This Valentine’s Day, stay safe from ‘Crypto romance’ scams’. Here’s how

Cybersecurity firm Sophos on Tuesday released its new findings about such crypto romance scams in its report on fraudulent trading apps that sneak into mobile app stores. In the report, Sophos details two fake crypto romance apps—Ace Pro and MBM_BitScan—that successfully bypassed Apple’s security protocols. Sophos notified both Apple and Google about fraudulent apps on their platforms, which have since been removed.

According to Jagadeesh Chandraiah, senior threat researcher at Sophos, before such apps, scammers typically used workaround techniques to convince victims to download illegitimate iPhone apps that were not sanctioned by the Apple store. But that kind of attack needed aptitude with social engineering, which is not easy. But by getting such fraudulent apps on app stores, scammers vastly increase the size of their target victim pool, especially since most users inherently trust Apple.

How the latest crypto romance scam works

In a scam detected by Sophos, the scammers created and actively maintained a fake Facebook profile of a woman depicted as living a lavish lifestyle in London. The scammers used this to build a rapport with the victim before suggesting that they download the fraudulent Ace pro app.

On the App store, Ace Pro was described as a QR code scanner but actually, it was a fake crypto trading platform. Once a user opens the app, they see a trading interface which makes it seem like they can deposit and withdraw money and cryptocurrencies. But once they deposit any money, it goes directly to the scammer.

Sophos researchers believe that the app got around App Store security by connecting to a remote and benign website when it was originally submitted for review. This domain included code for QR scanning to make it look legitimate to reviewers. But once the app was approved the scammers redirected the app to an Asian-registered domain. This domain then sends a request to get content from another host, which ultimately contains the fake trading interface.

The MBM_BitScan app is also available on Android but on the Google Play Store, it is known as BitScan. Both MBM_BitScan and Ace Pro use the same back-end infrastructure that resembles a legitimate Japanese crypto firm. Most of the malicious content is hosted on a web interface, making it hard for Google Play’s core reviewers to detect it as fraudulent.

How to spot crypto romance scams and stay safe from them

One of the things that makes crypto scams so dangerous is that it is difficult to locate and track the wallets that the scammers use to handle the cryptocurrencies that they scammed out of the victims. So, the best cure for a crypto is preventing it from actually happening.

The adage “There ain’t no such thing as a free lunch” works here. Be as sceptical as possible about unknown individuals who approach you online. Make sure you do not click any links or download any unknown apps that people send you. Also, be smart with your wallet credentials and never ever share your crypto seed phrase or recovery phrase with anyone.