15 April 2022

Most Common NFT Scams And How To Protect Yourself.

Although in another article we will talk more in depth about the technological basis of NFT tokens, emphasizing the limits and scope that this technology promises, this time we will talk about the most common types of fraud around these cryptoactives to establish some parameters that allow us to take care of ourselves and operate calmly when using them.

Table of Contents

Context on NFTs and fraud

Although we can say that the world of non-fungible tokens, better known as NFTs for its acronym in English or nifties, began approximately in 2012 with the creation of Colored Coins, lately they have begun to attract more attention from users due to the explosion that this technology has had in various segments such as art, the creation of collectibles related to sports or the video game segment.

In fact, several blockchain-based video games are moving the economy around the world, so we can assure you that it is a rising market in which the number of active wallets, buyers, sellers and volumes of transactions are also growing. sales. It is important to note that, in 2020, the NFT market grew almost 300% compared to 2019 and that currently the operations involving NFT exceed 300 million dollars in transaction volume. As expected, this combination of factors aroused the interest of cybercriminals, just as it happened with cryptocurrencies .

Now, the truth is that a digital wallet is needed to buy, sell or store an NFT .Keeping these wallets and the use of their associated systems safe is one of the issues that generates the most concern around the protection of these crypto assets. For example, in the event that someone tries to steal a physical work of art, they would have to violate the physical security of the museum that hosts said work, while to steal a digital asset it is necessary to violate the security of the system that hosts it and those who are involved. around it. In this context, threats such as malware, the use of Social Engineering techniques such as phishing and other forms of deception are becoming more frequent due to the greater interest of attackers seeking to appropriate or manipulate these crypto assets.

Regarding the scams and frauds that have been known in recent times, we can point out some examples of artists who have had their works copied without permission and have been sold as NFT. This happened, for example, after the death of artist Qing Han in 2020, when a scammer assumed her identity and several of her works became available for purchase as NFTs. Similarly, last year a scammer managed to compromise the Banksy’s official site and launched an auction through a page that has since been removed, through which he managed to sell an NFT allegedly made by the artist for $336,000.

Among other crimes we can highlight “ sleepminting ” which is known as a process that can also allow a scammer to mint an NFT in an artist’s wallet and transfer it to their own account without the artist noticing. In recent times, several crimes have appeared around these cryptoactives. Cybercriminals take advantage of the fact that the NFT market is unregulated and has no legal recourse to deal with such crimes. Many stolen digital works of art are fraudulently sold as NFTs. Although there are incipient security strategies, such as the one proposed by Adobe through Photoshop with a functionality to guarantee the proper attribution of NFT art by creating a database of theinterplanetary file system , there is undoubtedly much to be done, since vulnerabilities in systems are renewed day by day and, as is usual in security, the weakest link is in the behavior of users.

Although some of the scams that we have just mentioned, along with other frauds such as rug pull and identity theft or false profiles, are the ones that generate the most problems in the NFT community, below, we review what are the most common scam modalities around NFTs and share some tips on how to avoid them and how to stay safe.

Beyond the modalities that we will mention below, it is important to keep in mind that malicious actors are always looking for new methods to commit fraud, which forces us to stay informed and alert at all times.

Cheats through direct messages on Discord

Discord is very attractive to cybercriminals and there are different ways of cheating through this platform. Last December, criminals compromised the Discord channel of Fractal , an NFT gaming marketplace, and deceived 373 users by stealing approximately $150,000 in Solana cryptocurrency from their wallets. In fact, scams seeking to steal access to Discord accounts are quite frequent. But the reality is that there are various types of scams on Discord that NFT owners should be aware of. Posing as friends or using compromised accounts they send direct messages making up a story and/or impersonate an NFT project, brand, artist or influencer.

It is worth remembering that Discord is a platform that is made up of servers that bring together users interested in specific topics. The platform allows you to send direct messages (DM) that allow you to have individual and private conversations with other users in the Discord community and also allows you to send direct messages and start group chats regardless of the server you are on. For this very reason, the more you expand your Discord network, the more fake invites you’ll receive. That’s why users should never click on links from unknown sources, no matter how legitimate they seem, or direct messages from ” friends “.” asking for money, or “ads” for NFT projects. We always have to check. If you get a strange message from someone you know, make sure it’s the person they say they are by first checking their ID.

Fake profiles on social networks

Both on Twitter and on other social networks, users must learn to live with false profiles that will try to make us fall into a trap. We must get used to paying attention since they often copy information from the official profile. Therefore, if you are not attentive, you will not identify that perhaps the only difference may be just one letter between one profile and another.

A malicious campaign using Twitter bots was detected in 2021 . The criminals automatically replied to posts that included certain keywords and that referred to a problem with a crypto asset. After a while, cybercriminals responded by posing as a support representative and ended up tricking the victim by stealing the recovery phrase or seed phrase to gain access to cryptocurrency wallets.

On the other hand, through fake accounts criminals can try to send you a message pretending to be willing to chat or asking for help and advice about something. Usually, if we pay attention to certain elements, like the number of followers, tweets copied and pasted from real handles, too many retweets from other accounts without original content, we will realize that they are not genuine.

Fake sites posing as official (phishing)

It is very common to create fake sites that are very similar copies of NFT stores, digital wallets, etc. These fake sites can be distributed through social platforms like Discord, Twitter, or even email.

Fake site seeks to connect with wallets

Another fake site posing as OpenSea seeks to steal cryptocurrency wallets

Instance where you seek to steal cryptocurrency wallets

Fake sites impersonating legitimate brands have been around forever and will continue to exist. These pages can be distributed from any social platform, be it Discord, Twitter, forums, email, etc. Fake sites can be surprisingly similar to the official ones, albeit with some minor changes to the URL or layout.

For this reason, we should always take a close look at any links we receive by any means before clicking on them or in case they ask for personal information, such as a seed phrase or password. We must remember the golden rule that we should never enter our seed phrase outside of our wallet and we should always pay attention to the domain we are browsing.

On the other hand, and in the face of possible NFT counterfeiting, if we’re looking to buy expensive and in-demand crypto art, it’s worth doing some background research, especially if the artwork costs less than it should. It is important to always investigate if the NFT contract address is the real one, look at who is selling the NFT, what else has been sold, and if the NFT is also available in other markets, because if it is a unique edition there should be no more than one for sale.

Imitators of artists or creators

If you plan to buy NFTs, remember to do so from artists that are verified or that demonstrate by their seniority or activity that they have not been involved in anything suspicious. In addition to the Banksy case we mentioned, in which a scammer managed to sell from the artist’s official site, there were also other cases of identity theft. For example, when Tyler Hobbs, the artist behind the generative art collection (Art Blocks) called Fidenza, denounced the SolBlocks platform for selling imitations of his works created using his code without his permission. Another case was the one that affected the artist Derek Laufman, when on Rarible, the platform for buying and selling NFTs, someone created an account in his name that was even verified and began selling his work as NFTs. The list of artists who were victims of accounts and sites that sold NFTs of their work without the consent of the artist with several. In fact, several artists began to check on platforms such as OpenSea or Rarible if their work was being minted without their consent.

Pump & Dump Scam

Pump & Dump is an English term that could be translated as “inflate and dump”, which describes a scam model in which a person or group of people buys a large amount of NFT (although it can be a token or cryptocurrency) to generate an increase in demand and thus increase its value.

Generally, those who fall for the deception are naive users who believe that the price will increase and who feel that they have found a great opportunity. Many times driven by influencers who promote them through their social networks. However, once the value of the NFT or other asset rises, the scammers dispose of all of their assets and make a significant profit on them, leaving victims with worthless NFTs and massive losses.

To detect a Pump & Dump scam it is recommended to review the transaction history, since if it is a genuine project the range of buyers must be wide and not just a few buyers who are selling and reselling. Platforms like OpenSea or any other NFT platform allow you to look at the total number of transactions and who bought the NFT collection.

rug pull scam

These types of scams occur in general in the crypto world and of course NFTs are not left out. There have been several cases of rug pull scams in recent times, and this is partly because they can be difficult to detect until it is too late. Recent cases include ‘Evolved Apes’ , a project in which the creator simply disappeared with $2.7 million, and also the Squid token case(in honor of the Squid Game series, which in Spanish is The Squid Game), whose value fell precipitously after going from 1 cent to 2,800 dollars in a week. From there, the value fell and the official Twitter account disappeared, as did its website and Medium account. It is estimated that the developers of the token kept $3.3 million.

This fraud occurs when those responsible for a project abandon it and keep the investors’ money. When the value of the token and the number of investors reaches a certain point, fraudsters empty the liquidity pools of a decentralized exchange (DEX, for its acronym in English) causing the value of the crypto asset to plummet and leaving the owners of these assets without being able to sell them.

These scams are often camouflaged with excuses like there is a bug in the software and it takes time to fix it. They are more prevalent in the DeFi ecosystem and on DEXs (Decentralized Exchanges).

auction scam

One of the most popular scams are fake offers, known in English as Bidding Scams. In these cases, someone auctions an NFT at a base price for users to bid on it, but the scammer, without the seller’s knowledge, changes the cryptocurrency with which they make the purchase for one that has a lower value.

There are some variations of the same fraud. In other cases, it has been seen that someone lists an NFT for sale at a price, then delists it and relists it, but moving the decimal one place to the right. As this Twitter user explains , last year he found that the OpenSea platform wasn’t registering that change for 30 minutes, so someone could accidentally end up paying more than he thought. The recommendation to avoid falling for this scam is to verify the cryptocurrency used and not accept a lower amount or buy for a higher amount than the NFT supposedly contained.

Fake profiles and impersonation of artists or collectors

This is a scam in which scammers create fake profiles or impersonate a collector, artist, or NFT creator. The ways of dealing with victims are varied. For example, criminals may try to direct message these creators to buy an NFT from them by pretending to be someone they are not, and first asking the seller to take an action , such as registering on a site or the like, or sharing an image. retouched from his cryptocurrency wallet showing a significant sum. They can also be through Twitter accounts in which they publish that they have 1 ETH to invest in NFTs and invite creators to share their works. Unfortunately, they are often scams.

Fake profiles seek to lure NFT creators

For those just starting out and looking interested in buying their NFTs it can be tempting, and criminals know it. Therefore, if you face this situation as a seller, be careful.

Sweepstakes, giveaways and bogus offers

Many fake offers and unexpected giveaways around NFTs and other crypto assets are often advertised through Discord accounts, Twitter and other social platforms. In some cases, they are accounts that were compromised and their name was changed. Thus, from these fake but very real-looking accounts (in some cases with many followers and posts), criminals pose as a recognized brand or person and announce, for example, that they are giving away cryptocurrencies. But to get the supposed gift, users will have to provide some kind of password or secret phrase.

False “mints”

This is a scam in which developers send NFTs to influencers by making it appear that they are the ones minting the NFTs. They do this knowing that many buyers monitor wallets for trends and what is being bought to try to anticipate mass interest. Tools exist to monitor ETH wallet addresses and they can be configured to receive notifications via Telegram or Discord. The problem is also that those who monitor the wallets trust without having previously investigated. As revealed by OpenSea , the leading NFT Marketplace, more than 80% of the NFTs minted using its free minting tool were fake, plagiarized, or spam.

In this post , The Prometeus Project team shares some tips to recognize false mints.

How to protect yourself?

While we cover what the most common NFT scams are and in some cases how they combine with each other, the truth is that cybercriminals are innovative and always find new strategies to carry out their attacks. Therefore, the most important thing is to be vigilant and be wary of anything that is too good to be true. Skepticism can save you a big headache.

As we saw throughout the article, all these scams involve various vectors, such as users, social networks where NFTs are promoted, tools used to carry out transactions, etc. Each of these vectors has its own weaknesses and their respective combinations that lead to more sophisticated attacks that are changing all the time.

Therefore, beyond knowing that we must always be informed and never forget the classic scam techniques, such as those provided by social engineering, below, we will review some important items to operate with NFT more safely.

Never share your seed phrase or password unless you are absolutely sure and have triple-checked where you clicked.
Always check the history of direct messages and verify their origin.
Don’t click on any links that promise freebies, offers, or anything that requires you to make a quick decision. If you’re tempted to click, thoroughly check who is sending the links first, and especially on Discord.
Try to keep your most valuable assets in a “cold wallet”. A wallet that you do not use regularly and that has several security measures to access it.
Try to use a hardware wallet. These types of wallets are highly secure and allow us to store our funds offline.
Get a password manager for all your wallets and accounts. These types of tools help generate and save complex passwords