9 tips to avoid getting scammed with NFTs

Positron
5 min read · Oct 9, 2022


Cryptocurrency and NFT scams over the past year have cost their victims over $1B. Just today, @lazslo_btc lost 7 Apes worth over $1M in a phishing incident.

As web 3.0 professionals, it pains us to see these incidents happening regularly.

As such, we’ve decided to share guidelines that can help provide better security while trading NFTs.

1) Fake Mint Pages

As you know, mints do not appear out of nowhere. They are announced at least one week in advance, across all of the project's website and social channels.

Social accounts can be compromised, even for the largest projects.

If you see a mysterious mint announcement out of nowhere, you should (1) scroll up and check whether it was announced before, (2) check whether the same announcement was posted on the official website and on the other official links, and (3) ask on Discord.

In general, it's useful to be on Discord during the mint to check the pulse of the project and ask any questions you may have.

If you mint from a fake mint page, not only will you pay for a worthless NFT, but you will most likely get your account completely drained of your balance and NFTs.

If this ever happens, you should immediately revoke all token approvals granted by your account. Follow the instructions here to do just that: https://metamask.zendesk.com/hc/en-us/articles/4446106184731-How-to-revoke-smart-contract-allowances-token-approvals

Also, make sure the project shares the link to its verified smart contract on Etherscan, and wait until you see multiple transactions on that contract before you mint.

2) Phishing with fake NFTs

Many high-profile investors have lost valuable NFTs, including Apes, through this method.

If you suddenly see NFTs being airdropped to your wallet for free, even if they appear on OpenSea, you should be highly cautious and ask around before interacting with them.

What usually happens is that you get sent an NFT as a free airdrop, then someone sends you a wETH offer for it, though you won't be able to accept it because the smart contract is rigged. When you then check the description of the NFT, you click on the link it contains and land on a scam page that will attempt to drain your account.

Unless you are minting or giving a marketplace permission, you should NEVER perform a transaction on ANY website. A transaction writes to the blockchain, changing its state. When you visit www.meta-places.io, for example, and connect with MetaMask, we only read from the blockchain: we (a) ONLY ask to see your balance, or (b) ask you to sign a message (a signature request, not a transaction) to prove that you are the owner of the address.

(Screenshot: MetaMask prompt asking for authorization to see the balance of the account)

The MetaMask signature request lets our backend servers, to which we send an API request, verify that you are the rightful owner of the account and of the NFTs.

If you believe you may have interacted with an insecure smart contract, revoke all permissions granted by your MetaMask account.
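Revoking "all permissions" (points 1 and 2 above) first requires knowing which approvals are still in force. The following is an added example, not code from the post or from Meta-places: it replays a wallet's ERC-721 `Approval` and `ApprovalForAll` event logs (as returned by a node or explorer) and lists the operators that can still move the wallet's NFTs, so that anything outside a known allow-list can be revoked. The two topic hashes are the standard keccak256 hashes of the ERC-721 event signatures; every address and log entry below is constructed.

```python
# Added example, not the post's own code: replay a wallet's ERC-721 approval
# logs to list which operators can still move its NFTs. Samples are constructed.
ZERO = "0x" + "00" * 20
# keccak256 of the two ERC-721 event signatures (topic 0 of each log)
TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def _addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def _topic(value):  # pad an address or number to a 32-byte indexed topic
    return "0x" + value[2:].lower().rjust(64, "0")

def current_approvals(logs, owner):
    """Replay logs in order; return live grants as (collection, operator, token_id)."""
    owner = owner.lower()
    live = set()  # token_id is None for a blanket setApprovalForAll grant
    for log in logs:
        topics, collection = log["topics"], log["address"].lower()
        if topics[0] == TOPIC_APPROVAL_FOR_ALL and _addr(topics[1]) == owner:
            key = (collection, _addr(topics[2]), None)
            if int(log["data"], 16) == 1:  # ABI-encoded bool: 1 = approved
                live.add(key)
            else:
                live.discard(key)
        elif topics[0] == TOPIC_APPROVAL and _addr(topics[1]) == owner:
            token_id = int(topics[3], 16)
            # a new Approval replaces the old one; approving address(0) clears it
            live = {g for g in live if (g[0], g[2]) != (collection, token_id)}
            if _addr(topics[2]) != ZERO:
                live.add((collection, _addr(topics[2]), token_id))
    return live

def to_revoke(live, trusted_operators):
    """Grants outside the allow-list: revoke with setApprovalForAll(op, false)."""
    trusted = {t.lower() for t in trusted_operators}
    return {g for g in live if g[1] not in trusted}

# constructed history: the owner trusts a marketplace, a drainer page then gets
# a blanket grant, and a per-token approval is later cleared via address(0)
OWNER, MARKET = "0x" + "11" * 20, "0x" + "22" * 20
DRAINER, COLLECTION = "0x" + "33" * 20, "0x" + "44" * 20
APPROVED = "0x" + "00" * 31 + "01"  # ABI-encoded true
SAMPLE_LOGS = [
    {"address": COLLECTION, "topics": [TOPIC_APPROVAL_FOR_ALL, _topic(OWNER), _topic(MARKET)], "data": APPROVED},
    {"address": COLLECTION, "topics": [TOPIC_APPROVAL_FOR_ALL, _topic(OWNER), _topic(DRAINER)], "data": APPROVED},
    {"address": COLLECTION, "topics": [TOPIC_APPROVAL, _topic(OWNER), _topic(DRAINER), _topic("0x7")], "data": "0x"},
    {"address": COLLECTION, "topics": [TOPIC_APPROVAL, _topic(OWNER), _topic(ZERO), _topic("0x7")], "data": "0x"},
]
```

Running `to_revoke(current_approvals(SAMPLE_LOGS, OWNER), [MARKET])` leaves only the drainer's blanket grant, which is the one the wallet owner must revoke on-chain.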

3) Fake collections

There are thousands of fake collections and fake social media accounts imitating popular projects, sometimes with a high number of followers and a large supply. It is getting harder and harder to tell them apart. For this reason, we usually keep a watermark on most of our NFT images until after the mint and the reveal.

You should make sure to only follow the official links shared on Discord and on the official website.

4) Compromised centralized exchange accounts

If your account credentials are leaked, your account may get drained of its balance. Make sure to use a two-factor authentication app such as Google Authenticator, and keep a backup key somewhere safe.

Usually, this happens when your email or exchange password gets leaked, or when you download a trojan, spyware or some other form of keylogger.

We recommend using a 2FA app such as Google Authenticator instead of your phone number, because hackers are sometimes able to get hold of your number through techniques called SIM swapping and social engineering.

5) Traditional phishing

The plain old emails you receive, sometimes deceivingly realistic, that ask you to download some sort of PDF or Excel file with embedded code, or to click on a link. Hackers are getting smarter with this.

The $620M Axie Infinity hack occurred because of this: a lead developer who was looking for a job was tricked by a recruiter into downloading a file.

6) Discord vanity URL takeover

Vanity links are the ones that contain a name, such as discord.gg/nameoftheproject.

The team at Discord made the incredibly stupid decision to have these names expire when the server's boost level goes below a certain threshold.

We were warned by our security advisor at the time but ignored his warnings, and this actually happened to Metaplaces. Thankfully, we detected the change immediately, announced it on Discord and changed the links everywhere before any damage could be done.

Hackers are surprisingly well prepared: before executing this, they have a server ready that looks like the real one, with a huge number of botted members and seemingly active users, plus a fake website and fake Twitter pages.

Because of this risk, we have stopped using vanity links for Discord.

7) Unsolicited DMs

Random users send you unsolicited offers, help or opportunities through private messages on Discord, Twitter and other social media.

They also create fake account handles that look similar to those of popular influencers and projects, bot them up to inflate the follower count, and send you a follow request.

The first thing we tell our community is that we will never DM them first.

8) Asked to test a drainer app after building trust

The owner of a large project had been talking with an extremely credible project's team for months. They built trust over time, and created a whole project and website for this.

They insisted that the owner test their web app.

The owner used a burner account without any balance, and the scammers insisted that he use his main account. He found that strange, so he checked the code and discovered how he would have been drained had he used his main account.

9) Centralized exchange failures

Avoid leaving your assets inside small centralized exchanges. If you need to use one, go for a major exchange such as Binance, Coinbase, Gemini or Kraken.

In general, we recommend you transfer your assets to a cold storage wallet unless you need to trade.

Remember that you can store NFTs across separate accounts, including cold storage wallets, to ensure you don't lose everything if one wallet gets drained.

Feel free to comment if we forgot to mention other scam techniques, so we can add them to the list.

Written by Positron

CTO of Meta-places.io. Owner of multiple tech startups.
