
How to Keep Your NFTs Safe

decrypt.co, 18 February 2022 22:17 UTC

Last year was unprecedented for NFTs. From blue-chip collections to celebrities joining in to a huge influx of community members, the space has seen a meteoric rise compared with 12 months ago.

Although that's brought liquidity to the space, opportunities, and vast potential to grow, it's also attracted potential scammers. Due to the decentralized nature of the NFT world, many have been left vulnerable to a number of scams, and in many cases, there's been little anyone can do to counter them.

Scammers are becoming more sophisticated, and every day someone tweets about losing their most prized digital gems. Collectors need to be more cautious than ever. Here's how.

Prime targets

The NFT space is still in its experimental stages—many have compared it to the Wild West. There's no overarching customer support and you can't report losses to the authorities, yet the space still generated billions of dollars in 2021. That's what makes it a perfect breeding ground for scammers.

"Blue Chip" NFTs are being targeted the most, perhaps none more frequently than Bored Ape Yacht Club—one of which now sits at around 60 ETH. This means a scammer potentially could rake in hundreds of thousands of dollars with a single click. In a space built on a strong sense of community and positivity, it's still frighteningly easy for anonymous scammers to infiltrate conversations and manipulate holders. All it really takes is one momentary lapse in judgment.

The blockchain and NFTs provide autonomy, but that also means we're responsible for our assets—no bank is watching them. Understanding different types of scams will help keep your NFTs safe.

Types of scams

Fake mint pages

Often during highly anticipated NFT drops, a number of OpenSea pages emerge, which can make it difficult to verify which is the legitimate collection, especially if the collection isn't verified. With FOMO percolating and time ticking, many collectors fail to take the extra step of authenticating where the assets are minting from, and they mint the wrong NFT.

Soon after, the illegitimate collection is removed from OpenSea along with that NFT, but the scammers still have the buyer's money. This recently occurred with Punks Comic, where many were tricked into minting from an OpenSea page, losing hundreds of dollars.

Steps to take

  • Never click unverifiable links.
  • Double check the domain link. A scam website can often be distinguished by just one different character.
  • Confirm you're minting from the verified link by going to the official collection's Twitter or Discord first.

Fake airdrops

Due to NFTs existing on the blockchain, your address is public to everyone, and so is your every move. This means anyone can interact with your account, and they can send NFTs to your wallet as gifts—aka an airdrop.

Scammers will often send NFTs to your wallet to get you to interact with them and learn your personal details, so it's best not to interact with any new NFTs unless you've verified their origin.

Impersonation

Impersonation is perhaps the most malicious scam, and it can entail a variety of methods.

Recently, a Twitter account was brought to my attention—it had 5,000 followers, my profile picture, a copy of my bio, and they shared some of my same tweets. The only difference between my account and the fake one was that the fake one's username included an extra S—"NFTs1nsight" instead of NFT1nsight. That account could have easily fooled someone who hadn't seen my real account.

I can't confirm how the account was used—if DMs were sent to potential scam victims—but I can only assume it was created maliciously. Such scams have become increasingly common, with some fake accounts adding thousands of followers to seem more real.

Steps to take

  • Having lots of followers doesn't mean an account is real.
  • Always double check Twitter handles and who's following the account.
  • If you verify it's a fake account, report it to Twitter.
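
The "one different character" check for domains and the extra-letter handle described above can be automated. This is an added example, not code from the original article: the allowlist contents, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: your own allowlist, built from bookmarks and official announcements.
VERIFIED_DOMAINS = {"opensea.io"}
VERIFIED_HANDLES = {"nft1nsight"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, verified: set, max_distance: int = 2):
    """Return (verdict, closest verified name or None) for a handle or domain."""
    name = name.lower().lstrip("@")
    if name in verified:
        return "verified", name
    closest = min(verified, key=lambda v: edit_distance(name, v))
    if edit_distance(name, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


def check_link(url: str):
    """Classify the host of a link before it is clicked."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for d in VERIFIED_DOMAINS:
        if host == d or host.endswith("." + d):
            return "verified", d
    for d in VERIFIED_DOMAINS:
        # A verified name used only as a prefix of someone else's domain.
        if (d + ".") in host:
            return "lookalike", d
    # Assumption: two-label registered domains; a public-suffix list is more exact.
    registered = ".".join(host.split(".")[-2:])
    return classify(registered, VERIFIED_DOMAINS)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real incidents.
    for link in ("https://opensea.io/collection/x", "https://openseea.io/mint",
                 "https://opensea.io.mint-drop.example/", "https://example.org/"):
        print(link, check_link(link))
    print("@NFTs1nsight", classify("@NFTs1nsight", VERIFIED_HANDLES))
```

A verdict of "unknown" only means the name is not close to anything on the allowlist; it is not a confirmation that the link or account is legitimate.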

There are also brand impersonations, where scammers similarly create a profile to offer support to victims of hacks or other issues, often on Discord or Twitter.

Fake links

Scammers will send fake OpenSea offers to people's emails, asking recipients to click the "view" button. Those links often will take you to a fake page asking for your wallet and seed phrase. Similar scams also are on Discord. Once a scammer has your info, they'll transfer all of your assets to another wallet and sell them—and there's no way of stopping them. You'll find yourself in a race to salvage as many NFTs as you can.

Many scammers will sell NFTs at lowball prices just to unload them, and suspicious buyers may just scoop them up instead of inquiring as to how the seller acquired them. Sometimes community efforts can help thwart this, but not always.

Jenkins impostor: A case study

Just recently, the prominent NFT collection Jenkins the Valet’s Discord was compromised by hackers after a moderator shared his screen and they were able to lock down the Discord, banning the mods and the founders themselves. The hackers impersonated Jenkins, which then enabled them to drop a fake mint link to a stealth drop, which many members believed to be legitimate. Not only was the link almost identical to the original site's, the hackers also created a stage to talk about the mint, banning anyone who questioned the authenticity of what was happening. Unfortunately, many fell for it, and the community was scammed out of a few dozen ETH.

The lead moderator was tricked by scammers via Discord DMs that accused him of being a scammer himself. In a moment of panic and confusion, he tried to prove his innocence by sharing his messages. He shared his screen, which allowed the scammers to hack his Discord and take control of the server.

The second issue was that Jenkins did not have full ownership of the server. Because of this, he was banned, which would have been impossible if he owned the server. Since then, the permissions and ownership have been transferred, and control has been regained, which should help prevent future scams.

The Jenkins team reacted clearly and concisely in response to the hack, rebooting its Discord from top to bottom, introducing 24/7 moderation via bots, conducting an audit, and compensating everyone who lost ETH in the scam. Jenkins also gave away a Bored Ape Kennel Club Dog as a way to apologize for the unfortunate incident.

A small upside is that the hack means they're now better equipped to battle future scammers. (You can read more about the timeline of events and the full situation here.)

There is a hack/scam(bypasses 2fa) that scammers are using to compromise discord accounts. If you are a project founder/admin, this is IMPORTANT.

Our server just got attacked.

Here's how, a🧵

— Little Lemon Friends (@LittlelemonsNFT) January 3, 2022

Security best practices

Here are more ways to keep your assets safe:

  • Ensure you have verified links before clicking them. Never click on random or broken links sent by unknown sources.
  • Never share your screen.
  • Before minting anything, make sure to check the contract address, which should specify where the NFT was minted. If it's been verified on OpenSea, it should be legit. If it looks too good to be true, it probably is.
  • Never share your recovery phrase with anybody.
  • Keep your seed phrase away from your phone and computer—store it physically, with multiple copies in safe places.
  • Always confirm you're minting on the verified website.
  • For many, it's easier and safer to turn off Discord DMs due to bots and scammers abusing them.
  • Bookmark verified sites like OpenSea—it helps prevent landing on fake pages.
  • If you need assistance, you will never be sent a DM first—turn to official sites for assistance, not social media.
  • Ask trusted friends questions, turn to official teams for answers, and don't be afraid about asking questions that prioritize your safety and security.
  • Use two-factor authentication, an extra layer of security.
  • Use strong and unique passwords—it's wise to use a different password every time you create an account.
  • Use a hardware wallet such as a Ledger or Trezor—these cold wallets are offline, so nobody can access them other than you through your private key.
  • DYOR. Before you do anything in the NFT world, make sure to research the collection, the seller, the contract, the link, and more.

On Securing your NFTs 🔒

This week I have looked at 5 different cases of wallets being compromised and NFTs being stolen from their owners.

It breaks my heart every time this happens, but the patterns are always the same.

1/ Below are some rules to live by to stay safe
🧵👇

— richerd.eth ᵍᵐ (@richerd) February 2, 2022

Always remain vigilant in the NFT space. One brief lapse in judgment can mean the difference between a full wallet and an empty wallet.
