NFT Anti-Theft Guide: Four Common Methods and Three Identification Techniques
Author: Rhythm Research Institute, NFT Labs
The world of crypto is like a dark forest, where countless dangers may lurk around you. Just a few days ago, hackers took advantage of the OpenSea contract upgrade to send phishing emails to users' inboxes; many users mistook them for official mail, authorized their wallets on the linked site, and had their assets stolen. According to statistics, this single email campaign resulted in the theft of at least 3 BAYC, 37 Azuki, 25 NFT Worlds, and other NFTs, with the hacker's proceeds reaching as much as $4.16 million based on floor prices.
And just today, a MAYC and two Doodles held by Jay Chou were stolen; the Discord communities of top NFT projects BAYC and Doodles were simultaneously hacked, and the losses caused by the hackers are yet to be determined.
Now, the hacker attacks we need to guard against are not only technical but also stem from social engineering. With the prices of numerous NFT projects soaring, a moment's inattention can lead to significant asset losses. In light of the recent surge in scams in the NFT space, Rhythm has summarized several common types of scams, hoping that readers will remain vigilant and not fall victim.
Scam Tactics:
1. Phishing website links via Discord DMs
Phishing links sent through Discord DMs are a common tactic used by hackers. They often send bulk DMs to members across different Discord communities, or impersonate community admins offering help with a problem, in order to trick users into revealing their wallet private keys. Alternatively, they send links to phishing websites that claim users can mint or claim NFTs for free. Once a user grants a wallet authorization on the hacker's counterfeit website, the result can be significant losses.

2. Attacking Discord servers
Discord servers being hacked is something that almost every popular NFT project experiences. Hackers compromise the accounts of server administrators and then post fake announcements in various channels, tricking community members into visiting fake websites set up by the hackers to purchase fake NFTs. Nowadays, hackers may also phish server administrators for their Discord account tokens (the session credential) via phishing websites; with the token in hand, the attacker controls the account even if the administrator has 2FA enabled. If the phishing website set up by the hacker also requests wallet authorization, the financial losses for users can be even more severe.
3. Sending fake transaction links
This type of scam is common during private negotiations for NFT transactions. Platforms like Sudoswap and NFTtrader encourage users to "exchange" their NFTs or tokens through private negotiations, providing security for these transactions. While this is generally a good thing for the NFT market, hackers have begun to scam users by creating counterfeit Sudoswap and NFTtrader websites.
After negotiations on Sudoswap or NFTtrader, users need to initiate a transaction, which generates an order confirmation website. Once both parties confirm, the transaction is automatically executed via a smart contract. Initially, the scammer pretends to negotiate which NFTs to exchange and shows you a legitimate website link. Then, they propose modifications to the transaction, and when the trader lets their guard down, the scammer sends a phishing link. Once the user clicks to confirm the transaction, the corresponding NFTs in their wallet are sent to the scammer's wallet.
4. Obtaining recovery phrases
Scammers use various methods to lure users into sending their private keys or recovery phrases, such as setting up phishing websites or pretending to be helpful administrators. All these actions aim to lower users' vigilance and seize their private keys and recovery phrases.
5. Creating fake collections and seeking trades in the project's Discord public channels
Fake NFT collections are most commonly encountered before the launch of many popular projects. Before the official launch of NFT blind boxes, scammers upload similarly named NFT collections on platforms like OpenSea and "decorate" these collections with information released by the official team. Because the real NFT collection hasn't launched yet, users searching for it are likely to find the most closely named collection first. Some scammers even send offers to the counterfeit NFTs they have listed, creating a few transactions to make users believe the fake NFTs are legitimate.
To save on platform and project royalties, community members often engage in private trades. Besides the previously mentioned scams through counterfeit Sudoswap and NFTtrader websites, some scammers send links to fake NFT collections priced slightly below the floor price in community channels. Users often overlook the authenticity of the NFTs in their eagerness to purchase NFTs below the floor price, leading to scams.
6. Fake emails
Most NFT platforms require users to bind their email addresses to inform them of their NFT transaction status promptly, making email a hotspot for scams. Scammers typically impersonate official accounts of platforms like OpenSea, sending phishing website links under the pretext of needing to modify contract addresses or re-verify wallets. Recently, after OpenSea announced a contract upgrade, hackers used this method to defraud users of nearly $4 million. As of the writing date, the OpenSea team is still investigating affected users.
Anti-Scam Guide
1. Website verification
No matter how elaborate the hacker's packaging or how mesmerizing their language may be, when they ultimately steal your crypto assets, they always need a way to interact with your wallet. Ordinary users may not have the ability to assess contract risks, but fortunately, we are still in an internet world dominated by web2. Almost all crypto contracts require a web2 front-end webpage to interact with users.
Therefore, the vast majority of thefts of crypto assets targeting users (rather than project parties) occur on counterfeit phishing websites. Once you learn how to identify phishing websites, you can avoid 99% of crypto asset theft.
Generation Z, who have grown up with smartphones, live in an "ecosystem" created by various apps and may be less familiar with the older concept of web pages. In the web2 era, the DNS domain name system gives each website a unique identity. Understanding the basic rules of domain composition is sufficient to deal with almost all fake phishing websites.
In traditional DNS domains, the domain hierarchy is divided into three levels. Take the part of the address between the scheme (https://) and the first slash (/), and read it from right to left; each period separates one level. For example, in https://www.opensea.io/, ".io" and similar top-level domains like ".com" or ".cn" cannot be customized. "opensea" is called the second-level domain; it is the main part of the domain and cannot be duplicated under the same top-level domain (e.g., two different sites both registered under .io). The "www" part is the third-level domain, which can be set freely by the website operator. Operators can even add fourth-level or fifth-level domains to the left of "www."
The order of domain levels is counterintuitive: the top level is on the right, and each level to its left is subordinate to the one on its right. This design runs contrary to most people's reading habits, which gives attackers an opportunity. For example, the address https://www.opensea.io.example.com looks highly similar to the opensea address, but its true domain is "example.com," not "opensea.io."
Whether phishing attacks will still exist in a fully Web3 world is hard to predict. In the Web2 world, however, the DNS domain name system guarantees the uniqueness of domain names (and therefore URLs), so as long as the domain shown in the address bar is genuine, it is nearly impossible to have opened a fake website.
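The domain rule above, turned into a small checker (added example, not part of the original article). It reads the hostname out of a URL the way the text describes, reduces it to the registrable "second-level.top-level" part, and compares that against an allowlist; the only genuine domain on this page is opensea.io, so that is the whole allowlist here. The set of two-part public suffixes (co.uk etc.) is a hand-made assumption to show that some registries sit one level deeper than the page's three-level model.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# ASSUMPTION: a tiny, hand-made list of registries whose public suffix has two
# labels. A real checker would use the Public Suffix List instead.
TWO_PART_SUFFIXES = {"co.uk", "com.cn", "com.au"}

# The only genuine domain named in the article; extend with sites you actually use.
ALLOWLIST = {"opensea.io"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the part of the hostname that identifies the site (e.g. 'opensea.io')."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname  # strips scheme, 'user@' prefix, port and path; lower-cases
    if not host:
        return None
    labels = host.rstrip(".").split(".")  # trailing dot is a valid FQDN spelling
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in TWO_PART_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])  # second-level domain + top-level domain


def check_url(url: str, allowlist: Set[str]) -> Tuple[bool, str]:
    """Decide whether a link really belongs to an allowlisted site; returns (ok, reason)."""
    domain = registrable_domain(url)
    if domain is None:
        return False, "no hostname in link"
    # Punycode (xn--) or raw non-ASCII labels can hide look-alike characters.
    if domain.startswith("xn--") or ".xn--" in domain or any(ord(c) > 127 for c in domain):
        return False, f"internationalised hostname {domain}, inspect it by hand"
    if domain in allowlist:
        return True, f"link belongs to {domain}"
    return False, f"real domain is {domain}, not one of {sorted(allowlist)}"


if __name__ == "__main__":
    for link in ["https://www.opensea.io/collection/x",
                 "https://www.opensea.io.example.com/",   # the article's example
                 "https://opensea.io@example.com/claim",   # 'user@' prefix trick
                 "https://opensea-io.com/verify",
                 "http://OPENSEA.IO./"]:
        print(check_url(link, ALLOWLIST), "<-", link)
```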
2. Do not disclose private keys or recovery phrases
Crypto wallets are not like Web2 email accounts: a wallet's private key and recovery phrase cannot be changed, reset, or retrieved. Once they are leaked, the wallet effectively belongs to both you and the hacker, and every asset in it can be transferred by the hacker at any time. Because Ethereum addresses are anonymous, you cannot determine who the hacker is and the losses cannot be recovered; the wallet can no longer be used.
3. Timely revoke wallet authorizations
If you have authorized your wallet on a phishing website, you can promptly check your wallet authorization status and revoke it at the following three addresses:
https://etherscan.io/tokenapprovalchecker
https://revoke.cash/
https://debank.com/
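The "authorization" that a phishing site asks for is a normal transaction whose calldata calls one of the standard token approval functions. This decoder (added example, not from the article or from any of the three sites above) takes the hex data a wallet shows on its confirmation screen and says what the transaction would grant and to whom, so the dangerous cases can be recognised before signing rather than revoked afterwards. The function selectors are the fixed ERC-20/ERC-721 values; the operator address and calldata below are constructed samples.

```python
# Function selectors: first 4 bytes of keccak256 of the function signature, as
# fixed by the ERC-20 / ERC-721 / ERC-1155 standards.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # one token id (ERC-721) or an allowance (ERC-20)
    "a22cb465": "setApprovalForAll(address,bool)",  # every token of a collection
}
UNLIMITED = (1 << 256) - 1  # the "max uint256" allowance many phishing sites request


def decode_approval(calldata_hex: str) -> dict:
    """Decode an approval call; returns {'kind': 'other'} for anything else."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    name = SELECTORS.get(selector)
    if name is None or len(args) < 128:  # two 32-byte ABI words expected
        return {"kind": "other", "selector": selector}
    operator = "0x" + args[:64][-40:]    # address is right-aligned in its 32-byte word
    value = int(args[64:128], 16)
    if name.startswith("setApprovalForAll"):
        return {"kind": "setApprovalForAll", "operator": operator, "approved": value == 1}
    return {"kind": "approve", "operator": operator, "amount": value,
            "unlimited": value == UNLIMITED}


def risk_of(calldata_hex: str, known_operators: set) -> str:
    """Verdict on a transaction: what it grants, to whom, and whether that is dangerous."""
    d = decode_approval(calldata_hex)
    if d["kind"] == "other":
        return "not an approval call"
    who = ("known" if d["operator"] in known_operators else "UNKNOWN") + " operator " + d["operator"]
    if d["kind"] == "setApprovalForAll" and d["approved"]:
        return f"DANGER: lets {who} move EVERY token of this collection"
    if d["kind"] == "approve" and d["unlimited"]:
        return f"DANGER: unlimited token allowance for {who}"
    return f"limited approval (single token or capped amount) for {who}"


# Constructed sample: setApprovalForAll(0x1111...1111, true) to a made-up operator.
SAMPLE_OPERATOR = "0x" + "11" * 20
SAMPLE_CALLDATA = "0xa22cb465" + "0" * 24 + "11" * 20 + "0" * 63 + "1"

if __name__ == "__main__":
    print(risk_of(SAMPLE_CALLDATA, known_operators=set()))
```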