0x01 preview
Yesterday, April 1st BAYC Discord has been attacked and Mutant Ape Yacht Club #8662 has been stolen. the Discords of multiple major NFT projects were hacked as part of a phishing scam to trick users into handing over their digital jpegs. Two wallet addresses have been tied to the hacks, now labeled Fake_Phishing5519 and Fake_Phishing5520 on blockchain explorer Etherscan. At least one Mutant Ape Yacht Club NFT (a BAYC spinoff by developer Yuga Labs) was stolen and quickly sold by the 5519 wallet, which sent 19.85 ETH to the 5520 wallet. This second wallet sent 61 ETH ($211,000) to mixing service Tornado Cash early Friday morning. The latest transaction of that wallet is a transfer of .6 ETH to a previously inactive wallet that then sent the same sum to an incredibly active wallet currently sitting on 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and an assortment of other tokens.
Blockchains and NFTs provide autonomy, but it also means that we are responsible for our assets — because no bank is overseeing them. At this time, understanding the different types of scams will help keep our NFTs safe.
0x02 types of scam
Fake page
When NFT launches many Open Sea pages appear, and many collectors fail to take extra steps to verify the minted provenance of the asset. What follows is that the illegal collectibles are removed from Open Sea along with the NFTs, but the scammers still have the buyer’s money. This happened recently in Punks Comic, where many people were tricked into minting from Open Sea pages and lost hundreds of dollars. so when you came across this situation, firstly, do not click on unverifiable links; secondly, double-check the domain name link — a scam site can often be distinguished by a different character; and finally, visit the work as soon as possible official website, Twitter, Discord, confirm that you are minting a verified connection.
Fake airdrop
Because of the existence of NFTs on the blockchain, your address is public to everyone, and so is your every move. This means that anyone can interact with your account, and they can send NFTs to your wallet as gifts — airdrops. Scammers will often send NFTs to your wallet for you to interact with them and learn your personal details, so it’s best not to interact with any new NFTs unless you’ve verified their origin.
Fake Account
Scammers will make a 1:1 copy of well-known NFT KOL Twitter accounts, and then use the identities of well-known KOLs to defraud. Some of these fake accounts achieve more perfect scams by purchasing fake followers. At this time, be sure to carefully check the Twitter account and the people you follow, and if it is found to be fake, you can report it to Twitter.
Trick out of someone’s seed phrase
Fraudsters will induce users to send their private keys or seed phrase to themselves through various means, such as setting up fraudulent websites, pretending to be an administrator to help users, etc. All these actions are to reduce the vigilance of users and wait for the opportunity to defraud the private key and the seed phrase.
Fraud links and fake links via Discord
Discord private message links are commonly used by hackers to deceive. Hackers often send private messages to members of different communities in Discord in batches, Or send fake phishing websites telling users that they can claim NFTs for free, etc. Once a user authorizes a fake website forged by hackers, it will bring huge losses to the user. Scammers will send fake Open Sea messages to people’s emails, asking recipients to click a “view” button.
0x03 How to preserve your NFT asset
- Backing Up from an NFT Platform
Once a creator or developer has created an asset it needs to be “minted” on an NFT platform, this is the process of registering it on the blockchain and activating the smart contract that governs the NFT e.g. what percentage of future sales are credited back to the creator. Once minted it can be made available for purchase. Buyers will purchase directly from the NFT platform using their crypto wallet.
NFT Platforms support wallets in different ways, some wallets can display NFT records, others cannot — it’s still early days — in this example, we will use Opensea.io a leading NFT platform, and the Metamask mobile wallet.
2. Use a Hardware Wallet
Hardware wallets can vary dramatically in their form and function, as well as their overall security, but in general, even the most basic options generally provide dramatically better security than most centralized wallet providers.
That said, you will need to ensure that the wallet you choose supports the blockchain(s) you intend to store your NFTs on and also that it supports the specific NFT token standards — since not all will.
3. Use a Different Marketplace
If the recent OpenSea bug has taught us anything, you don’t need to be explicitly robbed to lose your NFTs — you might end up inadvertently selling them at a frustratingly low price instead.
Depending on your NFT marketplace of choice, you may or may not have access to the controls necessary to adequately protect your NFTs against attacks or bugs.
In most cases, NFT marketplaces are non-custodial platforms, which means that you always control your assets even while they’re listed on the marketplace or simply presented in your portfolio. However, they do require that users authorize their smart contracts to interact with their assets, e.g. to transfer them to the correct buyer upon sale.
If these smart contracts have bugs, this can leave your NFTs vulnerable.
One of the simplest ways to check this is by looking at their public audits — which essentially check that their smart contracts do not contain any bugs or vulnerabilities, and are overall safe for the public to use.
Unsolicited emails and messages: Telegram, Discord, Twitter, and even your email inbox can be prone to spam, fraud, and various types of fraud-especially if you fall into a database leak.If you receive unsolicited messages from anyone through any of these (or other) platforms, it is likely a scam.Never give your private key or recovery phrases to anyone, regardless of their reason or status, and absolutely never authorize smart contracts that you are unfamiliar with.
- Always double-check: When purchasing an NFT, transferring it, using an NFT marketplace, or performing any other task that requires you to log into a website or service that can access your NFTs, always double-check that you have the correct URL. Cross-reference this on their socials for certainty and bookmark the link to prevent you from falling for a fake link.
- Be wary of copycats: One of the most common ways NFT holders get scammed is by falling victim to a copycat — i.e. somebody impersonating a reputable individual, entity, and organization, or even a phishing site. Only use official lines of communication when dealing with NFT transfers or trades, and always make sure the person you’re talking to is who they say they are.
In the field of NFTs, we must always be vigilant. A short-term error in judgment may mean that the assets in the wallet will be stolen for a while. Let more people stay away from the risk of being cheated!
ref:https://coinmarketcap.com/alexandria/article/how-to-protect-your-nfts
