How To Protect Yourself From Scams (And What To Do If Your Wallet Is Compromised)

This space is so new that it is important to know how to avoid the most common scams, protect your wallet, and if that fails, what to do if your wallet is compromised.

By Sloika

How to avoid most common scams

Web3 is a place of opportunities. At the same time, this space is also so new for the coming wave of creators that it is important to know how to avoid the most common scams, protect your wallet, and if that fails, what to do if your wallet is compromised.

Unfortunately, because there is so much money to be made (and lost) in crypto, creators, large and small, are the targets of myriad scams. The problem is exacerbated by the fact that creators rely on social media and making new connections to find genuine collectors.

The most common scams today are as follows:

Scams in DMs

Sometimes finding a collector might mean having a conversation in someone’s DMs. Be extra cautious as many “collectors” would use names or avatars to sound more authoritative.

Collectors with a good reputation will have their ENS wallet available in a name or their bio, and will have links to their gallery or a wallet. Such collectors generally announce their purchases that can be proven with a link to an artwork or a blockchain transaction.

The scam works like this: a “collector-to-be” would spend a lot of time chatting you up and saying that they love your work and are ready to collect your art, but have funds “tied up” in a trade (often along with a screenshot to prove it), so they need you to send them some money first, promising a sale or return of funds with interest within a few minutes. Don’t fall for it.

Free Mints

Sometimes the scam is particularly effective if a valid social media account was compromised. The message will say that this is a “hot drop”, and have a link to a website. Connecting your wallet on such a website will immediately expose all of your NFTs and all crypto to the scammer to grab (basically they code in a special permission to withdraw anything from your wallet). Any get-rich-quick scheme in crypto is guaranteed to be a scam.

Emails

There were two types of scam emails floating around lately focusing on fear and greed. One would imply that you violated some community rules and to correct them you need to email back, which causes the attacker to send a file (usually a “.zip” or “.exe” file), which will compromise your system. The other type of email focused on greed and would imply receiving acceptance from an invite-only marketplace. Since many have shared their excitement about applying on social media, the job of a scammer is much easier. Do not respond to suspicious emails. Check in with the project team via a trusted channel.

Anonymous Teams

While scams occurred with both doxxed (identity known to the public) and anonymous teams, the vast number of them are from anonymous teams. In one of the latest scams, an anonymous team stole $800K in users’ funds just this week! If a website or a project has a team that is hiding behind an avatar and username, be cautious. The biggest projects in the space, such as Coinbase or FTX, have management teams with a known name, face, and career history.

Discord Hacks

Unfortunately, almost every Discord server has been hacked at least once. There are leaderboards that show projects that have been compromised over and over again, including many large projects. The common source of a hack is a bot (a program configured to increase usability of some feature) that was improperly set up. You might see official accounts or official-looking links being posted in a channel urging you to take action. Best defense: bookmark a trusted website and verify the website you are on.

Website Hacks

While all previous scams require “social engineering” to lure you into connecting your wallet or sending crypto to a scammer, a website scam requires some real hacking. A large number of high-profile websites have been compromised and had malicious code injected to initialize a wallet connect. For that, the only solution would be to use a hot wallet with a small amount of funds in it (see “how to protect your wallet” below), and to look out for design inconsistencies when connecting to it.

Of course, much has been written on how to be careful with some suggesting not to click on any links. While it is commendable, it is unlikely to be a reasonable solution for many. So best to keep your activity to a limited number of projects, don’t trust people you don’t know (anonymous or not), and verify the links or emails you receive.

How to protect your wallet

The first thing to realize is that with ENS and a public identity of creators, targeting individual wallets is easy — this information is known and exposed on social media and marketplaces. Hacking the wallet using computational techniques is almost impossible, so all hacks happen using social engineering.

Unfortunately, in the current stage of web3 development, your wallet is at once a bank (crypto), an identity (ENS), and a gallery (NFTs). It is also unique in that you are responsible for safekeeping the secret phrase and maintaining good security practices. So what can you do?

Do not write down your secret phrase on your phone or computer

We’ve seen creative people saving this information in their Notes app, only to be hacked a few weeks later. Where to store it? Write it down on paper with a rich ink pen, and keep it safe (i.e., with your passport or jewelry).

Do not share your screen on calls with strangers

Apps such as MetaMask would expose the private key as a QR code when clicked in the settings menu, so, unknown to creators, sharing your screen and clicking a few buttons might mean the loss of your crypto accounts.

Do not connect to websites you don’t know or trust

We know that free mints can be tempting, but if there’s even a 1% chance that a project can be a scam, it most likely is. With recent updates to MetaMask, and upgrades to your own knowledge, you can read the requests that a website makes. If there’s nothing suspicious (assuming you can read the requests correctly), connecting to any website is safe. Visiting any website is most likely safe too (so clicking on any link is OK — just don’t connect a wallet!). Unfortunately, such knowledge is not common, and thus it is better to stay on the safer side.

Maintain multiple wallets

Maintain several wallets (each with its own secret phrase, if possible), such as a hot wallet and a cold wallet. Hot wallets contain a small amount of crypto to transact, and maybe your ENS as well. Cold wallets are where you keep most of your NFTs and crypto for storage.

This wallet combo might look like this. Hot wallets: MetaMask, Rainbow, MyEtherWallet. Cold wallets: Ledger (hardware wallet), Trezor (hardware wallet), Coinbase, Binance, Gemini, Kraken. The cold wallet doesn’t have to be a hardware wallet, just separated enough that you don’t use it to connect to websites (to mint NFTs, swap funds, and so on).

As a rule of thumb, store only as much crypto in each wallet as you are willing to lose in each instance, so if your situation requires multiple hot or cold wallets, set them up.

Revoke token approvals

Etherscan and Revoke Cash are two common tools. Revoking permissions will require a gas fee.
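
What the approvals discussed above look like at the transaction level, as an added example that is not part of the original article: the JavaScript below decodes the calldata of a wallet request and reports whether it grants or revokes a token approval. The sample calldata and spender address are constructed, classifyCalldata is a hypothetical helper, and approve is assumed to target an ERC-20 token (an ERC-721 contract uses the same selector with a token ID as the second argument).

```javascript
// Added example: classify a wallet request's calldata as an approval grant or a revoke.
// Selectors are the first 4 bytes of the function signature hash.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

function classifyCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) return { kind: "invalid" };
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { kind: "other" }; // plain transfer or some other call
  const args = hex.slice(8);
  // Both functions take exactly two 32-byte words: (address, uint256 | bool).
  if (args.length !== 128) return { kind: "malformed", fn };
  const spender = "0x" + args.slice(24, 64); // address = low 20 bytes of word 1
  const value = BigInt("0x" + args.slice(64));
  if (value === 0n) return { kind: "revoke", fn, spender };
  if (fn === "setApprovalForAll") return { kind: "grant-all", fn, spender };
  // Assumption: approve targets an ERC-20 token, so word 2 is an amount.
  const kind = value === MAX_UINT256 ? "grant-unlimited" : "grant-limited";
  return { kind, fn, spender, value };
}

// Constructed sample requests (placeholder spender, not real addresses).
const pad = (h) => h.padStart(64, "0");
const SPENDER = "11".repeat(20);
const samples = {
  unlimited: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64),
  limited: "0x095ea7b3" + pad(SPENDER) + pad("64"),
  revoke: "0x095ea7b3" + pad(SPENDER) + pad("0"),
  operator: "0xa22cb465" + pad(SPENDER) + pad("1"),
};

for (const [label, data] of Object.entries(samples)) {
  const r = classifyCalldata(data);
  console.log(label.padEnd(10), r.kind.padEnd(16), r.fn, r.spender);
}
```

A revocation is the same contract call with a zero amount (or false for an operator), which is why it is an on-chain transaction that costs gas.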

If you maintain multiple wallets, getting your hot wallet compromised would be an unfortunate but manageable situation. Next, learn what to do if your wallet was compromised.

What to do if your wallet is compromised?

Unfortunately, there are no obvious flags if your wallet is compromised. It happens quietly. So an empty wallet might have been compromised months ago, with attackers waiting to see if you load it with funds or receive a payment from an NFT sale. This makes maintaining security so much harder. If you believe you connected to websites you don’t know, or otherwise acted in a way that might compromise your wallet, it’s a great time to get yourself a brand new wallet.

You will get no emails or notifications that your wallet is compromised. The most common way is just finding out that your valuable NFTs are missing, and crypto was sent somewhere else (and not by you). To stay on top of your own wallet activity, download the Zerion app on your phone and enable notifications. You can get push notifications for every transaction that happens with your (or any other) wallet.

If your funds or NFTs are missing, act fast! There is no way to rectify the compromised wallet. You will have to abandon it. Before you do, if there are funds, ENS, or NFTs in a wallet, transfer them somewhere safe (see “maintain multiple wallets”). If there are no funds to cover the gas fees, you will need to fund the wallet with a small amount of ETH to pay for transfers (generally about 0.002 ETH per transfer), and initialize the transfer in a very short period of time (assume attackers are watching your wallet). Once you do so, you can start rebuilding your wallet.

Make sure your new wallet has a different secret phrase from your compromised one. If unsure, use MyEtherWallet to generate a brand new wallet. On the MyEtherWallet page, click on the “Software” method and then “Mnemonic Phrase”. You can then write down your secret phrase (24 words recommended, it’s more secure than a 12 word secret phrase), and once you complete it, click once again on “Software” to retrieve your wallet address (you’ll need to type all 24 words in correct order).

When you move your ENS to a new wallet, log in to ENS Domains to check that the “Records > Addresses” tab shows the correct wallet address. If unsure, you can check by pasting your ENS in the Etherscan search bar and seeing if it points to your new wallet.

Unfortunately, if you have sold any NFTs as a creator, your collectors will essentially have an NFT that originated from an account now controlled by someone else. While they can’t do any damage, the provenance between creator and collector will break. Most creators re-mint and airdrop an identical NFT to a collector, and ask the collector to burn the piece they acquired from you.