How to Protect Your Anonymity Against Crypto Dusting Attacks

Understanding the nature of dusting attacks and airdropping can help you determine the best way to protect yourself and your crypto holdings from hackers and scammers.

Since Bitcoin’s debut to the public more than a decade ago, supporters have praised the benefits of cryptocurrency transactions including decentralization, transparency and anonymity. While these benefits certainly have their advantages, crypto’s nature also opens you up to a level of risk that has been realized through activities like dusting attacks and airdrops that often go completely unnoticed if crypto holders don’t know what to look for. Fortunately there are steps you can take to protect yourself from malicious entities interested in deanonymizing you. Understanding the nature of dusting attacks and airdropping can help you determine the best way to protect yourself and your crypto holdings from hackers and scammers.

The blockchain: Not as anonymous as you might think

Many people mistakenly think bitcoin is private. It’s anonymous, yes, but not private. A transaction is made up of input(s) and output(s). When you spend, you are creating a transaction using your address as an input. When you receive, your address is given an amount of bitcoin, which becomes the output. All of this transaction information (including the addresses involved, amounts and times of the transactions) are recorded on the blockchain. As that ledger is 100% transparent and public, so are your transactions. Any uninvolved party (people who have not transacted with you directly) examining the blockchain can see the cryptocurrency being received or spent — they just won’t know it’s you spending or receiving it because the owners of the addresses are not revealed. If the person you’re transacting with knows who you are however, they may be able to associate your blockchain wallet (and future transactions) with you, as anonymity only applies when referring to non-involved parties. And even still, a non-involved party may not know who you are from the beginning, but by watching blockchain activity, they may be able to figure it out if your wallet is maliciously “dusted” and use this information to deanonymize you in the future.

Dusting: Revealing your identity, one satoshi at a time

When you use bitcoin to pay for something, one or more addresses (UTXOs) are selected that most closely match the amount due and you receive an output UTXO with your change. For example, if you were paying for something equal to $400 and you had three UTXOs in your wallet equal to $5,000, $5, and $399, you could use the UTXOs equal to $399 and $5 and would receive a UTXO back worth $4. All of this information is recorded on the public ledger.

With dusting, a hacker or scammer sends very small amounts of a cryptocurrency (dust) to a large number of addresses. If you receive dust, you will have a UTXO in your wallet with a very small value. As you spend from your wallet, the attacker watches to see when the dust UTXO is picked up. When it is, they take note of all the other UTXOs that go along with it as well as what addresses they go to. When these entities study transactional patterns long enough, they can eventually identify all the addresses linked to your wallet, which means they can figure out how much crypto you have. If your account is of interest (you have large sums), they can work on figuring out it belongs to you, which can make you a target for anything from scams and phishing campaigns to cyber-extortion threats.

One reason dusting is so insidious is that the amounts of crypto sent to accounts are so very small; they are smaller than the minimum transaction fee required to use cryptocurrency. Most times, the dusting amounts are calculated in units known as satoshis; one satoshi equaling 0.00000001 bitcoin. Given the minuscule size of dust, the chances are pretty good that many people won’t notice them as they casually scan their cryptocurrency total.

Airdropping: Free tokens, potential scams

Airdropping is similar to dusting in that it adds small amounts of crypto to your wallet. But airdropping’s purpose is far less ominous. Companies that airdrop want to use you to spread the word about their great new cryptocurrency. As such, they will send free coins or tokens to your address (found on the public blockchain). Sometimes they send them free and other times they ask for something in return (like a tweet about the company and its currency). You might also actively encourage airdrops to your wallet in hopes that the new cryptocurrency will ultimately have a large payout. There are hundreds of airdrop lists and websites, all eager for your interest.

While the purpose of airdrops is often benign, problems come up when hackers and scammers reach out for more than your public wallet address. If you aren’t careful, you could be at risk from the following:

  • Private key theft. Private key theft takes place when an airdrop entity asks for the private key to your wallet. You should never give out your private key. While more savvy crypto users can spot such a scam, those new to cryptocurrency trading could fall victim to it.
  • Trolling/information collecting. Sometimes nefarious airdrop websites are used, not to promote currencies, but to gather data — such as email, wallet addresses or even social media information — that can be sold to third parties or used for future phishing attempts.

Protect your crypto from malicious dusting and airdrop attacks

Because cryptocurrency transaction information is public knowledge, it’s important to protect yourself, your holdings and your anonymity. In addition to ensuring anti-spam and anti-viral protection for your wallet, consider the following steps.

If you think you’ve been dusted, don’t move the dust. Look for wallet apps that allow you to “mark” small, unknown deposits in your wallet to prevent them from being used for other transactions.

Monitor your balance — 100% of the time. If wayward satoshis suddenly show up in your cryptowallet, you might have been dusted. It’s a good idea to find a wallet app with a push notification, which tells you when you receive new funds.

Don’t give out private information — ever. If a website — or other airdrop entity — wants more than your wallet address in exchange for tokens or coins, it’s a red flag. Be as wary of handing out your cryptocurrency information as you would be of providing fiat bank account log-in data.

Keep your anonymity in place

None of the above is meant to suggest that cryptocurrency trading or usage is dangerous. It is, however, a reminder that while transactions can be anonymous (when actually conducting a transaction you may potentially be revealing information about who you are to complete it, which can then be associated with your wallets), they aren’t private. Unfortunately, scammers and hackers are taking advantage of the very public blockchain technology to determine the identities of those behind cryptocurrency transactions.

The good news is that knowledge is power. You can protect yourself from malicious entities and preserve your anonymity by being aware of attacks like dusting and taking preventative action. Doing so will better protect you and your holdings while helping to ensure you don’t become victim to phishing or cyberextortion threats.

How to Protect Yourself Against Phishing and SIM Swapping Attacks

Image for post

As cybercriminals are becoming more sophisticated, their attacks are becoming increasingly challenging to defend against. Two of today’s most concerning types of cyberattacks for cryptoasset owners are phishing and SIM swapping. Phishing accounts for 90% of all social engineering incidents and 81% of all cyber-espionage types of attacks, while SIM swapping, although less common, can cause equally devastating effects. Cryptocurrency holders in particular, are attractive to black hat hackers and are uniquely vulnerable to phishing and SIM swapping attacks — here’s what you need to know to protect yourself.

Protecting against phishing attacks

Phishing is a socially-engineered cyberattack that is primarily used to obtain sensitive information including as usernames, passwords, bank/credit card details, or public and private keys to cryptocurrency wallets. The vast majority of phishing is done through email but it can also come through texts/SMS, social media, and chat services. Disguised as a trusted entity, the perpetrator tricks you into opening a message containing a malicious link or attachment. The links will typically then lead you to copycat sites resembling webpages of banks, payment processors, or online crypto-wallets. These sites are designed to trick you into entering your usernames and passwords.

There are also phishing scams that specifically target cryptocurrency holders. In most instances, the attackers masquerade as some of the more popular online wallet services (e.g. Blockchain.info or Coinbase) and prompt you to give up your credentials. In other scams, emails may include seemingly relevant attachments containing malware that infects your device and stealthily scans its files, searching for private keys to a cryptocurrency wallet.

As a general rule of thumb, if you get an email you weren’t expecting, and if something — anything smells “phishy,” disregard it entirely. Additionally:

  • Consider anything that comes into your spam folder a red flag
  • Be aware of email spoofing, which is when an attacker makes an email look like it came from a legitimate sender. For example, an email can look like it came from whitehouse.gov but it will likely (not always) go into spam since the address is spoofed.
  • Attackers can also make look-alike domains using a Cyrillic character that looks identical but isn’t. Those may show up in your inbox (not spam).
  • Always check the authenticity of any URLs included in the email and beware of URL redirects.
  • Avoid reacting impulsively to any calls to action (downloading attachment files or replying with any sensitive information). Keep in mind that phishing attacks are designed to make you feel a sense of urgency to respond.

Preventing SIM swapping

SIM swapping is a type of account takeover attack whereby the perpetrator breaks the two-factor authentication (2FA) security protocol by hijacking your telephone number. The attack usually starts with social engineering; scammers gather your personal details (e.g. full name, address, phone number) and call your mobile phone provider pretending to be you. Using various social engineering techniques, they then convince the wireless carrier employee to port your phone number to the attacker’s subscriber identification module (SIM).

After they’ve successfully hijacked your phone number, usually just by asking for a password reset, the attackers can break into any of your accounts — email, bank/online wallet account, and others that require a call or SMS 2FA. If your phone suddenly becomes unable to make or receive calls, you may be a victim of a SIM swapping attack and should take immediate action.

To avoid becoming another SIM swapping statistic, refrain from using your phone number with 2FA where the second factor is a call or SMS-enabled authentication. In fact, if you can, avoid giving your phone number to your email or other service providers entirely. Authentication apps like Google Authenticator or Authy are a much safer alternative, as they’re tied to your physical device instead of your phone number.

If you must provide a phone number to access a specific service, contact your cell phone provider about extra layers of security for preventing number porting. Some carriers provide additional layers of security. Also, make your standard pin something random and store that pin in a secure place like a password keeper.

Safeguard your crypto assets and personal information

Ownership over cryptoassets is established solely through digital signatures (public and private keys). Couple that with the irreversible nature of blockchain transactions and you get a potential recipe for disaster. If an attacker gets ahold of your keys or your recovery phrase, whether that’s through tricking you into abdicating them yourself (phishing) or by forcefully porting your phone number and breaking the 2FA of your online wallet (SIM swapping), the result will always be the same: your funds will be lost forever.

For these reasons, taking the precautionary steps to protect your accounts, your online identity, and, ultimately, your cryptocurrency holdings, is worth the extra effort.

The first card powered by your crypto,
not your credit score.

The first card powered by your crypto,
not your credit score.

Three SALT credit cards floating