Scammers rob at least $11 million in Bitcoin deposits from unsuspecting customers, research finds

Dallas Hall at Southern Methodist University (Dallas, TX)

New cyber security research from Dallas-based Southern Methodist University (SMU) observes that scammers have stolen at least $11 million in Bitcoin deposits from unsuspecting cyber customers.

According to the SMU Research blog, computer security expert Marie Vasek, the study’s lead research and a graduate student in the Lyle School’s Computer Science and Engineering Department at SMU, said that it was the first empirical study of its kind in which SMU researchers found that scammers used four different types of ploys through authentic-looking web-based online investment and banking outlets to lure customers and pilfer deposits.

“Our calculation of $11 million is almost certainly at the low-end,” Vasek said. “The amount of Bitcoin that depositors have lost to these scams is probably many millions more.”

Typically these schemes succeed by exploiting not only individuals’ greed, but also the urge to “get rich quick,” along with the inability to judge web services’ legitimacy to decide which financial websites are good or bad, said Bitcoin and cyber security expert Tyler W. Moore, who co-researched the study and is director of the Economics and Social Sciences program at SMU’s Darwin Deason Institute for Cyber Security.

“Because the complete history of Bitcoin transactions are made public, we have been able to inspect, for the first time, the money flowing in and out of fraudulent schemes in great detail,” said Moore. “It’s like having access to all of Bernie Madoff’s books for many of these scams.”

The researchers identified 41 scams taking place between 2011 and 2014 and in which fraudulent websites stole Bitcoin from at least 13,000 victims, and most certainly more, said the SMU Research blog.

“We found that the most successful scams draw the vast majority of their revenue from a few victims,” said Vasek.

The researchers were only able to track revenues from approximately one-fifth of the scams, which would indicate that the amount of Bitcoin actually stolen most likely far surpasses $11 million.

The results emerged when the researchers ran a Structured Query Language database dump of all relevant Bitcoin transactions, then analyzed Bitcoin addresses of both victims and the pilfering transactions of scammers.

“The amount of fraud being attracted by Bitcoin is a testament to the fact the virtual currency is gaining in legitimacy,” said Moore. “But scams that successfully hijack funds from depositors may end up scaring away consumers who will fear using Bitcoin for their legitimate digital transactions.”

Vasek and Moore identified four common schemes by tracking forum discussions, where scams are often initially advertised and later exposed, and by tracking websites:

• High-yield investment programs, otherwise known as online Ponzi schemes, which promise investors outlandish interest rates on deposits. This time of scheme has taken the lion’s share of money from victims.
• Mining investment scams are classic advanced-fee fraud, tacking orders and money from customers but never delivering any Bitcoin mining equipment.
• Scam wallets in which victims make deposits under the promise the service offers great transaction anonymity. If a deposit amount rises above a certain threshold, scammers move the funds into their wallet.
• Exchange scams offer PayPal and credit card processing, but at a better exchange rate than competitors. But customers soon learn they never receive Bitcoin or cash after making payment.

The researchers say their study is not a comprehensive review, as they were limited to those schemes for which they could determine a minimum estimate of the prevalence and criminal profits of the schemes after analyzing the public ledger of all Bitcoin transactions ever made.

Vasek and Moore conservatively estimate that $11 million had been taken by schemes, while only $4 million has ever been returned. They say most of the successful schemes catch “big fish” who pay the bulk of the fund into the scheme.

“Bitcoin scams pose a problem for more than the victims who directly lose money,” said Moore. “They threaten to undermine trust in this promising technology, and cast a chilling effect on those interested in trying out new services. By mining the public record for fraudulent transactions, we hope to deter would-be scammers and assist law enforcement in cracking down on the bad actors.”

The researchers presented their findings at the 19^th International Financial Cryptography and Data Security Conference, taking place this week in Puerto Rico.

According to the SMU Research blog, the study was partially funded by the US Department of Homeland Security’s Science and Technology Directorate, Cyber Security Division, and the Government of Australia and SPAWAR Systems Center Pacific.

Image: Public domain image by Elred