Free NFT mint offers can be legitimate, but more often than not they are a scam designed to steal your crypto assets in one way or another. If you decide to participate in a free mint, use a fresh wallet with no assets held on it, and pay close attention to the permissions requested from the minting smart contract. It is also worth searching the contract itself for any undisclosed minting fees.
If something looks too good to be true, it probably is. Projects offering a free NFT mint can, in some rare circumstances, be legitimate. But more often than not the promise of a free NFT is a vehicle for a scam designed to steal your crypto assets. Free mints tend to fall into one of four categories: marketing for a legitimate project; royalty farming on secondary sales; hidden minting fees; and malicious contracts.
Updated 4/28/2022: added “Bookmark Frequently Used Sites” section
Keeping your funds secure is an ongoing process that requires regular attention and action. Wallets should be disconnected from dapps and websites you are not currently using, and permissions should be revoked for projects you’re no longer invested in. Use separate wallets for holding, DEX trading, and yield farming. If you have high value NFTs, they should be held in separate wallets as well. Never store funds on a CEX or any other custodial wallet, and never, under any circumstances, give out your seed phrase or private key.
Block explorers like Etherscan and BSCscan contain a wealth of information about a wallet or smart contract, but can be overwhelming to navigate. This first of two guides will explain what each piece of information is, and what they mean. The next guide will go into more detail about how the information can be used in research and investigations.
Everything done on a blockchain - every transaction, every swap, every contract signing - is public. Block explorers are how you can search, view, and analyze that data. Every major blockchain (ETH, BSC, AVAX, etc.) has its own explorer, and each explorer will only show information for that chain (so, you can only view ETH tokens/transactions on Etherscan, for example). But they are all formatted the same, so if you learn your way around one you’re good to go with the others. Now, let’s dive in.
Someone claiming to be a member of a project’s support team, or an admin, DMs you asking whether a question you posted in the channel was ever answered. Regardless of your answer, they will find some pretext to say you need to validate your wallet, and will send you a link to do so. The link is to a phishing site, and will most often ask you to enter your wallet seed phrase.
The particular approach used in this scam usually comes after a project makes some big announcement, and takes advantage of people asking questions about it. In this case, the SmartCoin team announced it was the last day to request a wallet reputation transfer to a new wallet, but the initial wording was a bit confusing, leading to a lot of questions in the channel.
Updated June 28, 2022 → added link to Bonkalytics
Research into a crypto project can generally be broken into three categories: the dev team; the project fundamentals; and the community. This guide will cover tools and techniques for researching each, red flags to look for, and general tips on how to go about learning as much as you can about a project. This is a reference guide that will be updated regularly to include new tools and services available, emerging threats in the space, and timely examples.
Updated 5/3/2022: updated ‘Name Spoofing’ section examples and tips
After replying to or quote-tweeting a popular Twitter account, you get a reply from someone impersonating them asking you to send a DM. If you do, there will usually be a short exchange about whether you invest in crypto, and if so, what projects and how much. This is followed by a claim that they can make you some quick money, and directions to join an exchange or investment site. These sites are honeypots - you can deposit crypto into them, but cannot take funds out. If you do make a deposit, the scammer will sometimes try to press for you to send additional funds to cover supposed trading fees or taxes.
The security provided by measures such as audited contracts, locked liquidity, and doxed/KYCed teams is often overstated by projects, and misunderstood by investors. Every measure has its strengths and limitations, as well as workarounds that can be exploited by bad actors. Knowing and understanding these will help you better assess the relative risk of a project before investing.
Above and beyond anything else, a project’s team needs to inspire trust in the project itself. Even if people don’t necessarily trust the team (say, if they are anonymous), they have to at least trust the safeguards put in place around the project. Third party audits and code reviews, liquidity locks, and other such measures are common safeguards used to build trust, but how much security do these actually provide?
If you receive a random DM from someone you don’t know, congratulating you on winning a giveaway you never entered, from a crypto exchange you’ve never heard of, it’s a scam. If you follow their prompts, create an account on the exchange and enter the given promo code, it will appear as though the funds you “won” are in your account. However, you can’t withdraw or trade them until you “verify your wallet” by depositing a decent amount of BTC. This will, unsurprisingly, result in a loss of funds.
Unsolicited DMs on Discord, Telegram, and Twitter are a common occurrence if you do not have your privacy settings adjusted to disallow them. I like to leave mine open, however, to catch gems like this. A random account reached out to me with good news: I had won a giveaway from their new exchange!
Rebasing projects promising 6-7 digit APYs require a constant flow of new money buying in to cover for when old money sells. High buy and sell taxes help ensure new investors hold for at least several weeks to avoid selling at a loss, which increases their risk exposure to price fluctuations. While it is certainly possible to turn a profit investing in such projects, it is not likely to happen from APY returns alone. Always do the math, and understand your breakpoints and risk exposure before investing.
Ponzi Scheme (noun) - an investment fraud that pays existing investors with funds collected from new investors, rather than revenue earned from legitimate business ventures. That is, when early investors want to sell, it’s money from new investors that’s paying them. When this concept is baked into the tokenomics of a crypto project, the results can look too good to be true. I’m going to use SAFUU as an example here, but the same principles apply to any such project:
For all the myriad ways a scam can be dressed up and presented - from simple Nigerian Prince emails to complex investor schemes - the vast majority of them are ultimately designed to achieve only one of three goals: trick you into sending them money; trick you into sending them enough information for them to take your money; or trick you into giving them login credentials to online accounts. Knowing and understanding these goals makes it significantly easier to identify scams, and avoid falling victim to them.
For as long as money has existed in any form, there have been people trying to obtain it dishonestly. Even in ancient Greek times, there are records of tax collectors weighing household grain to be taxed on rigged scales, fooling families into overpaying taxes, the excess of which went into the collector’s pocket. As financial systems have grown and evolved over the centuries, so too have the methods and techniques used by scammers to exploit those systems. It should come as no surprise, then, that the rise in popularity of cryptocurrencies and DeFi has led to a massive rise in fraud and financial crime.