Hacking Crypto Through Social Media

Jun 13, 2022, 14 min

Episode description

Have you heard the one about the crypto investor who got hacked and lost all their Bitcoin? It’s true - cryptocurrency spam, hacks, and fraud are all on the rise. That means there’s an urgent need to think about the security risks to often-valuable digital investments. Bloomberg reporter Hannah Miller talks about the nature and scope of these hacks, and Ronghui Gu, chief executive officer of the blockchain security firm CertiK, shares how to avoid them.


Transcript

Speaker 1

I'm Stacy Marie Ishmael, managing editor of Crypto for Bloomberg News, and this is Bloomberg Crypto, a daily Bloomberg iHeart podcast. It's Monday June. Have you heard the one about the crypto investor who got hacked and lost all their bitcoin? It's true. Cryptocurrency spam, hacks, and fraud are all on the rise. That means there's an urgent need to think about the security risks to these often valuable digital investments.

Today I speak with Bloomberg reporter Hannah Miller about the nature and scope of these hacks, and I talked to Ronghui Gu, a professor and a CEO of a security firm, about how to avoid them. Hannah, hi, thank you so much for joining us today. Thank you. I am really, really glad you're able to come on

the show because you have been covering, well, in addition to covering everything that you're covering, one of your recent stories was all about how social media hacks are particularly affecting people who have invested in crypto or who are thinking about investing in crypto. People may have heard about folks losing their Bored Apes because they clicked on a spammy link on Instagram. Can you just talk a little bit about what is going on out in this

Wild West world? Yeah, I know, there's obviously a lot going on. I think crypto has really been entangled with scams for a very long time, and we've really seen an upswing recently in people using social media as a

tool to rip off crypto investors. And a lot of that comes down to, you know, people posting malicious links, "click here and all your wildest dreams will come true," spam bots spreading those links, and, you know, people really not being aware of the risks that they're taking when, you know, they're on social media looking at crypto projects, you know, interacting with different accounts. So it's a pretty interesting phenomenon and something that the industry really

has been grappling with. What does that experience look like? I, um, you know, a person on Twitter, on Instagram, on Facebook, I see somebody being like, hey, click here to get a free Bored Ape. I think that sounds amazing given that Bored Apes are selling for hundreds of thousands of dollars. What are the mechanics of how these scams work? Yeah, a lot of it comes down to mimicry. So you might be interacting with an account that looks like it

comes from an official source. You know, maybe they have a handle that's really similar to, you know, the name of an actual company, or they seem to have, you know, tweets that show legitimate activity in the space, and clicking on that link might lead you to a website that even looks like the official website for an NFT collection or startup, and, you know, you're asked to link your wallet, and that just opens you up to, you know, having NFTs stolen from you, which

was the case with the, you know, Bored Ape hack that we saw recently. So I'm a person who, you know, I click on this link, I don't realize that it's not official. I hand over my credentials, and then some nefarious person on the other end is like, great, we now own all of your stuff. Yeah, pretty much. I mean, it can happen very quickly. And again, you know, people think that they're going into something that's legitimate.

They think that they're, you know, maybe gonna be a part of an NFT drop or crypto giveaway, and they're excited and they might not pay attention to signs that this isn't a legitimate operation. I'm so glad

that you said. There's two things in there that are so important, right, the not paying attention and the being excited part. Because, you know, when I've studied and reported on misinformation and disinformation and why people fall for things online, it's often because you're in an emotional state that makes you particularly susceptible to making a

bad decision. And in this case, it sounds like, you know, these scammers, these hackers, they're preying on that not wanting to miss out on a deal instinct, or just the thrill of being invited to participate to something up your life that are insane. Yeah, that's exactly what's happening here. Um. People get excited, they, you know, jump on board. And in some cases too, it's the actual account belonging to the startup or the NFT

collection, um, which adds another layer of deception. Whoa, okay, so I might actually be looking at a legitimate Twitter account or Instagram, but they have been hacked. And then so when I click on those links, even though I think I'm doing the right thing because I check to see that Hell, okay, this is the verified account. This looks legit. Turns out it wasn't legit after all. Yes, that's exactly what happened with the Bored Ape hack.

It was their official Instagram account that was compromised. We don't really know the details of how that happened. A lot of people think it's because of social engineering, that, you know, an account holder for the Bored Ape Yacht Club Instagram handle was somehow manipulated into, you know, giving access, um. But yeah, this was the official Bored Ape Yacht Club account and it linked to a website modeled off of the Bored Ape Yacht Club website. So really there was

just, uh, an extra level of trickery here. So a high, high level of sophistication is what we're dealing with, correct? Given that, it seems to me a little bit unfair for folks to be like, well, you should just pay more attention to the incidents and not click on any links. I like, if people are trying to do the right thing and they're still getting scammed, what are the big social media companies doing about this? What are the big

crypto companies doing about this? Because that does seem to be a direction that, you know, systemic intervention sounds like it's what's needed here. Yeah, I know what the big tech companies do have options here, encouraging users to do things like two-factor authentication to secure their accounts, you know, requiring them to have it secured both via email and

phone number. That's something that can help increase security. Uh. There are also, you know, options like using AI to clean out spam bots that might be spreading these scammy links, um, and these tools for filtering out spam bots. Those also come at a cost to the social media company because it clear it lowers their user count, which isn't a good look. So basically, by reducing spam activity, you

reduce overall engagement. And there's some analysts looking at metrics and being like, why are your numbers down? Exactly. And for a company that's reporting those things in earnings, yeah, it's not a good look. Um. Yeah, no. And with these user accounts, you know, there are also specific policies, uh, that prevent spam accounts being in place. Twitter requires bot accounts to be identified as bot accounts. Um. They have reporting tools that users can, you know, put in concerns

about suspicious activity that they see on the platforms. So, you know, there are steps that they can take. And as for crypto companies, you know, it's very interesting. A lot of these companies are growing very quickly, they're very young, um, and they might be more interested in hiring, you know, engineers, developers, people who can help them build out the product. And where they're cutting corners is cybersecurity.

And part of what, um, you know, recommendation that I've heard is that they should actually focus on hiring cybersecurity specialists early on, especially those who specialize in blockchain and, you know, investing in that part of their business and

that could help prevent scams down the line. Um. They can also do things like offer bug bounties. So if white hat hackers see some sort of vulnerability in their code that could be used to scam users, they can work with the white hat hacker and actually reward them for finding this flaw and, you know, kind of advertise that to get more white hat hackers on board. And the idea of a white hat hacker, these

are like, these are the good ones. These are the ones who are not trying to steal money from people. They're trying to stop people from having money stolen from them. Exactly. They're using their expertise to find flaws in, you know, different, in the security of different platforms, and, uh, they will alert teams as to, you know, what they can do to patch these areas. Other than, you know, while we wait for the big tech companies to put these things in place, and other than people

just not clicking any links on the internet, ever, if you had one piece of advice for folks who are worried about these kinds of scams, what would it be? Pay attention, you know, see whether, like, this is actually a legitimate operation. Check the Twitter handle, see if it's verified.

Really, you know, a lot of these startups too, like, they're pretty easy to reach out to, like on Telegram or Discord or whatever may like, do your homework essentially and try to find out whether this is, like, a legitimate announcement, and really just, I don't recommend connecting your wallet to anything unless you're a hundred percent sure that this is a real thing, a real legitimate operation. Awesome, thank you so much, Hannah. You can find more of

Hannah's reporting on the Bloomberg terminal, of course, on Bloomberg dot com and on Twitter at h G milla nine. We'll be right back. So what can we do about these hacks? And how can people protect their digital assets in an increasingly decentralized environment? Ronghui Gu is the chief executive officer of a blockchain security firm called CertiK and an assistant professor of Computer Science at Columbia University. Professor, what I'm hearing from you is we're dealing with a

couple of things at once. We're dealing with more of these hacks. We're dealing with more sophistication in terms of these hacks, a bigger range of types of people who are being targeted, and you work with different firms and companies to help them protect themselves and their users from these kinds of exposures. What does that look like in practice? You know, Web3 and Web2 are quite different.

Web3 apps are built on top of blockchain, which can be viewed as a world computer that no one has stopped. So after the deployment, even if people have identified malicious transactions or code vulnerabilities in their programs, it's very hard to make changes or add patches. So that's why we have to make sure that the software, all these applications, are as secure as possible before the deployment. And on, kind of, the individual consumer side.

And, like, one of the things that you have alluded to a kind of quote to you on this in her story is around the idea of falling for what's called, you know, social engineering. How do you help people not fall for social engineering? So where, you know, somebody is manipulated into revealing credentials. Yes, it's there. It's a good question. How to, I would say, how to protect

your accounts, your assets from social engineering? One tip is, as for all these accounts you are vality, the costs or their social media accounts should be associated with, let's say, the phones or email addresses that are not publicly available for other people. So that means if somebody calls you, then you know it's suspicious because nobody

should have it. Got it. Um, what do you think the responsibilities are of, you know, these decentralized companies that are coming up or even the Web2 ones that are playing in crypto in terms of user protection? Yeah, they have played their. Their responsibility is to make sure their systems, their applications are as secure as possible. But as I mentioned, Web2 is quite different from Web3 company. Many have Web2 several defense techniques.

Just can't be applied directly to this new too. Men, due to the challenges that I've mentioned that you can add patches, right, you call many changes after the deployment, so they shouldn't make sure that their software, our secure are free of boom better to before deployments, which is not a, you know, a practice that will be followed by Web2 company, but they have to situate in Web3. Well, thank you very much for joining us, professor,

we really appreciate you taking the time. Okay, yeah, Man of Thane. On the next episode of Bloomberg Crypto, have you ever heard the saying everything is bigger in Texas? The same applies to mining bitcoin in the state. The state of Texas is flush with bitcoin miners, including the city of Fort Worth that started a small mining operation

out of its city hall. Tomorrow I'll talk with Bloomberg reporter Mike Smith about what makes the state so attractive to crypto enthusiasts, and you'll hear from Lee Bratcher, head of the Texas Blockchain Council, who will share more about that partnership with the City of Fort Worth. I'm Stacy Marie Ishmael, and this is Bloomberg Crypto, a daily podcast from Bloomberg and iHeartRadio. For more shows from iHeartRadio, visit the iHeartRadio app,

Apple Podcasts, or wherever you get your podcasts. Email your questions, comments, or suggestions to Crypto at bloomberg dot net. Follow us on Twitter, we're at Crypto. The supervising producer and editor of this episode is Vicky Vergalina. Desk to wonder At is our engineer. Original music by Leo Sidron. Bloomberg's head of podcasts is Francesca Levi.

Transcript source: Provided by creator in RSS feed