HOW NOT TO GET SCAMMED IN NFTS. MADE EASY.

Overview

If you found this article you probably invest in NFTs. Because the industry is so new, it’s chock-full of people trying to take advantage of you with every link you click and every NFT you mint. It’s the modern-day wild west out here!

Today, I will show you everything you need to know to understand how NFT scams happen, what to look out for as a project founder and NFT collector, and ultimately how to keep you and your community safe in Web3.

NFT Hacks

NFTs are no different from any other store of value in that they attract some of the biggest scum on the earth. The same cool reasons you’re into NFTs are why bad actors are here as well: the decentralization and open-source nature that NFTs offer! If we look at successful NFT hacks, we see that most of them succeeded because of loose security measures. Let’s take a deeper look into some of the bigger cases.

A number of high-profile hacks and scams have occurred in the world of non-fungible tokens (NFTs). In one incident, hackers stole thousands of dollars worth of artwork from user accounts on Nifty Gateway, a platform for buying and selling NFTs. Nifty said that the platform itself had not been compromised and that the actual people affected were users who had not enabled two-factor authentication on their accounts.

In another case, scammers were able to hack the Twitter account of digital artist Beeple and tweet out a fake link to a raffle promising free mints of his NFTs. Once users connected their wallets to the link, the scammers emptied them and stole approximately $400,000 worth of cryptocurrency assets.

The popular NFT project Bored Ape Yacht Club also fell victim to hacking when attackers posted a phishing link on the company's Instagram page. The link led users to a fake smart contract, which wiped out their wallets when they connected them. In total, around $3 million worth of Bored Ape NFTs and other assets were stolen.

In addition to these attacks, the NFT marketplace OpenSea has been targeted by phishing scams, and a loophole on the platform was exploited, allowing users to purchase NFTs at much lower prices than their market value.

Even Adidas, the sportswear giant, was affected by a smart contract flaw that was exploited to bypass the limits on the maximum number of tokens that could be purchased for a given wallet. An attacker was able to collect 330 NFTs by simply removing the limit that only allowed two NFTs per wallet.

Finally, Magic Eden, one of the largest Solana NFT marketplaces, had to suspend its platform and services due to two major "rug pulls" (when an NFT project is abruptly terminated, causing investors to lose their money). Magic Eden refunded the minters of the two projects and has since then taken more steps to ensure the authenticity of projects they choose to allow on their launchpad.

Security Flaws in an NFT Community

NFT security doesn’t stop at the blockchain level. Many of the recent NFT hacks mentioned above were a result of hacked login credentials and phishing attempts due to users’ lack of awareness or experience level.

If you are the manager of an NFT community, it can be tough to maximize security since you’re in charge of so many different social media accounts. All of these accounts you are responsible for are at risk of scams and social engineering attacks. Bad actors will target members of your community and try to take advantage of them through various methods such as phishing, token copies, airdrops, and rug pulls.

Here are some methods scammers will use to take advantage of you and your community:

Token copies

Scammers will create tokens that look like the legitimate token of your community in the hope that you purchase or trade them, just so they can dump them on you.

Rug Pulls

A classic in the NFT space. A scammer will create a token or an NFT project and then spend a lot of money to artificially hype it up and create fast growth. Once they sell out their mint, they delete all of the social media, websites, etc., and disappear with everyone’s money, leaving you with a worthless token.

Airdrops

These usually occur around the project launch, where users are gifted tokens instead of having to purchase them. A common scam is that the tokens won’t swap when you attempt an action, and the user is redirected to a website that asks for personal information such as seed phrases, private keys, passwords, etc.

Social Engineering

Phishing and spear phishing attacks are a threat to the community. These attacks are carried out by sending malicious links or attachments to community members, with the goal of tricking them into clicking on them. The attackers may also target account owners and administrators, attempting to trick them into revealing sensitive information, such as passwords or seed phrases, in order to gain access to their accounts. Once they take over an admin's account, they are able to post announcements that contain scam links. Since it’s coming from an admin, many members of the community will fall for it.

Tips to Secure Your NFT Project

To improve the security of your NFT project, it is important to stay educated and aware of potential threats. As a community manager or smart contract developer, you can implement best practices to increase the security of your project.

Scammers often use popular crypto platforms and mediums such as Twitter, Discord, Telegram, Metamask, Phantom, OpenSea, and Magic Eden to facilitate scams and account takeovers. Be wary of any emails or DMs requesting seed/recovery phrases or private keys, as these are common tactics used in phishing campaigns. Remember that official support accounts will never ask for this sensitive information!

Let’s take a deeper look into good security hygiene.

Managing Community Security

Password Management & Enabling 2FA

  • Use a password manager to protect your passwords and generate complex and unique passwords.

  • Do not store passwords in a web browser, especially for browser-based wallets.

  • Enable two-factor authentication (2FA) on every account, especially if you are an admin.

  • Avoid using SMS or email authentication, and use app-based 2FA instead.

  • Verify the sender's address before responding, clicking on links, or sharing any information.

Wallet Security

  • Keep your seed/recovery phrase for any wallets tied to a project safe.

  • Store your seed/recovery phrase offline and make multiple copies.

  • Physically write your seed/recovery phrase, split it into two pieces and store each half in a different location.

  • Consider using a secure hardware wallet and keep your assets in cold storage. Only have assets in a hot wallet when you are about to sell/exchange them.

  • Create an allow list on your wallets and accounts if possible for added security and to stop unwanted transactions.

Keeping Your Tools and Devices Up to Date

Keep your browsers, devices, and OS as up-to-date as possible.

Ensure you are using the latest versions of all tools, third-party libraries, and integration points.

Smart Contract Security Tips

  • Conduct regular security audits and enlist the help of others to review your work

  • Be mindful of adding extra functionality, as it may come with security trade-offs

  • Follow best practices for developing complex, multi-functional contracts on your chosen blockchain network

  • Use automatic validation tools and choose a programming language that prioritizes security

  • Test your contracts thoroughly using both unit tests and blockchain test networks

  • Consider offering bug bounties to incentivize others to help find vulnerabilities in your contract

  • Use specialized testing tools, such as formal verification and symbolic execution, to validate your contracts

  • Vet any third-party developers or contractors you use for your smart contract build

  • Implement community guidelines to help keep your users safe, including verified communication channels and usage guidelines.
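As an added illustration of the per-wallet limit tip and the Adidas case above, here is a minimal mint contract that enforces a cap of two tokens per address. This is example code written for this article, not the Adidas contract or any project's own code; the collection name, supply and OpenZeppelin ERC721 base are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Example only: a mint with a hard per-wallet cap. Names and sizes are assumed.
contract CappedMint is ERC721 {
    uint256 public constant MAX_PER_WALLET = 2;   // the two-per-wallet cap discussed above
    uint256 public constant MAX_SUPPLY = 1000;    // assumed collection size
    uint256 public totalMinted;

    /// Persistent per-address mint counter. Enforcing the cap on
    /// balanceOf(msg.sender) instead would reset a wallet's allowance as soon
    /// as it transferred its tokens away, so the count lives in storage.
    mapping(address => uint256) public mintedBy;

    constructor() ERC721("CappedMint", "CAP") {}

    function mint(uint256 quantity) external {
        require(quantity > 0, "quantity must be positive");
        require(totalMinted + quantity <= MAX_SUPPLY, "sold out");
        require(
            mintedBy[msg.sender] + quantity <= MAX_PER_WALLET,
            "exceeds per-wallet limit"
        );

        // Checks-effects-interactions: update the counters before minting,
        // because _safeMint calls back into the receiver when it is a
        // contract, and a re-entrant call must already see the new counts.
        mintedBy[msg.sender] += quantity;
        uint256 firstId = totalMinted;
        totalMinted += quantity;

        for (uint256 i = 0; i < quantity; i++) {
            _safeMint(msg.sender, firstId + i);
        }
    }
}
```

A unit test for this contract should assert that a third mint from the same address reverts with "exceeds per-wallet limit". Note that a per-address counter limits each address, not each person, so an allow list or signed mint pass is still needed if one person must not mint from many wallets.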

What to Do If You Think You Have Been Compromised

It's important to plan for the unexpected and have a strategy in place to protect your community and assets in case of a compromise. Here are some steps you can take if you suspect you have been compromised:

  1. Have a plan in place and know who to contact for help, such as a security expert or trusted friend.

  2. Change your passwords and enable two-factor authentication (2FA) immediately.

  3. Notify your community about the breach and warn them not to click on any suspicious links or respond to fake messages.

  4. If the compromised password is used on other accounts, change those passwords immediately.

  5. Check your digital wallets for any suspicious transactions and disconnect them from any sites where applicable.

  6. Transfer any funds or non-fungible tokens (NFTs) to a new wallet as soon as possible and change the new wallet's password and enable 2FA.

  7. Check your devices for any malware that may have been installed.

  8. Implement spending limits and smart contract approvals to prevent large losses.

  9. Enable allow listing to a safe address to prevent the attacker from making unauthorized transfers.

Conclusion

NFTs offer various opportunities, such as investment, brand collaboration, digital art collection, and supporting the creator economy. However, like any other asset, NFTs can be exploited through various vulnerabilities. It is crucial for those developing NFT projects to understand the risks and implement security measures, such as security audits and best practices, to protect their communities. As an NFT collector and user, it’s important to understand where these vulnerabilities can exist. Make sure you take all steps necessary to protect yourself and your investments.

Subscribe to my newsletter for more articles and to be eligible for NFT airdrops!

Feel free to reach out to me via Twitter if you have any questions!

If you would like to donate and buy me a coffee please do so Here.
