The FBI just dropped its annual report examining the costs of crypto-related cybercrime, painting a predictably grim picture as total losses in the US exceeded $5.6 billion in 2023 - a 45 percent year-on-year increase.

More than 69,000 complaints were made to the Feds' Internet Crime Complaint Center (IC3) last year, with the bulk of these coming from those aged 60 and over, highlighting just how vulnerable the older generations are to internet scams.

The conventional wisdom is that opportunistic criminals love to target older, sometimes tech-illiterate folk who barely know their way around their PC in (sometimes brutal) attempts to fleece them of their assets.

Investment scams are the primary driver of the sharp increase in crypto-related losses. The vast majority of cases are geared toward promising malleable victims huge returns from their "investments," but instead the scammers just take the money and run. Think liquidity mining scams, fake forex investments, and property schemes.

It's clearly a tried and tested method - the number of yearly complaints has doubled in the past few years. Fewer than 35,000 complaints were made in 2021, the last time crypto scams saw any kind of downturn. Since then, annual losses have soared by multiple billions each year.

"Scams targeting investors who use cryptocurrency are skyrocketing in severity and complexity," said Christopher Wray, director at the FBI. 

"The best way to help stop these crimes is for people to report them to ic3.gov, even if they did not suffer a financial loss. The information allows us to stay on top of emerging schemes and criminals' use of the latest technologies, so we can keep the American public informed and go after those who commit these crimes."

Investment scams "with a nexus to cryptocurrency" incurred losses amounting to $3.9 billion alone - the only category of crypto-related financial fraud to exceed nine figures.

To illustrate just how pervasive the issue really is, the next most lucrative category for cybercriminals was "personal data breach" incurring losses of $494 million. This refers to criminals extorting their victims by threatening to send their personal data to their families, employers, and the like.

Scams in the spotlight

There are many flavors of crypto-related scams that contribute to the billions in annual losses, although confidence-enabled investment scams were particularly prominent in 2023, the feds said.

These are more costly in terms of time spent convincing victims to trust the criminals, a process which can take weeks and months before the scam itself is put on the table.

"The schemes are socially engineered and trust-enabled, whereby criminals use dating apps, social media platforms, professional networking sites, or encrypted messaging apps to establish relationships with their targets," the report [PDF] states. "Once trust is established, criminals introduce the topic of cryptocurrency investment. 

"Criminals claim to have some expertise or know an expert who can help potential investors achieve financial success. Criminals then convince their targets to use fraudulent websites or apps, controlled by the criminals, to invest in cryptocurrency."

Trust will be built by the scammer showing fake profits and spending lots of time with the victim explaining how their investment will lead to big returns. However, when it comes to withdrawing their earnings, victims are told to pay a withdrawal fee on top and ultimately have all their money stolen.

To make matters worse, criminals sometimes re-victimize these individuals by posing as fake crypto-scam recovery specialists who then take more money, promising to recover the funds the previous scammers stole, and then again take that money and run.

"There is one thing these scammers typically will not do - they will not meet with you in real life," the feds said. 

"If an investment opportunity comes from someone who you have never met in person - you have never met them for coffee, never walked together in the park, never gone together to see a movie - be extremely cautious of the advice."

Liquidity mining schemes were also highlighted as one to watch out for, among the many variations of crypto scams that exist.

There are legitimate liquidity mining operations running, which see investors' assets pooled together to support the liquidity traders require, and in return investors are paid a portion of the trading fees. 

Victims are typically promised daily returns in the 1-3 percent range and coached through the process in a confidence scam-style process, which can also lead to victims handing over access to their wallets, which are of course then drained in their entirety against their will.

And what about ransomware?

If the idea that investment scams are far more lucrative for criminals than ransomware, then you'd be right to be a little skeptical.

You may remember our coverage of the FBI's annual IC3 report back in March, which again valued the investment scam business in the billions while ransomware only led to reported losses of $59.6 million. We were quick to point out that the data seemed off, to put it modestly.

The findings were clearly faulty. We didn't have to read the many caveats made by the feds in the data to see that. 

The figures informing ransomware were drawn from IC3 complaints only and not the reports made to FBI field offices. They do not comprise estimated costs related to lost business, time, wages, files, equipment, and third-party investigators. The feds also acknowledge that many victims fail to report any losses to law enforcement at all, so it knows the data sucks but still included it anyway.

Eagle-eyed readers gawked at the strikingly low costs of ransomware in the comments on our earlier reporting, as we did when we first read it. Just by looking at single attacks in recent times, you'll see that the data is off by a huge margin. 

Ransomware incidents routinely cost big organizations sums far in excess of the tens of millions the IC3 reports. Just look at Change Healthcare as one example, or MGM Resorts which was punished for not paying its ransom demands with a far costlier $100m recovery bill than what the ransom was likely set at.

That's not to cast doubt on the report as a whole though, as the IC3 is better suited to supporting consumer complaints about things like consumer scams than it is in cases like industrial ransomware. We mention it here to simply acknowledge the fact that there are some shortfalls in the Feds' data. ®

https://www.theregister.com//2024/09/10/crypto_scams_rake_in_56/