NFT Scams: Stay Safe Online!

A practical guide to staying safe from NFT and other crypto scams.

Image source: The Verge
Image source: The Verge

In many ways, the NFT boom of 2021 feels eerily similar to the ICO boom of 2017 (we all know how that ended). The spate of projects, the price rise, the mass hysteria and, not surprisingly, the scammers. Ironically, an industry fueled by a mostly trustless technology sure has a high number of breaches of human trust.

Over the past few months, we have seen an increase in social engineering attacks on users holding high-value NFTs, marketplace vulnerabilities as well as outright scam projects and "rug pulls". While humans have been, and will continue to be, the weakest link, we can avoid headaches with a few extra checks before making a purchase. Here are some things you can consider, in no particular order.

Use Well-Known Wallets and Browser Extensions

Depending on the platform, you'll find a wide array of self-custody wallets to hold your NFTs and coins. Stick with the popular, battle-tested ones, preferably open-source, for your frequent transactions. MetaMask, MyEtherWallet and Trust Wallet are popular wallets for Ethereum, while Phantom is a Solana fan-favourite. If you own valuable NFTs, you may instead consider a hardware wallet (Trezor, Ledger Nano S/X) or even a custodial service. If you are buying a hardware wallet, it's best to buy directly from Trezor or Ledger, rather than an intermediary.

Do Not Share Your Seed Phrase with Anyone

This bears repeating often - crypto allows you to be your own bank, but you also have to be your own security guard, CCTV camera, metal detector etc. Once you create a wallet, store the seed/recovery phrase in a secure location and guard it zealously. Do not upload it to random websites or share with anyone pretending to be a friendly support personnel.

Use a Burner Address for Minting NFTs

When you create a wallet, it can generate and hold multiple wallet addresses (essentially the public keys attached to the private seed phrase). If you are minting NFTs rather than buying from a marketplace, it is a good idea to use a separate address for each transaction. You will need some ETH or SOL for gas fees though. At today's gas prices, it does become expensive quickly for Ethereum, but it is certainly a viable option for Solana. Using a burner (one-time) address ensures that any potential compromise is limited to the funds attached to that address only. Once the NFT is in your burner address, you can move them to your "vault" address for posterity. Do check if the project requires the NFT to be stored in the minting wallet address for future royalties or benefits though. If yes, a burner option may not be viable for that project.

Ensure the Creator/Artist is Genuine

Granted, in the pseudonymous NFT world, it may be hard to ascertain whether a creator/artist is genuine or simply ripping off art from others. But, if you like their work, check out their social media presence (Twitter, Medium etc) as well as their community platforms (Discord/Telegram). Transparency about the project and roadmap, as well as quality community engagement are great signs, and can also help you to separate genuine artists from those using bots to bolster activity.

Ensure the NFT Mint Website is Authentic

The artificial scarcity created during the NFT minting process can induce anxiety and FOMO (fear of missing out), making it the perfect time for scammers to ply their trade. By impersonating or even hacking community moderators, scammers may announce that the mint website or service has changed just before launch (see stealth mint attack on Creature Toads), or even exploiting Discord features like webhooks. A genuine project will always delay launch if there is an issue with the mint, rather than switch infrastructure at the last minute. If in doubt, stay out.

Check the NFT Metadata Storage Location

The other thing to look for is the media storage location. Projects storing the media assets on centralized storage like Google Drive, Dropbox or even uploaded to the mint website should be avoided at all costs. If these projects go under or storage access is revoked, you will lose your assets forever. The best option is on-chain but, in the case of Ethereum, that incurs significant storage costs. A good alternative is storing the media assets on decentralized protocols like Arweave, which are built specifically for permanent data storage and are quite cost-effective in the long run. CheckMyNFT (now inactive) allows you to check the metadata strength of Ethereum-based NFTs, while SolGuard (now inactive) does similar for Solana. Of course, these are just GUIs for the underlying contracts, which can also be reviewed directly using blockchain explorers like Etherscan and Solana Explorer.

Look for the Verified Checkmark on NFT Marketplaces

A close cousin of the mint website is the NFT contract address, which denotes the contract storage location on the blockchain. Creating NFT projects is quite easy these days, especially if you are ripping off existing projects. Scammers arbitrage the period between listing fake projects on NFT marketplaces and getting caught, and unsuspecting victims buy seemingly cheap NFTs without realizing that they are fake. While buyers may verify the website listed, it is far less likely that they will diligence the contract details.

If you are buying NFTs on secondary markets like OpenSea/Rarible for Ethereum, or Magic Eden for Solana, look out for the verified checkmark against the collection. If the marketplaces have not verified the collection yet, look up the associated contract address in blockchain explorers like Etherscan or Solana Explorer. Additionally, you can also look up the project's social media accounts or pinned messages in Discord/Telegram to verify the address.

Ignore Unsolicited DMs on Discord/Telegram

This is really the easiest scam to identify, but also sadly one of the most prevalent. If you post queries in a successful project's Discord server or Telegram group, it is highly likely that you will be contacted via DM by someone purporting to be a support personnel. Depending on your query, you may either asked to complete some pre-requisites, be redirected to a fake website asking for seed phrase, or asked to share your screen for troubleshooting purposes. You will be treated with empathy and respect, putting you completely at ease while taking off with your assets. Please do not fall for this. Better yet, disable DMs globally, and only selectively enable them for groups you absolutely trust.

Beware of Fake Twitter Giveaways/Airdrops

Another remnant from the ICO era, fake Twitter giveaways/airdrops are still very common. In the most benign form, fake accounts harvest your personal data (your public wallet addresses, social media profiles, tagged friends etc) for offline scams. Alternatively, users also fall prey to get-rich-quick schemes and are redirected to malicious websites, or simply send crypto to a scammer's address in return for lucrative or scarce NFT assets, which obviously doesn't materialize.

Don't FOMO or Spend More Than You Can Afford to Lose

Of all the items in this list, this may actually be the hardest thing to do. Human greed knows no bounds. It makes us do extraordinary and extraordinarily stupid things in equal measure. Unless you are filthy crypto rich, spend your money wisely. And hopefully learn a thing or two from our collective mistakes.

Did I miss anything? Hit me up on Twitter and I'll add to this list.

Subscribe to alphasec

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.