Scammers will always try to get as close to you and your funds — whether in crypto or fiat — as they can. One of the places where web3 participants are at their most vulnerable is centralized exchanges (CEXs).
As opposed to decentralized exchanges (DEXs), where one party exchanges tokens directly with another according to smart contracts (code), CEXs need their customers' trust because they take custody of customer funds for at least part of the order process. Whereas DEXs conduct the entirety of every trade on chain, CEXs usually store their order books — the ledger where trades are recorded — off chain.
Because the order is held off chain, the user can't track its progress on a public ledger, and instead has to trust that it is being processed and that they will receive the funds they were promised.
And wherever trust is necessary, it can be exploited. Let's take a look at how these scams are usually structured.
Not all exchanges are created equal
None of this is to say that DEXs are fundamentally safer than CEXs. Because they rely almost entirely on smart contract code, they are exposed to exploits whenever a capable attacker finds a flaw in that code and leverages it to their benefit.
CEXs also vary in their trustworthiness, but since this is a subjective label determined by individuals' experiences and opinions, most discussion is moot. The collapse of FTX in late 2022, a CEX widely lauded as one of the most trustworthy, demonstrates why you should retain a healthy scepticism towards CEXs and look into self-custody solutions to minimize your exposure to the risk of centralization.
How the scam works
Like many scams in web3, fake exchanges operate with a model that lures users with the promises of better-than-average (or, often, spectacularly better than average) returns on investments. Other promises could include sign-up bonuses, such as free crypto. Whilst many legitimate CEXs offer rewards for using their platform, it is rarely without conditions: it's more commonly a reward for completing a certain number of transactions, or for just becoming more heavily involved in the platform through deposits or similar. No-strings-attached free money is usually a sign of a scam. We find ourselves saying this a lot, but it is an almost-universally relevant principle to keep in mind in web3: if it seems too good to be true, it probably is.
Anyway, here's the playbook:
You're presented with the scam site. The scammer's method for getting you on their site can vary, and could be any of the following (and more):
- Unsolicited direct messages on social media
- Traditional communication methods such as email or text
- Mimicking a reputable CEX. This can include mimicking the appearance of the site itself, but also 'typosquatting' with a similar URL, or just adopting similar or related names to major reputable exchanges.
You're promised significant rewards. To entice you to use the fraudulent site, the scammers need tempting bait. This could be instant sign-up bonuses, extremely high returns (APY) on deposited or staked assets, or something similar. Sometimes, in order to access these returns and use the platform, users are required to pay some kind of account fee to set up their profile and enable trading.
The money you deposit to invest is stolen, and your portfolio and trade history are manipulated. When you deposit to make trades on the platform, your funds are simply taken by the scammers. However, they are likely to make sure that your portfolio and/or trade history is configured to suggest that you did make the trade and received the appropriate amount in return. Because the displayed trades are adjusted by hand, they can easily reflect the high returns or bonuses that were initially promised. The result is that the user believes they are making considerable returns, since every time they check their portfolio they see those returns reflected there. In reality, any deposit they make is likely to be pocketed immediately by the scammer, with no actual trade having taken place.
How to stay safe: red flags to look out for
A common tactic for feigning legitimacy is mimicking the names and branding of existing CEXs. Make sure to inspect the domain name in the site's URL closely, and compare it with the real thing, which should be straightforward to locate. Scammers may also 'typosquat': they register a URL that is the same as the legitimate one except for one or two replaced characters, so a user who makes a simple typo can land directly on the scam site.
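To make that domain comparison concrete, here is an added example (not MetaMask's code) that checks a URL against a user-maintained list of trusted exchange domains and flags near-misses of one or two characters, as well as the trick of burying the real name in a subdomain of an unrelated domain. The allowlist entries and URLs are constructed placeholders, and the registrable-domain logic is simplified to the last two host labels.

```python
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the user has verified as the real exchange.
KNOWN_EXCHANGES = {"exampleexchange.com", "tradehub.io"}
# Edit distance treated as a lookalike: "one or two characters replaced".
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host of the URL; a bare domain is accepted as well."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified; production code should use a public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain in the URL."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in KNOWN_EXCHANGES:
        return "known"
    for known in KNOWN_EXCHANGES:
        # Real exchange name used as a subdomain of some other registrable domain.
        if known in host:
            return "lookalike"
        # Typosquat: almost the real name, but not quite.
        if edit_distance(domain, known) <= MAX_DISTANCE:
            return "lookalike"
    return "unknown"
```

A 'lookalike' verdict is a prompt to stop and compare the address against the exchange's real domain character by character, not proof of a scam.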
Promises of APYs, bonuses, and returns in general that are considerably higher than going market rates should always raise suspicion.
And, of course, always remember: never give your Secret Recovery Phrase to anyone. See more basic safety and security tips here.
- Scammers can pose as crypto exchanges in a bid to get you to deposit funds.
- Usually they offer bonuses or high returns to entice you.
- It's possible that your portfolio will display correct values in the site's UI, in line with what you've actually deposited. This can be a front, with your funds having been gradually stolen all along.
- You'll usually be able to spot these sites before you deposit due to a few giveaway features.
If you have any questions about this subject, feel free to head to the MetaMask Community or get in touch with Support via the 'Start a Conversation' button on the homepage of this site.