Bank robbery


Beware Of The Bitcoin For Fiat Bank Apps Sting

Ofer Sharon
07 November, 2018
4 min read

Users of mobile money transfer applications of major banks in Israel were scammed into selling their Bitcoin without getting their fiat money's worth.



What's the Story?

Multiple reports have surfaced in recent weeks of innocent Bitcoin holders who fell victim to con artists of fraudulent Bitcoin sales. Victims were convinced to sell their Bitcoin, in return for money being transferred straight into their bank accounts, via mobile payment apps. Everything with the deal seemed to go smoothly at first, except the sellers ended up never receiving their money. The victims were using mobile payment apps connected to their bank account. All were accounts with the three leading banks in Israel – Leumi Bank, Discount Bank and Hapoalim Bank – as reported by Israeli financial news source “The Marker.” Each of the mobile payment apps used were the banks’ very own, developed by the banks themselves, and offered to their own customers as means to manage their accounts, and perform transactions using their mobile phones. 



The Sting - How the Thieves Did It

The victims were approached online through Bitcoin-related Facebook groups and Telegram chat rooms, and agreed to sell their Bitcoin to the “buyers” who convinced them to get paid via money transfers through the banks' payment apps.

The thieves exploited an inherent vulnerability in the way that money is transferred in mobile payment apps. The con relied on the fact that although it seems that the money transferred via such apps is received in the recipient account (once sent by the sender), the actual transfer itself occurs only hours and sometimes even days later. The funds aren't really transferred between accounts, until processed by the bank, and this does not occur instantly, despite what might appear in the payment app.



The “buyers” were using stolen credit cards. Consequently, when the transfer was eventually processed by the bank, it was instantly rejected. The sellers had no prior indication that the buyers were using a stolen credit card at the time of the deal itself; all they saw was an indication that the buyers did put down the order to send them the funds.

Eventually, the sellers ended up empty handed, with their Bitcoin already in the hands of the thieves. Due to their nature, cryptocurrency transactions cannot be refunded or charged back. Additionally, since the identity of the cryptocurrency wallet owner is anonymous – it is not associated with any real-world identity – it is practically impossible to track down the thieves’ identity.

By the Con-Book

It seems like somebody was paying close attention during class in con-artist school, because the thieves simply did everything 'right,' just by the con-book.

In order to create the illusion of trust with their victims, the con performed a very sophisticated stunt of what's called “social hacking.”

The thieves swapped ID cards with their victims, making their victims believe that they were dealing with a real person just like them, merely wishing to innocently trade Bitcoin. Only the thieves were using stolen IDs. But wait, it gets worse.  Once they got their hands on the victim's ID card, the thieves would use the first victim’s ID  to fool the next victim. Thus turning the innocent victims' suspicion towards one another.



In order to establish further credibility to their image as real personas, the thieves fabricated well-crafted social media profiles. In what is known in cybersecurity as “spearfishing,” the thieves were following the victim a long time before snaring the trap, researching the victim’s life and connections, allowing them to better deceive their victims.

Empty Handed

Money transfer apps do not necessarily guarantee buyer or seller protection. As opposed to credit cards, they don't offer insurance against theft or fraud, and the possibility of chargebacks. The victims’ bank could agree to reimburse their customers’ lost funds, as a generous privilege. But even if so, only after a lengthy and complicated process of explaining the details, providing evidence, and proving the innocence of the customer who fell victim to con artists. Otherwise, the victims are left empty handed with their bitcoins lost, never to be returned.

The Moral of the Story

Stories like this demonstrate the difference between cryptocurrency transfers’ instant transaction times, as opposed to the lengthy processing time it takes to perform traditional fiat transactions. At the very least, this issue exposes the inevitable inherent problem in any deal that involves mixing both types of transactions. Any such deal mandates dependency on trusted parties, whether transacting only with trusted parties, or depending on a trusted mediator or escrow. This somewhat contradicts the original vision for cryptocurrencies – being decentralized and decoupled from the dependency on trusted authorities and mediators.

Recommendations: How to Stay Safe

  • You should generally avoid depending on money transfer apps for trading with strangers.

  • Money transfer apps are generally designed for payments between friends or people who trust each other, and are not intended for buying and selling. Payments you receive in transfer apps can be reversed after they reach your account. When you receive a payment, it looks as if the money appears in your account instantly, and you might even be able to use the funds. However, the payment will be reversed if the payer used a stolen credit card number to fund the payment. Eventually, the card’s legitimate owner might file a chargeback, and the payment will be canceled.

  • Do not rely on inspecting social media profiles for establishing trust, as these can be fabricated.

The Bottom Line

Users of money transfer apps should be aware of the risks inherent to payment apps when performing transactions, and be careful when transacting with unknown figures online.

Bitcoin cryptocurrency Theft