Cybercriminals creating fraudulent mobile apps purporting to offer cryptocurrency investment services have stolen $42.7 million from 244 victims over the past two years, according to the FBI.
In some of these scams, fraudsters mimicked legitimate companies and cryptocurrency exchanges. In one case, unidentified criminals defrauded at least 28 victims of $3.7 million by impersonating a legitimate U.S. financial institution.
The FBI did not name which institution the criminals impersonated. The scam lasted from December to May, during which time the criminals persuaded victims to download an app that used the name and logo of the financial institution. Many of the 28 victims received an email stating they had to pay taxes on their investments before they could make any withdrawals. But after paying the supposed tax, the victims were unable to withdraw funds.
In its alert about the attacks, published Monday, the FBI outlined three cases of cybercriminals creating fraudulent cryptocurrency investment apps. In one, criminals used the name YiBit to defraud at least four victims of $5.5 million. YiBit was a legitimate cryptocurrency exchange that stopped operating around 2018.
In another case, the FBI said criminals used the names Supayos and Supay — the same name as a legitimate currency exchange service in Australia — to defraud two victims in November. The criminals instructed the victims to download the Supay app and make cryptocurrency deposits into wallets associated with their accounts.
Criminals in schemes involving fraudulent crypto investment apps netted an average of $170,000, per the FBI’s data. Fraudsters who created an app that mimicked the Supay app told one victim that he was enrolled in a program requiring a $900,000 minimum balance, to which he had not consented. When he tried to cancel his subscription, the criminals told him to deposit the necessary funds or have all his assets frozen.
Fraudulent applications are not the only vector that fraudsters are successfully using to steal from victims. Romance scams that involve fraudulent cryptocurrency investments have also yielded major losses against victims in recent years. According to data from the Federal Trade Commission, victims collectively lost $329 million to cryptocurrency scams in the first quarter of 2022 — nearly half what they lost in 2021, and more than the previous three years combined.
The FBI did not disclose details on how exactly cybercriminals bypassed app store review processes to get their fraudulent apps onto victims’ phones, but security researchers have documented tactics criminals have used to do so.
Two major app store operators, Apple and Google, each review submissions to their platforms before making them available for customers to download. Apple has faced legal scrutiny over its walled garden approach to app installation, and its CEO Tim Cook argued in court last year that if the company did not review the apps that users could install, the situation would “become a toxic mess.”
However, workarounds and loopholes exist for getting unscreened apps onto consumers’ iPhones and Android devices. Google, for one, provides a setting users can change to allow this.
Last year, the IT security company Sophos showed scammers abused Apple’s program for distributing enterprise software, allowing them to install on victims’ phones a fraudulent cryptocurrency trading application that mimicked a real application. The attack vector has been open since 2014 at the latest.
The FBI advised banks to actively warn customers about fraudsters’ attempts to put dangerous applications on their devices and provide steps customers can take to report such activity.
The agency also advised banks to inform customers whether the bank has a mobile application, whether the financial institution offers cryptocurrency investment services, and how a customer can verify that a communication from the bank is legitimate.
The FBI also recommends banks periodically conduct online searches for their company’s name, logo and other information to determine whether their brand is being used in fraudulent or unauthorized activities.
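One way a bank's security team could automate the periodic brand search the FBI recommends is shown below. This is an added example, not code from the article or the FBI alert: it screens a set of app-store listings for names that match, contain, or closely misspell the bank's brand, and skips listings from publishers the bank already trusts. The brand "AcmeBank", the publisher names and every listing are constructed sample data, and the similarity threshold is an assumption chosen for this illustration. The example goes slightly beyond the article's cases (which involved reuse of a real brand name) by also catching near-miss spellings such as a digit substituted for a letter.

```python
"""Brand-lookalike screen for app-store listings.

Added example (not from the article or the FBI alert). Flags listings
whose name reuses or closely imitates a bank's brand so that a human
can review them and file takedown requests with the store operator.
All brands, publishers and listings below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Listing:
    name: str       # app name as shown in the store
    publisher: str  # developer/publisher name as shown in the store
    store: str      # which store or mirror the listing was found on


def normalize(text: str) -> str:
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_reason(name: str, brand: str) -> Optional[str]:
    """Return why a listing name resembles the brand, or None if it does not."""
    b = normalize(brand)
    full = normalize(name)
    if full == b:
        return "exact brand name"
    if b in full:
        return "contains brand name"
    # Compare each word of the listing name against the brand; allow roughly
    # one edit per four characters of brand (assumed threshold, tune as needed).
    threshold = max(1, len(b) // 4)
    words = [normalize(tok) for tok in re.split(r"\W+", name) if tok]
    best = min(levenshtein(w, b) for w in words)
    if best <= threshold:
        return f"near-miss spelling (edit distance {best})"
    return None


def screen(listings: List[Listing], brands: List[str],
           trusted_publishers: List[str]) -> List[dict]:
    """Return one record per suspicious listing; trusted publishers are skipped."""
    hits = []
    for listing in listings:
        if listing.publisher in trusted_publishers:
            continue  # the bank's own releases are not impersonations
        for brand in brands:
            reason = lookalike_reason(listing.name, brand)
            if reason:
                hits.append({"name": listing.name, "publisher": listing.publisher,
                             "store": listing.store, "brand": brand, "reason": reason})
                break
    return hits


# Constructed sample data: hypothetical brand, publishers and listings.
BRANDS = ["AcmeBank"]
TRUSTED_PUBLISHERS = ["Acme Bank N.A."]
SAMPLE_LISTINGS = [
    Listing("AcmeBank Mobile", "Acme Bank N.A.", "official-store"),       # the bank's own app
    Listing("AcmeBank Crypto Invest", "Global Apps LLC", "official-store"),  # brand reuse
    Listing("Acme8ank", "Investor Tools", "third-party-mirror"),            # digit for letter
    Listing("AcrneBank Wallet", "Quick Finance Co", "official-store"),      # rn for m
    Listing("Weather Now", "Sky Labs", "official-store"),                   # unrelated
]

if __name__ == "__main__":
    for hit in screen(SAMPLE_LISTINGS, BRANDS, TRUSTED_PUBLISHERS):
        print(f"{hit['store']}: '{hit['name']}' by {hit['publisher']} -> {hit['reason']}")
```

In practice the listing data would come from store search results or a brand-monitoring feed, and the hits would feed a review queue rather than being printed; the name check is deliberately simple so the false positives it produces (legitimate apps whose names happen to contain the brand) are cheap for a reviewer to dismiss.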