Several forms of social engineering techniques are being used by scammers to steal seed phrases and cause people to lose their digital assets.
Seed phrase scam involves different techniques used to make targets expose their seed phrase and compromise the wallet holding their digital assets.
The common seed phrase scam is phishing, in which the attacker creates a sense of urgency, asking the target to submit a seed phrase on a phishing website or through a form.
Seed phrases are the master key to a crypto wallet, and exposing them puts the holder at the risk of losing their funds which are not reversible.
Some of the measures to guide against seed phrase scam include: keeping the seed phrase in a safe location, splitting it into pieces and storing each segment in different places, encrypting it when holding it online, and refraining from seeking support except within the app the help is needed.
Measures must be taken not to misplace the seed phrase in the bid to protect as that will lead to loss of access to the wallet and the funds in it.
The crypto-space is choppy water with waves that call for caution and carefulness. It is a realm where enormous power is given to individuals to take charge of their finance, including the safekeeping of funds without relying on a bank or an institution. To whom much is given, much is expected! The vault holding crypto funds, known as a wallet, has a master key that provides access to it and can be used for recovery. This master key is called the seed phrase. Scam targeting seed phrases has been on the rise in recent times. The seed phrase is 12-24 algorithmically generated words provided when setting up a wallet as a backup mechanism. When transferring a wallet from one device to the other or following a loss of the device, the seed phrase will be required to recover the wallet, and one seed can serve to recover an entire portfolio of tokens and coins. Therefore, for scammers to score a bullseye, they have devised different techniques targeted at making people divulge their seed phrase.
Seed Phrase Scam Techniques
A classical poet once said, “I know evil not for doing it, but so that I do not fall into evil.” One way to guide against seed phrase scams is to understand the different techniques used by scammers to get seed phrases from people. Last May, the popular crypto wallet Metamask raised the alarm about a bot used to steal seed phrases on Twitter. The fraudulent scheme was in the form of a request from an account that appeared genuine. The statement suggested filling out a support form and requesting for secret recovery phrase. This is one of the different ways scammers try to gain access and drain people’s wallets by getting their seed phrase.
The scam techniques popularly in use for stealing seed phrases include:
Source: blog.malwarebytes.com
1. Phishing: Phishing is not a new concept when talking about safety and security in cyberspace. It tops the list among the ways scammers lure people to give out their seed phrases by making them enter it on a dubious website. It involves tricking people into divulging their password or personally-identifiable details while creating a sense of urgency, in this case, their seed phrase, to have access to their wallet. Some phishing scams come in the form of popup ads that link to a phishing website or a browser extension that imitates popular wallets like Exodus and Metamask. In a phishing scam attack, Domenic Iacovone lost $65,000 worth of assets. A scammer who disguised as an Apple customer service agent called the target that his Apple account had been compromised and that he would be sending a code to the phone to ascertain that the victim was the account owner. After gaining access to the phone with this trick, the hacker went further to access the seed phrase through the iCloud backup and drained the wallet within seconds.
One typical phishing attack that scammers also use is spear phishing. The attacker, in this case, uses a customized email or message to target individuals pretending to be from trusted senders such as hardware wallet providers and prompting them to update their seed phrases. Whoever falls victim to their trick would have his wallet compromised.
2. Baiting: Baiting is another scam technique through which attackers steal seed phrases. In baiting, the scammer induces people to give their login credentials by promising them goods or items such as airdrops, giveaways or digital collectables. Some also ask their target to enter a given seed phrase into their wallet to bait them and have access to their fund. Bounties distribution is a common incentive for building crypto communities. Scammers often hide under the pretext of distributing bonuses as part of their project launch to bait people into giving their seed phrases, thereby compromising their wallets. Many people see airdrops and other giveaways as opportunities to acquire some digital assets and may not be careful to verify the genuineness of the entire scheme.
One common baiting scam that is trending involves some unscrupulous elements revealing their seed phrases online pretending it is accidental. Some unsuspecting individuals will be baited to enter the seed phrases into their wallets to take the fund. This will enable the scammer to gain access to the wallet resulting in the draining of the entire funds in the wallet both the one in it before and the fund the wallet holder is baited with.
3. Quid pro quo: Quid pro quo is very similar to baiting. Quid pro quo is based on promising to render a service that the target may need for an exchange of login information. The benefit promised under quid pro quo is often in service, such as upgrading a system, while in baiting, it is mainly in the form of good. The case of Dominic Iacovone falls under quid pro quo as a subset of a phishing attack.
How to guide against seed phrase scam
Wallets are stored online, known as a hot wallet or offline in physical hardware, known as a cold wallet. Hot wallets are more susceptible to hacking. Whatever the case may be, preventive measures should be taken to guide against seed phrase scam. Unlike the traditional financial system, transactions in the crypto-space are powered by the blockchain and are not reversible. Once a person has access to your wallet and drains it, there will be no way to reverse the transaction, which makes these measures very important.
Store your seed phrase in a safe place, preferably writing it somewhere. Suppose you must store it online, store an encrypted version of it.
When keeping your seed phrase, adopt the sharding method, which involves splitting your seed phrase into segments and storing them in different locations.
Avoid entering a strange seed phrase into your wallet, as this may be bait from scammers.
Avoid seeking support randomly on apps or social media, and if you must seek help, do so only from within the app you want help on.
A seed phrase is required only on a few occasions; so, never enter your seed phrase on any form online for whatever promise.
If you use a device that automatically writes the seed phrase on cloud backup, such as Apple, you may go to the Manage storage setting and turn off the backup capability.
Always ascertain the legitimacy of a sender and be careful when you are being pressured to take an urgent action that involves you giving your seed phrase.
Enable 2-factor verification and avoid open wi-fi networks especially when interacting with your wallet.
Organizations should give proper training to employees to increase awareness and reporting.
When dealing with websites, check the URL to ensure the website’s certificate is trusted and adhere to warnings that indicate your connection to a site is insecure.
The cost of a bit of carelessness with a seed phrase is enormous, and one can only imagine it if your wallet is holding a considerable fund. For the safety of your assets, you may as well keep only some fractions of in your hot wallet online while you keep the more significant proportion in your cold wallet offline. In any way, It will never be too much to take extra caution with your seed phrase.
Author: Gate.io Observer: M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.
This page is not intended for residents and citizens of Spain, Cuba, Bolivia, Venezuela and other Spanish-speaking jurisdictions listed in the Restricted Locations related terms of Gate.io's User Agreement.Español
This page is not intended for residents and citizens of France, Canada and other French-speaking jurisdictions listed in the Restricted Locations related terms of Gate.io's User Agreement.Français (Afrique)