Scams Lies and Criminals

Signal
Published in Checkpoint
7 min read, May 10, 2022

The Dark Side of NFTs

20–30–45–55–56.

Recently, if you played those lottery numbers, you won 370 million dollars.

After realizing you have the golden ticket, where would you keep it? Would you put it in your wallet, tuck it in your drawer, or sleep with it taped to your body?

That piece of paper changed your life, and you are responsible for claiming the win. If you lose the ticket, game over; no one can help.

NFT ownership means you have self-custody of your property. They are critical digital assets, and if you lose them, it is a fundamental loss, like losing a lottery ticket.

Unfortunately, there is no helpline, no way to replace them, and no technology to reverse your actions.

Even if you consider yourself technology literate, state-sponsored and professional cyber-criminal groups are targeting the NFT community with the singular goal of manipulating you, scamming you, and stealing your crypto and NFTs.

It can happen to anyone: public figures, entrepreneurs, businesses. Everyone is a target.

The options for educating yourself against these attacks are:

  1. Be scammed and learn from direct experience.
  2. Spend time on social networks learning from other people who have suffered.
  3. Learn from professional cyber-security experts specializing in crypto/NFTs.

I’ve experienced the pain of being scammed, so I spend time learning about attacks and listening to cyber-security experts.

The biggest lesson from cybersecurity experts is:

In 90% of scams, human beings are the single point of failure, not the technology.

Cybercriminals manipulate victims into taking action, which results in the loss of valuable assets.

They trigger powerful aspects of human psychology like greed, pride, empathy, and urgency to cause us to suspend deliberate thought and to act quickly.

The weakest link is you, not the technology, but that also means you can protect yourself against attackers.

This article covers common attacks used by cybercriminals. The more knowledge you have about these types of threats, the better equipped you are to safeguard your assets.

Phishing attacks

Phishing attacks are the most common and are seen across all communication platforms.

Attackers send fraudulent messages pretending to be an authority with the aim of inducing the victim to share sensitive information.

These scammers play a probability game betting that if they send enough fraudulent messages, eventually, someone will fall for the trap.

For example, on Discord and Twitter, scammers watch for NFT owners asking questions about MetaMask, then reply while impersonating MetaMask customer support in order to capture vital information.

The scammers create fake support forms or servers that ask people to connect their wallets before their issue can be “resolved”, which gives the attackers access to their cryptocurrency and NFTs.

How to avoid this scam:

Official customer services like MetaMask will never contact you directly. You can contact them on their official websites.

Never click on suspicious links or attachments

There are many ways attackers try to open a conversation and gain trust.

A common method is to offer a monetary incentive, such as asking to buy your NFT or hiring you for your services. The conversation will end up with the scammer sending you a link that contains a PDF or a file.

The link leads to a weaponized document that deploys malware on your computer, allowing the attacker to collect keystrokes, take screenshots, and further exploit your machine.

A Twitter conversation to introduce malware to an unsuspecting victim.
Message sent on Twitter with a link to a document hiding malware.

How to avoid this scam:

If something sounds too good to be true, it is.

Never click on links or attachments if you are unsure who the sender is. Attackers commonly use PDFs/file attachments as a method to deploy malware.

Discord

Discord is commonly used for communication within the NFT community. However, scammers also use it to impersonate people because it’s easy to copy anyone’s username and profile picture.

As a result, many projects, including the most trusted like Bored Ape Yacht Club, have had their Discord servers attacked, with fake links shared within the community and valuable assets stolen as a result.

Discord screen showing hacking of the Bored Ape Yacht Club.
In early April, Bored Ape Yacht Club’s Discord was hacked and scam messages were sent to the community.

How to avoid this scam:

Projects will never tag or direct message the community with a link to a surprise drop or giveaway website. Activity like this means the Discord has been hacked.

Turn off your direct messages and never click on links or attachments if you are unsure who the sender is.

Remember, anyone can be impersonated on Discord, so be aware of who you are talking to and what they ask you to do.

Social media impersonation

Attackers create online profiles to convince people of their credibility. This is very common on platforms like Twitter or Instagram because older accounts and followers can be bought.

Furthermore, legitimate accounts can also be compromised, and scammers send fraudulent links or ask contacts to send money.

Hijacked account on Twitter.
NFT scammers target accounts with a large number of followers. Emily Buder, Senior Editor at Quanta Magazine, was among the verified accounts hijacked and used to announce a fake Azuki airdrop.

How to avoid this scam:

Check the account’s socials; do you share any mutual followers? Check their history, content, comments, and timeline.

Don’t think a blue check mark means the account is legitimate, as these can be falsely added to usernames.

Be vigilant because even legitimate accounts can be compromised. Also, be suspicious of unusual requests.

NFT airdrop scams

Anyone can send NFTs/tokens to your wallet. It’s like having a public email that receives spam and legitimate messages.

Scammers will send (airdrop) NFTs to your wallet, and if you interact with them, such as by trying to sell them, the underlying smart contract will ask you to sign a message that lets the scammers drain your wallet of valuable assets.

Sometimes legitimate projects will airdrop tokens to your wallet, but they tell you in advance and through official channels.

How to avoid this scam:

Don’t interact with NFTs or tokens that are airdropped to your wallet. You can move them to your hidden folder but don’t try to sell them or accept offers on them.

Platform Impersonation

After you sign up to a platform like OpenSea, they ask for your email. The platform will send you emails when an item in your wallet is sold, or someone makes an offer.

Unfortunately, scammers often pose as these legitimate platforms and send phishing emails with an embedded link that directs you to a fake marketplace. When you connect your wallet, they steal your credentials, resulting in the loss of valuable assets.

How to avoid this scam:

Always verify the sender address of any email that claims to come from a trading platform: add the platform’s real address to your contact list so impostors stand out, and double-check the sending domain’s history using sites such as https://whois.domaintools.com.

Platform Risk

Ads placed on Google leading to fake marketplaces.
Google ads can be used to lead victims to fake marketplaces.

OpenSea is the leading marketplace for digital collectibles. They try to protect the community from scams, but cybercriminals are persistent and fake collections often appear.

As a platform, OpenSea does not have a strong cross-functional group of people working on the problem, and ultimately, if you buy a fake asset, the responsibility lies with you.

How to avoid this scam:

Bookmark platforms because scammers buy ads that lead to fake websites on Google.

Follow official links from the project’s Twitter.

Go via OpenSea’s rankings page.

Check the contract address in the details area, making sure it matches the project’s correct address.

Only participate in over-the-counter trades if you are experienced in buying and selling.
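The airdrop scam above works because the “sell” action you are asked to sign is really a call that grants the scammer’s address control over your tokens, and the contract-address check in the list above is how you confirm a transaction targets the real project. As an added example that is not part of the original article, here is a pre-signing check a wallet user or browser extension could run on the transaction a site asks you to approve: it decodes the 4-byte function selector and the ABI-encoded arguments and flags the standard ERC-721/ERC-20 calls that hand your tokens to another address. The selectors are the standard ones; every address and piece of calldata below is constructed for the demo, and the trusted-operator list is an assumption you would fill with the marketplace contracts you have verified yourself.

```javascript
// Added example, not code from the original article: decode a transaction before
// signing it and flag calls that grant another address control of your NFTs.
// Selectors are the first 4 bytes of keccak256 of the standard function signatures.

// Calls that grant an "operator" the right to move your tokens
const APPROVAL_SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)", // blanket approval for ALL tokens of the contract
  "095ea7b3": "approve(address,uint256)",        // one token id (ERC-721) or an amount (ERC-20)
};

// Calls that move a token immediately
const TRANSFER_SELECTORS = {
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
};

const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Addresses are case-insensitive hex; compare them regardless of EIP-55 casing.
function sameAddress(a, b) {
  const re = /^0x[0-9a-f]{40}$/i;
  return re.test(a) && re.test(b) && a.toLowerCase() === b.toLowerCase();
}

// The article's "check the contract address" step: the contract the transaction
// targets must match the address published on the project's official channels.
function contractMatches(tx, expectedContract) {
  return sameAddress(tx.to || "", expectedContract);
}

// ABI arguments are 32-byte words (64 hex chars); an address is the low 20 bytes.
function wordAt(argsHex, i) {
  return argsHex.slice(i * 64, (i + 1) * 64);
}
function addressFromWord(word) {
  return "0x" + word.slice(24);
}

// tx: { to, data } as handed to eth_sendTransaction.
// trusted: operator addresses you have verified (assumption: your own allowlist).
// owned: addresses that belong to you, so transfers to them are not flagged.
function inspectCall(tx, trusted = [], owned = []) {
  const data = (tx.data || "0x").toLowerCase();
  if (data.length < 10) {
    return { risk: "low", fn: null, operator: null, findings: ["no calldata: plain value transfer"] };
  }
  const selector = data.slice(2, 10);
  const args = data.slice(10);
  const findings = [];

  if (APPROVAL_SELECTORS[selector]) {
    const fn = APPROVAL_SELECTORS[selector];
    const operator = addressFromWord(wordAt(args, 0));
    const revokesAll = selector === "a22cb465" && /^0*$/.test(wordAt(args, 1));
    if (revokesAll || sameAddress(operator, ZERO_ADDRESS)) {
      findings.push(`revokes approval for ${operator}; safe direction`);
      return { risk: "low", fn, operator, findings };
    }
    if (!trusted.some((t) => sameAddress(t, operator))) {
      findings.push(`grants ${operator} control over your tokens in ${tx.to}; not on your trusted list`);
      return { risk: "high", fn, operator, findings };
    }
    findings.push(`grants trusted operator ${operator} access; a standing permission you can revoke later`);
    return { risk: "low", fn, operator, findings };
  }

  if (TRANSFER_SELECTORS[selector]) {
    const fn = TRANSFER_SELECTORS[selector];
    const to = addressFromWord(wordAt(args, 1)); // (from, to, tokenId)
    if (owned.some((o) => sameAddress(o, to))) {
      findings.push(`moves a token to your own address ${to}`);
      return { risk: "low", fn, operator: to, findings };
    }
    findings.push(`moves a token out of your wallet to ${to}`);
    return { risk: "high", fn, operator: to, findings };
  }

  findings.push(`unknown selector 0x${selector}; decode it against a verified ABI before signing`);
  return { risk: "medium", fn: null, operator: null, findings };
}

// Constructed demo: a "claim your airdrop" button that really asks for setApprovalForAll.
const DEMO_DRAINER = "0x" + "ab".repeat(20);
const DEMO_CONTRACT = "0x" + "11".repeat(20);
const word = (hex) => hex.padStart(64, "0");
const DEMO_CALL = { to: DEMO_CONTRACT, data: "0xa22cb465" + word(DEMO_DRAINER.slice(2)) + word("1") };
console.log(inspectCall(DEMO_CALL)); // risk: "high", operator is the drainer address
```

The check only reads the calldata a site proposes; it never signs anything, so it can sit in front of the wallet prompt. It does not cover off-chain signature requests (permit-style approvals signed as messages), which the article's advice of not interacting with airdropped tokens also guards against.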

Cryptocurrency Wallets

There are two types of cryptocurrency wallets, custodial and non-custodial.

A custodial wallet is managed by a third party like Coinbase or Nifty Gateway, but the platform ultimately has control of your wallet.

A ledger cold-wallet device for storing NFTs.
Ledger is one of the leading cold-wallet devices.

For non-custodial wallets, only you manage the wallet. If you lose your private keys or are a victim of an attack, there are limited options for recovering your assets.

How to protect your wallet:

If you decide to have a non-custodial wallet, you must purchase a cold wallet like Ledger or Trezor, which is far more secure than a pure hot wallet.

The NFT space is in its infancy and there are many scammers, much like email had the ‘Nigerian prince money scam’. However, cybercriminals have evolved and learned to extract bigger payouts from individuals and businesses within crypto.

Cartoon showing Nigerian prince email scam.
The NFT space is still learning to cope with the world of criminals and scammers intent on separating you from your digital assets.

If human beings are the single point of failure in many cases, then learning how cybercriminals operate and implementing safeguards against common attacks is key to not becoming a victim.

Remember

  1. Never share your seed phrase with anyone.
  2. Never write your seed phrase on any device connected to the internet.
  3. Close direct messages on Discord.
  4. Use a strong password on any accounts holding crypto/NFTs, including your iCloud account.
  5. Use the Google two-factor authenticator.
  6. Buy a cold storage device like a Ledger or Trezor.

Knowledge

I highly recommend reading NFT Security Guide* by @simonartonline if you would like to learn more, and for advanced reading, The BlueNoroff cryptocurrency hunt is still on.

Sources:

  1. NFT Security Guide
  2. The BlueNoroff cryptocurrency hunt is still on
  3. *This is not an affiliate link

GET IN TOUCH

https://twitter.com/_thesignal

https://medium.com/@signaleth


Signal writes about NFTs/Web3/Blockchain. Follow daily NFT updates https://twitter.com/_thesignal