When bumping into the topic of hackers and scammers, we tend to picture the stereotypical masked figure in a black hoodie hiding in the shadows, facing a red or green screen with thousands of lines of code, and hands typing faster than light. Surely, you’ve seen those characters in your typical movie and TV hacking scenes.

But, the average hacker or scammer usually isn’t like that. They’re everyday people that could pass off as your neighbours or the friendly person who smiled at you the other day.

Recently, we met with an ex-scammer whom we’ll call Sam (obviously not his real name). At first glance, he looks like a young, decent guy who you wouldn’t think of being the ringleader of a citywide Ethereum-based Ponzi scheme that siphoned thousands of dollars from unsuspecting people.

In an effort to make amends for his involvement in a scam that would deliberately harm investors, he has now agreed to share his experience in an effort to help investors be aware of these types of exploits and be better prepared to avoid them.

Ex-Scammer Confesses: Ins and Outs of Crypto Schemes

Q: Please tell us about yourself and the scam you pulled.

Hi, thanks for having me here. I’m Sam. I led an almost nationwide scam back in 2019 together with a team of 6. We introduced an already popular crypto Ponzi scheme called ******, to the Ethereum network. We marketed it as a fast-growing and high-profit investment with two ways of generating returns: Ether capital gains (something you could already do without joining the scheme) and getting other people to buy into the scheme. Essentially, it was a pyramid scheme disguised as an MLM scheme (multi-level-marketing).

We got a lot of people to sign up from five different cities. We also managed to get some users from other countries. Our team used all types of social media tools to pull people into the scheme: social media accounts including a Discord channel to close transactions, chatbots, and people dedicated to closing a deal to onboard individuals. We even tried to break into influencer marketing to grow the scheme more rapidly. Fortunately, the influencers we contacted either ignored us or were smart enough not to bite our bait.

Of course, our success in growing the scheme got the project noticed not only by those we were trying to onboard but also by those that could see it for what it was. Towards the end, the scheme got so big that it was flagged up by a government financial regulator who issued a warning about the scam and everyone involved. As a team, we were mostly amateurs, including myself. Eventually, one by one, members of the team started to get worried about being caught and started to leave, before the situation and consequences got even worse. I was one of the last ones to go. And now, I wish I was one of the first.

Q: Tell us more about your involvement and how you did it?

I was in charge of communication and our social media channels. At first, our initial targets were people who understood the Ponzi nature of the scheme and that they were getting in early and therefore had a good chance of exiting and making lots of money. Thereafter the network effect took over and all these people were incentivised to onboard others. Exponential growth appears to progress relatively slowly to start with but with the number of people who grew that were strongly motivated to recruit others, we experienced an unbelievable acceleration in the growth of the scheme. And of course, we did everything possible to maximise this growth, opening up more and more social media channels to widen the base of the Ponzi scheme.

We did our best to answer the questions in the social media channels, but when I say did our best, I mean we did our best to obscure what was going on and encourage the community to onboard new users. Showing users that they could make a lot of money fast by onboarding new users was usually all we needed to do in order to get people to cash in, and then we set them up on a call to guide them through the process. Once that was done, the money went into the accounts and progressed up the Ponzi chain to those that joined first. We didn’t completely leave new users on their own. We had post-sales service and got them to join in a mini-community. And that was about it. Providing a big monetary incentive with simple instructions and actions that individuals felt they could achieve. And they were hooked.

Q: How did the scheme affect individuals? How much impact can one exploit create?

Oh, it affects everyone involved. Mainly the victims, but it can affect the scammers too — depending on how much of a conscience they have, and how much money they are making. I have seen first-hand how money can warp your values and sense of right and wrong. Unlike a blackhat hack where an individual steals crypto, this type of Ponzi scheme is bad because it incentivizes the whole community to behave in a selfish and self-serving way at the expense of others. This type of scheme is a sickness to society and a contagious one at that. It’s also hard to heal from, even after you’ve stopped, because of the realization of how many people have been badly affected, or infected, so to speak.

As a scammer, it affects you mentally. As I said, it screws up your value system. Right from the start, I knew it was wrong, but those who invited me presented it as a no-risk offer with a huge upside. They flattered me by telling me how good I was at closing deals, and they told me how much money I could make if I joined them. At first, it was sort of an adrenaline rush, a Wolf of Wall Street kind of thing. Heck, it was easy money paid for by a few chats here and there. And of course, one thing led to another, and before long I was part of the team masterminding a huge scam. I think when people say the “wrong side of the law”, it sounds like a very binary choice, which in some sense of course it is, but what I want to say is that my journey started off with a choice that didn’t seem that unreasonable to me at the time — introducing a few people to a risky project in a risky industry where some people get lucky and some don’t. Others had their opportunity to get rich, and life’s not fair. This was my chance. That was what I told myself anyway.

But, anyway, the most affected individuals are not the scammers, it’s the victims. They are the ones who are affected most, those whose hard-earned money got swiped away from their hands.

It was really only towards the very end of the project I realized just how out of hand the whole thing had become, and how many people were being badly affected. It is something I’ll take with me and that I have to deal with. Of course, now I want to make up for the wrong that I’ve done but obviously, that’s too late for those that were directly impacted. The guilt and shame are hard to face up to.

Being here and sharing my story with you and disclosing how to avoid exploits is one way that hopefully I can do some good.

As a bystander, hacking and exploitation incidents appear to be just unfortunate events where money was lost. In truth, it’s actually more than that.

Q: What changed your mind and made you stop what you were doing? Were you able to return any of the victims’ money?

Circumstance. The seriousness and scale of the situation we got ourselves into changed my mind. The nature of the scheme, where we were encouraging others to grow the scam, meant that it got out of control.

As for me, it was when public authorities started to take notice and warn about the project that I got scared of the consequences of what we had done. It opened my eyes. True, not everyone would react like this. But, it certainly had an effect on me.

I repaid losses to those people that I knew and had onboarded. The nature of the flow of payments in the scheme and the scale of the losses meant that I wasn’t able to do a great deal financially to make good those that had lost money.

Q: What repercussions do exploiters face when caught doing hacks and scams?

It really depends on where the hackers and scammers are based as well as the specifics of what they have done. Laws are different in every country and each government takes a different approach. Authorities and regulators are becoming much more sophisticated, and whilst the blockchain is anonymous, it is transparent as transactions can be followed.

At the end of the day, whether individuals are hacking wallets or exchanges or robbing a bank, the end result is the same. The same is true of a Ponzi scheme whether it is on or off-chain. As to the consequences, I am not an expert, but I imagine that for those that get caught the penalties or sentences would be much the same as for a traditional crime. Hiding behind an impersonal computer screen might make hackers feel more distant from the crime and their victims, but when they are caught I don’t think legal systems treat hackers any differently than other criminals.

How to Spot A Scam

Q: What are the usual signs of a scam?

  1. Scams usually press on your life’s pain points such as your fears and worries. I think almost everyone in the crypto space knows what FOMO is. Sharing the same knowledge, if not greater, hackers and scammers take advantage of many people’s fear of being left out, not getting on the “next moon project”, or this once-in-a-lifetime opportunity. They’ll push undesirable outcomes like not accomplishing your financial goals, growing old poor, and any insecurity they can find.
  2. They pressure their target victims with a sense of urgency. Scammers make you hurry, respond quickly, and/or send money as soon as possible. They’ll make you feel like the opportunity they’re presenting is going away very soon when it’s not. They’ll try to overwhelm and detach you from your logical train of thought so you won’t realize they’re exploiting you.
  3. They promise quick results. There’s no such thing as quick and easy money. Not everyone knows this but even if they do, some still fall victim to temptation. Scammers tend to promise their victims they’ll double their money to the thousands and millions in a matter of months, weeks, or days — provided you give them money first. Temptation is a powerful tool. If it’s too good to be true, it probably is.
  4. They generally ask you to give money upfront or a “buy-in” investment. Exploiters like to throw around financial buzzwords like investment, capital, or professional, just to name a few, to make themselves sound trustworthy to send money to. Research and find out if what they’re saying is true or if there’s information or reports online that mention scams or hacks with similar methods.
  5. They ask for personal information. Private and confidential info like your phone number, email address, bank account number, and most especially, your password are some of the things you should never reveal to any stranger, whatever they say, under any circumstances. No crypto exchange, nor any reliable project would ask you for this kind of information through conversation channels, if at all. KYC should of course be expected for CeFi exchanges, but private and confidential information is not requested. Be cautious and wary of the website you are looking at, some hackers use fake websites for phishing.

Q: So you’ve been part of one scam. Do you think what you’ve shared here today still applies to other exploits?

Yes, absolutely. Many scams, hacks, and exploits use similar tactics and elements. In general, they all use the same tools to manipulate people — using psychology and peoples’ insecurities, vulnerabilities, and of course, greed — who wouldn’t want to get rich quick?

Social engineering is the most typical way a server gets “hacked” — a dev or mod’s credentials are stolen through screen share, blackmail, and/or identity theft.

Protocols and projects should not only strive to strengthen their cyber security and smart contract security but also promote awareness about scams and help users understand how to improve their own security and protect their digital assets. There’s unbelievable strength in communities.

How to Avoid Crypto Scams

Q: How can someone like me avoid getting scammed or exploited?

  1. DYOR. Do your own research. Find out everything you can about opportunities you encounter or presented to you. Search government records if they’re a registered business or regulated organization. Research the team behind the project. Are they credible within the industry? Are they transparent and easy to locate? Analyze and discover what the project intends to solve. Do they have real-world utility? Is the project functional? How is it beneficial? Get information about their revenue sources. How do they make money? What products or services do they offer? If they’re a stranger, be super cautious about what they tell you. A sweet deal without any catch usually takes something more in return. If it’s someone you know, ask them the following questions: What’s your role within the company? How do you make a profit out of this? What’s the product/service I’m investing in?
  2. If they’ll ask you to give money upfront, think twice about joining. Yes, investments involve “investing money”. Credible investments usually don’t make you pay upfront. Also, look into their financials or news about them to understand their growth rate and how they scale the business.
  3. Don’t rush into things especially when investing in a new project.Consider several factors first such as their goals, revenue sources, team, investors, partners, and presence in the industry. Above all, take your time.
  4. Protect your personal information. Keep confidential data secure and private. The use of authentication devices like Yubikey or password managers are highly recommended when dealing with valuable information. Practice safe browsing and digital asset security methods as well to avoid exposing your data to potential hackers and scammers.

More Ways to Prevent Crypto Exploits

  1. Never click links on a Discord channel or DMs about unannounced “stealth mints.” Unless a project says it will do a stealth mint, it’s a scam.
  2. Never trust announcements that play on the fear of missing out or FOMO.
  3. Only visit links in official Discord announcement channels. Even then, take extra precautions.
  4. Don’t trust Discord bot announcements. Founders or admins typically make important announcements personally.
  5. Disable members’ DMs. Discord’s Privacy & Safety settings have this option.
  6. Double-check username handles and account details when transferring admin/moderator ownership to other members of your team.
  7. Be wary of sudden situations that require money — genuine events are frequently advertised in advance to prepare users.
  8. Always check on the exact spelling, and domain of a web address that you interact with — there are over 1,500 top-level domain names, thus a fraud may be performed from any version of a recognizable web address.
  9. Cross-check the credibility of any token offering by checking the official Twitter, Telegram, Discord, and website. If something is only communicated through one channel, you would be right to be skeptical.
  10. Contact the official account of a team member (Google Chat) or reach out over call if you have any questions.
  11. Encourage a platform to have open communication with other community members if they have spotted a problem.

Takeaway

Hacks and exploits in the crypto and DeFi space are highly prevalent. Almost every week, there’s a hack of some kind that’s stolen millions in digital assets. You can visit our recent weekly reports to learn more about them.

Furthermore, companies reveal surprising information about how easily-accessible hacking tools and methods can be. According to a report by RiskIQ, they found 27 unique malware types hosted on Discord’s CDN servers. On the other hand, Google search results reveal hundreds of guides and how-tos that help bad actors hack into Discord accounts and servers. It can be as easy and simple as a Google search for “how to hack a discord server”. Also, many open-source projects and repositories found on Github help scammers use code and techniques to attack Discord servers such as this one.

Investors or users should consider joining communities that are focused on digital asset protection and security, such as Neptune Mutual. These types of communities help others avoid getting scammed by consulting each other about any projects or opportunities that they plan to invest in.

As responsible investors, we should do our own research when getting into something new and promising. When we encounter hacks and exploits, we can help out by letting others know about them. If you are sure of your source and of the information, take it to social media and spread the word.

You can also share this article with your friends, community, and people you know to help them avoid the worst exploits in crypto.


About Us

Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.

Join us in our mission to cover, protect, and secure on-chain digital assets.

Official Website: https://neptunemutual.com
Blog: https://blog.neptunemutual.com/
Twitter: https://twitter.com/neptunemutual
Reddit: https://www.reddit.com/r/NeptuneMutual
Telegram: https://t.me/neptunemutual
Discord: https://discord.gg/2qMGTtJtnW
YouTube: https://www.youtube.com/c/NeptuneMutual
LinkedIn: https://www.linkedin.com/company/neptune-mutual