Co-founder of Superalgos.org, an open-source project building a Collective Trading Intelligence.
The number, frequency, and scale of scams involving impersonations are growing like fungi. It’s probably the sign of our times and it’s worrisome.
And it’s not just amateur operations run from basements. It’s reached the level of organized crime.
Coindesk recently reported their newsletters had fallen victim too, with fake newsletter-like emails directing unsuspecting victims to XRP “reallocation” fraudulent sites. I could feel the pain of Noelle Acheson, Director or Research, when she wrote “And please, please, for the sake of my pride, assume that I would never write anything like… your bags are in for a happy week.”
Few things are more disheartening than seeing your hard-earned reputation tarnished by fraudsters.
Yes, the odd, clumsy teenage hacker plays the game too, like the 17-year-old who fooled a Twitter employee — over the phone — into giving him access to admin systems, which led to the hijacking of multiple high-profile Twitter accounts to perpetrate a well-known double-your-coins crypto scam impersonating celebrities.
It’s clear that impersonators are upping their game.
Long gone are the days in which the Nigerian Prince scam or the broken-English phishing emails impersonating banks you’d never worked with were the main threats. The staging is ever more elaborate and considerate, thus credible at first sight.
Even low-profile scammers are taking the game up a notch too. Take this example coming from my own experience running the still-young Superalgos Community Telegram group.
A new user came to us to report that someone with a Telegram profile seemingly identical to that of Luis Fernando Molina— the project’s lead developer — had contacted him in a way that raised slight suspicions.
After a quick, friendly chat, the impersonator had offered to run a trading bot for him. That would save him the hassle of setting it up himself. All the would-be victim needed to do was to surrender his exchange API keys, and he would be up and running in no time. What could possibly go wrong, right?
Trying to scam crypto traders out of their API keys is certainly not a new endeavor.
What is concerning is the level of consideration evidenced by the precise
formulation of the heist, and how fitting it was in the context of Superalgos.
This is not the same kind of low-cost, carelessly deployed scammy propositions thrown out in the open in the hope that a very small percentage of the public may engage with it.
Take the thank you Mr. Jackson for diligently investing my capital, I’ll forever be grateful-kind of a scam as an example. This is likely to be the most common scam message in any given crypto trading group these days.
How effective can such a ridiculous bait be?
My take is that — if they keep doing it —it works.
The tactic involves luring certain kinds of people into trusting the supposedly forever-grateful, uninterested referrer of Mr. Jackson. Trust the referrer enough, and getting to trust Mr. Jackson himself is just one step away.
The scam is based on what Robert Cialdini called social proof, by which — given an ambiguous proposition — certain kinds of people tend to take action provided that other people take action first. By the way, this is also one of the psychological principles upon which marketers have been crafting referral programs for decades.
It used to take certain personality traits, or a certain level of Internet illiteracy to qualify for being scammed.
However, the quality of the staging and the care for details of the new generation of scams is now threatening even knowledgeable, sensible people.
The recent attack on Superalgos users is a good example. The scam was specifically tailored to the context, and resulted in a credible proposition, at least for new users.
Getting to a credible proposition must have required considerable dedication and planning.
To illustrate the investment involved in formulating such a targeted attack, this is the shortest mental process required for someone new to Superalgos to come up with such an idea:
* The scammer must have found us while searching for crypto trading groups. Scammers understand the power of diversification, so they constantly search for new groups to target.
* However, he didn’t act impulsively. He didn’t attempt any of the typical scams. Instead, he took his time and studied what Superalgos was about.
* He noticed that Superalgos wasn’t the typical crypto-trading group, where traders discuss recent price action, BitMex funding, or market predictions.
* He realized the group deals with trading bots and the Superalgos software in particular.
* He also noticed that Superalgos is not a company offering an online service, but an open-source project run by the community, developing software that runs on users’ machines.
* He studied the nature of personal interactions in the group and noticed users usually help each other to get started.
* He identified Luis as one of the admins helping out with the technical aspects. He witnessed how Luis would help someone get started or troubleshoot an issue, right then and there.
Only after observing and processing all of the above information was it that it all clicked-in.
All the scammer needed to do then was to set up a Telegram account with a username similar to Luis’, steal his profile picture, copy the bio, and attack his first victim.
Fake — real, real — fake… which is which?
He contacted a new user: someone who had recently introduced himself to the community acknowledging he was new to trading bots.
Luckily, the would-be victim was sharp as a tack. He let the impersonator spill the beans to find out what the scam was about and swiftly reported the scammer to the real Luis.
So, the good guys win, the scammer gets unmasked ala Scooby Doo meme, and everyone’s happy… Sweet, right?
Not so fast, cowboy.
Unmasking after the fact is not enough!
It took us five minutes to track the offender and craft a quick message to alert the community. By that time, several other users had been attacked already.
Fortunately, no one had acted upon the malicious offer, but still, the experience made us realize how vulnerable our community was to impersonators.
Telegram Can’t Handle the Threat
The crypto community has adopted Telegram, running away from other platforms that won’t offer the most basic privacy guarantees or grant ownership over users’ data.
However, Telegram seems unable to find a technological solution to the impersonation conundrum and scams in general.
The challenge seems to lie in the unlikely balance required for successful group communication, in which personal privacy embodied in anonymity seems to be at odds with the quality of the interactions and general users’ safety.
Anyone who has spent any time on Internet forums knows that the quality of the conversation is proportional to how invested participants are in keeping a personal reputation. After all, anonymity enables multiple forms of identity deception and communication vices.
While anonymity is a desirable feature, the option to have a unique, unforgeable identity is too, even when the online identity may be pseudonymous — that is, not tied to a physical identity.
In the context of a community, pseudonymity is always preferable to anonymity, as a pseudonymous member may keep a reputation, while an anonymous one may not.
However, Telegram accounts are easily forgeable, as shown earlier with the fake Luis Molina profile. If anyone may easily pretend to be anyone else, then it’s pretty much like rendering everyone anonymous.
Attacking Impersonators’ Weak Spot
So it seems that we are left with the sole option of taking matters in our own hands.
What do we do then?
First, we need to understand how impersonators operate in the context of a Telegram group. They wouldn’t try to impersonate a trusted member of the community out in the open, right?
The answer is no — most of the time. Impersonating an admin out in the open would be risky, as admins’ messages in the group are tagged with either the default admin label or a custom label that may be set by the group owner.
Impersonators may hijack other identities in the open, but they also run the risk of the owner of the identity noticing it and raising the matter to the group admins.
As a rule of thumb, it’s safe to assume that a criminal investing time and effort infiltrating a community does everything possible not to get caught, as the cost of getting caught is blowing the details of the scam out in the open, alerting the otherwise unsuspecting community.
Impersonators may only deal with their victims in private. That is their weak spot.
How may group admins interfere with unknown impersonators’ private communications?
The answer lies in the Community Policy.
A Solid Anti-Scam Community Policy
If impersonators may only trick community members by contacting them in private in an unsolicited fashion, then the community’s first and foremost, the rule must be:
1. Group admins will never contact you in private unless you contact them first.
Let community members know that if anyone ever contacts them claiming to be an admin in your group, it’s a scam; period.
This is a clear and unambiguous policy that every Telegram group should
adopt if we are ever going to eradicate Telegram impersonators.
If an admin ever needs to have a private conversation with a community
member, the admin must call the member in the public group and publicly
ask the member to be contacted in private.
For a community member to contact an admin in private, he or she will find one of the admin’s messages in the group, which are properly labeled,
click on the admin’s user name, and click Send Message on the admin’s profile.
By doing this, the community member establishes a trusted channel, with a virtually 100% guarantee that the party on the other side is the real
admin. Once the private communication channel is established, it may be
safely used by either party in the future.
2. Identify what else community members should never expect from admins, and state it explicitly.
In the case of Superalgos — being an open-source project developing a free and trustless system to build, test, and deploy crypto trading bots — that would be:
Admins will never ask you to submit exchange API keys or funds, for any reason. In fact, we will never ask you — and you should never need — to trust us in any way.
3. Make it a priority to educate newcomers about the first two rules.
In the case of Superalgos, a warning message awaits newcomers right on top of our pinned welcome message, before information on how to download and install the software is provided.
We also educate users about how to stay safe while operating the software and interacting with the community in prominent pages of the documentation.
4. Use a tried and tested Telegram bot to help with managing the community.
Implementing a host bot to help manage repetitive tasks can free up human resources, which may be better used for things that may — or should not — be automated.
At Superalgos, we are using Miss Rose.
In our case, the first and foremost automated task is greeting newcomers
and pointing them to the pinned message, so that they may be briefed on
all the important matters of the project before they get started with
5. Lock abuse-prone user functions and enable member-policing tools.
Telegram offers limited admin control over what user actions may be locked. The good news is that your bot host may expand the built-in admin
functionality incorporating finer-grain controls to manage the group.
In our case, we started by locking the ability for users to:
Add bots to the group
It’s crazy that Telegram’s admin interface does not provide this function, as it is crucial. If you allow users to add bots to the group — which is enabled by default — you are guaranteed to have an endless stream of spambots harassing the group until the end of time.
While it would be nice to allow users to post links to useful resources, the
truth is this is one of the most abused user functions and a major source of scams. Telegram allows blocking URLs, but Miss Rose expands
the functionality by keeping a whitelist of domains and URLs. This
allows filtering out all URLs but the ones that are deemed to be of use
to the community, such as links to the documentation, specific GitHub
repositories, the official website, or the project’s social media.
Share their location and contact cards
We’ve seen users accidentally sharing their location and random contact
details, so locking this ability, which has no particular use in our
case is a way of protecting community members.
Post polls, games, and buttons
In our case, there is no interest in such things, thus locking such functions helps keep the community-focused.
Send commands to the host bot
By default, Miss Rose allows users to interact with her in many ways. The
problem is that those interactions happen publicly within the group, which may be annoying when abused.
On the other hand, we enabled a couple of features that help keep the
group clean and tidy, and enable members to take part in caring for the
Report bad behavior
Miss Rose enables community members to report any message by replying to the offending message with a simple command: /report. This not only helps the group stay civilized; it’s also a great tool for members to report scammers and fraudulent messages that may go unnoticed by admins. The report is sent to the group of admins, pointing to the offending message so that they may take appropriate action.
Auto clean-up of administrative messages
Miss Rose may take care of deleting welcome messages, as well as entry and exit notifications. This helps keep conversations streamlined and easy
The more Telegram groups implement these policies, the more Telegram users will become familiar with the notion that when someone — whomever that may be — contacts you in an unsolicited manner, it is enough reason to be suspicious, and act accordingly.
Julian Molina is Co-Founder of Superalgos, an open-source crypto trading bots project managing an incipient Telegram community group.
(Read Behind a Paywall here)