I'm Sarah, the artist known as Looona Lou (@looonalou) across the interwebs. I've been involved in NFTs since early 2021, vibing and having fun with many lovely humans in this space but just recently experienced my first scam and phishing attack, resulting in the loss of my most valuable NFTs and control over my wallet. That truly shook me to the core and still… does feel very surreal. However, I believe in the motto "never give up," and so I've come up with a wallet system to keep myself and hopefully you safe in the future of this wonderful Web3 space. So in this article, I'm gonna spill some smol but mighty tips on how we can protect ourselves better, avoid scams, and keep our Web3 identity, funds, collections, and wallet control intact. Ready to hop down that rabbit hole with me? Then grab some coffee or tea and let's go:
Me and My Case
Even before NFTs, I have been very cautious and suspicious about everything and everyone, despite usually being a very positive person. Huge thanks to my history high school teacher for that: "Many people lie or distort the truth at times. Always remain vigilant and consult multiple sources." This has often saved me from being scammed, both in real life and online. With getting into this new territory of Blockchain and NFTs, it became even more challenging to keep yourself protected. In the end, we are all humans, some of whom do stoopid or unaware things, and everyone might at some point fall for some kind of scam in their life - may it have a small or big impact on their life. I still don't fully understand everything Web3 or crypto myself and probably never will because atm I am not a trader, neither an expert nor a developer, and I definitely lack coding language skills. I am just an artist trying to explore this world and this space, as I have explored every other social media site and possibilities for artists before. And in each space I made many beautiful connections to other artists, mentors, collectors, organizations and all kinds of lovely human beans, that I can call friends or companions now and I am very grateful for that in the first place.
But yeah, what did happen?
One hot sunny morning, I clicked on what I thought was an official link posted by someone I usually follow. Still feeling secure and confident - we vibin' - I signed into that website which didn't look unfamiliar to me, intending to register some of my NFTs for the future, another whitelist and more, only to discover it was an imposter and a malicious link. So, of course, that promised registration didn't happen, but instead, all my NFTs of any higher value were transferred to a scammer's wallet using a flash bot or something. Many token approvals were opened, and also a suspicious contract has "upgraded" something to a "proxy" in connection to my Opensea in the back. With that, I lost at least around (potential) 11.000€ worth of NFTs (and that's measured in our beloved floor price), most of which I didn't even want to sell and had diamond-handed for about two years already and wanted to hodl for even longer, if not forever! Ofc my body instantly reacted, and I nearly fainted or even had a heart attack, it just hurt and was fast idk tbh. But since it was pretty early I gladly was still lying in bed and already know how to help myself in such a similar situation since fainting is nothing new to me. So yeah, that was a very fast and hard "Bye-bye" to my adorable Pudgy Penguins and beautiful handpicked anime waifus and artworks drawn by artists whose art I have adored for years... (Shoutout to Zeronis, Gharliera, James Jean, Naoki Saito and Zumi) "But why did you have to take my waifus, man… frl, my waifus!?" uwu
Nevertheless, that wasn't all that happened that day. deep breath ( •_•)
Although I can still log into that now compromised wallet, I lost sole control over it due to a second incident on that same day. How could that happen, you ask? Still morning, already hurt, still in shock, and therefore very vulnerable, I was tricked by someone who apparently just wanted to "help me rescue" what was left and make sure I am "safe" now, but instead knew what he did and now also has control over my wallet. Lesson learned: Never do a screen-share with someone you don't know, especially not if you do have problems understanding what the person wants to tell you due to his poor language skills… I still don't know who either of these people were, maybe the police will find out, but I definitely believed in the good of humanity with the second person and am very disappointed now. Luckily I was able to quickly save the most important NFT in that moment, while I saw how my funds left my wallet: My ENS address! Next to a beautiful work by JeyRam. (っ•ᴗ•)っ ♥
With that, I just knew I needed to become over 9000% safer again before I continue my CryptoArtist journey. That's why I want to share the wallet system that will hopefully have the power to not only protect me and my future collection of NFTs by artists and projects I like but also inspire you to spice up your safety mechanisms or at least bring more awareness to this topic.
To become and stay safe, I have considered a precaution that may not be unfamiliar to OG CryptoArtists, CryptoTraders or other degens. However, as an artist who has only used one (Ethereum) wallet plus believed in having everything under one address and standing for it with my artist name was a matter of principle, provenance and the norm - it is certainly a new approach for myself. And I have seen some artist friends who might want to consider this system as well:
Have a multiple wallet system: "One, two, three, safety is the key"
It's good stuff, I promise, because it:
provides clearer management
is better for sorting out tax stuff
protects your creator account and most valuable assets
As a creator I do recommend having at least a 3 type wallet system:
Wallet Type 1
Creator Wallet
for minting and selling your creations
connect to trusted creator sites like OS, FND to set up your artist profiles
can use an ENS address of your artistname with this wallet (e.g.: "artistname.eth")
never have too many funds on here (send them to Wallet Type 3 or through a CEX if you want to cash out to your bank account)
Wallet Type 2
Trading Wallet
most risky wallets
recommend to always use with hardware wallet + browser extensions
to connect to sites (like marketplaces) for trading, lending, buying and selling NFTs and coins
to mint and collect NFTs from others
to hold NFTs you want to connect to Discord for special roles
you can create subnames of your main ENS name for this wallet type (e.g. "collection.artistname.eth") but if you have an old ENS name you need to wrap it first to create subname ERC-1155 NFTs
recommended to not have the majority of your funds here either
You can have more of this type of wallet to stay even more protected!
Examples: Have one for trading coins and DeFi (on sites such as uniswap), one or some for minting new/risky NFTs, one for selling and buying on official marketplaces and one to hold and connect NFTs to Discord servers and official websites.
This is totally up to you and what you want to do in the crypto space. I personally recommend to use this type of wallet with the connection to a hardware wallet and to use (D)APPS on a PC browser or Mac because you are able to use it with browser extensions like Pocket Universe or Wallet Guard to stay even more safe and check what transactions and signatures do behind the scenes and if assets get traded or not. Big thanks to @morello and @Jon_HQ for telling me about them.
Wallet Type 3
Treasure Wallet
for sending in NFTs and coins you collected on Wallet Type 1 and 2 and want to (longtime) hold.
for sending out those you want to sell/trade later on your Wallet Type 2.
do not approve anything or only the necessary on here - no signs, nothing. You don't even need to use Opensea since you should be able to transfer NFTs directly from your wallet to others
a hardware wallet connection is highly recommended - you can even use a separate one for this and keep it in a safe.
if you want, you can also create an ENS name (e.g. artistnamevault.eth) or subname of your main ENS name for this wallet (e.g. "vault.artistname.eth") if you like. But don't forget to cut off the connection to the site after registration later.
Centralized
CEX Wallet
To withdraw money to your bank account you can use a CEX Wallet app (e.g. by Coinbase or Binance) of your trust. On there you can very securely buy crypto with fiat money ($, €) or sell it and withdraw the funds in your currency to your bank account or Paypal. I wouldn't recommend to longtime hold much money in here but just use it as a pit stop.
Essential
Hardware Wallet
Next to these wallets you will need at least one Hardware Wallet (e.g. by Ledger or Trezor) to keep your coins and NFTs safe in general or longtime and authorize transactions with.
To be most secure you can even set up your wallets on here first and then connect to MetaMask. This is especially recommended for Wallets Type 2 and 3.
Keep your digital house clean with a routine
Wallet Routine - this is something you want to do regularly or after every usage:
clear "connected sites" in your MetaMask wallet
check Etherscan token approvals (https://etherscan.io/tokenapprovalchecker) and remove if you find some (or use revoke.cash)
lock your wallet every time after usage or activate the automatic lock after a few minutes
you can also switch to another safe blockchain/host before locking. Example: "Firewall" created by a trusted member of our community @kaijuking77: https://kk779.io/firewall/
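One way a token approval check like the one in the routine above can work, as an added example that is not part of the original article: replay the approval events a wallet has emitted and keep only the ones that were never revoked. The log entries and all addresses are constructed for illustration; the two topic hashes are the standard ERC-20/ERC-721/ERC-1155 event signatures.

```python
# Added example (not from the article): replay approval events for one wallet
# and report which approvals are still open. All addresses are constructed.
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
ZERO = "0x" + "00" * 20

def addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Return sorted (contract, kind, spender) tuples still active for owner."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) < 3 or addr(t[1]) != owner.lower():
            continue  # not an approval granted by this wallet
        contract, spender = log["address"].lower(), addr(t[2])
        if t[0] == APPROVAL_FOR_ALL and len(t) == 3:
            # ERC-721/1155 operator approval: data is a bool, false = revoked
            key, on = (contract, "all NFTs", spender), int(log["data"], 16) != 0
        elif t[0] == APPROVAL and len(t) == 3:
            # ERC-20 allowance: data is the amount, 0 = revoked
            key, on = (contract, "ERC-20 allowance", spender), int(log["data"], 16) != 0
        elif t[0] == APPROVAL and len(t) == 4:
            # ERC-721 single token: approving the zero address clears it.
            # (A transfer also clears it; transfers are not tracked here.)
            key, on = (contract, f"token #{int(t[3], 16)}"), spender != ZERO
        else:
            continue
        state[key] = (key[0], key[1], spender) if on else None
    return sorted(v for v in state.values() if v)

def pad(a):
    return "0x" + "0" * 24 + a[2:]

def word(n):
    return "0x" + format(n, "064x")

def ev(block, contract, topic0, frm, to, data="0x", extra=None):
    topics = [topic0, pad(frm), pad(to)] + ([extra] if extra else [])
    return {"blockNumber": block, "logIndex": 0, "address": contract,
            "topics": topics, "data": data}

# Constructed sample data: one wallet, one NFT collection, one ERC-20 token.
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "ee" * 20
NFT, COIN = "0x" + "c1" * 20, "0x" + "c2" * 20
MARKET, UNKNOWN = "0x" + "0e" * 20, "0x" + "bd" * 20
SAMPLE_LOGS = [
    ev(100, NFT, APPROVAL_FOR_ALL, OWNER, MARKET, word(1)),
    ev(105, NFT, APPROVAL_FOR_ALL, OWNER, MARKET, word(0)),     # revoked later
    ev(110, NFT, APPROVAL_FOR_ALL, OWNER, UNKNOWN, word(1)),    # still open
    ev(111, COIN, APPROVAL, OWNER, UNKNOWN, word(2**256 - 1)),  # unlimited allowance
    ev(112, NFT, APPROVAL, OWNER, MARKET, extra=word(7)),       # single token
    ev(90, NFT, APPROVAL_FOR_ALL, OTHER, UNKNOWN, word(1)),     # someone else's wallet
]

if __name__ == "__main__":
    for contract, kind, spender in open_approvals(SAMPLE_LOGS, OWNER):
        print(f"{kind:17} on {contract} -> {spender}")
```

Every entry this prints is something a third party can still move without a new signature, which is why an "all NFTs" approval to an operator you don't recognise is the first thing to revoke.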
Safe & Clear PC - regularly
empty out browser cookies and downloads
use an updated antivirus program and scan your PC (esp on Windows)
check for updates (Windows, MacOS, devices, other hardware, software)
don't download anything (esp not from anyone you don't know) on devices with your most valuable wallets (files like .zip, .rar, .scr, .word, etc.)
Stay safe on mobile devices, too
always update your phone to the latest version since they often get new security updates
use a (bluetooth) hardware wallet with it, too
use an antivirus software if possible (esp for Android)
A safe is safe
try not to reuse any passwords on anything
do not save any, but especially not wallet passwords, seedphrases and private keys on your devices! Use pen and paper or even a metallic plate to store your keys so they can't even burn. To be extra secure: Put this in a fireproof safe somewhere.
you can even put one of your rarely used hardware wallets in a safe on which your longtime hold crypto and assets are connected to and stored on.
use multi-factor authentication (2FA) on anything if possible
always be sus about everyone; don't be ashamed to ask many questions to be sure about anything
take your time before and with every transaction and click you are about to make
How to discover something or someone might be a scam:
My rule: "If it seems sus, it often is sus." These are some common indicators:
they never say your name (e.g.: just "Hello" or "Hi" in the first sentence)
they don't say anything specific about you (could be a mail to anyone really)
they use wrong/unofficial email addresses or impersonate others with similar, nearly identical names, profile descriptions, pfp, banner etc. on social media
they are not doxxed
no one you know follows or knows them
they are only in very high valuable or recently hyped NFT project Discords (BAYC, Pudgy Penguins)
they wanna send you any links to click or files to open
What to do if sth happened:
POV you have been scammed:
stay/ get calm before you do anything first because if you are emotional you (re)act very vulnerable and might do even more damage
screenshot and save evidence of anything you can remember: What got you into this situation? Who? When? How? What did you lose? Use Etherscan and your wallet history. Write it down - this document (PDFs are recommended) will be helpful in any case, especially if you want to send in a police report.
then reach out to any official authorities depending on what happened where and what you wanna go for (MetaMask, Opensea, Ledger, Police etc). Don't forget to send them a list of the stolen assets (best with links to Etherscan or Opensea) and anything you know about the person/site that scammed you.
never answer any unknown people who come to you after an incident especially not in DMs (Discord, Twitter etc)
always be careful with everyone in general (don't give out too much personal information)
inform yourself of any legal actions and rules depending on where you live and where the incident happened (insurances, police, law) before you act further
don't do sth illegal to possibly save your lost assets (many "hackers" or "developers" might come to help you get back things you lost, which isn't only illegal but often they are just further scammers, who just want some money upfront for their work and then disappear or trick you into losing your wallet control)
you can ask trusted people you know (if they are doxxed to you it's even better), wizards, developers and tech friends to look over your transactions on Etherscan if you don't understand what it says and to check if some kind of contracts were created and if they are still active and your wallet is compromised. But don't give anyone your private key or seedphrase ever.
You can also inform the communities of stolen NFTs in their official Discords or ticket service about which ones were stolen (with links) so the community doesn't buy them from the scammer. This reduces further damage to anyone and prevents complicated situations with people, who buy the stolen assets while they will soon, or already have been, flagged orange by OS. This applies to when they are red-flagged because you reported it to the police as well. Best to wait for the police to send you an answer first. This can take time.
If you have contacted the police and your stolen goods have already been traded to new collectors in the meantime, they will most likely contact you to remove the flags. Inform yourself or get legal help from a lawyer if possible. It's your decision to find an agreement with these collectors to set the NFTs free again, to get them back (would be the morally right thing to do) or wait until you have more answers from authorities. You must know, that it's most likely not legal to trade stolen goods especially not if you are aware of it! So these collectors will proceed at their own risk if they actually would resell or dump them on other markets (such as Blur) and getting new collectors in trouble with owning a stolen good if they have been reported as such and are still flagged.
revoke any tokens on etherscan or revoke.cash if possible (this will cost ETH for txns)
then transfer all the remaining NFTs to another (new) wallet on another device or to a trustable friend or family member if there still is anything you want to save immediately (will also cost txns). Only use direct transfer or if the approvals for the tokens are still on or ETH offers are active, use the option of a reserved sale on Opensea to transfer them for 0 ETH. You can also bundle up to 20 NFTs for such a sale on OS.
if you lock the wallet, do not have more than 1 Dollar in ETH in your (compromised) wallet after this. If it is compromised and you lost your wallet control, the person having access can still withdraw any NFTs or funds with this.
if there aren't any more NFTs and funds to save, lock your account on Opensea so no further NFTs can be traded on there.
if you have lost assets you can let them be marked as stolen with a warning orange flag on the assets by Opensea, if they haven't done that already. But to save them from further trading and lock them up for longer than 7 days, you have to hand in an official police report during that time.
scan your device for malicious programs and activities with an antivirus program
In case you want to change your MetaMask password: Make sure you do have your MetaMask seedphrase and key safe offline, delete the extension from your browser and import it again with the seedphrase and a new password.
Inform your community/ collectors, that your wallet is compromised and you need to make and use a new one from now on.
Transfer your ENS address to a new wallet if you (still) have it and set the manager and registration for it to it. Later you can create subnames of it for your old account etc.
If you want and can: Give your collectors the option to burn the NFTs they bought from you and remint them on a new contract, especially 1/1s and if they have the intention to resell them at some point and you should get any royalties. They might even provide the minting or transactions fees. In every case, be patient and wait till gas is low. Otherwise you can promise to not remint them ever again because in the end there are many collectors of 1/1 artworks who mainly bought to support the creator or because they like to collect and keep the artwork in the first place. You will collaboratively find solutions, if necessary.
Know, that you don't have to offer anything right away, make sure to get safe and back on your feet first, so you can think clearly.
the provenance and data of your artworks are saved on the blockchain and therefore in any case, already are part of the history of the Web3 space written down on a block. So be sure, that this is something you can't lose.
In any case, this definitely is a good time for you to reconnect with your friends, community and collectors.
Luckily you can also change the admin of your Manifold contracts and who receives the royalties to your new wallet.
Sadly this isn't possible for Foundation contracts but if you still have access to the compromised wallet you can at least change your username on Foundation and reuse it for a new account. You can also put a note and link to your new account on the site of the old one.
It's always a good idea to have a portfolio or website with your (old) artworks. Especially if you have to restart with a new wallet. If you would still love to add the NFT links and somehow lost access to your past wallets where they are minted on, you can add a warning or informing text to inform potential buyers or a little attention symbol ⚠️ next to the art on your website.
"Never Give Up"
Don't lose hope in humanity just because you encountered some evil bad types of our species, but rather look out for the ones that are lovely, helpful, grateful and caring humans. It's important to surround yourself with nice people especially if something bad happened. Then equip yourself with the lessons you might have learned and new knowledge so that something like this will hopefully never happen again - or not to such an extent. ✨
If you made it this far, thanks a lot for reading - I hope it was easy to understand and please: stay safe!
Warmly,
Looona Lou
LittleLisArt for being my work buddy and caring friend,
Aziz for being there when I called for the purple gang,
Orabel for reminding me of the Manifold possibilities,
Wailoaloa for offering me my first new waifu to restart a new collection with,
Kiwi for helping me to confirm and understand what was going on with my wallet
and everyone else I mentioned in this text, my friends and the Anifam community including everyone who has collected art from me on Tezos or Ethereum in the past and who recently contacted me because of this incident!
Thanks a bunch! You guys are the reason I love this space so much!
PS: If this smol article was any helpful, share it to everyone who you think also needs to be protected at all costs! (っ´•ω•)っ
If you would like to support me and my work or just wanna help me getting back on my feet, feel free to collect one of my "Gentle Guardian" editions of my new series "PATRONUS" as a symbolic and cute protection of your own wallet or a friend's. There also is an option to purchase a copy of this article.
If you enjoy reading, I recommend checking out some fellow creators who have published helpful and interesting articles on mirror: