Cybercriminals have defrauded hundreds of U.S. investors by convincing them to download bogus apps that pose as legitimate cryptocurrency investment services, the FBI warned in a new private industry notification alert on Monday. .
So far, 244 victims have reported falling for the scheme, with losses exceeding $42.7 million, according to the FBI. Cybercriminals first tricked victims into downloading fake apps, and the targets then deposited cryptocurrency into wallets associated with their accounts.
“Cybercriminals are looking to take advantage of increased interest in mobile banking and cryptocurrency investing,” according to the private sector notification. “The FBI has observed cybercriminals using legitimate USBUS names, logos, and other identifying information, including creating fake websites with that information, as part of their ruse to win over investors.”
Cybercriminals claimed their apps were from legitimate US financial institutions, with a campaign between December and May that defrauded 28 victims of $3.7 million using the name and logo of a legitimate anonymous company to trick victims to deposit cryptocurrency on the app.
The FBI followed another campaign between October and May where attackers operated under the company name YiBit to defraud four victims of $5.5 million after they were persuaded to deposit cryptocurrency in the YiBit app. YiBit is a legit old cryptocurrency exchange that appeared to shut down in 2018. During November, cybercriminals exploited an app called Supay – named after a cryptocurrency exchange provider in Australia – to defraud two victims by convincing them to deposit cryptocurrency.
The attackers behind the fake Supay app used a variety of tactics to try to extort as much money as possible from victims: “In November 2021, cybercriminals told a victim that he was enrolled in a program requiring a minimum balance of $900,000 without his consent; when trying to cancel the subscription, the victim was instructed to either deposit the requested funds or freeze all assets,” according to the FBI.
After depositing money, the victims were unable to withdraw funds from these accounts, and when they attempted to do so, they received messages stating that they must first pay taxes on their accounts. investments.
Cybercriminals target victims in different ways with fake cryptocurrency wallet apps, Trend Micro researchers said in January. Attackers tricked victims into downloading these bogus apps by sending text messages and emails containing malicious links, setting up fake versions of official crypto wallet websites, and posting bogus tech support messages on the platforms. social media platforms or in official cryptocurrency communities with links to their copycat websites.
“The Threat Research team discovered a fake version of all the most popular crypto wallet apps available, including imToken, Bitpie, MetaMask, Trust Wallet, and TokenPocket,” Trend Micro researchers said. “A total of 249 fake apps were discovered, which the team says were downloaded by victims in countries around the world, including the United States, France, Germany, Australia, New Zealand and in Japan.”
The FBI said financial institutions should warn their customers about this activity and tell them how to identify legitimate communications from the institution. Companies should also conduct periodic searches online to find company names or logos used in fraudulent activity.
For investors, “beware of unsolicited requests to download investment applications, especially from people you have not met in person or whose identity you have not verified,” according to the FBI. “Take steps to verify an individual’s identity before providing personal information or relying on investment advice.”