Part I: Avoiding Scams on Web3
I. What are we talking about here
As blockchain technology continues to gain popularity and disrupt various industries, it has also become a target for scams and hacks. Just like literally any other industry off chain. Decentralization and transparency make the blockchain an attractive platform for many reasons. The desperation, FOMO, and willingness to take risks, on the other hand, make crypto-adjacent spaces very attractive for grifters and scammers.
From phishing attacks and fake ICOs to smart contract vulnerabilities and wallet breaches, the blockchain space is subject to numerous threats that pose risks to users' funds and assets. Understanding these vulnerabilities is crucial in safeguarding oneself from potential scams and hacks in the ever-evolving landscape of blockchain technology.
I would like to start this 3-part article series by taking a closer look at the most common ways people lose their assets, and some ways to avoid this happening to you. Keep in mind that most of this is not new, and the same methodologies pre-date the blockchain all the way back to the beginnings of the internet, and furthermore: IRL. Grifts, scams, and cons are as old as the human species, and there will always be new ways for you to fall victim if you do not stay vigilant.
II. Common Scams and Hacks
A. Phishing Attacks
Who the hell sent you that link?
Phishing emails, websites, and social engineering tactics are possibly getting more sophisticated and evolving, but really we’re just not getting smarter. Stop clicking on shit from folks you don’t know. I appreciated recently that Everbuild’s application process asks for a screenshot JPG of your resume, instead of having you send a PDF in. Nobody wants malicious files or links.
Here are just 3 basic methods by which folks get their wallets jacked.
Email Spoofing and Urgent Security Updates
Malicious parties send you phishing emails that mimic the appearance of legitimate blockchain platforms or wallet providers. “Urgent security update!” from Metamask is just not how they operate. “Update your password!” from any web3 service… Why the actual fuck would you click on that?! You connect with your wallet, not by entering a username/password, you ding dong.
The links generally lead to fake websites designed to collect your wallet credentials. They are convincing in their branding and formatting, making it challenging to distinguish them from a genuine communication - except for the fact that they would never send you something like this. For fuck's sake.
Fake Airdrops and Token Sales
More fraudulent websites and social media profiles! Exclusive airdrops or token sales? This attracts people like flies to honey. Offers of free tokens or lucrative investment opportunities are classic, but how likely is it that folks are giving away free shit?
You are required to sign up, or provide your wallet credentials to participate. Once you have freely handed over this sensitive information, the scammers gain access to your wallet and proceed to drain your funds, or steal your NFTs. These scams are taking advantage of your desire to profit or acquire new tokens, exploiting your greed and FOMO. But you have nothing to worry about unless you actually have anything of value in your wallet (fuck me, I have so many useless jpegs).
Social Engineering via Impersonation
In some cases, scammers impersonate legitimate figures or influencers in crypto spaces. As with phishing, fake social media accounts or websites that closely resemble the original ones are not hard to spin up. The worst part is how they connect with you, and waste so much of your time if you don’t know how to tell the signs that you are speaking to a scammer or grifter.
They will initiate conversations with you, offering assistance or promising exclusive rewards. “I love your art!” or “Can we hire you to make art for our project?” Come on assholes, you clearly didn’t bother to check that I hang people from hooks, you absolute fuckwads. Not even trying sometimes, I swear.
Once they have earned your trust after days/weeks of chatting with you, they will persuade you to connect with a contract, download a file, or even click on a link that will jack your discord token (among other things). Unaware of the impersonation, you might unknowingly disclose your wallet information, leading to unauthorized access and potential loss of funds or NFTs.
It is crucial to remain vigilant and cautious when dealing with this shit. Always verify the authenticity of the sender, triple-check URLs and avoid clicking on suspicious links, and never share your wallet credentials or seed phrases with anyone else. Their tactics are always evolving, but the basics are always the same. Ask somebody you trust if you are uncertain about anything - there is no shame in this.
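The "triple-check URLs" advice above is exactly the step that fails when a handle or domain is one character off the real thing. Here is an added example (my code, not from the article) of a small checker that normalizes common confusable characters, catches a trusted name being used as a subdomain of some other domain, and measures edit distance against an allowlist. `KNOWN_GOOD` is a constructed allowlist and `@examplenft` is a made-up handle; fill the list with the sites and accounts you actually use.

```javascript
// Added example, not code from the article: flag links and handles that are
// "one character off" a name you trust. KNOWN_GOOD is a constructed allowlist
// (the @examplenft handle is made up); fill it with what you actually use.

const KNOWN_GOOD = ["metamask.io", "etherscan.io", "@examplenft"];

// Character pairs commonly swapped to build lookalike names.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["|", "l"], ["3", "e"], ["5", "s"]];

const raw = (name) => name.toLowerCase().replace(/^@/, "");

// Lower-case, drop a leading "@", and collapse confusables. Applied to both the
// candidate and the allowlist so legitimate digits in a name still match themselves.
function normalize(name) {
  let n = raw(name);
  for (const [from, to] of CONFUSABLES) n = n.split(from).join(to);
  return n;
}

// Edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Accepts a full URL, a bare hostname, or an @handle.
function checkLink(input) {
  let name = input.trim();
  let kind = "handle";
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(name)) {
    try { name = new URL(name).hostname; } catch { return { input, verdict: "reject", reason: "unparseable URL" }; }
    kind = "host";
  } else if (!name.startsWith("@") && name.includes(".")) {
    name = name.split("/")[0];
    kind = "host";
  }
  const candidate = normalize(name);
  for (const good of KNOWN_GOOD) {
    const isHost = !good.startsWith("@");
    if (isHost !== (kind === "host")) continue; // hosts against hosts, handles against handles
    const g = normalize(good);
    const exact = candidate === g || (isHost && candidate.endsWith("." + g));
    if (exact) {
      // Same after normalization but different before it means confusable characters.
      const rawMatch = raw(name) === raw(good) || (isHost && raw(name).endsWith("." + raw(good)));
      return rawMatch
        ? { input, kind, verdict: "ok", matched: good }
        : { input, kind, verdict: "lookalike", matched: good, reason: "confusable characters" };
    }
    if (isHost && candidate.includes(g + ".")) {
      return { input, kind, verdict: "lookalike", matched: good, reason: "trusted name used as a subdomain of another domain" };
    }
    const distance = levenshtein(candidate, g);
    if (distance <= 2) return { input, kind, verdict: "lookalike", matched: good, distance };
  }
  return { input, kind, verdict: "unknown" };
}

// Constructed inputs: a real-looking link, a swapped-letter clone, a subdomain trick, a fake handle.
for (const sample of ["https://metamask.io/login", "https://rnetamask.io/claim", "https://metamask.io.claim-airdrop.xyz/", "@exarnplenft"]) {
  console.log(checkLink(sample));
}
```

The edit-distance threshold of 2 is tuned for domain-length names; for very short handles it will over-flag, so treat "lookalike" as "stop and look again", not as proof of fraud, and "unknown" as "not on your list", which is its own reason to slow down.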
B. Malicious Smart Contracts
How can you identify malicious contracts, and avoid them?
First of the fuck all: is the contract you’re about to interact with verified?! You don’t know how to check? Good lord, how have you made it this far on web3?! See graphic below, click here to view it yourself on etherscan. In my I-don’t-even-fucking-care-if-it-is-humble opinion, this is one of the most absolutely basic technical things you should know how to do. If the contract is not verified, it is possible that the dev set up some dumbass shit, either because they did sloppy work due to inexperience or laziness, or because they are hiding something malicious in their contract code.
It’s unrealistic to expect everybody to thoroughly examine the contract's code for any potential red flags. However, you can look for some basics. For example, pay attention to functions such as "transferFrom" and "setApprovalForAll" (the actual ERC-721 name for approve-for-all) that transfer NFT ownership or grant another address permission to move all of your tokens once you consent. Nowadays, wallets like Metamask will actually throw up red flags prior to you signing for a transaction, which is nice. But this doesn’t mean it will catch everything for you. Click here for a nice rabbit-hole by Metamask talking about checking if a contract is safe to interact with.
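To make the "pay attention to transferFrom and setApprovalForAll" advice concrete, here is an added example (my code, not from the article or from Metamask) that looks at the raw calldata a wallet asks you to sign and says in plain words what it would grant. The 4-byte selectors are the well-known first four bytes of keccak256 of each function signature; the sample transactions and every address in them are constructed stand-ins.

```javascript
// Added example, not code from the article: inspect a transaction's calldata
// before signing it and flag the calls that hand control of tokens or NFTs to
// someone else. Selectors are the well-known first 4 bytes of
// keccak256(signature), hard-coded so this runs with plain Node.

const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
  "0xa9059cbb": "transfer(address,uint256)",
};
const UNLIMITED = "f".repeat(64); // uint256 max, the "infinite allowance"

// i-th 32-byte ABI word after the 4-byte selector ("0x" + 8 hex chars)
const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
const wordToAddress = (w) => "0x" + w.slice(24); // address is the low 20 bytes

// `self` is the signing wallet; used to spot token moves out of your own address.
function inspectCalldata(data, self = "") {
  const d = String(data).toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(d) || d.length < 10) {
    return { verdict: "reject", reason: "malformed calldata" };
  }
  const selector = d.slice(0, 10);
  const fn = SELECTORS[selector];
  const out = { verdict: "review", selector, fn, warnings: [] };
  if (!fn) {
    out.warnings.push("unknown function: read the verified source on Etherscan first");
    return out;
  }
  if (selector === "0xa22cb465") {            // setApprovalForAll(operator, approved)
    out.operator = wordToAddress(word(d, 0));
    if (word(d, 1).endsWith("1")) {
      out.verdict = "warn";
      out.warnings.push(`grants ${out.operator} control of EVERY token you own in this collection`);
    } else {
      out.verdict = "ok";
      out.warnings.push("revocation (approved = false)");
    }
  } else if (selector === "0x095ea7b3") {     // approve(spender, amount)
    out.spender = wordToAddress(word(d, 0));
    out.unlimited = word(d, 1) === UNLIMITED;
    if (out.unlimited) {
      out.verdict = "warn";
      out.warnings.push(`unlimited allowance for ${out.spender}`);
    }
  } else if (selector === "0x23b872dd" || selector === "0x42842e0e") { // (safe)transferFrom(from, to, id)
    out.from = wordToAddress(word(d, 0));
    out.to = wordToAddress(word(d, 1));
    if (self && out.from === self.toLowerCase()) {
      out.verdict = "warn";
      out.warnings.push(`moves your token to ${out.to}`);
    }
  } else if (selector === "0xa9059cbb") {     // transfer(to, amount)
    out.to = wordToAddress(word(d, 0));
    out.warnings.push(`sends tokens to ${out.to}; confirm that is the address you intend`);
  }
  return out;
}

// Constructed sample transactions (addresses are stand-ins, not real contracts).
const pad = (hex) => hex.padStart(64, "0");
const SAMPLES = {
  // the classic "claim your airdrop" signature: setApprovalForAll(operator, true)
  approveAllToOperator: "0xa22cb465" + pad("1111111111111111111111111111111111111111") + pad("1"),
  unlimitedAllowance:   "0x095ea7b3" + pad("2222222222222222222222222222222222222222") + UNLIMITED,
  boundedAllowance:     "0x095ea7b3" + pad("2222222222222222222222222222222222222222") + pad("3e8"), // 1000 units
  revokeOperator:       "0xa22cb465" + pad("1111111111111111111111111111111111111111") + pad("0"),
  unknownCall:          "0xdeadbeef" + pad("0"),
};

function inspectAll() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, data]) => [name, inspectCalldata(data)]));
}

console.log(JSON.stringify(inspectAll(), null, 2));
```

The point of the "warn" verdict on `setApprovalForAll(..., true)` is that a single signature hands every token in the collection to the operator, which is what makes it the favourite ask of fake airdrop pages; an unknown selector is not a pass, it is the cue to open the verified source on Etherscan before touching it.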
One of the most important things you can do - and I know how fucking cliche this is - is to research the project and its team extensively. DYOR. Look for any past incidents, community feedback, or reports of suspicious activities. Ask folks in communities that have been around for a while, like Pillheads, Mad Rabbits, NFD to name a few. Utilize trusted platforms and marketplaces with a solid reputation and a vetting process to reduce the risk of encountering malicious NFT contracts. And if you’re on a minting website and it looks like absolute dogshit, maybe just don’t use it. Curb your fomo!
There are many other types of contracts, separate from NFTs of course. Similar precautions should be taken with all of these. Be diligent about scrutinizing functions such as "send" or "transfer" that involve the transfer of funds. Check for proper input validation and ensure that the contract implements safeguards against reentrancy attacks or front-running exploits. Furthermore, examine any functionality related to external calls, such as "call" or "delegatecall." These functions can introduce vulnerabilities if not implemented securely. If you have no idea what this means, you probably should not be interacting with these contracts. Go back to sending your money to strangers on Twitter that have thousands of followers; at least that way you sent your money consensually into a dumpster fire, and even though you will never get it back, your wallet won’t get drained.
I think it’s very important to identify, and rely on, trusted sources such as well-audited dApps or reputable platforms before interacting with contracts. Be cautious of unsolicited messages or links that could lead to phishing attempts or scams. By paying attention to these specific contract calls and adopting a vigilant mindset, you can minimize the risk of falling victim to malicious contracts and the feeling of your stomach lurching into another universe when it happens to you. It sucks.
C. Fake ICOs and Token Sales
This one is for the non-NFT folks.
Investors can, and should, exercise caution and take specific precautions to avoid falling victim to fraudulent ICOs and token sales. Thorough research is crucial, including verifying the credibility and experience of the project's team members. Ben.eth is not a fucking credible or experienced anything; he’s just a fucking Rich PFP on Twitter. Investors should be looking for transparent information about the project's technology, roadmap, and progress. It's incredibly important to remain skeptical of overly ambitious claims and carefully examine the project's online presence, community engagement, and independent audits.
Seeking advice from trusted sources or professionals in the blockchain space is your best friend. Without validating the legitimacy of a project, you are gambling in a dark Vegas alleyway, with dudes that crept out of cardboard boxes. Additionally, investors should be cautious of social engineering tactics that create a sense of urgency or exclusivity. Quick profits are a lie. Due diligence and skepticism are clutch. Being a part of trusted communities is 👑.
III. Real-Life Examples
All of this is kind of bullshit without sharing first-hand experiences of individuals who have experienced wallet drains, and/or NFT theft. Here are two first hand accounts highlighting what happened, and the ensuing impact and consequences.
The first example is from Path, who has been deeply entrenched in blockchain tech and culture, since 2013. Click here to check out an interview I did with him last year. He is somebody I consider to be extremely experienced, when it comes to anything blockchain related.
I had several of my wallets compromised one night, just after I'd gone to bed; it took me a few days to figure out that LastPass was the common factor. I had some seeds saved on there for convenience, either because they were alt chains with no hardware options or because they were developer wallets that required sharing and use in live environments anyway. Not too long after, LastPass confirmed my suspicion when they announced that their developer keys had been compromised; this supply chain attack meant that the source code itself was vulnerable for a space of months and was likely changed and updated with malicious intent, decrypting all users' vaults by sending their password inputs to a third party.
While it is obviously not fun to lose money and have a security panic, this has opened my eyes to the fact that even the most obscure and extreme points of failure in a system can be compromised. An ounce of prevention is worth a pound of cure. I have revised my security and would suggest everyone else do the same.
The next example is from the iconic artist/animator, Ykha Amelz. She has been interacting with the blockchain regularly since 2021 - the year I, and the vast majority of artists, got into NFTs as well. I consider the 2020-2021 generation of artists joining the web3 space to be very well versed with how things work.
I used Firefox with a Metamask desktop extension and fell into a trap by fomo-ing during the $BLUR airdrop. Thinking I was being cautious enough, I went to their official Twitter account to find the correct link from their tweets. However, what I thought was part of a Twitter thread turned out to be a reply to the original tweet, using the same pfp and a fake Twitter handle that closely resembled the real one. I failed to notice the subtle difference and clicked the link in that reply, which directed me to a fake website resembling the real one. I then connected my wallet without realizing it.
Though I don't recall the exact wording, a pop-up appeared stating, "You're not eligible to claim the airdrop," accompanied by an OK button. Regrettably, I clicked on it, wanting to disconnect my wallet. I immediately felt an intense uneasy feeling. I rushed to check my Metamask and discovered that my ETH had already been drained, and one NFT from my collection had been transferred to the scammer's wallet. The amount of ETH lost wasn't significant because I only kept a small portion for minting purposes, while the majority remained safe in my hard wallet. Nonetheless, the moment I realized I had been scammed, I felt like I couldn’t breathe, as if my head was on fire, and my body trembled. Shocked, I began imagining the worst possible outcomes. Later, I learned that hundreds of people had fallen victim to the same link.
Another artist who had also been scammed the same way reached out to me and pointed me to someone who could help verify and explain the situation. I contacted that person, who assisted in examining the transaction. Thankfully, it was a one-time transfer, indicating that my wallet had not been compromised. Consequently, all I needed to do was revoke all access to my wallet. This scam was a hard lesson, and I still consider myself very lucky. It could have been far worse.
Both are drastically different experiences, and yet both share similar outcomes. I am thankful for folks like them sharing their experiences with us, because this is the best way to learn. All my blabber about being safe means jack shit without anecdotal experiences. You can read a book about pain a thousand times, but it means nothing till you actually experience it. It’s even worse when you get hurt by the book you were reading. Paper cuts hurt worse than getting hit by the hardcover, just sayin'.
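Ykha's account ends with "revoke all access to my wallet", and the person who checked her transaction could tell it was a one-time transfer rather than a leaked key by looking at on-chain history. Here is an added example (my code, not from the article or from anyone quoted in it) of the same two steps done by hand: replay a wallet's ERC-721 `ApprovalForAll` and ERC-20 `Approval` event logs to list what is still granted, then produce the exact calldata that revokes each grant. The topic hashes are the well-known keccak256 of the event signatures; the log entries and every address in them are constructed, and the selectors for the revocation calls are the same 4-byte values used earlier on this page.

```javascript
// Added example, not code from the article: rebuild the set of approvals a
// wallet still has outstanding from ERC-721 ApprovalForAll and ERC-20 Approval
// event logs, then produce the calldata that revokes each one. Topic hashes
// are the well-known keccak256 of the event signatures.

const TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"; // ApprovalForAll(address,address,bool)
const TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";         // Approval(address,address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

const topicToAddress = (t) => "0x" + t.slice(26); // 32-byte topic -> low 20 bytes
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// logs: eth_getLogs-style entries {blockNumber, logIndex, address, topics, data}.
// Replays them in chain order, so a later revocation cancels an earlier grant.
function liveApprovals(logs, owner) {
  const me = owner.toLowerCase();
  const ordered = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const operators = new Map();  // "contract|operator" -> true
  const allowances = new Map(); // "contract|spender"  -> BigInt allowance
  for (const log of ordered) {
    const [topic0, ownerTopic, partyTopic] = log.topics;
    if (!partyTopic || topicToAddress(ownerTopic) !== me) continue; // not this wallet
    const key = `${log.address.toLowerCase()}|${topicToAddress(partyTopic)}`;
    if (topic0 === TOPIC_APPROVAL_FOR_ALL) {
      if (BigInt(log.data) !== 0n) operators.set(key, true); else operators.delete(key);
    } else if (topic0 === TOPIC_APPROVAL && log.topics.length === 3) {
      // ERC-721 per-token Approval shares this topic hash but also indexes the
      // tokenId (4 topics); only the 3-topic ERC-20 form carries an allowance.
      const value = BigInt(log.data);
      if (value === 0n) allowances.delete(key); else allowances.set(key, value);
    }
  }
  const split = (k) => k.split("|");
  return {
    operators: [...operators.keys()].map((k) => { const [contract, operator] = split(k); return { contract, operator }; }),
    allowances: [...allowances].map(([k, v]) => {
      const [contract, spender] = split(k);
      return { contract, spender, value: v.toString(), unlimited: v === MAX_UINT256 };
    }),
  };
}

// Calldata for the revocation calls: setApprovalForAll(operator, false) and approve(spender, 0).
function revocationPlan(live) {
  return [
    ...live.operators.map((o) => ({ to: o.contract, data: "0xa22cb465" + pad(o.operator) + pad("0") })),
    ...live.allowances.map((a) => ({ to: a.contract, data: "0x095ea7b3" + pad(a.spender) + pad("0") })),
  ];
}

// Constructed sample history (every address is a stand-in).
const ME = "0x" + "a".repeat(40);
const OTHER_USER = "0x" + "b".repeat(40);
const SCAMMER = "0x" + "1".repeat(40);
const MARKETPLACE = "0x" + "2".repeat(40);
const NFT = "0x" + "c".repeat(40);
const TOKEN = "0x" + "d".repeat(40);
const topic = (hex) => "0x" + pad(hex);
const SAMPLE_LOGS = [
  { blockNumber: 100, logIndex: 0, address: NFT, topics: [TOPIC_APPROVAL_FOR_ALL, topic(ME), topic(MARKETPLACE)], data: topic("1") },
  { blockNumber: 200, logIndex: 3, address: NFT, topics: [TOPIC_APPROVAL_FOR_ALL, topic(ME), topic(SCAMMER)], data: topic("1") }, // the phishing-site signature
  { blockNumber: 200, logIndex: 4, address: TOKEN, topics: [TOPIC_APPROVAL, topic(ME), topic(SCAMMER)], data: "0x" + MAX_UINT256.toString(16) },
  { blockNumber: 210, logIndex: 0, address: NFT, topics: [TOPIC_APPROVAL, topic(ME), topic(SCAMMER), topic("7")], data: "0x" }, // per-token approval, skipped
  { blockNumber: 250, logIndex: 1, address: NFT, topics: [TOPIC_APPROVAL_FOR_ALL, topic(ME), topic(MARKETPLACE)], data: topic("0") }, // revoked later
  { blockNumber: 260, logIndex: 0, address: NFT, topics: [TOPIC_APPROVAL_FOR_ALL, topic(OTHER_USER), topic(SCAMMER)], data: topic("1") }, // someone else's wallet
];

console.log(liveApprovals(SAMPLE_LOGS, ME));
console.log(revocationPlan(liveApprovals(SAMPLE_LOGS, ME)));
```

Two things this makes visible that a wallet UI usually does not: the marketplace grant disappears from the list because a later event revoked it, and the per-token ERC-721 `Approval` is deliberately skipped because it shares a topic hash with the ERC-20 allowance event and only the topic count tells them apart. The plan it returns is what you would then sign, one transaction per contract, from a wallet you still control.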
IV. Conclusions
It’s impossible to cover everything in one article, especially because you’re here to read an article, not a book. What we’ve covered here today is that there are some basic precautions we should all be familiar with, right from the start. I believe the examples I shared also show that the risk is not limited to direct web3 interactions.
Look, there are still Nigerian princes out there stealing money from grandmas, and grifters rip off folks at bars and casinos every single day. LinkedIn is fucking FULL of scammers trying to get your personal information under the guise of “I give you job, you win, we make good business.” As the blockchain slowly integrates into daily usage, I imagine these scams will continue to proliferate, and increase in complexity. Hopefully the apps we use will get safer, but really, it’s up to us to stay vigilant, be diligent, and remember that trust is earned, not given.
Part II of this 3-part article series will be focused on the changing landscape of crypto, how regulation is unlikely to fix any of the problems with scammers and thieves, and lay out a few more specific examples of what getting phished looks like.
Go Tweet about this article if you want to contribute something to the discussion, and I’ll see you next week!
Remember to take a shower, eat food, stay hydrated, and go touch some grass this weekend you filthy animals.