October 20, 2022 - 8 min read
Breaking down the four most expensive Crypto and NFT hacks in history and 7 proven ways to protect yourself from web3 scams.
NFTs have grown in popularity because they provide a viable way for artists and creators to sell their content, earn money, and provide value for their holders. Unfortunately, the fame has also attracted a flood of NFT scammers.
Service hacks in 2022 resulted in the theft of cryptocurrency valued at $1.9 billion from January to July, compared with slightly under $1.2 billion over the same period in 2021 (Chainalysis mid-year report).
To help you understand NFT and crypto scams better, this post examines the most sizeable web3 scams to date, the most common types of scams used, and how to protect your assets.
In March 2022, more than $620 million in ETH and USDC were stolen from Ronin Network, the Ethereum-based sidechain for the cryptocurrency game Axie Infinity. The attacker "used hacked private keys to fabricate phony withdrawals" in two transactions from the Ronin bridge contract. Four of the nine private keys used in the attack were stolen when an Axie developer clicked on a faked job offer PDF.
In 2021, a hacker took advantage of vulnerable cross-chain contract calls to steal $613 million from Poly Network's funds on three separate chains: BSC, Polygon, and Ethereum. Luckily, the hacker eventually returned all the money.
On April 25, 2022, BAYC announced on Twitter that they had been the victim of a phishing attack launched through their Instagram and Discord channels. Hackers had gained access to their community administrators' accounts and sent an unauthorized "mint" link. As a result, 24 Bored Apes and 30 Mutant Apes worth $13.7 million were taken.
Riding on the popularity of the Bored Ape Yacht Club, the Evolved Apes and Baller Ape Club NFT collections were launched. But after minting, the developers rug-pulled the projects and stole ETH and SOL worth almost $4.7 million. (More on how rug pulls work below.)
Phishing schemes involve impersonating, or claiming membership in, a reputable organization to obtain the target's personal information or deceive them into sending money. For example, phishers might send emails that appear to come from your online wallet, or pose as moderators of Telegram or Discord channels. Others might build a fake website that imitates a product or service.
They could, for example, send an SMS claiming that a withdrawal request was made from an unfamiliar IP address. The message then instructs you to cancel the withdrawal by clicking a link that looks identical to the real one.
For example, they may substitute a zero for the letter O in duckduckgo.com to create duckduckg0.com. They may also omit a period from the URL, such as ssoduckduckgo.com, rather than sso.duckduckgo.com. The link would take you to a phishing site where your wallet credentials are stolen.
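As an added example (not code from the original post), the check below applies the two tricks just described, a digit swapped for a look-alike letter and a dropped subdomain dot, to the host of a URL before you click it. The allowlist and the test URLs are constructed for illustration; a real deployment would load trusted domains from configuration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader trusts (assumption for this example).
KNOWN_GOOD = {"duckduckgo.com", "sso.duckduckgo.com"}

# Digits that scammers swap in for the letters they resemble (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the host of a full URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown"          # no scheme or no host: nothing to judge
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return "trusted"          # the trusted domain itself or a subdomain of it
    normalised = host.translate(HOMOGLYPHS)   # undo 0-for-o style swaps
    for good in KNOWN_GOOD:
        if good in host:
            return "lookalike"    # e.g. duckduckgo.com.example.net, my-duckduckgo.com
        # distance 0 after normalising: duckduckg0.com
        # distance 1: ssoduckduckgo.com (dropped dot), duckduckgo.co (dropped letter)
        if edit_distance(normalised, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://sso.duckduckgo.com/login", "https://duckduckg0.com/",
              "https://ssoduckduckgo.com/", "https://example.org/"):
        print(u, "->", classify(u))
```

A "lookalike" verdict means the host resembles a trusted domain without being one or one of its subdomains; treat it as a prompt to type the address yourself rather than follow the link.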
Rug pulls are especially prevalent in decentralized finance projects that aim to disrupt industries like banking and insurance, and in NFT (non-fungible token) projects. A rug pull occurs when the development team abruptly halts support, abandons the project, and sells or removes all of its liquidity.
The Frosties NFT rug pull, run by two 20-year-olds named Ethan Nguyen and Andre Llacuna, is a classic example of an NFT rug pull scam. First, they advertised their NFT with several guarantees, such as unique mint passes, gifts, and access to a metaverse game. Then, after receiving more than $1.3 million in funding, they shut down their website and social media accounts.
Centralized marketplaces like OpenSea and Nifty Gateway possess private keys to every asset on their platform. If the exchanges are breached, hackers can take sizable amounts of NFTs.
In 2021, numerous Nifty Gateway accounts were compromised, allowing the hacker to access NFTs in different wallets, trade them for further NFTs, and then sell them for a profit.
Additionally, some victims of the exchange vulnerability claimed their credit cards on file were used to make additional multi-thousand-dollar NFT purchases that were transferred to the hacker's account.
Cryptocurrency evolves at a breakneck pace. To generate interest in a new currency or NFT, a company may offer part of it before the general public sale. This is popularly known as an Initial Coin Offering (ICO). The company may then claim a once-in-a-lifetime opportunity to stake the new crypto with a guaranteed 500 percent return in six months. Once you sign the smart contract transaction that lets it stake crypto from your wallet, the scammers have access to everything and can make transactions on your behalf.
Scammers use social media to spread giveaway hoaxes. They share screenshots of fabricated messages from top executives of an exchange platform or from an NFT artist offering a giveaway, along with links to scam websites. Fake accounts then reply to these posts, vouching for the giveaway to make it look legitimate.
Clicking the link, however, asks you to "verify" your wallet address by transferring crypto to the scam giveaway. In other cases, scammers use a verified account to announce that they will match or multiply any crypto sent to them within a specified timeframe. The urgency pushes people to send funds. Only after the transfer do they realize they have been scammed.
Scammers use psychological manipulation and deception to obtain sensitive information about user accounts. They will often approach you offering help, or whatever it takes to gain your trust, regardless of how long it takes.
At some point, they will ask sensitive questions, ask you to send money to their online wallet, click a particular link, or return the favor by staking in their new project. Recently, a DAO founder shared on Twitter how he was targeted in a carefully engineered scam.
Smart contracts are programs that run on the Ethereum blockchain and encode the terms of the buyer-seller agreement as lines of code. The code executes itself and controls the transaction, which is both trackable and irreversible. Sometimes hackers can exploit vulnerabilities in an NFT project's smart contract for their own benefit.
In 2017, one of the most well-known NFT projects, CryptoPunks, suffered a bug that blocked ETH from getting into the seller's wallet. Due to the bug in the contract, scammers could purchase CryptoPunks and later withdraw the money used to buy the NFT. The project was later re-launched with a new smart contract to combat the bug.
NFTs are non-fungible tokens, meaning they are unique and cannot be copied or substituted. Yet on many NFT platforms, plagiarism is rampant. Scammers can save the JPEGs of a popular NFT project and create a new collection on a marketplace.
In a recent analysis by OpenSea, over 80% of NFTs created with its minting tool were fake or copycats. As soon as OpenSea spots a fake, the collection is flagged and every buyer loses their funds.
Watch out for common red flags, including typographical errors, glaring misspellings in emails, contractual commitments that bind you to hold the crypto without the ability to sell, and promises of free money.
Be wary of websites that promise unrealistically high profits for staking. When something appears too good to be true, it is a scam.
Invest in a web3 auth solution to protect your DAOs and NFT communities against theft and intrusion. You can use it to protect the private data in your app, on Discord, or wherever you share community content.
Regardless of who shared it or where you saw it, double-check that the website URL you're accessing is the correct one.
A verified account or a large number of followers proves nothing. Don't buy into or trade cryptocurrencies based on the advice of someone on the internet. Do your own research (DYOR): know the team behind the project and read through the whitepaper to identify the project's goals and strategies.
Use a cold wallet and only transfer a small amount to your online wallet at any one time.
Don't share your private keys, recovery questions, or other sensitive information with anyone, no matter how close you get. Store these pieces of information in a safe place offline.
Ultimately, we're all responsible for our own security, and more often than not people are scammed because of their own lack of due diligence. To keep your assets safe, follow our seven tips.