With billions of dollars pouring into a largely unregulated NFT space, it’s hardly surprising to find unscrupulous characters lurking within. Scammers have found fertile ground in a fast-moving marketplace driven by hype, quick profits, and FOMO (Fear of Missing Out).
However, while security in the anonymous and decentralized world of Web3 is undoubtedly a cause for concern, you shouldn’t let it deter you from investing. The best thing that you can do to protect your digital assets is to educate yourself on the particular challenges of Web3 security and apply some common-sense techniques to stop scammers in their tracks.
What is Web3?
Web3 is a blockchain-based web that’s built on the core tenets of transparency, pseudonymity, and decentralization. It promises a future of self-sovereign individuals who have full ownership of their data and finances in a censorship-free environment governed by incorruptible smart contracts.
Instead of large tech companies setting the agenda and profiting from the invasive harvesting of people’s personal data, Web3 offers users the opportunity to anonymously participate in the governance of companies and services. Simply invest in an NFT or relevant cryptocurrency token to become a shareholder and a community member, rather than a customer or product.
Unique security challenges in Web3
With Web3 growth accelerating at an unprecedented pace, it seems that mass adoption is only a matter of time. However, with the technology still in its infancy, there are some challenges for early adopters to overcome. Securing the ecosystem from scams without compromising people’s data and identities is one of the most urgent.
“Most developers and people who contribute to the ecosystem prefer to work under pseudo names,” explains Jack Reacher, developer at the security-focused NFT project Vault-X. “Ensuring trust and credibility while maintaining that anonymity is a big challenge, and that’s what we’re looking to solve.”
To do this, Vault-X has created a decentralized escrow protocol that allows Web3 users to transfer ownership of digital assets securely and anonymously. This is a big step forward towards creating trust in a trustless environment.
For example, NFT projects can now lock their community funds in a secure vault that can only be accessed when community-chosen roadmap milestones are achieved. “This can put an end to rug pulls and other scams and give full power to the community right from day one,” Reacher told Blockmate.io. “We feel that solutions like this are very important for the whole ecosystem to thrive and scale.”
Vault-X is just one of many Web3 security solutions that are changing the game without the need for overbearing regulations. However, while the ecosystem continues to evolve, there are still a few red flags to look out for in the current NFT market.
Common NFT scams
NFT scams occur in a few different ways. It’s not always a case of simply connecting your wallet to a malicious site and getting drained—there can be more complex psychological factors involved. Let’s look at a few of the most common methods.
Phishing
Scammers posing as trusted parties to convince you to give away sensitive information is one of the oldest tricks in the book. But while phishing in Web2 might lead to your email address or other details being compromised, in Web3 it’s much easier for scammers to gain direct access to your funds.
A typical example would involve scammers pretending to be project admins. They’ll direct users to a fake site promising early access to mint a new NFT. Unsuspecting users, eager to get their hands on a hyped collection before anyone else, connect their wallet to the site, and poof! The wallet gets drained of all its contents.
Rug pulls
A rug pull is when the founders of a project suddenly cut off all contact and social media accounts and disappear with the funds raised from NFT sales. These projects will often release elaborate roadmaps and promises of future development but have no intention of following through.
A recent high-profile example is Blockverse, a utility-packed NFT collection that promised access to a popular Minecraft-based game. The project had huge hype and sold out in just 8 minutes, immediately raising 500 ETH and adding a further 792 ETH in secondary sales, worth more than $1 million at the time. However, within a few days, the anonymous founders suddenly pulled the plug on the project, leaving the NFTs worthless and law enforcement agencies powerless to intervene.
Pump and dump
This elaborate scam usually involves a group of people that conspire to artificially “pump” a project’s value. When the value reaches a certain point, a mass “dump” occurs, as those in the know decide to suddenly sell their holdings.
It’s typically selfish influencers or powerful “alpha” groups that are behind pump and dumps. An agreement is made to buy into a certain project and flood social media with memes, slogans, and wild predictions about its investment potential. As the price rises rapidly and more buyers jump in, the group quickly sell their NFTs for a tidy profit, tanking the price and moving the hype along to their next target.
Fake NFTs and marketplaces
Counterfeit collections sometimes appear with slightly altered names, tricking users into buying worthless NFTs. This is a particularly acute problem on OpenSea, currently the most popular NFT marketplace.
Even marketplaces themselves can be copied, with elaborate fakes appearing at the top of search engine results. For example, while OpenSea’s URL is Opensea.io, a search might yield results for mirror sites with subtle differences, like Opensee.io or Opensea.com. A careless connection to any of these fake sites will likely have your wallet drained of all its contents before you can say “oh no.”
7 essential tips to keep your NFTs safe
Just reading about these maliciously mendacious schemes might be enough to put you off NFTs forever. Don’t worry though, there are plenty of things that you can do to keep your investments safe.
Don’t respond to DMs on Discord and Twitter
Most NFT projects communicate with their holders via Discord or Twitter, so this is where scammers will target users with phishing attempts. If founders have something important to say, they’ll say it via a public announcement. There's a general rule in NFTs which says: project staff, admins, and co-founders will never DM you first. Remembering this very simple but powerful guideline will go a long way towards keeping you safe.
There’s also been a recent trend of project Discord accounts being compromised. Hackers posing as trusted mods and admins trick people into clicking on links with “exciting news” or “flash giveaways.” These kinds of scams are even harder to guard against. It’s advisable to treat any unexpected or out-of-character interaction on Discord with suspicion and not to click on any unsolicited links.
Keep your wallet seed phrase safe and NEVER share it
Your seed phrase is a unique code that controls access to your crypto wallet. It’s crucial that you keep this code safe and secure and don’t share it with anyone else. Nobody needs your seed phrase for anything other than nefarious purposes. Some people write it in an email, which they send to themselves for easy access in their inbox—this is a terrible idea! It’s best to physically write it down and store it in a secure location.
Look for verified collections
When browsing NFTs on OpenSea, you’ll notice that some of the most popular collections have a blue tick next to them. These are collections that belong to a verified account and have significant interest or sales. Verified collections build trust in the ecosystem by helping users to identify authentic creators and content. Newcomers to NFTs can significantly lower their risk of rug pull scams by purchasing blue-ticked collections only.
Double-check URL before connecting wallet, and use a burner to mint
The aim of most phishing scams is to get you to connect your wallet to a compromised site. When minting a new NFT, always check the URL of the site you’re connecting to and make sure it matches the official announcements/links that the project has provided. To be on the safe side, it’s always recommended to use a backup “burner” wallet to connect to unknown sites. This wallet should only contain the amount needed for each transaction so that losses are minimized in case of a hack.
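The URL check from this tip, run against the look-alike domains mentioned under “Fake NFTs and marketplaces,” as an added example (not code from this article or from any wallet or marketplace). The allowlist `OFFICIAL_HOSTS` and the function names `classifySite` and `editDistance` are assumptions made for illustration.

```javascript
// Added example: vet a URL against an allowlist before connecting a wallet.
// ASSUMPTION: OFFICIAL_HOSTS holds registrable domains copied by hand from
// the project's public announcements; subdomains of them are trusted.
const OFFICIAL_HOSTS = ["opensea.io"];

// Levenshtein distance: number of single-character edits turning a into b.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { verdict: "official" | "lookalike" | "unknown" | "invalid", reason }.
function classifySite(rawUrl, officialHosts = OFFICIAL_HOSTS) {
  let url;
  try { url = new URL(rawUrl); } catch { return { verdict: "invalid", reason: "not a URL" }; }
  if (url.protocol !== "https:") return { verdict: "invalid", reason: "not HTTPS" };
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  // Simplification: treat the last two labels as the site name (no public-suffix list).
  const site = labels.slice(-2).join(".");
  for (const official of officialHosts) {
    if (host === official || host.endsWith("." + official))
      return { verdict: "official", reason: official };
  }
  // Internationalized look-alike characters show up as punycode ("xn--") labels.
  if (labels.some((l) => l.startsWith("xn--")))
    return { verdict: "lookalike", reason: "punycode label" };
  for (const official of officialHosts) {
    if (host.startsWith(official + "."))
      return { verdict: "lookalike", reason: `${official} used as a subdomain prefix` };
    if (site.split(".")[0] === official.split(".")[0])
      return { verdict: "lookalike", reason: `same name as ${official}, different TLD` };
    if (editDistance(site, official) <= 2)
      return { verdict: "lookalike", reason: `near-miss spelling of ${official}` };
  }
  return { verdict: "unknown", reason: "not on the allowlist" };
}
```

An "unknown" verdict is not a pass: it only means the host resembles nothing on the allowlist, which is the case the burner wallet is for.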
Get yourself a hardware wallet
The most popular crypto wallets, like MetaMask and Phantom, are installed as extensions on a browser. They connect seamlessly to websites and store your digital assets online. These “hot” wallets are quick and easy to use for active trading, but they’re also easier for scammers to gain access to. That’s where a hardware or “cold” wallet comes in. This is a physical device that can plug into your computer and secure your NFTs offline. All transactions are routed through your cold wallet for verification and a digital signature. This puts your assets out of reach of anyone who doesn’t possess the device. A cold wallet is a must for any serious NFT or crypto investor.
Research projects and founders thoroughly
One of the most common acronyms in Web3 is “DYOR” (do your own research). Creating trust in an anonymous and trustless environment is one of the biggest challenges in this nascent yet fast-growing space. Ideally, project founders will be fully “doxxed” (identifiable by name and address in the real world), but that is not always the case.
Good projects will always have a whitepaper giving an in-depth description of the NFT's use-cases and plans for the future. It should also provide insights into the founders’ professional backgrounds and previous projects.
As well as a whitepaper, check activity on projects’ Twitter and Discord pages. What kind of following is there? Are founders active in the community and available to answer questions? Are the exchanges authentic, or artificially boosted with bot accounts? The more you can learn about a project and the community around it, the better. And as these are NFTs we’re discussing here, don’t forget to check out the artwork too!
Resist the urge to FOMO
Fear of missing out, or FOMO, is especially strong in the NFT space. Interest in seemingly unremarkable projects can suddenly skyrocket, driven by nothing more than social media hype and influencer promotion. Resist the urge to make snap decisions and buy into these projects as they rapidly increase in price—the inevitable dump is likely to catch you out. Stick with the fundamentals and projects that you’ve carefully researched, no matter how tempting the hype may be.
In the current market, NFTs are high-risk, high-return assets. However, with a few basic safety precautions and a more long-term perspective, it’s more than possible to avoid common scams, filter out the noise, and discover some real gems. A good strategy is to look out for projects like the aforementioned Vault-X, builders who are contributing to the growth and security of the Web3 ecosystem as a whole. These are the projects that will define the space in the future. To steal a common phrase in the NFT world that works perfectly here—you’re still early!