Scammers are exploiting the popularity of cryptocurrency, setting up fake apps to steal hundreds of thousands of dollars from would-be Australian crypto investors.
Key points:
- The Australian Tax Office estimates up to 600,000 Australians have invested in “crypto-assets”
- Experts say scammers are exploiting the popularity of crypto and working too fast for tech companies to act
- The latest scam involves fake apps offered on stores like Google Play
The Australian Competition and Consumer Commission’s latest available data shows almost 30 reports of the emerging scam between June and November last year, with $374,000 in losses accumulated.
However, the ACCC said actual losses from these types of scams were likely to be higher, because research showed only about 13 per cent of scam victims reported their experience.
Last June, Canberra engineer Paul invested about $5,000 in a new cryptocurrency project called Cake Monster.
“I’m not a novice with computers or online safety — I do all my banking online and I’m paranoid about security — but I didn’t fully understand crypto at the time,” he said.
Paul then began looking for a cryptocurrency wallet, a common type of phone application that would allow him to send and receive the new digital currency.
Because cryptocurrency is digital, it isn’t stored physically. Instead, all transactions are recorded on the blockchain, a digital ledger of every transaction.
Paul wanted to find a wallet that would connect well with Cake Monster so he searched on the Google Play store.
“One of them was to connect through [an app called] WalletConnect,” he said.
What Paul didn’t realise was that while WalletConnect is a legitimate company, it does not offer a phone app.
However, there was a WalletConnect app available on the Google Play Store at the time Paul was looking. It carried the actual company’s logo and had a rating of 4.5 stars.
“I glanced at it and it checked those boxes in terms of looking legit,” Paul said.
“It had the WalletConnect logo and everything, so I downloaded it and it must have asked for my seed phrase.”
A seed phrase is a set of words, much like a unique password, that gives secure access to the cryptocurrency held in a wallet.
Although he had reservations, Paul shared his seed phrase. A few days later, he realised something was wrong.
“I was just sitting on my couch and I got a notification on my phone saying that a transaction had gone through,” he said.
“It had basically transferred all of my holdings in this cryptocurrency out without asking for my authorisation or anything.
“It completely emptied my wallet.
“When that notification popped up and I saw that it was gone, I [had] that sinking feeling, knowing I’m never going to get this back.”
Google: ‘We take action’
Google did not address specific questions about the number of fake apps it has removed from its platform.
But in a statement to the ABC, it said “when violations are found, we take action.”
“Our Google Play developer policies are designed to protect users and keep them safe, and we don’t allow apps that mislead users,” a spokeswoman said.
There are dozens of wallet apps available for Australian consumers.
Delia Rickard from the Australian Competition and Consumer Commission said Google and Apple could do more to prevent and remove scam apps.
“There appear to be a number of ways Apple and Google could potentially do this, including through their monitoring of consumer app reviews,” Ms Rickard said.
“You should always check the reviews and number of downloads of apps, even if they are in an official app store. If you have any doubts about the legitimacy of the app, do not download it.
“When investing in cryptocurrencies, never provide your digital wallet seed phrase to anyone, even those claiming to be technical support.”
Scammers moving faster than platforms
The ABC contacted WalletConnect co-founder Pedro Gomes, who is based in Europe.
He said the company started receiving reports of fake apps, websites and emails in 2021.
“This is unfortunately a reality of the cryptocurrency space as a whole and they are not exclusive to WalletConnect, where many apps and wallets suffer the same,” he said.
He said while Google took the fake apps down after the company reported them, scammers created them much faster than the platforms could remove them.
“We even used services that automated reporting to Google and other hosting providers,” he said.
“Basically, these services would submit detailed reports of the fake website or fake app to the platform they are hosted on and within a week or two they would be taken down.
“But scammers create these much faster than the platforms can actively take them down and it becomes a race between the two.”
Mr Gomes recommended consumers never share their secret recovery phrase, or seed phrase, with anyone, including seemingly reputable companies or support staff.
‘A difficult game of catch up’
Associate Professor Cassandra Cross from the Queensland University of Technology said she was not surprised that scammers were creating fake wallet apps because of the high level of interest in digital currencies.
Dr Cross said scammers were highly skilled, tech-savvy and motivated.
“They will create a website or create an app that does look very similar to perhaps a genuine product or a genuine organisation, and it makes it very difficult for the consumer to be able to differentiate,” she said.
Dr Cross said the pandemic had triggered a huge increase in the type and volume of scams.
“We’ve been forced to live a lot of our lives virtually, and offenders have really taken that as an opportunity and embraced it and targeted victims globally.”
The ABC has contacted the peak industry body Blockchain Australia for comment.
Despite his experience, Paul has gone back to try investing in cryptocurrency again — but with more research this time.
“I guess I’m a lot more aware of how the technology works so that I wouldn’t necessarily fall for something like this again.”
He said through online chat groups, he’s aware of at least five people who have lost all of their money in similar scams in the past few months.
“It’s quite common,” he said.
“Number one [lesson] is you have to keep your seed phrase safe.”