The crypto industry has long been plagued by opportunistic scammers, who range from those who run Twitter giveaways to those who airdrop tokens as bait and then steal all of your tokens if you try to move them.
Now that NFTs are selling like hotcakes (both physically and digitally), con artists have shifted their tactics to take advantage of the growing market — and it appears that their efforts are paying off.
They are attempting to gain access to a person’s wallet and any tokens stored therein in two ways.
Pretending to be a support person
One key strategy has been to pose as a support representative for the NFT marketplace OpenSea.
This method is effective because there are so many issues with NFTs, such as determining whether a collection is official or not, NFTs not showing up in wallets, or NFTs showing up with incorrect attributes. These types of issues necessitate assistance, and as a result, perplexed buyers will seek assistance from either the NFT issuer or the marketplace with which they are dealing.
Typically, the NFT buyer will seek assistance in the messaging platform Discord, which has grown to be the hub of NFT activity and conversations.
The issue is that it’s very easy for someone to create an account called “OpenSea Support” or something similar and hang out in these chat groups. When someone mentions their problems, the phony support service will contact them via direct message and offer to assist them.
MetaMask, an in-browser wallet, was one of the most effective strategies. The scammer would ask the user to share their screen and point them to a section of the wallet that allows you to connect your wallet to multiple devices. The scammer would then set up the wallet on their own device, giving them complete control over the user’s funds.
Because this has become a major problem, MetaMask has temporarily disabled this feature.
Jeff Nicholas, a creative director at Authentic AI, experienced the same problem. In a tweet thread, he described how he went to the OpenSea Discord looking for help and was coaxed into a DM by a scammer using the name “OpenSea.” He eventually showed the QR code that allows the account to be transferred to another device, and then he noticed his wallet was being emptied.
“Everything was transferred. “All the Apes, dogs, cats, airdrops, and ETH,” he tweeted. “They’re also in my other account, so I log in and try to salvage as much as I can by transferring it to another wallet before it’s all gone. I receive a few NFTs and tokens.”
While this part of the attack may no longer work for MetaMask, it’s important to be aware that fake Discord support accounts exist, and they’ll use any trick in the book to steal your money.
Taking advantage of the NFT mint’s confusion
Scammers aren’t just targeting NFTs in general; they’re also focusing on the mints, knowing that they’re a great time to catch people off guard.
When NFTs are launched, a public date and time are announced ahead of time. At this time, the website will include a “mint” button, through which anyone can pay to create one of, say, 10,000 NFTs. When a mint is in high demand, it can sell out in minutes, if not seconds. This can make the situation extremely stressful, especially if the mint does not go as planned, as it frequently does. It can also cause a lot of confusion, which scammers take advantage of.
Prospective NFT buyers will be looking for the location and key details both before and after the mint (best found in the FAQ). If there are any issues, they will seek answers and solutions during this time. They’ll most likely be in the relevant Discord channel’s main general chat.
Pretending to provide a minting service is one method. The con artist will claim that the mint has malfunctioned and that the only way to obtain an NFT is to send cryptocurrency to the wallet address they provide.
Another example is when scammers post fake links in the hope that no one notices. One strategy is to post a website link claiming to be the location of the drop. It will resemble the official website, but it will most likely transfer all of their NFTs from their wallet.
This tactic impacted Messari research analyst Chase Devans, who used a link that a friend saw in Discord and passed along to him. When he attempted to mint an NFT on the site, it deducted $15,000 in solana (SOL) from his wallet as well as all of his NFTs.
“I’ve been rekt before,” he tweeted. You name it: shitcoins, May 19th cascades, and so on. This one, on the other hand, hurts in a different way. I’d been honing my craft and putting together a solid SOL stack based on fundamentals. Everything was gone in a flash, poof.”
Such strategies worked wonders for Solana-based project Aurory yesterday at the NFT mint. One wallet contained $1.5 million and 350 NFTs, with some of the latter being frozen. Because of a bug in the mint contract, which caused the NFTs to sell for 1 SOL instead of 5 SOL, one scammer made even more money than the NFT issuers.
The popular Solana wallet Phantom, for example, had an auto-approve feature that would approve any transaction from an approved website (designed to make it faster to mint). However, this could allow the website to approve a variety of other transactions, potentially jeopardizing your NFTs. Phantom has stated that it will be removing this feature.
The most important piece of advice here is to make sure you’re using official links, which are usually found in the project’s FAQ channel — and not any links provided in an open channel. It’s also a good idea to create a separate wallet for each mint so that you don’t lose more than what’s in that wallet.