NFT Scams Are Everywhere. Heres How to Avoid Them – Rolling Stone

At the start of the new year, global NFT sales leapt over the $4 billion mark. Simultaneously, like the stench of a bloated trash bag busting open, talk of scamming in the space spread with gusto: Google searches for NFT scam hit an all-time high the week of Jan. 1. With droves of people buying in some far more tech-savvy than others Rolling Stone asked experts for tips on how to avoid expensive blunders.

As more money flows into the metaverse, so do bad actors hoping to extract value at the expense of everyday crypto users, says Georgio Constantinou, who discovers, builds, and produces crypto projects. Crypto scams have been getting increasingly more sophisticated, and it emphasizes the caution that people need to exercise in a decentralized ecosystem. As Constantinou explains, there are various types of scams, and its important to know how to identify them in order to avoid them.

According to Greek mythology, the Trojan War started when a goddess, Eris, threw something sparkly a golden fruit now known as the apple of discord into a party of feasting revelers. Nowadays, a fake link on Discord the decentralized, online network of chatroom servers can be similarly enticing and chaos-inciting.

Discord hacks are one of the most common NFT scams out there. They happen when hackers gain administrator-level access to a Discord server and post a fake minting link in the announcements channel. The message, according to Constantinou, will usually look like its coming from a project organizer and offer a deal that seems too good to be true something like, Due to demand, were releasing 1,000 more NFTs. Often, hackers will intentionally seek out sold-out collections, because of the ability to create demand. Once a collection is sold out, most will never do a surprise mint of additional NFTs, he says.

Constantinou notes that most projects will put all official links in a separate, designated channel and wont let minting happen via sketchy looking URLs just on the projects primary website. Constantinou also suggests that everyone turn off the direct-messaging function on Discord. If a community member says theyre having trouble with something and innocently asks for help on a hacked Discord, theyll immediately get like five DMs from scammers, says RAC, a longtime crypto enthusiast, musician, and entrepreneur who co-founded Six, a Web3 consultancy firm, with Constantinou and their colleague Jesse Grushack last year. Project teams will never DM you first, says Constantinou. Its best practice to assume everyone is a scammer until proven otherwise.

A fake Discord link will probably ask for Ethereum (ETH) tokens to create a new NFT that never actually materializes, as the perpetrator runs off with the money but an even greater problem arises if said perp asks for the victims seed phrase, which is a series of confidential words used to gain access to a crypto wallet. Due to FOMO, people will rush to mint the fake collection and, in many instances, not only lose their ETH, but their tokens and NFTs as well, says Constantinou. No one should have your private key ever, adds RAC. Thats a big one. People are literally just getting their funds stolen.

Outside of Discord, phishing can happen in Twitter messages and emails. RAC likens the NFT space right now to an inbox: You wouldnt jump to give your social security number to any old emailer. Constantinou suggests that people buy hardware wallets USB-sized, tangible devices that plug into computers and recommends the brands Ledger and Trezor, which are arguably more secure than online options. A hardware wallet allows you to avoid ever having to enter [seed phrases] into a browser, he says. It will protect you from yourself. Hes also a big fan of using two-factor authentication when possible, as well as complex passwords. (He recommends a software called 1Password for storage.)

Although hes never been scammed himself, Constantinous heard stories of hackers pretending to be representatives from OpenSea, the Internets largest NFT marketplace, and Metamask, a popular NFT-storing digital wallet. In some of these instances, he says the representatives told their victims they were randomly selected to receive a surprise airdrop of virtual goods, directed their victims to fake a login page, and told them to sign in. He says people should only ever download and interact with wallet extensions via their official websites. If using an app, triple check the reviews. If browsing, eyeball that URL closely.

Airdrops themselves can have malicious coding in them as well. As a prominent figure in the space, RAC says tokens are randomly airdropped into his online wallet all the time. The name of the token is a website to try and get you to go to your website, he says. They want you to think, Oh hey, I got these free tokens. Let me go to this website and try to sell them. Everythings programable, so what they do is they make these tokens unsellable. It basically locks you into something and forces you to give them access to your funds, and then they steal your money. Anyone can send anyone tokens at any point: The wallet holder, like an inbox-owner getting an email, doesnt need to approve or accept a transfer. The best thing to do is simply ignore it, he says. Thats what I do.

But sometimes these airdropped tokens dont actually do anything other than serve as smoke and mirrors: If someone is creating a project with both a fake NFT collection and useless tokens, they may airdrop said tokens into influencers wallets so they can technically say that the influencer holds their currency, implying that they back the project.

Fake, or half-baked collections, have become a huge problem. When a person or group of people positions a preliminary set of basic NFTs as the beginning of a bigger project that will unfold over time perhaps with a video-game component, merch, and/or in-person events and then runs off with the millions of dollars raised well before any of the promised steps could take place, thats called a rugpull. If the only thing the creators ever promise is an NFT that could then unlock additional perks later on, theyre probably not liable when glassy-eyed sheeple lose money. Constantinou only gets behind projects with online hubs that are brimming with thoughtfully presented information. Big collections with massive potential dont come together at lightning speed, he says: If a project looks like it was spun up in a day and the website is janky, theres always a risk that its just a quick cash grab.

Paying for a Ferrari and getting Hot Wheels is made worse if the proverbial vehicle holds a malicious smart contract the kind that send assets from the wallet its in to the hacker. When that happens, Constantinou encourages the use of a website called revoke.cash, a tool that essentially checks which websites have permissions to engage with a wallet and lets the wallet owner revoke those permissions. To be clear, revoke.cash cannot return monies lost, but it can stop the action from happening again and if you realize that you fell for a scam quickly enough, you may be able to stop the hacker before they have a chance to set that part of the plan in motion.

Ragzy, a visual artist who debuted her first NFT series last year and has since become a collector, says that she always looks for a fully doxxed team one made up of reputable figures whove openly identified themselves before she gets involved in any project. Undoxxed teams, she says, get away with it because nobody knows who to hold accountable.

Ragzy, who has a second TikTok just for educating Web3 beginners on NFTs, has noticed that a lot of undoxxed rug-pullers name themselves after the project. She sees that as a red flag. She brings up a hypothetical collection of cartoon cats: It would be like Lead Cat 1 and Blue Cat 2 with no affiliation to any specific person. Ragzy pushes cryptos golden rule of doing the research. Look at their backgrounds, she says. What is their reputation in this space? Did they have another successful project? Who is the artist? Look at the art itself. Does it translate well? Constantinou echoes this sentiment. Dont trust. Verify, he urges. Slow down and triple check everything.

Even if a reputable person is advertised on a projects website as a team member, that doesnt guarantee their affiliation. So, her modus operandi is to question everything: Who are the people investing in this project and do they want to see it survive longterm or are they gonna dump their NFTs?

Ragzy also points out that social media numbers dont necessarily mean anything if theres no clear value to the project. Communities come together for a common purpose, and if the common purpose is to buy the NFT and flip it, thats not really a community, she says. Of course, followers can be bought, and so can celebrity backings. Youll see a lot of celebrities being asked to promote not just NFTs but other cryptocurrencies, and theyll have no clue what it is. Its not their fault. Theyre looking at it like its a sponsored ad. If theyre endorsing it like theyre part of the project, it still doesnt hold any weight for me. Just because a celebrity endorses a project or creates it, does not mean its going to survive.

As a visual artist, Ragzy is fearful of the long-lasting impact this ebb-and-flow pandemonium may have. A lot of artists have never been paid fairly. Artists are often asked to do work for free or are underpaid and are told to be grateful. Our work isnt valued. You were a rich artist when you were dead. NFTs are changing that, she insists. Not only are we creating an environment wherein were getting compensated fairly but we get a royalty on our work if its resold. This is why I hate all the scams and the rugpulls that have been happening, because I think it gives the space such a terrible name. What was meant to be so innovative and such a beautiful way for artists to finally capitalize on their work and ideas is now turning into a place with a lot of scams and negative things associated with it.

RAC, on the other, is confident that this too shall pass. In his eyes, its cyclical. There was a time when people didnt dare put their credit card online. They were like, Oh my god. Never do that! Youre going to get your money stolen. The Internet wasnt always the safe place that we think it is. Hes not worried about mainstreamers writing off crypto and running away for good: This always happens when theres money, when its a bustling new thing. I saw this happen in 2017 the year Bitcoins value slingshotted from $900 to $18,000 and then it completely died out in 2018 and 2019. It came back full force in 2020, and I think were now seeing the NFT version of that.

Being scammed is the risk you take by entering into this relatively uncharted territory, RAC says, adding that people should really look at their participation as a form of investing. This system is safe in a lot of ways, but you cant stop people from trying to scam you. Because this is a completely open system with no safeguards on by design were going through that early growth phase. Its not fully professionalized yet. Its not fully trusted Nefarious individuals are just going to take advantage of less-educated people. He admits that its really unfortunate, but also says you kind of just have to live with it to some extent.

Six co-founder Jesse Grushack agrees: The reality is its a new frontier and if you dont understand, dont do it. If youre not willing to lose, dont play. Coinbase and other custodial options are great for beginners. Theres no such thing as a free lunch so, if it sounds too good, it probably is.

See the rest here:

NFT Scams Are Everywhere. Heres How to Avoid Them - Rolling Stone