Email scams are catching crypto investors offguard and stealing millions

A recent wave of email scams is catching crypto investors off-guard and stealing millions of dollars in cryptocurrency.

Friday morning, it appeared that one such email scam was behind the theft of some $60 million in ETH from a dog-themed crypto project during its token sale.

One of the persons behind the project shared a screenshot of an email they received containing an attachment. The email looked like it was from a prominent crypto investor but it wasn't their real email address. It contained a PDF file that was presented as an investment deck, which may have contained malware. This malware may have managed to access the crypto wallets controlling the funds before sending them to another address.

Since then, the project says it has gotten in touch with Chainalysis to monitor the movement of the seemingly stolen funds and it has let professional security researchers look at the PDF.

This project wasn't the only target, however.

VC firms County Capital and Sneaky Ventures both shared tweets showing that they, too, received the same phishing email. The one sent to County Capital was also sent to VC firm Sino Global Capital, the screenshots show.

Inspired by a previous phishing attack

The individuals behind the attack posted a message on the Ethereum blockchain, which said that they were inspired by a similar phishing attack.

This was the attack against trading firm mgnr that happened earlier this month. In this attack, an email was made to look like a VC investor had shared a Google Docs file with them.

"The intrusion was probably used to implant a key logger and steal credentials to a password manager where we had (stupidly) shared a [private key] as temporary hot wallet between a few team members," the firm said. Mgnr added that they were aware of two other crypto firms receiving similar phishing emails with documents pretending to be from the same VC firm.

A pseudonymous crypto investor by the name of mewn — part of investing group eGirl Capital — pointed out that these attacks are targeting specific crypto individuals with specialized knowledge of crypto news.

"This to me is like a big red alert to everyone in the space to be very careful," they tweeted.

The individuals behind today's hack said, in a message on the blockchain, that they were not the same people that phished mgnr. But they added that they were inspired by it.

How does this type of attack work?

In order to understand how a phishing attack like this works and how it can be so successful, The Block spoke with Oren Falkowitz, founder of Area 1 Security and former analyst at the NSA.

Falkowitz explained that, typically, these emails would be made to look authentic, such as coming from a trusted entity or person. In the cases mentioned above, the emails appeared to look like they were from notable crypto investors.

On how they lead to the damage, Falkowitz said that the links within the emails might not be what they seem. While the document might appear to be a PDF file — by having ".PDF" at the end of the filename — it may actually be a very different type of file. What it could be is an executable file that contains a series of instructions for the computer to perform a task. This is similar to downloading and installing software.

Once installed, it may be a piece of code that takes instructions from another computer, such as downloading further malicious software. Through this, the code could get access to a keylogger or other services that could observe activity on the computer.

Once the attacker is able to obtain this kind of access, it becomes much easier for them to intercept any kind of private blockchain data in order to get access to the victim's cryptocurrency holdings.

For more breaking stories like this, make sure to follow The Block on Twitter.