Cryptocurrency
November 19, 2023

Self-custody of crypto assets & what that means for the user

Crypto self-custody empowers you to be your own bank… but with great power comes great responsibility

A meta-theme for self-custody.

By using a crypto wallet, you are opting for ‘self-custody’. ‘Self-custody’ prevents fraud and mismanagement by a central party or middlemen. In fact, it doesn’t take much looking back in history to see where trusting these larger entities with your funds could go wrong.

Just think of what happened with banks during the sub-prime mortgage crisis[1], the numerous hacks of centralized exchanges like Mt. Gox in 2013–14 [2] or the dozens of exchanges hacked since then [3,4,5]. Even more recently, we’ve seen what happened in 2022 with all the negative crypto news about over-leveraged funds like Celsius [6], 3ArrowsCapital [7], and Voyager [7] blowing up and taking their users down with them.

However, user mistakes and scams in crypto can be just as, if not more, expensive.

While self-custody frees you from the risk of what others might do to your funds, it places that responsibility onto yourself for all actions taken — actions that may cause financial damage due to:

  1. Lack of knowledge exposing you to decisions that may lead to things such as Impermanent Loss[8].
  2. Actions performed when not alert or focused which lead to errors[9] such as sending your money to an incorrect address.
  3. Getting scammed — and it can happen to the best of us.

Scams you say?

Arguably one of the most dangerous things about self-custody is how vulnerable you may find yourself to an attack on your finances. You’re one wrong move away from someone getting hold of your funds, and there’s currently no insurance or entity that will help you get them back.

Scams can run the gamut in style and while many people are incredibly careful, it doesn’t take much to discover you’ve made a grave mistake. One wrong click, while lacking the right security measures, and your self-custodied wallet could end up in the wrong hands. Let’s take a look at some of the more prolific scams out there:

1. Interactions with a scam contract/website

This goes together with not reviewing the information thoroughly before signing [10]. Oftentimes scammers will convince you that the link they’ve sent is safe. Commonly this happens under the guise of an OTC deal, where the link sent pretends to be something it’s not, or the scammer enters a trusted Discord or chat disguised as a team member and posts malicious links under the pretext of a special promotion, mint, etc.

2. Confidence scams

These usually result in you inadvertently giving away your seed phrase [11]. Confidence scams are often undertaken by people pretending to be a support team member for a company you are requesting help from. One second you’re asking for help in a Discord, the next someone is messaging you offering to resolve your issue. Suddenly you’re sharing your screen with them, and they’ve just convinced you to click through to your MetaMask private key or restore code.

  1. YouTube/Twitter crypto giveaway scams. These often appear to be sponsored by a crypto luminary (Elon Musk, Vitalik Buterin, Charles Hoskinson, etc.) [12] offering to double one’s BTC/ETH/ADA coins. There is no legitimate ‘double your crypto coin’ scheme out there. (N.B.: In 2020, 130 high-profile Twitter accounts were hacked via social engineering and used to run a massive ‘double your Bitcoin’ scam.) [13]
  2. Apple ID reset support scam, where a scammer convinces one to give away their 6-digit Apple ID reset code [14]. The scammer then restores the Apple account on an iOS device, and with it the iCloud backup of the MetaMask app and its private keys (N.B.: this scam is also possible with Google accounts). The mitigation is to turn off cloud backup for the MetaMask app on iOS via Settings -> User Profile -> iCloud -> Manage Storage -> Backups -> MetaMask [15].
  3. Succumbing to counterfeit crypto exchanges or false high-yield DeFi schemes, termed “the Pig Butchering Scam” [19,20] because they target victims with large portfolios and scam large sums of money from them. A romance scam may sometimes precede these, but this is not always the case.
  4. Downloading a counterfeit application and entering one’s seed phrase to restore an existing wallet, only to have the wallet contents wiped clean. Wallet drains mainly occur on the Google Play Store [16,17,18], where numerous counterfeit wallet applications are allowed to fester. Always check the developer credentials before downloading an app. The most sophisticated ploys are wallets that do not exist on the specific platform at all, e.g., the Cardano Daedalus wallet is desktop-only, yet people fall for the counterfeit Play Store mobile versions [18]. Thus checking app ratings, download counts, etc., is not enough to verify provenance. Instead, visit the official wallet developer website or Twitter account and perform some due diligence; don’t rush when it comes to wallets.

Fake Daedalus wallet on Google Play Store with 1000+ downloads [18]

Don’t forget about phishing.

Another major threat is phishing. The security-conscious exchanges use user-defined anti-phishing codewords to identify their emails as legitimate. But there are newer threats, such as placing Google Ads for fake sites on essential pages: the top hits of a Google Search [21,22], etherscan.io [23,24], CoinGecko [23,24], etc. A naive user hastily clicks an ad impersonating Binance, MetaMask, Uniswap or SushiSwap and performs a transaction there. The ad is fraudulent, and instead of trading one has handed the impostors a login ID and password, giving them access to one’s wallet [23,24], or worse, one’s seed phrase under the guise of “restoring,” “verifying,” or “syncing” one’s wallet [21,22].

[25]

In the end, there are a plethora of seed phrase attacks. Almost always, the victim has knowingly shared the phrase with someone who has gained their confidence, OR the victim has entered it on a phishing website (wallet verification, sync wallet, or support). Almost universally, there is no such thing as “syncing one’s wallet.” The wallet resides on the blockchain, and it is the blockchain that syncs to reach consensus with every block. Verifying wallet ownership for Discord servers is a fundamental task and is most often conducted through the Collab.Land bot. One must ensure they are on the correct website and not interacting with a fraudulent bot. Read every message you sign, and make sure you are not signing a transaction that grants token approvals.
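As an added illustration of that last point (this is not code from the original article or from any wallet vendor), here is a small JavaScript check that a wallet front end or browser extension could run on a transaction request before asking the user to sign it. It decodes the calldata by hand, recognises the standard ERC-20 approve/increaseAllowance and ERC-721/ERC-1155 setApprovalForAll selectors, and flags unlimited allowances. The sample transaction and the token and spender addresses are constructed placeholders.

```javascript
// Added example, not code from the original article or from any wallet
// vendor: inspect a transaction request before signing and flag approvals.
// The selectors are the standard 4-byte function selectors (first 4 bytes
// of keccak256 of the signature):
//   approve(address,uint256)           -> 0x095ea7b3   (ERC-20)
//   increaseAllowance(address,uint256) -> 0x39509351   (ERC-20 extension)
//   setApprovalForAll(address,bool)    -> 0xa22cb465   (ERC-721 / ERC-1155)
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const UINT256_MAX = (1n << 256n) - 1n;

function stripHex(data) {
  return data.startsWith("0x") ? data.slice(2) : data;
}

// ABI-encoded arguments are 32-byte words following the 4-byte selector.
function wordAt(hex, index) {
  const start = 8 + index * 64;
  const word = hex.slice(start, start + 64);
  if (word.length !== 64) throw new Error("calldata too short for argument " + index);
  return word;
}

// Addresses are right-aligned in their word: the last 20 bytes (40 hex chars).
function decodeAddress(word) {
  return "0x" + word.slice(24);
}

function decodeUint(word) {
  return BigInt("0x" + word);
}

// Returns { to, valueWei, approval, warnings } for a request shaped like an
// eth_sendTransaction parameter ({ to, value, data }).
function inspectTransaction(tx) {
  const data = stripHex((tx.data || "0x").toLowerCase());
  const value = BigInt(tx.value || "0x0");
  const result = { to: tx.to, valueWei: value, approval: null, warnings: [] };

  if (data.length === 0) {
    // Plain value transfer: the only thing to verify is the recipient.
    if (value > 0n) {
      result.warnings.push("sends native coin to " + tx.to + "; double-check the address");
    }
    return result;
  }

  const selector = data.slice(0, 8);
  const fn = APPROVAL_SELECTORS[selector];
  if (!fn) {
    result.warnings.push("contract call 0x" + selector + " to " + tx.to + "; verify the contract");
    return result;
  }

  const spender = decodeAddress(wordAt(data, 0));
  if (selector === "a22cb465") {
    const approved = decodeUint(wordAt(data, 1)) !== 0n;
    result.approval = { fn, spender, approved };
    if (approved) {
      result.warnings.push("grants operator rights over ALL tokens of this collection to " + spender);
    }
  } else {
    const amount = decodeUint(wordAt(data, 1));
    result.approval = { fn, spender, amount };
    const kind = amount === UINT256_MAX ? "UNLIMITED" : "limited";
    result.warnings.push(kind + " token allowance granted to " + spender);
  }
  return result;
}

// Constructed sample (placeholder addresses, not real contracts): an
// approve() call that grants an unlimited allowance to the spender.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222",
  value: "0x0",
  data: "0x095ea7b3" + "0".repeat(24) + SAMPLE_SPENDER.slice(2) + "f".repeat(64),
};

console.log(inspectTransaction(SAMPLE_APPROVE_TX));
```

The point of the check is the warning list: a call that is presented as a “claim,” “verify,” or “mint” but decodes to an approval handing a spender an unlimited allowance (or operator rights over a whole NFT collection) is exactly the kind of signature the paragraph above warns about, and it is visible in the calldata before anything is signed.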

Some newer Discord servers use a service called the ‘Vulcan Authentication’ bot, which works through the Profile Bio field of OpenSea wallet-based accounts: the user is allotted a short time to change the Profile Bio to a custom string generated by the bot [26]. Since only the wallet owner can make this change, doing so within the allotted time proves wallet ownership. The Vulcan Authentication bot ensures the wallet owner only needs to interact with OpenSea.io, which is a much more recognizable and distinguishable website than collab.land or other third-party websites.

The most important thing to remember? ALL THESE ACTIONS ARE IRREVERSIBLE AND NOT INSURED BY ANY MEANS.

When you choose to self-custody — you are your own bank.

‘Self-custody’ is a very significant responsibility. Do not make major financial decisions in crypto when in doubt or when not in a mentally alert and focused state. No financial instrument has a five-minute or immediate buy-in window. Numerous long-term crypto investors have unintentionally handed over their seed phrases by trusting a “helpful” stranger on Discord or Telegram. These situations arose from transactions performed in great haste, where bad judgment and inattention resulted in significant losses.

Always remember to keep your head on a swivel and approach any too-good-to-be-true or out-of-the-blue promotion or opportunity with great suspicion. It’s important to double-check everything you do, especially when that means connecting a wallet, logging in to an account, or sharing a screen that may show sensitive information. Be sure to think twice and verify if something doesn’t seem quite right.

Coming Next: We’ll discuss software and hot wallets and how poor device security and user habits make them vulnerable. We’ll cover how to harden devices using anti-virus, anti-malware, VPN, and ad-blocking software, and the inevitable need for hardware wallets to protect against zero-day attacks.

Written by @MetaversityOne, edited by @crptogrl2



References:

  1. Wikipedia Contributors (2019). Subprime mortgage crisis. [online] Wikipedia. Available at: https://en.wikipedia.org/wiki/Subprime_mortgage_crisis [Accessed 27 Jun. 2022].
  2. Wikipedia Contributors (2022). Mt. Gox. [online] Available at: https://en.wikipedia.org/wiki/Mt._Gox#Bankruptcy [Accessed 27 Jun. 2022].
  3. WIRED Staff (2019). Hackers Stole $40 Million From Binance Cryptocurrency Exchange. [online] WIRED. Available at: https://www.wired.com/story/hack-binance-cryptocurrency-exchange/ [Accessed 3 Jul. 2022].
  4. Chainalysis Team (2020). The KuCoin Hack: What We Know So Far and How the Hackers are Using DeFi Protocols to Launder Stolen Funds. [online] Chainalysis. Available at: https://blog.chainalysis.com/reports/kucoin-hack-2020-defi-uniswap/ [Accessed 3 Jul. 2022].
  5. Ramaswamy, A. (2022). 2FA compromise led to $34M Crypto.com hack. [online] TechCrunch. Available at: https://techcrunch.com/2022/01/20/2fa-compromise-led-to-34m-crypto-com-hack/ [Accessed 3 Jul. 2022].
  6. Knight, O. (2022). How Crypto Lender Celsius Overheated. [online] www.coindesk.com. Available at: https://www.coindesk.com/business/2022/06/16/how-crypto-lender-celsius-overheated/ [Accessed 27 Jun. 2022].
  7. Malwa, S. (2022). Three Arrows Capital Confirms Heavy Losses From LUNA’s Collapse, Exploring Potential Options: Report. [online] www.coindesk.com. Available at: https://www.coindesk.com/business/2022/06/17/three-arrows-capital-confirms-heavy-losses-from-lunas-collapse-exploring-potential-options-report/ [Accessed 27 Jun. 2022].
  8. Newar, B. (2021). Half of Uniswap v3 liquidity providers are losing money: New research. [online] Cointelegraph. Available at: https://cointelegraph.com/news/half-of-uniswap-v3-liquidity-providers-are-losing-money-new-research [Accessed 3 Jul. 2022].
  9. Boom, D.V. (2022). How a $300K Bored Ape Yacht Club NFT was accidentally sold for $3K. [online] CNET. Available at: https://www.cnet.com/culture/how-a-300k-bored-ape-yacht-club-nft-was-accidentally-sold-for-3k/ [Accessed 3 Jul. 2022].
  10. CT_IOE (2022). https://twitter.com/ct_ioe/status/1534658825843683328. [online] Twitter. Available at: https://twitter.com/ct_ioe/status/1534658825843683328 [Accessed 28 Jun. 2022].
  11. Dedenok, R. (2022). Cryptoscam giveaway: phishers go after seed phrases. [online] www.kaspersky.com. Available at: https://www.kaspersky.com/blog/cryptocurrency-giveaway-scam/30535/ [Accessed 27 Jun. 2022].
  12. Kozhipatt, J. (2022). 5 Social Media Crypto Scams to Avoid. [online] www.coindesk.com. Available at: https://www.coindesk.com/learn/5-social-media-crypto-scams-to-avoid/ [Accessed 27 Jun. 2022].
  13. Wikipedia Contributors (2021). 2020 Twitter account hijacking. [online] Wikipedia. Available at: https://en.wikipedia.org/wiki/2020_Twitter_account_hijacking [Accessed 3 Jul. 2022].
  14. Haber, J. (2022). https://twitter.com/jasonhaber/status/1527255440580657152. [online] Twitter. Available at: https://twitter.com/jasonhaber/status/1527255440580657152 [Accessed 28 Jun. 2022].
  15. Newbery, E. (2022). Do You Use MetaMask With an Apple Device? Your Account May Be at Risk. [online] The Motley Fool. Available at: https://www.fool.com/the-ascent/cryptocurrency/articles/do-you-use-metamask-with-an-apple-device-your-account-may-be-at-risk/ [Accessed 28 Jun. 2022].
  16. Alexandre, A. (2018). Four Fake Cryptocurrency Wallets Found on Google Play Store. [online] Cointelegraph. Available at: https://cointelegraph.com/news/four-fake-cryptocurrency-wallets-found-on-google-play-store [Accessed 28 Jun. 2022].
  17. Simms, T. (2019). Fake Crypto Wallet App Imitating Trezor Found on Google Play Store. [online] Cointelegraph. Available at: https://cointelegraph.com/news/fake-crypto-wallet-app-imitating-trezor-found-on-google-play-store [Accessed 28 Jun. 2022].
  18. Alex, D. (2021). WARNING: A fake #Daedalus app is back on the Google Play Store. There is no mobile app for Daedalus. Anyone who uses this app will have their ADA stolen. [online] Cardano Forum. Available at: https://forum.cardano.org/t/warning-a-fake-daedalus-app-is-back-on-the-google-play-store-there-is-no-mobile-app-for-daedalus-anyone-who-uses-this-app-will-have-their-ada-stolen/75756 [Accessed 3 Jul. 2022].
  19. Rojas, M. (2022). Hunting Fake Cryptocurrency Exchanges. [online] www.maltego.com. Available at: https://www.maltego.com/blog/hunting-fake-cryptocurrency-exchanges/ [Accessed 3 Jul. 2022].
  20. Farivar, C. (2022). ‘Pig Butchering’ Crypto Scam Victim To Get Money Back From Binance, Law Enforcement Says. [online] Forbes. Available at: https://www.forbes.com/sites/cyrusfarivar/2022/07/01/pig-butchering-crypto-scam-victim-to-get-money-back-from-binance-law-enforcement-says [Accessed 3 Jul. 2022].
  21. Barda, D., Zaikin, R. and Vanunu, O. (2021). CPR alerts crypto wallet users of massive search engine phishing campaign that has resulted in at least half a million dollars being stolen. [online] Check Point Research. Available at: https://research.checkpoint.com/2021/cpr-alerts-crypto-wallet-users-of-massive-search-engine-phishing-campaign-that-has-resulted-in-at-least-half-a-million-dollars-being-stolen/ [Accessed 3 Jul. 2022].
  22. Ecency. (2021). Scammers Advertising on Google Ads Sushiswap. [online] Available at: https://ecency.com/history/@digitalworldyou/scammers-advertising-on-google-ads-f-u-example-sushiswap [Accessed 3 Jul. 2022].
  23. Sarkar, A. (2022). Etherscan, CoinGecko warn against ongoing MetaMask phishing attacks. [online] Cointelegraph. Available at: https://cointelegraph.com/news/etherscan-coingecko-warn-against-ongoing-metamask-phishing-attacks [Accessed 3 Jul. 2022].
  24. Lawler, R. (2022). Phishing attack pop-up targets MetaMask users visiting popular crypto sites. [online] The Verge. Available at: https://www.theverge.com/2022/5/13/23071786/etherscan-coingecko-crypto-phishing-ad-popup-coinzilla-metamask [Accessed 3 Jul. 2022].
  25. Staff, T.R. (2022). The 25 Best Batman Villains, Ranked. [online] The Ringer. Available at: https://www.theringer.com/2022/3/2/22957043/batman-villains-ranking-joker-penguin-bane-riddler [Accessed 28 Jun. 2022].
  26. Vulcan (n.d.). Vulcan Authentication. [online] vulcanbot.io. Available at: https://vulcanbot.io/ [Accessed 14 Jul. 2022].

The author holds an M.S. in Engineering from Columbia University and has a decade of research and industry experience in software and hardware design. He has been researching crypto security since early 2021. Follow him on Twitter: @MetaversityOne and also on his Hashnode Blog: https://cryptosecurity.hashnode.dev/

__________________________________________________________________

Website: vvv.exchange

Twitter: https://twitter.com/vvvexchange