Rob Behnke
December 7th, 2022
NFT scams have become a growing problem in the world of Web3. In the first half of 2022, it’s been estimated that over $100 million worth of non-fungible tokens have been stolen from NFT marketplaces and social media platforms.
The cost of these NFT scams can be devastating so it’s important to understand and identify the most common methods and tactics that scammers use in order to protect your digital assets.
Rug pulls can be divided into two categories: soft pulls and hard pulls.
Soft pulls – also commonly referred to as exit scams – often start with intense advertising on social media, with developers aiming to lure investors into their NFT project. As people get lured in and start to invest in the NFTs, the NFT collection will start gaining real value on the market. This will make the ads and the promise of the collection more true to investors and potentially have a snowballing effect on the sales and the relative values of NFTs within a very short time.
However, after selling enough NFTs from the collection, scammers sell off their tokens, abandoning their investors with NFTs whose values are tremendously reduced. One notorious example of a soft pull or exit scam in the world of NFTs occurred back in September 2021 with the Evolved Apes NFT project which you can read more about here.
After a rug pull, developers often will delete or stop the NFT project’s social media accounts and all communication channels. Creating a foggy, chaotic and speculative situation for investors.
Here are some ways you can protect yourself from soft pull scams:
Hard pulls – also referred to as smart contract scams – are premeditated as they have to be made during the construction process of the NFT collection’s smart contract. With hard pulls, you’ll typically see malicious codes embedded in the smart contract, some backdoors, or bugs intentionally left in the contract. Hard pulls can result in:
To increase your protection against hard pull NFT scams, do your own research (eg. read the NFT whitepaper) and make sure a third party has conducted a security audit of the project.
With airdrop scams, scammers replicate the interfaces of well known projects’ websites and use a very similar domain name to the original project. When these malicious ads are clicked on – typically inciting users to receive a free giveaway of NFTs – it will redirect the user to another link which will try to convince the user to perform a malicious transaction to receive the airdrop of the NFTs. However, this malicious transaction will only allow the scammers to transfer all the NFT and funds from the victims wallet into their own.
Scammers can also hack into the social media accounts of influencers and celebrities to use their public profiles to share links to malicious websites.
Here are some ways you can protect yourself from NFT airdrop scams:
Phishing scams are manipulation techniques that aim to trick people into giving their sensitive wallet information. Customer support phishing is done by bad actors who disguise themselves as the technical or customer support team of an NFT project or marketplace, reaching people through WhatsApp, Telegram, Discord, or similar channels.
The “customer service” rep will eventually ask for your seed phrase or private key in order to help you with your problem. Scammers can also persuade you into clicking unverified site links or downloading malicious data depending on the context.
To protect yourself from these kinds of NFT phishing scams:
Bidding scams happen when a scammer becomes the highest bidder on an NFT and, just seconds before the auction’s end, the scammer changes the cryptocurrency to one which is much less valuable. If the seller of the NFT is not careful and the change in cryptocurrency types goes unnoticed, the seller will be scammed, receiving a below-market payout for his/her valuable NFT.
To protect yourself from NFT bidding scams:
“Pump and dump” scams are similar to rug pulls. However, pump and dumps create the illusion of demand on their NFT projects via funding, whereas rug pulls usually accomplish this using social media ad campaigns.
Scammers will often split their assets into different wallets and continuously buy and resell the NFTs in the project (the Wash Trading technique), intending to create the illusion of active trading and demand for the project. This method tricks investors to buy the NFTs and, when certain funds are collected, developers abandon the project, taking all the funds out of the project.
To protect yourself from pump and dump scams:
Creating an NFT is not very difficult. With options such as lazy minting on the OpenSea NFT Marketplace, an attacker can potentially copy other artists’ works without paying a penny in advance.
Some artists have reported thousands, even tens of thousands, worth of their artworks available on OpenSea without their consent or recognition. Even though OpenSea has improved its regulations and the community is more informed than it used to be regarding stolen NFTs, the problem of fake or counterfeit NFTs still persists.
After copying the original NFT, attackers lure users to buy these fake NFTs using various methods such as hacked social media accounts or social media ads.
To protect yourself from fake NFT scams:
The NFT landscape is full of scammers and thieves who seek to take advantage of those who are new to the Web3 market. To protect yourself from these scammers’ traps, the most important thing you can do is RESEARCH the project and use your critical thinking skills. For more information on how to stay safe in the world of Web3, bookmark our blog, follow us on Twitter @HalbornSecurity, subscribe to our YouTube channel, and reach out to our Web3 security experts at halborn@protonmail.com.