The world of online misdeeds is an eerie biome, crawling with Bored Apes, Fancy Bears, Shiba Inu coins, self-­replicating viruses, and whales. But the behavior driving fraud, hacks, and scams on the internet has always been familiar and very human. New technologies change little about the fact that illegal operations exist because some people are willing to act illegally and others fall for the stories they tell. 

To wit: Crypto speculation looks a lot like online sports betting, which looks like offline sports betting; cyber hacking resembles classic espionage; spear phishers recall flesh-and-blood con artists. The perpetrators of these crimes lure victims with well-worn appeals to faith and promises of financial reward. In Fancy Bear Goes Phishing, Yale law professor Scott Shapiro argues that technological solutions can’t solve the problem because they can’t force people to play nice online. The best ways to protect ourselves from online tricks are social—public policies, legal and business incentives, and cultural shifts. 

Shapiro’s book arrives just in time for the last gasp of the latest crypto wave, as major players find themselves trapped in the nets of human institutions. In early June, the US Securities and Exchange Commission went after Binance and Coinbase, the two largest cryptocurrency exchanges in the world, a few months after charging the infamous Sam Bankman-Fried, founder of the massive crypto exchange FTX, with fraud. While Shapiro mentions crypto only as the main means of payment in online crime, the industry’s wild ride through finance and culture deserves its own hefty chapter in the narrative of internet fraud. 

It may be too early for deep analysis, but we do have first-person perspectives on crypto from actor Ben McKenzie (former star of the teen drama The O.C.) and streetwear designer and influencer Bobby Hundreds, the authors of—respectively—Easy Money and NFTs Are a Scam/NFTs Are the Future. (More heavily reported books on the crypto era from tech reporter Zeke Faux and Big Short author Michael Lewis are in the works.) 

“If we are committing serious crimes like fraud, it is crucially important that we find ways to justify our behavior to others, and crucially, to ourselves.”

Ben McKenzie, former star of The O.C.

McKenzie testified at the Senate Banking Committee’s hearing on FTX that he believes the cryptocurrency industry “represents the largest Ponzi scheme in history,” and Easy Money traces his own journey from bored pandemic dabbler to committed crypto critic alongside the industry’s rise and fall. Hundreds also writes a chronological account of his time in crypto—specifically in nonfungible tokens, or NFTs, digital representational objects that he has bought, sold, and “dropped” on his own and through The Hundreds, a “community-based streetwear brand and media company.” For Hundreds, NFTs have value as cultural artifacts, and he’s not convinced that their time should be over (although he acknowledges that between 2019 and the writing of his book, more than $100 million worth of NFTs have been stolen, mostly through phishing scams). “Whether or not NFTs are a scam poses a philosophical question that wanders into moral judgments and cultural practices around free enterprise, mercantilism, and materialism,” he writes. 

ABRAMS, 2023

For all their differences (a lawyer, an actor, and a designer walk into a bar …), Shapiro, McKenzie, and Hundreds all explore characters, motivations, and social dynamics much more than they do technical innovations. Online crime is a human story, these books collectively argue, and explanations of why it happens, why it works, and how we can stay safe are human too.

To articulate how internet crime comes to be, Shapiro offers a new paradigm for the relationship between humanity and technology. He relabels technical computer code “downcode” and calls everything human surrounding and driving it “upcode.” From “the inner operations of the human brain” to “the outer social, political, and institutional forces that define the world,” upcode is the teeming ecosystem of humans and human systems behind the curtain of technology. Shapiro argues that upcode is responsible for all of technology’s impacts—positive and negative—and downcode is only its product. Technical tools like the blockchain, firewalls, or two-factor authentication may be implemented as efforts to ensure safety online, but they cannot address the root causes upstream. For any technologist or crypto enthusiast who believes computer code to be law and sees human error as an annoying hiccup, this idea may be disconcerting. But crime begins and ends with humans, Shapiro argues, so upcode is where we must focus both our blame for the problem and our efforts to improve online safety.

McKenzie and Hundreds deal with crypto and NFTS almost entirely at the upcode level: neither has training in computer science, and both examine the industry through personal lenses. For McKenzie, it’s the financial realm, where friends encouraged him to invest in tokens to compensate for being out of work during the pandemic. For Hundreds, it’s the art world, which has historically been inaccessible to most and inhospitable for many—and is what led him to gravitate toward streetwear as a creative outlet in the first place. Hundreds saw NFTs as a signal of a larger positive shift toward Web3, a nebulous vision of a more democratized form of the internet where creative individuals could get paid for their work and build communities of fans and artists without relying on tech companies. The appeal of Web3 and NFTs is based in cultural and economic realities; likewise, online scams happen because buggy upcode—like social injustice, runaway capitalism, and corporate monopolies—creates the conditions.  

Constructing downcode guardrails to allow in only “good” intentions won’t solve online crime because bad acts are not so easily dismissed as the work of bad actors. The people who perpetrate scams, fraud, and hacks—or even participate in the systems around it, like speculative markets—often subscribe to a moral rubric as they act illegally. In Fancy Bear, Shapiro cites the seminal research of Sarah Gordon, the first to investigate the psychology of people who wrote computer viruses when this malware first popped up in the 1990s. Of the 64 respondents to her global survey, all but one had developmentally appropriate moral reasoning based on ethics, according to a framework created by the psychologist Lawrence Kohlberg: that is, these virus writers made decisions based on a sense of right and wrong. More recent research from Alice Hutchings, the director of the University of Cambridge’s Cybercrime Centre, also found hackers as a group to be “moral agents, possessing a sense of justice, purpose, and identity.” Many hackers find community in their work; others, like Edward Snowden, who leaked classified information from the US National Security Agency in 2013, cross legal boundaries for what they believe to be expressly moral reasons. Bitcoin, meanwhile, may be a frequent agent of crime but was in fact created to offer a “trustless” way to avoid relying on banks after the housing crisis and government bailouts of the 2000s left many wondering if traditional financial institutions could be trusted with consumer interests. The definition of crime is also upcode, shaped by social contracts as well as legal ones.

MCD, 2023

In NFTs Are a Scam/NFTs Are the Future, Hundreds interviews the renowned tech investor and public speaker Gary Vaynerchuk, or “Gary Vee,” a figure he calls the “face of NFTs.” It was Vee’s “zeal and belief” that convinced Hundreds to create his own NFT collection, Adam Bomb Squad. Vee tells Hundreds that critics “may be right” when they call NFTs a scam. But while some projects may be opportunistic rackets, he hopes the work he makes is the variety that endures. Vee might be lying here, but at face value, he professes a belief in a greater good that he and everyone he recruits (including the thousands of attendees at his NFT convention) can help build—even if there’s harm along the way. 

McKenzie spends much of two chapters in Easy Money describing his personal encounters with FTX’s Bankman-Fried, who was widely called the “King of Crypto” before his fall. Bankman-Fried professes to believe in crypto’s positive potential; indeed, he has claimed on the record many times that he wanted to do good with his work, despite knowing at points that it was potentially fraudulent. McKenzie struggles to understand this point of view. “If we are committing serious crimes like fraud,” he speculates, “it is crucially important that we find ways to justify our behavior to others and crucially, to ourselves.” While this rationalization certainly doesn’t excuse any crimes, it explains how people can perpetrate eye-boggling fraud again and again, even inventing new ways to scam. The human upcode that makes each of us see ourselves as the protagonist of our story is powerful, even and maybe especially when billions of dollars are at stake. 

Technological innovation does not change our fundamental behavior as humans, but technology has brought speed and spread to the gambling table. A single perpetrator can reach more victims faster now that the global world is connected.

Despite his research, McKenzie did gamble on crypto—he shorted tokens on a specific, and incorrect, timeline. He doesn’t disclose how much he lost, but it was an amount that “provokes an uncomfortable conversation with your spouse.” He’s hardly the only savvy individual in history to fall for a risky pitch; our brains make it painfully easy to get scammed, another reason why solutions that rely entirely on computer code don’t work. “The human mind is riddled with upcode that causes us to make biased predictions and irrational choices,” Shapiro writes. Take the “representativeness heuristic,” which leads us to judge something by how much it resembles an existing mental image—even if that may lead us to overlook crucial information. If an animal looks like a duck and quacks like a duck, the representativeness heuristic tells us it can swim. Phishing scams rely on this rush to pattern matching. For example, Fancy Bear, the titular Russian hacking group of Shapiro’s book, used a visually and tonally convincing message to attempt to hack into Hillary Clinton campaign staffers’ email accounts in 2016. It worked. 

FARRAR, STRAUS AND GIROUX, 2023

Also coming into play for scams, fraud, and hacks are the “availability heuristic,” which leads us to remember sensational events regardless of their frequency, and the “affect heuristic,” which leads us to emphasize our feelings about a decision over the facts, inflating “our expectations about outcomes we like”—such as winning a huge payout on a gamble. When Hundreds was concerned about whether NFTs were a good investment, he reached out to a friend whose belief was steadfast and found himself calmed. “It was that sense of conviction that separated the losers from the winners,” he writes, even when the facts might have supported stepping back. 

The marketing pitch of communal faith and reward, the enticement to join a winning team, feeds a human social instinct—especially as more offline modes of connection are faltering. It’s telling that after the SEC brought charges against Coinbase, the company responded by issuing a pro-crypto NFT, imploring its community to offer support for the struggling industry by minting it. (Coinbase and the minting platform Zora promise to donate the mint fees they’ll receive from consumers to pro-crypto advocacy.) The crypto industry rose to power on this kind of faith-based relationship, and it continues to appeal to some: more than 135,000 of the Coinbase tokens have been minted since the SEC suit was announced. Beyond money, “we’re just as motivated by identity and community (or its upside-down cousin, tribalism),” writes Hundreds, “and the most fervent contemporary movements and trends masterfully meld them all together. The only thing that feels as good as getting rich is doing so by rallying around an impassioned cause with a band of like-minded friends.”

Technological innovation does not change our fundamental behavior as humans, but technology has brought speed and spread to the gambling table. A single perpetrator can reach more victims faster now that the global world is connected. The risks are higher now, as clearly demonstrated by the headline-exploding results of the 2016 Clinton email hack, the billions lost by investors in the volatile crypto industry, and billions more lost through crypto hacks and scams. Shapiro argues that the efforts of the antivirus and antihacking industry to code guardrails into our online systems have failed. Fraud goes on. Instead, we must reexamine the upcode that has fostered and supported online crimes: “our settled moral and political convictions on what we owe one another and how we should respect security and privacy.” For Shapiro, effectively addressing online fraud, hacks, and scams requires political, economic, and social shifts such as creating incentives for businesses to protect customers and penalties for data breaches, supporting potential hackers in finding community outside of crime, and developing government and legal policies to prevent illicit payment through mechanisms like cryptocurrencies. 

Shapiro admits that shifting upcode this way will likely take generations, but the work has already started. The SEC’s recent moves against crypto exchanges are promising steps, as are the FTC’s public warnings against scammy AI claims and generative AI fraud. Growing public awareness about the importance of data privacy and security will help too. But while some humans are working on evolving our social systems, others will continue to hunt online for other people’s money. In our lifetimes, fraud, hacks, and scams will likely always find a home on the internet. But being aware of the upcode all around us may help us find safer paths through the online jungle. 

Rebecca Ackermann is a writer and artist in San Francisco.