SecurityBrief New Zealand

The wild west of cryptocurrency fraud & how Kiwis are getting stung

By Sara Barker
Fri 11 Feb 2022

Cryptopia: A homegrown lesson in cryptocurrency fraud 

When Christchurch-based exchange Cryptopia was hacked in January 2019 and a reported $27 million worth of customer funds was stolen and moved to other exchanges, the incident made international headlines, first for the theft itself and then for rumours that it was an inside job. Police investigated, and accounting firm Grant Thornton was appointed liquidator to wind the company up and work with everyone who had lost funds.

In October 2021, Grant Thornton ran identity checks on all Cryptopia account holders. In December, the firm published its sixth statutory report on the saga, stating that it continued to trace the stolen assets and had filed recovery actions in Singapore, Malaysia, and the United States.

“We continue our investigations to trace and/or freeze stolen crypto-assets and are in discussion with exchanges that have frozen stolen cryptocurrency. We are working on providing the detailed analysis of hacked coins to these exchanges in our attempts to have these funds released to the Liquidators' control. The legal decision confirms that any stolen cryptocurrency recovered is to be applied to the specific trust associated with each cryptocurrency.”

Grant Thornton's own stewardship was not trouble-free. In August 2020, after the firm had taken over the liquidation, a former Cryptopia employee stole cryptocurrency from Cryptopia's deposit addresses.

Grant Thornton states, “This theft affected assets that were deposited after the date of liquidation. No connection between this theft and the January 2019 hack has been identified. These funds have been recovered in full from the ex-employee. We have supported the NZ Police with its prosecution of the individual involved and have sort [sic] reparations.”

Cryptopia went from launch to holding funds for 1.4 million account holders, to a major theft of customer funds and then liquidation, all in about five years.

It’s a tragic story that illustrates the downfall of a New Zealand business built around cryptocurrency. The irony is that cryptocurrencies are, in theory, supposed to be secure: transactions are cryptographically signed and recorded on a distributed, tamper-evident ledger. But that protects the ledger, not the private keys that authorise spending, and it is the custody of those keys, whether by an individual or by an exchange holding them on customers' behalf, that attackers go after.

As of the time of publication, CoinMarketCap statistics report 17,399 different types of cryptocurrencies, contributing to a market cap of almost NZ$2.5 trillion. Cryptocurrencies have traditionally been unregulated and ‘free’ from a central bank or government control. However, that is slowly - albeit cautiously - changing. In many countries, including New Zealand, governments and central banks are now discussing whether they need a central, regulated digital currency.

The Reserve Bank weighs up the pros and cons of an official digital currency

Te Pūtea Matua, the Reserve Bank of New Zealand, is exploring the possibilities for a Central Bank Digital Currency (CBDC). Such a currency would not stop other cryptocurrencies like Bitcoin and Ethereum being traded, but unlike them a CBDC would be centrally managed and could offer more protection.

The Bank states, “a CBDC could present a series of challenges that would need to be worked through as part of any further work. A key challenge would be to ensure that a CBDC could not be compromised operationally by, for example, cyber attacks... These considerations are not new so we would need to adjust existing decision and policy frameworks for CBDC, if a decision was made to issue one.” 

The Reserve Bank has not published guidance on how a CBDC could be secured against attacks, so I asked CERT NZ's senior threat analyst Sam Leggett what needs to be included to protect against potential issues such as credential loss, access management, integration with smartphones, and blockchain technologies. 

  • Credential theft and loss: CBDC access credentials are needed for accessing and transferring funds, much like a bank account number and password. Regardless of the form, the threat of theft and credential loss is significant, meaning account funds and data could be compromised.
  • Roles with privileged access/actions: As with other types of information security, the central bank – and any intermediaries involved – should have and execute a cybersecurity risk-management plan covering any system privileges staff may have.
  • Blockchain technology: If the CBDC operates on blockchain technology and the nodes include non-central bank entities with the power to validate or invalidate transactions, malicious validator nodes can pose security threats. It is generally not recommended for non-central bank nodes to have transaction validation powers unless absolutely necessary.
  • Smartphone Integration: Everything is done via smartphones these days, and a CBDC could be locally stored on a smartphone, despite the fact they can be notoriously difficult to secure. This is because smartphones can run multiple concurrent applications, have open physical ports, and can connect to arbitrary networks. As such, any CBDC store of value and any supporting applications running on a smartphone would have a complex threat surface. In addition, manufacturers exert control over the platform and can limit access to critical system components.

More details about the Reserve Bank's plans will emerge in April when the Bank publishes its next steps. 

Cryptocurrency: The perfect storm?

Cryptocurrencies are a marvel of what blockchains make possible, but it doesn't take much to reveal the darker side. Extreme price spikes and troughs, little or no regulation, and the ease with which the currencies can be acquired have combined into a 'perfect storm', one ripe for exploitation by people looking to hack, scam, or defraud experienced and inexperienced investors alike. From cryptomining malware that hijacks victims' computers to investment scams and beyond, the space is an open invitation to scammers, hackers, and fraudsters.

According to CERT NZ data, 103 cryptocurrency investment scams were reported between Q3 2020 and Q4 2021. Quarterly numbers were relatively stable, with a slight uptick in the final quarter of that period.

CERT NZ's Q2 2021 quarterly report puts losses to cryptocurrency scams at $500,000 for the quarter, 13% of all reported losses.

Other statistics from the Financial Markets Authority (FMA) show that between January and June 2021, the FMA received 158 complaints related to investment scams, up 79% from the previous year.

FMA senior adviser - investor capability, Tammy Peyper, says that scammers align their pitches with whatever ‘hot’ investment is popular at the time. Unfortunately, cryptocurrency fits that purpose and is often used as bait. 

“Cryptocurrencies aren’t regulated in New Zealand, so if anything goes wrong it can be hard to get your money back. Don’t assume something is safe just because a friend recommends it,” says Peyper.

The FMA also says it is illegal to sell financial products or investments through unsolicited cold calls or emails. But New Zealand law only goes so far when many fraudsters are based outside New Zealand.

Take this story on the FMA’s website about a woman called Samena, who lost $2,300 to a cryptocurrency scam. Samena's colleague of 12 years referred her to an investment opportunity called OneLife and its cryptocurrency, OneCoin. Samena paid her colleague $5,300 for an educational package that included OneCoin tokens.

“A week later she attended a OneLife seminar, but it was there she decided it wasn’t for her. She told her co-worker this and said she wanted her money back, but was told it was ‘too late’. Her co-worker said she’d already verbally agreed to OneLife’s terms and conditions, despite having never seen them.”

Her colleague refused to refund the money, didn’t reply to texts or calls, and avoided Samena at work. Finally, after their employer got involved, her colleague refunded $3,000 on behalf of Samena’s sons, but not the remaining $2,300 of Samena’s own money. To this day, Samena remains out of pocket.

“Scammers play on people’s dreams of financial freedom: houses, cars, etc. But if it sounds too good to be true – like being able to quit your job and retire early – it probably isn’t true."

OneLife/OneCoin is just one example of a pyramid scheme that snared Samena and many others. The scam didn’t spread via a cold call or an email from a stranger; instead, it came from a supposedly trusted colleague. And it’s not the only pyramid scheme that has caught Kiwis off guard.

ComCom - does it have the power to prosecute?

In 2021, the Commerce Commission released a document outlining 10 pyramid schemes between August 2001 and August 2021. The document, released under the Official Information Act, states that there have been four known cases of cryptocurrency-based pyramid or multi-level marketing schemes in New Zealand.  

  • OneLife/OneCoin: the global scheme promoted and sold education packages related to the mining and trading of the OneCoin cryptocurrency (a currency that does not exist). ComCom took no further action.

  • Bitcoin Aotearoa: a 'social fundraising platform' which, in ComCom's words, “alleged that participants could earn bitcoin donations and promotion to a higher level in scheme by recruiting additional participants to donate bitcoin.” The platform was issued a compliance letter.

  • Lion’s Share: run by Aucklander Shelly Cullen, it promised recruits cryptocurrency rewards for recruiting new people to the scheme. In January 2021, ComCom issued a Stop Now letter warning Cullen to halt all activity related to the scheme or face prosecution in the High Court.

  • Mobilio/Justbeenpaid: a “Programme alleged to offer high rates of interest on investments; alleged that investors were placed at level in programme based on amount invested and could change that level on the introduction of additional investors.” ComCom issued a compliance advice letter.

Add to that the countless global pyramid schemes that tempt people with the promise of big gains, and it is easy to see why Kiwis are getting caught in the crossfire.

NFTs - the new dodgy dealings?

Non-fungible tokens (NFTs) are blockchain tokens sold as collectable or rare digital products: art, music, avatars, memes, and much more. What the blockchain records is a single current owner of the token and, typically, a pointer to the item; holding the token does not stop anyone copying the underlying file, and nothing in the technology stops someone minting a token that points at work they do not own. NFTs are bought and sold online via cryptocurrency transactions, and like any collectable, people gamble on an NFT’s value.

In 2021, Twitter CEO Jack Dorsey created an NFT based on the first Tweet ever made on the platform, way back in 2006. The tweet sold for more than US$2.9 million. 

Closer to home, two NFTs of works by renowned New Zealand artist C.F. Goldie collectively fetched $127,500 at an Auckland auction house. Another NZ business, Glorious, is slated to open its NFT marketplace this month. Already, celebrities including Neil Finn, Nathan Haines, Dick Frizzell, Dan Carter, Six60 and many others have signed up as collaborators.

NFTs have been swept up in a wave of hype as art and blockchain come together, but they are not without controversy. When musician Ozzy Osbourne ran an NFT campaign, for example, scammers quickly stole ‘thousands of dollars’ after a Discord link ended up pointing to a server they controlled.

New Zealand artists have also been targeted. Auckland musician Leaping Tiger discovered an NFT of his album art being sold, without his permission, on a dubious site called HitPiece, which the Recording Industry Association of America (RIAA) has since labelled a scam site.

CERT NZ has received seven reports related to NFTs, all of them in the last six months, mirroring the recent rise in popularity, and controversy, of NFTs worldwide.

Best practice tips for managing cryptocurrency 

Cryptocurrency is a high-risk investment prone to market volatility and scams - it’s the ‘wild west’ of investment with few user protections. What’s more, investors should be prepared to lose everything they invest.

“If you are going to trade in cryptocurrencies, make sure you use a trading platform based in New Zealand. Unlike offshore-based trading platforms, New Zealand based trading platforms do give some measure of protection as they have legal obligations.”

Tammy Peyper adds, “ If you plan to invest in cryptocurrency, make sure to use a New Zealand-based platform that’s registered on the Financial Service Providers Register (FSPR). This will at the very least give you access to a dispute resolution service. There are fewer or no protections if you use an offshore platform.” 

The FMA advises anyone wishing to use a cryptocurrency trading platform to do their due diligence.

  • All New Zealand-based cryptocurrency trading platforms must be registered on the Financial Service Providers Register (FSPR). The register shows a provider’s registration status, address, filings, and dispute resolution scheme details.
  • All platforms on the FSPR must belong to a Dispute Resolution Service. This service handles complaints and disputes.
  • All platforms on the FSPR are prohibited from making false, deceptive, or unsubstantiated statements and otherwise engaging in misleading conduct.
  • All platforms on the FSPR must comply with the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. As a result, they need to identify every person registering on their platform and protect users’ personal information.

CERT NZ adds a few tips about protecting cryptocurrency wallets:

Leggett says, "for anyone who is considering investing into cryptocurrency, we recommend doing some research on the website you are thinking about investing with and/or the wallet you have been asked to pay cryptocurrency into."

  • Think of a cryptocurrency wallet as a physical wallet: you wouldn’t carry more cash than you’re willing to lose if it gets lost. Keep only a small amount in the wallet you transact with and store the rest offline.
  • Protect your wallet’s private key (or recovery phrase). It is for your use only: anyone who has it can spend your funds, and if you lose it you lose access to your funds, with no one able to reset it.
  • Consider where to store your wallet. Whether you keep it on your own device or with an exchange, it needs to remain secure, and with an exchange you are trusting them to hold the keys, as Cryptopia’s customers did.
  • Use two-factor authentication to access your wallet.
  • Set a strong, unique password.
  • Encrypt your devices so that an attacker who gets physical access to them cannot read your wallet.
  • Back up your wallet to offline storage, and test your backup regularly.

Leggett adds, "If you are considering paying via Bitcoin, you can check if the wallet you are paying to has been reported by anyone else in the past. You can check those reports on the BitcoinAbuse website [linked below]."
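As an added illustration, not part of the original article or of CERT NZ's or BitcoinAbuse's own tooling, the Python below performs the two checks a cautious payer can run offline before sending Bitcoin to a legacy (1... or 3...) address: it verifies the address's Base58Check checksum, which catches a mistyped, truncated or corrupted address, and then looks the address up in a local list of abuse reports. The report list is constructed sample data built from made-up addresses (it does not query the real BitcoinAbuse service), and the example deliberately leaves newer bech32 (bc1...) addresses out of scope.

```python
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, to avoid look-alike confusion.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' stands for one leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode (used here only to build sample addresses)."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_legacy_address(addr: str) -> bool:
    """True if addr is a well-formed mainnet P2PKH (1...) or P2SH (3...) address."""
    try:
        raw = b58decode(addr.strip())
    except ValueError:
        return False
    # Layout: 1 version byte + 20-byte hash160 + 4-byte checksum = 25 bytes.
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:21]) == raw[21:]


def make_address(hash160: bytes, version: int = 0x00) -> str:
    """Build a Base58Check address from a 20-byte hash (for sample data)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


# Constructed sample abuse reports. The addresses are derived from fixed
# strings so they are valid but made up; they are NOT real reports.
SAMPLE_REPORTS = [
    {"address": make_address(hashlib.sha256(b"constructed report 1").digest()[:20]),
     "type": "ransomware"},
    {"address": make_address(hashlib.sha256(b"constructed report 2").digest()[:20]),
     "type": "investment scam"},
    {"address": make_address(hashlib.sha256(b"constructed report 2").digest()[:20]),
     "type": "investment scam"},
]


def check_before_paying(addr: str, reports=SAMPLE_REPORTS) -> dict:
    """Validate the address and count prior abuse reports against it."""
    addr = addr.strip()  # Base58 is case-sensitive, so never lower-case it
    matches = [r for r in reports if r["address"] == addr]
    return {
        "well_formed": is_valid_legacy_address(addr),
        "report_count": len(matches),
        "report_types": sorted({r["type"] for r in matches}),
    }


if __name__ == "__main__":
    for candidate in (SAMPLE_REPORTS[1]["address"],          # reported twice in the sample data
                      "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",   # address associated with Bitcoin's genesis block
                      "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfN0"):  # '0' is not a Base58 character
        print(candidate, check_before_paying(candidate))
```

A passing checksum only means the address is well formed; it says nothing about who controls it, so an address swapped in by clipboard malware or a scammer will validate just as cleanly as a legitimate one. That is why the second check, against reports from other victims, matters, and why a report count of zero is not proof of safety either.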

Where to go for information on cryptocurrency scams
Financial Markets Authority - Cryptocurrencies and Spotlight on crypto: Using New Zealand based cryptocurrency trading platforms
Scamwatch - Types of scams
CERT NZ - Cryptocurrency security
Consumer Protection - Stay safe from cryptocurrency scams
BitcoinAbuse - reports

Public Interest Journalism funded through NZ On Air.