
Original author: Nancy
Original source: PANews
The dark forest of the cryptocurrency industry is full of hidden dangers and traps. Asset thefts happen often, and neither the popular NFT sector nor its well-known players are immune. Kevin Rose, founder of the NFT project Moonbirds, confirmed on January 25 that his personal wallet was hacked and a total of 25 Chromie Squiggles and other NFTs were lost.
As NFT theft incidents and the amounts involved increase, PANews sorts out common scam types and prevention techniques in this article.
How much do you know about NFT scams?
While the scale of the NFT market is growing day by day, "zero-yuan purchase" theft incidents are becoming more frequent, and attack methods are emerging in an endless stream.
1. False advertising window
Recently, the crypto KOL NFT God tweeted that they had lost all their crypto assets and NFTs after hackers broke into their Twitter, Substack, Gmail, Discord and wallet. The hackers also posted fraudulent links through the stolen accounts. The cause was that the Ledger had previously been set up as a hot wallet instead of a cold wallet on a new device: the mnemonic was imported and used in a wallet on a networked computer. Later, while downloading the video streaming software OBS for game live streaming, they clicked a Google sponsored link and downloaded malware, which gave the hackers access to their funds. In fact, Google's ads allow anyone to bypass rankings and appear first in search results, and users are very likely to click on such ads, which gives scams more opportunities.
2. Fake airdrop scams
Offering to buy airdropped NFTs at "high prices" is a new type of fraud. After the victim receives an airdrop of unknown NFTs, the scammer offers a high price to acquire them. If the investor chooses to trade the NFT, the transaction returns an error message for some special reason and the investor ends up on a phishing website to grant authorization, which eventually leads to the theft of their assets.
3. Counterfeit NFT
In March this year, Whitestone in Tokyo, Japan, issued an NFT-related fraud announcement, stating that unofficial individuals were selling NFTs of the well-known artist Yayoi Kusama under the guise of Whitestone Gallery. In fact, many scammers plagiarize artists' works and list fake versions on NFT marketplaces, causing many people to buy fake NFTs that have no value. Some scams also upload fake projects with similar names to an NFT trading platform and even create several transactions to confuse users. Users who are accustomed to relying on the search function fall into this trap very easily.
4. Fake emails
In February this year, OpenSea officially launched a smart contract upgrade, and users needed to migrate their NFT listings on Ethereum to the new smart contract. Hackers took the opportunity to impersonate the official team and sent upgrade reminder emails to users. Many users without strong security awareness authorized their wallets through the phishing links, resulting in the theft of NFT assets including Bored Ape Yacht Club, Cool Cats, Doodles and Azuki, among others.
Since many NFT projects require users to bind their email addresses in order to receive information as soon as possible, many attackers impersonate the official team and send phishing links to users on pretexts such as contract address changes and wallet re-verification. Email has therefore become one of the hardest-hit areas for fraud.
5. Official accounts hacked or impersonated
For various reasons, such as employees falling for phishing, downloading malware, or not setting up two-factor authentication, the official accounts of NFT projects are often hacked. In April 2022, the official Bored Ape Yacht Club Instagram account was hacked, and the hackers used it to share a fraudulent link that imitated the Bored Ape Yacht Club website and asked users to connect their MetaMask to a scam wallet in order to participate in a fake airdrop. The hackers subsequently stole over $2.8 million worth of NFTs. In June of the same year, Yuga Labs' Discord server was hacked, and the attackers used the account to make money by posting phishing links in the official BAYC and Metaverse projects.
Of course, there are also scammers who forge the official accounts of NFT projects to gain users' trust and then send phishing websites asking them to sign. With that signature, the scammers can purchase the NFTs in the account without spending any money, and most users are unable to spot problems in the signed content, which is a string of mixed numbers and letters. In addition, links sent by private message are a common method of fraud. Scammers often message members in bulk across communities on Telegram, Discord and other platforms, and even pretend to be administrators to defraud users of their wallet private keys.
6. Generate addresses with the same tail number
Generally speaking, most users verify a contract address only by checking its leading and trailing digits, which gives attackers an opportunity. They take advantage of users' habit of copying addresses from their historical transaction records: they forge a contract address with the same leading and trailing digits and continuously airdrop small amounts of tokens from it. If users do not carefully check the complete address, assets can easily be stolen. Besides the same-tail-number scam, users also need to be vigilant about zero-transfer on-chain address poisoning attacks, because many users will regard such an address as a trusted address they have interacted with.
The right steps for asset protection
On-chain operations are irreversible. After assets are stolen, it is actually very difficult for most people to recover them, especially ordinary users without any technical skills. So, how can you prevent your assets from being defrauded?
1. Protect the private key or mnemonic phrase: Unlike the passwords of Web2 accounts such as email and social platforms, which can be changed after a leak, the private key and mnemonic phrase are the "keys" of the wallet and cannot be modified or retrieved. Once they are leaked, the assets will be looted. Attackers exploit FOMO around NFT airdrops/lotteries and Free Mint to induce users to send their private keys or mnemonic phrases. They may even pretend to be official administrators and build websites on fake domain names to lower users' vigilance.
2. Bookmark commonly used websites and screen official social accounts: Although phishing websites are the easiest to identify, they are one of the main reasons why NFT assets are stolen. In fact, no matter how well packaged this type of website is (you can check the domain name, URL spelling, etc.), its ultimate goal is to interact with the wallet. Users should remain cautious, bookmark frequently used official websites, and reach social accounts from the official website (accounts can be judged by follower count, account activity, comment participation, etc.). Not casually clicking on links shared in private messages or emails will largely avoid asset theft. In addition, although most users do not have the ability to identify contract risks, installing anti-phishing plug-ins will effectively help identify some phishing websites.
3. Asset isolation and regular inspection: Use multiple wallets to participate in NFT transactions and minting, and keep the wallets that store assets isolated from the wallets that interact with applications. In particular, wallets that store large amounts of funds should avoid any interaction. In addition, users need to regularly check whether the wallet has interacted with abnormal contracts and cancel authorizations in a timely manner.
4. Cross-verify information from multiple sources: Due diligence is very important before participating in a project or minting an NFT. Users can evaluate a project by checking whether its social accounts are verified and by cross-checking project information through multiple channels.
5. Check the address carefully: For any transfer, users need to check the complete contract address, or use the wallet's address book transfer function and select the address directly. In addition, for the contract addresses of projects they participate in, users can obtain the addresses from official channels to avoid tampering by man-in-the-middle attackers.
Of course, as technology continues to advance, asset theft techniques advance with it. Once their assets are stolen, users need to immediately isolate their remaining assets and change their social account passwords and other personal information. They also need to report other information related to the defrauded account. If the cause is a virus attack, computers and other equipment need to be disconnected from the Internet. In addition, users can engage professional security companies to trace the funds and recover as much of the loss as possible.
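The same-head-and-tail forgery described under scam type 6 and the full-address check in step 5 can be automated over a wallet's transfer history. The following is an added example, not code from PANews or from any wallet; the `counterparty` and `value` field names, the dust threshold and every address are constructed assumptions.

```python
import re

HEAD, TAIL = 4, 4    # hex digits a truncated wallet display shows per side (assumed)
DUST_WEI = 10**12    # assumed cut-off for a "small amount" transfer
_ADDR = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Lower-case an address and reject anything that is not 0x + 40 hex digits."""
    a = addr.strip().lower()
    if not _ADDR.fullmatch(a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def looks_like(candidate, trusted):
    """True when head and tail match a trusted address but the full value differs."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[2:2 + HEAD] == t[2:2 + HEAD] and c[-TAIL:] == t[-TAIL:]

def find_poisoning(history, address_book):
    """List (index, address, imitated label, reason) for look-alike counterparties."""
    findings = []
    for index, tx in enumerate(history):
        for label, trusted in address_book.items():
            if not looks_like(tx["counterparty"], trusted):
                continue
            if tx["value"] == 0:
                reason = "zero-value transfer"
            elif tx["value"] <= DUST_WEI:
                reason = "small-amount transfer"
            else:
                reason = "look-alike address"
            findings.append((index, normalize(tx["counterparty"]), label, reason))
    return findings

def safe_recipient(pasted, address_book):
    """Return the address-book label only when the pasted address matches in full."""
    p = normalize(pasted)
    return next((l for l, t in address_book.items() if normalize(t) == p), None)

# Constructed sample data: no address here belongs to a real account.
ADDRESS_BOOK = {"my cold wallet": "0x1A2B" + "11" * 16 + "9F3C"}
FAKE = "0x1a2b" + "ee" * 16 + "9f3c"
HISTORY = [
    {"counterparty": "0x" + "77" * 20, "value": 5 * 10**17},
    {"counterparty": FAKE, "value": 0},
    {"counterparty": FAKE, "value": 10**9},
    {"counterparty": ADDRESS_BOOK["my cold wallet"], "value": 10**18},
]
```

Running `find_poisoning(HISTORY, ADDRESS_BOOK)` flags the two entries from the forged address, and `safe_recipient` refuses an address copied from either of them because only a full 40-digit match is accepted.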
(The above content is excerpted and reprinted with the authorization of our partner PANews, original text link)
This article NFT prevention guide: Learn about common NFT scams in one article first appeared on Blockchain.

