Last year, without a doubt, was the year of NFTs. The NFT market generated more than $23 billion in trading volume in 2021, with some NFTs selling for tens of thousands of dollars. From acclaimed artists to celebrities and iconic brands, we witnessed the who’s who of numerous industries foraying into the space. Unfortunately, as the industry continues to take giant strides, NFT scams are increasingly plaguing the industry. Driven by a lack of regulations and the chance to make a quick buck, a growing number of scammers have now hit the industry.
The biggest NFT scams and how to avoid them
As NFTs become more mainstream, scammers are also becoming smarter and better at stealing NFTs and crypto, and even veterans in the space are getting caught. Take the rapper Waka Flocka Flame, who lost $19,000 in an NFT scam only days earlier. Attackers sent malicious NFTs to one of his wallets; when he clicked on the assets in an attempt to delete them, the interaction triggered a transaction that let the attackers drain his funds.
According to a survey by PrivacyHQ, nine out of ten respondents reported being the victim of an NFT scam, and 16% said their accounts had already been hacked.
Clearly, you can never be too careful in the NFT space. You never know what scam may hit you, when, and from where. The only way to keep your crypto and NFTs safe is to take all the necessary precautions. And it goes without saying—always keep your guard up and be extremely wary of who and what you interact with online. An important way to avoid NFT scams is to be aware of what’s happening out there.
Let’s take a look at some of the biggest NFT scams and learn how to protect yourself from them.
NFT Phishing scams
Phishing is a common online scam in which scammers impersonate real organizations to steal sensitive information through emails, texts, and other channels. The same thing happens in the NFT world, where impersonators try to steal your private key or seed phrase.
A seed phrase is a list of 12 to 24 words generated by a crypto wallet. Every private key in the wallet is derived from it, so anyone who has the phrase has full control of the crypto and NFTs held there. It cannot be reset by anyone, including your wallet provider, and because blockchain transactions are irreversible, no one can undo a transfer once a compromised wallet has been emptied. Put simply, once your assets are stolen, they are gone.
A typical example of an NFT phishing scam is a tempting NFT giveaway that leads unsuspecting NFT enthusiasts to share their seed phrase. Stazie, the co-founder of the play-to-earn game Hedgie, is one such victim. In August, he lost nearly $1 million worth of digital assets, including 16 CryptoPunks and a substantial amount of ETH.
After clicking a giveaway link posted by a "CryptoPunks" bot on Discord, Stazie was taken to a site that closely resembled the real CryptoPunks site. He then got a pop-up that looked like MetaMask, followed by a message stating that his "security was compromised" and asking him to enter his seed phrase to restore the wallet, which, unfortunately, he did. Before he could do anything, the scammer (or scammers) had moved his assets out.
Similarly, fraudsters pretending to be security agents or support staff members can reach out to you to help with some issues. Some may even send fake wallet security alert emails or OpenSea offers for your NFT. All of these will likely come with phishing links to steal your seed phrase.
This brings us to the most important rule: you will never have to enter your seed phrase to complete a transaction. Neither NFT marketplaces nor wallet providers will ever ask for your seed phrase or private key. If anyone asks for it, it is a scam; close the page and walk away. Store the seed phrase itself securely and offline (written down, not in a screenshot, email draft, or cloud note) so that a compromised device does not give attackers access to it.
Stay wary of phishing emails
Malicious actors pretending to be real companies and reaching out via email are also extremely common in NFT phishing, and even experienced crypto users fall for them. Take the case of Arthur, a crypto investor and founder of the crypto venture fund DeFiance Capital.
An attacker gained access to Arthur's wallet through what he described as a "targeted social engineering attack": a phishing email that appeared to come from one of the fund's portfolio companies and carried "general industry-relevant content" from two "seemingly legitimate sources".
The email purported to come from "Azure Information Protection" and included a document titled "A huge risk of stablecoin". When Arthur opened the file, the attacker gained access to the hot wallets on that machine and eventually took a range of NFTs, including several Azuki NFTs, from Arthur's wallet.
This fits a pattern Kaspersky researchers have documented for an APT (advanced persistent threat) group they call BlueNoroff, a subgroup of Lazarus that has long targeted the banking sector with malware implants and exploits. The group has reportedly shifted its attention to cryptocurrency businesses.
BlueNoroff sets up fake cryptocurrency software development companies to lure targets into installing seemingly authentic applications that eventually compromise their accounts. It goes a step further: its operators have been observed tracking existing cryptocurrency startups, mapping who talks to whom, and sending social-engineering lures that look like an everyday conversation between colleagues.
“A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion,” explained Kaspersky's Securelist. “BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.”
This is likely what happened in Arthur’s case.
Use hardware wallets
The examples above show that elaborate schemes like these are hard to avoid. As long as the keys to your wallet live on an internet-connected computer, they are exposed to whatever malware lands on it. A good safety measure is therefore a hardware wallet, such as a Ledger, which keeps your private keys on a dedicated device in what is referred to as "cold storage".
Think of it like an external drive: you plug it into your computer when you need it. The difference is that the keys never leave the device. A transaction is signed on the device itself and you confirm it on the device's own screen, so malware on the computer cannot sign on your behalf, which makes this more secure than a software wallet like MetaMask. Even if your computer is compromised or the device is stolen, an attacker still needs the device's PIN, or your seed phrase, to move your NFTs.
Even with a hardware wallet, however, you must stay careful. The device runs a limited set of apps, and some apps offer a "blind signing" option. When blind signing is on, the device cannot decode the contract call it is being asked to sign, so it shows you only a hash and not what the transaction actually does: which contract is called, which function, and with which arguments. Signing in that state is extremely risky, because the transaction you approve may be a malicious one; enable blind signing only when a specific interaction requires it and turn it off afterwards.
Fake NFT projects and websites
As we mentioned in the case of phishing attacks, there are plenty of fake websites out there. Even if you are Googling an NFT website yourself, a simple typo could land you on a fake website. Since most of these sites look strikingly similar to the original, you probably won’t realise what happened until it’s too late.
Consider NFT Trader, a website commonly used by NFT traders. While the official domain is 'nfttrader.io', there are several bogus websites on domains such as "ntftrader.io" or "nfttrader.link". In one such scam, @shanterpster lost a Bored Ape worth $281,000. So every time you use an NFT website or dApp, double-check the domain to ensure that you are on the right one.
The same goes for NFT projects within marketplaces—scammers create scores of replicas of NFT projects online. Here are some ways to avoid getting scammed by a fake project:
- Marketplaces like OpenSea verify collections and creators as authentic and add a verified badge to the accounts. Buying from verified collections is a good way to avoid getting into NFT scams.
- Look for the tell-tale signs of fake NFTs. This includes an exceptionally low price, small collection size, and low sales volume.
- Another way to spot a fake NFT is by checking its individual description and properties. Most often, scam NFTs won’t have any description or property.
Do not interact with NFTs and tokens sent to your wallet!
Connecting your wallet to a website is, by itself, safe: the site learns your public address and nothing more. The risk is in what you sign afterwards. Some sites use unsafe methods such as 'eth_sign', which signs an arbitrary 32-byte hash rather than a readable message, so the thing you sign can be the hash of a transaction that moves your assets (fabdarice.eth has published a worked example of this). There is a common misconception that disconnecting the wallet afterwards helps. It does not: disconnecting only stops the site from seeing your address, while any approval you already signed stays in force on-chain until you revoke it. A contract cannot take anything without a signature from you, so the attack always comes down to tricking you into signing something, typically a setApprovalForAll or approve call that hands a scammer's address the right to move your tokens. To protect your wallet, never interact with an unknown contract: if it has malicious functions, they steal your wallet's contents the moment you trigger them.
Follow the golden rule: if it's free, it's probably bad news for you. If someone sends you free NFTs, do not interact with them in any way. Remember what happened with Waka Flocka Flame? Do not try to delete them, send them elsewhere, or sell them; simply ignoring them is the best course of action (hiding them in the marketplace's interface is an off-chain action and is fine).
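To make the advice about blind signing and about eth_sign concrete, here is an added example that is not code from the original article, fabdarice.eth, or any wallet vendor. It is a small pre-flight check of the kind a wallet extension (or a careful user with a console) could run on a dApp's JSON-RPC signing request before approving it. It blocks eth_sign outright, decodes the calldata of eth_sendTransaction, and flags setApprovalForAll, approve and transfer calls, which is exactly the information a hardware wallet cannot show you when it is blind signing. The 4-byte selectors are the standard keccak256(signature)[0:4] values for ERC-20/ERC-721 functions, hardcoded so the script runs offline. Every address, contract name and request below is a constructed placeholder, not real on-chain data.

```javascript
// Added example (not from the original article). Standard 4-byte function
// selectors = first 4 bytes of keccak256(signature); hardcoded to avoid dependencies.
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",         // ERC-721 / ERC-1155
  "095ea7b3": "approve(address,uint256)",                // ERC-20 / ERC-721
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "a9059cbb": "transfer(address,uint256)",
};

// Split hex calldata into its 4-byte selector and 32-byte ABI words.
function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) return { selector: null, name: null, words: [] };
  const selector = hex.slice(0, 8);
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, name: SELECTORS[selector] || null, words };
}

// An ABI-encoded address is right-aligned in its 32-byte word (last 20 bytes).
function wordToAddress(word) {
  return "0x" + word.slice(24);
}

// ABI-encode setApprovalForAll(operator, approved); used only to build the samples.
function encodeSetApprovalForAll(operator, approved) {
  const op = operator.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return "0xa22cb465" + op + flag;
}

// Assess one JSON-RPC request from a dApp. `owner` is the user's own address;
// `trusted` holds operator/contract addresses the user has vetted (lowercase).
// Returns { risk: "block" | "warn" | "ok", reason }.
function assessRequest(req, owner, trusted = new Set()) {
  const lc = (a) => (a || "").toLowerCase();
  switch (req.method) {
    case "eth_sign":
      return { risk: "block", reason: "eth_sign signs a raw 32-byte hash, which may be a transaction hash (blind signing)" };
    case "personal_sign":
    case "eth_signTypedData_v4":
      return { risk: "ok", reason: "message is prefixed/structured, so the signature cannot be replayed as a transaction" };
    case "eth_sendTransaction": {
      const tx = req.params[0];
      const d = decodeCalldata(tx.data);
      const w = (i) => d.words[i] || "0".repeat(64); // tolerate truncated calldata
      if (d.name === "setApprovalForAll(address,bool)") {
        const operator = wordToAddress(w(0));
        if (!w(1).endsWith("1")) return { risk: "ok", reason: `revokes approval for ${operator}` };
        if (trusted.has(lc(operator))) return { risk: "warn", reason: `grants trusted operator ${operator} control of all tokens in ${tx.to}` };
        return { risk: "block", reason: `grants unknown operator ${operator} control of EVERY token in ${tx.to}` };
      }
      if (d.name === "approve(address,uint256)") {
        const spender = wordToAddress(w(0));
        return { risk: trusted.has(lc(spender)) ? "warn" : "block", reason: `approve() lets ${spender} move tokens from ${tx.to}` };
      }
      if (d.name && d.name.includes("transferFrom")) {
        const from = wordToAddress(w(0)), to = wordToAddress(w(1));
        if (lc(from) === lc(owner)) return { risk: "warn", reason: `moves a token from your wallet to ${to}` };
        return { risk: "ok", reason: "transferFrom does not move a token owned by you" };
      }
      if (d.name === "transfer(address,uint256)") return { risk: "warn", reason: `sends tokens to ${wordToAddress(w(0))}` };
      if (d.selector === null) return { risk: tx.value && tx.value !== "0x0" ? "warn" : "ok", reason: "plain ETH transfer, no calldata" };
      return { risk: trusted.has(lc(tx.to)) ? "ok" : "warn", reason: `unrecognised function ${d.selector} on ${tx.to}` };
    }
    default:
      return { risk: "warn", reason: `unhandled method ${req.method}` };
  }
}

// --- Constructed sample requests (placeholder addresses, not real chain data) ---
const OWNER = "0x1111111111111111111111111111111111111111";
const NFT_CONTRACT = "0x2222222222222222222222222222222222222222";    // hypothetical collection
const MARKET_OPERATOR = "0x3333333333333333333333333333333333333333"; // hypothetical marketplace contract
const SCAMMER = "0x4444444444444444444444444444444444444444";
const toHex = (s) => "0x" + Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");

const SAMPLES = {
  phishingApproval: { method: "eth_sendTransaction", params: [{ from: OWNER, to: NFT_CONTRACT, data: encodeSetApprovalForAll(SCAMMER, true) }] },
  blindSign: { method: "eth_sign", params: [OWNER, "0x" + "ab".repeat(32)] },
  loginSignature: { method: "personal_sign", params: [toHex("Sign in to example marketplace"), OWNER] },
  listingApproval: { method: "eth_sendTransaction", params: [{ from: OWNER, to: NFT_CONTRACT, data: encodeSetApprovalForAll(MARKET_OPERATOR, true) }] },
};

function runSamples() {
  const trusted = new Set([MARKET_OPERATOR.toLowerCase()]);
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = assessRequest(req, OWNER, trusted);
  return out;
}

for (const [name, v] of Object.entries(runSamples())) {
  console.log(`${name.padEnd(17)} ${v.risk.toUpperCase().padEnd(5)} ${v.reason}`);
}
```

Run it with Node and the phishing setApprovalForAll and the eth_sign request come back as BLOCK, the marketplace listing approval as WARN (it is legitimate, but it still hands an operator every token in the collection), and the personal_sign login as OK. The point is the decoded view: a wallet that is blind signing sees none of this, and a wallet that does decode it shows you the operator address, which is what you should compare against the marketplace's published contract before approving.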
Beware of rugpulls!
For the uninitiated, a rugpull happens when creators fail to deliver on a project and abscond with all the money. Typically, the scammers will create a legit-looking project with artwork sneak peeks, a website, social media accounts, and more. However, post-launch, when the collectors have minted NFTs, the developers flee with all the money, leaving the investors empty-handed.
According to PrivacyHQ, this is the most common scam people have experienced: the NFT provider shutting down entirely. Around 43.8% of respondents said they had purchased an NFT that eventually disappeared.
From Iconics and Bored Cat Club to Tokyo Ten and Crazy Lemur club, several rugpulls have riled the NFT industry recently. A particularly jarring NFT scam of this kind is that of the Evolved Apes rugpull, where the developers stole $2.7 million worth of ETH.
Unlike the NFT scams mentioned above, rugpulls are hard to identify in advance, because the project looks legitimate right up to the moment the team disappears. Be extremely wary of new NFT projects and do enough research, especially on the developers, before investing.
Red flags to watch in new NFT projects
Here are a few red flags to keep an eye on before investing in a new NFT project:
- Naturally, developers who have doxxed themselves are slightly more trustworthy. A doxxed team reaffirms that there are real, trustable people behind the project.
- Projects with tons of fake followers, especially those running Discord invite contests, are usually padding their numbers with bots. Even if the project is legitimate, this is not authentic community building, which matters for staying in the space in the long run.
- Another tell-tale sign of a suspicious project is artificial hype and celebrity endorsements. People often don't realise that projects can buy celebrity endorsements cheaply to create fake hype. Before you put any weight on an endorsement, check that it is an official partnership.
- Several shady projects also have exorbitant mint prices; they manufacture hype to sell NFTs for upwards of 1.5 ETH per mint. By contrast, genuine projects tend to keep the starting mint price reasonable in order to build a real community.
- Projects that use tactics like floor sweeps or ban members who list below set prices to keep the floor high, are another red flag.
At the end of the day, there’s no foolproof way to ensure the authenticity of a project. The best you can do is to keep an eye out for the above red flags (which is in no way exhaustive) and look for projects that are building a community more organically. Projects with a proper, innovative roadmap, effective tokenomics, adequate security measures, and transparent functioning, are more trustworthy.
Stolen artworks and NFT artist impersonation
Another increasingly common scam in the NFT market is art forgeries. A slew of artists like Derek Laufman, RJ Palmer, Trevor Henderson, Liam Sharp, and more have had their works stolen and sold as NFTs. As the scammers often impersonate the artist, complete with their profile picture and bio, unsuspecting fans end up buying the NFTs. In one instance, acclaimed graffiti artist Banksy’s website got hacked, with the hacker adding a link to a fake NFT auction site. None other than Pranksy fell for the scam, shelling out $336,000 for the piece.
While it’s easy to fall prey to such scams, here are some steps to ensure you don’t end up buying a stolen NFT:
- Buying from verified artists on marketplaces is an easy way to confirm an NFT's authenticity. Alternatively, you can choose highly curated platforms like Foundation, SuperRare, and KnownOrigin.
- If it’s a famous artist, they are likely to post about the drop on their social media accounts as well. So make sure to look for any official announcements from them. Just to be sure, you could always ask the artist directly.
- If it’s a relatively unknown artist, carefully look at their social media sites to see how legit they are.
- Use Google's reverse image search to trace the origin of the artwork and see which versions of it already exist online.
Discord hacks are on the rise
We have already discussed phishing, and by now you know never to click unknown links, whether they arrive by email or Discord DM. But links posted by authentic NFT projects in their own Discord servers must surely be safe, right? Not always. There has been a series of incidents on NFT Discord servers in which attackers compromised the projects' bots.
Once they control the bot, the attackers post a message in the official channel, often announcing a "stealth launch" with a link to a fake minting site. Everyone who mints through that site is paying the scammers. This is what happened recently to the Boss Beauties NFT project, one of many that have been hit by such Discord scams in the recent past.
Again, Discord hacks are difficult to spot, especially if the dubious links are posted on the official Discord channel. All you can do is double-check any links before spending any amount. Alternately, confirming with the project founders before minting can also help.
As the industry evolves, the NFT scams are only going to increase. While we have listed some of the most common scams, it is not an exhaustive list and new methods are only going to come up. As a rule of thumb, always be extra cautious every time you plan to mint any NFT. Additionally, make sure to take extra precautions such as using two-factor authentication for your accounts and a password manager. You can also use a cold wallet to store your assets offline, making it more secure.