Last year, without a doubt, was the year of NFTs. The NFT market generated more than $23 billion in trading volume in 2021, with some NFTs selling for tens of thousands of dollars. From acclaimed artists to celebrities and iconic brands, we witnessed the who’s who of numerous industries foraying into the space. Unfortunately, as the industry continues to take giant strides, NFT scams are increasingly plaguing the industry. Driven by a lack of regulations and the chance to make a quick buck, a growing number of scammers have now hit the industry.
The biggest NFT scams and how to avoid them
As NFTs become more mainstream, the scammers are also becoming smarter and better at stealing NFTs and crypto. This has led to even veterans in the space getting scammed. Take the famous rapper Waka Flocka Flame, for example, who lost $19,000 in an NFT scam just days ago. Apparently, hackers sent some malicious NFTs to one of his wallets. When he clicked on the assets in an attempt to delete them, his funds were automatically transferred to the attackers.
Clearly, you can never be too careful in the NFT space. You never know what scam may hit you, when, and from where. The only way to keep your crypto and NFTs safe is to take all the necessary precautions. And it goes without saying—always keep your guard up and be extremely wary of who and what you interact with online. An important way to avoid NFT scams is to be aware of what’s happening out there.
Let’s take a look at some of the biggest NFT scams and learn how to protect yourself from them.
NFT Phishing scams
Basically, phishing is a common online scam where scammers impersonate real organizations to steal sensitive information through emails, texts, and other means. The same has been widely happening in the NFT world, where impersonators try to steal your private key or seed phrase.
Now, a seed phrase is a list of 12 to 24 words generated by a crypto wallet to give you access to the wallet, meaning, to the crypto and NFTs stored there. This key cannot be reset by anyone, including your wallet provider. Due to the underlying blockchain technology, once a wallet is compromised and the funds are stolen, no one can reverse the transactions. Put simply, once your assets are stolen, they are gone forever.
A typical example of an NFT phishing scam is a tempting NFT giveaway that leads unsuspecting NFT enthusiasts to share their seed phrase. Stazie, the co-founder of the play-to-earn game Hedgie, is one victim of such a phishing giveaway. In August, he lost nearly a million worth of digital assets, including 16 CryptoPunks and a substantial amount of ETH.
After clicking the link for a giveaway by a CryptoPunks bot on Discord, Stazie was taken to a site very similar to that of CryptoPunks. He also got a pop-up for what looked like MetaMask. This was followed by a message stating that the “security was compromised” and asking him to enter the seed phrase to restore the wallet, which, unfortunately, he did. Before he could do anything, the scammer (or scammers) got away with his assets.
Similarly, fraudsters pretending to be security agents or support staff members can reach out to you to help with some issues. Some may even send fake wallet security alert emails or OpenSea offers for your NFT. All of these will likely come with phishing links to steal your seed phrase.
This brings us to—
We cannot stress this enough: NEVER share your seed phrase!
Remember, you won’t ever have to enter your seed phrase to complete any transaction. Neither NFT marketplaces nor wallet providers will ask for your private key. If anyone asks you for it, it is a scam, so quit immediately. In addition, make sure to store your password securely and offline so that hackers do not get access to it.
Fake NFT projects and websites
As we mentioned in the case of phishing attacks, there are plenty of fake websites out there. Even if you are Googling an NFT website yourself, a simple typo could land you on a fake website. Since most of these sites look strikingly similar to the original, you probably won’t realise what happened until it’s too late.
Consider NFT Trader—a website commonly used by NFT traders. While the official domain is “nfttrader.io”, there are several bogus websites that go by domains such as “ntftrader.io” or “nfttrader.link”. In one such scam, @shanterpster lost a Bored Ape worth $281,000. Hence, every time you use an NFT website or dApp, double-check to ensure that you are using the right one.
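The lookalike check described above can be automated. The following is an added example, not code from this article or from NFT Trader: the allowlist, the function names and the two-edit threshold are assumptions, and the only real domains used are the ones quoted above.

```javascript
// Added example: flag hostnames that imitate an official NFT site.
// The allowlist holds the one official domain the article names.
const OFFICIAL_DOMAINS = ["nfttrader.io"];

// Edit distance that counts an adjacent swap ("ft" -> "tf") as one edit
// (optimal string alignment), so transposition typos score as close matches.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns { verdict: "official" | "lookalike" | "unknown", reason }.
// Simplification: the registrable domain is taken as the last two labels,
// which is wrong for suffixes such as co.uk; use a public-suffix list there.
function classifyHost(input) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  const host = new URL(hasScheme ? input : `https://${input}`).hostname
    .toLowerCase().replace(/\.$/, "");
  if (OFFICIAL_DOMAINS.some((o) => host === o || host.endsWith(`.${o}`))) {
    return { verdict: "official", reason: "on the allowlist" };
  }
  const labels = host.split(".");
  const [name, tld] = labels.slice(-2);
  for (const official of OFFICIAL_DOMAINS) {
    const [oName, oTld] = official.split(".");
    if (labels.slice(0, -2).includes(oName)) {
      return { verdict: "lookalike", reason: `"${oName}" appears as a subdomain of another site` };
    }
    if (name === oName && tld !== oTld) {
      return { verdict: "lookalike", reason: `same name as ${official}, different TLD` };
    }
    const dist = editDistance(name, oName);
    if (dist > 0 && dist <= 2) {
      return { verdict: "lookalike", reason: `${dist} edit(s) away from ${official}` };
    }
  }
  return { verdict: "unknown", reason: "not on the allowlist; verify before connecting a wallet" };
}
```

A plain Levenshtein distance would score “ntftrader” as two edits from “nfttrader”; counting the swapped letters as one edit keeps the threshold tight without missing this kind of typo.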
The same goes for NFT projects within marketplaces—scammers create scores of replicas of NFT projects online. Here are some ways to avoid getting scammed by a fake project:
- Marketplaces like OpenSea verify collections and creators as authentic and add a verified badge to the accounts. Buying from verified collections is a good way to avoid getting into NFT scams.
- Look for the tell-tale signs of fake NFTs. This includes an exceptionally low price, small collection size, and low sales volume.
- Another way to spot a fake NFT is by checking its individual description and properties. Most often, scam NFTs won’t have any description or properties.
Do not interact with NFTs and tokens sent to your wallet!
Connecting your wallet to websites is, in itself, safe. The only drawback is that once the website has your wallet address, it could be used for attacks. For example, some websites use unsafe methods like ‘eth_sign’, which allow even transaction messages to get signed (fabdarice.eth has shared an example of this). There is a common misconception that disconnecting your wallet once connected will help—it won’t. To protect your wallet, you must never interact with an unknown contract. If the contract has any malicious functions, it can steal your wallet’s contents when triggered.
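To show why ‘eth_sign’ stands apart from other wallet requests, here is an added example (not from this article and not the fabdarice.eth example it mentions) that triages a request before the user is prompted. It goes beyond ‘eth_sign’ to the other common signing methods for contrast; the function names and the sample values in the comments are constructed, and the request shape is assumed to follow EIP-1193.

```javascript
// Added example: triage a dApp's wallet request (EIP-1193 shape: { method, params }).
// Decode a 0x-prefixed hex string to UTF-8 text so a message can be shown to the user.
function hexToText(hex) {
  const bytes = (hex.slice(2).match(/../g) || []).map((b) => parseInt(b, 16));
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

function assessWalletRequest({ method, params = [] }) {
  switch (method) {
    case "eth_sign": {
      // params: [account, data]. The data is signed as-is, with no prefix, so
      // a 32-byte value may be the hash of a transaction the user never sees.
      const data = String(params[1] ?? "");
      const is32 = /^0x[0-9a-f]{64}$/i.test(data);
      const what = is32 ? "an opaque 32-byte hash" : "raw data";
      return { action: "block", reason: `eth_sign would sign ${what}; it may be a transaction`, preview: data };
    }
    case "personal_sign": {
      // params: [message, account]. The wallet adds the EIP-191 prefix before
      // hashing, so the signature cannot double as a transaction signature.
      const msg = String(params[0] ?? "");
      const isHex = /^0x([0-9a-f]{2})+$/i.test(msg);
      return { action: "review", reason: "prefixed message; show the text", preview: isHex ? hexToText(msg) : msg };
    }
    case "eth_signTypedData_v4": {
      // params: [account, typedData]. Structured, so fields can be displayed.
      let preview = "unparseable typed data";
      try {
        const td = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
        preview = `${td.domain?.name ?? "?"} / ${td.primaryType ?? "?"}`;
      } catch (_) { /* keep the default preview */ }
      return { action: "review", reason: "typed data; show domain and type", preview };
    }
    case "eth_sendTransaction": {
      const tx = params[0] ?? {};
      const preview = `to=${tx.to ?? "(contract creation)"} value=${tx.value ?? "0x0"}`;
      return { action: "review", reason: "sends a transaction from the wallet", preview };
    }
    default:
      return { action: "allow", reason: "not a signing or sending method", preview: "" };
  }
}

// Constructed sample: personal_sign with the hex for "Hello" gives
// { action: "review", preview: "Hello" }; any eth_sign request gives "block".
```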
Follow the golden rule: if it’s free, it’s probably bad news for you. If someone sends you free NFTs, do not interact with them in any way. Remember what happened with Waka Flocka Flame? So, do not try to delete them, send them elsewhere, or sell them—simply ignoring them is the best course of action.
Beware of rugpulls!
For the uninitiated, a rugpull happens when creators fail to deliver on a project and abscond with all the money. Typically, the scammers will create a legit-looking project with artwork sneak peeks, a website, social media accounts, and more. However, post-launch, when the collectors have minted NFTs, the developers flee with all the money, leaving the investors empty-handed.
From Iconics and Bored Cat Club to Tokyo Ten and Crazy Lemur club, several rugpulls have riled the NFT industry recently. A particularly jarring NFT scam of this kind is that of the Evolved Apes rugpull, where the developers stole $2.7 million worth of ETH.
Unlike the NFT scams mentioned above, rugpulls are more difficult to identify. So, be extremely wary of new NFT projects and do enough research, especially of the developers, before investing. Naturally, developers who have doxxed themselves are slightly more trustworthy.
Stolen artworks and NFT artist impersonation
Another increasingly common scam in the NFT market is art forgeries. A slew of artists like Derek Laufman, RJ Palmer, Trevor Henderson, Liam Sharp, and more have had their works stolen and sold as NFTs. As the scammers often impersonate the artist, complete with their profile picture and bio, unsuspecting fans end up buying the NFTs. In one instance, acclaimed graffiti artist Banksy’s website got hacked, with the hacker adding a link to a fake NFT auction site. None other than Pranksy fell for the scam, shelling out $336,000 for the piece.
While it’s easy to fall prey to such scams, here are some steps to ensure you don’t end up buying a stolen NFT:
- Buying from verified artists on marketplaces is an easy step to confirm the NFT’s authenticity. Alternatively, you can choose highly curated websites like Foundation, SuperRare, and KnownOrigin.
- If it’s a famous artist, they are likely to post about the drop on their social media accounts as well. So make sure to look for any official announcements from them. Just to be sure, you could always ask the artist directly.
- If it’s a relatively unknown artist, carefully look at their social media sites to see how legit they are.
- Use Google’s reverse image search to know about the origins of the artwork and the versions that exist online.
Discord hacks are on the rise
We have already discussed phishing, and by now you should know that you must never click on unknown links you receive, whether in emails or Discord DMs. But links posted by authentic NFT projects in their Discord servers must surely be safe, right? Well, not always. Unfortunately, a series of hacks have been transpiring on NFT Discord servers where fraudsters hack their bots.
Basically, after hacking the bot, the malicious actors will post a message on the channel. Often, the hackers will announce a “stealth launch” with a link to a fake website. Once people mint through the website, the scammers will walk away with all the money. This is what happened recently with the Boss Beauties NFT project. The project is one among many that have fallen prey to such Discord scams in the recent past.
Again, Discord hacks are difficult to spot, especially if the dubious links are posted in the official Discord channel. All you can do is double-check any links before spending any amount. Alternatively, confirming with the project founders before minting can also help.
As the industry evolves, NFT scams are only going to increase. While we have listed some of the most common scams, it is not an exhaustive list and new methods are only going to come up. As a rule of thumb, always be extra cautious every time you plan to mint any NFT. Additionally, make sure to take extra precautions such as using two-factor authentication for your accounts and a password manager. You can also use a cold wallet to store your assets offline, which makes them more secure.