Explaining Common NFT Scams to Watch Out For
by Corporate Trash
With any new popular technology, there are scammers waiting to take advantage of inexperienced people just getting started. The NFT space is extremely fun, but also is extremely unregulated — after all, decentralization is kind of the point. It’s more important than ever to ensure you are aware of the most common NFT scams, and brush up on how you can best protect your assets.
We’ve previously covered how to protect yourself from scams, but it’s also important to know the common NFT scams to look out for as you start collecting.
Discord and Twitter DMs and Announcements
Direct messages are probably the most common way that scammers target people in the NFT space — especially on Discord. People have been scammed with fake minting links, fake MetaMask support links, fake NFTtrader links, impostor Discord accounts and impostor Twitter accounts.
Scammers will go a very long way to duplicate a website or social media profile down to the very last detail. This is why it’s important to verify any link — even from someone you trust — before engaging with it.
In Discord, people will create fake accounts imitating Moderators in that channel and DM people pretending to be support. Remember: It’s highly unlikely a project or their employees will ever DM you with an opportunity. Always verify who you are talking to.
You can turn off Discord DMs from strangers by default by going to Preferences > Privacy and Safety > turn off Allow direct messages from server members. This is highly recommended for all NFT-related servers.
The best practice is to not click on any links that you get in Discord or Twitter DMs. If you want to verify if you are in fact talking to the right person, you can message them on other social media sites and ask if the communication was, in fact, from them. Check them or their project’s website for official links to their social media accounts.
Discord #announcements NFT Scams
Many Discords have been hacked by scammers, including Jenkins the Valet, Alien Frens, and many others. In these cases, the attackers make themselves administrators through web hooks and post a fake minting link in the Announcements channel. Collectors go to the link and connect their wallet, only to find out it has drained them of their NFTs and Ethereum.
Be aware of this risk, as sometimes, even Discord announcements aren’t safe. Even with announcements, especially in the case of a surprise “mint”, look for an official second source on other social media channels to verify the website before proceeding.
Collectors often try to avoid paying royalty and transaction fees on marketplaces like OpenSea, Rarible, or LooksRare by doing a transaction off-market. This puts a huge burden on whoever sends the assets first.
For example, in NBA Top Shot, people sold unopened packs off the marketplace, but some people didn’t know that you actually cannot transfer an unopened pack to somebody else — they were left with less money and no packs.
Another example is someone who was unknowingly talking to a scammer in a Twitter DM to do a deal, then sent over their NFT, only to get nothing in return.
Fake NFT Trading links
If you choose to use a middleman like NFTtrader (NFttrader.io) or sudoswap to make a trade, always beware of fake links to trades. These are a very prevalent scam right now and many of these links look similar to the actual NFTtrader UI. Always do your due diligence on a link before connecting your wallet or proceeding with a transaction.
This goes beyond just NFTs, but it is good practice to have two-factor authentication on every platform that offers it. By activating this on Discord and Twitter, it will add an extra step past just your password — like texting a code to your phone number — to ensure it is actually you who is logging in.
A strong password alone unfortunately is not enough these days to protect your account from hackers. When available, the strongest two-factor authentication is using an authenticator app, like Google Authenticator, on your phone.
One prominent person on NFT Twitter had their password stolen, and their hacker demanded a ransom of Ethereum to be paid before they would hand back control. They changed the person’s bio and had access to all of their DMs. Ultimately, the hacker came around and there was no payment made, but that could have been an expensive lesson to learn.
Checking the Transaction
When you mint or buy something, there will be a transaction created in your MetaMask wallet. It is best to review the contract address and make sure you are interacting with the right one.
You can paste the contract address into Etherscan and check out the token to ensure it doesn’t look like something suspicious.
Another good practice is to limit the spend approval limit on a contract. You can do so by following the instructions here:
Take the short time to double check the transaction and set spend approval permissions. It may seem cumbersome, but you may be saving your future self by doing it.
NFT Delisting Bug on OpenSea
This isn’t so much a scam, but a bug. On some NFT marketplaces such as OpenSea, there are bugs which have inadvertently robbed people of some of their most valuable NFTs.
After you list an item and want to cancel the listing, you have to pay gas fees on a transaction to cancel it. However, if you transfer the item to another wallet, the listing is canceled without a fee. Some do this to get around pricey cancellation fees, but some do this inadvertently in order to move the asset to another wallet.
The problem is, if this same asset is moved back to the original wallet it was listed from without the listing being canceled, the listing automatically returns at whatever price it was before. This is a massive issue and has caused many people to lose high-value NFTs.
Before you transfer your high value NFTs, make sure the listings on it have been canceled. You can revoke OpenSea’s access to your NFTs by using revoke.cash, which will cancel your listings on any NFT collection..
Downloading Unknown Files
One of the biggest ways that hackers target people is by sending links to files in emails and DMs. Files can have hidden .exe programs in them, which can install a keystroke logger to steal passwords and invade your system.
If I get a file sent to me from somebody I don’t know, I never open it. Ask them to use a Google Doc instead, and double check that it is a valid Google Doc link. Another suggestion is to use the Mac operating system, which is commonly said to be less vulnerable to some types of attacks.
Use Official Links directly from Projects
Many people looking for a correct website URL will put it into Google. Google Ads show up at the very top of the search results, and people will click it thinking it is the official website.
Scammers know this, and buy ads that look like the official link. This will actually take the visitor to a malicious website. Once their wallet is connected, the person’s wallet can be drained of Ethereum or NFTs.
Make sure to use the official links channel in the project’s Discord and other social media channels only. This will also help you avoid falling victim to buying fake collections on OpenSea, which are extremely rampant.
In your hidden folder on NFT marketplaces like OpenSea, sometimes random NFTs show up (like the ones shown below). These are considered NFT “junk mail” and it is unknown if they are malicious or not. Most of the time these are Polygon network NFTs, since it doesn’t require gas fees for the sender to send.
By interacting with these tokens (burning or sending them elsewhere), you are putting your wallet at risk. It is best just to keep them in your hidden folder on OpenSea and not interact with them.
This can also happen with ERC-20 (fungible) tokens like BadgerDAO coin. One day I looked at my Coinbase wallet and it said it was suddenly worth $23 million. Someone had airdropped me a ton of fake BadgerDAO coins. I am not touching them for fear of risking other assets in my wallet.
Long story short — $23 million probably isn’t going to just drop out of the sky into your wallet! If it looks to good to be true, it probably is. Same goes for airdropped NFTs.
Common Scams with Hardware Wallets
Many think that using a hardware wallet like Trezor or Ledger makes them immune to scams or hacks. The fact is, even a hardware wallet won’t keep you safe if you are connecting it to the internet and signing transactions with it.
One OpenSea user had the unfortunate experience of getting their Bored Ape and Doodle stolen by attempting to claim an airdrop. Dingaling explained how it all went down in a detailed Twitter thread. It was only allowed to happen because:
1) the user attempted to claim an airdrop without making sure it wasn’t a scam, and
2) the user had previously approved both NFT collections to interact with that wallet.
Do not let the fear of missing out on an airdrop push you to make a hasty transaction decision! Let the dust settle. See what the buzz is on Twitter, or talk about it with people in the space who you trust.
Whatever it is, it’s most likely not worth risking connecting your high-value NFT wallet anyways.
The tool revoke.cash will show you which allowances you have made for ERC-20 and ERC-721 tokens. Make sure to periodically go through and revoke access to these tokens for each of your wallets, especially the wallets with your most valuable NFTs.
Summary on NFT Scams
The crypto and NFT space is a risky one. Being aware of the common scams will help you protect your assets. In a fast-moving space like NFTs, scammers take advantage of people moving quickly to try to capitalize on an opportunity. “Fear of missing out” is real, and can distract your better judgment when you’re in the moment.
Don’t click links in DMs, use official links only, use two-factor authentication, beware of shady contracts, only buy what you can afford to lose, and never, ever give your seed phrase out.
For more tips on additional crypto and NFT wallet protection, check out our article with our 10 commandments for security.