A man has spoken of his devastation after losing nearly £325,000 in a cryptocurrency scam, having been fooled by an impersonator of a genuine financial company on X, formerly Twitter.
Olivier Acuña, 61, from Kent, worked for technology firm IoTeX that paid his salary and bonus in its own tokens – an alternative to bitcoin – which he had let accrue over his two-year employment.
But when it came to withdrawing the substantial amount, he encountered a software issue – the “wallet” where his tokens were stored needed updating.
Having posted on the social media platform about the problem, Mr Acuña was contacted by private message by a person claiming to be from the firm which provides the wallet.
But at the other end of the computer was a fraudster, who tricked him into sharing a “seed phrase” – a combination of passwords that allows access to your cryptocurrency.
Initially, Twitter’s blue tick system provided the site’s users with a means to distinguish genuine notable account holders, such as celebrities and organisations, from imposters or parodies.
But when Elon Musk took over he brought in the Blue subscription service in 2022, which allows users a blue tick for a monthly fee.
Mr Acuña told i the theft has left him unable to retire. “This has really hit me because this currency was going to be my pension,” he said. “I’ve no other pension.”
The journalist and PR expert, who worked as director of public relations for IoTeX – a Silicon Valley-based firm specialising in blockchain cybersecurity – blames his former employer for the lack of a software update.
However, IoTeX told i that it denies responsibility, stressing that it advised Mr Acuña to wait for the software issue to be resolved and that it was his “misbehaviour” to share personal information online.
‘Today, a blue tick means nothing’
Companies are increasingly opting to pay their employees in crypto, most typically as part of their salary or as a bonus. These tend to be firms operating in the cryptocurrency space. Coinbase and Blockchain.com are some notable examples.
This trend has been prompted by the growth of exchanges and services around digital currencies and blockchain – which is a secure database across a network of participants.
Mr Acuña’s money was stored in a “cold crypto wallet” that, for extra security, does not connect to the internet, making it harder for hackers to access the funds.
The Ledger hardware wallet looks and functions like a USB drive and requires a computer and a specific app to store the keys offline.
A seed phrase, also known as a Secret Recovery Phrase (SRP), is a collection of 12 to 24 words that allows you to restore your entire crypto wallet. Anyone who gains access to the private key or seed phrase of a wallet gains complete control over the coins in that wallet.
Mr Acuña explained he waited for two years to withdraw his tokens when his employment came to an end because he had other work and was in a position where he didn’t need the money to live off.
“I tried withdrawing the money, but my many attempts failed,” he said. “I am not techy, so I had no idea what I was doing wrong. I urgently needed money, so I desperately tried and tried again to withdraw.
“But it appeared that the Ledger needed updating.”
Mr Acuña’s colleague at IoTeX posted on X to ask Ledger to update their app on his company’s network and after Mr Acuña replied to the thread, a person who appeared to be from Ledger’s customer support team sent him a direct message.
“This person took advantage of my vulnerability,” he said. “They shared a link to a scam website where they asked for my seed phrase. I made the mistake of sharing it and they stole all my IOTX tokens.
“The impersonator had a blue tick, which fooled me. Today, a blue tick means nothing.”
Mr Acuña said the stolen IOTX tokens were traced to nine Binance user wallet addresses, and when he contacted Binance – the world’s largest cryptocurrency exchange – it told him it couldn’t act unless the police were involved.
Mr Acuña, who was staying in Spain at the time, contacted Spanish police but says they did not act quickly enough and the money was moved on.
He was only able to recover $20,000 (around £16,100) of stablecoins that were stolen but not the £325,000 ($400,000) of IOTX tokens he had accrued.
A spokesperson for IoTeX said: “Mr Acuña received prompt support. We acted immediately to investigate and contacted Ledger for a quick re-publication of the app, which the Ledger team addressed after a few days.
“Unfortunately, despite our advice to Mr Acuña to wait while this issue was being resolved, he chose to proceed on his own after only a few hours. This led to the unfortunate incident where he fell victim to a phishing scam. It’s his misbehaviour to share the seed phrase.”
He stressed that IoTeX does not hold users’ private keys or seed phrases; therefore, the firm cannot “lock” access to assets in any way, and that third-party tools like Ledger are not under the firm’s control.
He also insisted that it was possible to transfer the native IOTX tokens with the old version of the app and that IoTeX users can always access their assets via software by using the recovery phrase, provided they have the correct technical knowledge.
“While we deeply regret any inconvenience and distress caused to Mr Acuña, we must clarify that the security measures provided for managing tokens on all IoTeX applications are beyond robust. It was an external phishing attack, and not our responsibility, that led to Mr Acuña’s loss.”
X’s press team still autoreplies: “Busy now, please check back later.”
New FCA rules for cryptocurrency
Cryptocurrencies like bitcoin have become increasingly popular in the UK. One in ten Britons is estimated to have invested in the digital asset, according to the Government.
Refundee, a firm that helps people who have been the victim of a scam to get their money back, said the most common scams it sees are cryptocurrency investment scams.
William Ayles, the company’s founder, said: “Scams involving cryptocurrency are the number one scam type that we see at Refundee.
“Where a regulated firm has been involved in transferring the money, victims might be able to get money back. Refundee has recovered millions of pounds for cryptocurrency scam victims and over £35m in total.
“But for victims who lost their money using unregulated firms, the chances of recovering the money are extremely low as they won’t be able to access the Financial Ombudsman Service.”
Since October 2023, companies wanting to promote cryptoassets in the UK must be authorised by the Financial Conduct Authority (FCA) or have their marketing approved by an authorised firm.
Promotions must also be clear, fair and not misleading, labelled with prominent risk warnings and must not inappropriately incentivise people to invest.
The FCA has repeatedly warned that investing in cryptocurrencies is extremely high risk and that people risk losing all their money.
The Government plans to legislate for a regulatory cryptoasset framework by the end of July.
Shaun van Eeden from Refundee said: “The new FCA regulations we anticipate will have a strong impact in protecting the public from cryptocurrency scams. They put stronger controls in place regarding the promotion of cryptocurrency, and the impact is that cryptocurrency use should shift to be more with professional and institutional investors.”