As our partners at Ledger would agree, NFT security is a high-priority focus for newcomers and veterans alike in the NFT space. But what exactly does safety and security mean as it relates to NFTs? How do we avoid crypto scams and NFT rug pulls?
Essentially, NFTevening and Ledger started this partnership to answer these questions directly. Unfortunately, NFT owners continue to experience scams, hacks and other security threats. Thus, Ledger and NFTevening are proud to present our security 101, aiming to educate both experts and beginners. If you want to know what an NFT wallet is, how to protect your NFT Collection and how to avoid scams; here are some NFT security fundamentals!
NFT Security Basics
Before we can get to how you can make sure your NFTs are fully secure, you need to know the basics of NFT Security. That starts with education, so let’s take a look at some basic NFT knowledge you might need to know.
Firstly, your wallet is protected by a password. This is called a seedphrase or private key. Let’s start with a recap of what each of these are, and what it means for your NFT security.
Let’s start at the beginning – What is a private key?
Owning crypto means owning the private key for the address on the blockchain where that crypto is kept. Whether you’re interested in coins, tokens or NFTs, the private key is what defines your ownership of that asset.
However, watch out! Losing access to your private key – or letting it fall into the wrong hands – means losing access to your crypto wallet and all of your NFTs it contains! If you want to learn more about private keys, make sure to check out Ledger’s extensive guide on what a private key really is.
The key takeaway is this: how you store your private key determines the security of your entire NFT collection. This is where NFT wallets come in.
What is an NFT Wallet?
Basically, an NFT wallet is a digital crypto wallet which allows you to store the private keys for your NFTs . To properly secure your own NFT collection, you should understand the difference between the following types of crypto wallet:
Firstly, Hardware vs Software wallets, and then; Custodial vs. Non-custodial wallets. Let’s start with a recap of what each of these is, and what it means for your NFT security.
Custodial VS Non-custodial wallets
In a basic sense, crypto wallets can either be custodial or non-custodial. A custodial wallet is a software wallet, the private keys of which are held by a platform. One major example is Coinbase, which offers its own crypto wallet. The benefit of using a custodial wallet is simplicity: the platform controls the private keys and you the user simply “log in” when you want to access your wallet. But since you don’t control the private keys, you don’t really control the contents of the wallet either, and this means you sacrifice security and control for convenience.
In contrast, a non-custodial wallet is one whose private keys are controlled solely by you, the owner. This means you retain absolute control over your NFTs – but it also means you’re responsible for how you manage those all important keys, and keeping them safe.
There is more than one type of non-custodial wallet, each offering a different level of protection. Let’s take a deep dive into those now.
Software wallets: High Convenience, Poor Security
Software wallets like MetaMask exist on your computer or phone, and are a convenient way for users to control their own private keys (more on that to come). However, they come with major disadvantages which make them a less secure way to store NFTs.
The fact that they are online – which is why they’re also known as hot wallets – makes them susceptible to all kinds of attacks that are deployed via your internet connection. In the past, all MetaMask users on iCloud were put at risk due to a major phishing attack. Attacks like these can compromise your NFT security by targeting your software wallet (and the private keys stored within them). As long as that interface exists on a connected device, this will always be a risk.
Hardware wallets: Maximum Security, Reduced Convenience
Hardware wallets are much safer. First, what exactly is a hardware wallet? Hardware wallets are physical devices where you secure your private keys that exist separately from your computer or phone. The point of doing this is that they remain isolated from your internet connection and the risks that are deployed there, making them, and your NFTs, much more secure. Anybody actively acquiring NFTs or other crypto assets should really be using a hardware wallet to keep those assets secure.
If you want to dig deeper into hardware wallet security, Ledger have a great guide on how to secure your NFTs. For an in-depth breakdown on all other types of NFT wallets, check out our guide on choosing an NFT wallet.
The Key To NFT Security
You’ve probably understood by this point that managing your NFTs involves striking a careful balance between two big considerations: security and ease of use. Admittedly, it can be hard to find the sweet spot between these two things. Ease of use tends to mean securing your private keys using a software interface on a connected device, while proper security means keeping those keys offline. So how can you interact seamlessly with Web3 while enjoying complete peace of mind?
The answer is: by using a system that combines the security of a hardware wallet with the convenience of an online management interface.
Ledger Nano and its partner Ledger Live
Ledger is a great example of this approach in action.
Its hardware wallet (Ledger Nano) stores your NFT private keys offline at all times, while its management interface Ledger Live allows you to buy, sell, visualise and manage your NFTs easily, making it the safest and most enjoyable way to explore the Web3 ecosystem. Another particularly helpful feature of Ledger Live is an NFT integration that shows the full details of any NFT transaction you go to sign through the application, meaning maximum transparency and minimal blind signing risks as you interact with dApps.
Using Ledger Live, you can get all the important details of an NFT transaction and keep your NFTs safe, all in one place.
Your Seed Phrase Explained
It wouldn’t be a proper discussion of NFT security without a few words on the seed phrase (or recovery phrase). When you create your own crypto wallet, you will always receive a set of 24 words known as the seed phrase: this is simply a back up of all the private keys secured within that crypto wallet, allowing you to recover your assets on another wallet, even if you lose access to the original.
It is extremely important to keep these (up to) 24 words safe, because ANYBODY can use them to recover your crypto assets, via any other wallet. They are like the master key to your valuable NFTs, and how you manage these words will make or break your security.
How to Manage your Seed Phrase
There are a few essential rules when it comes to managing your seed phrase. Let’s go through some of these extra important NFT security tips now.
Firstly, Never tell anyone your seed phrase. Read that again.
If someone has access to your seed phrase, consider your NFTs gone, it’s that simple. This might seem straightforward, but there are a few things to consider in terms of how you store these words.
Where to store your Seed Phrase and Private Keys
Never record your phrase on your phone, computer or anywhere it will be connected to the internet. You’ll know from our previous section that connected devices allow scammers and hackers to access your sensitive data – this can be done via bad links that deploy spyware onto your device, meaning that connected devices are not the place to store your precious seed phrase.
Instead, make sure to write down your seed phrase on paper (or preferably, record it on metal so that your record of it can’t be destroyed by fire or water). This is your only back up if you ever lose access to your NFT wallet. Yes, that’s right – if you lose it, there’s no way back.
NFT Security Starts At Home
Storing your seed phrase and private keys somewhere safe is very important. Some keep them in a secure spot in your house, a personal safe, a safety deposit box or with a close and trusted family member. Some people even engrave their seed phrase on thin metal slabs!
The Winklevoss Twins famously take their private key storage incredibly seriously. They split it into different parts. Then, they stored each part in several banks across the four time zones of the US.
You likely don’t have to go as far as that! Still – the concept of splitting up copies of your seed phrase (and or your private keys), and storing them in different places, is a high-level security practice. Wherever you decide to keep your seed phrase, protecting it well means keeping your NFTs secure. However, make sure it’s accessible and you may want to make some copies, just in case.
Smart Contracts and How They Affect Your NFT Security
Smart contracts are digital agreements that execute without a middleman. This allows blockchain users to interact with decentralised apps (and one another) in a “trustless” fashion.
However – watch out! You cannot reverse the action a smart contract triggers once you sign it. This makes smart contracts a popular vehicle for scammers looking to get access to your NFTs under false pretenses. Many scams today trick users into interacting with a malicious smart contract. In effect, the scammers make you open the door to your own assets. This is why understanding what you’re agreeing to is so essential for NFT security.
Blind Signing: Leaving your NFTs Vulnerable
Scammers take advantage of people’s lack of knowledge about smart contracts to convince them to sign rogue transactions. For example, you may think you’re giving permission for buying an NFT, when in fact, the contract you’re agreeing to gives the lucky scammer access to all the NFTs in your wallet.
This is a major vulnerability because crypto wallets can’t always display full smart contract details, making it hard to see what you’re signing. This is called blind signing, and it leaves your NFTs and crypto extremely vulnerable. Even when the details are displayed, it can be hard for the average user to interpret them because they’re technical. In both cases, you are the gatekeeper for your NFTs’ security. Only you can ensure they stay safe.
How to protect yourself from blind signing
The best way of doing this is a two-pronged approach. The first part of this is choosing a wallet that is able to display smart contract details in full, otherwise known as clear signing. This is one major benefit Ledger Nano brings to the space, enabling clear signing for transactions with integrated dApps and platforms. This means that whenever you’re signing a transaction, you’ll be able to see all relevant details, and know exactly what you’re agreeing to. This means there are no surprises, and no hidden intentions.
But doing this effectively also means being able to understand what you’re reading, and that means taking the time to learn for yourself how to interpret smart contract details.
How to Interpret Smart Contracts
Blockchain explorers like Ethereum’s Etherscan are what you use to search smart contracts and learn more details about them. All you need to find a smart contract on a block explorer is the contract address.
There you will find various important bits of information about the smart contract; including who deployed it, and what it does – both of which are important for verifying your own transactions with peace of mind. Understanding these elements can help to detect scam transactions – and save you from signing one.
NFT Security Basics for Web3
Beyond the fundamentals of smart contracts and transacting, there are also a few rules you need to bear in mind for staying safe as you explore and interact with Web3.
- Don’t trust stealth mints,
- Don’t follow random links
- Only Connect to trustworthy sites and projects and check every website address thoroughly
Following this advice will help you avoid most scams, but let’s take a look at the most popular scams of the moment:
What are the most famous NFT Phishing Scams?
Phishing scams are the most common NFT scam at the moment. For those who don’t know, the term phishing returns to a form of social engineering. It involves bad actors sending messages to people. By design, these messages coax people into revealing private information that compromises their security.
In the case of NFTs, phishing scams either attempt to get people to sign scam transactions, or give away their seed phrase or private keys.
Who Are NFT Scammers Targeting?
Holders of high-value NFTs like BAYC, Doodles, and Azuki are especially targeted in phishing scams. As a matter of fact, even OpenSea has had issues with phishing scams targeting its users too.
Then there are scam NFT swaps. In these cases hackers target people actively looking to trade their NFTs. They reach out to them, usually via Discord or Twitter, and engage in “trade talks”. Then they provide the victim with a phony trade link. If the person goes through with the trade, they can lose not just the NFT they’re trying to trade, but everything in their wallet.
NFT Security on Social Media
NFTs are all about community, and this means a lot of interaction with other community members on social channels such as Discord and Twitter – these are effectively community hubs where a lot of the excitement takes place. But with so many people and so much hype all in one place, these hubs are a great venue for opportunists, and it’s important that you familiarise yourself with the risks you face here.
NFT Scams on Discord
As the default home for most NFT projects and communities, it’s easy to encounter scammers on Discord. Hacking Discord servers often starts with phishing attacks on server moderators and admins. Often, these scammers will contact you via a DM from seemingly legitimate accounts.
The number one rule of NFT security on Discord is to turn off DMs from anyone you don’t know. By only allowing DMs from people you accept as friends, you’re already filtering out a majority of scammers. Plus, if you want to know more, check out Ledger’s guide on staying safe on discord.
NFT Scams on Twitter
As the social media platform of choice for the NFT community, Twitter is also a haven for scammers.
While project Twitter accounts have rarely gotten hacked themselves, scammers have taken to stealing or buying other, usually verified, accounts. Then they impersonate a project or project lead, and direct people to some kind of malicious link. This happens the most either before or right after a major project release. This was the case with Yuga Labs’ Otherside mint, Moonbirds and Azuki’s Beanz airdrop.
Make sure to triple check any accounts posting links for any kind of NFT transaction. If a verified account tags your account in a tweet reply amongst a list of others, likely, it’s compromised. Be sure to report and block fake accounts, and never click on any links they post.
What are Malicious NFTs?
Malicious NFTs are tokens with smart contracts that can compromise your security if you interact with them. These NFTs are usually airdropped directly into people’s wallets, making them that much more devious.
While some malicious NFTs are obvious, some look like stealth mints from major brands, and can leave people fooled. These NFTs can affect you in all kinds of ways, including wiping NFTs and cryptocurrencies from your wallet.
What Should I Do If Someone Sent Me a Malicious NFT?
As of now, the best thing to do if you receive a malicious NFT is to do nothing! Some people have actually had their wallets drained simply by attempting to transfer scam NFTs out of their wallets.
For that reason, if you notice a malicious NFT, just leave it alone. Now, OpenSea delivers most airdrops directly to your hidden folder. This makes it easier to ignore them.
The Biggest NFT Security Vulnerability: FOMO
Not all NFT scams are technical. Just like in real life, some fraudsters rely on getting you all worked up for an idea that just isn’t quite what it seems, and Web3’s notorious FOMO vibes make it a perfect environment for opportunists to deploy these tactics.
What is a Rugpull?
Rug Pulls are a completely different kind of NFT scam. They may not jeopardize the security of any NFTs you currently own, but they can certainly steal your money!
Essentially, a rug pull is where an NFT project jumps through all the usual hoops pre mint, only to take buyers’ money and run afterwards. If you want to know more, Ledger has a great guide explaining what rug pulls are further in depth.
Quick cash grab rug pulls become very obvious after mint. In many cases, the project founders simply delete all accounts tied to the project and disappear. Some more devious scammers – like those behind the Racoon Secret Society and Balloonsville rug pulls – like to taunt their victims on the way out. Basically, they’ll change the metadata of the NFT, and leave you with something you didn’t ask for. That’s why it’s so important to know where your NFTs are stored.
What is A Slow Rug?
Slow or soft rug pulls are much harder to identify. But, what is a soft rug pull exactly? Basically, they are slow burning projects that die down and ultimately fade away. Whether an NFT project fails due to wrongdoing, incompetence, or unforeseen challenges can be a highly subjective matter.
Unfortunately, this means that many scammers can get away with slow rug pulls, as they can always claim that their intentions were good. Then, they slowly siphon the money away whilst posting less frequently on social media.
How To Spot A Rugpull
NFT Rug pull projects are often hard to spot but here are some serious red flags:
At this point, there are serial NFT rug pullers with track records of taking advantage of their communities. As a matter of fact, countless influencers, celebrities, and even some NFT OGs, have been accused of rug pulls. Just take Logan Paul’s crypto projects and Lana Rhoades’ NFT ventures as a good example. In fact, Floyd Mayweather’s NFT track record isn’t too great either.
Celebrities, in particular, wield enormous power to create successful cash grabs. Be very wary of celebrity NFT projects or hyped-up influencer mints. Then, once you get to know the repeat offenders in the space – run the other way!
So, firstly, what is Shilling? In short, it’s the act of promoting an NFT project or cryptocurrency. Basically, it’s an unavoidable fact of life when it comes to NFTs. In fact, the line between shilling and marketing is razor-thin, if it even exists at all.
Nevertheless, there’s a certain kind of hard shilling that can be a dead giveaway for scams.
Rug pull projects tend to lack a real community, and so they resort to paid promotion to market their scams. This can be through celebrities and influencers, or even paid promo on Twitter and Instagram. Either way, it’s good to learn the difference between authentic, community-led promo, and hard shilling.
Suspicious Community engagement and bot activity
Project Twitter accounts and Discord servers can be a dead giveaway of rug pulls as well. If a project boasts a massive following on either platform, yet has a disproportionately low amount of engagement, chances are that they have used bots to boost their numbers.
Another way bots reveal themselves is through oddly worded messages, often repeated word-for-word by different accounts. A good example of this was Unc0vered NFT, who later ended up rugging the community.
NFT Security Tools to help you spot a scam
The good thing about Web3 is that you have lots of tools at your fingertips to critically assess projects you’re interested in. Accordingly, knowing what these tools offer puts you in a great position to navigate the space safely.
Rarity sniper, NFTGO, and more can help you secure your NFTs
Maybe you have seen an NFT deal that is too good to be true? It probably is! It’s always good practice to check NFT data sites for a collection’s current stats before signing your wallet away.
Be vigilant and check the floor prices, recent sales and rarity of your NFTs before buying or selling anything of value. Rarity.tools, Rarity Sniper and NFTGO all boast tools that can give you insider information on NFT projects. Plus, there are also some paid NFT analytics tools like icy.tools and breadcrumbs that can give you even more information and analysis.
Etherscan comes in handy again here too, allowing you to view vectors such as token distribution, sales activity and project lineage for NFT projects you’re interested in. All of these enable you to gather data on your prospects before putting your money where your mouth is.
Educate yourself using NFT News and Media Sites
Educate yourself on technology and stay up to date on the latest scams and hack by following NFT Media sites, youtube channels and newsletters. Luckily for you, NFTevening covers content using all of those channels and more. Check out the NFTevening youtube channel here!
We regularly cover the latest rug pulls and scams in an attempt to protect our readers from losing their precious NFTs. Make sure to follow our newsletter for daily updates and you will hear about the latest scammers before anyone else.
Final Thoughts on NFT Security
In conclusion, there are a lot of factors at play when it comes to ensuring the security of your NFTs – from understanding the technical details like smart contracts and private keys, to recognizing the signs of a bogus project or founder. All of these angles deserve proper research if you’re to navigate Web3 securely.
The world of NFTs, crypto, and decentralization is an exciting and rapidly evolving frontier, but we must also be clear about the increased responsibilities we all have in Web3. At the end of the day, security is something we each have to take into our own hands. Ledger and NFTevening are proud to be able to provide tools to do exactly that.