Steven Kuhn
How does the bitcoin source code define its 21 million cap?
Many of bitcoin’s staunchest critics have expressed doubt about its 21 million cap, but perhaps the most mindless criticism relates…
,At Unchained, we prioritize the security of client bitcoin above all else. Recently, we identified a sophisticated fraud scheme that directly targets bitcoin holders by impersonating employees of companies like Google, Cash App, and Unchained. In this post, we’ll outline the tactics used by these fraudsters, provide guidance on identifying potential risks, and share steps you can take to safeguard your generational wealth.
The threat: Impersonation and pressure Tactics
We have observed fraudsters impersonating employees of real businesses to trick clients into handing over their bitcoin. These scammers use various pressure tactics to create a sense of urgency, making their victims feel that immediate action is necessary to secure their funds. Their techniques include spoofing security alerts, posing as legitimate employees, and mimicking the real security procedures of trusted companies.
These scammers rely on coercion to get victims to cooperate. Even if your email or social media accounts are compromised, your bitcoin is safe in a multisignature vault—unless you help these scammers access your private keys or seed phrases. The good news is that your vigilance is the best defense. You can protect yourself by keeping your private keys secure and never disclosing sensitive information.
How the scam works
1. Establishing a foothold
The threat group frequently creates fake or “spoofed” email domains and phone numbers that imitate organizations like Google, Coinbase, and various IT and security departments. By gaining unauthorized access to victims’ email accounts, they can monitor contacts and activities, allowing them to craft targeted schemes aimed at users of specific companies. To enhance their credibility and pose as genuine employees, the group may also scour social media for additional details.
2. Deepening their access
Once a plausible story is developed, the threat group contacts their victims via text, email, and phone with a fabricated story pressuring them to act quickly.
To disorient and overwhelm victims, the threat may send multiple security alerts from several companies the victim uses (Uber, PayPal, Coinbase, Chase Bank, etc.).
To build credibility and make their requests appear legitimate, the threat group may attempt to mimic Unchained’s security procedures and request authentication codes and other sensitive info.
3. Executing the attack
The threat group creates a sense of urgency by making time-sensitive requests, often urging victims to “act quickly” to “protect their investments.” By impersonating a company employee, they “coach” victims into revealing sensitive information such as passwords and security codes. Once trust is established, victims, believing the attackers to be legitimate, willingly send them funds or disclose sensitive information.
Recognize the warning signs
Here are the common tactics fraudsters use that you should always be wary of:
Unsolicited calls, texts, and messages: Fake account security emails, texts, and calls may be used to trick victims into believing there is an emergency requiring immediate action.
Pressure tactics: Urgent requests to take action by moving funds or providing sensitive information. Scammers often use charisma, technical jargon, and industry terms, to build trust and elicit action.
Requests for sensitive information: Unexpected requests for sensitive information such as passwords, authentication codes, or seed phrases. Unchained will never give you a seed phrase or ask you for yours!
Spoofed contact information: Slight alterations in email addresses, website URLs, or the disguising of phone numbers via caller ID to display a different phone number.
Fake websites: Imposter websites that look nearly identical to services you use and trust may be linked to a fraud scheme. Check for misspelled URLs and ensure you’re actually at the right place before attempting to log in.
How you can protect yourself
The risk of cybercrime has never been higher. Billions of compromised credentials are bought and sold every year. To increase your resilience to threats and threat groups, consider taking the following steps to protect yourself:
Be skeptical of tech support calls: Don’t rely on caller ID to determine if a call is legitimate. Common tools can mimic phone numbers to appear as if a call is from someone you know (like your bank or exchange).
Verify the caller’s identity: If someone claims to work at Unchained, ask for their Support PIN. Unchained’s support PINs are never confirmed over email.
Don’t act too quickly. An urgent text or call about your account may be linked to an imposter scheme. Someone who says you have to move your money to protect it is a scammer.
Don’t give up personal information: Never give out sensitive information like passwords, authentication codes, credit card or bank details, or seed phrases. Unchained employees will never ask you to disclose this information!
Be careful clicking links. Avoid clicking links received via text message, social media, live chat, or email. Carefully inspect the website address before clicking on a link that contains malware.
Password management: Create strong passwords. Don’t reuse them. Use unique passwords for financial accounts. Change passwords often. Consider using a password manager.
Use account security tools: Wherever possible, set up multi-factor authentication to protect your online accounts.
Unchained is here to help
We take security seriously. Our mission is to help our clients secure their wealth by providing the information and knowledge required to protect themselves and their assets.
We have an experienced team here to support you. As important navigators on your bitcoin journey, we’re here to help protect you and learn to protect your assets. If you ever have questions about your accounts, vaults, or operational security, consider scheduling a call with one of our bitcoin experts.
Scam emails, texts, and calls are on the rise. If you receive any suspicious communications from someone who says they are Unchained, we want to know about it. To report a suspicious message, email us at abuse@unchained.com.
This update is provided for informational and educational purposes only. Unchained does not endorse any commercial product or service referenced in this update or otherwise. Unchained does not provide investigation services and does not provide commercial services to victims of fraud.