Scams have become an inevitable part of the NFT ecosystem. At this point, almost all of the biggest names in the space have been hacked. In January 2023 alone, PROOF Collective founder Kevin Rose lost over $1 million worth of NFTs in a phishing scam, and Azuki’s Twitter account was manipulated. Followers who clicked on a nefarious link posted by the hackers lost nearly $800,000 in combined NFTs. If the biggest names in crypto and NFTs can get hacked, so can you. Despite the growing awareness of these scams, everyone who works in NFTs is still at great risk of being scammed out of their assets by bad actors.
Fortunately, you can mitigate some of the risks by adopting standard best practices set forth by blockchain developers and security professionals. True, scams can’t all be avoided all the time. Still, by taking the necessary (if sometimes arduous) steps to protect software wallets, the NFT community could likely mitigate a large portion of the plentiful and popular scams. Here’s how.
Secure your seed phrase
The most obvious way to keep your cryptocurrencies and NFTs safe is by taking the right precautions when it comes to your wallet seed phrase. For those unfamiliar, a seed phrase is a randomly generated collection of words that represents the private keys associated with a software wallet and is presented to a user when they first create a wallet. This private key acts as a fail-safe that allows the contents of a crypto wallet to be restored in the rare event that a user gets locked out of their wallet or finds it necessary to import their wallet to a new device.
You should never store the seed phrase of your wallet digitally. Put aside any thought of emailing it to yourself or saving it to a Google doc or other notes app on your computer or phone. Just record your unique private key on paper and keep it in a safe place at home. Some even go so far as to engrave their seed phrase on a metal plate and keep it in a safe deposit box.
Use a hardware wallet or a delegate wallet
While it may be tempting to keep all your assets in one or two software wallets for easy access and quick trading, using a hardware wallet to secure your valuable NFTs and large amounts of crypto could save you from a world of suffering. A hardware-based wallet, such as Ledger or Trezor, stores users’ private keys offline on the secure microprocessors of the device itself. Considering that a computer or other device can be compromised by malware, keyloggers, screen-capture tools, and more, using a hardware wallet right out of the box is a reliable way to keep your NFTs safe.
While some strive to keep some software wallets enabled online (hot wallets) for active trading while keeping other assets safe in an offline hardware wallet (cold wallet), even this system can be compromised. As we witnessed with the recent hacks of prominent Web3 figures like Rose, Nikhil Gopalani, CryptoNovo, and more, the simple act of signing a transaction with a high-value wallet can lead to losses. To further mitigate risk, users may consider using a disposable wallet (a wallet with no holdings or site connections that is only used for transacting) or a proxy wallet to make transactions instead of an active one.
To do this, collectors can use services such as Delegate Cash. With Delegate Cash, users can create and assign a new MetaMask hot wallet as a delegate for a cold wallet where valuable NFTs are held. By doing so, users can claim airdrops, confirm ownership, or use an NFT without keeping it in an active wallet. We recently saw this method used to great effect when pseudonymous collector tropoFarmer offered his Sewer Pass for others to play Dookey Dash via a proxy wallet.
Triple check identifiers, URLs and signatures
Before you even consider minting, collecting, signing or interacting with a website or contract (including Delegate Cash), you should always triple check that the portal you are using is secure and authentic. Time and time again, prominent Twitter accounts and Discord servers get hacked, leading to fake NFT mint ads and lots of crypto lost by the NFT community.
For the most part, scams will lure users into shelling out their crypto or NFTs by asking them to enter a seed phrase (again, something you should never consider doing) or by signing a malicious transaction. Since the latter is what compromised Rose, be sure to check every URL you want to interact with, along with its source, and be extra cautious. It is incredibly easy for scammers to create fake links and browser-based popups that look and behave identically to MetaMask’s.
However, even if you are not forced onto a scam site or fake wallet app, blindly signing a transaction can leave you vulnerable to compromise. Hackers undoubtedly count on users to do just this. Considering the incredible number of signatures and transactions that are presented to collectors on a weekly basis, it can be easy to overlook the details when signing time-sensitive minting transactions. To be cautious, always take a good look at what you are signing and the contracts you allow your wallet to interact with.
8/ If your TX asks you to sign a message like 0x6fe64a…..87, you are signing a transaction that could be malicious, check the originating website and that you are actually signing something you want to sign. pic.twitter.com/DtnGAgDTfe
— richerd.eth (@richerd) February 2, 2022
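The two checks described in this section (is the requesting site exactly the one you trust, and can you actually read what you are asked to sign) can be expressed as a small pre-signing review. This is an added example, not code from the article or from any wallet; the function names, the allowlist and the sample request are hypothetical, and only the `eth_sign` and `personal_sign` request shapes are taken from the standard wallet JSON-RPC interface.

```javascript
// Added example: pre-signing review of a wallet request. All names are hypothetical.
const TRUSTED_HOSTS = new Set(["mint.example.org"]); // constructed allowlist

// Flag anything about the requesting page that does not match a site you trust.
function reviewOrigin(originUrl) {
  let url;
  try { url = new URL(originUrl); } catch { return ["origin is not a valid URL"]; }
  const flags = [];
  if (url.protocol !== "https:") flags.push("origin is not HTTPS");
  // URL() converts internationalized names to punycode, exposing lookalike characters.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    flags.push("punycode hostname (possible lookalike domain)");
  }
  // Exact match only: "mint.example.org.claim.test" must not pass as "mint.example.org".
  if (!TRUSTED_HOSTS.has(url.hostname)) {
    flags.push(`host ${url.hostname} is not on your allowlist`);
  }
  return flags;
}

// Flag signing requests whose content a human cannot read before approving.
function reviewSignRequest(req) {
  const flags = reviewOrigin(req.origin);
  if (req.method === "eth_sign") {
    const data = String(req.params[1]); // eth_sign params: [address, data]
    if (/^0x[0-9a-fA-F]{64}$/.test(data)) {
      flags.push("eth_sign over an opaque 32-byte hash: content cannot be reviewed");
    }
  } else if (req.method === "personal_sign") {
    const raw = String(req.params[0]); // personal_sign params: [message, address]
    const text = raw.startsWith("0x")
      ? Buffer.from(raw.slice(2), "hex").toString("utf8")
      : raw;
    if (!/^[\x20-\x7e\r\n\t]+$/.test(text)) {
      flags.push("personal_sign payload is not readable text");
    }
  }
  return flags;
}

// Constructed sample: an opaque hash requested by a lookalike host.
const sample = {
  origin: "https://mint.example.org.claim.test/mint",
  method: "eth_sign",
  params: ["0x" + "11".repeat(20), "0x" + "6f".repeat(32)],
};
console.log(reviewSignRequest(sample));
```

An empty result means only that neither check fired; it does not show that the contract behind the request is safe.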
What to do if you get hacked
If all else fails and you end up on the receiving end of malicious intent, your next actions will depend on the nature of the hack or scam you were subjected to. If you interacted with a fake mint or claim and signed a transaction… bad luck. Once your cryptocurrencies or NFTs leave your possession, there is little you can do about it. Because of this, it is essential to understand the security flaws of others to prevent an attack from happening in the first place.
While market security teams can help you in some cases, especially if they are at fault, the responsibility almost always lies with the user. To better equip yourself to keep your assets safe, educate yourself. Read about common scams, learn to identify red flags, and above all, implement the security measures described in this guide or established by trusted members of the NFT community as soon as possible.