Articles | July 4, 2022

NFTs: how to protect yourself from Social Engineering Frauds!

by Scott Pounder

Head of Investigations

Crystal Blockchain’s guide to safer NFT use 

With the popularity of NFTs (Non-Fungible Tokens) increasing, they have become an attractive target for scammers, so we have put together our list of the five most common methods scammers use. We’ve included a short guide on how to make it harder for the criminal to succeed. (If you’re still wondering what an NFT is and how it works, take a look at our NFTs intro article from last year!)

1. Phishing

TLDR: check the link before you click on it 

This follows on from the OpenSea news last week regarding a data leak in which customers’ email addresses were disclosed. OpenSea has already warned its customers about potential phishing via email.

Phishing, the practice of deceiving a user into clicking or downloading something by pretending to be a trusted source, is nothing new and is not unique to cryptocurrency. What this most recent data breach allows is more targeted messaging, known as ‘spear phishing’: the attacker now has a list of email addresses that they know have interacted with OpenSea.

People are more likely to open and respond to an email that comes from a familiar or known address. 

To that end, it is possible for the attacker to craft an email message to the victim “from” OpenSea.  

They may use some tactics to make the address look more genuine, such as changing the letter ‘O’ to the digit ‘0’ (0penSea).

They may also try to hide the true domain behind a chain of subdomains, such as “security.opensea.io[.]scammer.net/link_url/recoverpassword_pleaseclick”. In this example, though you can see ‘opensea.io’, the actual domain is ‘scammer.net’. Look at the last two labels of the host name, immediately before the first ‘/’, and make sure they match the genuine sender. They may cover this up by using URL shorteners or simply by editing the visible link text so that it differs from the real address; make sure you check the link before you click on it.
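The domain check described above, written out as a small Python helper. This is an added example, not code from Crystal Blockchain; the sample link is the defanged one quoted in the article, and the function names (`registrable_domain`, `classify_link`) and the default expected domain are assumptions for illustration. It applies the article’s “last two labels of the host” rule, and additionally flags the letter-for-digit lookalikes (0penSea) mentioned earlier. Because it uses a real URL parser, it also resolves cases the text does not spell out, such as a `user@host` prefix placed in front of the real host.

```python
from urllib.parse import urlsplit

# Constructed sample: the defanged link quoted in the article ("[.]" stands for a dot)
SAMPLE_LINK = "https://security.opensea.io[.]scammer.net/link_url/recoverpassword_pleaseclick"


def refang(url: str) -> str:
    """Turn a defanged URL ("[.]", "hxxp") back into a parseable one."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def hostname(url: str) -> str:
    """Return the lower-cased host part of a URL, adding a scheme if the text omitted one."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    # urlsplit() strips any user@ prefix and :port, leaving only the host the browser connects to
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """The article's rule: the last two labels of the host, i.e. the part just before the first '/'."""
    labels = hostname(url).split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, expected: str = "opensea.io") -> str:
    """Classify a link relative to the domain the sender claims to be.

    Returns 'ok' when the registrable domain matches, 'lookalike' when it only
    matches after undoing common letter-for-digit swaps (0 -> o, 1 -> l), and
    'wrong-domain' otherwise (for example a chain of subdomains on another domain).
    """
    domain = registrable_domain(url)
    if domain == expected:
        return "ok"
    folded = domain.replace("0", "o").replace("1", "l")
    if folded == expected:
        return "lookalike"
    return "wrong-domain"


if __name__ == "__main__":
    for link in (SAMPLE_LINK, "https://0pensea.io/login", "https://opensea.io/assets/123"):
        print(f"{link} -> {registrable_domain(link)} ({classify_link(link)})")
```

Two caveats for anyone reusing this: the two-label rule is the article’s rule of thumb and is wrong for registries that use a two-part public suffix (for example `.co.uk`, where the registrable domain is three labels); a robust check uses the Public Suffix List. And a shortened link hides the host entirely, so it has to be expanded (most shorteners offer a preview mode) before a check like this means anything.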

A further measure to consider is to verify the transaction history of the NFT and of the seller. A major red flag is an NFT (Non-Fungible Token) priced far below a realistic level that seems too good to be true. You can check this by viewing the contract address on Etherscan, or by checking the details on the NFT’s own page, such as its price history.

Crystal Expert includes Ethereum transaction monitoring in our AML compliance analytics solution. 

Also verify the URL and look for minor differences on the website or marketplace before linking your Web3 wallet. 

2. Social Media Influencers

TLDR: If the deal seems too good to be true it probably is! 

With promises of limitless wealth requiring no effort or knowledge, the social media influencer is the go-to for many a victim looking to capitalize on these schemes without doing any research at all. The fraudsters normally take a well-known influencer or project, spoof the account, and post outrageous and unachievable gains or freebies. They will often DM the victim to build trust and then part you from your assets.

And it is not just the unverified accounts to watch out for: there have been many reports of legitimate influencers being paid by scammers to promote various scam projects, and a price list of influencers’ charges has been published online.

Remember, if the project fails there is generally no recourse for a refund, and the influencer will simply state they did not realise it was a scam. As always, if it seems too good to be true it probably is too good to be true; take a minute to stop and think clearly before parting with your assets. Do not be overcome by dreams of becoming a multi-millionaire.

3. NFT Imitators

TLDR: Verify the authenticity of the NFT before making a purchase 

Several bad actors have been known to observe the wallets of social media influencers and celebrities in some detail. They then use the information gained to create NFTs comparable to what the influencers hold. 

A lot of people want to see what is in these wallets and make related ventures and investments. Because of this, due diligence should be conducted to verify the authenticity of the NFT before making a purchase. There is also the issue of fake mints, whereby the scammer mints NFTs to a public address and then claims the project has been endorsed by the person involved in the project.

NFT imitations have become such an issue that some services and other projects have decided to implement a Proof-of-View protocol that will verify the authenticity of the NFT to prevent people from becoming victims of this type of scam.

4. Scams on Discord

TLDR: Beware of smishing 

Discord is a voice, video, and text communication service used by over a hundred million people to hang out and talk with their friends and communities. The platform is used by many NFT and crypto projects. It is used for many purposes, and with such a large pool of potential targets it has become an attractive prospect for scammers. 

There is a large amount of data on Discord which can be turned to the scammer’s advantage. As with the social media scams, this is achieved either by hacking the channel or by sending false messages to Discord users via DMs (smishing).

Do not click on links posted by unknown entities. In a project’s main channels, confirm that a message really came from an admin before clicking anything in it. Owners of legitimate projects do not generally send private messages to anyone without good reason. Exercise caution when dealing with any users on Discord and remember it is easy to use as an anonymous platform.

5. Compromised Social Media

TLDR: Hackers using influencers’ social media accounts as “puppets”

Much like the other scams mentioned above, compromising the social media accounts of trendy influencers through various social engineering methods is an exceedingly popular way for scammers to mislead users into connecting their wallets to malicious entities, and it is a gateway to a host of the other attacks described above.

Hackers who obtain control of a project’s official account can send out various links for unsuspecting victims to click; these normally take the form of free gifts of some kind, such as airdrops.

In April 2022, the Instagram account of Bored Ape Yacht Club was compromised, and a post was made offering an airdrop for any user that connected their MetaMask Wallets. The thief managed to obtain over $1 million in stolen NFTs. 

Remember the Following Rules to Protect Your NFTs

1. Use hardware wallets over software wallets.
2. Treat every unsolicited private message sent to you as a potential scam and review the details.
3. Do not share your private key, seed phrase, and/or passwords with anyone.
4. Use strong passwords and consider alternative authentication options such as 2FA.
5. Never click on any suspicious links or attachments, regardless of who sent them.
6. Always cross-check the NFT’s price for discrepancies.
7. Verify NFT seller accounts.
8. Don’t forget: if something seems too good to be true, it probably is too good to be true.

For more information, to get a demo, or to get a report – get in touch with our expert team at [email protected]

Disclaimer: The information presented does not constitute legal advice. Crystal Blockchain B.V. accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information. 
