Over the past few years, non-fungible tokens (NFTs) have become high-value assets, attracting thousands of users and investors worldwide. Unfortunately, NFT holders are prime targets for hackers who exploit vulnerabilities in crypto wallets and trading platforms to steal these valuable digital assets.
With NFTs gaining more exposure and value, it has become essential to take the necessary steps to protect your digital collectibles. This guide explains the most common NFT scams and tips to safeguard your NFTs.
Common NFT Scams
Most NFT thefts occur because the owners fall victim to one of several fraudulent schemes. As such, it is crucial to understand how these NFT scams operate to determine the best way to protect your assets.
Rug Pulls
Rug pull scams are typically orchestrated by the creators of an NFT project. These deceitful founders often create detailed roadmaps that promise exciting future developments and numerous benefits for investors who support the project. Once the project garners significant attention and investment, the founders disappear with the funds raised from NFT sales, leaving investors with losses.
One popular example of this type of scam is the Evolved Apes rug pull, where the anonymous founders pulled the plug on the project just a week after the initial drop, making away with over $2.7 million in ETH.
To avoid falling prey to rug-pull NFT scams, conducting thorough research on the project’s founders and their reputation is crucial. It is also critical to evaluate their transparency and communication and carefully review the project’s roadmap and whitepaper.
NFT Airdrop Scam
Airdrop scams, also known as NFT giveaway scams, involve fraudsters luring users into promoting fake projects or signing up in exchange for free NFTs. However, when it’s time to claim the supposed reward, the scammers ask users to grant a wallet allowance, which gives them access to the victim’s wallet and lets them steal the victim’s valuable collectibles.
These scams have caused significant losses for users, with one example being the case of a Bored Ape Yacht Club (BAYC) holder who lost a BAYC NFT valued at 102 ETH and other collectibles in an airdrop scam last year. The user lost assets worth over $500,000 in the incident.
To avoid falling victim to airdrop scams, it’s essential to be wary of offers that seem too good to be true, especially regarding free NFTs. Users should carefully review the project’s legitimacy, read reviews from other users, and avoid sharing their wallet recovery phrases with third parties.
Also, never interact with any tokens you don’t recognize in your wallet. This applies to airdropped NFTs, and also to any other ERC20 token that could turn out to be malicious.
Phishing
Phishing is one of the oldest and most popular scams in the short-lived history of the web. It involves hackers using fraudulent ads, emails, or pop-ups to trick unsuspecting individuals into sharing sensitive information such as login credentials.
In the case of NFTs, the hacker may use phishing to lure users into sharing their NFT marketplace logins and wallet recovery phrases or approving smart contract commands that automatically transfer assets to the attacker’s address.
In February 2022, users of OpenSea, the largest NFT marketplace, became victims of a massive phishing attack. The hackers created fraudulent websites and used OpenSea’s email to send users links to update their contact details. This caused users to lose nearly $1.7 million worth of NFTs. As such, it is crucial to be cautious when receiving unsolicited messages to avoid falling prey to such phishing scams.
Customer Support Impersonation
Fraudsters frequently pose as the customer support team of leading NFT marketplaces and projects to extract sensitive data from unsuspecting NFT holders. These scammers operate on social platforms such as Discord, Telegram, Twitter, and Reddit, where they approach users under fake identities that appear legitimate.
Sometimes they will send you an email from the correct URL (i.e., [email protected]). However, keep in mind that anyone can use simple mailing software and set the sending email address to be any domain.
To verify, reply to the email: in this case, a reply to the above address will be received by the original email holder at Opensea.com. Regardless, be suspicious about any email you receive, even if you recognize the sender’s email address.
When NFT owners connect with these fake customer representatives, they are asked to provide confidential information, such as private keys, or to interact with malicious protocols under the guise of resolving an issue or receiving some tokens or NFTs for free. In most cases, scammers can access the victim’s wallet and steal their assets. Thus, it is crucial to exercise caution and avoid divulging sensitive information or private keys to unverified individuals, even if they appear to be genuine customer service representatives.
7 Tips to Protect Your NFTs
Here are seven tips to safeguard your NFT assets.
Interact Only with Reputable NFT Marketplaces
One of the best ways to safeguard your digital assets is by using established and trustworthy NFT marketplaces instead of conducting transactions through independent unknown protocols. Several top NFT marketplaces offer users enhanced security by providing a secure platform for NFT trading. These platforms include OpenSea, Rarible, SuperRare, and Nifty.
All of the names listed above are decentralized. Unfortunately, following incidents like the FTX collapse, we have learned that it’s safer to use decentralized exchanges (DEXes), but doing so requires more responsibility on the user’s side.
Most leading decentralized NFT marketplaces support the widely used non-custodial digital wallet, MetaMask, which provides users complete control over their assets. By utilizing secure and established NFT trading platforms, investors can minimize the risks of being scammed or losing their assets to fraudsters.
Don’t Click on Random Links and Google Ads
Most phishing scams aim to get users to connect their wallets to a fraudulent website. Scammers can create fake sites and apps that mimic the original, and unsuspecting investors can fall for their tricks if they overlook minor differences in the site’s URL and design.
Popular NFT projects and marketplaces are often the targets of copycat websites that attempt to lure users into sharing sensitive information. The Bored Ape Yacht Club Instagram hack, where scammers stole over $2.5 million worth of NFTs, shows how sophisticated and deadly phishing hacks can be.
Some attackers may lure users into approving commands such as “setApprovalForAll()” that will permit smart contracts to transfer assets from the victims’ wallets at a future date or just send the NFTs to the hackers’ address.
Thus, it is vital to avoid clicking on random links and Google ads, as they may have malicious intentions.
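One way to catch the minor URL differences described above is to compare a link's hostname with a list of sites you have already verified and saved. This is an added example, not code from the original article; the `.example` and `.test` hostnames, `BOOKMARKED` and `check_link` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hostnames saved after verifying them out of band.
BOOKMARKED = {"nft-market.example", "wallet.example"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, bookmarked=BOOKMARKED, max_typos=2):
    """Return (verdict, reason) with verdict in {"ok", "block", "unknown"}."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return ("block", "not an https link")
    if host in bookmarked:
        return ("ok", host)
    # Non-ASCII or punycode labels can hide look-alike characters.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return ("block", "internationalised hostname")
    for good in sorted(bookmarked):
        if host.endswith("." + good):
            return ("ok", "subdomain of " + good)
        if good in host:
            return ("block", good + " embedded in another domain")
        if edit_distance(host, good) <= max_typos:
            return ("block", "lookalike of " + good)
    return ("unknown", "not a bookmarked site")

if __name__ == "__main__":
    for link in ("https://nft-market.example/collection/1",
                 "https://nft-markct.example/claim",
                 "https://nft-market.example.login.test/"):
        print(link, check_link(link))
```
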
Never Sign Transactions You’re Unsure About
Another way to protect yourself from NFT theft is to exercise caution and avoid signing transactions you’re unsure about. To approve a transaction, you must sign a smart contract function that authorizes the marketplace to carry out the transaction.
However, some functions give the smart contract the authority to transfer your digital assets. Enabling this function on your wallet can make it possible for malicious actors to steal your entire NFT collection. Therefore, ensure you do not sign asset transfers until you are very sure about them.
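The functions that hand over transfer authority can be recognised from the raw transaction data a wallet shows before signing. The sketch below is an added example, not part of the original article: it decodes the standard ERC-20/ERC-721 selectors and flags approvals to addresses outside a user-maintained `trusted` set (a hypothetical parameter); the sample calldata is constructed.

```python
# Added example: classify raw transaction calldata before it is signed.
# A selector is the first 4 bytes of keccak256(function signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",        # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",               # ERC-20 / ERC-721
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}
ZERO = "0x" + "00" * 20
HEX = set("0123456789abcdef")

def _address(word):
    # An ABI-encoded address is right-aligned in its 32-byte word.
    return "0x" + word[24:]

def review_calldata(calldata, trusted=frozenset()):
    """Return (function, risk, detail) for hex calldata.

    `trusted` is a hypothetical user-maintained set of lowercase contract
    addresses, e.g. a marketplace contract verified out of band.
    """
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = SELECTORS.get(data[:8])
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    malformed = len(words) < 2 or len(data) % 64 != 8 or not set(data) <= HEX
    if name is None or malformed:
        return (name, "unknown", "cannot decode; do not sign blind")
    if name.startswith("setApprovalForAll"):
        operator, granted = _address(words[0]), int(words[1], 16) != 0
        if not granted:
            return (name, "low", "revokes operator " + operator)
        risk = "review" if operator in trusted else "high"
        return (name, risk, operator + " may move every NFT in this collection")
    if name.startswith("approve"):
        spender, value = _address(words[0]), int(words[1], 16)
        if spender == ZERO:
            return (name, "low", "clears approval for token " + str(value))
        risk = "review" if spender in trusted else "high"
        return (name, risk, spender + " approved for amount/tokenId " + str(value))
    # transferFrom / safeTransferFrom: the asset leaves the `from` address now.
    return (name, "review", "moves asset to " + _address(words[1]))

# Constructed sample: setApprovalForAll(0x1111...1111, true)
SAMPLE = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    print(review_calldata(SAMPLE))
```

Calldata alone cannot tell an ERC-20 `approve` from an ERC-721 one, so the value is reported as-is and any approval to an address you have not verified is treated as high risk.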
This tip is in line with the previous one. Always check the website you’re interacting with. Pay attention to the URL, spot typos, and always bookmark the crypto platforms and exchanges you interact with.
Use a Hardware Wallet
You can improve the safety of your NFT collections by using a hardware wallet, also known as cold storage. Although popular non-custodial wallets such as MetaMask provide a level of protection and control, they still process transactions that could become vulnerable to hackers.
In contrast, hardware wallets like Trezor and Ledger are physical devices that add an extra layer of security. These wallets require users to sign transactions within the device using their private keys locally, so your wallet’s private key is never exposed to devices connected to the internet. In other words, without their ‘permission,’ no transaction or smart contract can be signed.
Although hardware wallets are considered highly secure, approving malicious transactions with your physical device will not save your assets. On the other hand, unlike hot wallets, if your device gets infected, it will be impossible to steal your funds without connecting your hardware wallet.
It is worth noting that hardware wallets come at a cost. However, at a price ranging from tens of US dollars to a few hundred, investing in one is a small price to pay to secure your valuable NFT collections.
Store Your Seed Phrase Securely
Storing your digital assets in a hardware wallet requires you to take full responsibility for your assets’ safety. For one, keeping your seed phrase, which represents your private key, in a safe and secure location is crucial. The seed phrase, or secret recovery phrase, is typically 12 or 24 words representing your private key and providing complete access to your wallet and assets. Hence, never sharing your seed phrase with anyone is crucial, as it will give them access to your NFTs and crypto assets. On the other hand, always make sure to back it up properly.
Many users make the mistake of storing their seed phrases on their PC, whether online or offline, such as in emails or digital notes, which can make them vulnerable to hacking or theft. Instead, it’s recommended that you write down your seed phrase on a piece of paper and store it in a secure location such as a safety deposit box. It’s even better to separate the phrase into two or three parts and store them separately.
Whatever you do, NEVER store it on your hard drive, and never store it online or in the cloud. Never ever send anyone your seed phrase.
Do Not Store All Your NFTs in One Wallet
Using multiple wallets to store your NFTs will reduce the risk of losing all your assets to a single point of failure.
You can group your digital collectibles based on their value, rarity, or category and store them in wallets with varying security measures. For instance, you can keep your most valuable NFTs in a hardware wallet and less valuable ones in a web (hot) wallet. This way, even if one of your wallets gets compromised, you only lose a portion of your NFT collection. Also, since blockchains are public, any bad actor can see and target public addresses or wallets holding many valuable NFTs.
It is worth noting that using multiple wallets to store your NFTs requires additional organization and diligence. You must keep track of which NFTs are stored in which wallet and ensure that you have the necessary backup recovery phrases for each wallet. Remember that wallets like MetaMask allow you to open a few accounts, each with a different public address, but they are all under the same secret recovery phrase.
Perform Due Diligence
Conducting thorough research before investing in any NFT project always pays off. This requires due diligence to ensure that the project has a realistic roadmap and well-defined use cases. Investors must also verify that the project’s founders are credible and publicly identified. Doxxing the team helps confirm that the founders have previously worked on successful projects and have a good reputation.
You should be wary of projects that promise unrealistic returns as they are often too good to be true. Taking Azuki as an example, despite being one of the most promising NFT projects in 2022, the collection lost its value after one of its founders naively outed himself as one of the founders of several past failed NFT projects that rug-pulled investors.
Conclusion
With the rise of NFTs, taking steps to protect your digital collectibles has become necessary. This article highlights the most common NFT scams, including rug pulls, airdrop scams, phishing, and customer support impersonation, and provides tips to safeguard your NFTs.
To protect your assets, use reputable NFT marketplaces, try to interact with known collections only, don’t click on random links or Google ads, be wary of airdrop scams, and never sign transactions you’re unsure of. Conduct thorough research on NFT project creators and avoid sharing sensitive information with third parties. Following these tips, NFT holders can protect their assets from hackers and scammers.