Crypto/NFT: 50 shades of Scams

MonikasArt.eth/.tez 🌍🕊️ #PeaceFirst
Published in MojoAcademy
16 min read · Apr 27, 2022

The following list is (unfortunately) not complete — and never will be.

New content will constantly be added, so make sure to pop in from time to time to check on the latest, gruesome news.

(latest update FYI: April 24th 2022; chapters 1–10)

In this article, we discuss:
— general advice on how to increase your level of security
— “The Apple Support” scam
— “The Support” scam
— “The White Knight” scam
— “The fake Whale” scam
— “The instant Instagram reply” scam
— “The verified account that ‘likes’ a lot of your tweets” scam
— “The verified account that tags you in a giveaway” scam
— “There is a surprise pre-mint opportunity” scam
— “The token airdrop” scam
— “The NFT airdrop” scam
— “The Discord DM” scam

General advice we can give for sure is:

1. get a hardware wallet, e.g. a Ledger (check this article)
Below, when I talk about possible scams, I will add the hint “can be avoided if you have a hardware wallet” (with an explanation for this assessment) to demonstrate how important having a hardware wallet is — in case you still have doubts.

2. there are some legit ‘airdrops’ out there, but if it is too good to be true, it probably is (not true!!): nobody will raffle away a World of Women, nobody will give you $APE coin for free, and mints of big projects do not start earlier on a ‘surprise’ website, etc.
Every legit giveaway etc. will give you an appropriate timeframe — a time you can use to check back with friends and/or people you trust.

3. there is seldom the need for quick action (scammers prey on you making a bad move in a stressful situation — by either creating a new stressful situation for you themselves or making an existing situation more stressful for you)

4. nobody in the world will ever need your seed phrase; it is probably only needed when you set up your existing wallet on a new device — and how often does that happen?
If someone asks for your “seed phrase” which is the same as “your 12 or 24 word phrase” or as the “mnemonic phrase” or as the “recovery phrase”, they all want one thing: your assets = coins and NFTs.
If anyone ever asks you for it, replace the request with “Please show yourself naked on national television while throwing all your money into the fire”.
Then reflect if this person should really be asking you this.
You will notice: no, they absolutely should not.
So should you give anyone your seed phrase (or however they call it to hide their bad intentions)?
No, you absolutely should not.

Important remark: most scams will target your seed phrase.
Your seed phrase is the entry point to all your crypto assets including coins and NFTs — and your digital identity in web3.
Losing your assets and your digital identity is highly critical; to learn more, read in the article linked above about equipping your existing hot wallet with a hardware wallet to turn the hot wallet into a cold one.
If a seed phrase is in the hands of the scammers, they have complete access to everything, and this cannot be revoked or blocked in any way.
I am putting this remark upfront to avoid repeating the impact of the scammers having your seed phrase in every single chapter.

Let’s dive into the types of scams

0. Quick question before we start: could crypto and/or NFTs be a scam?
No.

1. The Apple Support

You get a call from “Apple Inc.”, answer it, and they ask for a one-time verification code to prove your ownership of your Apple ID account, which was supposedly compromised? Don’t do it!!

If you are using Apple products, all app settings etc. are backed up to your iCloud. Since MetaMask is a browser extension, all information in your browser like bookmarks, cookie settings etc. is backed up too — along with your browser app settings, which include MetaMask (or any other wallet extension you might be using).

If you do not have a hardware wallet, the seed phrase of your precious account is stored in the MetaMask browser extension — if you do have a hardware wallet, only the seed phrase of your dummy account is stored there, and for every transaction, MetaMask needs to contact the Ledger for confirmation since the seed phrase is stored on there.

Assuming you do not have a hardware wallet, your most important seed phrase is backed up to iCloud, and when you give out the authentication code for the Apple ID account on the phone, the scammer has access to this backup — including your seed phrase.

As written in the introductory part, this will make you lose all your assets and your digital identity and cannot be revoked.

Also, you can switch off the automatic backup of the MetaMask settings (Settings>Profile>iCloud>Manage Storage>Backups>choose device>show all apps>MetaMask), but if it has already been backed up, this will not help.

Hint: This scam can be avoided if you have a hardware wallet (since the seed phrase is only stored on your Ledger and not in the browser extension that gets backed up in the iCloud).

2. The Support

Let’s say you have a problem, and your nerves are already pretty thin due to that issue, so you tweet out your question. You can be sure that within seconds you will have answers from bots leading you to “support” pages or even Discords.
(Just try it: send a tweet like “Does anyone else have the problem in MetaMask that not all tokens are shown?” or whatever… and see what happens: the Rise of the Machines)

You already might be nervous, the guys know how to make you even more nervous, they tell you to click here and click there and check this and that, and before you know it, they have a screenshot of your seed phrase, use it to set up a recovery account — and bye-bye funds.

Hint: This scam can be avoided if you have a hardware wallet (since the seed phrase of your most precious account is not in the MetaMask settings where the scammer will guide you to).

3. The White Knight

You have learned that there are scammers out there (see “2. The Support”) and managed to find your way to the official OpenSea support Discord or whatever: not everyone who will approach you is actually from the support team.

Tiny variations in the user name (they sometimes choose similar characters of other alphabets to mimic the name of a trustworthy person) that you might not notice while nervously looking for support might be a hint.
Instead of “Ed_OpenSea”, you will be approached by “Ed_Open_Sea”. One will help you, the other will hurt you.

So whatever this knight in shiny armour tells you to do: reflect on it if it is actually legit.
Don’t let yourself be coerced into doing anything that you have read a hundred times not to do… but that you are doing in this moment, because they are the official support, aren’t they? (Hint: No, they are not.) When in doubt, do not do it immediately, take a deep breath, ask a friend.
(And if they ask for your seed phrase / 12-word phrase / recovery phrase, which are all the same thing, remember safety tip №4 we gave you in the prologue to this article.)

Hint: This scam can be avoided if you have a hardware wallet (since the seed phrase of your most precious account is not in the MetaMask settings where the scammer will probably guide you to).

4. The Fake Whale

Did you ever have a guy drop in your DMs who has a Punk profile pic? Who just greets you at first with a simple and modest “Hi”?
Who after some minutes just says that he loves your works, and then he leaves for 10 days not sending tweets, not writing again, nothing?
Oh, how we wish he would return… ask us about our art, pay us compliments, maybe is interested in buying even… wouldn’t that be awesome?!
Maybe you did it immediately, maybe you remember his DMs during those 10 days, and you check his profile, you check his links, and this guy has collected tons of artwork, and his wallet is full of ETH!
Man, what luck!

And now you hope he writes again.
And you hope.
And then he does.
And he tells you that you totally undervalue your own work. He shows you a piece of yours that he totally loves. But it is listed for only 0.13 on Foundation… and he says it’s worth 1 ETH.
You say thanks.
A while later, he tells you he’s gonna bid 1 ETH.
Wow!!
But unfortunately, he needs “to burn gas” for the transaction* first… so maybe, maybe you can lend him an advance for 0.27 ETH, and he will give you 0.30 ETH on top of the 1 ETH bid he does for you.
(* in all the time I have been in crypto and NFTs, I could not even explain what that means, and I think it is utter nonsense; nobody needs “to burn gas” for a transaction… that must be total crap — excuse my French)

Oha… alarms go off!! Well, learn the difference between @Brian Proper and @_Brian Proper (yes, one underscore = “_” makes all the difference).
The scammer uses all the links of the original, but he is an impostor.

He never wanted to bid 1 ETH, and you also won’t get your “0.27 advance reimbursed”.

(By the way: If you reply negatively at any point, he’ll tell you how you missed a huge opportunity. And that you little artist will never make it. You will always stay tiny and insignificant in this space. — This is just to put pressure on you, and to make you doubt yourself more than you doubt him; don’t fall for it!!)

I had a looong chat with one of these guys… he blocked me at first when he noticed that I noticed he is a scammer (and I only had some fun toying with him…), but then he unblocked me, and we had a good conversation about emotions in this space and morals. So yeah, been there, done that.

They butter you up, and you might send them money.

Hint: No, not even a hardware wallet can protect you from sending money to a scammer’s account yourself.
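The look-alike handles from chapters 3 and 4 (an extra underscore, a letter swapped for a Cyrillic or Greek twin) can be checked mechanically before you act on a DM. The following is an added example, not code from the original article: it folds a handle to roughly what the eye sees and compares it against the handle you actually trust. The confusables table is a constructed subset, not Unicode’s full list.

```python
import unicodedata

# Assumed mini table of Cyrillic and Greek letters that render like Latin ones
# (constructed for this example; Unicode's real confusables list is far longer).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
    "\u03bf": "o", "\u03bd": "v",
}
IGNORED = "_. -"   # separators scammers insert or drop ("Ed_Open_Sea" vs "Ed_OpenSea")


def canonical(handle: str) -> str:
    """Reduce a handle to roughly what the eye sees: fold look-alike letters to
    ASCII, then drop separators and case."""
    text = unicodedata.normalize("NFKC", handle.strip().lstrip("@"))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return "".join(ch for ch in text.lower() if ch not in IGNORED)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_report(candidate: str, trusted: str, max_distance: int = 2) -> dict:
    """Compare the handle that just DMed you against the one you actually trust."""
    raw_c = candidate.strip().lstrip("@")
    raw_t = trusted.strip().lstrip("@")
    distance = edit_distance(canonical(raw_c), canonical(raw_t))
    if raw_c.casefold() == raw_t.casefold():
        verdict = "exact"
    elif distance <= max_distance:
        verdict = "lookalike"   # same shape, different account: treat as an impostor
    else:
        verdict = "unrelated"
    return {"candidate": raw_c, "trusted": raw_t, "distance": distance, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples built from the article's own examples.
    for pair in (("Ed_Open_Sea", "Ed_OpenSea"), ("@_Brian Proper", "@Brian Proper"),
                 ("Ed_Op\u0435nSea", "Ed_OpenSea")):
        print(pair, lookalike_report(*pair)["verdict"])
```

A verdict of "lookalike" means the two handles collapse to the same shape but are not the same account, which is exactly the case the article warns about.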

5. The instant Instagram reply

Do you use Instagram? Make a post about how you sell NFTs, and see how quickly they will come:
— my boss loves your work and wants to drop NFTs as well; can you please check the link attached and tell us your expert opinion?
— hey, we are looking to collaborate, and we put a piece in the attachments, have a look maybe?
— hello, can you check my collection, please? link is attached
— Kim Kardashian (or Nicki Minaj) wants to get into NFTs, see (fake!) screenshot attached and loves your work…
— invest in that coin because Elon Musk talked about it (actually, Elon tweeted about drinking water, someone created $WaterCoin after that and shills it to you now)
— hey, we are curating this NFT magazine, and we’d like to feature you; click here for the onboarding link
— do you do commissions? I need a cool gift for my girlfriend, examples in the file attached

Yeah, let’s face it: most of us are probably not the next Leonarda da Digilinci, nobody unknown wants to buy our stuff for a higher asking price, wants to collab, wants our expert opinion on anything.
They want our ETH.
And that’s it. And the software that installs when you click onto their stuff will do exactly that.

Hint: It is hard to foresee whether a hardware wallet can help here. If you click links or download attachments that put “virus” code onto your system, that code could try to read your MetaMask settings (in which case a hardware wallet would help), but if you have saved your seed phrase on your hard drive (which you should never, never do!!), it might find that as well.
So the impact really depends on how careful you are besides using a hardware wallet.

6. The verified account that “likes” a lot of your tweets

You tweet something, and there is this verified account that instantly graces you with a “like” — and maybe nobody else does.
Wow, a verified account notices YOU?

Everybody who applied for a Twitter verification knows how difficult that is — and even ‘big accounts’ often have issues getting this desired blue tick mark.
So it must be legit, right?
Right??
Right????

Well, no…

It was not always the case that verification was so difficult: people working in areas “of public interest” were able to quickly verify themselves — which means that a small radio outlet with 20 listeners per day counted as an “institution of public interest”, so each radio show host got their 5 follower accounts verified quickly.
Now guess what comes next: the greed.
Of course.
These accounts were approached with offers and then got sold for a couple of hundred Dollars.

The next step was the gutting of the old accounts (part 1 of 2): delete all the previous content, all images, everything. Then download a random Bored Ape profile pic, program a little bot that goes around and randomly “likes” people’s posts — and wait for the results.
It is like spam mail: you send it out to a million accounts hoping for the 100 gullible people to react to it, and there is your profit.

So some people followed these accounts back. And since this was an automated process running on various accounts, the programming code was re-used, and these accounts easily collected 100k or more followers.

The next step was the gutting of this account (part 2 of 2): again, they delete all content they might have posted, all images and banners, etc.
And then wait for the right time: promote some other scam from this account, and with 100k followers from a verified account, you get the attention of thousands — and a few of them will not notice the scam and will get hacked.

Until Twitter actually takes these accounts down, they will be gutted and re-used for every new scam — which is why it is advised to not only block these accounts but also report them as scam / leading to malicious sites.
This way, Twitter gets hundreds of reports for the same account — and hopefully they then do something about it.
See part 7 for the continuation of this topic.

7. The verified account with >100k followers that tags you in a giveaway

I remember the $APE coin that all Bored Ape Yacht Club members were eligible to claim — and that token then even gained value and has some real utility since some (virtual) goods can actually only be paid for in $APE.

And here comes the verified account with 100k followers (see chapter 6 if you skipped the part about how some scam accounts got “verified”) tagging us in a giveaway because the rich Bored Ape Yacht Club owners got even richer with the $APE coin airdrop — and they now found a heart for the little guy (and gal), so some $APE coins are allocated to the first x people to claim them from the website of the “Board Ape Yarht Club” (I am not making this way of writing it up! this fake is real!).

Now let’s make a guess whether the “Board Ape Yarht Club” is real.
Make a second guess about what happens when you connect to that website — and don’t notice that when you sign in with your wallet, MetaMask does not show the button to “sign” but to “approve”?
There is a huge difference between signing and approving: when signing in, you are just confirming the log-in process = the connection to the site.

The approval, however, normally means that you allow the site to spend something — and believe me: spend they will! Especially because they will be spending your money and your NFTs.
(It sure is always more pleasant to spend someone else’s money than your own.)

So no: World of Women NFTs will not be given out for free. There will not be an allocation for $APE coin outside the BAYC community.
Nothing like that ever.

8. There is a surprise pre-mint opportunity for <insert big hype project name here> for a few of those who did not make the whitelist — they said so on their Discord

Yes, they said so on their Discord.
But no, there is no surprise pre-mint opportunity.
Their Discord probably got hacked.

When big projects mint, there are sleepless nights in the days before the big day for a majority of the team.
No sane project manager nor a legit dev would agree to do a little random “surprise” for anyone before that when there is so much left to do for the real launch.

Discord owners and moderators are often the target of elaborate scams, sometimes very obvious ones and sometimes even going the full “social engineering” route — the bigger the project, the more money can be stolen, the better the scams get.
If a moderator’s account got hacked, the scammers can easily ban or mute (“time-out”) other members and hijack the announcement channel fully without anyone else having write access to it.
Once everyone else is not able to write anything, they can drop their prepared announcement leading some members to prepared websites where they will be waiting to drain your wallet of all crypto funds and NFTs.

Since you likely “approved” a transaction on your hardware wallet, no Ledger in the world can save you: you have just allowed the scammers to spend it all, and you have confirmed all this on your Ledger yourself.

The good news is: your seed phrase is safe.
The bad news is: your account still is (empty and) compromised because any asset that is sent to this account in the future (crypto funds or NFTs) can again be spent (= sold or transferred) by the scammers since you approved it all.
The good news is: you can revoke these rights to spend everything on Etherscan and/or revoke.cash (while your wallet is empty right now, at least future assets would be safe on that account — if you desperately want to use that particular one instead of switching to a new account).

9. The token airdrop (oh look, the token’s name is a website URL — let’s check it out)

Imagine you want to create a coin. Would you rather name it $scam or $www.GetScammed.com?

Right, you would always choose the name and not a website link as your token name. Unless of course you want to lure people there.

Now make a guess what will happen when you connect your wallet to this site?
(Believe me, you don’t want to do it, and no Ledger in the world can shield you from what is going to happen next.)

10. The NFT airdrop (that was unexpected, but maybe I can sell it?)

There are several sides to NFT airdrops really: for some artists like myself, it is a way to send people greetings on holidays, as a thank-you gift for collecting a piece of ours, or any other reason to make them smile.

Some projects send airdrops to get people to talk about the project — or to make collectors aware that they exist.
(Or some to create some FOMO because people might see the airdrop in the big influencer’s wallet, assume the influencer bought from the project, so people buy too.)
What was a nice marketing idea in the beginning quickly turned into a nightmare for collectors because they were bombarded with unsolicited airdrops cluttering their collection, especially on OpenSea.

OpenSea then made changes and is now automatically hiding airdrops, especially those on Polygon (gas free), unless the sender is a verified account. Recently, they also started to hide the airdrop transaction in the activity logs, so while we could always see if something interesting happened on our own account and whether that was interesting enough to log in and take action, we cannot do that anymore.
(We can still see the transactions on Etherscan or through LooksRare etc.)

Another odd thing about NFT airdrops recently is the tax laws of some countries: getting an airdrop is a taxable event for them, so even if someone sends you one edition out of a 150 Christmas NFT, you have to pay taxes for this. Based on what, by the way? And can we now ruin someone by sending them NFT airdrops over and over again until they pay so much taxes that they go bankrupt?
Lots of open questions!

While in the past, the consensus was that NFT airdrops themselves are harmless (since no malicious code can be hidden inside it), and you can hide them (if they were not before) or send them to the burn address, some of these NFT airdrops seem to be not that harmless — but still, there is the chance to avoid a scam.
Basically, these airdropped NFTs lure you to a site (you actively have to click the URL they put into the description or the unlockable content) promising a free mint, and this airdropped NFT needs to be in your wallet to “prove authenticity”.
Unfortunately, when you want to sign into their website, you are not asked to “sign” but to “approve” something — a difference that is often overlooked when pressing the blue button in the MetaMask.
With a signature, you are only legitimating yourself, but with an approval, you do so much more.

In this case, when connecting to that site, you approved something, probably without being aware of anything, and then the “mint” button will not call a mint function but a transfer.
In the case that is most widely known, they even go so far to even transfer your ETH if you do not have valuable NFTs in your wallet. But if you have less than 0.09 ETH, you are considered poor, and nothing happens.

So similar to the URL in the coin airdrop (see previous chapter 9), airdrops themselves are harmless — unless you follow them where they want to lead you. They lead you by promising something for free. Just know there will be hardly ever anything for free.
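The “sign” versus “approve” difference from chapters 7, 8 and 10 is visible in the raw calldata of the transaction a site asks you to confirm, and the revoke mentioned in chapter 8 is the very same function called with `false`. The following is an added example, not code from the original article: it decodes that calldata using the standard ERC-20/ERC-721 function selectors and says in plain words what the site would be allowed to do. The operator address and the sample transactions are constructed placeholders.

```python
# Known ERC-20 / ERC-721 function selectors: the first 4 bytes of
# keccak256(signature). These are the standard values, not page-specific.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "39509351": "increaseAllowance(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}
UNLIMITED = (1 << 256) - 1  # the "infinite allowance" drainer sites like to request


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def _address(word: bytes) -> str:
    return "0x" + word[12:].hex()  # addresses are left-padded to 32 bytes


def classify_calldata(hex_data: str) -> dict:
    """Say in plain words what a transaction's calldata will let the callee do."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(data) < 4:
        return {"selector": None, "function": None, "kind": "no calldata (plain ETH transfer)"}
    sel = data[:4].hex()
    sig = SELECTORS.get(sel)
    if sig is None:
        return {"selector": sel, "function": None, "kind": "unknown function (not a standard approval; inspect it)"}
    if len(data) < 4 + 64:
        return {"selector": sel, "function": sig, "kind": "malformed: arguments missing"}
    result = {"selector": sel, "function": sig}
    if sig.startswith("setApprovalForAll"):
        approved = int.from_bytes(_word(data, 1), "big") != 0
        result["operator"] = _address(_word(data, 0))
        result["kind"] = ("APPROVAL: operator may move every NFT in this collection"
                          if approved else "REVOKE: operator approval removed")
    elif sig.startswith(("approve", "increaseAllowance")):
        amount = int.from_bytes(_word(data, 1), "big")
        result["spender"] = _address(_word(data, 0))
        result["amount_or_token_id"] = amount   # ERC-20: allowance; ERC-721: token id
        result["kind"] = ("APPROVAL: unlimited token allowance" if amount == UNLIMITED
                          else "APPROVAL: allowance or single-token approval")
    else:
        result["kind"] = "TRANSFER: assets leave the wallet in this very transaction"
    return result


def encode_call(selector_hex: str, *args) -> str:
    """Tiny ABI encoder used only to build the constructed sample calldata."""
    out = bytes.fromhex(selector_hex)
    for arg in args:
        if isinstance(arg, str):                      # 0x-prefixed address
            out += bytes.fromhex(arg[2:]).rjust(32, b"\x00")
        else:                                         # bool or uint256
            out += int(arg).to_bytes(32, "big")
    return "0x" + out.hex()


# Constructed samples with a placeholder operator address (not a real contract).
OPERATOR = "0x" + "11" * 20
SAMPLE_SET_APPROVAL = encode_call("a22cb465", OPERATOR, True)
SAMPLE_REVOKE = encode_call("a22cb465", OPERATOR, False)
SAMPLE_UNLIMITED = encode_call("095ea7b3", OPERATOR, UNLIMITED)

if __name__ == "__main__":
    for sample in (SAMPLE_SET_APPROVAL, SAMPLE_REVOKE, SAMPLE_UNLIMITED, "0x"):
        print(classify_calldata(sample)["kind"])
```

A genuine sign-in is an off-chain signature request and produces no transaction at all, so there is nothing to decode; if a site’s “connect” step pops up a transaction whose calldata classifies as APPROVAL, that is the moment to stop.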

11. The Discord DM

Oh look, I opened a support ticket on the “project XY” Discord, and now someone named “project XY tech support” or “project XY team” or “project XY admin” is DMing me.
But before they can help me, I need to connect my wallet to somewhere so that they can verify I really own an NFT from their project — fair enough…

… unless…?

Why would they not simply reply to me in my ticket that I opened? Why the DM?
When so many projects advise to close DMs (and only open them to friends we actually know and want to communicate with?).
Could this be a scammer?

Yes, of course this is a scammer!
It is so easy to hop onto a Discord server as “Joe Innocent” with a regular profile picture, and once you are on there, you change your name and your profile picture and start DMing people who do not have their DMs closed and/or asked questions in the general chat.
Don’t fall for it.
Big accounts either have a ticketing system and will reply to your question right there, or if DMs are necessary, they come from people you know (and love — maybe), but they will not be hiding behind “project XY tech support” or anything.

Generally, DMs in Discord are a no-no.
If you have them open to everyone (which is not advised) or to friends, not clicking links from DMs is the best precaution you can take besides not connecting your wallet to sites outside the official links.
(And yes, Collab-Land-URLs can also be spoofed, so make sure to double and triple check!!)
By the way, there were so many issues around DMs on Discord that all (legit) bots found a way around the DMing part, so no legit bot will ever DM you, no verification or account linking etc. needs to be done from DMs.

to be continued (unfortunately)
