5 Lessons About How to NOT FALL for SCAMS in the NFT Space
Enough is enough: Learn how to protect yourself Anon
Hello frens.
I come to you today with an urgent topic:
HOW TO NOT FALL FOR SCAMS IN THE NFT SPACE!
While this is not the article I was expecting to write and publish as my first article back on my Substack, it’s the information that needs to be shared so here we are.
Today I have watched TWO major scams happen where hundreds of thousands, if not millions, of dollars worth of NFTs were stolen, sold, and the money Tornado Cash’d away before anyone could do anything about it.
While I wrote a little thread about how to protect yourself on Twitter earlier today, a more in-depth breakdown is necessary.
Here’s the thread if you’re interested:
(P.S. If you’re not following me on Twitter, I’m active there 24/7/365 so I really recommend giving me a follow to keep up-to-date on everything I’m up to here: https://twitter.com/BowTiedGolem)
Let’s get started.
LESSON #1) THERE WILL ALWAYS BE SCAMMERS
Welcome to 2022.
We live in a world filled with billions of people, many millions of which are rotten to their core.
These people do not like you, or at least are completely apathetic towards you, and will do anything and everything within their power to scam you out of your hard-earned money.
This is not new.
I remember when I got my first email address on AOL dial-up back in the 90’s: you would get scam emails from Nigerian Princes asking for a quick loan of $10,000 so that they could “unlock their fortune” and give you back $100,000 for your assistance.
Many people were fooled by these Web 1.0 scammers, and millions of dollars were lost.
Here’s where we learn our first lesson:
THERE WILL ALWAYS BE SCAMMERS.
Sure you might surround yourself with sugar & rainbows, believe life is just hunky-dory, and that everyone has good intentions.
Unfortunately that is not the real world.
Back when I was traveling in Europe, my friends told me to always be vigilant and keep watch over my backpack/bags.
Why?
Because there are many pick-pockets that look for unsuspecting tourists with their head-in-the-clouds to rob.
So it is in the real world, so it is in the web 3.0 world.
People that are not vigilant about their safety & security in web 3 are going to get that one-way ticket to Rekt city sooner rather than later.
Please understand that Cryptocurrencies & NFTs pose the absolute greatest potential to scam/steal from people in history.
Instant (self-authorized) transactions
No borders
Black markets
Anonymous
Self Custody
These are key features of crypto that can be co-opted for incredible things or nefarious things.
The best way to protect yourself in web 3 is to recognize that:
You are entirely in control (everything is your fault)
There are no do-overs (can’t reverse txns)
People are actively trying to scam you (all the time)
In this case, honestly, it’s more beneficial for you to be paranoid, all the time.
Which leads nicely into our next lesson…
LESSON #2) All DMs Are SCAMS Until Proven Legit
This goes for both Twitter + Discord, our main two mediums of communication in crypto, however it seems like most people get scammed in the DMs of discord.
Why?
Well, scammers have gotten really effective at mass targeting and sending DM’s to people.
If you send out 100,000 scam DMs, even if you only hit on 0.1% of them (so 99.9% fail), that’s still 100 people falling for these scams.
And they do this for EVERY SINGLE NEW PROJECT that has any sort of hype whatsoever.
Here’s what it looks like:
Now, “how did they get inside of my DMs?!” You may be thinking.
See that 1 mutual server thing next to the “add friend” button?
That means we’re both inside of the MURI project official discord, which is what this scammer is trying to capitalize on.
Here are 2 tips for everyone to immediately get rid of this type of spam:
Tip #1: Turn off Discord DMs to people that are not your friends (recommended)
Tip #2: Turn off Discord DMs for each individual server you are in
I am an NFT degen that is always in 200 servers so option #2 is too tedious for me, but if you’re not in many, I recommend just going that route.
Here’s what the scammers do…
They create a bot that automatically sends out a pre-written message to every single person in that server that has their DMs open.
Often they will do this immediately after you join the discord.
Or if the discord is minting or just sold out, they will send DMs with a strong sense of urgency like “MINT NOW BEFORE IT SELLS OUT” and people get caught up in their emotions and end up clicking the link, minting, and either losing ETH or losing ALL of their NFTs.
Don’t fall for cheap tricks like this fam.
If it sounds too good to be true, or if it is something that you did not initiate, 99.9999% of the time it is a scam.
So there’s a really easy way to protect yourself in this situation.
If someone DMs you and they are not your friend, then it is a scam.
Period.
LESSON #3: ALL “Surprise” Announcement Mints in Discord Are Scams
This is a new(er) scam that has been going around discord for the past few months.
What happens during this scam is that an official discord for a legitimate project will get hacked and taken over by scammers.
This is usually due to a lapse in security by an admin/mod of the project, or a plugin the project was using getting compromised by hackers.
The hackers will then:
Kick all of the mods/admins of the discord so they are in complete control
Block all chatting allowed on the server
SPAM post an announcement that has an incredible amount of urgency in the post to mint from their (hacked) website
Unfortunately this happened today in one of my long-term hodling projects, Capsule House.
Honestly, this hack is what prompted me to write this post.
Here’s what it looked like:
If you took 30 seconds to look at this post you would immediately realize something is wrong.
The main culprit? The URL.
This post is linking to capsulehouse.org when the REAL url for Capsule House is capsulehouse.io.
(Pro tip: Always know the official URL of your projects.)
It’s a subtle change, one that people in the heat of the moment won’t see or recognize in their mad dash to mint this great deal.
But if you take 30 seconds to breathe and READ what you are doing, like I did, then you would have noticed.
Maybe if you took that 30 seconds you would also realize that every single OG mod except for Grindin had been kicked out of the server, or that every single chat channel was locked and nobody could post anything in the discord.
Seems sus, doesn’t it?
Maybe if you took an extra 30 seconds before blindly clicking you’d also realize that this proposition doesn’t make any sense at all.
Capsule House is a 10,000 unit collection.
NO PROJECT would ever just add 1,000 additional units to their collection randomly, nor could they.
Smart contracts are CONTRACTS.
Meaning they have constraints, one of those main constraints being “TOTAL SUPPLY” for the collection.
Which is always capped at a certain number and can’t just be changed willy-nilly.
I hate to say a cliché again, but listen…
IF IT SOUNDS TOO GOOD TO BE TRUE IT PROBABLY IS!
Here’s the thing about discord announcement scams.
Every single project I’ve ever been in will ALWAYS give you official heads up if something is coming.
They’ll say, “hey, you should be paying attention to announcements this week ;)” if they’re planning on doing some type of stealth drop.
AND!
If they are doing something like adding a new collection for you to mint, it will always be IN BENEFIT to the current holders.
Adding 1,000 units to the main collection, at mint price, 6 months post-mint? Come on.
You don’t need to be 160 IQ to realize that does not make sense for the project to do & it would HURT the current holders by diluting the supply.
Also.
One final point here.
Come on anon…
In what world will someone offer you something for 0.08 ETH when the floor is 1.2 ETH?
They’ll only do that if they’re trying to scam you.
Unfortunately people let their emotions take over and they’re signing malicious txns before their brain has time to process it.
Don’t let that be you.
LESSON #4: All Projects Are Rugs/SCAMS Unless Proven Otherwise (Especially Derivatives)
Ok so, this one is a bit of a catch-all on the entire NFT market.
I’m sitting here trying to think of how to explain this in an eloquent way but I’m just going to come out and say it.
When you first hear about a new project that’s MINTING RIGHT NOW or THE NEXT BIG THING or, heaven forbid, was DM’d to you from someone you don’t know, I need you to tell yourself…
“Yeah, that’s probably a scam.”
EVEN IF IT’S NOT!
This is a surefire way to protect yourself from getting scammed.
If your “default setting” is that any new project you’ve never heard of or done DD (Due Diligence) on is a scam, then you will be much more cautious and inevitably you will save yourself a lot of $$$ & heart ache in the long run.
“But Golem,” you may be thinking, “If I do that then I’m probably going to miss the next hot stealth NFT drop that nobody saw until too late!”
Yes, you probably will.
But you know what you won’t do in the meantime?
You won’t get all of your ETH & NFTs cleaned out of your wallet from interacting with a malicious contract.
(Also if you’re doing this part-time, you have no chance to get in there in front of full-time degens. Harsh to say but true.)
I almost NEVER jump in on random mints when I have no idea wtf they are, & certainly not stealth mints I wasn’t anticipating.
The ONLY time I will randomly APE into a project I know next to nothing about is when someone I (personally*) TRUST as having good judgement tells me that they’ve done DD and it looks good to them.
(*That means someone that I know on a personal level who I have chatted with via dm’s or in discord groups or chilled in VC with, etc. NOT an influencer I am following that I have never had one-on-one communication with.)
Even then, I will still quickly look at the website, discord, & contract of the project before minting.
What makes me bring this up in particular is the BAYC Animation SCAM that happened earlier today.
Some scammer got access (either by purchasing or hacking) to a ‘verified’ account on Twitter and used it to RT a post about free BAYC pfp animations.
You can check out the breakdown below by CT’s very own crypto-detective @ZachXBT:
tl;dr
BAYC hodler of 3x BAYC sees post promoting free animations for his BAYC
He goes to website
Connects wallet
Approves transaction
All 3x BAYC in his wallet disappear
BAYC are transferred to scammer’s wallet
Scammer immediately lists all 3x BAYC below floor price
They are bought instantly
Scammer then takes ETH and throws it into Tornado Cash
Trail goes cold
What went wrong here?
Well…
The BAYC owner clearly did not do any diligence whatsoever about this “BAYC Animation project” (every single one has been a scam over the past few months btw)
The BAYC owner then went ahead and APPROVED a transaction on a RANDOM website with his wallet containing his BAYC
The first error is drastic, but the second error is fatal.
This person is either A) Stupid or B) Incredibly naïve.
Regardless, they did this to themselves and there’s quite literally nothing they can do about it.
(REMEMBER: IN CRYPTO, EVERYTHING IS YOUR FAULT. NOBODY FORCED YOUR HAND AND TOLD YOU TO DO THE TRANSACTION. YOU APPROVED IT, YOU NEED TO LIVE WITH THE CONSEQUENCES OF YOUR ACTIONS.)
But you, dear fren, you can LEARN from their mistakes to make sure you don’t make the same mistake in the future.
LESSON #5: Never Approve A Transaction With An Unknown/Unverified Contract
With this one we’re going to go a little bit deeper.
The example above STILL could have been 100% avoided even if the person:
Went to the fake website,
Connected their wallet to the scam website
And got the prompt to approve the transaction
How?
BY LOOKING AT THE CONTRACT YOU ARE INTERACTING WITH BEFORE YOU INTERACT WITH IT!
But how do you do that?
Etherscan.
You know about https://etherscan.io/, correct?
It is the database (aka block explorer) that logs ALL of the data from every single block on the Ethereum blockchain, forever.
Which means it contains every single Ethereum wallet, contract, and transaction ever made on there.
Which means you can look up anything you want.
PUBLIC BLOCKCHAIN, remember?
Example time! (Don’t mind me, I love this stuff.)
In this example I am showing you how I can figure out everything I need to know about a contract from starting on the transaction approval screen on MetaMask. (Via Opensea & BYOCrafts)
Step 1) You get a request to approve a transaction. It looks like this:
“Account 1” is you
“0x3e5…b335” is the contract you are interacting with
“https://opensea.io” is the website you were on that interacted with this contract.
Step 2) Click on the contract address you are interacting with. In this case it’s “0x3e5…b335”.
Then you’ll get a popup that looks like this:
Step 3) Click on the link where it says “View on block explorer” this will take you to that contract’s etherscan page.
Looks like this:
See where it says “Tracker”? That is the token name/ticker for this NFT collection. In this case, I am interacting with BYOCrafts so that is the ticker I am expecting.
Scammers will try to match this as closely as possible, so it proves nothing on its own.
So you need to do 3 more things to really get a feel for what’s going on.
Step 3a) Look at the transaction log. If it is an active collection that is legitimate it should have hundreds, if not thousands and thousands of transactions logged for it.
For that, all you need to do is scroll down the page.
3,297 transactions? From tons of different addresses? Seems legit to me.
But we’re not done here.
Step 3b) Look at the actual contract! See that tab that says “contract” with the check mark next to it?
That check mark means that the contract’s source code has been verified on etherscan, so what you read there is what is actually deployed. Good sign. (BUT NOT THE ONLY SIGN!)
Click on it. You can literally read the contract. Everything is public.
This is the beauty of Web3.
Now most people aren’t coders, and I get that, but you can scroll through there and get a general vibe of whether or not this is legit.
Step 3c) Look at the owner of the contract! There’s 2 ways to do this.
The fun way is to click on that tab where it says “read contract” after you click on contract. Scroll down to where it identifies the owner of the contract and click on that address.
The other way is to simply scroll back up to the top of the page and click on the url link next to where it says “creator: 0x…..”
Then you’ll be taken to the creator of the contract’s page, which if it is a legitimate project should be the admin deployer address that releases all of their contracts.
For BYOCrafts it looks like this:
Seems legit to me!
Looks like this contract is safe to interact with.
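As an added example that is not part of this post, here is a small Python helper that applies lesson #5 one step before Etherscan: it decodes the raw transaction behind the wallet’s approval prompt and flags (a) a contract you have not yet checked and (b) an approval that would let an unknown address move EVERY NFT you hold in the collection, which is exactly how 3x BAYC walk out the door in one click. The two selectors are the standard ERC-721 ones; the contract, operator and transaction are constructed placeholders.

```python
# Added example, not from the post: apply lesson #5 to the raw transaction behind a
# wallet "approve" prompt. All addresses here are constructed placeholders.

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # blanket operator approval (ERC-721/1155)
    "095ea7b3": "approve(address,uint256)",         # single-token approval (ERC-721)
}

def decode_call(data: str) -> dict:
    """Split calldata into its 4-byte selector and 32-byte ABI argument words."""
    h = data[2:] if data.startswith("0x") else data
    words = [h[i:i + 64] for i in range(8, len(h), 64)]
    return {"selector": h[:8].lower(), "function": SELECTORS.get(h[:8].lower(), "unknown"), "words": words}

def word_to_address(word: str) -> str:
    """An ABI address word is 12 zero bytes followed by the 20-byte address."""
    return "0x" + word[-40:].lower()

def assess_prompt(tx: dict, verified_contracts: set, trusted_operators: set) -> list:
    """Red flags to notice before clicking Confirm. verified_contracts = contracts you
    already checked on Etherscan (steps 3a-3c); trusted_operators = operators you
    knowingly let move your NFTs, such as a marketplace you actually use."""
    flags = []
    to = tx["to"].lower()
    if to not in verified_contracts:
        flags.append(f"contract {to} has not been checked on a block explorer")
    call = decode_call(tx["data"])
    if call["function"] == "setApprovalForAll(address,bool)":
        operator = word_to_address(call["words"][0])
        if int(call["words"][1], 16) == 1 and operator not in trusted_operators:
            flags.append(f"setApprovalForAll lets {operator} move EVERY token you hold in this collection")
    elif call["function"] == "approve(address,uint256)":
        spender = word_to_address(call["words"][0])
        if spender not in trusted_operators:
            flags.append(f"approve lets {spender} move token #{int(call['words'][1], 16)}")
    elif call["function"] == "unknown":
        flags.append(f"unrecognised selector {call['selector']}: read the verified source before signing")
    return flags

# Constructed sample: a "free animation" site asks the wallet to sign this.
COLLECTION = "0x" + "c0" * 20   # placeholder NFT contract the prompt targets
DRAINER = "0x" + "ab" * 20      # placeholder operator the site wants approved
SAMPLE_TX = {"to": COLLECTION,
             "data": "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"}

if __name__ == "__main__":
    for flag in assess_prompt(SAMPLE_TX, set(), set()):
        print("RED FLAG:", flag)
```

The same blanket approval signed to a marketplace you have deliberately added to trusted_operators, on a contract you have already checked, produces no flags, which is the point: the danger is not the function, it is who you are granting it to.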
Now, our BAYC anon above, he probably:
Doesn’t know how to do this
Never thought about reviewing the contract he was interacting with before doing so
Which is why he got robbed.
Ignorance is not a defense, it’s a liability.
Remember lesson #1?
THERE WILL ALWAYS BE SCAMMERS.
And honestly fam, they’re getting better and better every single day.
You need to take the time to LEARN how to protect yourself and then take the ACTIONS that will protect you now and in the future.
I need to put some warnings below…
I honestly feel silly typing these out because duh, that’s obvious, right?
But if this saves 1 person from connecting to a malicious contract, I will consider my job done:
NEVER CONNECT YOUR WALLET TO A WEBSITE YOU DON’T KNOW
NEVER, EVER, APPROVE A TRANSACTION ON A WEBSITE/PROJECT YOU DON’T KNOW
NEVER, EVER, EVER APPROVE A TRANSACTION ON A WALLET HOLDING A BAYC (OR INSERT ANY NFT WORTH 1 ETH+) UNLESS YOU ARE 1,000% SURE YOU ARE ON A LEGITIMATE SITE
What seems like common sense really ain’t so common.
I hope that this article has been informative and entertaining for you to read.
It wasn’t what I was expecting to write after such a long Substack hiatus but after seeing the two major scams happen today, I felt like it was needed.
The NFT world right now is in its wild-wild-west phase and there are incredible opportunities to make a fortune here.
There’s also just as many opportunities to lose fortunes.
Safety is of the utmost importance in this space.
And the hard/scary part is that IT’S ALL ON YOU.
It’s hard enough as it is to make NFTs/Crypto trading your full-time gig, don’t make it harder for yourself by getting scammed and losing your hard fought coins & NFTs.
With that I bid you farewell and hope that you have a wonderful rest of your week anon.
Stay safe out there!
Your fren,
Golem
Love it Golem! Good from anyone doing their first mint to a 2017 punk holder!