Crypto scammers may have found a new hunting ground for bitcoin (BTC) and altcoin-holding victims: dating apps.
Per a case study published by the US-based crypto self-custody solutions provider Casa, scammers have developed a “novel attack” that targets crypto enthusiasts. The firm warned of “malicious actors who are lurking on dating apps.” These attackers, it said, “appear to be becoming more crypto-savvy.”
The case in point involved a crypto investor and Casa client who found a match on Tinder, a woman who claimed to share his interest in cryptoassets.
The man began to chat with the woman and the duo eventually agreed to meet up in person. On the date, though, the man’s suspicions were briefly piqued when his date appeared to look very different from her profile picture and spoke very little about crypto, simply mentioning that she said her parents had “bought her BTC 1 for USD 30,000.”
But after spending time at a coffee shop, the client and the woman went for a walk – before going back to his place. But while they had drinks at his domicile, he left to go to the toilet. Returning, he continued to consume his drink – before, Jameson Lopp, Co-founder and Chief Technology Officer of Casa, explained:
“We suspect the woman laced our client’s drink with scopolamine, also known as ‘Devil’s Breath,’ or a benzodiazepine. These drugs are well known to cause loss of inhibition and memory loss.”
This apparent stunt caused the man to lose his inhibitions. Lopp continued:
“His memories are fuzzy after this point, but the client recalls drinking a bit more after returning from the restroom.”
“Some time later,” the client was quoted as saying, the woman “picked up his phone and asked him to show her how to unlock it and find his passwords.”
The custody provider added that “He knew that something didn’t seem right, but his inhibitions and safeguards had been stripped away. The last thing he remembers is kissing her.”
Casa claimed that it did not believe that the attack “was solely perpetrated by the woman he met,” writing:
“She most likely handed the phone over to someone else, possibly a criminal organization, to get to work draining his various accounts as quickly as possible. The woman was most likely acting as a social engineer.”
The victim incurred very minor losses, and was “unable to function lucidly for an estimated 24 hours.” But a “small amount of bitcoin” was removed from the client’s exchange accounts.
“He was able to block some of the other requested purchases and withdrawals by contacting those custodians to inform them of the compromise. Since the attacker only had one of the client’s five keys to his Casa multisig, those funds could not be spent.”
But the moral of the story, perhaps, is that the client was using a two-factor authentication (2FA) solution that involved making use of the Google Authenticator app on their smartphone – meaning that anyone who had gained access to his phone could essentially access his otherwise unprotected crypto wallets. The Google app was not password protected: Once the attacker had access to his phone, they also had access to the authenticator. A number of major crypto exchanges use 2FA solutions like Google Authenticator to prevent fraud.
On Twitter, the Casa CEO Nick Neuman explained:
“No funds were able to be stolen from his Casa account, where he kept the majority of his assets. He had set up a properly distributed 3-of-5 multisig, so it was impossible to steal the majority of his bitcoin in this attack.”
In East Asian nations such as Japan, similar cases are also on the rise, although many of these do not involve in-person meetings, and are instead taking advantage of coronavirus-related travel bans.
Earlier this year, the National Consumer Affairs Center of Japan, a consumer watchdog, said the number of complaints it received from men using international dating apps more than doubled last year. This figure has been bolstered by an influx of “crypto-keen” women ostensibly based in other Asian locations persuading men to move their tokens and fiat to bona fide-looking crypto platforms that then turn out to be bogus.
One man was reportedly duped into parting with some USD 16,150 by a woman he had fallen for on a dating app – who later convinced him to “join her” in investment on a crypto platform. The platform later proved to be an elaborately designed fake.
(Photo : SlasGear)