Romance Scams, Ransomware, & Virtual Kidnappings: Exploring 2023 Crypto Crime Trends

2023 was a year of big change in many of the sub-categories that make up the crypto crime environment. Cryptocurrency values rose after the previous year's devastating losses and industry scandals, yet illegal activity, scams and stolen funds totaled less than in previous years. According to the 2024 Chainalysis Crypto Crime Report, the total cryptocurrency value received by illicit addresses, which reached its peak of $39.6 billion in 2022, declined in 2023, dropping to $24.2 billion. Some outliers did see increases in illicit activity, including approval phishing, romance scams, ransomware, and darknet activity, which all continued slow and steady growth in 2023. Crypto scamming revenue fell by a notable 29.2%, while hacking revenue fell by a significant 54.3%. This decline in revenue from scamming and stolen funds suggests potential shifts in the larger dynamics of illicit cryptocurrency transactions during that period.

Romance Scams

According to the 2024 Chainalysis Crypto Crime Report, in 2023 losses reported due to cryptocurrency investment scams surpassed those of any other crime type tracked. Romance scams, also known as Pig Butchering Scams, saw the most significant surge in 2023, with revenue more than doubling year-over-year. The average payment of a romance scam was $4,593. However, when considering that most victims make multiple payments during the life of the scam, the true total is most likely much higher.

Certain forms of scams occasionally fall into two categories, with a crossover between romance and investment scams being the most common. Here scammers form close, confidant-type relationships with a target and later take advantage of that trust, deploying methods closer to traditional forms of crypto investment fraud. In 2023 alone, there were over 64,000 romance scam cases reported to the Federal Trade Commission, with losses totaling more than $1.1 billion. It is also widely accepted that, while reporting of romance scams has been increasing, this category is still largely underreported.

Approval Phishing

With suspected losses reaching at least $374 million in 2023, approval phishing is another area of crypto crime that has continued to grow. Approval phishing scams targeting specific, high-value victims have experienced the most notable growth in this category. While traditional scams involve tricking victims into sending cryptocurrency through various means, such as fraudulent investment opportunities or impersonation, approval phishing operates differently. In an approval phishing scam, the threat actor deceives the user into authorizing a malicious blockchain transaction. This approval grants the scammer permission to spend specific tokens stored within the victim's cryptocurrency wallet, enabling the scammer to drain the victim's assets at their discretion.

In a notable approval phishing scam described by Chainalysis, threat actors propagated a false narrative about a Uniswap approval phishing scheme. They then established a counterfeit Etherscan page where users could “verify” their transaction approvals and “confirm” whether or not they had fallen victim. Once users connected their wallets to what they thought was a page designed to help them and signed an approval transaction, the actual approval phishing scam took place.
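As an added illustration (not code from the original article or from Chainalysis), the sketch below shows the kind of check a wallet or reviewer can run on a transaction before it is signed: it recognizes the standard ERC-20/ERC-721 approval calls by their function selectors and flags grants to spenders that are not on a trusted list. It assumes EVM-style token approvals; the addresses and the trusted list are constructed placeholders.

```python
# Added example: pre-signing triage of EVM calldata for token-approval calls.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1

def build_calldata(selector, spender, value):
    """Build constructed sample calldata: selector + two 32-byte ABI words."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")

def inspect_calldata(calldata_hex, trusted_spenders):
    """Describe an approval-type call, or return None for any other call."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) < 128:
        return {"function": name, "spender": None, "risk": "malformed",
                "reasons": ["arguments shorter than two 32-byte words"]}
    spender = "0x" + args[24:64]   # address is the low 20 bytes of word 1
    value = int(args[64:128], 16)  # amount, or the bool for setApprovalForAll
    if value == 0 and not name.startswith("increaseAllowance"):
        return {"function": name, "spender": spender, "risk": "revoke",
                "reasons": ["sets the permission to zero"]}
    reasons = []
    if name.startswith("setApprovalForAll"):
        reasons.append("operator rights over every token in the collection")
    elif value == MAX_UINT256:
        reasons.append("unlimited allowance")
    trusted = spender in {s.lower() for s in trusted_spenders}
    if not trusted:
        reasons.append("spender is not on the trusted list")
    risk = "high" if not trusted else ("review" if reasons else "low")
    return {"function": name, "spender": spender, "risk": risk, "reasons": reasons}

# Constructed placeholder addresses, not real contracts.
TRUSTED_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "de" * 20

if __name__ == "__main__":
    sample = build_calldata("095ea7b3", UNKNOWN_SPENDER, MAX_UINT256)
    print(inspect_calldata(sample, {TRUSTED_ROUTER}))
```

A "high" result means the signature would hand spending rights to an address the user has no prior reason to trust, which is the situation the counterfeit "verification" page above was built to create.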

Ransomware

Ransomware, a type of malicious software, encrypts data on the victim’s computer and renders it unusable. The cybercriminal will then demand a ransom be paid for decryption. Over the past year ransomware operators have escalated their activities, targeting prominent institutions and critical infrastructure, including hospitals, educational institutions, and government bodies. In 2023, the Internet Crime Complaint Center received 2,825 complaints of ransomware, 1,193 of those complaints belonging to the critical infrastructure sector, with losses totaling more than $59.6 million. 2023 was also characterized by record-setting payments, which averaged $1 million or more per attack, as well as a notable expansion in the scale and sophistication of attacks. 

Ransomware attacks in 2023 were initiated by a variety of threat actors, from large crime syndicates to individual threat actors. Many notable ransomware supply chain assaults made use of the widespread file transfer software MOVEit, and affected a variety of large organizations, ranging from the BBC to British Airways. 

The 2024 Chainalysis Crypto Crime Report reported that these events resulted in ransomware groups surpassing $1 billion in cryptocurrency payments extorted from victims. It's important to note that this figure doesn't fully encompass the economic ramifications of ransomware attacks, including productivity losses and expenses for repairing systems. This is evident in instances such as ALPHV-BlackCat and Scattered Spider's targeting of MGM Resorts. Although MGM chose not to pay the ransom demands, it estimates that the damages incurred exceeded $100 million for the business.

A form of ransomware that has recently grown in popularity is Ransomware as a Service (RaaS). This model allows external individuals, known as affiliates, to pay for access to externally developed malware and use it to conduct attacks. These affiliates will often pay a portion of the ransom proceeds to the provider of the malware. The RaaS model streamlines the process for many cybercriminal novices, making it easier for less technically proficient people to execute ransomware attacks. Despite targeting smaller entities and demanding lower ransoms, the RaaS model acts as a force multiplier, enabling the strain to execute numerous smaller attacks effectively.

The emergence of Initial Access Brokers (IABs) has also played a part in facilitating the successful execution of ransomware attacks. IABs gain unauthorized access to the networks of potential targets, and then sell that network access to ransomware perpetrators for as little as a few hundred dollars. 

The combination of IABs with readily available Ransomware as a Service (RaaS) platforms reduces the level of technical expertise required to conduct a successful ransomware attack.

Virtual Kidnapping

Virtual kidnappings, also known as cyber kidnappings, are another form of crypto crime that is on the rise. Artificial intelligence has played a highly impactful role in the growth of this crime, making deepfakes easier to create and thus making virtual kidnapping scams more believable. Voice cloning AI software can easily be found online, and there is a growing interest from cybercriminals in voice cloning-as-a-service (VCaaS). For VCaaS, a scammer will find a public social media account with the necessary biometrics of, for example, a family member, and will use one of these options to create a realistic and terrifying kidnapping story.

A virtual kidnapping scam will usually begin with a phone call informing you that a family member has been kidnapped or is in danger. The caller might assert that your child or spouse has been abducted, accompanied by the sound of someone screaming in the background, often a cloned, AI-manipulated voice of that family member. Scammers typically issue detailed instructions to ensure the safe release of the family member. Often this involves a ransom demand of payment in cryptocurrency. In some cases the caller may falsely claim not to have received the payment and demand additional funds.

In a highly publicized 2023 case, a 17-year-old Chinese exchange student was found in a freezing tent on a mountain in the Utah town of Riverdale City. Scammers had convinced him to hike out to the remote location on his own and consent to audio and video monitoring while they swindled his family out of $80,000.

In 2023, threat actors showed continued growth in the sophistication of their exploits. While Chainalysis reported that overall illicit cryptocurrency activity declined from $39.6 billion in 2022 to $24.2 billion in 2023, there were certain types of crimes that experienced an increase. Suggesting a potential shift in the dynamics of illicit cryptocurrency transactions, approval phishing, romance scams, ransomware, and darknet activities continued to rise with a new level of aggression and efficiency. However, crypto and blockchain platforms were also able to claim some much-needed defensive progress, with enhanced security systems and more coordinated attack response methods.

Moving forward, it is crucial for cryptocurrency businesses to remain vigilant, assess their exposure to criminal activities, and collaborate closely with law enforcement to mitigate risks and protect users. Individual users must stay educated and up to date on best practices within the crypto and blockchain industries. By fostering transparency and cooperation, the industry can work towards a safer and more secure ecosystem for all stakeholders involved.

Best Practices for Avoiding and Spotting Crypto Crime

Romance Scams

  • Leverage Multi-Factor Authentication (MFA) with an authenticator app.

  • If in a virtual relationship, use reverse image search to see if they are using someone else’s photograph. 

  • Carefully examine email addresses, URLs, grammar and spelling used in all correspondence.

  • Verify payments outside of email or phone numbers given to you by the contact.

  • Don’t click on anything in unsolicited emails or text messages. This includes anything that asks you to verify or update an account.

  • Keep records of all cryptocurrency transaction details.

  • Do not invest solely on the advice of someone you met online.

  • Confirm the validity of any investment opportunity using information separate from the information your online contact gives you.

  • Do not pay withdrawal fees or taxes to withdraw your funds if you believe you have been a victim of a scam.

Ransomware

  • The FBI does not encourage paying a ransom to criminal actors. 

  • Paying the ransom also does not guarantee that an entity’s files will be recovered.

  • Regardless of whether you or your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to the IC3. 

  • Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable, and prevent future attacks.

Virtual Kidnapping

Indicators of a virtual kidnapping scheme:

  • Incoming calls come from an outside area code, sometimes from Puerto Rico with area codes (787), (939), and (856).

  • Calls do not come from the alleged kidnapped victim's phone.

  • Callers go to great lengths to keep you on the phone.

  • Callers prevent you from calling or locating the "kidnapped" victim.

  • Ransom money is only accepted via cryptocurrency or other wire transfer service.

During a virtual kidnapping attack, the FBI suggests the following:

  • Try to slow the situation down. Request to speak to the victim directly. Ask, "How do I know my loved one is okay?"

  • Listen carefully to the voice of the kidnapped victim if he/she speaks. 

  • While staying on the line with the alleged kidnappers, try to call, text or message the alleged kidnap victim from another phone or application.

  • To buy time, repeat the caller's request and tell them you are writing down the demand, or tell the caller you need additional time to meet their demands.

  • Don't directly challenge or argue with the caller. Keep your voice low and steady.

  • At the earliest opportunity, notify your local police department. 


