
1 Introduction

Social engineering attacks are often used in cybercrime. With the subtle use of psychological tricks, criminals exploit the natural weaknesses of humans. The victims of social engineering attacks are unknowingly influenced in their actions and persuaded to reveal secret information. For example, the sender of a phishing e-mail pretends to be a financial institution and orders the recipient to disclose personal account data on a phishing website. Because it relies on persuasion principles such as authority, social proof, and reciprocity, social engineering is quite successful.

Previous research describes and analyses compliance principles and their application in social engineering [e.g., 1,2,3,4,5,6,7]. The research of [8] defines a commonly accepted set of five persuasion principles (Authority; Social Proof; Liking, Similarity & Deception; Commitment, Reciprocation & Consistency; Distraction) and assesses their occurrence in phishing e-mails.

Overall, blockchain applications, such as cryptocurrencies, are considered secure [9]. This security has been proven in the past, especially for the integrity and availability of stored data. The decentralized applications have many built-in protection mechanisms, such as cryptographic algorithms or redundant data storage. However, these technical security mechanisms are useless when cyber criminals target the “weakest link” in security – the user [1].

Recent cases of successful attacks on cryptocurrency users - resulting in losses of millions of dollars - make use of social engineering techniques and compliance principles. For example, in November 2017 several potential buyers of the Red Pulse Token responded to fake news spread by Twitter accounts and entered their access credentials into a phishing website. The lost tokens were worth more than $3 million.

Although the numbers show that there is a severe impact of social engineering attacks on cryptocurrency users, no research exists – to the best of our knowledge – that analyses the exploitation of human weaknesses in cryptocurrency frauds. Within this paper, we therefore describe five cases of cryptocurrency frauds. We analyze, based on the [8] set of compliance principles, which psychological tricks have been used by the social engineers to steal the users’ cryptocurrencies. For the description of the cases, we use the ontological model for social engineering attacks proposed by [10].

With this paper we contribute to research by

  • increasing the understanding of the users’ role in information security with regards to a new technology (blockchain, cryptocurrency);

  • adding a psychological perspective to the use of cryptocurrencies and blockchain technology;

  • testing the compliance principles from [8] in a broader social engineering context (not only considering phishing e-mails);

  • assessing the applicability of the ontological model of social engineering attacks in the context of cryptocurrency frauds;

  • describing and analysing the impact of social engineering on cryptocurrency users; and

  • deriving initial recommendations for protecting cryptocurrency users against exploitation from social engineers.

The rest of the paper is organized as follows. In the related work section, we give a quick introduction to blockchain technology and cryptocurrencies. Further, we introduce the concept of social engineering and the psychological tricks used within it. We then introduce and describe five cases of cryptocurrency fraud. Afterwards we explain the utilization of the compliance principles in the cases. In the discussion section we analyze the results, describe our contributions, and give recommendations. Finally, we summarize our findings and give an outlook on future research.

2 Related Work

2.1 Security Issues in Blockchain Technology and Cryptocurrencies

Blockchain technology has become very popular since the introduction of Bitcoin, especially due to Bitcoin’s rapid price increase. A blockchain is a distributed ledger, with the fundamental property that once data has been recorded, it becomes nearly impossible to change it [11]. A network of computers, known as nodes, verifies that the data added complies with the rules of the network, thus providing consensus among the participants. By using cryptographic techniques such as asymmetric cryptography or cryptographic hash functions, the blockchain helps build trust between two or more parties without relying on a trusted third party.

The blockchain was first described by [12] in the context of Bitcoin and was later adapted by numerous other cryptocurrencies, such as Litecoin or Ether. Cryptocurrencies are virtual currencies that are not hedged and managed by a central, administrative entity, but by cryptographic methods [13]. A cryptocurrency is called a token if it has other uses in addition to the currency function. For example, such a token could be a right to vote or the digital representation of an asset.

The interaction of human users with cryptocurrencies is based on public-key cryptography. A new participant in the network initially generates a private key, from which the public key and the user’s address are calculated. With their private keys the users are able to authenticate themselves in the network. Anyone who is in possession of the private key can digitally sign transactions and thus has access to the balance of the corresponding address. Private keys can be stored in so-called wallets. There are paper, hardware, software, and website wallets [14]. For paper wallets, the private key and public key are printed on paper. In hardware wallets, the private key is permanently stored in a hardware device that can be connected to a computer. Software and website wallets allow users to interact with the blockchain via a visually enhanced graphical user interface. Depending on the provider, website wallet users can view their balance and transaction history, send transactions, or use other services. To access their address, users enter their private key or upload a file that stores the key. This can be done in combination with a password or a hardware wallet.

Most researchers analyzing security and privacy issues of blockchain and cryptocurrencies focus on system flaws, technical limitations, and network attacks, such as double spending, DDoS attacks, and man-in-the-middle attacks [e.g. 15,16,17].

Few studies take a different approach and analyze the risks a user faces when interacting with blockchain technology in general and cryptocurrencies specifically. [18] state that cryptocurrency users face some risk when using intermediaries such as currency exchanges, online wallets, mining pools, and investment services, because those operate as de facto centralized authorities. For example, if the intermediary becomes insolvent or absconds with the users’ deposits, users suffer a financial loss. Further, blockchain transactions are irreversible, in contrast to other forms of financial transactions such as credit card payments or bank transfers. Therefore, cryptocurrency transactions are prone to abuse by cyber criminals. Their victims usually only identify the fraud after the transaction took place and hence cannot reclaim their money.

As an additional risk for cryptocurrency users, [9] identified the usage of software and website wallets. Those wallets have become a target for cyber criminals, too. Having analyzed some successful cryptocurrency attacks, they name, among others, the exploitation of human weaknesses, neglect, and inexperience as success factors. They state that attackers often utilize social engineering techniques.

The role of the user in protecting security and privacy in a cryptocurrency environment has been intensively studied by [19]. Nearly 1’000 Bitcoin users participated in their online survey. They found evidence for the risks involved in using website wallets. Many survey participants used at least one website wallet, but many of them lacked background knowledge: about a third of the participants were unaware whether their wallet was encrypted or backed up. Moreover, nearly one fourth of the participants had already lost Bitcoins or their private keys at least once. With nearly 45%, the main reason for those losses had been the users’ own mistakes, such as formatting the hard drive or losing the physical device storing the private keys. Other reasons had been hardware and software failures. About 20% had been victims of hackers or malware.

2.2 Social Engineering

When securing information and information technology, it is not sufficient to rely on technical security controls such as firewalls and virus scanners. Including the user – or the “human factor” – in information security considerations is at least as important [20, 21]. The user is sometimes seen as the weakest link in information security [e.g., 22,23,24] – or as Kevin Mitnick puts it: “… security is not a technology problem - it’s a people and management problem.” [1]. However, recent research shows that users are also an important line of defense [25].

Social Engineering is the art of manipulating human behavior without the victim being aware of it. The “target” takes an action that may not be in her best interest [4]. “Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” [1]. In the context of information security, social engineering is usually used in its malicious form. A social engineer may try to obtain login credentials by pretending to be an IT administrator and simply asking users over the phone about their password. This social engineering technique is called pretexting or impersonation [26, 27]. A typical example of the baiting technique is when the social engineer leaves an infected USB flash drive lying around with the intention of it being picked up by the curious target [10, 28]. The social engineer employs the information obtained or the inappropriate action taken by the user in the actual attack in order to reach the intended goal (e.g., getting access to confidential information, stealing money) [29].

The most prominent and successful social engineering technique is phishing [30]. Phishing is an attempt to get unauthorized access to sensitive information [31]. A common approach for phishing attacks is to send e-mails to random e-mail addresses. The fraudulent e-mail contains links to a spoofed website and a text requiring the victims to follow the link and enter their personal data. As soon as the form on the website is submitted, all information entered is sent to the attackers. If the spoofed website is an exact copy of the original entity, the individual will never suspect that she was a victim of phishing [32]. Spear phishing is a more sophisticated phishing approach in which a specific user or group of users is targeted. The attacker incorporates personalized information, such as the salutation, in the e-mail to make it more believable [33].

The Social Engineering ontological model proposed by [10] allows for systematically describing and analyzing social engineering attacks: “A Social Engineering attack employs either direct communication or indirect communication, and has a social engineer, a target, a medium, a goal, one or more compliance principles and one or more techniques.” Direct communication is when attacker and target directly communicate with each other, either bidirectional (e.g., in an (e-mail) conversation, over telephone) or unidirectional (one-way, usually from attacker to target, e.g., as in phishing). In an indirect communication, communication occurs through some third-party medium, e.g., a USB flash drive or a web page. Figure 1 shows the ontological model and gives some examples of media, goals, and techniques. Compliance principles will be discussed in the following section.

Fig. 1. Ontological model of a social engineering attack [in accordance with 10].

2.3 Compliance Principles

Social engineers are excellent psychologists exploiting typical human behavioral patterns as vulnerabilities, such as the desire to be helpful, the tendency to trust people and the fear of getting into trouble [7]. In their study, which investigated whether end users really plug in USB flash drives they happen to find, [28] found that at least 45% of their dropped drives had indeed been used. Their victims disclosed two reasons for picking up the USB flash drives: the altruistic intention of returning the USB drive to its owner, and curiosity.

Social engineers know how to influence and persuade their victims by linking their message to deep human motivations. Humans show recurring behavioral patterns that constitute inherent security vulnerabilities in any complex system [34]. One of those behavioral patterns is reciprocity, which refers to the feeling of being obliged to return a favor [35]. In a society it is expected behavior that people repay what another person has provided. For example, if we get a present from a colleague for our birthday, we feel obliged to give them a gift for their birthday as well. Reciprocity is also involved in a mutual exchange of information and knowledge. [7] demonstrate the power of reciprocity in their study on password disclosure. They conducted short interviews on IT behavior with more than 1’100 participants. During the interviews, participants were asked to disclose their passwords. In the total sample, 30% revealed their password. Nearly one third of the participants were offered a piece of chocolate directly before the password question. Of those participants, 48% revealed their password. Due to the reciprocity effect, the incentive given to the participants (a piece of chocolate) resulted in them returning the favor by revealing some personal data (i.e., the password). As this study demonstrates, it is important to understand the psychological triggers or principles used in social engineering attacks in order to set up an effective defense strategy [2].

[8] analyzed the work of [2, 34, 35] and proposed a revised list of persuasion principles used in social engineering. Their list contains the following five principles:

  • Authority: People are trained not to question authorities, such as teachers, parents, police officers, doctors, or chief executives. They usually follow the requests or orders of someone they think is an authority. In a CEO fraud, this principle is used: an employee from the financial department receives a fake e-mail from a company executive and is convinced to transfer a large amount of money to a fraudulent account. Authority can be indicated by titles, clothes (especially uniforms), or trappings (e.g., jewellery, cars) [35].

  • Social Proof: Especially in unfamiliar situations, people tend to mimic the behaviour of others. That way they limit the risk of showing inappropriate behaviour. Further, they feel that they are not held solely responsible for their actions. A social engineer can convince a person to comply with a request by informing the person that many other individuals, maybe friends or colleagues, have already taken the same action [4].

  • Liking, Similarity & Deception: People more willingly comply with requests from friends. This principle also works with people they know or like, as well as with people they are similar to, familiar with, or attracted to. If social engineers get their victims to like them, for example with compliments or shared interests, it is much more likely that they will be successful in their requests.

  • Commitment, Reciprocation & Consistency: Once committed to a specific action or decision, people tend to follow it through until the end. They comply with requests consistent with their position. People also feel socially obliged to repay favours. Once a social engineer gets the victim to divulge some information, the victim remains consistent with further requests to disclose information [4].

  • Distraction: As people have a limited ability to process information, they focus on seemingly important facts or actions and automatically ignore other stimuli. Distraction can take several forms: information overload, surprise, needs and desires, time pressure, fear, greed, scarcity, or decreasing availability of goods or information. A social engineer who directs the attention of the victim in a desired direction interferes with the victim’s ability to think logically. A fake competition that offers prizes to the fastest respondents makes use of this principle [1].

The psychological principles used or named by other researchers in social engineering [e.g., 1, 3,4,5, 36, 37] can be mapped onto those five principles. Therefore, we use this list as the basis for our investigation of social engineering in cryptocurrency fraud.

3 Case Studies

Criminals are creative when manipulating cryptocurrency investors. This section describes five cases of successful cryptocurrency frauds. We will show that the selected cases can be classified as social engineering attacks. All cases took place within the last 36 months, when the public interest in cryptocurrencies attracted many inexperienced and non-IT-savvy people to invest in cryptocurrencies. The selected cases gained attention within the cryptocurrency community due to their heavy or lasting impact. It is not our intention to give a complete overview of cryptocurrency frauds. We selected the cases to demonstrate the impact of social engineering on cryptocurrency investors and to show several types of social engineering attacks.

We base our case descriptions on the ontological model proposed by [10]. In all cases, the goal of the social engineers was financial gain, therefore we do not include this item in the description. The social engineers convinced their victims either to transfer the cryptocurrencies to the attackers’ addresses, or to disclose their private keys. With the private keys the attackers were able to steal the cryptocurrencies from the victims’ addresses. In addition to the ontological model, we add some background information, a description of each attack and its impact to make the attacks more comprehensible. We explain and discuss our appraisal of the compliance principles used (based on the list of [8]) in the subsequent section.

3.1 A) Red Pulse [38]

The project NEO is an open platform network for creating decentralized applications and is also known as the Chinese Ethereum [39]. Red Pulse, being the first Initial Coin Offering (ICO) on the NEO platform network, was sold out in one hour raising $15 million. Red Pulse is a market intelligence platform that covers China’s financial and capital markets. The Red Pulse platform promises to deliver real-time information impacting Chinese companies, sectors and the overall economy for investors to make better informed decisions [40]. In November 2017, cyber criminals offered a fake airdrop for the newly launched Red Pulse Tokens (cf. Table 1). An airdrop is when a blockchain project decides to offer free tokens or coins to the community [41]. It is a common marketing method used by many companies to promote or to spread their tokens.

Table 1. Social engineering features of the Red Pulse attack

Attack Description. Criminals used a fake Twitter account (@RedPulseNEO) to lure victims to a phishing website (redpulsetoken.co), promising to offer an airdrop (free tokens) for a limited period of time. The attackers made the site look secure by using a real HTTPS certificate. The website offered a bonus calculator. Visitors were asked to enter the amount of their Red Pulse tokens into the calculator, which then displayed the alleged bonus of 30%. To claim that bonus, the victims were asked to enter the private key of their NEO wallet. The description on top of this form stated that this was a secured process and that every input would be encrypted. With the private keys the criminals stole the victims’ funds.

Impact. 246 investors lost more than $3 million worth of tokens.

3.2 B) Blockchain.Info [42]

The website www.blockchain.info offers free website wallets for users of the cryptocurrencies Bitcoin, Ether, and Bitcoin Cash. It allows users to easily generate a wallet in the required network, check their balance, do transactions, or buy and sell currencies. After signing up, users can log into their address by submitting their e-mail and password. In February 2017 a Google AdWords campaign lured users to a phishing site that appeared like the popular website wallet (cf. Table 2).

Table 2. Social engineering features of the blockchain.info attack

Attack Description. The criminals created a Google AdWords campaign. When victims searched for terms like “blockchain” or “bitcoin wallet”, the targeted ads appeared and lured them to URLs like www.blockchien.info or www.block-chain.info, showing a nearly perfect copy of the original www.blockchain.info. The websites had HTTPS certificates and were hosted by European companies. When victims tried to log in, their login credentials were submitted to the hacker group, allowing the hackers to steal the victims’ funds.

Impact. Around $50 million of funds were stolen by the attackers. This type of attack was later expanded to other similar websites such as www.myetherwallet.com.

3.3 C) Bee Token [43, 44]

Bee Token is the currency of the decentralized Beenest platform. The project aims to develop a decentralized home sharing marketplace, similar in functionality to the Airbnb platform. Bee Tokens were sold in advance to investors in an ICO. Investors interested in the ICO either took part in the outsourced Know-Your-Customer (KYC) procedure or registered for a newsletter. The Bee Token team limited the contribution of each investor to between 0.1 and 0.2 Ether (ETH). Many investors complained about this limit. On January 31, 2018 investors’ e-mail addresses were leaked [44].

Attack Description. Attackers stole customer data either from the outsourced KYC procedure or from the newsletter module. Having heard about the complaints of strongly limited contributions, they sent e-mails to potential investors a few minutes before the ICO launch (cf. Table 3). They explained that they had decided to increase the contribution limit up to 30 ETH and included their own addresses. Although Bee Token had stated that the correct wallet address would only be announced through a YouTube video, many investors sent their contribution right into the attackers’ wallets [43].

Table 3. Social engineering features of the Bee Token attack

Impact. With three of the fraudulent ICO addresses the criminals gathered about $1 million – half as much Ether as the real ICO collected. Many investors lost their trust in the Bee Token team and even the blockchain technology as a whole.

3.4 D) Fake Twitter Accounts [45]

Twitter is a popular social media platform within the cryptocurrency community when it comes to announcing news and sharing thoughts or ideas. All the important players of the blockchain and digital economy have a Twitter account. Scammers used the social network in early 2018 to trick users into a fake competition using fake Twitter accounts impersonating these players (cf. Table 4).

Table 4. Social engineering features of the Fake Twitter Account attack

Attack Description. The scammers copied the account of the famous entrepreneur and investor Elon Musk by choosing “Elon Musk” as display name and using his profile picture. As username they chose “@elonlmusk”, similar to the original username “@elonmusk”. The scammers gained the attention of Twitter users by commenting on a post of the original Elon Musk. In their comment they said that they were giving away 5,000 ETH to Elon’s followers. In order to participate, the followers should send 0.5-1 ETH to the stated address and would get 5-10 ETH back. The scammers also used other fake accounts to seemingly verify the offer, by commenting that they had received the offered ETH. Several followers transferred some of their ETH to the fake addresses.
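Both the blockchain.info case (www.blockchien.info, www.block-chain.info) and the fake Twitter account case (@elonlmusk versus @elonmusk) rely on identifiers that differ from the genuine one by a single character. The check below is an added example written for this page, not part of the paper or of any of the services named: it flags domains and social-media handles that are within a small edit distance of an allowlist after folding common look-alike characters, which is the kind of check a wallet provider, browser extension, or community moderator could run on links and handles before users act on them. The allowlist and the sample inputs are constructed; the domain handling assumes plain two-label hostnames and does no public-suffix lookup.

```python
"""Added example: flag look-alike domains and handles against an allowlist."""
from urllib.parse import urlsplit

# Constructed allowlist: identifiers a user or organisation actually trusts.
TRUSTED_DOMAINS = {"blockchain.info", "myetherwallet.com"}
TRUSTED_HANDLES = {"elonmusk", "vitalikbuterin"}


def normalize(name):
    """Fold visually confusable spellings so 'myetherwa11et' == 'myetherwallet'
    and 'block-chain' == 'blockchain' before measuring distance."""
    name = name.lower().lstrip("@")
    for multi, single in (("rn", "m"), ("vv", "w")):
        name = name.replace(multi, single)
    name = name.translate(str.maketrans("0135", "oles"))
    return name.replace("-", "").replace("_", "")


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)   # transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(url_or_host):
    """Host part of a URL or bare hostname, minus a leading 'www.'.
    Assumption: two-label domains only; no public-suffix list."""
    if "//" not in url_or_host:
        url_or_host = "//" + url_or_host
    host = urlsplit(url_or_host).hostname or ""
    return host[4:] if host.startswith("www.") else host


def classify(candidate, trusted, max_distance=2):
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None).
    An exact allowlist hit is trusted; anything else that is close to an
    allowlisted name is a look-alike and should be treated as hostile."""
    cand = candidate.lower().lstrip("@")
    if cand in trusted:
        return ("trusted", cand)
    norm = normalize(cand)
    best = None
    for name in trusted:
        d = edit_distance(norm, normalize(name))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, name)
    return ("lookalike", best[1]) if best else ("unknown", None)


def check_url(url):
    return classify(registrable_domain(url), TRUSTED_DOMAINS)


def check_handle(handle):
    return classify(handle, TRUSTED_HANDLES)


if __name__ == "__main__":
    # Constructed samples modelled on the two cases above.
    for url in ("https://www.blockchain.info/wallet", "https://www.blockchien.info/",
                "www.block-chain.info", "https://coinbase.example/"):
        print(url, "->", check_url(url))
    for handle in ("@elonmusk", "@elonlmusk", "@someoneelse"):
        print(handle, "->", check_handle(handle))
```

The decisive design choice is that a near miss is reported as a look-alike rather than as "unknown": a name that is almost, but not exactly, a trusted one is far more likely to be an impersonation than a coincidence, which is the opposite of how the victims in both cases read the small difference.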

Impact. The scammers were able to obtain about 172.57 ETH from 282 different wallets. Later, many other fake accounts of Elon Musk or other people like Vitalik Buterin, co-founder of Ethereum, started to appear. Due to the large number of fake accounts, it is hard to estimate the total amount of lost ETH.

3.5 E) Minereum Token [46]

Minereum Token (MNE) is a project focusing on a self-mining smart contract approach on the Ethereum blockchain. It was released in April 2017 and used a custom implementation. Therefore, commonly used websites like Etherscan.io display wrong balances. In April 2018, scammers used some of those tokens in a honeypot-like scam [47] (cf. Table 5).

Table 5. Social engineering features of the Minereum Token attack

Attack Description. In a crypto chat, criminals published the private key to their address containing 31,500 MNE ($5,000). Would-be thieves tried to withdraw those tokens. However, there was no ETH in that wallet, so the transaction fee for the withdrawal could not be paid. The would-be thieves started to send ETH to the address in the hope of being the first able to pay the transaction fee for the MNE withdrawal. The attackers had prepared a script that sent all incoming ETH from the leaked wallet to another wallet under their control.

Impact. 0.755 ETH were collected through 242 transactions. The attackers carried out this kind of attack multiple times, since their wallet shows incoming transactions from at least three different wallets filled with MNE [48].

4 Findings

In all five cases presented above, three or more compliance principles have been used by the social engineers. Based on our appraisal, examples for two of them can be found in all five cases: Commitment, Reciprocation & Consistency as well as Distraction. The Authority principle had been used in four cases. Two cases utilized the Liking, Similarity & Deception principle and the Social Proof principle. In the following we give short explanations that demonstrate our appraisal and the usage of the principles in the cases.

From the Commitment, Reciprocation & Consistency principle the social engineers make specific use of commitment and consistency. What the social engineers utilized is the commitment of the investors to their previously taken actions and decisions [35], and the investors’ wish to appear consistent in their own behavior as well. Once the victims had decided to visit the website, i.e., clicked on a link, in both the Red Pulse case (case A) and the blockchain.info case (case B), they were trapped by their own commitment. In order to be consistent with their previous decision to visit the website, in order to obtain free tokens (A) or access their website wallet (B), the investors followed through with their initial intention and entered their private keys into the phishing sites. In the Bee Token case (case C) commitment is quite strong. By taking part in the KYC process or registering at the website, the potential investors had already declared their interest in investing in the ICO. Once the offer came, they consistently took the chance. Similarly, in the fake Twitter account case (case D), the victims committed to being interested in ETH investments when they decided to follow Vitalik Buterin on Twitter. The would-be thieves in the Minereum case (case E) were committed to stealing the MNE from the address once they happened to get access to it. When they found out that they first had to transfer ETH to the address in order to be able to withdraw the MNE, they consistently did so.

Reciprocation only plays a minor role in the cases. One could argue that the offer of 30% bonus tokens in case A was seen as a favor that the victims returned by entering their private keys into the phishing site. The valuable information that the maximum investment amount had risen to 30 ETH in case C is probably a stronger example of reciprocation [4]. The investors returned the favor when transferring their ETH to the social engineers’ address.

Distraction takes many forms in the cases and is usually the main driver for the victims to comply with the social engineers’ requests. Due to the distractions the victims are not able to evaluate facts or actions by logical reasoning [36]. In case A the victims get distracted in several ways. First, the airdrop offering aroused their desire, if not to say greed, to receive free tokens, which was intensified by the bonus calculator on the website that showed them the expected bonus. Second, the offer was only available for a limited time (scarcity [cf. 35]). And third, the social engineers made sure that their website was considered secure by using HTTPS certificates and other clues demonstrating its trustworthiness. The victims in case B were so focused on their task of accessing their own website wallets that they did not notice slight differences in the websites’ URL or appearance. The rush to make a quick decision distracted the victims from thinking logically in case C. The offer to invest more ETH than originally announced was valid for 24 h only. Furthermore, it seemed to be a scarce one – offered to selected individuals only. In case D the social engineers combined the victims’ desire for free tokens with a fake competition, in which only the fastest respondents would be able to win. Greed was the main distraction in case E as well.

When the Authority principle is used, victims are less likely to question the validity of a request (or offer). In the cases, authority is established through pretending to be a valid and trustworthy entity using digital symbols of authority [cf. 8]. In cases A and B, the websites included security mechanisms and imitated the look and feel (B) or at least the names (A, B) of the true entities. Also, the social engineers in case C pretended to be the original Bee Token team in their e-mails by, e.g., using the correct logo [43]. The authority principle had its strongest effect in the fake Twitter accounts (case D). The scammers copied the online appearance and name of a celebrity. They showed a surprising but believable behavior when offering free tokens to the community. Through imitating a celebrity on Twitter the attackers made themselves look trustworthy and credible, with a significant chance that their victims would follow their offer [49].

With the Liking, Similarity & Deception principle the social engineers take advantage of the fact that their victims are more likely to respond to someone they like or who is similar to them. In case D the victims follow the famous Elon Musk (and other celebrities) because they probably like or respect him. When getting the chance to receive free tokens from their idol, they of course took it. Investors in cryptocurrencies and participants in crypto chats surely share the same interests and have further similarities, too. For example, the participants in the [19] study were male (85%) and had an IT background (~50%). So, the would-be thieves in case E were more willing to believe that a hapless individual (similar to themselves) had accidentally disclosed their private key in the crypto chat.

Strong evidence for the Social Proof principle can be found in case D. The social engineers not only faked the account of the celebrity but created additional fake Twitter accounts. Those fake Twitter accounts responded to the initial offer and “verified” that they had indeed received some of the promised free tokens. According to the social proof principle this twist probably convinced several until then uncertain followers to mimic the behavior of the other followers. They transferred their ETH to the fake address. In case E, social proof worked in a criminal way. None of the crypto chat users alerted the social engineers that they had disclosed their private key. They either ignored or even tried to profit from this mistake. Obviously, this seemed to be the correct behavior in the situation. Otherwise, surely someone would have helped the “victim”.

5 Discussion

The five cases illustrate that social engineering attacks can be successful and profitable in the cryptocurrency environment. The social engineers succeeded with a combination of different communication strategies, techniques, media, and compliance principles. They either convinced their targets to transfer their funds directly to the attackers’ addresses or they lured their targets into revealing their private keys.

We used the social engineering ontological model from [10] to describe the five cases. The model provides a valid and convenient way to structure and compare social engineering attacks. A description of the impact of the attacks could be considered as an additional class in the ontological model. The impact could indicate from the social engineers’ point of view whether the attack was successful or not, i.e., whether they reached their intended goal. Further, it could specify the impact or damage caused by the attack from the victim’s point of view, for example, the amount of the financial loss.

In all cases, the social engineers took advantage of several psychological triggers, persuasion or compliance principles. We found evidence for all five principles proposed by [8]. We demonstrated that the principles can be applied to the cryptocurrency context and that they are not only utilized in phishing e-mails but in other social engineering techniques as well.

When using compliance principles, the social engineers induce their victims to use automatic decision mechanisms rather than rational reasoning [36]. These mechanisms are also called heuristics or mental shortcuts. Humans automatically use these heuristics in most decisions taken every day in order to reduce cognitive load [6]. The heuristics are evolutionarily beneficial, because people cannot fully analyze every decision. The distraction principle can serve as an excellent example of intuitive decision making. Instead of having time to carefully consider an offer, the cryptocurrency investors were rushed by the social engineers into making quick (automated) decisions. In the case of the fake Twitter accounts (case D), the followers were offered a limited number of free tokens. They were distracted for at least three reasons: (1) the greed to get something valuable for free, (2) the scarce availability of the tokens, and (3) time pressure due to many potential rivals (Elon Musk has more than 20 million followers). Had the victims taken some time to carefully consider the offer, they could easily have found out that the Twitter account was fake, due to the wrong account name.

The cryptocurrency cases indicate that, by cutting out the middlemen, there is one major shortcoming for blockchain users: there are no banks or other trusted third parties to protect unsuspecting users from malicious acts and frauds. Moreover, due to the structure of the blockchain, the damage is irreversible. As is true for other information systems as well, the attackers target the human factor as the weakest link to fulfil their goals. Although the attackers need technical skills to prepare and execute their attacks, they ultimately exploit human weaknesses. Compared to an attack on the blockchain’s technology, it is far easier to hack its users [1].

In addition to the exploitation of the compliance principles, another success factor might be the lack of knowledge of cryptocurrency investors about blockchain technology. A study shows that 80% of people who have heard of blockchain technology do not understand it [51]. However, understanding is essential for securely using a technology [52]. Users need at least basic knowledge of blockchain constructs, such as private keys, to prevent them from simply revealing them, as shown in case A. The [19] study also revealed a lack of security knowledge amongst cryptocurrency users. Many users did not even apply basic security measures such as encryption and backups. On the other hand, when it comes to social engineering, users seem to be overconfident: they think it is not likely that they will be targeted by a social engineer and, if so, that they would be able to detect or resist such an attack [36, 53].

In order to decrease the possibility that cryptocurrency investors fall for social engineering attacks – as it is the case for all threats that exploit the human factor in information security – there is a need to increase their information security awareness [54, 55]. Several theoretical models express different views on what constitutes information security awareness. However, there is a common understanding about three aspects of information security: cognition (understanding of the problem and the knowledge to solve it), intention to act (willingness of the user to behave in accordance with the knowledge), and organization [56].

Therefore, users need to be informed about blockchain technology, public key cryptography, monetary systems and cryptocurrencies, and effective technical security mechanisms (e.g., for website wallets) [19]. Additionally, they need to know about social engineering attacks, including compliance principles, the principles’ effects, and possible counter strategies [2]. The intention to act, or behavioral intention, is a complex construct consisting of several factors, such as the attitude to the specific behavior, the perceived norm of that behavior, and the assessment of the personal capacity to act [57]. In order to influence the behavioral intent, security awareness measures must address the users’ feelings and beliefs [58]. As one specific consequence, users not only need to be informed about social engineering attacks, but effectively trained in detection and counter strategies, using, for example, serious gaming, role plays, experimental exercises, and repeated decision trainings [2, 56]. The above-mentioned overconfidence might be tackled by confronting users with examples of successful attacks [59]. The last aspect of information security awareness – organization – refers to the ability to behave according to knowledge and intention. The organizational setting should be designed in a way that facilitates rather than hinders secure behavior. The whole research field of usable security or user-centered design of security mechanisms addresses this aspect [e.g., 20, 21]. An improvement in the cryptocurrency context would be more intuitive user interfaces for website wallets or key management systems [19].

Programs for raising the information security awareness of employees have a long tradition in public and private organizations [cf. 54]. The programs do not always deliver the intended results, one reason being that the above-mentioned aspects of information security awareness and their implications for how to design effective programs have not yet been fully understood by most organizations [60, 61]. The importance of also addressing individual or home users with information security awareness programs is stressed by [e.g., 55, 62]. However, it is even more difficult to effectively address an uncoordinated group of inhomogeneous private cryptocurrency users. [60] demonstrate that awareness campaigns started by governmental organizations often fail. To conclude, future research is needed to propose methods that effectively increase the information security awareness of individual users in general and of cryptocurrency users specifically. It should be in the interest of cryptocurrency service providers to educate their users about risks and threats. If the blockchain technology loses acceptance, their business model would suffer as well. The platform www.myetherwallet.com gives two examples of how to increase awareness. Upon entering the website, a popup informs visitors about important facts about website wallets: users’ responsibility for security, services the platform does and does not offer, blockchain technology, the role and importance of private keys, threats such as phishing and scams, as well as protection mechanisms.

6 Conclusion and Outlook

The human nature of using mental shortcuts is being exploited successfully by social engineers. They take advantage of the five compliance principles Authority; Social Proof; Liking, Similarity & Deception; Commitment, Reciprocation & Consistency; and Distraction to make their targets fall for their attack [8]. Social engineering has been used in five recent cryptocurrency frauds, resulting in financial losses for the victims. The social engineers lured the targets either into transferring cryptocurrencies to the social engineers’ addresses or into disclosing the targets’ access credentials to their addresses.

To the best of our knowledge, this has been the first study that analyses social engineering attacks in the cryptocurrency (and blockchain) environment. As a limitation, we did not do a thorough, quantitative assessment of all known cryptocurrency frauds, and the selected cases are probably not representative of all types of frauds. However, it was our intention to generate some first substantial insights into the use of social engineering in blockchain applications. We showed that the above-mentioned compliance principles have been exploited by the social engineers in their attacks, and we analyzed how the principles helped the social engineers to reach their goals. We described five cases of cryptocurrency frauds, structured according to the social engineering ontological model of [10], which proved to be a valid and helpful tool for this purpose. An additional purpose of our paper was to increase the awareness of cryptocurrency users of potential threats by presenting real-world cases that resulted in severe financial losses.

We encourage future researchers to follow the path of analyzing social engineering attacks, the use of compliance principles, and information security awareness in the cryptocurrency and blockchain environment. So far, the social engineers have targeted mainly individual users and profited financially from their attacks. But with the increasing adoption of blockchain technology in the business environment (e.g., in biomedical and health care [63]), criminals will turn their attention to companies and their employees. They will use similar tactics to gain access to the companies’ information and information systems. In other blockchain use cases, stolen tokens may as well represent a suffrage or an identity proof [e.g., 64]. It is advisable to prepare for these new threats.