Scams Explained to Protect Yourself as Scammers See New Frontier
What is this all about?
There’s exciting news sitting among your direct messages or emails. When you open it, your digital wallet is more likely to be empty. How come? Let us lift the lid on the most common NFT scams.
Scams have always been a significant threat to any sort of investment or business. In May 2021, millions of Americans experienced first-hand the damage of cybercrime. Malicious software gained access to the password of one employee of the Colonial Pipeline, which provides about 45% of the oil supplies to the east coast of the US. This presumably happened through phishing emails. The cost escalated from 4.4 million into the billions for shutting down the whole infrastructure for a week. By far, the most expensive phishing attack ever seen.
NFTs are no exception. As we move into Web3, the flaws do not necessarily lie in the technology itself, but in the naivety of many of us entering the space without much information. Many consumers fear and do not give it a try, others are discouraged or even traumatized by a bad experience. I think keeping ourselves informed is key. Therefore, scam techniques are probably the first things you should know before digging into the topic of NFTs. More often than not, you can catch scammers if you know what to look for. We will explore this in more detail now.
EXPLORING MOST COMMON NFT SCAMS
1. Phishing with a long-known trick: Emails
Phishing is undertaken through multiple channels, including email, mobile, social media, and phone calls. Most phishing attacks share common characteristics of an urgency to act or an impersonation of an individual or brand. Attacks will often leverage current topics to increase the likelihood of a victim taking the lure.
MetaMask is one of the most popular crypto wallets and gateway to blockchain apps giving you access to buy, store, send, and swap tokens on many platforms. Once you register, you will be given a 12-word called seed phrase, which is exactly what scammers are looking for.
Below is a typical email phishing sample asking for verification, which Metamask itself published on its social channels to raise awareness.
2. Tinder → Crypto Roms
Bulgaria-based cyber forensics call these new-age romance crypto scammers as “CryptoRoms.” The fraudsters manipulate their victims with love and seduction into transferring their tokens to strange third-party-applications and then ditching them afterwards.
Cyber Forensics reported a recent scam involving $277,000. The victim thought that it was a serious romantic connection, but it turned out to be emotionally manipulative tactics to gain access to the victim’s personal and financial information.
Here are the different ways Tinder crypto fraudsters operate.
- Tinder Verification on a particular app to enter personal and financial information, which is vital to bypass your crypto wallet.
- Catfishing or fake profiles as women establishing emotional connections and promising nudes, but draining your wallet, -good for ‘her,’ a kinky job with a clever move.
Rule #1, never share your seed phrase, even if you are falling ‘in love’.
3. Discord Bot | Channels | Direct Messages
Discord, along with Twitter, Reddit, and Slack, are popular in the crypto space. Once you join the projects’ channels, you will receive links from people pretending to be one of the founders, and urge you to click on them. However, no project will send you a direct link to mint an NFT, and to be safe, make sure you read their channel dedicated to guiding you on what NOT to do and follow their official social media to be aware of possible scams.
Hackers took phishing to another level by exploiting Discord bots on popular NFT projects and persuading users to click on malicious links. …one wrong click can cause irreversible damage to individual earnings, and a hijacked Discord server can pose threat to a large audience.
Many Discords have been hacked. The attackers make themselves administrators through webhooks and post a fake minting link in the Announcements channel.
Most projects even suggest turning your DM off, as they will never approach you with a promoting link to click on.
Another way to avoid this type of scam is to follow and check the official support accounts of wallets and platforms and to keep yourself informed.
4. Customer Support NFT scams
Scammers are usually faster and more reachable than official support channels ;). As soon as issues come up during minting, scammers jump to help under customer support accounts. As seen below, one Adidas fan asked the entire community if the dm received was a scam or real. It turned out to be a scam, — scam exposures like this, can raise awareness among the Adidas team and community and thus reduce damages.
5. Fake NFT Airdrops, Giveaways & Stealth Drops
When a new collection of NFTs is released, members of the white list or active community members are entitled to free limited edition or promotional items known as giveaways. NFT Airdrops are digital assets distributed among members’ wallets for free in return for any sort of marketing effort. The ultimate goal is to add additional value or draw attention to the brand by promoting awareness and circulation of the new project.
Scammers will use free airdrop events with posters, QR codes, or links to promote within a community. When users enter the website and approve to receive airdrop tokens, scammers get permission to make transfers and to manipulate assets easily.
Rule #2, do not click/open received files by direct messages.
6. iCloud Backup
Storing seed phrases with iCloud’s automatic MetaMask wallet backup stores keys online, — and therefore are susceptible to hackers.To that end, here is a warning from the official MetaMask account (@MetaMask):
7. Hardware Wallet
Even hardware wallets like Trezor or Ledger are vulnerable once they are connected to the internet and used for transactions.
In addition, Rogue actors at e-commerce partner Shopify exposed 20,000 new Ledger customer records, including emails, names, postal addresses, and phone numbers. Scammers are sending fake replacement devices to Ledger exposed customers, — devices designed to steal cryptocurrency wallets.
Rule #3→ it is not worth connecting your high-value NFT wallet. You can have more than one wallet.
8. Fake Works & Plagiarism
Welcome to the other side of the much-hyped NFT coin, where fake works and plagiarized art dominate what in 2021 was a $44 billion market. The scourge is so prevalent, in fact, that in January of 2022 the self-described “world’s first and largest NFT marketplace,” OpenSea, admitted that more than 80 percent of the NFTs minted using its free minting tool “were plagiarized works, fake collections, and spam.”
CEO and co-founder at Cent, Cameron Hejazi told Reuters, “There’s a spectrum of activity that is happening that basically shouldn’t be happening — like, legally”
He also highlighted three main problems:
● people selling unauthorized copies of other NFTs,
● people making NFTs of content, which does not belong to them, and
● people selling sets of NFTs which resemble a security
9. Copycats
Copycats are more common on open platforms despite their fight against it. The image below shows how much effort is required to really dig into each project's foundation and to understand it before investing. Original projects are usually slightly altered, like colors, background colors, small details, or simply mirrored.
Prof. James Grimmelmann, digital law at Cornell Law School, explained that as long as the NFT platforms respond to complaints from copyright holders, they are operating within the law.
“NFTs don’t solve this problem,” he said. “These platforms are just the latest to discover how hard that really is.”
As scammers get creative, technology tries to catch up. There are more and more software solutions detecting similar artworks uploaded online.
Rule #4 → familiarize yourself with artists, projects, and artworks before investing & watch for details: colors, spelling, symbols, numbers, domains, extentions, …
10. Social Media | Influencers
● Fake Accounts
Make sure you follow official accounts and watch possible misspellings of influencers’ social media, mostly on Twitter. The difference can be as little as a letter, symbol, number, inverted letters… calling for donations, funding, support, trades, etc. Once again, do not respond to DMs sent by possible founders or influencers.
● Hacked Accounts
Hackers stole NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets. BAYC’s warning came too late for many holders of expensive collections.
11. Duplicated Websites & Platforms
Searching for the official site of a project can also lead you to a nightmare. There have been cases where full websites or platforms were duplicated leading users through Google Ads, at the very top of the search results, to connect their wallets, only to find out that after seconds, they have been drained. The difference in the domain spelling are minimal or simply just the extension such as .com .co .io
Rule #6 → make sure you follow official channels and certified accounts. Analyse the history, number of followers, comments, and community engagement.
12. Pump-and-Dump
A pump-and-dump scam is a sort of fraud in which the perpetrators amass a commodity over time, inflate its price artificially by disseminating false information (pumping) and then sell what they have accumulated to unwary buyers at a higher price. Once the perpetrators have fraudulently inflated the price, it usually declines (dumping), leaving purchasers who made their decision based on misleading information at a loss.
As reported in the Washington Post, an NFT of Twitter founder Jack Dorsey’s first tweet was purchased for $2.9 million, a year later listed for 48 million, then was put up for auction in April at $280.
The pixelated CryptoPunk #273 sold for 265 ETH on Oct 19, 2021, and roughly 55 ETH later.
A popular Bored Ape Yacht Club #9518 — was purchased for 186 ETH on April 30, and sold for only 111 ETH 10 days later.
Such experiences lead to dismissive comments like the following:
“I think of NFTs as pure froth,” said Peter M. Garber, an economist and author of “Famous First Bubbles: The Fundamentals of Early Manias.” “It is more of a pump-and-dump, Wolf-of-Wall-Street operation than anything else.”
13. Investor's Scams
Developer ‘Evil Ape’ suddenly vanished with $2.7 million from the NFT project along with his Twitter account, website, and any other social account leaving no trace. Find more details here:
Rule #7— get very familiar with the projects, the team behind it, the history of transactions, and accounts’ verification.
14. Bidding Scams
It happens pretty often in secondary markets, once an NFT is listed for sale and goes for the highest bidder, their cryptocurrency might have been switched sporadically, for example, ETH vs USD. So, make sure to double-check the currency before accepting it because reading the chart below, you may end up receiving 1$ instead of 1ETH, equivalent to 1591 USD as of today.
Rule #8 — keep an eye wide open when selling or trading.
15. Wash Trading
Although the underlying blockchain technology allows for keeping public records of NFTs transactions, the names of the parties involved can be anonymous showing simply a wallet address. A person can own multiple wallets, acting as both, buyer and seller in a trade inflating the price. It also happens among team members transferring to each other while inflating the price of the artwork.
In the example below, there is an ‘info’ tag leading us into details: “2. This sale occurred using a flash loan.” Normally, granted loans need to be paid back within months or years.
Flash Loans: these are common in decentralized financing systems. They must be repaid in a very short period of time, such as hours or just a few days, at a very high-interest rate. This time period runs while speculating on certain trades, more often expecting that the artwork can be resold at a very high price instantly or within a couple of hours or days.
Rule #9 — compare the number of items in a collection, transactions, and number of owners. The more decentralized, the lower the risk for price manipulation. Explore and analyze re-sellers account history for credibility.
16. Rug Pull Scams
The scam, which gets its name from the expression “pulling the rug out,” involves a developer attracting investors to a new cryptocurrency project, then pulling out before the project is built, leaving investors with a worthless currency. It’s part of a long history of investment schemes.
Rule #10— Iguess → ‘no risk no game’ or ‘no risk, no story’? uh, a hard one, I’ll let you choose.
17. Centralized Storage
This is a big topic for another article to dig into deeply. In short, NFT can go missing after purchasing, and here is briefly why. The smart contract, giving you the right of ownership right after payment (like a home deed), lives on the blockchain and points to an address (URL). So, the artwork file itself (just like a physical artwork) is stored elsewhere being subject to manipulation, changes, and even leaving you holding a token that essentially points to nothing. Make sure the platform/artist your purchase from is trustworthy, and make sure you take possession of the asset.
18. Instagram DM from “Collector”
For more samples, follow @01011000.io’s Instagram story highlights NFT#3
19. YouTube Videos & Platforms → generated by AI
(coming soon)
Thieves profiting off the work of artists, photographers, illustrators, musicians, filmmakers, writers, and other creative minds aren’t new. And although art is very subjective, artists and collectors have been divided. Some see the technology as a trading ape or gambling tool for easy money. Others believe the technology is only in its very early steps, but it is here to support them through royalty fees, copyrights, plagiarism, and exposure on a global scale.
As the technology matures, not only gamers and real artists can benefit from it, but hundreds of applications growing by the day and relying on the advantages of the blockchain, like real estate, food chain supply, carbon footprint, and many more. Technology soon catches up with security issues, but we users may always keep our eyes wide open to the creativity of scammers and cyber attacks. In any trendy system and new opportunities, scammers take their chances to shine at first glance until users inform themselves. The beauty of this technology itself, with all its use cases, utilities, its hype, and hope, has a lot to offer.
More on: Crypto investment scams — how do they work?
Internet Organised Crime Threat Assessment (IOCTA) | Updates
Stay Tuned!
▸ #0 — A Journey into the NFT Space
▸ #1 — The Core Concept explained
▸ #2 — Scams Explained
▸ #3 — Centralized vs Decentralized
▸ #4 — Web3 & Climate Change
▸ #5 — A Deep-Dive into Earth’s Limits
▸ #6 — Una inmersión profunda en los límites de la Tierra
X-iO ▸ Instagram | Linkedin
