ChangeNOW Returns 60 ETH Stolen by Phishing Uniswap App
Uniswap and MetaMask users run into this especially often: fake wallet apps regularly appear on Google Play and the App Store, ask users to enter their seed phrases, and vanish with the stolen funds. ChangeNOW counters this type of attack with an AML system that stops stolen funds from being laundered through our service. In one such case we were able to freeze 60 stolen ETH, worth $210,000 at the time, and return them to their rightful owner.
How a Fake Uniswap App Grabbed Kevin’s ETH
In 2020, Kevin (the name has been changed for security reasons) opened Google Play and downloaded what looked like the official mobile app of Uniswap, a decentralized exchange and one of the most popular venues for swapping Ethereum-based tokens. In reality it was a phishing app imitating the well-known platform. A genuine Uniswap front end never handles your keys: it hands off to a wallet such as MetaMask, which asks for your wallet password to unlock and then signs transactions locally. You can spend the funds while the private keys stay inside the wallet and are never exposed.
The phishing app, by contrast, asked Kevin to enter his MetaMask seed phrase, the 12-word recovery phrase from which every private key in the wallet is derived and which lets the wallet be recreated on any new device or browser session. The seed phrase is not an extra layer of security on top of the wallet; it is the master secret. Its purpose is to restore access to your crypto if the device holding the wallet app is lost or stolen, and anyone who learns it gains full control of the funds. Kevin entered his seed phrase into the fake app, and with it handed the attackers access to his crypto. Soon afterwards they emptied his portfolio, worth $875,000 at the time.
Advertisement of fake Uniswap websites on Google.
Kevin's next step was the right one: he immediately contacted the police and agencies that specialize in cryptocurrency crime. Their investigation showed that the stolen funds had been split across multiple wallets and crypto exchanges in an attempt to launder them.
Thanks to the efforts of law enforcement and blockchain investigators, Kevin's coins were traced and their exchange and laundering were blocked. A large part of this work fell to ChangeNOW's AML system: because we screen incoming funds for money laundering, our tools allowed us to stop a sizeable portion of Kevin's funds and return them to the victim.
How Do Phishing Scams Work?
The bait is simple, and many users take it: attackers upload wallets that mimic popular crypto storage solutions to the Apple App Store and Google Play, promote brand-new fake wallets, or publish malicious extensions that claim to work with existing hardware wallets. The problem is that most of these apps look legitimate, and app-store review does not dig deep enough to recognize them as fraud.
The number of phishing apps surges when a bull market arrives: many inexperienced users enter the crypto space hoping for quick profits, skip due diligence, and end up installing phishing applications that look entirely convincing. Say you are a crypto newcomer who wants to invest in a coin with a good reputation, Cardano for instance. You find a wallet app whose listing says it does not collect private data and that carries a 4.3 out of 5 rating. Why not install it? You do, and your funds are stolen. This is how phishing plays out in a growing market. How is it possible?
Attackers have several ways to disguise their apps. First, they pick the best-known projects (coins or wallets) to imitate. Second, they claim in the description that they neither collect nor share your data. Third, they inflate the ratings with bots. Fourth, they slip through the vetting process, which crypto experts have criticized. In the end, Apple and Google tend to remove such apps only after users flood them with 1-star reviews calling the application outright fraud. Google Play is generally reported to have a somewhat worse crypto phishing problem than the Apple App Store.
How Did ChangeNOW Manage to Return the Funds to Kevin?
Let's take a closer look at what happened after Kevin installed the phishing app and lost his money.
As mentioned above, he did the most rational thing possible in that situation: he reported the theft to the police and to cryptocurrency forensics services, and that is where the investigation began. First, the addresses to which the scammers had moved Kevin's coins had to be identified. This is not as simple as it sounds: criminals use layered schemes to cover their tracks and route funds through addresses that are hard to link back to the theft.
How attackers launder cryptocurrency.
To counter this, forensics services work closely with blockchain analytics platforms and AML trackers, which use large-scale transaction analysis and address clustering to identify every address involved in a scam. Crypto services, ChangeNOW included, can consume the results of this work.
Our AML system played the key role in stopping Kevin's funds. Its job is to flag suspicious transactions and freeze the corresponding transfers. Once funds are stopped, our compliance team investigates and identifies the victim of the scam. When we receive a request from the police, we return the funds to their owner. That is what happened in Kevin's case: he got back the full $210,000 that the attackers had tried to launder through ChangeNOW.
How Do I Protect Myself From Phishing?
A sure sign of a phishing app is a request for your seed phrase or any other data that would expose your private keys. The only time a genuine app needs the seed phrase is when you yourself are restoring a wallet into software you obtained from the official website. In every other situation, a seed phrase prompt means it is a scam.
The second important tip: install apps only through the official website, following its link to the app-store listing, and double-check exactly which app you are installing, because phishing applications disguise themselves well. Websites are a common phishing tool too, so pay close attention to how the URL is spelled. Fake sites often differ from the original by a single misspelled or swapped character that escapes notice unless you look carefully, and the top-level domain (.com, .net and so on) must match the genuine site as well.
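The URL checks above can be automated. The following Python script is an added example, not code from ChangeNOW, Uniswap or MetaMask: it takes a URL, extracts the hostname, folds it to an ASCII "skeleton" (punycode decoded, Unicode normalized, a handful of confusable characters mapped to their Latin look-alikes), and then compares it with a constructed allowlist of official hostnames. It reports homograph domains, one- or two-keystroke typosquats, a correct name on the wrong top-level domain, and a trusted name embedded as a subdomain of someone else's domain. The allowlist, the confusable table (a small subset of the Unicode confusables data) and the two-label rule for the registrable domain are all assumptions made for the illustration.

```python
"""Lookalike-domain checker for wallet and DEX URLs.

Added example only; the allowlist, confusables subset and test inputs are
constructed for illustration and are not ChangeNOW's or Uniswap's code.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist: the only hostnames this user expects to sign on.
OFFICIAL_HOSTS = {"app.uniswap.org", "uniswap.org", "metamask.io"}


def registrable(host: str) -> str:
    """Last two labels, e.g. 'app.uniswap.org' -> 'uniswap.org'.
    Assumption: no multi-label public suffixes such as '.co.uk'."""
    return ".".join(host.split(".")[-2:])


OFFICIAL_DOMAINS = {registrable(h) for h in OFFICIAL_HOSTS}

# Assumed subset of Unicode confusables used in homograph attacks.
# Digits 0/1 are folded too, which is deliberate for a lookalike check
# even though it also touches legitimate digits in a hostname.
CONFUSABLES = str.maketrans({
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0131": "i",  # Latin small dotless i
    "0": "o",
    "1": "l",
})


def skeleton(host: str) -> str:
    """Fold a hostname so that visually similar names collide."""
    try:
        # Turn punycode labels (xn--...) back into Unicode.
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not decodable; fold what we have
    host = unicodedata.normalize("NFKC", host.lower()).translate(CONFUSABLES)
    # Multi-character confusables: 'rn' reads as 'm', 'vv' as 'w'.
    return host.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 means a one- or two-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return one of: official, homograph, embedded, wrong-tld,
    typosquat, unknown."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Exact allowlisted host, or a subdomain of an allowlisted domain.
    if host in OFFICIAL_HOSTS or registrable(host) in OFFICIAL_DOMAINS:
        return "official"
    skel = skeleton(host)
    official_skels = {skeleton(h) for h in OFFICIAL_HOSTS}
    # Same letters to the eye, different code points (or rn/vv tricks).
    if skel in official_skels:
        return "homograph"
    # A trusted name used as a subdomain of an attacker-controlled domain,
    # e.g. app.uniswap.org.<something>.com.
    if any(skel.startswith(s + ".") for s in official_skels):
        return "embedded"
    base, _, tld = registrable(skel).rpartition(".")
    for s in official_skels:
        obase, _, otld = registrable(s).rpartition(".")
        if base == obase and tld != otld:
            return "wrong-tld"
        if levenshtein(registrable(skel), registrable(s)) <= 2:
            return "typosquat"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; the Cyrillic 'i' is U+0456.
    for sample in ("https://app.uniswap.org/#/swap",
                   "https://app.un\u0456swap.org/",
                   "https://uniswaps.org/",
                   "https://uniswap.com/",
                   "https://app.uniswap.org.wallet-connect-verify.com/"):
        print(f"{classify_url(sample):10} {sample}")
```

Anything other than "official" should stop you before a seed phrase or a transaction signature is entered. The skeleton step is what catches the cases the eye misses: a Cyrillic "і" in "unіswap" survives a careful visual check, and the browser may show it either as that glyph or as its punycode form, which is why both are decoded before comparison.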
Following these simple tips will help keep your funds safe. Unfortunately, crypto scams are not going away, so ChangeNOW monitors the situation closely: we use several AML systems, obtain lists of addresses involved in criminal activity, freeze funds received from such wallets, and send crypto back to scam victims. In one recent case we returned $100,000 worth of XRP to a number of users defrauded by fake Ripple giveaways. See this article for how their money was saved.