Betterment users hit by classic crypto giveaway scam

Betterment, a traditional investing service, was breached by crypto hackers. Thousands of users received fake push notifications and emails, promoting the classic “crypto giveaway” scam.

Users received the fake alerts from Betterment’s mobile app. Others received emails promoting the giveaway scam. The fake message promised to triple users’ cryptocurrencies. The “promo” was valid for three hours.

Crypto attackers impersonate Betterment

The email instructed users to deposit as little as $1 or up to $750,000 in Bitcoin or Ether. The mobile app notification said, “For example, if you send $10,000 in Bitcoin or Ethereum, we’ll send you right back $30,000 to your sending Bitcoin or Ethereum address.”

The hackers added specific Bitcoin and Ether wallet addresses. At the time of writing, the Bitcoin wallet had received 0.14626084 BTC, or $13,290.75. The Ether wallet has a net flow of $1,779.30.

Two hours after the breach, the Betterment team issued a warning on X and Reddit. On Reddit, a Betterment representative replied to a thread about the hack, saying, “We apologize for the confusion. This is not a real offer from Betterment…”

On X, Betterment’s official account explained that an unauthorized person gained access to its system. This allowed the attacker to send emails and push notifications on behalf of the company.

The company clarified, “If you clicked on the offer notification, it did not compromise the security of your Betterment account.” Betterment reassured users, saying that “The unauthorized access has been removed,” and an investigation has been initiated.

In a follow-up post, Betterment said the fake promo came from a third-party system. It wrote, “This was an unauthorized message sent via a third-party system we use for marketing and other customer communications.”

Upon further inspection, the fake emails came from two inboxes belonging to e[dot]betterment[dot]com. This appears to be a subdomain of Betterment’s main website.

A Redditor said, “I got an email about this. Everything appears to check out, headers look good, SPF, DKIM, and DMARC all passed.” This means the email was cryptographically authenticated. It was not a spoofed Gmail or a fake sender line. Betterment’s domain approved the fake email.

It’s unclear if user data was leaked from Betterment’s database to the dark web. Moreover, the compromised third-party tool is unidentified yet.

The breach shows how crypto hackers no longer rely on fake websites or cold emails. Attackers now use trusted financial platforms as a means of delivery. Once a user sends crypto, the money is gone. No chargebacks, no reversals, no recovery.

If you're reading this, you’re already ahead. Stay there with our newsletter.