Now, with NFTs selling like proverbial (and digital) hotcakes, hucksters have shifted their tactics to exploit this growing market — and their efforts appear to be working.
There are two main ways that they are seeking to gain access to one's wallet and whatever tokens are held therein.
Pretending to provide support services
One key tactic has been to pretend to provide support services on behalf of NFT marketplace OpenSea.
This technique is effective because there are so many issues with NFTs, ranging from checking whether a collection is official to NFTs not showing up in wallets, or showing up with incorrect attributes. These types of issues demand help, and as a result, confused buyers will seek support from either the NFT issuer or the marketplace with which they’re dealing.
Typically, the NFT buyer will reach out for help on the messaging platform Discord, which has grown to be the hub of NFT activity and conversations.
The problem: it’s trivial for someone to set up an account named “OpenSea Support” or equivalent and hang around in these chat groups. When someone mentions their issues, the fake support service will reach out to them via a direct message offering to help.
One rather effective tactic involved in-browser wallet MetaMask. The scammer would invite the user to share their screen and direct them to a certain part of the wallet that’s designed to connect your wallet across different devices. By doing this, the scammer would set up the wallet on their own device, gaining complete access to the user’s funds.
Since this became a big issue, MetaMask has temporarily disabled this function.
This exact issue happened to Jeff Nicholas, a creative director at Authentic AI. In a tweet thread, he described how he went to the OpenSea Discord looking for support and ended up getting coaxed into a DM by a scammer with “OpenSea” as their name. He ended up showing the QR code that lets the account be transferred to another device, then he began noticing his wallet being emptied.
“They transferred everything. All the Apes, the dogs, the cat, the airdrops, all the ETH,” he tweeted. “They’re in my other account too, so I get in & try to salvage as much as I can, transferring it out to another wallet before it’s all gone. I get a few NFTs, some tokens.”
While this part of the attack may no longer work for MetaMask, the key thing to be aware of is that supposed support accounts in Discord may be fake — and they will use any trick in the book to steal your funds.
Capitalizing on NFT mint confusion
Not only are scammers targeting NFTs in general, but they are also focusing specifically on the mints — aware that they are a perfect time to catch people off guard.
When NFTs are launched, there is a public date and time announced in advance. At this time, the website will provide a “mint” button and anyone can pay to create one of, say, 10,000 NFTs. If the mint is in high demand, it can sell out in minutes, or even seconds. This can make the moment incredibly stressful, particularly when the mint doesn’t quite go to plan, as often happens. It can also lead to a lot of confusion — and that’s when the scammers take advantage.
Right before the mint, prospective NFT buyers will be looking for where it will happen and the key details (best found in the FAQ). During it, if there are any problems, they will be looking for answers and solutions. They will typically be sitting in the main general chat in the relevant Discord channel.
One method is to pretend to provide a minting service. The scammer will say that the mint has gone wrong and the only way to get an NFT is to send cryptocurrency to the wallet address that they provide.
Another method is to post fake links, hoping that people won’t notice. One tactic is to post a website link claiming that’s where the drop will take place. The site will look similar to the official website, but it will likely transfer all of the visitor’s NFTs out of their wallet.
This particular tactic affected Messari research analyst Chase Devans, who used a link that his friend saw in Discord and gave to him. When he tried to mint an NFT on the site, it took $15,000 in solana (SOL) from his wallet and all of his NFTs.
He tweeted: “I've gotten rekt before. Shitcoins, May 19th cascades, you name it. This one hurts differently though. Had been refining my craft and building up a solid stack on SOL based on fundamentals. All gone in an instant, poof.”
Such tactics were very effective in the NFT mint yesterday for Solana-based project Aurory. One wallet ended up with $1.5 million and 350 NFTs, some of which were later frozen. Since there was a bug in the mint contract that saw the NFTs sell for 1 SOL instead of 5 SOL, that one scammer ended up making even more money than the NFT issuers.
One relevant aspect here is that the popular Solana wallet Phantom had an auto-approve feature that would approve any transaction from an approved website (designed to make it faster to mint). But this could allow the website to approve a variety of other transactions, potentially putting your NFTs at risk. Phantom said it is removing this feature.
The main advice here is to check that you are using official links, which can typically be found in the project’s FAQ channel — and not to use any links that are provided in an open channel. Plus, it’s recommended to set up a separate wallet to use for each mint, so that you can’t lose more than what’s contained in that wallet.
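The check described above, written as an added example (not code from the article or from any project it names): a link seen in chat counts as official only on an exact HTTPS hostname match, and names that embed or nearly match the official host are flagged. The host `mint.example.org`, the other sample domains and the chat lines are constructed assumptions, and any non-ASCII or punycode host is flagged regardless of similarity.

```python
import re
from urllib.parse import urlsplit

# Assumption: the single host published in the project's FAQ channel (constructed value).
OFFICIAL_HOSTS = {"mint.example.org"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; small values mean one or two swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, official=OFFICIAL_HOSTS):
    """Return 'official', 'suspicious' or 'unknown' for one link."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unknown"
    # Only an exact HTTPS match on the real hostname counts as official.
    if parts.scheme == "https" and host in official:
        return "official"
    # Non-ASCII or punycode labels can render like the official name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious"
    netloc = parts.netloc.lower()
    for good in official:
        # Official name embedded in another host (good.evil.net, good@evil.net),
        # served over plain HTTP, or off by a couple of characters.
        if good in netloc or edit_distance(host, good) <= 2:
            return "suspicious"
    return "unknown"

def scan_message(text):
    """Classify every link found in a chat message."""
    links = (m.group(0).rstrip(".,!?)") for m in URL_RE.finditer(text))
    return [(link, classify_link(link)) for link in links]

# Constructed chat lines for demonstration.
SAMPLE_CHAT = [
    "FAQ says the drop is at https://mint.example.org/drop.",
    "Mint is LIVE -> https://mint.examp1e.org/drop hurry!",
    "backup site: https://mint.example.org.claim-drop.net/",
]
```

An "unknown" verdict only means the host resembles nothing on the allowlist; for minting, anything other than "official" should be treated as not the project's site.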
© 2023 The Block. All Rights Reserved.