In a call to action for the US Congress to grant his organization greater authority over crypto regulation, sitting Securities and Exchange Commission Chairman Gary Gensler famously analogised the growing digital asset market to the ‘Wild West.’ While Gensler’s comparison, which likens the crypto world to an era in which lawlessness and crime ran amok, is in some ways hyperbole, it aptly describes the pervasiveness of scams in the NFT market and the absence of legal recourse for those investors who fall victim. This article will provide an overview of the most common scams one will encounter in the NFT world, followed by a brief discussion of the best practices to stay safe. In particular, the following subjects will be covered:
Among the most convincing and insidious ploys used by hackers to steal NFTs is a form of social engineering in which the attacker masquerades as support staff from a popular platform in order to trick users into exposing the secrets that control their wallets. One example of this scam being used in practice was shared by victim @oneinaneillion, who famously lost high-value tokens from the Bored Ape Yacht Club (BAYC) and Cool Cats collections, among others.
The victim placed a support ticket in the OpenSea Discord to have a member of the marketplace’s staff assist him with an account issue. Shortly thereafter, an individual purporting to be part of the OpenSea support team messaged the victim and created a new private channel in which they could ostensibly resolve the problem. The individual claiming to work for OpenSea then requested that the victim unsync their MetaMask mobile wallet and share their screen while navigating the MetaMask browser extension. In the course of doing this, the victim was misled into displaying the mobile sync QR code on the shared screen. That QR code is not merely the wallet’s public address: it carries what is needed to reconstitute the wallet on another device, so anyone who captures it gains full control of the keys. The attackers imported the wallet onto their own devices and siphoned out many of the victim’s most prized possessions in addition to some of their ETH reserves. The lesson generalises beyond MetaMask: a seed phrase, a sync code, or a screen showing either should never be exposed to anyone, and legitimate support staff will never ask for them.
Brand Impersonation and Bad Faith Giveaways
Comparable to the act of impersonating support staff, many scams are funnelled through fraudulent social media accounts posing as popular and well-regarded brands in the NFT world. These misappropriated brands may belong either to marketplaces and exchanges or to prolific digital artists and content creators. After assuming the identity of a well-known brand, the operators of these malicious social media accounts begin to shill otherwise unknown collections and promote fake giveaways designed to drain the wallets of anyone who follows the associated links. These sorts of bad faith giveaways may also come courtesy of random individuals directly messaging users on Discord, Twitter, Telegram, or other media, promising them free tokens from a collection that is poised to ‘moon’ and encouraging them to click the attached malicious link. Collectors who fall victim to these scams by clicking the provided links and following the routine steps of connecting their wallets will invariably face a rude awakening as the scammers gain dominion over their holdings and quickly siphon out their highest-value NFTs. It is worth being precise about where the damage is done: connecting a wallet only reveals its address and costs nothing. What hands over control is the transaction or signature the site then asks the user to approve, most commonly a blanket token approval (setApprovalForAll) that lets the scammer’s address transfer every token of a collection, or an outright transfer dressed up as a ‘claim’. Reading the prompt before clicking Confirm is therefore the single check that defeats most of these links.
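As an added example, not code from the original article or from any wallet vendor, the following Python decodes the calldata of a transaction that a site asks a wallet to sign and flags the calls that hand control of tokens to another address. The function selectors are the standard 4-byte IDs of the ERC-721/ERC-20 functions named; the sample calldata, the wallet address and the trusted-operator allowlist are constructed placeholders, not real contracts.

```python
"""Decode EVM calldata presented for signing and flag token-control calls.

Added example, not code from the original article. Selectors are the standard
4-byte function IDs (first four bytes of keccak256 of the signature). The sample
calldata, the wallet address and TRUSTED_OPERATORS are constructed placeholders.
"""

# Standard selectors for the functions a wallet drainer typically asks a victim to sign.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}

# Operators the user has deliberately chosen to trust (e.g. a marketplace contract).
# Constructed placeholder address; a real allowlist would hold the marketplace's
# published contract addresses, verified from its official channel.
TRUSTED_OPERATORS = {"0x" + "11" * 20}

# Constructed sample: setApprovalForAll(operator=0x22..22, approved=true).
SAMPLE_CALLDATA = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"


def _words(data: bytes) -> list[bytes]:
    """Split the ABI-encoded argument block (after the 4-byte selector) into 32-byte words."""
    body = data[4:]
    if len(body) % 32:
        raise ValueError("ABI argument block is not a multiple of 32 bytes")
    return [body[i:i + 32] for i in range(0, len(body), 32)]


def _address(word: bytes) -> str:
    """An address is right-aligned in its 32-byte word; the top 12 bytes must be zero."""
    if any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()


def decode_calldata(calldata_hex: str) -> dict:
    """Return the function name and decoded arguments for the selectors we recognise."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    if name is None:
        return {"function": None, "selector": selector, "args": {}}
    w = _words(data)
    if name.startswith("setApprovalForAll"):
        args = {"operator": _address(w[0]), "approved": int.from_bytes(w[1], "big") != 0}
    elif name.startswith("approve"):
        args = {"spender": _address(w[0]), "amount_or_token_id": int.from_bytes(w[1], "big")}
    else:  # transfer variants share the layout (from, to, tokenId[, data])
        args = {"from": _address(w[0]), "to": _address(w[1]), "token_id": int.from_bytes(w[2], "big")}
    return {"function": name, "selector": selector, "args": args}


def assess(calldata_hex: str, wallet: str) -> list[str]:
    """Return human-readable warnings for the signing prompt; an empty list means nothing flagged."""
    decoded = decode_calldata(calldata_hex)
    fn, args = decoded["function"], decoded["args"]
    warnings = []
    if fn is None:
        warnings.append(f"unknown selector {decoded['selector']}: do not sign what you cannot decode")
    elif fn.startswith("setApprovalForAll") and args["approved"]:
        if args["operator"].lower() not in TRUSTED_OPERATORS:
            warnings.append(f"blanket approval of every token in this collection to untrusted operator {args['operator']}")
    elif fn.startswith("approve") and args["spender"].lower() not in TRUSTED_OPERATORS:
        warnings.append(f"approval to untrusted spender {args['spender']}")
    elif fn.startswith(("transferFrom", "safeTransferFrom")) and args["from"].lower() == wallet.lower():
        warnings.append(f"outright transfer of token {args['token_id']} out of your wallet to {args['to']}")
    return warnings


if __name__ == "__main__":
    for line in assess(SAMPLE_CALLDATA, "0x" + "33" * 20):
        print("WARNING:", line)
```

A revocation (setApprovalForAll with approved=false) and an approval to a trusted operator produce no warning, which is the behaviour one wants when the same check is run over a wallet’s past transactions to find approvals that should be revoked.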
A type of scam that has long plagued the crypto realm at large, rug-pulls occur when seemingly legitimate projects raise significant amounts of financing from users, only for the project’s developers to disappear with the funds before delivering the promised tokens to investors or fulfilling their roadmap objectives. These scams are carefully orchestrated thefts, with the bad actors creating convincing marketing materials and social media presences to lull investors into a false sense of security and give them the assurance needed to invest in the project. A recent example of an NFT rug-pull was seen with the Evolved Apes collection, which comprises 10,000 primate avatars and was originally slated to be accompanied by a play-to-earn fighting game. While investors did receive their NFTs, the project’s Twitter page and website have since been deactivated and the developers have vanished with USD$2.7M in user funds that were intended to finance development of the promised game. Unlike other rug-pull victims, Evolved Apes collectors can at least find solace in having received the NFTs they purchased. However, the fact that investors’ funds were diverted to purposes other than what was intended still means that they too have fallen victim to one of the most blatant forms of fraud in the NFT world.
This scam follows a far less elaborate approach to deceiving NFT collectors, meaning it is more likely to succeed among users who are less tech-centric or less attentive to securing their funds. In practice, it follows the tried-and-true Web2 phishing playbook: malicious replicas of popular sites are built and used to trick unsuspecting victims into handing over what controls their accounts. An example of this scam being used was observed in the case of @jamiebxne, who fell victim to an illegitimate version of the OpenSea platform and lost 4 high-value BAYC tokens and the vast majority of their ETH as a result. In attempting to navigate to OpenSea via Google, the victim was naturally inclined to select the first search result on the presumption that it would lead to the actual marketplace. The victim seemingly did not realize that malicious developers can purchase Google Ads to have their phishing sites appear as sponsored results above the organic rankings, and therein was the fundamental mistake that led to the eventual theft. Upon clicking the first link and noticing no material design differences relative to OpenSea proper (aside from the broken English, which itself should have been a dead giveaway of the site’s fraudulence), the victim ‘logged in’ to their account, only to have their tokens transferred out shortly thereafter. Note that OpenSea has no username and password login; logging in to a replica means connecting a wallet and approving whatever signature or transaction the fake site requests, which is exactly the step that hands the tokens over. Typing the marketplace’s address directly or using a bookmark, and checking the domain in the address bar before connecting a wallet, removes the search-ranking trick entirely.
A few other dimensions exist to these marketplace-oriented scams. For one, some scammers create fraudulent replicas of nascent NFT collections on platforms such as OpenSea, enabling them to monetize the ignorance of users whose judgement may be clouded by FOMO and who have not taken the requisite steps to distinguish real collections from their bootlegs. A more sophisticated variant bundles a few tokens from a legitimate collection with several tokens from that collection’s fraudulent counterpart, allowing scammers to market the offering as fully legitimate and grossly overcharge victims for the few valuable NFTs in the bundle. The reliable check here is the contract address: names, images and descriptions can be copied, but the address of the collection’s smart contract cannot, so it should be confirmed against the project’s official site or verified social account before any purchase. Further, some phishers have taken to directly emailing collectors under the guise of automated messages from OpenSea, prompting users to click on malicious links and hand their wallet access to the scammers.
The massive presence of fraud in the world of NFTs should not deter investors interested in entering this bleeding-edge market. That said, certain best practices should be followed in order to avoid the aforementioned scams and safeguard one’s digital assets. Chief among these best practices, investors are encouraged to do the following:
Chalk, A. (2021, October 6). 'Evolved Apes' NFT creator Evil Ape disappears with $2.7M. Retrieved from PCGamer: https://www.pcgamer.com/evolved-apes-nft-creator-evil-ape-disappears-with-dollar27m/
Johnson, K. (2021, August 3). U.S. SEC Chair Gensler calls on Congress to help rein in crypto 'Wild West'. Retrieved from Reuters: https://www.reuters.com/technology/us-sec-chair-gensler-calls-congress-help-rein-crypto-wild-west-2021-08-03/
Rees, K. (2021, October 21). The 5 Biggest NFT Scams and How to Avoid Them. Retrieved from MakeUseOf: https://www.makeuseof.com/biggest-nft-scams-how-to-avoid/