Consumer Protections Cryptocurrency Businesses Can Have, But Don't (Part 1)
Updated: Jul 28, 2022
Part 1 of X
Note: names have been changed, but stories are real ones GASO has collected from victims of scams.
Blacklisting of Reported Addresses
Martha was pushed by a relationship scammer to send $200,000 to a fake cryptocurrency investment website within 2 months, using a major American Exchange. Upon painfully realizing the scam, she immediately reported the cryptocurrency addresses to American Exchange. In response, American Exchange froze and closed Martha's account.
Meanwhile, Carmen is also being conned into the same fake website. Eventually realizing the scam, she reported to American Exchange. She got the same treatment.
Martha and Carmen later met each other inside GASO and found that Carmen was still allowed to send cryptos to the same address after Martha had already reported it and got "kicked out".
Enhanced Due Diligence with Higher Amounts
Belinda used Kraken Exchange when sending her first few thousand dollars to a scam investment website, coached by a "financial adviser" she's long been talking to online. For her second payment, to pass the scam website's "Pro Verification", she attempted to buy $50,000 worth of cryptos in Kraken, but Kraken stopped her and asked her to answer a security questionnaire. Her answers apparently did not satisfy Kraken and they closed her account. Determined, Belinda then opened an account with Another American Exchange, which allowed her to send away $150,000 into the abyss within a month, including 2 transactions around $50,000.
Prompts Upon Entering Smart Contracts
Greg was told by an online friend that he can learn about cryptocurrency by investing in it. He'll need to download the Coinbase Wallet app to participate in a "mining pool". Of course, the more he puts in, the higher the returns. He enters the URL given by the friend into the wallet app's browser bar to check it out. Unwittingly, just by browsing to that URL, he already authorized the other party to do unlimited withdrawals from his cryptocurrency wallet. Later on, all of Greg's cryptos was drained from his wallet, after putting more and more of his savings under guidance that friend and instructions by the mining pool's "customer service".
Could have, should have
1) On Blacklisting of Wallet Addresses
American Exchange could have blacklisted or at least put a hold on any transactions to the reported cryptocurrency address, immediately upon suspicion, and definitely once they took action against the user. Gemini Exchange for example blocked an outgoing transaction to a reported address:
This oversight and untimely response by American Exchange have resulted in more victims losing their entire life savings on their platform.
2) Enhanced Due Diligence with Higher Amounts
Kraken's internal audit systems did well in preventing Belinda from carrying out a suspicious transaction. But their warning did not really disabuse her from continuing on with the scam. We can say Kraken did a good job in protecting themselves from being party to a crime. But give credit where credit is due; Another American Exchange and other exchanges simply allowed their new users to send out their entire life savings plus loans to the blockchain abyss.
The best automated warning perhaps came from Huobi Exchange, which prompts their users suspected of falling for relationship-investment frauds (a.k.a. pig butchering scams) to a questionnaire and an explanation of how such scams work, since at least 2021.
(Yes, Huobi Global Exchange has a thousand other issues, but failing to protect their own users against Pig-Butchering Scam is not one of them.)
3) On Prompts Upon Entering Smart Contracts
It's long been well-known, since 2018, that the Wild West of decentralized apps has many malicious actors, and that self-custody wallet app users can too easily walk into crypto-draining traps. Many wallet app developers like MetaMask have since taken steps to prevent users from unknowingly getting into malicious and deceptive smart contracts that can execute unlimited withdrawals. For instance, Trust Wallet always lets users know whenever they are about to hand over authentication keys. The following pops up before a user can access the scam app eth-kyushu(.)com shown above, or any other decentralized app.
We feel it could still be made better by explicitly saying that scam dApps can work this way in getting a user's approval to make unlimited withdrawals. They only do so in another page. Still, this is much better than nothing in Coinbase Wallet app, which makes Coinbase Wallet the favorite wallet app among scammers to lead victims into using. See Coinbase Wallet Has A Major Security Vulnerability