From trading cards in the form of cariacutures of Donald Trump to pixelated owls, NFTs, or non-fungible tokens, are a type of digital asset that represents ownership of a unique item or piece of content, such as a digital art, collectibles, in-game items, music, and videos. They are built on blockchain technology, which allows them to be verified and tracked securely, making sure that the ownership and authenticity of the digital asset can be proved. With Yuga Labs, the company behind smash hit NFT series Bored Ape Yacht Club (BAYC), recently announcing its first NFT launch since last May, the market is more riled up than ever to get its hands on these shiny new collectibles.
According to leading data aggregator Statista, revenue in the NFT sector is projected to reach US$3,546.00 million in 2023, while user penetration in 2023 is expected to hit 0.7% reach 0.8% by 2027.
“NFTs continue to move forwards driven primarily by utility applications and forays into the metaverse,” blockchain analytics firm Nansen reported in late 2022. “The NFT space saw incredible capital allocation throughout 2021, and even in the colder prevailing market conditions, it still sees high trading volume.”
It comes to no surprise, therefore, that NFTs often serve as the initial gateway and impetus for web2 natives to dip their toes into the waters of web3. Massive web2 conglomerates are also entering into the foray of web3 through this very channel as well, with the likes of Starbucks, Nike, and Reddit launching their own NFT collections over the past year in the hopes of bridging its consumer base into the cornucopia that is web3. This however, belies the true danger that presents itself to new web3 users – aggressive marketing strategies, coupled with fan hype and FOMO (fear of missing out) have led many web2 natives to jump on the bandwagon to procure these digital collectibles – without understanding the risks and dangers that lie lurking in the unchartered waters of web3.
According to London-based blockchain analysis company Elliptic, between 2021 and 2022, as much as US$100 million have been stolen through NFT scams – with 4,600 NFTs stolen in July 2022 alone, underscoring the high level of risk that presents itself especially to those new to the NFT scene.
Here are some key dangers to keep a lookout for as you trawl for the next addition to your NFT collection.
As the term suggests, wallet drainers are pieces of malicious software and code that once interacted with, can allow the hacker to execute a smart contract code that drains an unsuspecting wallet of its funds and assets, including any other tokens or NFTs stored on that particular wallet.
These forms of software are unfortunately widely available for purchase and use, as a brief search on Github shows:
With terms such as “Guaranteed ROI” and “Free Download”, the use and deployment of such software can be incredibly tempting for malicious users in need of some quick and fast cash. Wallet drainers can be easily employed under the guise of NFT mint sites, wherein once an unsuspecting user opts to mint the NFT directly and sign the associated smart contract without paying attention to the address, could result in irrecoverable damage.
These wallet and NFT drainers are typically designed to appear reminiscent of new and existing NFT projects and their respective websites, leveraging malicious smart contracts to steal the contents of a victim’s crypto wallet.
Minting an NFT directly from a website can be incredibly tempting for NFT hunters, particularly if they are still new to the space and are on the lookout for taglines such as “free-mint” and “limited mints only”. Knowing this, many malicious users often target this vulnerable demographic by using such landing pages to get users to connect their wallet to the site and sign the contract to procure the “free-mint”. Experienced hackers may even employ tools to build hype around their sham project, such as deploying bots to create fanfare and clout around the social media pages of their project, and even air-dropping sneak previews of the NFT line to popular content creators in the hopes that they may unknowingly shill or promote this sham project.
Should the unsuspecting user opt to claim the “free-mint” and sign the wallet transaction, chances are they may find their wallet balance deplete down to zero soon after. While some wallets may provide warning prompts to users beforehand, not all wallet drainers can be detected this way, and users also have the ability to disregard the warning message and proceed on with the transaction in either case.
In January this year, an incredibly convincing website featuring the Pokemon Trading Card Game launched, only for users to discover that it was yet another phishing scam. The website integrated key pokemon iconography, licensing material, and even an NFT marketplace. Interacting with the website, however, would lead to a malware tool being downloaded into the unsuspecting user’s computer.
The tool, later identified as NetSupport Remote Admin Tool (RAT) by South Korea’s Ahnlab’s Security Emergency Center (ASEC), allowed attackers to not only take control of the user’s devices such as computer and keyboard, it also opened a back door into the user’s rig, making it more susceptible to further malware intrusions.
Another tactic employed by black-hat hackers involves airdropping mint passes into wallets with the tagline of providing these “fortunate” users with exclusive benefits to mint free NFTs. These Airdrop scams happen when people receive tokens in their wallets that they did not ask for and did not know about, usually ending with a .io extension.
Although this may not be inherently suspicious at face level given that even legitimate NFT founders also use unsolicited airdrops as a tool for marketing and promotion, the comparative difference is that these malicious airdrops often serve to direct users to an external site instead of serving as the NFT in itself.
The manner or front used to solicit private keys and seed phrases from unsuspecting users may differ from scam to scam, but more often than not the website would indicate an “error” message when the user is prompted to connect their wallet, and will then proceed to request for the private keys and seed phrases from the user, which then allows the scammers to gain access to the funds of their unfortunate victims.
Social Media Scams
Even newbies to the NFT scene would have almost immediately realised the importance of social media platforms such as Discord and Twitter in the NFT ecosystem, be it for marketing and promotion purposes or qualifying for certain whitelists. Yet these spaces are also often attractive hunting grounds for malicious users, who often launch attacks on these platforms to phish for user information and data.
In June 2022, a hack took place on BAYC’s discord server, wherein project’s community manager, Boris Vagner, had his Discord account compromised, which the attacker then used to post phishing links in both the official BAYC and its related metaverse project called Otherside’s Discord channels. An estimated whopping $260,000 was stolen along with several of the coveted NFTs as a result of the attack.
While NFT Discord and Twitter communities have begun to learn from these attacks and implement measures such as constantly reminding their members to be on the lookout for scams and fake accounts, it is still not completely foolproof, and the nature of Web3 inherently makes identity verification difficult for most users.
Behind the glitz and glamour of these digital collectibles lie numerous threats that may not be easily detected, even by crypto and Web3 veterans. Yet NFTs still play a crucial role in onboarding the next wave into Web3, as evidenced by how TradFi companies such as Starbucks and Nike are deploying these virtual collectibles as a means to bridge their consumer base into the world of Web3. And who can blame them? NFTs are not only collectible, they also feature prominent Web2 iconography and IP licenses that are familiar to Web2 users sitting on the fence.
Keeping your funds SAFU
In the face of these threats, how can users best protect themselves while procuring these digital tokens? We have compiled a list of hygiene measures to keep your funds safe while traversing the NFT realm:
Always check wallet transactions and approvals when interacting with contracts
Be mindful of any alert messages that your wallet might sound off to you, including messages such as “Signing this message can have dangerous side effects” or “Only sign this message if you know what you are doing or if you completely trust the requesting site”. However, it should be important to note that not all wallet drainers are detectable by your wallet. In these cases, it might be apt to inspect the source code further to identify the origins of the tool before you interact with it. Below is an example of a closer inspection of a “free mint” button on a suspicious NFT mint website:
Here, it is quite obvious once inspected, that the source code has an NFT / Wallet drainer software embedded within it, confirming the danger of the website. While this may be a more accurate means to identify if NFT mint sites are trustable, not many causal NFT collectors or Web2 natives may take this additional step to verify the security of the website before minting from it.
Do not click suspicious or unexpected links sent as direct messages or on social media channels
This is especially true on platforms such as Discord, which is currently still one of the more popular mediums for grinding tokens, qualifying for NFT mint whitelists, as well as interacting with others within the same NFT community. Always be wary of any direct messages you may receive while within the particular channel, and keep a close lookout on any announcements on your channel notifying the community of a possible scam.
Never share private keys or seed phrases. Ensure these are stored offline and not on devices or cloud storage.
This goes without saying, but your private key and seed phrases are your only lifeline in the realm of Web3. Never disclose them to anyone else, not even a close friend or family member, as even though they may not be malicious actors themselves, they may unwittingly disclose your keys if they fall for a phishing scam. Minimise exposure as much as possible, and secure your private keys as much as possible. At present, it seems that storing your private keys offline is one of the more popular ways in securing them. Even storing them on a paper wallet, which is essentially just a piece of (preferably laminated) paper with your keys, can be considered a decent security measure – provided you don’t lose the document entirely.
Ensure due diligence is carried out on any project before investing; check the profile and background of a project and its founders.
While this may be a fairly subjective metric, it might be good to consider paying close attention to the founding members of the NFT project, for instance. Stepping into the shoes and adopting the mindset of a major VC might be a useful method, and some questions you may ask before investing or minting an NFT project could be: Who are the founders and have they been a part of any other successful NFT project before? What do the communities surrounding these projects look like, and do they mostly seem like bots? Is there any real verifiable utility of the NFT, and is it merely an inverted copy stolen from another series?
While these prompts may not be complete and exhaustive, they can hopefully help to kick-start your brainstorming process before you commit to investing in the project.
Purchasing NFTs from renowned marketplaces as opposed to minting directly from a website.
Consider purchasing NFTs on renowned NFT marketplaces instead of minting directly from the project’s website. While there may be legitimate mint websites out there for sure, there remains many sham websites that either have wallet or NFT drainers lurking behind the corner. Admittedly, the thrill of qualifying for a whitelist and perhaps procuring a coveted NFT at an early-bird or exclusive price may be tempting for many. However, this has to be weighed against running the risks of encountering a rug-pull NFT project, or worse, interacting with wallet drainer software. A safer bet may be to purchase your desired NFT off an NFT marketplace instead, such as Bitget Wallet (Previously Bitget Wallet (Previously BitKeep))’s very own NFT marketplace.
Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) NFT Market, as an aggregated NFT marketplace, is meant to facilitate the collection and display of various artworks, as well as provide global creators and collectors with the ultimate NFT trading platform. Trusted by more than 8 millions global users across 168 countries thanks to its state-of-the-art security, ease of use, and inclusiveness, Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) has partnered with several top 30 mainnets including Bitcoin, Ethereum, BNB Chain, TRON, Polygon, Arbitrum, Avalanche, Optimism, Fantom, and Solana to provide new users with a safe, secure, and diverse environment to jump-start your NFT collection journey.
Follow Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) to stay up-to-date with all of our latest events, findings, and promotions, and let Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) be your premier gateway into the Web3 space.