When it comes to NFTs, two main types of attacks tend to hurt end-users. They differ dramatically in scale, ranging from more common small scams, which are directed at single users or smaller groups of people, to larger-scale schemes and cons.
Small Scams: Tricky, Yet Potentially Crippling
Smaller scams usually use some form of phishing or social engineering: ways of manipulating people into giving up confidential information.
Some are easy to spot, like a poorly written email asking you to click on a suspicious link (by now, we have all received at least one tantalizing offer from a Nigerian prince in exile). Others, however, are extremely sophisticated and can catch even the most careful investors.
For example, one of the most devious methods used by scammers takes advantage of Google’s ad system.
First, they create a page that looks exactly like a popular cryptocurrency or NFT platform with an extremely similar domain name like 0pensea.io, but with a 0 (zero) instead of an O. Then they pay Google to promote it above the real site (Opensea.io), hoping people will click it without checking they are on the right site.
Finally, when visitors try to connect their wallets, the nefarious site will prompt them to approve a malicious transaction or provide sensitive information like their MetaMask seed phrase.
Large-Scale Scams: Harder to Pull Off, But Often Devastating
Exploits on a massive scale are significantly less common but can prove much more devastating. The largest cryptocurrency hack ever (or 2nd largest, depending on the price of ETH) took place last week.
About $600-$625 million of ETH and USDC was stolen from the largest play-to-earn game, Axie Infinity.
We aren’t yet sure how much this will hurt Axie Infinity players because a large portion of the stolen funds came from the game’s treasury. However, it will almost certainly have a large impact on thousands of players.
How to Avoid Scams
Once you know the most common methods scammers use to steal cryptocurrencies and NFTs, it will be easy to avoid them.
First and foremost, never give anyone your personal information.
Scammers will often masquerade as “OpenSea Support” or “MetaMask Support,” either through direct messages or emails. Don’t fall for it. Most Web3 platforms don’t even have support.
As a general rule, NEVER enter your MetaMask seed phrase into ANY website or send it to anyone. The only reason you would need to key it in is to restore your wallet from a backup or import it into a new browser. If you do have to do this, make absolutely sure you are using the real MetaMask extension.
If you want to use a crypto or NFT platform, confirm you are on the right website first. An easy way to do this is to add the correct site to your bookmarks so you don’t have to check every time.
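The look-alike domain trick described earlier (0pensea.io in place of opensea.io) and the advice to confirm the site against a bookmark can be checked mechanically. The Python below is an added example, not part of the original article; the trusted list, the substitution table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hostnames the user has bookmarked (assumption).
TRUSTED = {"opensea.io", "metamask.io"}

# Common look-alike substitutions, mapped to the letter they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def hostname(url):
    """Return the lower-cased hostname of a URL, without a leading 'www.'."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def skeleton(host):
    """Collapse look-alike characters so '0pensea.io' and 'opensea.io' match."""
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted host or None)."""
    host = hostname(url)
    if host in TRUSTED:
        return "trusted", host
    for good in sorted(TRUSTED):
        # Same skeleton or a single-character difference: imitation of a bookmark.
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= 1:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for sample in ("https://opensea.io/", "https://0pensea.io/login", "rnetamask.io"):
        print(sample, classify(sample))
```

Only exact matches against the bookmarked hostnames count as trusted, so a host such as opensea.io.example.com is never accepted; Unicode homoglyph domains are outside what this check covers.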
Also, if you frequent NFT project Discords, you will likely run into two different types of scams. Scammers will message you constantly with dangerous links, so it’s generally smart to turn your direct messages off. Sometimes entire Discord servers will be taken over, and an attacker will drop a link to something like a “one-time stealth mint.”
Never click these links. They are always malicious.
Large-scale attacks tend to be harder to avoid because it’s usually the platform making the mistake and not the end-user. It boils down to picking the safest protocols.
The cryptocurrency world is still in its “wild-west” phase, and there are bugs galore. Even massive and well-trusted platforms like Axie Infinity have bugs just waiting to be exploited.
The Law Finally Takes Notice
For various reasons, scams, rug-pulls, hacks, and every other manner of stealing crypto and NFTs have mostly gone unpunished.
Oftentimes, it isn’t all that difficult for an attacker to stay anonymous. To further complicate matters, in many of these cases, governments either didn’t care or weren’t paying attention.
However, this may be changing.
After about six years, $3.6 billion worth of Bitcoin was recovered this February by the U.S. Justice Department (its largest financial seizure ever) from the 2016 Bitfinex crypto exchange hack.
The couple caught (who were in possession of the Bitcoin) were both charged with conspiracy to commit money laundering. It would be quite difficult to prove they stole the Bitcoin themselves (if they even did it), but money laundering is still an extremely serious crime.
The astonishingly large recovery seems to have inspired the formation of a new FBI unit dedicated to blockchain analysis and virtual asset seizure.
A few NFT scammers might be getting their due punishment too. Two 20-year-olds were arrested and charged last week with conspiracy to commit wire fraud and conspiracy to commit money laundering.
They created the quintessential “rug-pull” NFT collection called Frosties. Instead of delivering on any of the many promises they made for the project, they ran off with the mint revenue.
They were arrested days before they could launch yet another collection which almost certainly would have been a scam, too.
The Bitfinex hackers and NFT scammers, if found guilty, could face twenty-year sentences for each money laundering and wire fraud charge. We can only hope that these extremely harsh punishments will scare off would-be criminals from stealing our hard-earned cryptos.
The apps in which these scams propagate are also fighting back.
Mark Cuban, owner of the Dallas Mavericks and the famous investor from the hit show Shark Tank, has been vocal in his support of cryptos and NFTs and invests in many related startups. One of these ventures was an Instagram account that Cuban purchased called @NFT. The account charged a large fee to promote NFT projects to its 1.7 million followers: $100,000 for five posts.
The only problem was that they failed to scrutinize the projects they were paid to promote. They ended up promoting multiple terrible collections and a few outright scams, and their followers lost a tremendous amount of money.
After a viral Twitter thread from the user @topshotfund exposed @NFT, Instagram finally took action and banned it. Hopefully, it won’t take another viral thread to ban many other similar accounts.
Want to Stay Safe? Protect Yourself
Even though we are finally seeing the space start to change, it’s still on us to ensure that our cryptos and NFTs are secure.
Want to keep up with Henry and NFTs 24/7? Join him in AlphaMint’s dedicated NFT Discord server.