SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
The wild west of cryptocurrency fraud & How Kiwis are getting stung
Fri, 11th Feb 2022

Cryptopia: A homegrown lesson in cryptocurrency fraud

When Christchurch-based firm Cryptopia was hacked in 2019, leading to a staggering $27 million worth of customer investments embezzled to other exchanges, the incident made international headlines. First, it was the event itself, followed by rumours that it was an insider job. After a police investigation, law firm Grant Thornton was appointed to manage Cryptopia's liquidation and work with everyone who had lost their investments.

In October 2021, Grant Thornton conducted identity checks with all Cryptopia account holders. In December, the firm published its sixth statutory report on the saga, stating that it continued to track down the stolen investments and had filed recovery actions in Singapore, Malaysia, and the United States.

“We continue our investigations to trace and or freeze stolen crypto-assets and are in discussion with exchanges that have frozen stolen cryptocurrency. We are working on providing the detailed analysis of hacked coins to these exchanges in our attempts to have these funds released to the Liquidators' control. The legal decision confirms that any stolen cryptocurrency recovered is to be applied to the specific trust associated with each cryptocurrency.”

But even Grant Thornton couldn't keep out of trouble. In August 2020, another former Cryptopia employee stole money from Cryptopia's deposit addresses after Grant Thornton had taken over the liquidation process.

Grant Thornton states, “This theft affected assets that were deposited after the date of liquidation. No connection between this theft and the January 2019 hack has been identified. These funds have been recovered in full from the ex-employee. We have supported the NZ Police with its prosecution of the individual involved and have sort [sic] reparations.”

Cryptopia went from launch to managing funds for 1.4 million investors to a significant data breach and its inevitable death - all in just five years.

It's a tragic story that illustrates the downfall of a New Zealand-based business built around cryptocurrency investments. The irony is that cryptocurrencies are, in theory, supposed to be secure - they are encrypted and traced as they move through distributed blockchain ledgers across a computer network.

As of the time of publication, CoinMarketCap statistics report 17,399 different types of cryptocurrencies, contributing to a market cap of almost NZ$2.5 trillion. Cryptocurrencies have traditionally been unregulated and 'free' from a central bank or government control. However, that is slowly - albeit cautiously - changing. In many countries, including New Zealand, governments and central banks are now discussing whether they need a central, regulated digital currency.

The Reserve Bank weighs up the pros and cons of an official digital currency

Te Pūtea Matua, The Reserve Bank, is exploring the possibilities for a Central Bank Digital Currency (CBDC). This currency would not prevent other cryptocurrencies like Bitcoin and Ethereum from being traded, but unlike these cryptocurrencies, a CBDC would be centrally managed and could offer more protection.

The Bank states, “a CBDC could present a series of challenges that would need to be worked through as part of any further work. A key challenge would be to ensure that a CBDC could not be compromised operationally by, for example, cyber attacks... These considerations are not new so we would need to adjust existing decision and policy frameworks for CBDC, if a decision was made to issue one.”

The Reserve Bank has not published guidance on how a CBDC could be secured against attacks, so I asked CERT NZ's senior threat analyst Sam Leggett what needs to be included to protect against potential issues such as credential loss, access management, integration with smartphones, and blockchain technologies.

  • Credential theft and loss: CBDC access credentials are needed for accessing and transferring funds, much like a bank account number and password. Regardless of the form, the threat of theft and credential loss is significant, meaning account funds and data could be compromised.
  • Roles with privileged access/actions: As with other types of information security, the central bank – and any intermediaries involved – should have and execute a cybersecurity risk-management plan covering any system privileges staff may have.
  • Blockchain technology: It is generally not recommended for non-central bank nodes to have transaction validation powers unless absolutely necessary. If the CBDC operates on blockchain technology, where nodes include non-central bank entities that have powers to validate or invalidate transactions, malicious validator nodes can pose security threats. 
  • Smartphone Integration: Everything is done via smartphones these days, and a CBDC could be locally stored on a smartphone, despite the fact they can be notoriously difficult to secure. This is because smartphones can run multiple concurrent applications, have open physical ports, and can connect to arbitrary networks. As such, any CBDC store of value and any supporting applications running on a smartphone would have a complex threat surface. In addition, manufacturers exert control over the platform and can limit access to critical system components.

More details about the Reserve Bank's plans will emerge in April when the Bank publishes its next steps.

Cryptocurrency: The perfect storm?

Cryptocurrencies are a marvel of the possibilities of blockchain, but it doesn't take much to reveal the darker side. Market volatility that produces significant price spikes and troughs, a lack of regulation, and the ease of acquiring these currencies have together created a 'perfect storm'. Unfortunately, this storm is ripe for exploitation by people looking to hack, scam, or defraud experienced and inexperienced investors alike.

From cryptomining malware that compromises and enslaves victims' computers, to investment scams and beyond, cryptocurrency is in a perpetual 'perfect storm' of market volatility and lack of regulation. As a result, it's truly an open invitation for scammers, hackers, and fraudsters.

According to CERT NZ data, 103 cryptocurrency investment scams were reported between Q3 2020 and Q4 2021. The numbers remain relatively stable except for a slight uptick in Q4.

The Q2 2021 Quarterly Report states that cryptocurrency scams caused $500,000 worth of losses during the quarter, accounting for 13% of total losses.

Other statistics from the Financial Markets Authority (FMA) show that between January and June 2021, the FMA received 158 complaints related to investment scams, up 79% from the previous year.

FMA senior adviser - investor capability, Tammy Peyper, says that scammers align their pitches with whatever 'hot' investment is popular at the time. Unfortunately, cryptocurrency fits that purpose and is often used as bait.

“Cryptocurrencies aren't regulated in New Zealand, so if anything goes wrong it can be hard to get your money back. Don't assume something is safe just because a friend recommends it,” says Peyper.

The FMA also says it's illegal to sell financial products or investments through cold calls or emails out of the blue. But New Zealand law only goes so far when many fraudsters are based outside New Zealand.

Take this story on the FMA's website about a woman called Samena, who lost $2,300 to a cryptocurrency scam. Samena's colleague of 12 years referred her to an investment opportunity called OneLife and its cryptocurrency, OneCoin. Samena paid her colleague $5,300 for an educational package that included OneCoin tokens.

“A week later she attended a OneLife seminar, but it was there she decided it wasn't for her. She told her co-worker this and said she wanted her money back, but was told it was ‘too late'. Her co-worker said she'd already verbally agreed to OneLife's terms and conditions, despite having never seen them.”

Her colleague refused to refund the money, didn't reply to texts or calls, and avoided Samena at work. Finally, after their employer got involved, her colleague refunded $3,000 on behalf of Samena's sons, but not the remaining $2,300 of Samena's own money. To this day, Samena remains out of pocket.

“Scammers play on people's dreams of financial freedom: houses, cars, etc. But if it sounds too good to be true – like being able to quit your job and retire early – it probably isn't true.”

OneLife/OneCoin is just one example of a pyramid scheme that snared Samena and many others. The scam didn't spread via a cold call or an email from a stranger; instead, it came from a supposedly trusted colleague. And it's not the only pyramid scheme that has caught Kiwis off guard.

ComCom - does it have the power to prosecute?

In 2021, the Commerce Commission released a document outlining 10 pyramid schemes between August 2001 and August 2021. The document, released under the Official Information Act, states that there have been four known cases of cryptocurrency-based pyramid or multi-level marketing schemes in New Zealand.

The global OneLife/OneCoin scheme promoted and sold education packages related to the mining and trading of OneCoin cryptocurrency (this currency doesn't exist). However, ComCom took no further action.

Social fundraising platform 'Bitcoin Aotearoa' “alleged that participants could earn bitcoin donations and promotion to a higher level in scheme by recruiting additional participants to donate bitcoin.” The platform was issued a compliance letter.

Lion's Share, run by an Aucklander called Shelly Cullen, promised recruits cryptocurrency rewards if they recruited new people to the scheme. In January 2021, ComCom issued a Stop Now letter which warned Cullen to halt all activities related to the scheme or face being prosecuted in the High Court.

Mobilio/Justbeenpaid - “Programme alleged to offer high rates of interest on investments; alleged that investors were placed at level in programme based on amount invested and could change that level on the introduction of additional investors.” ComCom issued a compliance advice letter.

Add to that the countless global pyramid schemes that tempt people with the promise of big gains, and it is easy to see why Kiwis are getting caught in the crossfire.

NFTs - the new dodgy dealings?

Non-fungible tokens (NFTs) are essentially collectable or rare digital products in the form of art, music, avatars, memes, and much more. NFT ownership rights are allocated to one person at a time, hence their supposed rarity. NFTs are bought and sold online via cryptocurrency transactions, and like any collectable item, people take gambles on an NFT's value.

In 2021, Twitter CEO Jack Dorsey created an NFT based on the first Tweet ever made on the platform, way back in 2006. The tweet sold for more than US$2.9 million.

Closer to home, two digital NFTs depicting renowned New Zealand artist C.F. Goldie collectively fetched $127,500 at an Auckland auction house. Another NZ business, Glorious, is slated to open its NFT marketplace this month. Already, celebrities including Neil Finn, Nathan Haines, Dick Frizzell, Dan Carter, Six60 and many others have signed up as collaborators.

NFTs are swept up in a wave of hype as art and blockchain come together, but they are not without controversy. For example, when musician Ozzy Osbourne ran an NFT campaign, scammers quickly jumped on the opportunity to steal 'thousands of dollars' due to a simple link redirection in the messaging platform Discord.

New Zealand artists have also been targeted in NFT scams. For example, Auckland musician Leaping Tiger discovered an NFT of his album art was being sold, without his permission, on a dubious site called HitPiece. The site has since been labelled a scam site by the US Recording Industry Association of America (RIAA).

CERT NZ has received seven reports related to NFTs, all of which have only occurred in the last six months. This mirrors the recent rise in popularity - and controversy - of NFTs worldwide.

Best practice tips for managing cryptocurrency

Cryptocurrency is a high-risk investment prone to market volatility and scams - it's the 'wild west' of investment with few user protections. What's more, investors should be prepared to lose everything they invest.

“If you are going to trade in cryptocurrencies, make sure you use a trading platform based in New Zealand. Unlike offshore-based trading platforms, New Zealand based trading platforms do give some measure of protection as they have legal obligations.”

Tammy Peyper adds, “If you plan to invest in cryptocurrency, make sure to use a New Zealand-based platform that's registered on the Financial Service Providers Register (FSPR). This will at the very least give you access to a dispute resolution service. There are fewer or no protections if you use an offshore platform.”

The FMA advises anyone wishing to use a cryptocurrency trading platform to do their due diligence.

  • All New Zealand-based cryptocurrency trading platforms must be registered on the Financial Services Provider Register (FSPR). This register includes a provider's registration status, address, filings, and dispute resolution scheme details.
  • All platforms on the FSPR must belong to a Dispute Resolution Service. This service handles complaints and disputes.
  • All platforms on the FSPR are prohibited from making false, deceptive, or unsubstantiated statements and otherwise engaging in misleading conduct.
  • All platforms on the FSPR must follow the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. As a result, they need to identify every person registering on their platforms and protect users' personal information.

CERT NZ adds a few tips about protecting cryptocurrency wallets:

Leggett says, "for anyone who is considering investing into cryptocurrency, we recommend doing some research on the website you are thinking about investing with and/or the wallet you have been asked to pay cryptocurrency into."

  • Think of a cryptocurrency wallet as a physical wallet - you wouldn't carry more money than you're willing to lose if your wallet gets lost. Keep a reduced amount of cryptocurrency in your wallet and store the rest offline.
  • Don't forget your cryptocurrency wallet's private key. That key is for your use only. If you lose it, you lose access to your funds.
  • Consider the right place to store your wallet - whether you choose to keep it on your own device or with an exchange, the wallet needs to remain secure.
  • Use two-factor authentication to access your wallet.
  • Set a strong password.
  • Encrypt your devices to prevent attackers from physically accessing them and compromising your wallet.
  • Back up your wallet to offline storage, and test your backup regularly.

Leggett adds, "If you are considering paying via Bitcoin, you can check if the wallet you are paying to has been reported by anyone else in the past. You can check those reports on the BitcoinAbuse website [linked below]."

Where to go for information on cryptocurrency scams
Financial Markets Authority - Cryptocurrencies and Spotlight on crypto: Using New Zealand based cryptocurrency trading platforms
Scamwatch - Types of scams
CERT NZ - Cryptocurrency security
Consumer Protection - Stay safe from cryptocurrency scams
BitcoinAbuse - reports