What is spoofing?

Spoofing is a deceptive practice that has persisted for years, often involving fraudulent communications that closely mimic legitimate sources. A common scenario includes victims receiving counterfeit emails or calls that appear to originate from their bank adviser, leading them to transfer funds unwittingly. In the realm of cryptocurrency, investors have become prime targets for such attacks. This article provides essential insights into this pervasive issue and offers guidance on safeguarding your investments.

• Spoofing involves crafting fake communications that mimic legitimate sources to deceive victims

• Crypto investors are frequently targeted due to the irreversible nature of blockchain transactions

• Techniques like typosquatting, alias spoofing, and domain spoofing are commonly used in these attacks

• Recognizing warning signs and verifying communications are essential for staying protected

What is spoofing: definition and meaning

The term "spoofing" originates from "spoof," meaning a prank or hoax. In cybersecurity, spoofing involves falsifying communication sources to impersonate a legitimate entity. A typical example is an employee receiving an email that appears to come from their company's CEO, complete with a convincing email address and signature. The message may request an urgent, confidential transfer, exploiting the recipient's trust and sense of urgency. This is particularly effective because several elements are combined:

• Authority: the impersonation of a senior figure, such as a CEO

• Credibility: a plausible context, like a confidential acquisition

• Urgency: pressuring immediate action

• Authenticity: a visually convincing appearance

How does email spoofing work?

Spoofing exploits the inherent trust in internet mechanisms. Imagine the email system as a postal service. In traditional mail, anyone can write any sender address on an envelope. The email protocol (SMTP) works the same way: it was designed for message transmission, not sender verification.

This historical architecture makes spoofing technically simple to achieve. The technical barrier has been further lowered with the appearance of software available on the Web, exploiting one of the following techniques.

Typosquatting

Typosquatting involves creating domain names that closely resemble official sites, relying on subtle changes to mislead users. This can include minor spelling errors (e.g., "laposte.fr" becomes "lappost.fr"), using different extensions (e.g., "amazon.fr" becomes "amazon-fr.com"), or misleading capitalisation (e.g., "PayPaI.com" with a capital I instead of an L).

Email alias spoofing

Email alias spoofing is a simpler yet highly effective technique. Hackers alter the displayed name in your inbox, making the email appear to come from a trusted source. For example, an email might seem to come from "Customer Support - Bitpanda," but the actual sender’s address could be something entirely different, like "[email protected]." Attackers rely on users focusing only on the displayed name and not verifying the complete email address.

Domain name spoofing

Domain name spoofing is a more advanced technique. Hackers manipulate the technical details within the email headers to make the message look like it originates from a legitimate domain. For instance, an email could appear to come from "[email protected]" while actually being sent from an entirely different address.

These methods rely on mass distribution, where even a small success rate can yield significant gains for cybercriminals. A single successful attempt can compromise networks or result in large financial losses.

Variations of spoofing

Spoofing attacks come in many forms, each exploiting different aspects of digital communication to deceive and manipulate targets. Below are two common variations that highlight how cybercriminals adapt their methods to exploit vulnerabilities:

IP address spoofing (IP spoofing)

IP address spoofing is a highly sophisticated cyberattack where the attacker masks their IP address, making their device appear as a trusted one. Similar to a car’s number plate, an IP address is a unique identifier that facilitates communication between devices on the internet. In an IP spoofing attack, the hacker manipulates this "number plate" by altering the data packets sent from their computer, enabling them to bypass security measures or disguise malicious activities.

Phone spoofing (caller ID spoofing)

Phone spoofing, also known as caller ID spoofing, manipulates the phone number displayed on the recipient’s device during a call. This type of spoofing preys on our instinct to trust familiar or recognised numbers. It is enabled by the SS7 protocol, which governs telephone networks and relies on unverified information to display the caller’s number. This lack of verification makes phone spoofing a particularly dangerous and deceptive tactic.

Who are the primary targets of spoofing?

Spoofing attacks often target individuals and organisations with high-value assets or sensitive data. Here are two examples of how these attacks exploit trust and urgency to devastating effect:

Companies and their treasury

One of the most notable cases of spoofing cybercrime involved the French cinema group Pathé. In 2018, fraudsters targeted its Dutch subsidiary, leading to a loss of €19.2 million. Impersonating then-CEO Marc Lacan, the attackers sent emails to the Dutch financial director referencing a confidential acquisition in Dubai and requesting urgent money transfers.

This attack was remarkably elaborate: the emails mirrored the company’s official communication style, included accurate logos and signatures and referred to plausible business processes. To add credibility, the fraudsters even arranged fake conference calls with supposed lawyers. Over time, €19.2 million was transferred to foreign accounts, showcasing the immense risk spoofing poses to businesses.

Crypto investors

Crypto investors are frequent targets for spoofing due to the irreversible nature of blockchain transactions. In December 2024, a sophisticated spoofing campaign targeted users of Ledger hardware wallets. The attackers forged Ledger's official support email address to send fake alerts claiming a "recent data breach."

The emails urged users to "verify" their private recovery phrase (seed phrase) to secure their assets. Victims were redirected to a counterfeit website that closely resembled Ledger's official site. A pop-up on the site prompted users to input their 24-word seed phrase, granting the attackers full access to their wallets. This example highlights how spoofing tactics exploit trust and technical ignorance to compromise sensitive crypto assets.

What is order book spoofing?

In the cryptocurrency ecosystem, spoofing often manifests as a form of market manipulation. The tactic involves placing large buy or sell orders with the sole intention of cancelling them before execution. The goal is to create an illusion of liquidity to influence market prices. Here's how it works in practice:

• A manipulator places large orders at key price levels, just below the current market price. For example, if Bitcoin is trading at $95,000, they might place large buy orders at $94,500.

• Other traders observe these significant orders and interpret them as a sign of strong interest at that price. Sellers, anticipating a price rise, may adjust their selling prices upward.

• Before these large orders are executed, the manipulator cancels them. This action removes the apparent support from the order book.

• The cancellation creates a vacuum in the order book, causing selling traders’ orders to be executed at unexpectedly lower prices. This rapid price drop allows the manipulator to buy assets at a reduced cost.

Once they’ve acquired their position at an artificially low price, the manipulator either works to push prices higher or waits for natural market recovery to sell at a profit.

In regulated financial markets, spoofing has been illegal for years, with authorities actively pursuing and penalizing offenders. For example, in 2021, a former Deutsche Bank trader, James Vorley, received a prison sentence for using spoofing tactics to manipulate gold and silver prices between 2008 and 2013.

However, in the relatively unregulated crypto market, spoofing remains a persistent issue. The lack of stringent oversight allows manipulators to exploit these tactics, disrupting market integrity and eroding trust among investors.

What is a “spoof coin”?

“Spoof coins,” or fake cryptocurrencies, are a type of fraud that targets the crypto ecosystem. These counterfeit tokens are designed to closely mimic popular and legitimate cryptocurrencies by copying their names, symbols and visual identities. Fraudsters create these tokens to deceive unsuspecting investors into purchasing them, thinking they are acquiring the real asset.

Examples include:

• SHIBA on BSC: The legitimate SHIB token operates on Ethereum, but imitations circulate on the BNB Smart Chain.

• BONK on Ethereum: The real BONK token is native to Solana, yet fake versions exist on other chains.

• XRP on BSC: Tokens labelled “Ripple” or “XRP” on the BNB Smart Chain are not the genuine Ripple.

Fraudsters often use subtle naming tricks, such as replacing characters (e.g., “BlTCOIN” with a lowercase L instead of an I), adding symbols (“USDC_”), or introducing slight variations like “ŞOL” (using a cedilla) or “DOGE2.” These counterfeit tokens pose a particular risk on decentralised exchanges (DEX), where anyone can create and list a token without rigorous oversight. Victims may unknowingly purchase these worthless tokens, thinking they are legitimate assets.

Using a regulated platform like Bitpanda helps mitigate this risk. Bitpanda ensures that only official tokens are available for purchase by verifying smart contract addresses and accepting authentic versions on their native blockchains.

Conclusion: how to protect yourself from spoofing

The December 2024 attack on Ledger users underscores the importance of vigilance in the crypto space. Unlike traditional banking, cryptocurrency transactions are irreversible, leaving little recourse after a successful spoofing attack. To safeguard your assets:

• Verify sender information: always check the full email address, not just the display name

• Be cautious of inconsistencies: scrutinize emails for minor errors or unusual requests

• Avoid clicking on unsolicited links: do not engage with unexpected emails containing attachments or links, even if they appear to come from known companies

• Confirm through alternate channels: if in doubt, contact the company directly using official contact information to verify the communication's legitimacy

• Never share confidential information: refrain from disclosing sensitive details like login credentials or recovery phrases via email

Staying safe also requires staying informed about the latest developments and deepening your understanding of how scams operate. The Bitpanda Academy offers many resources to help you stay secure in the crypto world, covering the biggest risks in investing and more.