Search on TFTC
How To Avoid Bitcoin Social Engineering Attacks

How To Avoid Bitcoin Social Engineering Attacks

May 8, 2024
Marty's Ƀent

How To Avoid Bitcoin Social Engineering Attacks

If you are reading this right now and you have bitcoin on an exchange, in a wallet that you control, or even in a multi-sig wallet it is imperative that you take thirty-five minutes to listen to this episode of Junseth's World (and be sure to leave him a 1 star review). This is the best piece of investigative journalism that is pertinent to bitcoin that has come out in many years.

Junseth answered a call from a social engineering hacker who was attempting to socially engineer him into handing over control of his bitcoin exchange account so that it could be drained. The hacker didn't realize it, but Junseth was recording the conversation and he got the kid to spill the beans on his whole operation. I'm not going to rehash the conversation because I won't be able to do it justice and you really should take the time to listen to it yourself so that you can understand how social engineering hackers are trying to get you to hand over your bitcoin to them.

Instead, I'd like to focus on some actionable advice for you all so that you can either recognize when this attack is being waged against you or avoid it all together.

Here are the most important steps you can take to avoid these attacks.

Don't ever answer calls from unknown numbers

This is something that should be straightforward. We live in the digital age, there are many avenues through which individuals in your network can get a hold of you. If someone really needs to get in touch, they will find a way. Ignoring "Unknown Callers" is something that you should be doing if you aren't already.

Turn off cloud backups for your Two-Factor Authentication apps


If you're using Google Authenticator or Authy as your 2FA tools to protect your exchange accounts make sure you turn off the cloud back ups. If you listen to Junseth's conversation with the social engineering hacker you'll learn that the hackers are able to access their victims' 2FA codes via the cloud backups on their GMail accounts. They first convince their victims to change their GMail passwords, then they use their access to GMail to reset the passwords of the victims' exchange accounts and finally gain access to the exchange account immediately (if their is no 2FA enabled) or by leveraging cloud access to authenticator apps to get past 2FA protections. By turning off cloud backups you make it so a hacker would need physical access to the device your authenticator app is on to get the necessary codes to get past 2FA on your exchange account. When you do this make sure you back up your master 2FA key by writing it down and keeping it safe.

Don't ever input your seed phrase if prompted by a person

If you have taken the proper steps to eliminate the third parties that stand between you and your bitcoin by creating a proper private-public key pair that enables you to hold your own bitcoin the most important thing for you to do is to protect your private key/seed phrase. The only time you ever have to disclose your seed phrase is to recover a software or hardware wallet you lost access to. There is no other reason in the world to input your seed phrase. Social engineering hackers will try to make you believe otherwise. They'll claim a critical wallet software bug is loose and that you need to input your seed phrase immediately to ensure that your funds are safe, but do not believe them. If anyone tells you that you need to input your seed phrase to secure your bitcoin you can immediately write them off as a scammer.

Verify out of band

If someone is presenting themself as a representative of a company and compelling you to act to secure your bitcoin and you are unsure whether they are legitimate or not you should 1.) assume that they are not and 2.) at the very least try to verify that they are by reaching out directly to the company and asking.

Set up social procedures with your family

This was not discussed in the conversation between Junseth and the social engineering hacker, but it is best to start planning with your family in preparation for more advanced attacks that involve generative AI that can spoof audio and video content that seems real. At some point a hacker will call you pretending to be a family member in distress that needs you to move your bitcoin ASAP to save them from a dangerous situation. It may be wise to create a memorable "safe word or phrase" between your family members that can be used to confirm whether or not the person on the other side of the line is who you think it is. These attacks will be the most pernicious because they attempt to manipulate the most primordial of emotions, the familial bond. They will seem very real in the moment and it will be hard not to act against your best interest. It will become increasingly important to be prepared both mentally and procedurally.

Use multisig

Secure your bitcoin in a multisig wallet and make it hard to move your bitcoin. Especially the bitcoin that you plan to hold for a prolonged period of time. If it takes a considerable amount of time to move your bitcoin because you have to physically retrieve keys that are geographically dispersed it will give you more time to recognize that you are being scammed and disincentivize the scammers from following through with the attack. The longer they have to interact with you the more exposed they become and the more likely they are to screw up.

Understanding Bitcoin Custody: Single Sig vs Multisig Wallets
If you’re looking to take control of your Bitcoin holdings, understanding the nuances of wallet security is crucial. With Bitcoin’s rise in popularity, the importance of self-custody cannot be overstated.

Use common sense

If something doesn't feel right that's because it most likely isn't right. If there were ever a critical vulnerability with an exchange or a wallet software the chances that you would be contacted personally via a phone call or a direct email are very slim. You are most likely not special and if something were wrong with a company you are trusting to secure your bitcoin it is most likely that there would be a public announcement made that you would be able to verify. Again, if a hacker does somehow convince you that you are special you should, at the very least, take the time to verify how special you are by seeking a second opinion and reaching out directly to the company to verify.

Whether you like it or not, these are the type of things that you have to be thinking about if you hold bitcoin. With great power comes great responsibility. There are no charge backs or claw backs in the world of digital bearer instruments. Once you give someone access to your bitcoin wallet or exchange account and that person moves the bitcoin there is nothing you can do outside of catching the person who stole your bitcoin in meat space and convincing them to send the bitcoin back to you.

What's very disheartening about the rise of these types of social engineering hacks is that they are made significantly easier due to the current regulatory environment which forces companies to collect and store (often insecurely) a treasure trove of personal identifying information on their clients. These attacks would not be as easy or prevalent as they are today if everyone wasn't forced to share this data with the companies they interact with. KYC/AML compliance rules do far more damage to law abiding individuals than they do to the criminals they were designed to stop. Millions of people around the world would be significantly safer if the Bank Secrecy Act was repealed and this information wasn't forced into insecure databases in the first place.

Final thought...

It was disgustingly humid in Austin, Texas today.

Use the code "TFTC" for 15% off


Current Block Height

Current Mempool Size

Current Difficulty