Scams and scandals are a dime a dozen in the crypto industry. Every morning as I open my crypto newspaper (aka Twitter), I’m almost guaranteed to find at least one piece of news relating to hacks, rug pulls, phishing attacks, wash-trading, compromised wallets, etc., across the crypto-verse.
However, this is expected as most blockchains, cryptocurrencies, and tokens stand on the pillar of decentralization. This implies a certain degree of regulatory absence as governments and authorities struggle to develop solutions to safeguard investors and users in the absence of any central entity to control or regulate. This effectively places a greater degree of responsibility upon individuals to be more mindful, informed, and educated on safe practices to be followed before engaging in the crypto and NFT ecosystem. And for those who firmly believe in and profess the vision of a decentralized future, this is a responsibility that they are duty-bound to accept.
With the NFT explosion in 2021, more scammers have started targeting users and holders of valuable NFTs. Some NFT holders have even lost NFTs worth $2.3 million because of phishing links, while others have lost $2.7 million in Ether because of a rug pull.
While there seems to be an endless list of methods through which scammers dupe NFT investors, we have managed to compile a list of safe practices that you can follow to limit your exposure to these scams. We will also discuss a few famous scams in the NFT space over the past year and the types of scams commonly observed. So if you’d like to know what they are, keep reading to find out.
What are NFTs?
Before we begin, let’s discuss what NFTs are exactly!
NFT stands for Non-Fungible Token. This refers to a unique piece of data in a smart contract address on the blockchain that isn’t inherently interchangeable for some other token. They are used as digital representations of specific rights vested with the owner of the NFT granted by the creator of the NFT. NFTs have grown tremendously in the past few years, with projects granting their holders a wide range of utility.
That said, let us look at some popular NFT scams from the past year.
Famous NFT Scams
While there were many NFT scams in the past year, these two, in particular, caught my eye. They might not be the biggest or craziest scams in the space, but they definitely had some interesting drama in the fold. Keep reading to find out what exactly went down!
When I say NFT scams, most of us think of phishing websites and rug pulls by founders. Phishing, in particular, is very common, and most projects ask you to always refer to their official social media channels for legitimate links. But what happens when those very same social media accounts become compromised? Because that’s precisely what happened with CreatureToadz.
On 20th Oct 2021, members of the CreatureToadz Discord suddenly received a notification in the official Discord about a ‘stealth launch’. It urged users to begin minting immediately at the website mentioned in the message. Investors with FOMO implicitly trusted the message’s contents to be true since it was posted by a moderator of the official Discord. In a matter of 45 minutes, the hacker had collected a total of 88 ETH from over 580 mint transactions via the phishing website. By then, the CreatureToadz team had managed to regain control over the Discord and urged investors to stop minting from the site posted by the scammer. The team immediately tweeted an apology message to the community and offered to completely compensate the scam victims.
Meanwhile, the team was left wondering how the hacker had gained access to the Discord. In a Twitter Space hosted on the same day by NFT investor and journalist Andrew Wang, the hacker’s identity was linked to a Twitter account named HEERR. As this was being announced in the Twitter Space, listeners noticed that the hacker was actually tuning in live to the discussion in the Twitter Space. This prompted the participants to call out the hacker, asking him to return the stolen funds.
The hacker then revealed himself to be a 17-year-old high school student who had carried out the attack as a joke to show the vulnerabilities of NFT Discord communities. This led to a heated discussion within the Twitter Space as people tried convincing the hacker to return the stolen funds. Ultimately the hacker promised to return the funds to the community by sending them to the CreatureToadz team, which refunded each of the affected wallets individually.
Despite this seemingly fortunate ending, participants in the NFT ecosystem were left scarred by this encounter as more NFT projects made it a point to let their community know that they would never deviate or do a stealth launch from the announced launch date. Even so, CreatureToadz wasn’t the first, and it certainly isn’t the last to fall for this scam.
Most of us are familiar with the phrase ‘pump-and-dump’. It’s a common scam in the crypto and altcoin space, where groups collectively decide to increase the buying pressure of a particular token only to sell it all at the top once more investors get in. This price action is usually the result of a coordinated group effort and is not based on any fundamental utility or development. These schemes are generally seen in more liquid markets. However, the particular project that we will discuss was the subject of a pump and dump scheme in the NFT space, an illiquid market.
Holy Primes is a meme NFT collection by Pokilo.eth that features pictures of calculators with prime numbers. The project started off as a joke and has now introduced some utility to act as a mint pass for collections from new artists. However, this project is on the list today because of a tweet by NFTLlama back in September of 2021. The tweet called for a collective group effort to buy and pump the floor price of the NFT collection to at least 3 ETH. The tweet was very transparent about what it wanted to achieve: becoming the AMC/Gamestop Pump of NFTs and being featured on Forbes. Soon, many investors FOMO-ed in, expecting to raise the floor price all the way to 15-20 ETH before it started crashing. However, the collection started crashing as soon as it hit a floor of 3 ETH. Today, at the time of this writing, the project’s floor sits at around 0.03 ETH, with many of the participants in the pump having lost quite a bit from their initial buy prices.
Now, although I’ve put this project under the title of a scam, looking at how open NFTLlama was about what they were doing, you can hardly call it a scam, can you? Investors were more than aware that participating in this pump had a huge risk, yet they willingly gambled upon the chance of making a quick buck and riding on the hype train. While there was no misrepresentation, and it certainly isn’t illegal in an unregulated market such as the NFT space, the point of including this incident in the article is to make you more aware of the different schemes and pitfalls that you can fall into. If you’re in the NFT space, you will come across many more projects and community schemes with similar pump-o-nomics, but the best safe practice to keep your money safe is to stay away from participating in them.
Types of NFT scams
Now that we’ve seen a few real examples of NFT scams, let us look into some of the most common NFT scamming methods.
They say imitation is the best form of flattery. Well, maybe not so much in this case. Phishing scams refer to attacks in which investors and users are duped into visiting and interacting with fake websites that look identical to the original. This method of attack is one of the oldest and most common in the history of the internet. You can lose money in this form of attack either by attempting to mint an NFT on the fake website (which just drains your ETH without sending an NFT) or by submitting the seed phrase of your wallet on a fake MetaMask or some other hot wallet website/pop-up.
Pump and Dump Scams
Ah, the era of influencer marketing. What could go wrong? Lil Uzi Vert probably got your back, right?
If you’re in the NFT space, it’s best you always do your own research about the project and its team. That said, while you might think influencers have your best interests at heart, that’s not always true. For example, we need only look at all the crazy pump and dumps we’ve seen in the space over the past year from high-profile influencers in projects such as Save the Kids, Dink Doink, and CxCoin.
Most influencers get offered crazy sums of money to promote a particular NFT or crypto project, and even if the team seems sketchy, the offer might just be too good to pass up. So regardless of how big a fan you might be, it’s in your best interest to look at projects with influencers behind them with more suspicion than usual. If you still need convincing on why your favorite influencer might just be engaging in a pump and dump scheme in the making, all you need to do is watch a few Coffeezilla videos. I swear you will be convinced.
That’s right, Catfishing! A practice that is commonly seen in dating apps where people pretend to be someone they’re not, to mislead you. I dare say that you’ll actually find more catfishes in your Discord DMs than you would in your dating profiles. These malicious DMs would resemble a message from a particular NFT team member or even a Discord bot offering you an exclusive whitelist or mint opportunity.
If you’ve ever replied to one, you’d find yourself being casually asked to disclose your wallet seed phrase or directed to a phishing link imitating the original project. Unfortunately, this method is so common in the industry that most project members add the words “Will Never DM you” to their name to get the message across.
Imagine cruising along a highway in your car when the wheels suddenly fly off. That’s what it feels like for most NFT investors who get rug-pulled. A rug pull is when the team behind a particular NFT project suddenly decides to abandon the project after launch and withdraws all funds intended to be used for the future development of the project from the treasury.
Recently, there was a massive rug pull of around $1.3 million from an NFT project called ‘Big Daddy Ape Club’ on the Solana Network. This particular rug pull happens to be not only the biggest NFT rug pull on the Solana network but also one of the most brutal ones. While most rug pulls leave investors with an NFT to hold, the investors of the ‘Big Daddy Ape Club’ project that paid the mint fees never even received their NFT.
To add insult to injury, most investors trusted the project as it was even verified by the decentralized identity verification company called ‘Civic’. The identity verification company is now working with law enforcement to track down the scammers. This shows that no matter how much you trust those verification badges, in the absence of direct regulatory scrutiny, you need to buckle down on your own vetting measures and be more critical of suspicious activity that you notice in the Discord groups of these projects.
If you’ve ever visited OpenSea or most other NFT marketplaces, you would have noticed that users can place bid offers on NFTs even if they are not listed for sale. This feature allows owners to accept an offer without listing the NFT for sale. While this might save some gas fees and offer more flexibility in trades for the holder of the NFT, scammers have begun to use this feature to attack and snatch NFTs from owners at ridiculously low prices. For example, they might initially place a bid for 5 ETH, which they change to 5 USDC or another lower-priced cryptocurrency before you accept the bid.
Since victims of this scam usually lose their NFTs from oversight or carelessness, it is vital to keep in mind to always double-check the bid and the offered payment token before accepting the bid.
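The double-check described above, as an added example that is not part of the original article: it compares the offer you evaluated with the one you are about to accept, matching on the payment token's contract and raw amount rather than the number shown. The token addresses, the `Offer` type and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholder contract addresses, not real token contracts.
WETH = "0x" + "11" * 20
USDC = "0x" + "22" * 20

# Symbol and decimals per payment-token contract (WETH uses 18 decimals, USDC 6).
KNOWN_TOKENS = {WETH: ("WETH", 18), USDC: ("USDC", 6)}


@dataclass(frozen=True)
class Offer:
    payment_token: str      # contract address of the token being offered
    amount_base_units: int  # raw integer amount, before decimals are applied


def describe(offer):
    """Return (symbol, amount in whole tokens); raise for an unlisted token."""
    token = offer.payment_token.lower()
    if token not in KNOWN_TOKENS:
        raise ValueError(f"unknown payment token {offer.payment_token}")
    symbol, decimals = KNOWN_TOKENS[token]
    return symbol, Decimal(offer.amount_base_units).scaleb(-decimals)


def review_before_accept(seen, current, expected_token, minimum):
    """Return a list of problems with `current`; an empty list means it still
    matches the offer that was reviewed (`seen`) and the seller's terms."""
    try:
        symbol, amount = describe(current)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    expected = expected_token.lower()
    if current.payment_token.lower() != expected:
        problems.append(f"paid in {symbol}, not {KNOWN_TOKENS[expected][0]}")
    elif amount < minimum:
        problems.append(
            f"{amount.normalize():f} {symbol} is below the minimum of {minimum}")
    before = (seen.payment_token.lower(), seen.amount_base_units)
    after = (current.payment_token.lower(), current.amount_base_units)
    if before != after:
        problems.append("offer changed since it was reviewed")
    return problems


# The case from the text: a bid of "5" whose token was swapped before acceptance.
reviewed = Offer(WETH, 5 * 10**18)
swapped = Offer(USDC, 5 * 10**6)
if __name__ == "__main__":
    print(review_before_accept(reviewed, swapped, WETH, Decimal(5)))
```

Both offers display as "5", which is why the comparison uses the token contract and base units instead of the rendered figure.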
There have been a lot of MetaMask hacks in the past couple of years, with no one being able to understand how exactly the hackers gained access to their wallets. Victims swear that they never visited any phishing websites or revealed their seed phrase to anyone. So how exactly did this happen?
That’s exactly what a YouTuber by the name of CryptoJordin found out. Sometime in December last year, he fell victim to a MetaMask attack and woke up to find all his funds drained from the wallet. Puzzled and determined to find out who the culprits were and how they had drained his funds, he recorded a series of videos documenting his investigation. His investigation revealed that the attackers had managed to install malware onto his computer through a file share link in his email by pretending to be a gaming products sponsor. This malware quickly infected and gathered all the data about his home devices connected to his Wi-Fi. This allowed the hackers to remotely access and hack any device in his home. As much as hardware wallets are praised for their security, even they would have been vulnerable to this particular malware attack.
Discord and Social Media Hacks
Just last week, the social media accounts of many crypto influencers were hacked, and promotional videos of some scam projects were posted. While that particular hack happened on the YouTube platform, most of the social media hacking activity directed at crypto and NFT projects seems to occur on the Discord platform. Hackers gain control over the official server by compromising team members’ accounts, or post links in a project’s announcement channel by gaining access to the Discord webhook feature. Many projects such as CreatureToadz, Monkey Kingdom and Fractal have fallen victim to this method of attack.
List of Safe Practices
Now that we’ve understood the most common scams in the NFT space, let us look at a set of safety guidelines that we must follow as participants in the ecosystem.
That’s right, the number one practice to follow is doing your own research (DYOR). Most participants in the NFT space just follow one influencer after the next without taking the time to research and make informed decisions about a project. As entertaining as YouTube videos are, they are no substitute for one’s own research into a project’s team members, their past activity, the proposed utility of the project and whether or not the artwork and community are something that suits you.
2. Avoid Anonymous or Pseudonymous teams
As a general rule of thumb, I find it safer to stay away from projects with anonymous or pseudonymous founders or teams. With these types of founders or teams, you can never know who they are or whether they’ve already been a part of previous rug pulls or scams. Firstly, knowing who the team is allows you to be more informed and predict the team’s future actions. Secondly, in the event that the anonymous or pseudonymous founders have been involved with scams in the past, and this information surfaces a few days after the launch, the project gets affected as a whole and might never recover from the bad publicity associated with the founder.
3. Check Social Media Activity
Debatably, one of the best metrics to predict the legitimacy of an NFT project is the nature of its social media activity. Check to see if its social media campaigns rely a bit too heavily on influencer marketing and if there is absolutely no trace of discussions on future plans and utility structures for NFT holders. Moreover, while follower counts might indicate a level of interest in the project, the true gauge of interest lies in the engagement that each of its posts receives from the community.
4. Use a separate wallet for mints
I find that using a separate wallet for connecting and minting from new NFT project websites helps me sleep better at night. As they say, never place all your eggs in one basket. After you’ve successfully minted an NFT, you can transfer it to your main wallet for safekeeping.
5. Double-check mint website with official channels
Always double-check the website URL before you connect your wallet to it. If you fail to follow this step, you might end up becoming a victim of phishing scams.
6. Check the contract address of the NFT collection
If you’re on the secondary market and you spot an NFT from a famous collection for dirt cheap prices, you’re probably looking at an imposter. So, before you FOMO in and click that buy button, cross verify the contract address of the NFT you wish to buy with the contract address displayed on the project’s official website.
7. Use a hardware wallet
Needless to say, hardware wallets are considered one of the best measures to safeguard your crypto assets. They will protect you against most malicious actors and attacks as they store the private key on the wallet device instead of the computer. This makes it hard for attackers to approve transactions without access to your hardware wallet. Essentially, this protects your NFTs from being moved without your permission. Some of the best hardware wallets in the industry are from Trezor and Ledger.
8. Never give your private keys or seed phrase
Not your keys, not your coins. The only time you will ever have to enter your seed phrase anywhere is when you’re either making a backup of your wallet or if you’re restoring an old wallet in a new device or browser. No one will EVER ask for your private keys or recovery phrase. If someone DMs you asking for your seed phrase to send you an NFT or whitelist your wallet for mint, you can be guaranteed that it’s a scam hoping to steal your wallet. Also, keep a watchful eye on any random pop-ups claiming to be MetaMask asking you to re-confirm your seed phrase; that’s a scam.
9. Never click suspicious links
Always be mindful of what you visit on the internet with the device you use to access your crypto wallets and accounts. By accessing suspicious websites and links, your device might become infected with a virus or malware that can target your MetaMask or monitor your financial activity. If possible, I’d suggest using a separate device with an independent internet connection for your crypto transactions.
10. Turn off your Discord DMs
For the love of God, if you’re planning to join a ridiculous amount of Discord servers to secure a whitelist or engage with a community, I’d suggest disabling the option to receive DMs from strangers selectively in certain servers, if not completely. This would drastically reduce your chances of becoming a victim of phishing links and catfishing attacks on Discord.
11. If it seems too good to be true, it probably is.
The last safe practice on this list is to doubt everything until proven otherwise. If something seems too good to be true, more often than not, it probably is. So, make sure you verify everything you come across.
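Practices 5 and 6 in the list above both come down to comparing what you are shown against what the project published on its official channels. The following Python sketch is an added example, not part of the original article; the domain, contract address and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed record of what a hypothetical project publishes officially.
OFFICIAL_DOMAINS = {"exampletoadz.example"}
OFFICIAL_CONTRACT = "0x" + "ab" * 20  # placeholder, not a real contract

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_mint_url(url, official_domains=OFFICIAL_DOMAINS):
    """Return (ok, reason). Only an exact official hostname over https passes."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        return False, "text before '@' hides the real host"
    if host in official_domains:
        return True, "official domain"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized lookalike host"
    for good in official_domains:
        if edit_distance(host, good) <= 2:
            return False, f"near-miss of {good}"
        if good.split(".")[0] in host:
            return False, f"project name on a different domain than {good}"
    return False, "not an official domain"


def check_contract(listing_address, official=OFFICIAL_CONTRACT):
    """Return (ok, reason). Hex case is ignored: it only encodes a checksum."""
    candidate = listing_address.strip()
    if not ADDRESS_RE.fullmatch(candidate):
        return False, "malformed address"
    if candidate.lower() != official.lower():
        return False, "contract differs from the official one"
    return True, "official contract"


if __name__ == "__main__":
    for link in ("https://exampletoadz.example/mint",
                 "https://examp1etoadz.example/mint",
                 "https://exampletoadz.example@mint-now.example/"):
        print(link, check_mint_url(link))
```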
If you’ve managed to better understand what to expect and how to protect yourself when it comes to engaging in the NFT ecosystem, then this article has done its job. But be warned: scammers are constantly innovating new ways to attack and steal from participants in the crypto and NFT ecosystem. So the only real way to be safe is to be proactive in educating yourself about safety measures to be followed as the ecosystem keeps evolving. Until then, as they say in the NFT community – WAGMI.