's profile picture and use a similar Discord handle in order to appear more legitimate.
In this case, there is also typically an element of high pressure, because the user may feel that their funds are unrecoverable and that support may be able to help fix the mistake that was made. That feeling works to the scammer's advantage, especially when the user doesn't have a deeper than surface-level understanding of the technology. They want to make the victim act quickly and capitalize on the confusion and uncertainty. Most people just want their funds back, and the idea that support can help them do that is a very effective way to manipulate an unsuspecting victim. The scammers will typically send you a link as part of the aforementioned 'repair' process. This process will claim that it requires the victim's seed phrase to repair the wallet. If the victim enters their seed phrase, the scammers now have access to the account and anything of value will typically be stolen. That means tokens, hbar and potentially NFTs will be transferred to the scammer.
As a general rule, you don't want to click on any links from someone you don't know. By getting you to click an untrusted link, an attacker could do many things, such as send an email on your behalf, steal cookies from your browser, install malware or even install a cryptominer [5]. Verify links in unsolicited emails, especially if they've been shortened. You should also look out for emails with unusual characters in them, such as URL-encoded characters. You can use a link verifier to check the link without opening it. Keep your antivirus and anti-malware software up to date and perform regular scans [6].
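As an added example (not HashPack's code or any link-verifier service), the following function triages a link for the warning signs just listed before anyone clicks it: non-HTTPS scheme, a known shortener, user-info before "@" that disguises the real host, punycode labels, and percent-encoded characters. The SHORTENERS set is a short, non-exhaustive list of well-known services; the sample URLs in the test are constructed.

```javascript
// Added example (not HashPack code): pre-click link triage for the warning
// signs described above. SHORTENERS is a non-exhaustive, constructed list.
const SHORTENERS = new Set(['bit.ly', 't.co', 'tinyurl.com', 'goo.gl', 'is.gd', 'ow.ly', 'cutt.ly']);

// Returns a list of findings; an empty list means nothing suspicious was seen.
function inspectLink(raw) {
  const findings = [];
  let url;
  try { url = new URL(raw); } catch (e) { return ['not a parseable URL']; }
  if (url.protocol !== 'https:') findings.push(`scheme is ${url.protocol}, not https:`);
  if (SHORTENERS.has(url.hostname)) findings.push('shortened link: destination is hidden');
  // "https://support@evil.example" shows "support" first, but the host is evil.example
  if (url.username || url.password) findings.push(`text before @ is not the host; real host is ${url.hostname}`);
  if (url.hostname.split('.').some(label => label.startsWith('xn--')))
    findings.push('punycode hostname: may be a lookalike of a familiar domain');
  if (/%[0-9a-f]{2}/i.test(raw)) {
    let decoded;
    try { decoded = decodeURIComponent(raw); } catch (e) { decoded = '(undecodable)'; }
    findings.push(`percent-encoded characters hide the real text; decoded: ${decoded}`);
  }
  return findings;
}
```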
If this happens in the HashPack Discord, you can reach out to the moderators in a public channel to confirm the information. Screenshots of the scammer's name and Discord ID help the moderator team ban scammers. If you'd like to speak privately with the moderation team, you may open a ticket and someone will answer you when they are available. Verifying information that you receive but may not trust can make the difference between being scammed and being safe. You may also want to disable direct messages from people who share a server with you but are not on your friends list [7]. This will cut down a lot of the unwanted messages you may receive, especially in crypto Discords. The HashPack moderator team will never message you directly unless they explicitly say so in a public channel.
In addition to the above, you should also be very careful about how you store your seed phrase. It should never be in plain text on a device connected to the internet. Instead, it should be written down and stored in a safe place. This comes with the caveat that paper can be lost or degrade over time, so new copies should be made every few years to ensure the longevity of your seed phrase. For more durable storage, a great way to keep your seed phrase is to engrave it in metal. Metal plates are less likely to be discarded, and many plates available for purchase can resist high temperatures and extreme pressure [8]. For a detailed review of seed phrase plates, please see this great resource.
A hardware (cold) wallet such as a Ledger is also a good way to protect your keys. Ledger devices integrate seamlessly into HashPack, and the Ledger team is currently working to support more features of the Hedera network, such as HTS tokens. The hardware wallet's sole purpose is to sign transactions from a device that is not connected to the internet and whose private key is not easily accessible. Here's a great video guide for setting up your Ledger with HashPack.
In summation, distributed ledgers are an exciting and innovative technology that has the potential to change many lives for the better. It has applications far beyond simple value transfer and a bright future ahead of it. However, as this article discussed, there is potential danger in new technologies as they reach maturity. The best thing users can do is remain vigilant for potential threats to their privacy and information. Verify all information from untrusted sources, don't click on links from people you don't know and keep your private key/seed phrase safe. There are no circumstances where anyone besides you needs your private key/seed phrase, and anyone requesting it is likely trying to scam you. Stay safe with your private information, always remain vigilant and, if you have any questions, come ask in the HashPack Discord server!
—
This article was published by Nick Hanna, HashPack CISO.
2. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
3. https://docs.hedera.com/guides/core-concepts/accounts
4. https://www.cisa.gov/uscert/ncas/tips/ST04-014
5. https://phys.org/news/2019-02-dont-click-link-criminals-access.html
6. https://www.lifewire.com/how-to-test-a-suspicious-link-without-clicking-it-2487171
7. https://discord.com/safety/360043857751-four-steps-to-a-super-safe-account
8. https://www.blockplate.com/blogs/blockplate/best-seed-phrase-storage