
My name is Serge Philosopher; I am an investigative journalist, and this story—about the biggest cryptocurrency heists carried out using social engineering—has yet to be published. But let me take it one step at a time.
Over the last two years, I have been working on a feature for an economics publication and eventually tracked down a person who agreed to provide information. However, as it turned out, my source had recently moved to Spain, and to meet him and find out the details of his activities in the realm of crypto fraud, I had to plan a route from London to the town of Torrevieja, in the province of Alicante. We agreed to meet in a secluded spot where the lakes and silence create a strange sense of isolation from the world – Lagunas de La Mata y Torrevieja.
So, to get the scoop, I bought tickets and set off on a journey to the town whose name translates as ‘Old Tower’.
Sitting in a cosy café, in the shade of spreading trees, Michael (a former member of an international group specialising in crypto asset theft) explained how multi-factor authentication can be bypassed not through code, but simply by exploiting trust.
Speaking about the most high-profile crypto thefts, he noted that the attacks on the Ronin Network ($625 million), BNB Bridge ($569 million) and Poly Network ($611 million) were mere ‘peanuts’ compared to the funds their hacker community had siphoned off from other people’s crypto accounts.
“The weakest link in any system is the human factor. And any crypto system is no exception,” he said, enthusiastically describing some of the nuances of his “work”.
The scheme always looked convincing. First, the victim would receive an email purporting to be from technical support. The next step was an invitation to a ‘consultation’. The email was sent with copies to several other addresses, creating the illusion of officialdom and of complete control of the situation. In reality, these addresses closely resembled the genuine ones but were nonetheless fictitious.
Then came the key phase of the scam. The victim was sent a document with instructions on how to log in to an online platform. It all looked like a standard security procedure. But in reality, the password used for that login granted full access to the account and, through it, to all of the victim’s bank accounts. The campaign could last for weeks, months, and sometimes even years.
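The detail that makes this scheme work is the set of copied-in addresses that differ from the genuine support domain by a single character or a visual substitution. A defender can check exactly that before anyone replies. The following is an added illustration, not code from the article or from any organisation it mentions; the trusted domain, the sample header block and all function names are constructed for the example.

```python
"""Flag look-alike From/Cc domains in an email header block.

Added illustration for the scheme described above (an official-looking
message copied to near-identical but fake addresses). Not from the article;
the trusted domain, the header block and the helper names are constructed.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed: the one genuine support domain we expect mail from.
TRUSTED_DOMAINS = {"support.example-exchange.com"}

# Constructed sample header block in the shape of the message described:
# one real address and two near-misses among the copies.
SAMPLE_HEADERS = """\
From: Exchange Support <help@support.example-exchange.com>
Cc: Compliance <compliance@support.exarnple-exchange.com>,
 Security Desk <security@support.example-exchange.co>,
 Account Review <review@support.example-exchange.com>
Subject: Mandatory security consultation
"""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted domain is the signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _normalise(domain: str) -> str:
    """Collapse common visual substitutions so 'exarnple' compares as 'example'."""
    return (domain.lower()
            .replace("rn", "m")
            .replace("0", "o")
            .replace("1", "l")
            .replace("vv", "w"))


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender domain."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if _normalise(domain) == _normalise(good):
            return "lookalike"
        if _levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unrelated"


def flag_lookalike_addresses(raw_headers: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Map every From/Cc/Reply-To address in the header block to its verdict."""
    msg = message_from_string(raw_headers)
    fields = msg.get_all("From", []) + msg.get_all("Cc", []) + msg.get_all("Reply-To", [])
    verdicts = {}
    for _name, addr in getaddresses(fields):
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        verdicts[addr.lower()] = classify_domain(domain, trusted)
    return verdicts


if __name__ == "__main__":
    for addr, verdict in flag_lookalike_addresses(SAMPLE_HEADERS).items():
        print(f"{verdict:10} {addr}")
```

Run against the constructed headers, the two genuine addresses come back as `trusted`, the `rn`-for-`m` swap and the truncated `.co` TLD as `lookalike`. Any `lookalike` or `unrelated` verdict on a message that claims to come from support is reason to verify through a channel the message did not supply.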
According to him, researchers from the Google Threat Intelligence Group have, however, documented campaigns where hackers used social engineering to trick victims into creating and handing over passwords for apps and crypto wallets. Subsequently, due to the level of detail in the attacks, cyber experts began to draw conclusions about the involvement of state-funded organisations in the theft of cryptocurrencies. And all the threads led to one of the post-Soviet countries.
When I returned to the UK, I was stopped at the airport by a completely unremarkable man: ‘Postpone publishing the article for six months,’ he said firmly and calmly. I knew this secret service agent, and that is precisely why this exposé on the largest cryptocurrency thefts committed through social engineering has still not been published.