Web3 Security Essentials: Spotting Scams & Protecting Your Crypto

Table of Contents

As the world of Web3 continues to evolve, wallets have become essential tools not only for storing digital assets but also for conducting transactions and accessing decentralized applications (DApps). In the previous edition, we introduced the various types of wallets and common risks, helping readers develop a foundational understanding of wallet security. With the increasing popularity of cryptocurrency and blockchain technology, cybercriminals are more frequently targeting Web3 users' funds. Reports from the SlowMist security team indicate that many users have fallen victim to theft by downloading or purchasing fake wallets. This guide aims to address why users download or purchase fake wallets, the risks of private key/mnemonic phrase leaks, and provide actionable security recommendations to protect your funds.

I. Purpose of This Guide

Importance of Wallets in Web3

Wallets are integral to the Web3 ecosystem, serving not only as repositories for digital assets but also as gateways to the decentralized world. They enable users to conduct transactions, interact with decentralized applications (DApps), and manage their digital identities. As the adoption of blockchain technology grows, the importance of securing these wallets becomes paramount. Without proper security measures, the assets stored in these wallets are vulnerable to theft and misuse, making it essential for users to understand how to protect their digital valuables.

Recap of Previous Edition

In the previous edition of the Web3 Security Guide, we provided an overview of the different types of wallets available, such as hardware, software, and paper wallets. We also highlighted some common risks associated with each type, such as the potential for physical theft of hardware wallets, or the susceptibility of software wallets to malware and phishing attacks. This foundational knowledge is crucial for understanding the more advanced security measures discussed in this guide.

Rising Cybercrime Threats

As cryptocurrency and blockchain technology continue to gain mainstream attention, they have also become lucrative targets for cybercriminals. Reports from the SlowMist security team and other industry sources indicate a sharp rise in the number and sophistication of attacks aimed at Web3 users. These include phishing schemes, malware attacks, and the distribution of fake wallets designed to steal users' private keys and mnemonic phrases. The increasing complexity and prevalence of these threats make it imperative for users to stay informed and vigilant.

II. Risks of Fake Wallets

Why Users Download Fake Wallets

The prevalence of fake wallets in the Web3 space can often be traced back to a few common scenarios where users inadvertently download fraudulent applications.

Mobile Device Restrictions and Network Issues:

Some users find themselves unable to access official app stores like Google Play Store or Apple App Store due to device compatibility issues, regional restrictions, or network limitations. In such cases, they might turn to alternative sources to download wallet applications, inadvertently exposing themselves to fake wallets.

Common Sources of Fake Wallets

Understanding the common sources of fake wallets is crucial to avoiding them. Here are some typical avenues through which users might encounter counterfeit wallets:

Third-Party Download Sites:

Websites such as apkcombo and apkpure often advertise themselves as providing mirrored versions of apps from official stores. However, these sites lack the stringent security checks that official stores implement. The SlowMist security team found that many of these third-party sites host versions of wallets that do not exist in official app stores. These fake wallets are designed to steal users’ private keys and mnemonic phrases by sending them to a phishing website’s server.

source: slowmist medium

Search Engines and Paid Rankings:

Cybercriminals exploit the marketing capabilities of search engines to place their fraudulent websites at the top of search results. Users who search for wallets on these platforms may inadvertently click on a top-ranked link leading to a fake website. These websites are meticulously designed to mimic official sites, making it extremely challenging for users to differentiate between the real and the fake.

QR Codes from Friends/Scams:

In the interconnected world of Web3, it's common for users to share wallet download links or QR codes with friends and family. Unfortunately, even well-intentioned individuals can unknowingly share links to fake wallets. Scammers also use social engineering tactics to gain the victim’s trust and then provide them with fraudulent download links, resulting in both emotional and financial losses.

Fake Telegram Groups:

Telegram, a popular messaging platform in the cryptocurrency community, is rife with fake groups claiming to be official channels for wallet providers. Scammers use these groups to distribute fake wallet download links, deceiving users into installing malicious software. They often mimic the look and feel of legitimate groups to lower users' guard.

App Store Fraud:

While official app stores like Google Play Store and Apple App Store are generally more secure, they are not immune to fraud. Malicious developers sometimes manage to publish fake apps by manipulating app descriptions, developer information, and even app ratings and reviews. Users who do not thoroughly vet the app and developer details might end up downloading a counterfeit wallet.

III. How to Avoid Fake Wallets

Verifying Official Websites

To safeguard against fake wallets, it's crucial to verify the authenticity of the websites from which you download wallet applications. Here's how to ensure you're accessing legitimate sites:

Using Twitter for Verification:

Start by checking the project's official Twitter account. While follower count, registration time, and verification badges can provide some indication of authenticity, they can also be manipulated. Therefore, it's advisable to follow security companies, industry experts, and reputable media outlets on Twitter. These sources often share updates and alerts regarding fake wallets and other security threats. By cross-referencing information from multiple trusted sources, you can increase your confidence in the authenticity of the wallet project's Twitter account.

Cross-Referencing with Reputable Sources:

After identifying the official Twitter account, further verification is essential. Cross-reference the website link provided on the project's Twitter profile with links listed on reputable sources such as DefiLlama, CoinGecko, and CoinMarketCap. These platforms curate information about various cryptocurrency projects and provide links to official websites. By confirming consistency across multiple trusted sources, you can mitigate the risk of accessing a fake website.

Bookmarking Verified Links:

Once you've confirmed the authenticity of the official website, bookmark the link for future reference. This simple yet effective practice ensures that you always have quick and direct access to the correct website, minimizing the likelihood of inadvertently visiting a fraudulent site in the future.

App Store Safety Measures

When downloading wallet applications from app stores, it's essential to exercise caution and follow these safety measures:

Checking Developer Information and App Ratings:

Before downloading any app, thoroughly review the developer information provided on the app store listing. Verify that the developer's name and contact details match those of the official wallet project. Additionally, pay attention to app ratings and read user reviews to gauge the app's credibility and reliability. Higher ratings and positive reviews can indicate a more trustworthy app, but be wary of fake reviews and ratings artificially inflated by scammers.

Official Version Verification

After downloading a wallet application, take the following steps to verify its authenticity:

File Integrity Checks and Steps to Verify Hash Values:

Perform a file integrity check by comparing the downloaded application's hash value with the official hash value provided by the wallet project. Various hash verification tools, such as MD5 or SHA-256 hash calculators, can help you generate and compare hash values. If the hash values match, it indicates that the downloaded application has not been tampered with and is likely genuine. However, if the hash values differ, it may signify that the application has been altered or replaced with a fake version.

Immediate Actions for Fake Wallet Downloads

If you suspect that you've downloaded a fake wallet application, take prompt action to mitigate potential risks:

Steps If No Private Key/Mnemonic Phrase Entered:

If you haven't entered your private key or mnemonic phrase into the fake wallet application, immediately delete the app from your device. Then, download the official version of the wallet application directly from the verified website or app store. By refraining from entering any sensitive information into the fake app, you prevent the risk of unauthorized access to your funds.

Steps If Private Key/Mnemonic Phrase Compromised:

If you've entered your private key or mnemonic phrase into a fake wallet application, it's crucial to act swiftly to protect your assets. First, delete the fake app from your device to prevent further unauthorized access. Next, download the official wallet application from the verified source and import your private key or mnemonic phrase into the legitimate wallet. Once you've imported your credentials, create a new wallet address and transfer your assets to this secure address. By taking these steps, you mitigate the risk of potential theft or compromise of your funds.

Actions If Cryptocurrency is Stolen:

If your cryptocurrency is stolen due to a fake wallet download or other security breach, seek assistance from reputable security providers and community resources. Organizations like the SlowMist security team offer free community assistance for evaluating and addressing security incidents. You can submit a form detailing the nature of the incident, such as funds stolen, scams, or ransom demands. Additionally, provide any relevant information, such as the hacker's address, to aid in risk control and recovery efforts. By leveraging community support and professional assistance, you can mitigate the impact of cryptocurrency theft and enhance your security posture in the Web3 ecosystem.

IV. Purchasing and Verifying Hardware Wallets

Risks of Buying Fake Hardware Wallets

When considering the purchase of a hardware wallet, it's essential to be aware of the potential risks associated with counterfeit devices:

Tampering with Internal Components:

Counterfeit hardware wallets may undergo tampering with their internal components before reaching the end user. These alterations can compromise the security and integrity of the device, putting users' funds at risk. Despite their outward appearance resembling genuine products, counterfeit hardware wallets may contain malicious hardware or firmware designed to intercept private keys or manipulate transactions.

Uncertain Supply Chain:

Unlike official channels authorized by reputable hardware wallet manufacturers, unauthorized sellers and online marketplaces cannot guarantee the authenticity and integrity of the devices they sell. The lack of oversight and accountability in these unofficial supply chains increases the likelihood of users unwittingly purchasing counterfeit or tampered hardware wallets.

Avoiding Supply Chain Attacks

To mitigate the risks associated with counterfeit hardware wallets, follow these guidelines when purchasing and verifying the authenticity of hardware devices:

Purchasing from Official Channels:

The most effective way to ensure the authenticity and integrity of a hardware wallet is to purchase it directly from the official website or authorized retailers endorsed by the manufacturer. These official channels adhere to rigorous quality control standards and supply chain protocols, minimizing the risk of counterfeit or tampered devices.

Inspecting Packaging:

Upon receiving a hardware wallet, carefully inspect the packaging for any signs of tampering or irregularities. Genuine hardware wallets typically come in sealed packaging that displays the manufacturer's branding and security features. Look for tamper-evident seals, holographic stickers, or other indicators of authenticity. If the packaging appears damaged, altered, or lacking these security features, exercise caution and contact the manufacturer for verification.

Using Official Device Verification Services:

Many hardware wallet manufacturers offer official device verification services to help users authenticate their devices. During the initialization process, the hardware wallet prompts users to verify its authenticity by visiting the manufacturer's official website or using a dedicated verification tool. By following these verification steps, users can confirm that their device has not been tampered with during transit and is genuine.

Choosing Tamper-Evident Mechanisms:

Consider purchasing hardware wallets equipped with tamper-evident mechanisms designed to detect and deter unauthorized access to the device's internal components. These mechanisms may include sealed casings, anti-tamper seals, or built-in sensors that trigger alarms or render the device inoperable if tampering is detected. By opting for hardware wallets with robust tamper-evident features, users can enhance the security of their digital assets and safeguard against supply chain attacks.

V. Preventing Private Key/Mnemonic Phrase Leaks

Common Causes of Leaks

Understanding the common causes of private key and mnemonic phrase leaks is essential for implementing effective security measures:

Sharing Keys Inappropriately:

One of the most common causes of private key and mnemonic phrase leaks is sharing them with others. While it may seem harmless to entrust these sensitive credentials to friends or family members for safekeeping, doing so can inadvertently expose them to potential theft or misuse. Even well-intentioned individuals may unknowingly compromise the security of your wallet by mishandling or disclosing these credentials.

Storing or Transmitting Keys Online:

Despite the inherent risks, some users resort to storing their private keys and mnemonic phrases in online platforms or transmitting them over the internet. Platforms such as cloud storage services, messaging apps, and email accounts may seem convenient for storing and sharing sensitive information, but they lack the robust security measures necessary to protect against unauthorized access and data breaches. Malicious actors actively target these platforms to exploit vulnerabilities and steal users' private keys and mnemonic phrases.

Risks of Copying and Pasting Keys:

Copying and pasting private keys and mnemonic phrases using clipboard tools or input methods pose significant security risks. Many clipboard tools automatically upload clipboard records to the cloud, where they can be intercepted by malware or accessed by unauthorized parties. Additionally, malware installed on a user's device can monitor clipboard activity and extract sensitive information, including private keys and mnemonic phrases, when copied.

Best Practices for Key Security

To mitigate the risk of private key and mnemonic phrase leaks, adhere to the following best practices for key security:

Not Sharing Keys:

Never share your private keys or mnemonic phrases with anyone, including friends, family members, or third-party service providers. Keep these sensitive credentials confidential and avoid disclosing them to anyone under any circumstances. By maintaining sole control over your private keys and mnemonic phrases, you minimize the risk of unauthorized access and potential theft of your digital assets.

Physical Storage Methods:

Opt for physical storage methods to safeguard your private keys and mnemonic phrases from online threats and cyberattacks. Consider writing down your private keys and mnemonic phrases on durable materials such as high-quality paper or metal plates. Store these physical copies in secure locations, such as a safe deposit box or a personal safe, to prevent unauthorized access and protect against physical theft.

Using Multi-Signature and Distributed Storage:

Implement multi-signature setups and distribute storage locations to enhance the security of your private keys and mnemonic phrases. Multi-signature wallets require multiple signatures from different parties to authorize transactions, reducing the risk of unauthorized access and mitigating the impact of a single compromised key. Similarly, distributing your private keys and mnemonic phrases across multiple secure locations minimizes the likelihood of complete loss or theft if one storage location is compromised.

Conclusion

This guide has covered the risks of downloading or purchasing fake wallets, methods to find and verify genuine websites, and the best practices for preventing private key/mnemonic phrase leaks. We hope this information helps you navigate the Web3 landscape securely. Stay tuned for the next issue, where we'll discuss wallet usage risks such as phishing, signatures, and authorization risks.

About Orochi Network

Orochi Network is a cutting-edge zkOS (An operating system based on zero-knowledge proof) designed to tackle the challenges of computation limitation, data correctness, and data availability in the Web3 industry. With the well-rounded solutions for Web3 Applications, Orochi Network omits the current performance-related barriers and makes ways for more comprehensive dApps hence, becoming the backbone of Web3's infrastructure landscape.

Blog