Table 7 Description of the fraud types identified in the private sector literature
Label | Description |
|---|---|
SIM swapping | SIM swapping refers to fraudsters moving their victim’s phone number to a SIM card they control. Getting access to the victim’s phone number enables attackers to break into their accounts (such as cryptocurrency exchange accounts) (CipherTrace, 2018) |
Commodity fraud | The definition of commodity fraud was not reported in the private sector literature. The U.S. Code defines it as carrying out a scheme ‘to defraud any person in connection with any commodity for future delivery, or any option on a commodity for future delivery’ or ‘to obtain, by means of false or fraudulent pretenses [sic.], representations, or promises, any money or property in connection with the purchase or sale of any commodity for future delivery, or any option on a commodity for future delivery’ (Corporate & Criminal Fraud Accountability Act of, 2002, 2009). The commodity in this case would be a crypto asset |
Access device fraud | The private sector literature failed to report the definition of access device fraud. U.S. statute defines a perpetrator thereof as someone who ‘knowingly and with intent to defraud produces, uses, or traffics in one or more’ of items like ‘counterfeit access devices’; ‘unauthorized access devices’; ‘a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services’; or ‘a scanning receiver’; among others (Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, 2015) |
CPO / CTA fraud | The definition of CPO / CTA fraud was not reported in the private sector literature. We understand this to refer to fraud committed by Commodity Pool Operators or Commodity Trading Advisors, in this case, fraud involving cryptocurrency (Ropes & Gray, 2019) |
Credential stuffing | Credential stuffing occurs when brute-force attackers automatically try huge sets of login credentials in login pages in an attempt to access an account which exists (Krone et al., 2018). Attackers could use credential stuffing to access custodial wallet or exchange accountsa |
Discount scams | The private sector literature failed to define discount scams. From the context in which they were mentioned, they appear to involve the promise of discounts for early investors in a cryptocurrency. The purported discounts may be for a counterfeit or fraudulent cryptocurrency (Bolster, 2019) |
Dusting | Dusting involves scammers sending small amount of cryptocurrency to lots of addresses. The fraudster can then track these funds in an attempt to figure out which addresses are housed in the same wallet or identify wallet holders. They then use this information for targeted phishing or blackmail scams (Musiala et al., 2020). It is worth noting that dusting is not necessarily malicious; it has also been used for advertisement purposes |
Embezzlement | Embezzlement was not defined in the private sector literature. However, the U.S. Supreme Court defined embezzlement ‘the fraudulent appropriation of property by a person to whom such property has been entrusted, or into whose hands it has lawfully come’ (Moore v. United States, 1895). In the context of cryptocurrency fraud, this would mean the misappropriation of crypto assets |
Forex fraud | The private sector literature did not include a definition of forex fraud. The Financial Conduct Authority states that these scams involve unauthorised foreign exchange trading and brokerage firms who ‘promise very high returns and guaranteed profits’ (Financial Conduct Authority, 2020), in this case, from exchanging cryptocurrencies. Generally, victims will initially receive some returns, but, following further investment, the scam forex firm will halt all communication (Financial Conduct Authority, 2020) |
Issuing false account statements in connection with soliciting investments | This was not defined in the literature, however, from the context in which it was mentioned, appears to refer to scammers publicising fake profit and loss information from their cryptocurrency ‘investment opportunity’ in order to entice new investors to join their scam (Malyshev et al., 2018) |
Options fraud | Options fraud was not defined in the private sector literature. This review, again, interpreted the literature as referring to the U.S. statutory definition, namely, ‘to defraud any person in connection with…any option on a commodity for future delivery’ or ‘to obtain, by means of false or fraudulent pretenses [sic.], representations, or promises, any money or property in connection with the purchase or sale of…any option on a commodity for future delivery’ (in this context, an option on a crypto asset) (Corporate & Criminal Fraud Accountability Act of, 2002, 2009) |
Impersonating celebrities or a federal employee | The private sector literature did not define scams involving the impersonation of a federal employee (Lucking & Aravind, 2019). The public sector literature specifically referred to impersonation scams involving celebrities, defining them as involving a scammer using ‘the image, name, and personal characteristics of a well-known person to sell a product or service’ (Australian Competition & Consumer Commission, 2020). This could involve, for example, a fraudster impersonating a celebrity to recruit victims to a cryptocurrency investment scam. We understand the definition of impersonating a federal employee to be largely the same (albeit with the perpetrator impersonating different targets). In practice, this is closely related to giveaway and advance-fee fraudsb |
Exploiting vulnerabilities | Though this was not defined in the publication that mentioned it, exploiting vulnerabilities is understood to refer to any fraudulent behaviour enabled by web browser, software, hardware or firmware security issues (PYMNTS.com & Trulioo, 2019). This could also potentially apply to exploiting vulnerabilities in smart contracts, though this was unclear from the context in which it was discussed |
Ransomware | The private sector literature that referred to ransomware specifically as a type of fraud defined it as malware that controls a victim’s computer or device and ‘holds it hostage until the victim pays the hackers to regain access’ (Musiala et al., 2020). Generally, the hackers require payment in cryptocurrency |